git.stella-ops.org/docs/security/crypto-profile-configuration.md
StellaOps Bot 49922dff5a
up the blocking tasks
2025-12-11 02:32:18 +02:00


Crypto Profile Configuration · 2025-12-11

How to pick regional crypto profiles, choose between free/paid providers, and enable simulations while hardware or licenses are pending.

Quick selectors

  • Compliance profile (hash/sign policy): STELLAOPS_CRYPTO_COMPLIANCE_PROFILE=world|fips|gost|sm|kcmvp|eidas (or config Crypto:Compliance:ProfileId).
  • Registry ordering: set StellaOps:Crypto:Registry:ActiveProfile (env: STELLAOPS__CRYPTO__REGISTRY__ACTIVEPROFILE) and PreferredProviders.
  • Simulation toggle: STELLAOPS_CRYPTO_ENABLE_SIM=1 (adds sim.crypto.remote to the registry); STELLAOPS_CRYPTO_SIM_URL=http://host:8080 if the simulator runs remotely.

Step-by-step: pick a region

  1. Choose the compliance profile ID and set STELLAOPS_CRYPTO_COMPLIANCE_PROFILE.
  2. Set StellaOps:Crypto:Registry:ActiveProfile to the region (see table below) and order the PreferredProviders.
  3. Decide on provider type:
    • Free/OSS: OpenSSL GOST (RU), SM soft, PQ soft, FIPS/eIDAS/KCMVP soft baselines.
    • Paid/licensed: CryptoPro (RU), QSCD (eIDAS), certified FIPS/KCMVP modules when available.
    • Simulation: enable STELLAOPS_CRYPTO_ENABLE_SIM=1 and point STELLAOPS_CRYPTO_SIM_URL to sim-crypto-service.
  4. Apply any provider-specific env (e.g., CRYPTOPRO_ACCEPT_EULA=1, SM_SOFT_ALLOWED=1, PQ_SOFT_ALLOWED=1, PKCS#11 PINs).
  5. Capture evidence: JWKS export + CryptoProviderMetrics + fixed-message sign/verify logs.
  6. If you only need a smoke check rather than the full test suite, run dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj against a running simulator.

Choosing a region

| Region | Compliance profile | Registry profile / providers | Free vs paid | Simulation |
|---|---|---|---|---|
| RU (OSS) | gost | ActiveProfile: ru-offline; providers: ru.openssl.gost, ru.pkcs11 | Free (OpenSSL) path on Linux. Optional remote signer: set STELLAOPS_RU_OPENSSL_REMOTE_URL=http://host:9090 (see docs/security/openssl-gost-remote.md). | STELLAOPS_CRYPTO_ENABLE_SIM=1; sim covers GOST12 + Magma/Kuznyechik when hardware/licensing is unavailable. |
| RU (CryptoPro paid) | gost | Same profile; ensure ru.cryptopro.csp is registered. | Linux-only CSP service: bind customer .deb packages to /opt/cryptopro/downloads, set CRYPTOPRO_ACCEPT_EULA=1, run ops/cryptopro/linux-csp-service. Licensing model documented in docs/legal/crypto-compliance-review.md. | Use the simulator until licenses are supplied. |
| CN (SM) | sm | ActiveProfile: sm; providers: cn.sm.soft (env SM_SOFT_ALLOWED=1), optional PKCS#11. | Hardware/PKCS#11 wiring in docs/security/sm-hardware-simulation.md. | sim-crypto-service handles SM2 (sim.crypto.remote). |
| FIPS (US) | fips | Providers: fips.ecdsa.soft (env FIPS_SOFT_ALLOWED), KMS/OpenSSL FIPS when available. | Certified module runbook: docs/security/fips-eidas-kcmvp-validation.md. | Simulator covers ES256/384/512 (sim.crypto.remote). |
| eIDAS (EU) | eidas | Providers: eu.eidas.soft (env EIDAS_SOFT_ALLOWED). | QSCD bring-up in docs/security/fips-eidas-kcmvp-validation.md. | Simulator (sim.crypto.remote) until the QSCD arrives. |
| KCMVP (KR) | kcmvp | Providers: kr.kcmvp.hash (env KCMVP_HASH_ALLOWED=1), future KCDSA/ARIA/SEED module. | Hardware flow in docs/security/fips-eidas-kcmvp-validation.md. | Simulator (sim.crypto.remote) while awaiting the certified module. |
| PQ addenda (overlay) | n/a (overlay on any profile) | Enable via PQ_SOFT_ALLOWED=1; provider pq.soft. | Uses liboqs/BouncyCastle soft providers. | Simulator available via sim.crypto.remote if you want a remote signer. |
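To make the quick selectors, the step-by-step procedure and the region table concrete, here is an added example (not StellaOps code) that resolves the effective crypto profile from an appsettings.json plus environment overrides: env selectors win over config, STELLAOPS_CRYPTO_ENABLE_SIM=1 moves sim.crypto.remote to the front of PreferredProviders, the compliance/registry pairing is checked against the table rows that name an ActiveProfile, and any provider-specific enable flag from step 4 that is missing is reported. The precedence rules, the assumption that every enable flag is expected to be "1", and the acceptance of both Crypto:Compliance:ProfileId (named by the selector) and StellaOps:Compliance:ProfileId (as nested in the sample config) are this example's assumptions, not documented product behaviour.

```python
"""Resolve the effective StellaOps crypto profile from appsettings.json plus
environment overrides. Added example, not StellaOps code: precedence rules and
the soft-provider env requirements are read off this page, not the product."""
import json
import os

# Compliance profile IDs accepted by STELLAOPS_CRYPTO_COMPLIANCE_PROFILE.
COMPLIANCE_PROFILES = {"world", "fips", "gost", "sm", "kcmvp", "eidas"}

# Registry ActiveProfile the region table pairs with a compliance profile
# (only the rows that name one).
EXPECTED_REGISTRY_PROFILE = {"gost": "ru-offline", "sm": "sm"}

# Provider-specific env each provider needs before it is usable (region table
# and step 4). Assumption: every flag is expected to carry the value "1".
PROVIDER_ENV = {
    "ru.cryptopro.csp": "CRYPTOPRO_ACCEPT_EULA",
    "cn.sm.soft": "SM_SOFT_ALLOWED",
    "pq.soft": "PQ_SOFT_ALLOWED",
    "fips.ecdsa.soft": "FIPS_SOFT_ALLOWED",
    "eu.eidas.soft": "EIDAS_SOFT_ALLOWED",
    "kr.kcmvp.hash": "KCMVP_HASH_ALLOWED",
}

SIM_PROVIDER = "sim.crypto.remote"

# Constructed sample mirroring the page's appsettings.json.
SAMPLE_APPSETTINGS = json.dumps({
    "StellaOps": {
        "Crypto": {
            "Registry": {
                "ActiveProfile": "ru-offline",
                "PreferredProviders": ["ru.openssl.gost", "ru.pkcs11", "sim.crypto.remote"],
            },
            "Sim": {"BaseAddress": "http://localhost:8080"},
        },
        "Compliance": {"ProfileId": "gost", "StrictValidation": True},
    }
})


def config_get(cfg, path):
    """Walk a colon-separated .NET config path (StellaOps:Crypto:Registry:ActiveProfile)."""
    node = cfg
    for part in path.split(":"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def resolve(appsettings_json, env=None):
    """Return the effective profile, provider order and missing enable flags."""
    env = os.environ if env is None else env
    cfg = json.loads(appsettings_json)

    # Env selector wins over config. The page names Crypto:Compliance:ProfileId
    # but its sample nests Compliance under StellaOps; accept either (assumption).
    compliance = (env.get("STELLAOPS_CRYPTO_COMPLIANCE_PROFILE")
                  or config_get(cfg, "StellaOps:Crypto:Compliance:ProfileId")
                  or config_get(cfg, "StellaOps:Compliance:ProfileId"))
    if compliance not in COMPLIANCE_PROFILES:
        raise ValueError(f"unknown compliance profile {compliance!r}")

    # .NET maps STELLAOPS__CRYPTO__REGISTRY__ACTIVEPROFILE onto the colon path.
    registry = (env.get("STELLAOPS__CRYPTO__REGISTRY__ACTIVEPROFILE")
                or config_get(cfg, "StellaOps:Crypto:Registry:ActiveProfile"))
    expected = EXPECTED_REGISTRY_PROFILE.get(compliance)
    if expected and registry != expected:
        raise ValueError(f"compliance {compliance} expects ActiveProfile {expected}, got {registry!r}")

    providers = list(config_get(cfg, "StellaOps:Crypto:Registry:PreferredProviders") or [])
    sim_enabled = env.get("STELLAOPS_CRYPTO_ENABLE_SIM") == "1"
    sim_url = env.get("STELLAOPS_CRYPTO_SIM_URL") or config_get(cfg, "StellaOps:Crypto:Sim:BaseAddress")
    if sim_enabled:
        # Simulation guidance: sim.crypto.remote goes first for the target profile.
        providers = [SIM_PROVIDER] + [p for p in providers if p != SIM_PROVIDER]

    missing_env = [PROVIDER_ENV[p] for p in providers
                   if p in PROVIDER_ENV and env.get(PROVIDER_ENV[p]) != "1"]
    return {
        "compliance": compliance,
        "registry_profile": registry,
        "providers": providers,
        "sim_url": sim_url if sim_enabled else None,
        # Simulator output is non-certified evidence (see simulation guidance).
        "certified": not (sim_enabled and providers[0] == SIM_PROVIDER),
        "missing_env": missing_env,
    }


if __name__ == "__main__":
    print(json.dumps(resolve(SAMPLE_APPSETTINGS, {"STELLAOPS_CRYPTO_ENABLE_SIM": "1"}), indent=2))
```

Run it with the sample config and STELLAOPS_CRYPTO_ENABLE_SIM=1 and the provider order comes back as sim.crypto.remote, ru.openssl.gost, ru.pkcs11 with certified false; switch the env selector to sm against the ru-offline registry and the resolver refuses the mismatch rather than silently signing under the wrong policy.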

Sample config (appsettings.json)

{
  "StellaOps": {
    "Crypto": {
      "Registry": {
        "ActiveProfile": "ru-offline",
        "PreferredProviders": [ "ru.openssl.gost", "ru.pkcs11", "sim.crypto.remote" ]
      },
      "Sim": {
        "BaseAddress": "http://localhost:8080"
      }
    },
    "Compliance": {
      "ProfileId": "gost",
      "StrictValidation": true
    }
  }
}

Licensing and hardware notes

  • CryptoPro: customer-provided .deb packages, Linux only. Accept EULA via CRYPTOPRO_ACCEPT_EULA=1; service wrapper at ops/cryptopro/linux-csp-service. Licensing/export posture is in docs/legal/crypto-compliance-review.md.
  • SM hardware: bring-up and PKCS#11 wiring in docs/security/sm-hardware-simulation.md.
  • FIPS/eIDAS/KCMVP hardware/QSCD: runbook in docs/security/fips-eidas-kcmvp-validation.md.
  • OpenSSL GOST remote signer (OSS baseline) in docs/security/openssl-gost-remote.md.

Simulation guidance

  • Default simulator: ops/crypto/sim-crypto-service + provider sim.crypto.remote (see docs/security/crypto-simulation-services.md).
  • Use the simulator to close sprints until certified evidence is available; keep “non-certified” labels in RootPack manifests.
  • Quick simulation steps:
    1. docker build -t sim-crypto -f ops/crypto/sim-crypto-service/Dockerfile ops/crypto/sim-crypto-service
    2. docker run --rm -p 8080:8080 sim-crypto
    3. Set STELLAOPS_CRYPTO_ENABLE_SIM=1 and STELLAOPS_CRYPTO_SIM_URL=http://localhost:8080
    4. Keep sim.crypto.remote first in PreferredProviders for the target profile.

Evidence expectations

  • JWKS export from Authority/Signer for the active profile.
  • CryptoProviderMetrics showing the chosen provider ID (oss, paid, or sim).
  • Fixed-message signing/verification logs (stellaops-crypto-profile-check) for audit trails.
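The three artefacts above are only useful as an audit trail if they agree with each other, so here is an added example (not StellaOps tooling) that cross-checks them: the JWKS export must contain the kid the sign/verify log used, the CryptoProviderMetrics provider ID must be one of the configured PreferredProviders and match the provider in the log, both sign and verify entries for the fixed message must report success, and evidence produced by sim.crypto.remote must carry the "non-certified" label the simulation guidance requires. The JWKS, metrics and key=value log shapes are constructed for illustration; only the artefact names and the fixed-message check name come from the page.

```python
"""Cross-check the JWKS export, CryptoProviderMetrics and fixed-message
sign/verify log this page asks for. Added example, not StellaOps tooling:
the artefact shapes below are constructed, only their names come from the page."""

SIM_PROVIDER = "sim.crypto.remote"
FIXED_MESSAGE = "stellaops-crypto-profile-check"

# Constructed JWKS export for the ru-offline profile (key material omitted).
SAMPLE_JWKS = {"keys": [{"kid": "ru-sim-2025-12", "kty": "EC", "use": "sig"}]}

# Constructed CryptoProviderMetrics snapshot.
SAMPLE_METRICS = {"provider_id": "sim.crypto.remote", "profile": "ru-offline",
                  "sign_count": 1, "verify_count": 1}

# Constructed sign/verify log lines in key=value form (assumed format).
SAMPLE_LOG = [
    "op=sign provider=sim.crypto.remote kid=ru-sim-2025-12 message=stellaops-crypto-profile-check ok=true",
    "op=verify provider=sim.crypto.remote kid=ru-sim-2025-12 message=stellaops-crypto-profile-check ok=true",
]


def parse_log_line(line):
    """Turn 'k=v k=v' into a dict; fields without '=' are ignored."""
    return dict(field.split("=", 1) for field in line.split() if "=" in field)


def check_evidence(jwks, metrics, log_lines, preferred_providers, manifest_labels):
    """Return a list of findings; an empty list means the evidence set is consistent."""
    findings = []
    kids = {k.get("kid") for k in jwks.get("keys", [])}
    if not kids:
        findings.append("JWKS export has no keys")

    provider = metrics.get("provider_id")
    if provider not in preferred_providers:
        findings.append(f"metrics provider {provider!r} not in PreferredProviders")

    # Keep the last sign and verify record for the fixed message.
    ops = {}
    for line in log_lines:
        rec = parse_log_line(line)
        if rec.get("message") == FIXED_MESSAGE:
            ops[rec.get("op")] = rec
    for op in ("sign", "verify"):
        rec = ops.get(op)
        if rec is None:
            findings.append(f"no {op} log entry for fixed message")
            continue
        if rec.get("ok") != "true":
            findings.append(f"{op} reported failure")
        if rec.get("provider") != provider:
            findings.append(f"{op} used provider {rec.get('provider')!r}, metrics say {provider!r}")
        if rec.get("kid") not in kids:
            findings.append(f"{op} kid {rec.get('kid')!r} absent from JWKS export")

    # Simulator evidence closes a sprint only if it is labelled non-certified.
    if provider == SIM_PROVIDER and "non-certified" not in manifest_labels:
        findings.append("simulator evidence must carry the non-certified label in RootPack manifests")
    return findings


if __name__ == "__main__":
    for f in check_evidence(SAMPLE_JWKS, SAMPLE_METRICS, SAMPLE_LOG,
                            ["sim.crypto.remote", "ru.openssl.gost"], []):
        print("FINDING:", f)
```

With the constructed samples and no manifest labels the only finding is the missing "non-certified" label; add the label and the set passes, swap the log's kid for one the JWKS does not carry and both the sign and verify entries are flagged.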