Crypto-Sovereign Design (eIDAS/FIPS/GOST/SM/PQC)

Module

Attestor

Status

IMPLEMENTED

Description

SigningKeyProfile supports crypto-sovereign configurations. SM2 tests exist for Chinese crypto support. The signing key registry supports multiple profiles. eIDAS, GOST, and PQC configurations appear to be partially supported through the profile system, but not all crypto backends are fully implemented.

What's Implemented

  • Signing Key Profile: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Signing/SigningKeyProfile.cs -- key profile supporting multiple algorithm families and sovereign configurations.
  • ProofChain Signer: Signing/ProofChainSigner.cs (with .Verification) -- signing through an algorithm-agnostic interface.
  • IProofChainKeyStore: Signing/IProofChainKeyStore.cs -- key store interface supporting multiple key types.
  • DSSE Signing: Signing/DsseEnvelope.cs, DsseSignature.cs, DssePreAuthenticationEncoding.cs -- DSSE envelope signing.
  • Attestor Signing Key Registry: StellaOps.Attestor.Infrastructure/Signing/AttestorSigningKeyRegistry.cs -- registry for multiple signing key profiles.
  • DSSE SPDX3 Signer: __Libraries/StellaOps.Attestor.Spdx3/DsseSpdx3Signer.cs -- SPDX3-specific signing.
  • DSSE Signing Provider: Spdx3/IDsseSigningProvider.cs -- provider interface for crypto operations.

Additional Implementation Found (Cryptography Plugins)

The following crypto plugins exist under src/Cryptography/ with a plugin architecture (CryptoPluginBase.cs, MultiProfileSigner.cs, SignatureProfile.cs):

  • GOST: src/Cryptography/StellaOps.Cryptography.Plugin.Gost/GostPlugin.cs -- GOST R 34.10-2012 support
  • eIDAS: src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/EidasPlugin.cs -- includes ETSI conformance test vectors
  • SM2/SM3: src/Cryptography/StellaOps.Cryptography.Plugin.Sm/ -- SM2/SM3 support
  • FIPS: src/Cryptography/StellaOps.Cryptography.Plugin.Fips/ -- FIPS 140 compliance plugin
  • HSM: src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/ -- HSM integration plugin
  • Tests: src/Cryptography/__Tests/ and src/__Libraries/__Tests/StellaOps.Cryptography.Tests/

What's Missing

  • Post-Quantum Cryptography (PQC): No CRYSTALS-Dilithium, SPHINCS+, or other PQC algorithm support. The profile system can model PQC keys but no backend implements them. This is the only major crypto profile gap.
  • eIDAS qualified signature validation: The plugin exists, but the check that timestamps meet the eIDAS Article 42 qualified timestamp requirements may not be complete.
  • Crypto provider integration with Attestor SigningKeyProfile: The Cryptography plugin system and the Attestor SigningKeyProfile are not fully bridged -- Attestor signing uses its own key profiles rather than the Cryptography plugin registry.
  • Algorithm negotiation: No cross-sovereign algorithm negotiation for interoperability between different crypto profiles.

Implementation Plan

  • Implement PQC plugin (CRYSTALS-Dilithium, SPHINCS+) following the existing CryptoPluginBase pattern
  • Bridge Cryptography plugin registry with Attestor SigningKeyProfile for unified key management
  • Add eIDAS Article 42 qualified timestamp validation
  • Add algorithm negotiation for cross-sovereign interoperability
  • Verify ETSI conformance test vectors pass end-to-end for eIDAS plugin
  • Source: See feature catalog