stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
5593212b414864ab213082c8945a267451b99901
git.stella-ops.org/docs/features/checked/cryptography/regional-crypto-profiles.md

3.5 KiB
Raw Blame History

Regional Crypto Profiles (FIPS, GOST, eIDAS, SM)

Module

Cryptography

Status

VERIFIED

Description

Full crypto profile system with plugins for FIPS, GOST, eIDAS (with qualified timestamping), SM (Chinese standards), and HSM (PKCS#11). Supports multi-profile signing and EdDSA/ECDSA-P256 profiles.

Implementation Details

  • FipsPlugin: src/Cryptography/StellaOps.Cryptography.Plugin.Fips/FipsPlugin.cs -- FIPS 140-2/3 compliant crypto provider restricting to approved algorithms (RSA, ECDSA, AES-GCM, SHA-2)
  • GostPlugin: src/Cryptography/StellaOps.Cryptography.Plugin.Gost/GostPlugin.cs -- Russian Federation GOST R 34.10-2012 (digital signatures) and GOST R 34.11-2012 Streebog (hashing) provider
  • EidasPlugin: src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/EidasPlugin.cs -- EU eIDAS provider with qualified timestamping (QualifiedTimestampVerifier, EuTrustListService, TimestampModeSelector) and CAdES signature building (CadesSignatureBuilder)
  • SmPlugin: src/Cryptography/StellaOps.Cryptography.Plugin.Sm/SmPlugin.cs -- Chinese national standards: SM2 (elliptic curve), SM3 (hash), SM4 (block cipher) provider
  • HsmPlugin: src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs -- PKCS#11 HSM integration with RSA/ECDSA/AES-GCM support
  • CryptoPluginBase: src/Cryptography/StellaOps.Cryptography.Plugin/CryptoPluginBase.cs -- abstract base for all crypto plugins; lifecycle management + ICryptoCapability interface
  • MultiProfileSigner: src/Cryptography/StellaOps.Cryptography/MultiProfileSigner.cs -- concurrent multi-profile signing via Task.WhenAll across IContentSigner profiles; returns MultiSignatureResult with all signatures
  • Ed25519Signer/Verifier: src/Cryptography/StellaOps.Cryptography.Profiles.EdDsa/Ed25519Signer.cs, Ed25519Verifier.cs -- EdDSA Ed25519 profile implementation
  • EcdsaP256Signer: src/Cryptography/StellaOps.Cryptography.Profiles.Ecdsa/EcdsaP256Signer.cs -- ECDSA P-256 profile implementation
  • IContentSigner/IContentVerifier: src/Cryptography/StellaOps.Cryptography/IContentSigner.cs, IContentVerifier.cs -- signer/verifier abstractions with Profile, Algorithm, KeyId
  • SignatureProfile: src/Cryptography/StellaOps.Cryptography/SignatureProfile.cs -- profile model
  • Source: Feature matrix scan

E2E Test Plan

  • Verify each regional plugin (FIPS, GOST, eIDAS, SM, HSM) loads and passes health check
  • Verify FIPS plugin rejects non-FIPS algorithms and accepts approved ones
  • Verify GOST plugin supports GOST R 34.10-2012 signing and GOST R 34.11-2012 hashing
  • Verify eIDAS plugin integrates qualified timestamping with EU Trust List validation
  • Verify SM plugin supports SM2 signing, SM3 hashing, SM4 encryption
  • Test multi-profile signing with EdDSA + GOST dual-stack produces two independent signatures
  • Verify Ed25519 signer/verifier round-trip (sign then verify)
  • Verify ECDSA P-256 signer round-trip
  • Test profile selection routes to correct plugin based on algorithm

Verification

Run ID: run-001 Date: 2026-02-10 Method: Tier 1 code review + Tier 2d test verification

Build: PASS (0 errors, 0 warnings) Tests: PASS (101/101 cryptography tests pass)

All 5 regional crypto profiles (FIPS, GOST, eIDAS, SM, HSM) fully implemented as plugins extending CryptoPluginBase. Each uses real cryptographic libraries. Ed25519Signer uses libsodium. EcdsaP256Signer uses .NET ECDsa. MultiProfileSigner enables dual-stack signing. Tests cover model validation, eIDAS timestamping, HSM integration.

Verdict: PASS