stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
88a85cdd92394204a7a8877e62f9f32df07848d9
git.stella-ops.org/docs/security/crypto-profile-configuration.md

6.9 KiB
Raw Blame History

Crypto Profile Configuration · 2025-12-11

How to pick regional crypto profiles, choose between free/paid providers, and enable simulations while hardware or licenses are pending.

Quick selectors

  • Compliance profile (hash/sign policy): STELLAOPS_CRYPTO_COMPLIANCE_PROFILE=world|fips|gost|sm|kcmvp|eidas (or config Crypto:Compliance:ProfileId).
  • Registry ordering: set StellaOps:Crypto:Registry:ActiveProfile (env: STELLAOPS__CRYPTO__REGISTRY__ACTIVEPROFILE) and PreferredProviders.
  • Simulation toggle: STELLAOPS_CRYPTO_ENABLE_SIM=1 (adds sim.crypto.remote to the registry); STELLAOPS_CRYPTO_SIM_URL=http://host:8080 if the simulator runs remotely.

Step-by-step: pick a region

  1. Choose the compliance profile ID and set STELLAOPS_CRYPTO_COMPLIANCE_PROFILE.
  2. Set StellaOps:Crypto:Registry:ActiveProfile to the region (see table below) and order the PreferredProviders.
  3. Decide on provider type:
    • Free/OSS: OpenSSL GOST (RU), SM soft, PQ soft, FIPS/eIDAS/KCMVP soft baselines.
    • Paid/licensed: CryptoPro (RU), QSCD (eIDAS), certified FIPS/KCMVP modules when available. See docs/legal/crypto-compliance-review.md for licensing/export notes.
    • Simulation: enable STELLAOPS_CRYPTO_ENABLE_SIM=1 and point STELLAOPS_CRYPTO_SIM_URL to sim-crypto-service.
  4. Apply any provider-specific env (e.g., CRYPTOPRO_ACCEPT_EULA=1, SM_SOFT_ALLOWED=1, PQ_SOFT_ALLOWED=1, PKCS#11 PINs).
  5. Capture evidence: JWKS export + CryptoProviderMetrics + fixed-message sign/verify logs.
  6. If you only need a smoke check without full tests, run dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj against a running simulator (see SIM_PROFILE/SIM_ALGORITHMS below).

Choosing a region

Region Compliance profile Registry profile / providers Free vs paid Simulation
RU (OSS) gost ActiveProfile: ru-offline; providers: ru.openssl.gost, ru.pkcs11 Free (OpenSSL) path on Linux. Optional remote signer: set STELLAOPS_RU_OPENSSL_REMOTE_URL=http://host:9090 (see docs/security/openssl-gost-remote.md). STELLAOPS_CRYPTO_ENABLE_SIM=1; sim covers GOST12 + Magma/Kuznyechik when hardware/licensing is unavailable.
RU (CryptoPro paid) gost Same profile; ensure ru.cryptopro.csp registered. Linux-only CSP service: bind customer .deb packages to /opt/cryptopro/downloads, set CRYPTOPRO_ACCEPT_EULA=1, run ops/cryptopro/linux-csp-service. Licensing model documented in docs/legal/crypto-compliance-review.md. Use simulator until licenses are supplied.
CN (SM) sm ActiveProfile: sm; providers: cn.sm.soft (env SM_SOFT_ALLOWED=1), optional PKCS#11. Hardware/PKCS#11 wiring in docs/security/sm-hardware-simulation.md. sim-crypto-service handles SM2 (sim.crypto.remote).
FIPS (US) fips Providers: fips.ecdsa.soft (env FIPS_SOFT_ALLOWED), KMS/OpenSSL FIPS when available. Certified module runbook: docs/security/fips-eidas-kcmvp-validation.md. Simulator covers ES256/384/512 (sim.crypto.remote).
eIDAS (EU) eidas Providers: eu.eidas.soft (env EIDAS_SOFT_ALLOWED). QSCD bring-up in docs/security/fips-eidas-kcmvp-validation.md. Simulator (sim.crypto.remote) until QSCD arrives.
KCMVP (KR) kcmvp Providers: kr.kcmvp.hash (env KCMVP_HASH_ALLOWED=1), future KCDSA/ARIA/SEED module. Hardware flow in docs/security/fips-eidas-kcmvp-validation.md. Simulator (sim.crypto.remote) while awaiting certified module.
PQ addenda (overlay) Enable via PQ_SOFT_ALLOWED=1; provider pq.soft. Uses liboqs/BouncyCastle soft providers. Simulator available via sim.crypto.remote if you want a remote signer.

Sample config (appsettings.json)

{
  "StellaOps": {
    "Crypto": {
      "Registry": {
        "ActiveProfile": "ru-offline",
        "PreferredProviders": [ "ru.openssl.gost", "ru.pkcs11", "sim.crypto.remote" ]
      },
      "Sim": {
        "BaseAddress": "http://localhost:8080"
      }
    },
    "Compliance": {
      "ProfileId": "gost",
      "StrictValidation": true
    }
  }
}

Licensing and hardware notes

  • CryptoPro: customer-provided .deb packages, Linux only. Accept EULA via CRYPTOPRO_ACCEPT_EULA=1; service wrapper at ops/cryptopro/linux-csp-service. Licensing/export posture is in docs/legal/crypto-compliance-review.md.
  • SM hardware: bring-up and PKCS#11 wiring in docs/security/sm-hardware-simulation.md.
  • FIPS/eIDAS/KCMVP hardware/QSCD: runbook in docs/security/fips-eidas-kcmvp-validation.md.
  • OpenSSL GOST remote signer (OSS baseline) in docs/security/openssl-gost-remote.md.

Simulation guidance

Use simulation paths when licensed hardware or certified modules are unavailable. They keep the registry/profile contracts stable while waiting for customer licenses (CryptoPro), QSCD devices (eIDAS), KCMVP modules, or SM PKCS#11 tokens.

Unified simulator (sim-crypto-service)

  • Location: ops/crypto/sim-crypto-service/
  • Provider ID: sim.crypto.remote
  • Algorithms covered:
    • GOST: GOST12-256, GOST12-512, ru.magma.sim, ru.kuznyechik.sim (deterministic HMAC-SHA256)
    • SM: SM2, sm.sim, sm2.sim (deterministic HMAC-SHA256)
    • PQ: DILITHIUM3, FALCON512, pq.sim (deterministic HMAC-SHA256)
    • FIPS/eIDAS/KCMVP/world: ES256, ES384, ES512, fips.sim, eidas.sim, kcmvp.sim, world.sim (ECDSA P-256 with static key)
  • The SimRemoteProviderOptions.Algorithms default list includes the IDs above; extend if you add new aliases.

Quick simulation steps

  1. Build and run:

    docker build -t sim-crypto -f ops/crypto/sim-crypto-service/Dockerfile ops/crypto/sim-crypto-service
docker run --rm -p 8080:8080 sim-crypto

  2. Configure environment:

    • Set STELLAOPS_CRYPTO_ENABLE_SIM=1 to append sim.crypto.remote to registry ordering.
    • Point the client: STELLAOPS_CRYPTO_SIM_URL=http://localhost:8080 or bind StellaOps:Crypto:Sim:BaseAddress.
    • Keep sim.crypto.remote first in PreferredProviders for the target profile.

  3. Quick check (curl):

    curl -s -X POST http://localhost:8080/sign -d '{"message":"stellaops-sim-check","algorithm":"SM2"}'

  4. Smoke harnesses (no VSTest):

    • PowerShell: ops/crypto/run-sim-smoke.ps1 (args: -BaseUrl http://localhost:5000 -SimProfile sm|ru-free|ru-paid|eidas|fips|kcmvp|pq)
    • Headless: dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj -c Release with SIM_PROFILE=ru-free|ru-paid|sm|eidas|fips|kcmvp|pq and optional SIM_MESSAGE/SIM_ALGORITHMS=SM2,pq.sim,ES256.

Use the simulator to close sprints until certified evidence is available; keep "non-certified" labels in RootPack manifests.

Evidence expectations

  • JWKS export from Authority/Signer for the active profile.
  • CryptoProviderMetrics showing the chosen provider ID (oss, paid, or sim).
  • Fixed-message signing/verification logs (stellaops-crypto-profile-check) for audit trails.