stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
b8b493913a27b931e1497fd9d04a9eff281e41cf
git.stella-ops.org/docs/security/crypto-profile-configuration.md
StellaOps Bot b8b493913a up
2025-12-11 08:20:04 +02:00

73 lines
5.7 KiB
Markdown
Raw Blame History

# Crypto Profile Configuration · 2025-12-11
How to pick regional crypto profiles, choose between free/paid providers, and enable simulations while hardware or licenses are pending.
## Quick selectors
- Compliance profile (hash/sign policy): `STELLAOPS_CRYPTO_COMPLIANCE_PROFILE=world|fips|gost|sm|kcmvp|eidas` (or config `Crypto:Compliance:ProfileId`).
- Registry ordering: set `StellaOps:Crypto:Registry:ActiveProfile` (env: `STELLAOPS__CRYPTO__REGISTRY__ACTIVEPROFILE`) and `PreferredProviders`.
- Simulation toggle: `STELLAOPS_CRYPTO_ENABLE_SIM=1` (adds `sim.crypto.remote` to the registry); `STELLAOPS_CRYPTO_SIM_URL=http://host:8080` if the simulator runs remotely.
## Step-by-step: pick a region
1) Choose the compliance profile ID and set `STELLAOPS_CRYPTO_COMPLIANCE_PROFILE`.
2) Set `StellaOps:Crypto:Registry:ActiveProfile` to the region (see table below) and order the `PreferredProviders`.
3) Decide on provider type:
- Free/OSS: OpenSSL GOST (RU), SM soft, PQ soft, FIPS/eIDAS/KCMVP soft baselines.
- Paid/licensed: CryptoPro (RU), QSCD (eIDAS), certified FIPS/KCMVP modules when available. See `docs/legal/crypto-compliance-review.md` for licensing/export notes.
- Simulation: enable `STELLAOPS_CRYPTO_ENABLE_SIM=1` and point `STELLAOPS_CRYPTO_SIM_URL` to `sim-crypto-service`.
4) Apply any provider-specific env (e.g., `CRYPTOPRO_ACCEPT_EULA=1`, `SM_SOFT_ALLOWED=1`, `PQ_SOFT_ALLOWED=1`, PKCS#11 PINs).
5) Capture evidence: JWKS export + `CryptoProviderMetrics` + fixed-message sign/verify logs.
6) If you only need a smoke check without full tests, run `dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj` against a running simulator (see `SIM_PROFILE`/`SIM_ALGORITHMS` below).
## Choosing a region
| Region | Compliance profile | Registry profile / providers | Free vs paid | Simulation |
| --- | --- | --- | --- | --- |
| RU (OSS) | `gost` | `ActiveProfile: ru-offline`; providers: `ru.openssl.gost`, `ru.pkcs11` | Free (OpenSSL) path on Linux. Optional remote signer: set `STELLAOPS_RU_OPENSSL_REMOTE_URL=http://host:9090` (see `docs/security/openssl-gost-remote.md`). | `STELLAOPS_CRYPTO_ENABLE_SIM=1`; sim covers GOST12 + Magma/Kuznyechik when hardware/licensing is unavailable. |
| RU (CryptoPro paid) | `gost` | Same profile; ensure `ru.cryptopro.csp` registered. | Linux-only CSP service: bind customer `.deb` packages to `/opt/cryptopro/downloads`, set `CRYPTOPRO_ACCEPT_EULA=1`, run `ops/cryptopro/linux-csp-service`. Licensing model documented in `docs/legal/crypto-compliance-review.md`. | Use simulator until licenses are supplied. |
| CN (SM) | `sm` | `ActiveProfile: sm`; providers: `cn.sm.soft` (env `SM_SOFT_ALLOWED=1`), optional PKCS#11. | Hardware/PKCS#11 wiring in `docs/security/sm-hardware-simulation.md`. | `sim-crypto-service` handles `SM2` (`sim.crypto.remote`). |
| FIPS (US) | `fips` | Providers: `fips.ecdsa.soft` (env `FIPS_SOFT_ALLOWED`), KMS/OpenSSL FIPS when available. | Certified module runbook: `docs/security/fips-eidas-kcmvp-validation.md`. | Simulator covers `ES256/384/512` (`sim.crypto.remote`). |
| eIDAS (EU) | `eidas` | Providers: `eu.eidas.soft` (env `EIDAS_SOFT_ALLOWED`). | QSCD bring-up in `docs/security/fips-eidas-kcmvp-validation.md`. | Simulator (`sim.crypto.remote`) until QSCD arrives. |
| KCMVP (KR) | `kcmvp` | Providers: `kr.kcmvp.hash` (env `KCMVP_HASH_ALLOWED=1`), future KCDSA/ARIA/SEED module. | Hardware flow in `docs/security/fips-eidas-kcmvp-validation.md`. | Simulator (`sim.crypto.remote`) while awaiting certified module. |
| PQ addenda | (overlay) | Enable via `PQ_SOFT_ALLOWED=1`; provider `pq.soft`. | Uses liboqs/BouncyCastle soft providers. | Simulator available via `sim.crypto.remote` if you want a remote signer. |
## Sample config (appsettings.json)
```json
{
"StellaOps": {
"Crypto": {
"Registry": {
"ActiveProfile": "ru-offline",
"PreferredProviders": [ "ru.openssl.gost", "ru.pkcs11", "sim.crypto.remote" ]
},
"Sim": {
"BaseAddress": "http://localhost:8080"
}
},
"Compliance": {
"ProfileId": "gost",
"StrictValidation": true
}
}
}
```
## Licensing and hardware notes
- CryptoPro: customer-provided `.deb` packages, Linux only. Accept EULA via `CRYPTOPRO_ACCEPT_EULA=1`; service wrapper at `ops/cryptopro/linux-csp-service`. Licensing/export posture is in `docs/legal/crypto-compliance-review.md`.
- SM hardware: bring-up and PKCS#11 wiring in `docs/security/sm-hardware-simulation.md`.
- FIPS/eIDAS/KCMVP hardware/QSCD: runbook in `docs/security/fips-eidas-kcmvp-validation.md`.
- OpenSSL GOST remote signer (OSS baseline) in `docs/security/openssl-gost-remote.md`.
## Simulation guidance
- Default simulator: `ops/crypto/sim-crypto-service` + provider `sim.crypto.remote` (see `docs/security/crypto-simulation-services.md`).
- Use the simulator to close sprints until certified evidence is available; keep "non-certified" labels in RootPack manifests.
- Quick simulation steps:
1) `docker build -t sim-crypto -f ops/crypto/sim-crypto-service/Dockerfile ops/crypto/sim-crypto-service`
2) `docker run --rm -p 8080:8080 sim-crypto`
3) Set `STELLAOPS_CRYPTO_ENABLE_SIM=1` and `STELLAOPS_CRYPTO_SIM_URL=http://localhost:8080`
4) Keep `sim.crypto.remote` first in `PreferredProviders` for the target profile.
5) Optional smoke harness (no VSTest): `dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj -c Release` with `SIM_PROFILE=ru-free|ru-paid|sm|eidas|fips|kcmvp|pq` and optional `SIM_MESSAGE`/`SIM_ALGORITHMS`.
## Evidence expectations
- JWKS export from Authority/Signer for the active profile.
- `CryptoProviderMetrics` showing the chosen provider ID (oss, paid, or sim).
- Fixed-message signing/verification logs (`stellaops-crypto-profile-check`) for audit trails.
Reference in New Issue View Git Blame Copy Permalink