stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 16 Releases Wiki Activity
Files
bc0762e97d251723854b9c4e482b218c8efb1e04
git.stella-ops.org/docs/legal/crypto-compliance-review.md
StellaOps Bot 965cbf9574
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Details
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Details
Findings Ledger CI / build-test (push) Has been cancelled
Details
Findings Ledger CI / migration-validation (push) Has been cancelled
Details
Manifest Integrity / Validate Schema Integrity (push) Has been cancelled
Details
Manifest Integrity / Validate Contract Documents (push) Has been cancelled
Details
Manifest Integrity / Validate Pack Fixtures (push) Has been cancelled
Details
Manifest Integrity / Audit SHA256SUMS Files (push) Has been cancelled
Details
Manifest Integrity / Verify Merkle Roots (push) Has been cancelled
Details
Findings Ledger CI / generate-manifest (push) Has been cancelled
Details
Add unit tests for PhpFrameworkSurface and PhpPharScanner 
- Implement comprehensive tests for PhpFrameworkSurface, covering scenarios such as empty surfaces, presence of routes, controllers, middlewares, CLI commands, cron jobs, and event listeners.
- Validate metadata creation for route counts, HTTP methods, protected and public routes, and route patterns.
- Introduce tests for PhpPharScanner, including handling of non-existent files, null or empty paths, invalid PHAR files, and minimal PHAR structures.
- Ensure correct computation of SHA256 for valid PHAR files and validate the properties of PhpPharArchive, PhpPharEntry, and PhpPharScanResult.
2025-12-07 13:44:13 +02:00

8.8 KiB
Raw Blame History

Crypto Compliance Review · License & Export Analysis

Status: DRAFT Date: 2025-12-07 Owners: Security Guild, Legal Unblocks: RU-CRYPTO-VAL-05, RU-CRYPTO-VAL-06

Overview

This document captures the licensing, export controls, and distribution guidance for cryptographic components in StellaOps, specifically:

  1. GostCryptography Fork (third_party/forks/AlexMAS.GostCryptography)
  2. CryptoPro Plugin (StellaOps.Cryptography.Plugin.CryptoPro)
  3. Regional Crypto Providers (GOST, SM2/SM3, eIDAS)

1. GostCryptography Fork

1.1 License

Attribute Value
Upstream https://github.com/AlexMAS/GostCryptography
License MIT
StellaOps Usage Source-vendored in third_party/forks/
Compatibility MIT is compatible with AGPL-3.0-or-later

1.2 Attribution Requirements

The MIT license requires attribution in distributed software:

Copyright (c) 2014-2024 AlexMAS
See third_party/forks/AlexMAS.GostCryptography/LICENSE

Required Actions:

  • Keep LICENSE file in fork directory
  • Add attribution to NOTICE.md in repository root
  • Include attribution in RootPack_RU bundle documentation

1.3 Distribution Guidance

Distribution Channel Allowed Notes
StellaOps Source Yes Fork stays vendored
RootPack_RU Bundle Yes Source + binaries allowed
Public NuGet No Do not publish as standalone package
Container Images Yes With source attribution

2. CryptoPro CSP Plugin

2.1 License

Attribute Value
Vendor CryptoPro LLC (crypto-pro.ru)
Product CryptoPro CSP 5.0
License Type Commercial (per-deployment)
Cost Varies by tier (~$50-200 USD per instance)

2.2 Distribution Model

CryptoPro CSP is not redistributable by StellaOps. The distribution model is:

┌─────────────────────────────────────────────────────────────────┐
│                        Distribution Model                        │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  StellaOps ships:                                               │
│  ├── Plugin source code (AGPL-3.0-or-later)                     │
│  ├── Interface bindings to CryptoPro CSP                        │
│  └── Documentation for customer-provided CSP installation       │
│                                                                  │
│  Customer provides:                                              │
│  ├── CryptoPro CSP license                                      │
│  ├── CSP binaries installed on target system                    │
│  └── PKCS#11 module path configuration                          │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘

2.3 Configuration for Customer-Provided CSP

# etc/authority.yaml - Customer configures CSP path
crypto:
  pkcs11:
    library_path: /opt/cprocsp/lib/amd64/libcapi20.so  # Customer-provided
    slot_id: 0
    pin_env: AUTHORITY_HSM_PIN

2.4 Documentation Requirements

  • Document that CSP is "customer-provided" in installation guide
  • Add EULA notice that CSP licensing is customer responsibility
  • Include CSP version compatibility matrix (CSP 4.0/5.0)

3. Export Control Analysis

3.1 Applicable Regulations

Regulation Jurisdiction Relevance
EAR (Export Administration Regulations) USA Crypto export controls
Wassenaar Arrangement 42 countries Dual-use goods
EU Dual-Use Regulation EU Crypto controls
Russian Export Controls Russia GOST algorithm distribution

3.2 Algorithm Classification

Algorithm Classification Notes
ECDSA P-256/P-384 Mass-market exempt Widely available
RSA 2048+ Mass-market exempt Widely available
EdDSA (Ed25519) Mass-market exempt Widely available
GOST R 34.10-2012 Regional use See Section 3.3
SM2/SM3 Regional use Chinese national standard

3.3 GOST Algorithm Guidance

GOST algorithms (GOST R 34.10-2012, GOST R 34.11-2012) are:

  • Not export-controlled from Russia when used in commercial software
  • May be restricted for import into certain jurisdictions
  • Recommended for use only in RootPack_RU deployments targeting Russian customers

Guidance:

  1. Default StellaOps distribution does NOT include GOST algorithms enabled
  2. RootPack_RU is a separate distribution with GOST opt-in
  3. Document that customers are responsible for compliance with local crypto regulations

3.4 Distribution Matrix

Component Global RootPack_RU RootPack_CN Notes
Core StellaOps Yes Yes Yes ECDSA/RSA/EdDSA
GostCryptography Fork Source only Source + Binary No MIT license
CryptoPro Plugin Interface only Interface + docs No Customer-provided CSP
SM2/SM3 Plugin No No Interface + docs Customer-provided HSM

4. EULA and Notice Requirements

4.1 NOTICE.md Addition

Add to repository NOTICE.md:

## Third-Party Cryptographic Components

### GostCryptography (MIT License)
Copyright (c) 2014-2024 AlexMAS
https://github.com/AlexMAS/GostCryptography

This software includes a forked version of the GostCryptography library
for GOST algorithm support. The fork is located at:
third_party/forks/AlexMAS.GostCryptography/

### CryptoPro CSP Integration
The CryptoPro CSP plugin provides integration with CryptoPro CSP software.
CryptoPro CSP is commercial software and must be licensed separately by
the end user. StellaOps does not distribute CryptoPro CSP binaries.

4.2 Installation Guide Addition

Add to installation documentation:

## Regional Crypto Support (Optional)

### Russian Federation (RootPack_RU)

StellaOps supports GOST R 34.10-2012 signing through integration with
CryptoPro CSP. This integration requires:

1. A valid CryptoPro CSP license (obtained separately from crypto-pro.ru)
2. CryptoPro CSP 4.0 or 5.0 installed on the target system
3. Configuration of the PKCS#11 module path

**Note:** CryptoPro CSP is commercial software. StellaOps provides only
the integration plugin; the CSP runtime must be licensed and installed
by the customer.

5. CI/Testing Implications

5.1 Test Environment Requirements

Environment CSP Required Legal Status
Development (Linux) No OpenSSL GOST engine fallback
CI (Linux) No Mock/skip CSP tests
CI (Windows opt-in) Yes Customer/StellaOps license
Production Customer Customer license

5.2 CI Guard Implementation

Tests are guarded by environment variable:

[Fact]
[SkipUnless("STELLAOPS_CRYPTO_PRO_ENABLED", "1")]
public async Task CryptoProSigner_SignsWithGost()
{
    // Test only runs when CSP is available and licensed
}

5.3 Wine Loader Experiment (RU-CRYPTO-VAL-05)

Status: BLOCKED pending legal review

Running CryptoPro CSP DLLs under Wine for cross-platform testing:

Consideration Assessment
Technical Feasibility Uncertain - CSP uses Windows APIs
Legal Permissibility Requires CryptoPro EULA review
Recommendation Defer to Windows-only testing

Decision: Do not pursue Wine loader approach until/unless CryptoPro explicitly permits this use case in their EULA.

6. Action Items

Immediate (unblocks RU-CRYPTO-VAL-06)

  • Document fork licensing (MIT) ← This document
  • Document CryptoPro distribution model ← This document
  • Add attribution to NOTICE.md
  • Update installation guide with CSP requirements

Short-term

  • Review CryptoPro EULA for Wine usage (if needed)
  • Create regional distribution manifests for RootPack_RU
  • Add compliance checkboxes to RootPack_RU installation

For Legal Sign-off

  • Confirm MIT + AGPL-3.0 compatibility statement
  • Confirm customer-provided model for CSP is acceptable
  • Review export control applicability for GOST distribution

7. Sign-off Log

Role Name Date Notes
Security Guild
Legal
Product

Document Version: 1.0.0 Last Updated: 2025-12-07