stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
bc4318ef971247e18c9c05f8b7838880f6584dc3
git.stella-ops.org/docs/cli/compliance-guide.md
master b444284be5 docs: Archive Sprint 3500 (PoE), Sprint 7100 (Proof Moats), and additional sprints 
Archive completed sprint documentation and deliverables:

## SPRINT_3500 - Proof of Exposure (PoE) Implementation (COMPLETE )
- Windows filesystem hash sanitization (colon → underscore)
- Namespace conflict resolution (Subgraph → PoESubgraph)
- Mock test improvements with It.IsAny<>()
- Direct orchestrator unit tests
- 8/8 PoE tests passing (100% success)
- Archived to: docs/implplan/archived/2025-12-23-sprint-3500-poe/

## SPRINT_7100.0001 - Proof-Driven Moats Core (COMPLETE )
- Four-tier backport detection system
- 9 production modules (4,044 LOC)
- Binary fingerprinting (TLSH + instruction hashing)
- VEX integration with proof-carrying verdicts
- 42+ unit tests passing (100% success)
- Archived to: docs/implplan/archived/2025-12-23-sprint-7100-proof-moats/

## SPRINT_7100.0002 - Proof Moats Storage Layer (COMPLETE )
- PostgreSQL repository implementations
- Database migrations (4 evidence tables + audit)
- Test data seed scripts (12 evidence records, 3 CVEs)
- Integration tests with Testcontainers
- <100ms proof generation performance
- Archived to: docs/implplan/archived/2025-12-23-sprint-7100-proof-moats/

## SPRINT_3000_0200 - Authority Admin & Branding (COMPLETE )
- Console admin RBAC UI components
- Branding editor with tenant isolation
- Authority backend endpoints
- Archived to: docs/implplan/archived/

## Additional Documentation
- CLI command reference and compliance guides
- Module architecture docs (26 modules documented)
- Data schemas and contracts
- Operations runbooks
- Security risk models
- Product roadmap

All archived sprints achieved 100% completion of planned deliverables.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-23 15:02:38 +02:00

657 lines
18 KiB
Markdown
Raw Blame History

# stella CLI - Regional Cryptographic Compliance Guide
**Sprint:** SPRINT_4100_0006_0006 - CLI Documentation Overhaul
## Overview
StellaOps CLI supports regional cryptographic algorithms to comply with national and international cryptographic standards and regulations. This guide covers compliance requirements for:
- **GOST** (Russia and CIS states)
- **eIDAS** (European Union)
- **SM** (China)
**Important:** Use the distribution appropriate for your jurisdiction. Unauthorized export or use of regional cryptographic implementations may violate export control laws.
---
## GOST (Russia and CIS States)
### Overview
**GOST** (Государственный стандарт, State Standard) refers to the family of Russian cryptographic standards mandated for government and regulated sectors in Russia and CIS states.
**Applicable Jurisdictions:** Russia, Belarus, Kazakhstan, Armenia, Kyrgyzstan
**Legal Basis:**
- Federal Law No. 63-FZ "On Electronic Signature" (2011)
- FSTEC (Federal Service for Technical and Export Control) regulations
- GOST standards published by Rosstandart
---
### GOST Standards
| Standard | Name | Purpose |
|----------|------|---------|
| **GOST R 34.10-2012** | Digital Signature Algorithm | Elliptic curve digital signatures (256-bit and 512-bit) |
| **GOST R 34.11-2012** (Streebog) | Hash Function | Cryptographic hash (256-bit and 512-bit) |
| **GOST R 34.12-2015** (Kuznyechik) | Block Cipher | Symmetric encryption (256-bit key) |
| **GOST R 34.12-2015** (Magma) | Block Cipher | Legacy symmetric encryption (256-bit key, formerly GOST 28147-89) |
| **GOST R 34.13-2015** | Cipher Modes | Modes of operation for block ciphers |
---
### Crypto Providers
The `stella-russia` distribution includes three GOST providers:
#### 1. CryptoPro CSP (Recommended for Production)
**Provider:** Commercial CSP from CryptoPro
**Certification:** FSTEC-certified
**License:** Commercial (required for production use)
**Installation:**
```bash
# Install CryptoPro CSP (requires license)
sudo ./install.sh
# Verify installation
/opt/cprocsp/bin/amd64/csptestf -absorb -alg GR3411_2012_256
```
**Configuration:**
```yaml
StellaOps:
Crypto:
Providers:
Gost:
CryptoProCsp:
Enabled: true
ContainerName: "StellaOps-GOST-2024"
ProviderType: 80 # PROV_GOST_2012_256
```
**Usage:**
```bash
stella crypto sign \
--provider gost \
--algorithm GOST12-256 \
--key-id gost-prod-key \
--file document.pdf \
--output document.pdf.sig
```
#### 2. OpenSSL-GOST (Open Source, Non-certified)
**Provider:** OpenSSL with GOST engine
**Certification:** Not FSTEC-certified (development/testing only)
**License:** Open source
**Installation:**
```bash
# Install OpenSSL with GOST engine
sudo apt install openssl gost-engine
# Verify installation
openssl engine gost
```
**Configuration:**
```yaml
StellaOps:
Crypto:
Providers:
Gost:
OpenSslGost:
Enabled: true
EnginePath: "/usr/lib/x86_64-linux-gnu/engines-1.1/gost.so"
```
#### 3. PKCS#11 (HSM Support)
**Provider:** PKCS#11 interface to hardware security modules
**Certification:** Depends on HSM (e.g., Rutoken, JaCarta)
**License:** Depends on HSM vendor
**Configuration:**
```yaml
StellaOps:
Crypto:
Providers:
Gost:
Pkcs11:
Enabled: true
LibraryPath: "/usr/lib/librtpkcs11ecp.so"
SlotId: 0
```
---
### Algorithms
| Algorithm | Description | GOST Standard | Key Size | Recommended |
|-----------|-------------|---------------|----------|-------------|
| `GOST12-256` | GOST R 34.10-2012 (256-bit) | GOST R 34.10-2012 | 256-bit | ✅ Yes |
| `GOST12-512` | GOST R 34.10-2012 (512-bit) | GOST R 34.10-2012 | 512-bit | ✅ Yes |
| `GOST2001` | GOST R 34.10-2001 (legacy) | GOST R 34.10-2001 | 256-bit | ⚠️ Legacy |
**Recommendation:** Use `GOST12-256` or `GOST12-512` for new implementations. `GOST2001` is supported for backward compatibility only.
---
### Configuration Example
```yaml
# appsettings.gost.yaml
StellaOps:
Backend:
BaseUrl: "https://api.stellaops.ru"
Crypto:
DefaultProvider: "gost"
Profiles:
- name: "gost-prod-signing"
provider: "gost"
algorithm: "GOST12-256"
keyId: "gost-prod-key-2024"
- name: "gost-qualified-signature"
provider: "gost"
algorithm: "GOST12-512"
keyId: "gost-qes-key"
Providers:
Gost:
CryptoProCsp:
Enabled: true
ContainerName: "StellaOps-GOST"
ProviderType: 80
Keys:
- KeyId: "gost-prod-key-2024"
Algorithm: "GOST12-256"
Source: "csp"
FriendlyName: "Production GOST Signing Key 2024"
- KeyId: "gost-qes-key"
Algorithm: "GOST12-512"
Source: "csp"
FriendlyName: "Qualified Electronic Signature Key"
```
---
### Test Vectors (FSTEC Compliance)
Verify your GOST implementation with official test vectors:
```bash
# Test vector from GOST R 34.11-2012 (Streebog hash)
echo -n "012345678901234567890123456789012345678901234567890123456789012" | \
openssl dgst -engine gost -streebog256
# Expected output:
# 9d151eefd8590b89daa6ba6cb74af9275dd051026bb149a452fd84e5e57b5500
```
**Official Test Vectors:**
- GOST R 34.10-2012: [TC26 GitHub](https://github.com/tc26/gost-crypto/blob/master/test_vectors/)
- GOST R 34.11-2012: [RFC 6986 Appendix A](https://datatracker.ietf.org/doc/html/rfc6986#appendix-A)
---
### Compliance Checklist
- [ ] Use FSTEC-certified cryptographic provider (CryptoPro CSP or certified HSM)
- [ ] Use GOST R 34.10-2012 (not legacy GOST 2001) for new signatures
- [ ] Use GOST R 34.11-2012 (Streebog) for hashing
- [ ] Store private keys in certified HSM for qualified signatures
- [ ] Maintain key management records per FSTEC requirements
- [ ] Obtain certificate from accredited Russian CA for qualified signatures
- [ ] Verify signatures against FSTEC test vectors
---
### Legal Considerations
**Export Control:**
- GOST implementations are subject to Russian export control laws
- Distribution outside Russia/CIS may require special permissions
- StellaOps `stella-russia` distribution is authorized for Russia/CIS only
**Qualified Electronic Signatures:**
- Qualified signatures require accredited CA certificate
- Accredited CAs: [Ministry of Digital Development list](https://digital.gov.ru/en/)
- Private keys must be stored in FSTEC-certified HSM
---
## eIDAS (European Union)
### Overview
**eIDAS** (electronic IDentification, Authentication and trust Services) is the EU regulation (No 910/2014) governing electronic signatures, seals, and trust services across EU member states.
**Applicable Jurisdictions:** All 27 EU member states + EEA (Norway, Iceland, Liechtenstein)
**Legal Basis:**
- Regulation (EU) No 910/2014 (eIDAS Regulation)
- ETSI standards for implementation
- National laws implementing eIDAS
---
### Signature Levels
| Level | Name | Description | Recommended Use |
|-------|------|-------------|-----------------|
| **QES** | Qualified Electronic Signature | Equivalent to handwritten signature | Contracts, legal documents |
| **AES** | Advanced Electronic Signature | High assurance, not qualified | Internal approvals, workflows |
| **AdES** | Advanced Electronic Signature | Basic electronic signature | General document signing |
---
### Crypto Providers
The `stella-eu` distribution includes eIDAS-compliant providers:
#### 1. TSP Client (Remote Qualified Signature)
**Provider:** Trust Service Provider remote signing client
**Certification:** Depends on TSP (must be EU-qualified)
**License:** Subscription-based (per TSP)
**Configuration:**
```yaml
StellaOps:
Crypto:
Providers:
Eidas:
TspClient:
Enabled: true
TspUrl: "https://tsp.example.eu/api/v1/sign"
ApiKey: "${EIDAS_TSP_API_KEY}"
CertificateId: "qes-cert-2024"
```
**Usage:**
```bash
# Sign with QES (Qualified Electronic Signature)
stella crypto sign \
--provider eidas \
--algorithm ECDSA-P256-QES \
--key-id qes-cert-2024 \
--file contract.pdf \
--output contract.pdf.sig
```
#### 2. Local Signer (Advanced Signature)
**Provider:** Local signing with software keys
**Certification:** Not qualified (AES/AdES only)
**License:** Open source
**Configuration:**
```yaml
StellaOps:
Crypto:
Providers:
Eidas:
LocalSigner:
Enabled: true
KeyStorePath: "/etc/stellaops/eidas-keys"
```
---
### Standards
| Standard | Name | Purpose |
|----------|------|---------|
| **ETSI EN 319 412** | Certificate Profiles | Requirements for certificates (QES, AES) |
| **ETSI EN 319 102** | Signature Policies | Signature policy requirements |
| **ETSI EN 319 142** | PAdES (PDF Signatures) | PDF Advanced Electronic Signatures |
| **ETSI TS 119 432** | Remote Signing | Remote signature creation protocols |
| **ETSI EN 319 401** | Trust Service Providers | TSP requirements and policies |
---
### Algorithms
| Algorithm | Description | Signature Level | Recommended |
|-----------|-------------|-----------------|-------------|
| `ECDSA-P256-QES` | ECDSA with P-256 curve (QES) | QES | ✅ Yes |
| `ECDSA-P384-QES` | ECDSA with P-384 curve (QES) | QES | ✅ Yes |
| `RSA-2048-QES` | RSA 2048-bit (QES) | QES | ⚠️ Use ECDSA |
| `ECDSA-P256-AES` | ECDSA with P-256 curve (AES) | AES | ✅ Yes |
**Recommendation:** Use ECDSA P-256 or P-384 for new implementations. RSA is supported but ECDSA is preferred.
---
### Configuration Example
```yaml
# appsettings.eidas.yaml
StellaOps:
Backend:
BaseUrl: "https://api.stellaops.eu"
Crypto:
DefaultProvider: "eidas"
Profiles:
- name: "eidas-qes"
provider: "eidas"
algorithm: "ECDSA-P256-QES"
keyId: "qes-cert-2024"
- name: "eidas-aes"
provider: "eidas"
algorithm: "ECDSA-P256-AES"
keyId: "aes-cert-2024"
Providers:
Eidas:
TspClient:
Enabled: true
TspUrl: "https://tsp.example.eu/api/v1/sign"
ApiKey: "${EIDAS_TSP_API_KEY}"
# Qualified Trust Service Provider
TspProfile:
Name: "Example Trust Services Provider"
QualifiedStatus: true
Country: "DE"
TrustedListUrl: "https://tsp.example.eu/tsl.xml"
Keys:
- KeyId: "qes-cert-2024"
Algorithm: "ECDSA-P256-QES"
Source: "tsp"
SignatureLevel: "QES"
FriendlyName: "Qualified Electronic Signature 2024"
- KeyId: "aes-cert-2024"
Algorithm: "ECDSA-P256-AES"
Source: "local"
SignatureLevel: "AES"
FriendlyName: "Advanced Electronic Signature 2024"
```
---
### EU Trusted List Validation
Verify TSP is on the EU Trusted List:
```bash
# Download EU Trusted List
wget https://ec.europa.eu/tools/lotl/eu-lotl.xml
# Validate TSP certificate against trusted list
stella crypto verify-tsp \
--tsp-cert tsp-certificate.pem \
--trusted-list eu-lotl.xml
```
**Official EU Trusted List:**
- https://ec.europa.eu/digital-building-blocks/wikis/display/DIGITAL/EU+Trusted+Lists
---
### Compliance Checklist
#### For QES (Qualified Electronic Signature):
- [ ] Use EU-qualified Trust Service Provider (on EU Trusted List)
- [ ] Verify TSP certificate is qualified according to ETSI EN 319 412-2
- [ ] Use signature policy compliant with ETSI EN 319 102-1
- [ ] Include qualified certificate in signature
- [ ] Use qualified signature creation device (QSCD) for key storage
- [ ] Validate against EU Trusted List before accepting signatures
- [ ] Maintain signature validation for 30+ years (long-term validation)
#### For AES (Advanced Electronic Signature):
- [ ] Uniquely linked to signatory
- [ ] Capable of identifying signatory
- [ ] Created using secure signature creation data
- [ ] Linked to signed data to detect alterations
---
### Legal Considerations
**Cross-border Recognition:**
- QES has same legal effect as handwritten signature in all EU member states
- AES/AdES may have varying legal recognition across member states
**Long-term Validation:**
- QES must remain verifiable for decades
- Use AdES with long-term validation (LTV) attributes
- Timestamp signatures to prove time of signing
**Data Protection (GDPR):**
- eIDAS signatures may contain personal data
- Comply with GDPR when processing signature certificates
- Obtain consent for processing qualified certificate data
---
## SM (China)
### Overview
**SM** (ShāngMì, 商密, Commercial Cipher) refers to China's national cryptographic algorithms mandated by OSCCA (Office of State Commercial Cryptography Administration).
**Applicable Jurisdiction:** People's Republic of China
**Legal Basis:**
- Cryptography Law of PRC (2020)
- GM/T standards published by OSCCA
- MLPS 2.0 (Multi-Level Protection Scheme 2.0)
---
### SM Standards
| Standard | Name | Purpose |
|----------|------|---------|
| **GM/T 0003-2012** (SM2) | Public Key Cryptographic Algorithm | Elliptic curve signatures and encryption (256-bit) |
| **GM/T 0004-2012** (SM3) | Cryptographic Hash Algorithm | Hash function (256-bit output) |
| **GM/T 0002-2012** (SM4) | Block Cipher Algorithm | Symmetric encryption (128-bit key) |
| **GM/T 0009-2012** (SM9) | Identity-Based Cryptography | Identity-based encryption and signatures |
---
### Crypto Providers
The `stella-china` distribution includes SM providers:
#### 1. GmSSL (Open Source)
**Provider:** GmSSL library
**Certification:** Not OSCCA-certified (development/testing only)
**License:** Apache 2.0
**Installation:**
```bash
# Install GmSSL
sudo apt install gmssl
# Verify installation
gmssl version
```
**Configuration:**
```yaml
StellaOps:
Crypto:
Providers:
Sm:
GmSsl:
Enabled: true
LibraryPath: "/usr/lib/libgmssl.so"
```
#### 2. Commercial CSP (OSCCA-certified)
**Provider:** OSCCA-certified commercial CSP
**Certification:** OSCCA-certified (required for production)
**License:** Commercial (vendor-specific)
**Configuration:**
```yaml
StellaOps:
Crypto:
Providers:
Sm:
CommercialCsp:
Enabled: true
VendorId: "vendor-name"
DeviceId: "device-serial"
```
---
### Algorithms
| Algorithm | Description | GM Standard | Key Size | Recommended |
|-----------|-------------|-------------|----------|-------------|
| `SM2` | Elliptic curve signature and encryption | GM/T 0003-2012 | 256-bit | ✅ Yes |
| `SM3` | Cryptographic hash | GM/T 0004-2012 | 256-bit output | ✅ Yes |
| `SM4` | Block cipher | GM/T 0002-2012 | 128-bit key | ✅ Yes |
| `SM9` | Identity-based crypto | GM/T 0009-2012 | 256-bit | ⚠️ Specialized |
---
### Configuration Example
```yaml
# appsettings.sm.yaml
StellaOps:
Backend:
BaseUrl: "https://api.stellaops.cn"
Crypto:
DefaultProvider: "sm"
Profiles:
- name: "sm-prod-signing"
provider: "sm"
algorithm: "SM2"
keyId: "sm-prod-key-2024"
Providers:
Sm:
GmSsl:
Enabled: true
LibraryPath: "/usr/lib/libgmssl.so"
Keys:
- KeyId: "sm-prod-key-2024"
Algorithm: "SM2"
Source: "file"
FilePath: "/etc/stellaops/keys/sm-key.pem"
FriendlyName: "Production SM2 Signing Key 2024"
```
---
### Usage Example
```bash
# Sign with SM2
stella crypto sign \
--provider sm \
--algorithm SM2 \
--key-id sm-prod-key-2024 \
--file document.pdf \
--output document.pdf.sig
# Verify SM2 signature
stella crypto verify \
--provider sm \
--algorithm SM2 \
--key-id sm-prod-key-2024 \
--file document.pdf \
--signature document.pdf.sig
```
---
### Test Vectors (OSCCA Compliance)
Verify your SM implementation with official test vectors:
```bash
# Test vector from GM/T 0004-2012 (SM3 hash)
echo -n "abc" | gmssl sm3
# Expected output:
# 66c7f0f462eeedd9d1f2d46bdc10e4e24167c4875cf2f7a2297da02b8f4ba8e0
```
**Official Test Vectors:**
- SM2: [GM/T 0003-2012 Appendix A](http://www.gmbz.org.cn/main/viewfile/20180108023812835219.html)
- SM3: [GM/T 0004-2012 Appendix A](http://www.gmbz.org.cn/main/viewfile/20180108023528214322.html)
---
### Compliance Checklist
- [ ] Use OSCCA-certified cryptographic product for production
- [ ] Use SM2 for digital signatures (not RSA/ECDSA)
- [ ] Use SM3 for hashing (not SHA-256)
- [ ] Use SM4 for symmetric encryption (not AES)
- [ ] Obtain commercial cipher product model certificate
- [ ] Register commercial cipher use with local authorities (MLPS 2.0)
- [ ] Store keys in OSCCA-certified hardware for sensitive applications
---
### Legal Considerations
**Export Control:**
- SM implementations are subject to Chinese export control laws
- Distribution outside China may require special permissions
- StellaOps `stella-china` distribution is authorized for China only
**MLPS 2.0 Requirements:**
- Level 2+: SM algorithms recommended
- Level 3+: SM algorithms mandatory
- Level 4+: SM algorithms + OSCCA-certified hardware mandatory
**Commercial Cipher Regulations:**
- Commercial use requires OSCCA product certification
- Open-source implementations (GmSSL) for development/testing only
- Production systems must use OSCCA-certified CSPs
---
## Distribution Selection
| Your Location | Required Compliance | Distribution |
|---------------|---------------------|--------------|
| Russia, CIS | GOST R 34.10-2012 (government/regulated) | `stella-russia` |
| EU Member State | eIDAS QES (legal documents) | `stella-eu` |
| China | SM2/SM3/SM4 (MLPS 2.0 Level 3+) | `stella-china` |
| Other | None (international standards) | `stella-international` |
---
## See Also
- [CLI Overview](README.md) - Installation and quick start
- [CLI Architecture](architecture.md) - Plugin architecture
- [Command Reference](command-reference.md) - Crypto command usage
- [Crypto Plugin Development](crypto-plugins.md) - Develop custom plugins
- [Distribution Matrix](distribution-matrix.md) - Build and distribution guide
- [Troubleshooting](troubleshooting.md) - Common compliance issues
Reference in New Issue View Git Blame Copy Permalink