git.stella-ops.org/docs/doctor/articles/crypto/eidas.md
master c58a236d70 Doctor plugin checks: implement health check classes and documentation
Implement remediation-aware health checks across all Doctor plugin modules
(Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment,
EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release,
Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation,
Authority, Core, Cryptography, Database, Docker, Integration, Notify,
Observability, Security, ServiceGraph, Sources, Verification).

Each check now emits structured remediation metadata (severity, category,
runbook links, and fix suggestions) consumed by the Doctor dashboard
remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 12:28:00 +02:00


| checkId | plugin | severity | tags |
| --- | --- | --- | --- |
| check.crypto.eidas | stellaops.doctor.crypto | fail | crypto, eidas, eu, compliance, signature |

eIDAS Compliance

What It Checks

Verifies that eIDAS-compliant signature algorithms are available for EU deployments. The check references ETSI TS 119 312 (Cryptographic Suites) and validates availability of the following required algorithms:

  • RSA-PSS-SHA256 (RSA-PSS with SHA-256)
  • RSA-PSS-SHA384 (RSA-PSS with SHA-384)
  • RSA-PSS-SHA512 (RSA-PSS with SHA-512)
  • ECDSA-P256-SHA256 (ECDSA with P-256 and SHA-256)
  • ECDSA-P384-SHA384 (ECDSA with P-384 and SHA-384)
  • Ed25519 (EdDSA with Curve25519)

The check also validates the minimum RSA key size. Per eIDAS guidelines post-2024, RSA keys must be at least 3072 bits. The configured minimum is read from Crypto:MinRsaKeySize (default 2048), so a deployment that keeps the default will warn even when every required algorithm is present.

| Condition | Result |
| --- | --- |
| Any required algorithm missing | Fail |
| All algorithms available but RSA key size < 3072 | Warn |
| All algorithms available and key size >= 3072 | Pass |

Evidence collected: CryptoProfile, AvailableAlgorithms, MissingAlgorithms, MinRsaKeySize, RequiredMinRsaKeySize.

The check only runs when Crypto:Profile or Cryptography:Profile contains "eidas", "eu", or "european".
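The gating rule, decision table and evidence fields above, as an added Python model of the check; this is not the Doctor plugin's own C# code. How the plugin probes the runtime for algorithm availability is not described here, so the set of available algorithms is passed in (the sample set below is constructed). Configuration is read the way .NET maps keys to environment variables: Crypto:MinRsaKeySize becomes Crypto__MinRsaKeySize.

```python
import os
from dataclasses import dataclass, field

# Algorithms the check requires (ETSI TS 119 312, as listed above).
REQUIRED_ALGORITHMS = (
    "RSA-PSS-SHA256", "RSA-PSS-SHA384", "RSA-PSS-SHA512",
    "ECDSA-P256-SHA256", "ECDSA-P384-SHA384", "Ed25519",
)
REQUIRED_MIN_RSA_KEY_SIZE = 3072   # post-2024 eIDAS minimum
DEFAULT_MIN_RSA_KEY_SIZE = 2048    # default for Crypto:MinRsaKeySize
PROFILE_TRIGGERS = ("eidas", "eu", "european")


@dataclass
class CheckResult:
    status: str                      # "skip", "pass", "warn" or "fail"
    evidence: dict = field(default_factory=dict)


def read_config(env: dict, key: str, default: str) -> str:
    """Resolve a .NET config key from environment variables (':' -> '__')."""
    return env.get(key.replace(":", "__"), default)


def run_eidas_check(env: dict, available: set) -> CheckResult:
    # The check only runs when the crypto profile names an EU/eIDAS deployment.
    profile = (read_config(env, "Crypto:Profile", "")
               or read_config(env, "Cryptography:Profile", ""))
    if not any(t in profile.lower() for t in PROFILE_TRIGGERS):
        return CheckResult("skip", {"CryptoProfile": profile})

    min_rsa = int(read_config(env, "Crypto:MinRsaKeySize", str(DEFAULT_MIN_RSA_KEY_SIZE)))
    missing = [a for a in REQUIRED_ALGORITHMS if a not in available]
    evidence = {
        "CryptoProfile": profile,
        "AvailableAlgorithms": sorted(available),
        "MissingAlgorithms": missing,
        "MinRsaKeySize": min_rsa,
        "RequiredMinRsaKeySize": REQUIRED_MIN_RSA_KEY_SIZE,
    }
    # Missing algorithms outrank key size: Fail before Warn before Pass.
    if missing:
        return CheckResult("fail", evidence)
    if min_rsa < REQUIRED_MIN_RSA_KEY_SIZE:
        return CheckResult("warn", evidence)
    return CheckResult("pass", evidence)


if __name__ == "__main__":
    # Constructed sample: every algorithm except Ed25519 is available.
    sample_available = set(REQUIRED_ALGORITHMS) - {"Ed25519"}
    result = run_eidas_check(dict(os.environ), sample_available)
    print(result.status, result.evidence)
```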

Why It Matters

eIDAS (Electronic Identification, Authentication and Trust Services) is an EU regulation that establishes standards for electronic signatures and trust services. Deployments in the EU that create qualified electronic signatures or seals must use algorithms approved by ETSI. Using non-compliant algorithms means signatures may not be legally recognized, and the deployment may fail regulatory requirements. RSA keys below 3072 bits are considered insufficient for long-term security under current eIDAS guidelines.

Common Causes

  • OpenSSL version too old to support all required algorithms
  • Crypto libraries compiled without required algorithm support
  • Configuration restricting the set of available algorithms
  • Legacy RSA key size configuration not updated for post-2024 requirements
  • Using LibreSSL instead of OpenSSL (missing some algorithms)

How to Fix

Docker Compose

# Check OpenSSL version and available algorithms
docker compose exec gateway openssl version
docker compose exec gateway openssl list -signature-algorithms

# Update minimum RSA key size and profile in the gateway service environment
# (compose `environment:` block or .env file):
# Crypto__MinRsaKeySize=3072
# Crypto__Profile=eu

# Restart services after configuration change
docker compose restart gateway

Bare Metal / systemd

# Check OpenSSL version
openssl version

# Verify available signature algorithms
openssl list -signature-algorithms

# Update OpenSSL if algorithms are missing
sudo apt update && sudo apt install openssl libssl-dev

# Configure eIDAS crypto profile
stella crypto profile set --profile eu

# Set minimum RSA key size in appsettings.json
# "Crypto": { "Profile": "eu", "MinRsaKeySize": 3072 }

sudo systemctl restart stellaops-platform

Kubernetes / Helm

# values.yaml
crypto:
  profile: eu
  minRsaKeySize: 3072

# Verify algorithm support in pod
kubectl exec deploy/stellaops-gateway -- openssl list -signature-algorithms

helm upgrade stellaops ./charts/stellaops -f values.yaml

Verification

stella doctor run --check check.crypto.eidas

Related Checks

  • check.crypto.certchain — certificate chain must use eIDAS-compliant algorithms
  • check.crypto.fips — FIPS and eIDAS have overlapping but distinct algorithm requirements
  • check.crypto.hsm — HSM may be required for qualified eIDAS signatures
  • check.compliance.attestation-signing — attestation signing should use eIDAS-compliant algorithms in EU deployments