stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity
Files
c58a236d70742082c8dda5a967972d08424732f2
git.stella-ops.org/docs/doctor/articles/crypto/sm.md
master c58a236d70 Doctor plugin checks: implement health check classes and documentation 
Implement remediation-aware health checks across all Doctor plugin modules
(Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment,
EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release,
Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation,
Authority, Core, Cryptography, Database, Docker, Integration, Notify,
Observability, Security, ServiceGraph, Sources, Verification).

Each check now emits structured remediation metadata (severity, category,
runbook links, and fix suggestions) consumed by the Doctor dashboard
remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 12:28:00 +02:00

3.9 KiB
Raw Blame History

checkId, plugin, severity, tags
checkId plugin severity tags
check.crypto.sm stellaops.doctor.crypto fail
crypto
sm2
sm3
sm4
china
compliance

SM2/SM3/SM4 Availability

What It Checks

Verifies that Chinese national cryptographic algorithms (GM/T standards) are available for CN deployments. The check validates:

  1. OpenSSL version: SM algorithms are natively supported in OpenSSL 1.1.1+. If the version is older, the check fails immediately.
  2. Algorithm availability: tests each required algorithm:
    • SM2: Elliptic curve cryptography (signature, key exchange)
    • SM3: Cryptographic hash function (256-bit output)
    • SM4: Block cipher (128-bit blocks, 128-bit key)
  3. SM2 curve parameters: verifies the SM2 elliptic curve is properly initialized.
Condition Result
OpenSSL < 1.1.1 and algorithms missing Fail
Any SM algorithms unavailable Fail
All algorithms available but SM2 curve cannot be verified Warn
All algorithms available and SM2 curve verified Pass

Evidence collected: CryptoProfile, OpenSslVersion, NativeSmSupport, AvailableAlgorithms, MissingAlgorithms, SM2CurveVerified.

The check only runs when Crypto:Profile or Cryptography:Profile contains "sm", "china", or equals "cn".

Why It Matters

Chinese regulatory requirements (GB/T standards) mandate the use of SM2, SM3, and SM4 algorithms for government systems, financial services, and critical infrastructure. Without SM algorithm support, the platform cannot create compliant digital signatures or encrypt data according to Chinese national standards. This blocks deployment in regulated Chinese environments and may violate the Cryptography Law of the People's Republic of China.

Common Causes

  • OpenSSL version too old (pre-1.1.1) to include native SM support
  • Using LibreSSL instead of OpenSSL (lacks SM algorithm support)
  • System OpenSSL not updated to a version with SM support
  • OpenSSL compiled without SM algorithm support (custom builds)
  • SM algorithms disabled in OpenSSL configuration
  • SM2 curve not properly initialized in the crypto provider
  • Missing external SM crypto provider (e.g., GmSSL)

How to Fix

Docker Compose

# Check OpenSSL version (must be 1.1.1+)
docker compose exec gateway openssl version

# Verify SM algorithm support
docker compose exec gateway openssl list -cipher-algorithms | grep -i sm
docker compose exec gateway openssl ecparam -list_curves | grep -i sm2

# Set crypto profile
# Crypto__Profile=cn

# If OpenSSL is too old, rebuild with a newer base image
# FROM ubuntu:22.04 (includes OpenSSL 3.0+)

docker compose restart gateway

Bare Metal / systemd

# Check current OpenSSL version
openssl version

# Update OpenSSL to 1.1.1+ if needed
sudo apt update && sudo apt install openssl

# Verify SM algorithm support
openssl list -cipher-algorithms | grep -i sm
openssl ecparam -list_curves | grep -i sm2

# Configure SM crypto profile
stella crypto profile set --profile cn

# Or use external SM provider (GmSSL)
stella crypto config set --sm-provider gmssl

# In appsettings.json:
# "Crypto": { "Profile": "cn" }

sudo systemctl restart stellaops-platform

Kubernetes / Helm

# values.yaml
crypto:
  profile: cn
  # Optionally specify external SM provider
  smProvider: native  # or "gmssl" for GmSSL

# Verify SM support in pod
kubectl exec deploy/stellaops-gateway -- openssl version
kubectl exec deploy/stellaops-gateway -- openssl ecparam -list_curves | grep -i sm2

helm upgrade stellaops ./charts/stellaops -f values.yaml

Verification

stella doctor run --check check.crypto.sm

Related Checks

  • check.crypto.certchain — certificates in CN deployments should use SM2 signatures
  • check.crypto.gost — GOST (Russian) is another regional crypto profile with similar structure
  • check.crypto.fips — FIPS and SM are mutually exclusive regional crypto profiles
  • check.crypto.hsm — SM keys may be stored in an HSM with SM algorithm support