stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity
Files
ce1f282ce02ba0a8acec1eea05f5ac8c1ff2e6ca
git.stella-ops.org/docs/security/crypto-simulation-services.md
StellaOps Bot ce1f282ce0
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Details
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Details
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Details
up
2025-12-11 08:20:15 +02:00

3.3 KiB
Raw Blame History

Crypto Simulation Services · 2025-12-11

Use these simulation paths when licensed hardware or certified modules are unavailable. They let us keep the registry/profile contracts stable while we wait for customer licenses (CryptoPro), QSCD devices (eIDAS), KCMVP modules, or SM PKCS#11 tokens.

Unified simulator (sim-crypto-service)

  • Location: ops/crypto/sim-crypto-service/
  • Provider ID: sim.crypto.remote
  • Algorithms covered:
    • GOST: GOST12-256, GOST12-512, ru.magma.sim, ru.kuznyechik.sim (deterministic HMAC-SHA256)
    • SM: SM2, sm.sim, sm2.sim (deterministic HMAC-SHA256)
    • PQ: DILITHIUM3, FALCON512, pq.sim (deterministic HMAC-SHA256)
    • FIPS/eIDAS/KCMVP/world: ES256, ES384, ES512, fips.sim, eidas.sim, kcmvp.sim, world.sim (ECDSA P-256 with static key)
  • Run: 
    docker build -t sim-crypto -f ops/crypto/sim-crypto-service/Dockerfile ops/crypto/sim-crypto-service
docker run --rm -p 8080:8080 sim-crypto
curl -s -X POST http://localhost:8080/sign -d '{"message":"hello","algorithm":"SM2"}'
  • Wire:
    • Set STELLAOPS_CRYPTO_ENABLE_SIM=1 to append sim.crypto.remote to registry ordering.
    • Point the client: STELLAOPS_CRYPTO_SIM_URL=http://<host>:8080 or bind StellaOps:Crypto:Sim:BaseAddress.
    • The SimRemoteProviderOptions.Algorithms default list already includes the IDs above; extend if you add new aliases.
  • Quick check: 
    curl -s -X POST http://localhost:8080/sign -d '{"message":"stellaops-sim-check","algorithm":"SM2"}'
  • Scripted smoke (no VSTest): scripts/crypto/run-sim-smoke.ps1 (args: -BaseUrl http://localhost:5000 -SimProfile sm|ru-free|ru-paid|eidas|fips|kcmvp|pq).
  • Headless smoke harness (no VSTest): dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj (env: STELLAOPS_CRYPTO_SIM_URL, optional SIM_ALGORITHMS=SM2,pq.sim,ES256).

Regional notes

  • RU (GOST): OSS remote signer available at docs/security/openssl-gost-remote.md. Licensed CryptoPro path is Linux-only via ops/cryptopro/linux-csp-service (customer debs, CRYPTOPRO_ACCEPT_EULA=1); use the simulator above when licensing is unavailable.
  • CN (SM): Hardware/PKCS#11 bring-up in docs/security/sm-hardware-simulation.md. Legacy SM-only simulator is retired; use sim-crypto-service for SM2 tests.
  • FIPS / eIDAS / KCMVP: Hardware/QSCD runbook in docs/security/fips-eidas-kcmvp-validation.md. Until certified modules arrive, rely on the simulator above and keep profiles labeled “non-certified.”
  • PQ: Built-in pq.soft remains the baseline; the simulator is available for integration tests that expect a remote signer.

Config snippet (example)

{
  "StellaOps": {
    "Crypto": {
      "Registry": {
        "ActiveProfile": "sm",
        "PreferredProviders": [ "sim.crypto.remote", "cn.sm.soft" ]
      },
      "Sim": {
        "BaseAddress": "http://localhost:8080"
      }
    }
  }
}

Evidence to capture

  • JWKS export showing sim.crypto.remote keys.
  • CryptoProviderMetrics with the simulated provider ID.
  • Sample signatures/hashes from fixed message stellaops-sim-vector.

Status

  • Simulation coverage exists for all regions; real licensing/hardware remains customer-supplied. Use this doc to unblock sprint closures until certified evidence arrives.