stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity
Files
ce1f282ce02ba0a8acec1eea05f5ac8c1ff2e6ca
git.stella-ops.org/docs/security/crypto-simulation-services.md
StellaOps Bot ce1f282ce0
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Details
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Details
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Details
up
2025-12-11 08:20:15 +02:00

60 lines
3.3 KiB
Markdown
Raw Blame History

# Crypto Simulation Services · 2025-12-11
Use these simulation paths when licensed hardware or certified modules are unavailable. They let us keep the registry/profile contracts stable while we wait for customer licenses (CryptoPro), QSCD devices (eIDAS), KCMVP modules, or SM PKCS#11 tokens.
## Unified simulator (sim-crypto-service)
- Location: `ops/crypto/sim-crypto-service/`
- Provider ID: `sim.crypto.remote`
- Algorithms covered:
- GOST: `GOST12-256`, `GOST12-512`, `ru.magma.sim`, `ru.kuznyechik.sim` (deterministic HMAC-SHA256)
- SM: `SM2`, `sm.sim`, `sm2.sim` (deterministic HMAC-SHA256)
- PQ: `DILITHIUM3`, `FALCON512`, `pq.sim` (deterministic HMAC-SHA256)
- FIPS/eIDAS/KCMVP/world: `ES256`, `ES384`, `ES512`, `fips.sim`, `eidas.sim`, `kcmvp.sim`, `world.sim` (ECDSA P-256 with static key)
- Run:
```bash
docker build -t sim-crypto -f ops/crypto/sim-crypto-service/Dockerfile ops/crypto/sim-crypto-service
docker run --rm -p 8080:8080 sim-crypto
curl -s -X POST http://localhost:8080/sign -d '{"message":"hello","algorithm":"SM2"}'
```
- Wire:
- Set `STELLAOPS_CRYPTO_ENABLE_SIM=1` to append `sim.crypto.remote` to registry ordering.
- Point the client: `STELLAOPS_CRYPTO_SIM_URL=http://<host>:8080` or bind `StellaOps:Crypto:Sim:BaseAddress`.
- The `SimRemoteProviderOptions.Algorithms` default list already includes the IDs above; extend if you add new aliases.
- Quick check:
```bash
curl -s -X POST http://localhost:8080/sign -d '{"message":"stellaops-sim-check","algorithm":"SM2"}'
```
- Scripted smoke (no VSTest): `scripts/crypto/run-sim-smoke.ps1` (args: `-BaseUrl http://localhost:5000 -SimProfile sm|ru-free|ru-paid|eidas|fips|kcmvp|pq`).
- Headless smoke harness (no VSTest): `dotnet run --project ops/crypto/sim-crypto-smoke/SimCryptoSmoke.csproj` (env: `STELLAOPS_CRYPTO_SIM_URL`, optional `SIM_ALGORITHMS=SM2,pq.sim,ES256`).
## Regional notes
- **RU (GOST)**: OSS remote signer available at `docs/security/openssl-gost-remote.md`. Licensed CryptoPro path is Linux-only via `ops/cryptopro/linux-csp-service` (customer debs, `CRYPTOPRO_ACCEPT_EULA=1`); use the simulator above when licensing is unavailable.
- **CN (SM)**: Hardware/PKCS#11 bring-up in `docs/security/sm-hardware-simulation.md`. Legacy SM-only simulator is retired; use `sim-crypto-service` for SM2 tests.
- **FIPS / eIDAS / KCMVP**: Hardware/QSCD runbook in `docs/security/fips-eidas-kcmvp-validation.md`. Until certified modules arrive, rely on the simulator above and keep profiles labeled “non-certified.”
- **PQ**: Built-in `pq.soft` remains the baseline; the simulator is available for integration tests that expect a remote signer.
## Config snippet (example)
```json
{
"StellaOps": {
"Crypto": {
"Registry": {
"ActiveProfile": "sm",
"PreferredProviders": [ "sim.crypto.remote", "cn.sm.soft" ]
},
"Sim": {
"BaseAddress": "http://localhost:8080"
}
}
}
}
```
## Evidence to capture
- JWKS export showing `sim.crypto.remote` keys.
- `CryptoProviderMetrics` with the simulated provider ID.
- Sample signatures/hashes from fixed message `stellaops-sim-vector`.
## Status
- Simulation coverage exists for all regions; real licensing/hardware remains customer-supplied. Use this doc to unblock sprint closures until certified evidence arrives.
Reference in New Issue View Git Blame Copy Permalink