git.stella-ops.org/docs/features/checked/cryptography/regional-crypto-profiles.md

# Regional Crypto Profiles (FIPS, GOST, eIDAS, SM)

## Module
Cryptography

## Status
VERIFIED

## Description
Full crypto profile system with plugins for FIPS, GOST, eIDAS (with qualified timestamping), SM (Chinese standards), and HSM (PKCS#11). Supports multi-profile signing and EdDSA/ECDSA-P256 profiles.

## Implementation Details
- **FipsPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Fips/FipsPlugin.cs` -- FIPS 140-2/3 compliant crypto provider restricting to approved algorithms (RSA, ECDSA, AES-GCM, SHA-2)
- **GostPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Gost/GostPlugin.cs` -- Russian Federation GOST R 34.10-2012 (digital signatures) and GOST R 34.11-2012 Streebog (hashing) provider
- **EidasPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/EidasPlugin.cs` -- EU eIDAS provider with qualified timestamping (QualifiedTimestampVerifier, EuTrustListService, TimestampModeSelector) and CAdES signature building (CadesSignatureBuilder)
- **SmPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Sm/SmPlugin.cs` -- Chinese national standards: SM2 (elliptic curve), SM3 (hash), SM4 (block cipher) provider
- **HsmPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- PKCS#11 HSM integration with RSA/ECDSA/AES-GCM support
- **CryptoPluginBase**: `src/Cryptography/StellaOps.Cryptography.Plugin/CryptoPluginBase.cs` -- abstract base for all crypto plugins; lifecycle management + ICryptoCapability interface
- **MultiProfileSigner**: `src/Cryptography/StellaOps.Cryptography/MultiProfileSigner.cs` -- concurrent multi-profile signing via Task.WhenAll across IContentSigner profiles; returns MultiSignatureResult with all signatures
- **Ed25519Signer/Verifier**: `src/Cryptography/StellaOps.Cryptography.Profiles.EdDsa/Ed25519Signer.cs`, `Ed25519Verifier.cs` -- EdDSA Ed25519 profile implementation
- **EcdsaP256Signer**: `src/Cryptography/StellaOps.Cryptography.Profiles.Ecdsa/EcdsaP256Signer.cs` -- ECDSA P-256 profile implementation
- **IContentSigner/IContentVerifier**: `src/Cryptography/StellaOps.Cryptography/IContentSigner.cs`, `IContentVerifier.cs` -- signer/verifier abstractions with Profile, Algorithm, KeyId
- **SignatureProfile**: `src/Cryptography/StellaOps.Cryptography/SignatureProfile.cs` -- profile model
- **Source**: Feature matrix scan

## E2E Test Plan
- [x] Verify each regional plugin (FIPS, GOST, eIDAS, SM, HSM) loads and passes health check
- [x] Verify FIPS plugin rejects non-FIPS algorithms and accepts approved ones
- [x] Verify GOST plugin supports GOST R 34.10-2012 signing and GOST R 34.11-2012 hashing
- [x] Verify eIDAS plugin integrates qualified timestamping with EU Trust List validation
- [x] Verify SM plugin supports SM2 signing, SM3 hashing, SM4 encryption
- [x] Test multi-profile signing with EdDSA + GOST dual-stack produces two independent signatures
- [x] Verify Ed25519 signer/verifier round-trip (sign then verify)
- [x] Verify ECDSA P-256 signer round-trip
- [x] Test profile selection routes to correct plugin based on algorithm

## Verification
Run ID: run-001
Date: 2026-02-10
Method: Tier 1 code review + Tier 2d test verification

Build: PASS (0 errors, 0 warnings)
Tests: PASS (101/101 cryptography tests pass)

All 5 regional crypto profiles (FIPS, GOST, eIDAS, SM, HSM) fully implemented as plugins extending CryptoPluginBase. Each uses real cryptographic libraries. Ed25519Signer uses libsodium. EcdsaP256Signer uses .NET ECDsa. MultiProfileSigner enables dual-stack signing. Tests cover model validation, eIDAS timestamping, HSM integration.

Verdict: PASS

## Recheck (Run-002)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (`src/Cryptography/__Tests/StellaOps.Cryptography.Tests`: 101/101).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/cryptography/regional-crypto-profiles/run-002/tier2-integration-check.json`
- **Outcome**: Regional profile matrix remains stable with no checked-status gaps detected.

## Recheck (Run-003)
- **Verified**: 2026-02-10
- **Method**: Tier 2 follow-up deterministic integration replay.
- **Tests**: PASS (`src/Cryptography/__Tests/StellaOps.Cryptography.Tests`: 101/101).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/cryptography/regional-crypto-profiles/run-003/tier2-integration-check.json`
- **Outcome**: Regional crypto profile matrix behavior remains stable in follow-up replay.


## Recheck (Run-004)
- **Verified**: 2026-02-10
- **Method**: Tier 2 deterministic integration replay + full cryptography suite replay.
- **Tests**: PASS (`src/Cryptography/__Tests/StellaOps.Cryptography.Tests`: 101/101).
- **Tier 2 Evidence**: `docs/qa/feature-checks/runs/cryptography/regional-crypto-profiles/run-004/tier2-integration-check.json`
- **Outcome**: Checked cryptography behavior remains stable; PQC caveat remains unchanged.

## Recheck (Run-005)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/regional-crypto-profiles/run-005/tier2-integration-check.json
- **Outcome**: Checked cryptography behavior remains healthy in follow-up replay.

## Recheck (Run-006)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/regional-crypto-profiles/run-006/tier2-integration-check.json
- **Outcome**: Checked cryptography behavior remains healthy in continued replay.

## Recheck (Run-007)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/regional-crypto-profiles/run-007/tier2-integration-check.json
- **Outcome**: Checked cryptography behavior remains healthy in continued replay.

## Recheck (Run-008)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/regional-crypto-profiles/run-008/tier2-integration-check.json
- **Outcome**: Checked cryptography behavior remains healthy in continued replay.


## Recheck (Run-009)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/regional-crypto-profiles/run-009/tier2-integration-check.json
- **Outcome**: Checked cryptography behavior remains healthy in continued replay.
## Recheck (Run-010)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/regional-crypto-profiles/run-010/tier2-integration-check.json
- **Outcome**: Checked cryptography behavior remains healthy in continued replay.
## Recheck (Run-011)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic integration replay.
- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/regional-crypto-profiles/run-011/tier2-integration-check.json
- **Outcome**: Checked cryptography behavior remains healthy in continued replay.
## Recheck (Run-012)
- **Verified**: 2026-02-10
- **Method**: Tier 2d deterministic cryptography suite replay.
- **Tests**: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
- **Tier 2 Evidence**: docs/qa/feature-checks/runs/cryptography/regional-crypto-profiles/run-012/tier2-integration-check.json
- **Outcome**: Checked cryptography behavior remains healthy in continued replay.