Flow 30 - Regulatory Compliance Templates for Composite Keys

This scenario demonstrates one-line regulatory compliance for composite cryptographic keys using pre-configured templates. Instead of manually configuring algorithms, KDFs, and security levels, developers use factory methods that automatically satisfy jurisdiction-specific requirements.

Six regulatory frameworks are covered: BSI TR-02102-1 (Germany), ANSSI RGS v2.0 (France), ETSI TS 103 744 (EU Telecommunications), EU Unified (multi-national), NIST SP 800-227 (USA), and ENISA Guidelines (EU general).

  1. Initialize SDK - Authenticate with application credentials
  2. Choose framework - Select BSI, ANSSI, ETSI, EU, NIST, or ENISA template
  3. Generate key - Call factory method with kid and mode
  4. Verify compliance - Confirm algorithm, KDF, and level meet regulatory requirements

Key points

  • RegulatoryTemplateFactory provides one-line compliance for 6 frameworks
  • KDF requirements vary: ANSSI allows only HKDF; ETSI requires CatKDF for telecom
  • BSI, ANSSI, and ETSI make hybrid mode mandatory; NIST and ENISA recommend it but don't mandate it
  • Multi-jurisdiction support: EU Unified template satisfies all European regulations simultaneously

When to use it

  • Regulated industries requiring documented PQC compliance (finance, healthcare, defense)
  • Multi-national operations needing one configuration for multiple EU countries
  • Government contracts with specific BSI, ANSSI, or NIST compliance mandates
  • EU telecommunications deploying 5G/6G infrastructure with ETSI TS 103 744 requirements

Shared helper – this code imports the utility class from example_util.md (configuration, authentication).


Complete Java implementation

src/main/java/co/ankatech/ankasecure/sdk/examples/ExampleScenario30.java

/** **************************************************************************
 * FILE: ExampleScenario30.java
 * SCENARIO: Regulatory Compliance Templates for Composite Keys
 * TAGS: composite-keys, regulatory-compliance, templates, bsi, anssi, etsi
 *************************************************************************** */
package co.ankatech.ankasecure.sdk.examples;

import co.ankatech.ankasecure.sdk.AnkaSecureSdk;
import co.ankatech.ankasecure.sdk.model.*;

import static co.ankatech.ankasecure.sdk.examples.ExampleUtil.*;

/**
 * <h1>Scenario 30: Regulatory Compliance Templates for Composite Keys</h1>
 * <p>
 * Demonstrates how to create composite cryptographic keys that comply with
 * specific regulatory frameworks using pre-configured templates.
 * </p>
 *
 * <h3>What You'll Learn:</h3>
 * <ul>
 *   <li>How to use {@link RegulatoryTemplateFactory} for one-line compliance</li>
 *   <li>Differences between BSI, ANSSI, ETSI, EU, NIST, and ENISA requirements</li>
 *   <li>Which KDFs are required/allowed by each framework</li>
 *   <li>How to generate keys for different regulatory jurisdictions</li>
 * </ul>
 *
 * <h3>Regulatory Frameworks Covered:</h3>
 * <ol>
 *   <li><strong>BSI TR-02102-1</strong> (Germany) - HKDF-SHA256</li>
 *   <li><strong>ANSSI RGS v2.0</strong> (France) - HKDF-SHA256</li>
 *   <li><strong>ETSI TS 103 744</strong> (EU Telecom) - CatKDF (telecom-specific)</li>
 *   <li><strong>EU Unified</strong> (Multi-national) - All KDFs supported</li>
 *   <li><strong>NIST SP 800-227</strong> (USA) - Flexible levels</li>
 *   <li><strong>ENISA Guidelines</strong> (EU) - Risk-based approach</li>
 * </ol>
 *
 * <h3>Prerequisites:</h3>
 * <ul>
 *   <li>AnkaSecure Core API running and accessible</li>
 *   <li>Valid authentication credentials (application or user)</li>
 *   <li>Tenant with appropriate policy configuration</li>
 * </ul>
 *
 *
 * @see RegulatoryTemplateFactory
 * @see RegulatoryTemplate
 * @see Kdf
 */
public class ExampleScenario30 {

    public static void main(String[] args) {
        try {
            System.out.println("=================================================================");
            System.out.println("  SCENARIO 30: Regulatory Compliance Templates");
            System.out.println("=================================================================\n");

            // Initialize SDK
            java.util.Properties props = loadProperties();
            AnkaSecureSdk sdk = authenticate(props);

            // Template 1: BSI (Germany)
            demonstrateBsiCompliance(sdk);

            // Template 2: ANSSI (France)
            demonstrateAnssiCompliance(sdk);

            // Template 3: ETSI (EU Telecom)
            demonstrateEtsiCompliance(sdk);

            // Template 4: EU Unified (Multi-national)
            demonstrateEuUnifiedCompliance(sdk);

            // Template 5: NIST (USA)
            demonstrateNistCompliance(sdk);

            // Template 6: ENISA (EU General)
            demonstrateEnisaCompliance(sdk);

            System.out.println("\n=================================================================");
            System.out.println("  ALL REGULATORY TEMPLATES DEMONSTRATED SUCCESSFULLY");
            System.out.println("=================================================================");

        } catch (Exception e) {
            fatal("Scenario 30 failed", e);
        }
    }

    /**
     * Demonstrates BSI TR-02102-1 (Germany) compliant key generation.
     */
    private static void demonstrateBsiCompliance(AnkaSecureSdk sdk) throws Exception {
        System.out.println("[1/6] BSI TR-02102-1 (GERMANY)");
        System.out.println("      Framework: Bundesamt für Sicherheit in der Informationstechnik");
        System.out.println("      Requirement: Hybrid keys MANDATORY for PQC algorithms\n");

        // One-line BSI-compliant encryption key
        GenerateCompositeKeySpec spec = RegulatoryTemplateFactory.bsiHybrid(
            "bsi_germany_" + System.currentTimeMillis(),
            GenerateCompositeKeySpec.Mode.HYBRID_KEM_COMBINE
        );

        System.out.println("      Configuration:");
        System.out.println("      - Mode: " + spec.getMode());
        System.out.println("      - Classical: X25519 (Level 3)");
        System.out.println("      - PQC: ML-KEM-768 (Level 3)");
        System.out.println("      - KDF: HKDF-SHA256 (BSI-approved)");
        System.out.println("      - Min Level: 3 (192-bit)");

        KeyGenerationSummarySpec result = sdk.generateCompositeKey(spec);
        System.out.println("      ✅ BSI-compliant key generated: " + result.getKid());
        System.out.println("      Status: " + result.getStatus() + "\n");
    }

    /**
     * Demonstrates ANSSI RGS v2.0 (France) compliant key generation.
     */
    private static void demonstrateAnssiCompliance(AnkaSecureSdk sdk) throws Exception {
        System.out.println("[2/6] ANSSI RGS v2.0 (FRANCE)");
        System.out.println("      Framework: Agence Nationale de la Sécurité des Systèmes d'Information");
        System.out.println("      Requirement: Hybrid keys MANDATORY, conservative KDF policy\n");

        GenerateCompositeKeySpec spec = RegulatoryTemplateFactory.anssiHybrid(
            "anssi_france_" + System.currentTimeMillis(),
            GenerateCompositeKeySpec.Mode.HYBRID_KEM_COMBINE
        );

        System.out.println("      Configuration:");
        System.out.println("      - Mode: " + spec.getMode());
        System.out.println("      - Classical: X25519 (Level 3)");
        System.out.println("      - PQC: ML-KEM-768 (Level 3)");
        System.out.println("      - KDF: HKDF-SHA256 (ANSSI-approved)");
        System.out.println("      - ⚠️  CatKDF/CasKDF NOT allowed (France-specific restriction)");

        KeyGenerationSummarySpec result = sdk.generateCompositeKey(spec);
        System.out.println("      ✅ ANSSI-compliant key generated: " + result.getKid());
        System.out.println("      Status: " + result.getStatus() + "\n");
    }

    /**
     * Demonstrates ETSI TS 103 744 (EU Telecom) compliant key generation.
     */
    private static void demonstrateEtsiCompliance(AnkaSecureSdk sdk) throws Exception {
        System.out.println("[3/6] ETSI TS 103 744 (EU TELECOMMUNICATIONS)");
        System.out.println("      Framework: European Telecommunications Standards Institute");
        System.out.println("      Requirement: CatKDF or CasKDF REQUIRED for 5G/6G networks\n");

        GenerateCompositeKeySpec spec = RegulatoryTemplateFactory.etsiHybrid(
            "etsi_telecom_" + System.currentTimeMillis(),
            GenerateCompositeKeySpec.Mode.HYBRID_KEM_COMBINE
        );

        System.out.println("      Configuration:");
        System.out.println("      - Mode: " + spec.getMode());
        System.out.println("      - Classical: X25519 (Level 3)");
        System.out.println("      - PQC: ML-KEM-768 (Level 3)");
        System.out.println("      - KDF: CatKDF (ETSI TS 103 744 Section 5.2.1)");
        System.out.println("      - Use Case: EU 5G/6G base stations");

        KeyGenerationSummarySpec result = sdk.generateCompositeKey(spec);
        System.out.println("      ✅ ETSI-compliant telecom key generated: " + result.getKid());
        System.out.println("      Status: " + result.getStatus() + "\n");
    }

    /**
     * Demonstrates EU Unified (multi-national) compliant key generation.
     */
    private static void demonstrateEuUnifiedCompliance(AnkaSecureSdk sdk) throws Exception {
        System.out.println("[4/6] EU UNIFIED (MULTI-NATIONAL EU)");
        System.out.println("      Framework: Intersection of BSI + ANSSI + ETSI");
        System.out.println("      Requirement: Strictest EU requirements, all KDFs supported\n");

        // Encryption key
        GenerateCompositeKeySpec encSpec = RegulatoryTemplateFactory.euUnifiedHybrid(
            "eu_unified_enc_" + System.currentTimeMillis(),
            GenerateCompositeKeySpec.Mode.HYBRID_KEM_COMBINE
        );

        System.out.println("      Configuration (Encryption):");
        System.out.println("      - Mode: " + encSpec.getMode());
        System.out.println("      - Classical: X25519 (Level 3)");
        System.out.println("      - PQC: ML-KEM-768 (Level 3)");
        System.out.println("      - KDF: HKDF-SHA256");

        KeyGenerationSummarySpec encResult = sdk.generateCompositeKey(encSpec);
        System.out.println("      ✅ EU encryption key generated: " + encResult.getKid());

        // Signature key
        GenerateCompositeKeySpec signSpec = RegulatoryTemplateFactory.euUnifiedHybrid(
            "eu_unified_sign_" + System.currentTimeMillis(),
            GenerateCompositeKeySpec.Mode.DUALSIGN
        );

        System.out.println("\n      Configuration (Signature):");
        System.out.println("      - Mode: " + signSpec.getMode());
        System.out.println("      - Classical: Ed25519 (Level 3)");
        System.out.println("      - PQC: ML-DSA-65 (Level 3)");

        KeyGenerationSummarySpec signResult = sdk.generateCompositeKey(signSpec);
        System.out.println("      ✅ EU signature key generated: " + signResult.getKid());
        System.out.println("      Status: " + signResult.getStatus() + "\n");
    }

    /**
     * Demonstrates NIST SP 800-227 (USA) compliant key generation with flexible levels.
     */
    private static void demonstrateNistCompliance(AnkaSecureSdk sdk) throws Exception {
        System.out.println("[5/6] NIST SP 800-227 (USA)");
        System.out.println("      Framework: National Institute of Standards and Technology");
        System.out.println("      Requirement: Hybrid OPTIONAL, flexible security levels\n");

        // Level 3 (standard)
        GenerateCompositeKeySpec level3 = RegulatoryTemplateFactory.nistHybrid(
            "nist_level3_" + System.currentTimeMillis(),
            NistSecurityLevel.LEVEL_3,
            sdk.getSupportedAlgorithms()
        );

        System.out.println("      Configuration (Level 3):");
        System.out.println("      - Classical: X25519 (Level 3)");
        System.out.println("      - PQC: ML-KEM-768 (Level 3)");
        System.out.println("      - KDF: HKDF-SHA256");

        KeyGenerationSummarySpec result3 = sdk.generateCompositeKey(level3);
        System.out.println("      ✅ NIST Level 3 key generated: " + result3.getKid());

        // Level 5 (high security)
        GenerateCompositeKeySpec level5 = RegulatoryTemplateFactory.nistHybrid(
            "nist_level5_" + System.currentTimeMillis(),
            NistSecurityLevel.LEVEL_5,
            sdk.getSupportedAlgorithms()
        );

        System.out.println("\n      Configuration (Level 5 - Classified):");
        System.out.println("      - Classical: RSA-4096 (Level 5)");
        System.out.println("      - PQC: ML-KEM-1024 (Level 5)");
        System.out.println("      - KDF: HKDF-SHA512");

        KeyGenerationSummarySpec result5 = sdk.generateCompositeKey(level5);
        System.out.println("      ✅ NIST Level 5 key generated: " + result5.getKid());
        System.out.println("      Status: " + result5.getStatus() + "\n");
    }

    /**
     * Demonstrates ENISA (EU) risk-based compliant key generation.
     */
    private static void demonstrateEnisaCompliance(AnkaSecureSdk sdk) throws Exception {
        System.out.println("[6/6] ENISA RISK-BASED (EU GENERAL)");
        System.out.println("      Framework: European Union Agency for Cybersecurity");
        System.out.println("      Requirement: Hybrid RECOMMENDED (not mandated)\n");

        GenerateCompositeKeySpec spec = RegulatoryTemplateFactory.enisaRiskBased(
            "enisa_eu_" + System.currentTimeMillis(),
            GenerateCompositeKeySpec.Mode.HYBRID_KEM_COMBINE
        );

        System.out.println("      Configuration:");
        System.out.println("      - Mode: " + spec.getMode());
        System.out.println("      - Classical: X25519 (Level 3)");
        System.out.println("      - PQC: ML-KEM-768 (Level 3)");
        System.out.println("      - KDF: HKDF-SHA256");
        System.out.println("      - Approach: Risk-based (organization decides)");

        KeyGenerationSummarySpec result = sdk.generateCompositeKey(spec);
        System.out.println("      ✅ ENISA-compliant key generated: " + result.getKid());
        System.out.println("      Status: " + result.getStatus() + "\n");
    }

}
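
The sample above prints the classical algorithm, PQC algorithm and KDF as string literals rather than reading them from the generated key, so step 4 (verify compliance) needs its own check. The following is an added example, not part of the AnkaSecure SDK or the original page: a stand-alone check of a key's mode, KDF and level against the rules this page states. `TemplateRuleCheck`, `KeyConfig` and `Rule` are hypothetical names, and the rule table is transcribed from this page, not from the standards themselves.

```java
import java.util.*;

/** Added example: checks a key configuration against the rules this page states. */
public class TemplateRuleCheck {

    /** Values a caller would read back from the generated key; field names are hypothetical. */
    record KeyConfig(boolean hybrid, String kdf, int level) {}

    /** One framework's rules as stated on this page; null kdfPrefixes means no KDF limit is stated. */
    record Rule(boolean hybridMandatory, List<String> kdfPrefixes, int minLevel) {}

    // Transcribed from the page's key points and sample output, not from the standards themselves.
    // EU Unified is described as the intersection of BSI + ANSSI + ETSI: check each of those in turn.
    static final Map<String, Rule> RULES = new LinkedHashMap<>();
    static {
        RULES.put("BSI",   new Rule(true,  null, 3));                        // hybrid mandatory, min level 3
        RULES.put("ANSSI", new Rule(true,  List.of("HKDF"), 0));             // hybrid mandatory, only HKDF
        RULES.put("ETSI",  new Rule(true,  List.of("CatKDF", "CasKDF"), 0)); // CatKDF or CasKDF required
        RULES.put("NIST",  new Rule(false, null, 0));                        // hybrid optional
        RULES.put("ENISA", new Rule(false, null, 0));                        // hybrid recommended, not mandated
    }

    /** Returns one message per violated rule; an empty list means the config passes. */
    static List<String> violations(String framework, KeyConfig cfg) {
        Rule r = RULES.get(framework);
        if (r == null) throw new IllegalArgumentException("unknown framework: " + framework);
        List<String> out = new ArrayList<>();
        if (r.hybridMandatory() && !cfg.hybrid())
            out.add(framework + ": hybrid mode is mandatory");
        if (cfg.level() < r.minLevel())
            out.add(framework + ": level " + cfg.level() + " is below minimum " + r.minLevel());
        if (r.kdfPrefixes() != null && r.kdfPrefixes().stream().noneMatch(cfg.kdf()::startsWith))
            out.add(framework + ": KDF " + cfg.kdf() + " is not in " + r.kdfPrefixes());
        return out;
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the configurations shown in the expected output.
        KeyConfig hkdf = new KeyConfig(true, "HKDF-SHA256", 3);
        KeyConfig cat = new KeyConfig(true, "CatKDF", 3);
        KeyConfig single = new KeyConfig(false, "HKDF-SHA256", 3);
        for (String fw : RULES.keySet()) {
            System.out.println(fw + " / HKDF-SHA256 hybrid: " + violations(fw, hkdf));
            System.out.println(fw + " / CatKDF hybrid:      " + violations(fw, cat));
            System.out.println(fw + " / HKDF-SHA256 single: " + violations(fw, single));
        }
    }
}
```

For a key meant to cover several jurisdictions, run the check once per framework and require every returned list to be empty.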

Running the example

mvn -q compile exec:java \
  -Dexec.mainClass="co.ankatech.ankasecure.sdk.examples.ExampleScenario30"

Expected output

=================================================================
  SCENARIO 30: Regulatory Compliance Templates
=================================================================

[1/6] BSI TR-02102-1 (GERMANY)
      Framework: Bundesamt für Sicherheit in der Informationstechnik
      Requirement: Hybrid keys MANDATORY for PQC algorithms

      Configuration:
      - Mode: HYBRID_KEM_COMBINE
      - Classical: X25519 (Level 3)
      - PQC: ML-KEM-768 (Level 3)
      - KDF: HKDF-SHA256 (BSI-approved)
      - Min Level: 3 (192-bit)
      ✅ BSI-compliant key generated: bsi_germany_1735420800000
      Status: ACTIVE

[2/6] ANSSI RGS v2.0 (FRANCE)
      Framework: Agence Nationale de la Sécurité des Systèmes d'Information
      Requirement: Hybrid keys MANDATORY, conservative KDF policy

      Configuration:
      - Mode: HYBRID_KEM_COMBINE
      - Classical: X25519 (Level 3)
      - PQC: ML-KEM-768 (Level 3)
      - KDF: HKDF-SHA256 (ANSSI-approved)
      - ⚠️  CatKDF/CasKDF NOT allowed (France-specific restriction)
      ✅ ANSSI-compliant key generated: anssi_france_1735420800100
      Status: ACTIVE

[3/6] ETSI TS 103 744 (EU TELECOMMUNICATIONS)
      Framework: European Telecommunications Standards Institute
      Requirement: CatKDF or CasKDF REQUIRED for 5G/6G networks

      Configuration:
      - Mode: HYBRID_KEM_COMBINE
      - Classical: X25519 (Level 3)
      - PQC: ML-KEM-768 (Level 3)
      - KDF: CatKDF (ETSI TS 103 744 Section 5.2.1)
      - Use Case: EU 5G/6G base stations
      ✅ ETSI-compliant telecom key generated: etsi_telecom_1735420800200
      Status: ACTIVE

[4/6] EU UNIFIED (MULTI-NATIONAL EU)
      Framework: Intersection of BSI + ANSSI + ETSI
      Requirement: Strictest EU requirements, all KDFs supported

      Configuration (Encryption):
      - Mode: HYBRID_KEM_COMBINE
      - Classical: X25519 (Level 3)
      - PQC: ML-KEM-768 (Level 3)
      - KDF: HKDF-SHA256
      ✅ EU encryption key generated: eu_unified_enc_1735420800300

      Configuration (Signature):
      - Mode: DUALSIGN
      - Classical: Ed25519 (Level 3)
      - PQC: ML-DSA-65 (Level 3)
      ✅ EU signature key generated: eu_unified_sign_1735420800350
      Status: ACTIVE

[5/6] NIST SP 800-227 (USA)
      Framework: National Institute of Standards and Technology
      Requirement: Hybrid OPTIONAL, flexible security levels

      Configuration (Level 3):
      - Classical: X25519 (Level 3)
      - PQC: ML-KEM-768 (Level 3)
      - KDF: HKDF-SHA256
      ✅ NIST Level 3 key generated: nist_level3_1735420800400

      Configuration (Level 5 - Classified):
      - Classical: RSA-4096 (Level 5)
      - PQC: ML-KEM-1024 (Level 5)
      - KDF: HKDF-SHA512
      ✅ NIST Level 5 key generated: nist_level5_1735420800450
      Status: ACTIVE

[6/6] ENISA RISK-BASED (EU GENERAL)
      Framework: European Union Agency for Cybersecurity
      Requirement: Hybrid RECOMMENDED (not mandated)

      Configuration:
      - Mode: HYBRID_KEM_COMBINE
      - Classical: X25519 (Level 3)
      - PQC: ML-KEM-768 (Level 3)
      - KDF: HKDF-SHA256
      - Approach: Risk-based (organization decides)
      ✅ ENISA-compliant key generated: enisa_eu_1735420800500
      Status: ACTIVE

=================================================================
  ALL REGULATORY TEMPLATES DEMONSTRATED SUCCESSFULLY
=================================================================

© 2025 ANKATech Solutions INC. All rights reserved.