# Regional Crypto Profiles (FIPS, GOST, eIDAS, SM)

## Module
Cryptography

## Status
IMPLEMENTED

## Description
Full crypto profile system with plugins for FIPS, GOST, eIDAS (with qualified timestamping), SM (Chinese standards), and HSM (PKCS#11). Supports multi-profile signing and EdDSA/ECDSA-P256 profiles.

## Implementation Details
- **FipsPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Fips/FipsPlugin.cs` -- FIPS 140-2/3 compliant crypto provider restricting to approved algorithms (RSA, ECDSA, AES-GCM, SHA-2)
- **GostPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Gost/GostPlugin.cs` -- Russian Federation GOST R 34.10-2012 (digital signatures) and GOST R 34.11-2012 Streebog (hashing) provider
- **EidasPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/EidasPlugin.cs` -- EU eIDAS provider with qualified timestamping (QualifiedTimestampVerifier, EuTrustListService, TimestampModeSelector) and CAdES signature building (CadesSignatureBuilder)
- **SmPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Sm/SmPlugin.cs` -- Chinese national standards: SM2 (elliptic curve), SM3 (hash), SM4 (block cipher) provider
- **HsmPlugin**: `src/Cryptography/StellaOps.Cryptography.Plugin.Hsm/HsmPlugin.cs` -- PKCS#11 HSM integration with RSA/ECDSA/AES-GCM support
- **CryptoPluginBase**: `src/Cryptography/StellaOps.Cryptography.Plugin/CryptoPluginBase.cs` -- abstract base for all crypto plugins; lifecycle management + ICryptoCapability interface
- **MultiProfileSigner**: `src/Cryptography/StellaOps.Cryptography/MultiProfileSigner.cs` -- concurrent multi-profile signing via Task.WhenAll across IContentSigner profiles; returns MultiSignatureResult with all signatures
- **Ed25519Signer/Verifier**: `src/Cryptography/StellaOps.Cryptography.Profiles.EdDsa/Ed25519Signer.cs`, `Ed25519Verifier.cs` -- EdDSA Ed25519 profile implementation
- **EcdsaP256Signer**: `src/Cryptography/StellaOps.Cryptography.Profiles.Ecdsa/EcdsaP256Signer.cs` -- ECDSA P-256 profile implementation
- **IContentSigner/IContentVerifier**: `src/Cryptography/StellaOps.Cryptography/IContentSigner.cs`, `IContentVerifier.cs` -- signer/verifier abstractions with Profile, Algorithm, KeyId
- **SignatureProfile**: `src/Cryptography/StellaOps.Cryptography/SignatureProfile.cs` -- profile model
- **Source**: Feature matrix scan

## E2E Test Plan
- [ ] Verify each regional plugin (FIPS, GOST, eIDAS, SM, HSM) loads and passes health check
- [ ] Verify FIPS plugin rejects non-FIPS algorithms and accepts approved ones
- [ ] Verify GOST plugin supports GOST R 34.10-2012 signing and GOST R 34.11-2012 hashing
- [ ] Verify eIDAS plugin integrates qualified timestamping with EU Trust List validation
- [ ] Verify SM plugin supports SM2 signing, SM3 hashing, SM4 encryption
- [ ] Test multi-profile signing with EdDSA + GOST dual-stack produces two independent signatures
- [ ] Verify Ed25519 signer/verifier round-trip (sign then verify)
- [ ] Verify ECDSA P-256 signer round-trip
- [ ] Test profile selection routes to correct plugin based on algorithm