--- checkId: check.crypto.sm plugin: stellaops.doctor.crypto severity: fail tags: [crypto, sm2, sm3, sm4, china, compliance] --- # SM2/SM3/SM4 Availability ## What It Checks Verifies that Chinese national cryptographic algorithms (GM/T standards) are available for CN deployments. The check validates: 1. **OpenSSL version**: SM algorithms are natively supported in OpenSSL 1.1.1+. If the version is older, the check fails immediately. 2. **Algorithm availability**: tests each required algorithm: - **SM2**: Elliptic curve cryptography (signature, key exchange) - **SM3**: Cryptographic hash function (256-bit output) - **SM4**: Block cipher (128-bit blocks, 128-bit key) 3. **SM2 curve parameters**: verifies the SM2 elliptic curve is properly initialized. | Condition | Result | |---|---| | OpenSSL < 1.1.1 and algorithms missing | Fail | | Any SM algorithms unavailable | Fail | | All algorithms available but SM2 curve cannot be verified | Warn | | All algorithms available and SM2 curve verified | Pass | Evidence collected: `CryptoProfile`, `OpenSslVersion`, `NativeSmSupport`, `AvailableAlgorithms`, `MissingAlgorithms`, `SM2CurveVerified`. The check only runs when `Crypto:Profile` or `Cryptography:Profile` contains "sm", "china", or equals "cn". ## Why It Matters Chinese regulatory requirements (GB/T standards) mandate the use of SM2, SM3, and SM4 algorithms for government systems, financial services, and critical infrastructure. Without SM algorithm support, the platform cannot create compliant digital signatures or encrypt data according to Chinese national standards. This blocks deployment in regulated Chinese environments and may violate the Cryptography Law of the People's Republic of China. ## Common Causes - OpenSSL version too old (pre-1.1.1) to include native SM support - Using LibreSSL instead of OpenSSL (lacks SM algorithm support) - System OpenSSL not updated to a version with SM support - OpenSSL compiled without SM algorithm support (custom builds) - SM algorithms disabled in OpenSSL configuration - SM2 curve not properly initialized in the crypto provider - Missing external SM crypto provider (e.g., GmSSL) ## How to Fix ### Docker Compose ```bash # Check OpenSSL version (must be 1.1.1+) docker compose exec gateway openssl version # Verify SM algorithm support docker compose exec gateway openssl list -cipher-algorithms | grep -i sm docker compose exec gateway openssl ecparam -list_curves | grep -i sm2 # Set crypto profile # Crypto__Profile=cn # If OpenSSL is too old, rebuild with a newer base image # FROM ubuntu:22.04 (includes OpenSSL 3.0+) docker compose restart gateway ``` ### Bare Metal / systemd ```bash # Check current OpenSSL version openssl version # Update OpenSSL to 1.1.1+ if needed sudo apt update && sudo apt install openssl # Verify SM algorithm support openssl list -cipher-algorithms | grep -i sm openssl ecparam -list_curves | grep -i sm2 # Configure SM crypto profile stella crypto profile set --profile cn # Or use external SM provider (GmSSL) stella crypto config set --sm-provider gmssl # In appsettings.json: # "Crypto": { "Profile": "cn" } sudo systemctl restart stellaops-platform ``` ### Kubernetes / Helm ```yaml # values.yaml crypto: profile: cn # Optionally specify external SM provider smProvider: native # or "gmssl" for GmSSL ``` ```bash # Verify SM support in pod kubectl exec deploy/stellaops-gateway -- openssl version kubectl exec deploy/stellaops-gateway -- openssl ecparam -list_curves | grep -i sm2 helm upgrade stellaops ./charts/stellaops -f values.yaml ``` ## Verification ``` stella doctor run --check check.crypto.sm ``` ## Related Checks - `check.crypto.certchain` — certificates in CN deployments should use SM2 signatures - `check.crypto.gost` — GOST (Russian) is another regional crypto profile with similar structure - `check.crypto.fips` — FIPS and SM are mutually exclusive regional crypto profiles - `check.crypto.hsm` — SM keys may be stored in an HSM with SM algorithm support