# StellaOps Cryptography Configuration - China Profile (SM)
# This configuration enforces SM2/SM3/SM4 (ShangMi) cryptographic standards
# for People's Republic of China deployments requiring OSCCA compliance.
#
# NOTE(review): as committed, this profile does NOT yet enforce SM. The only
# provider listed under Enabled ("offline-verification") is NIST-based, and both
# StrictValidation and EnforceJurisdiction are set to false (see the TODOs
# below). Treat this as a transitional profile until the SM plugin ships and
# those switches are turned back on.

StellaOps:
  Crypto:
    Plugins:
      # Path to the plugin manifest JSON file
      ManifestPath: "/app/etc/crypto-plugins-manifest.json"

      # Discovery mode: "explicit" (only load configured plugins) or "auto" (load all compatible)
      # Production deployments should use "explicit" for security, so that only
      # the plugins listed under Enabled below are ever loaded
      DiscoveryMode: "explicit"

      # List of enabled plugins with optional priority and configuration overrides
      Enabled:
        # Offline Verification Provider - temporary fallback until SM plugin available
        # WARNING: This uses NIST algorithms (ECDSA, RSA, SHA-2) NOT SM algorithms,
        # so a deployment running this profile is not yet OSCCA-compliant
        # TODO: Replace with sm.soft plugin when available for OSCCA compliance
        - Id: "offline-verification"
          Priority: 100
          Options: {}

      # CRITICAL: Disable ALL non-SM providers
      # Entries ending in ".*" presumably match a whole provider family by
      # prefix - confirm against the plugin registry's matching rules
      Disabled:
        - "default"          # Standard .NET crypto (SHA-256, ECDSA)
        - "libsodium"        # Ed25519, XChaCha20-Poly1305
        - "openssl.gost"     # Russian GOST
        - "pkcs11.gost"
        - "cryptopro.gost"
        - "wine.csp"
        - "eidas.*"          # European eIDAS
        - "fips.*"           # FIPS 140-3
        - "pq.*"             # Post-quantum
        - "sim.*"            # Simulation providers

      # Fail application startup if SM provider cannot be loaded
      # NOTE(review): no SM provider is listed under Enabled yet, so presumably
      # this currently guards only the offline-verification fallback - confirm
      FailOnMissingPlugin: true

      # Require at least one SM provider
      RequireAtLeastOne: true

    Compliance:
      # Compliance profile: SM (ShangMi - Commercial Cipher)
      ProfileId: "sm"

      # CRITICAL: Enable strict validation
      # This will REJECT any signature/hash algorithm that is not SM-compliant
      # TODO: Re-enable when SM plugin is available
      # While false, non-SM algorithm use is only warned about
      # (see WarnOnWeakAlgorithms below), not rejected
      StrictValidation: false

      # Enforce jurisdiction filtering
      # TODO: Re-enable when SM plugin is available
      # While false, the AllowedJurisdictions list below is presumably not
      # applied - confirm before relying on it
      EnforceJurisdiction: false

      # Allowed plugin jurisdictions. Intended to be "china" only; "world" is a
      # temporary addition so the offline-verification fallback above can load
      AllowedJurisdictions:
        - "china"
        - "world"  # Temporary: Allow world jurisdiction for offline-verification

      # Canonical algorithms (SM2 signature, SM3 hash, SM4 encryption)
      HashAlgorithm: "SM3"
      SignatureAlgorithm: "SM2"
      SymmetricAlgorithm: "SM4"

      # Enable warnings for any non-SM algorithm attempts
      # With StrictValidation false, this warning is the only signal that a
      # non-SM algorithm was used - make sure it is captured by log monitoring
      WarnOnWeakAlgorithms: true

# SM Algorithm Overview (GM/T standards):
# - SM2: Public key cryptography (similar to ECDSA, uses 256-bit curve)
#   Standard: GM/T 0003-2012
# - SM3: Cryptographic hash function (256-bit output, similar to SHA-256)
#   Standard: GM/T 0004-2012
# - SM4: Block cipher (128-bit key, 128-bit block, similar to AES)
#   Standard: GM/T 0002-2012
# - SM9: Identity-based cryptography
#   Standard: GM/T 0044-2016

# OSCCA (Office of State Commercial Cryptography Administration) Compliance:
# - All cryptographic operations MUST use SM algorithms
# - Hardware Security Modules (HSMs) MUST be OSCCA-certified
# - Certificates MUST comply with GM/T 0015 (Certificate Profile)

# Optional: SM remote HSM configuration
# Crypto:
#   SmRemote:
#     # Base URL of SM-compliant HSM service
#     BaseAddress: "https://sm-hsm.example.com:8900"
#     # API authentication token - supply via environment variable or secret
#     # store as shown; never commit a literal token to this file
#     ApiKey: "${SM_HSM_API_KEY}"
#     # Connection timeout (ms)
#     Timeout: 30000
#     # Enable TLS client certificate authentication
#     ClientCertificatePath: "/etc/stellaops/certs/sm-client.pfx"
#     # Certificate password - same rule as ApiKey, inject from the environment
#     ClientCertificatePassword: "${SM_CLIENT_CERT_PASSWORD}"

# Optional: Override default provider preferences
# Crypto:
#   Registry:
#     PreferredProviders:
#       - "sm.soft"
#       - "sm.remote"