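# StellaOps Cryptography Configuration - China Profile (SM)
#
# This configuration enforces SM2/SM3/SM4 (ShangMi) cryptographic standards
# for People's Republic of China deployments requiring OSCCA compliance.
#
# Security note: this file is part of the trust boundary. It decides which
# cryptographic providers are loaded and which algorithms are accepted, so it
# should be protected (ownership, permissions, change control) like the
# plugin manifest and key material it points at.
---
StellaOps:
  Crypto:
    Plugins:
      # Path to the plugin manifest JSON file. The manifest determines which
      # provider assemblies are eligible to load; keep it read-only to the
      # service account.
      ManifestPath: "/etc/stellaops/crypto-plugins-manifest.json"

      # Discovery mode: "explicit" (only load configured plugins) or
      # "auto" (load all compatible).
      # Production deployments should use "explicit" so that an unexpected
      # provider on disk cannot be picked up silently.
      DiscoveryMode: "explicit"

      # List of enabled plugins with optional priority and configuration overrides.
      # Higher Priority wins when more than one provider can serve a request.
      Enabled:
        # SM software provider (primary)
        - Id: "sm.soft"
          Priority: 100
          Options: {}

        # SM remote HSM provider (for hardware-backed operations)
        - Id: "sm.remote"
          Priority: 90
          Options:
            # Use TLS for the HSM endpoint. Signing requests and responses
            # (and any API credential) travel over this connection; a plain
            # "http://" address would expose them on the internal network.
            # The SmRemote section below shows the matching TLS client-
            # certificate options.
            baseAddress: "https://sm-hsm.internal:8900"
            # Connection timeout (ms)
            timeout: 30000
            # Number of retries on a failed HSM call
            retryCount: 3
            # NOTE(review): no authentication is configured here. If the plugin
            # reads credentials from Crypto:SmRemote (see below), set ApiKey /
            # ClientCertificatePath there - confirm against the plugin's
            # option schema.

      # CRITICAL: Disable ALL non-SM providers.
      # Wildcards ("eidas.*") are matched by the plugin loader, not by YAML;
      # they are quoted so the parser does not treat "*" as an alias.
      Disabled:
        - "default"        # Standard .NET crypto (SHA-256, ECDSA)
        - "libsodium"      # Ed25519, XChaCha20-Poly1305
        - "openssl.gost"   # Russian GOST
        - "pkcs11.gost"
        - "cryptopro.gost"
        - "wine.csp"
        - "eidas.*"        # European eIDAS
        - "fips.*"         # FIPS 140-3
        - "pq.*"           # Post-quantum
        - "sim.*"          # Simulation providers
      # NOTE(review): disabling "default" removes SHA-256/ECDSA for every
      # consumer of this registry, not only the compliance path. Confirm that
      # nothing outside the SM scope (e.g. artifact digest verification that
      # must interoperate with non-SM peers) still depends on it.

      # Fail application startup if an SM provider cannot be loaded.
      # Failing closed is intentional: silently falling back to another
      # provider would break the compliance guarantee.
      FailOnMissingPlugin: true

      # Require at least one SM provider
      RequireAtLeastOne: true

    Compliance:
      # Compliance profile: SM (ShangMi - Commercial Cipher)
      ProfileId: "sm"

      # CRITICAL: Enable strict validation.
      # This will REJECT any signature/hash algorithm that is not SM-compliant.
      StrictValidation: true

      # Enforce jurisdiction filtering
      EnforceJurisdiction: true

      # Only allow Chinese jurisdiction plugins
      AllowedJurisdictions:
        - "china"

      # Canonical algorithms (SM2 signature, SM3 hash, SM4 encryption)
      HashAlgorithm: "SM3"
      SignatureAlgorithm: "SM2"
      SymmetricAlgorithm: "SM4"

      # Emit warnings for any non-SM algorithm attempts.
      # Warnings are advisory only; the rejection itself comes from
      # StrictValidation above - do not rely on this setting for enforcement.
      WarnOnWeakAlgorithms: true

# SM Algorithm Overview (GM/T standards):
#   - SM2: Public key cryptography (similar to ECDSA, uses a 256-bit curve)
#          Standard: GM/T 0003-2012
#   - SM3: Cryptographic hash function (256-bit output, similar to SHA-256)
#          Standard: GM/T 0004-2012
#   - SM4: Block cipher (128-bit key, 128-bit block, similar to AES)
#          Standard: GM/T 0002-2012
#   - SM9: Identity-based cryptography
#          Standard: GM/T 0044-2016
#
# OSCCA (Office of State Commercial Cryptography Administration) Compliance:
#   - All cryptographic operations MUST use SM algorithms
#   - Hardware Security Modules (HSMs) MUST be OSCCA-certified
#   - Certificates MUST comply with GM/T 0015 (Certificate Profile)

# Optional: SM remote HSM configuration.
# When enabling this, merge the SmRemote mapping into the existing
# StellaOps:Crypto mapping above rather than adding a second "Crypto:" key -
# most YAML parsers silently keep only the last duplicate key.
# Secrets are referenced through environment variables; do not inline them.
#
# StellaOps:
#   Crypto:
#     SmRemote:
#       # Base URL of SM-compliant HSM service (TLS required)
#       BaseAddress: "https://sm-hsm.example.com:8900"
#       # API authentication token
#       ApiKey: "${SM_HSM_API_KEY}"
#       # Connection timeout (ms)
#       Timeout: 30000
#       # Enable TLS client certificate authentication
#       ClientCertificatePath: "/etc/stellaops/certs/sm-client.pfx"
#       ClientCertificatePassword: "${SM_CLIENT_CERT_PASSWORD}"

# Optional: Override default provider preferences.
# Same caveat as above: merge into the existing Crypto mapping.
#
# StellaOps:
#   Crypto:
#     Registry:
#       PreferredProviders:
#         - "sm.soft"
#         - "sm.remote"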