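# StellaOps Cryptography Configuration - EU Profile (eIDAS)
#
# Aligns with eIDAS (electronic IDentification, Authentication and trust Services),
# Regulation (EU) No 910/2014, for European Union deployments.
#
# eIDAS certificate requirements (for reference):
#   - Certificates must comply with ETSI EN 319 412-1 and 319 412-2
#   - Minimum key lengths: RSA 2048-bit, ECDSA P-256
#   - Qualified certificates require a QSCD (e.g., smart card, HSM)
#   - Advanced Electronic Signatures (AdES): XAdES, PAdES, CAdES formats
---
StellaOps:
  Crypto:
    Plugins:
      # Path to the plugin manifest JSON file
      ManifestPath: "/etc/stellaops/crypto-plugins-manifest.json"

      # Discovery mode: "explicit" (only load configured plugins) or "auto" (load all compatible).
      # Production deployments should use "explicit": with "auto", any compatible plugin
      # reachable through the manifest becomes part of the signing/verification trust path,
      # so a dropped-in or tampered plugin is loaded without ever being listed here.
      DiscoveryMode: "explicit"

      # Enabled plugins with priority and configuration overrides.
      # Entries keep their original order; NOTE(review): selection is presumably driven by
      # Priority (higher wins) rather than list position - confirm against the registry.
      Enabled:
        # eIDAS software provider. Keys are held in software, so this provider cannot meet
        # the QSCD requirement for qualified signatures; treat its output as AdES only.
        - Id: "eidas.soft"
          Priority: 100
          Options: {}

        # Default provider for standard ECDSA/RSA
        - Id: "default"
          Priority: 90
          Options: {}

        # Libsodium for Ed25519 (EdDSA; permitted under eIDAS)
        - Id: "libsodium"
          Priority: 80
          Options: {}

        # FIPS software provider for enhanced security.
        # Its priority (85) ranks it above libsodium (80) even though it is listed last.
        - Id: "fips.soft"
          Priority: 85
          Options: {}

      # Providers that are not eIDAS-compliant. Kept even though DiscoveryMode is
      # "explicit", so a later switch to "auto" cannot silently pull them in.
      Disabled:
        - "sm.*"           # Chinese SM algorithms
        - "openssl.gost"   # Russian GOST
        - "pkcs11.gost"
        - "cryptopro.gost"
        - "wine.csp"
        - "pq.*"           # Post-quantum (not yet eIDAS-qualified)

      # Fail application startup if a configured plugin cannot be loaded
      FailOnMissingPlugin: true

      # Require at least one crypto provider to be successfully loaded
      RequireAtLeastOne: true

    Compliance:
      # eIDAS compliance profile
      ProfileId: "eidas"

      # Enable strict validation (reject algorithms not approved by eIDAS)
      StrictValidation: true

      # Enforce jurisdiction filtering (only plugins from the allowed jurisdictions below)
      EnforceJurisdiction: true

      # Allowed jurisdictions. "world" is broader than EU-only; NOTE(review): confirm that
      # "world" denotes jurisdiction-neutral providers (e.g. "default", "libsodium") and is
      # not a wildcard that would let the filter admit every plugin.
      AllowedJurisdictions:
        - "eu"
        - "world"

      # Canonical algorithm preferences (ETSI TS 119 312)
      HashAlgorithm: "SHA-256"
      SignatureAlgorithm: "ES256"

      # Enable algorithm downgrade warnings
      WarnOnWeakAlgorithms: true

  # Optional: override default provider preferences.
  # Add the Registry mapping inside the existing StellaOps.Crypto block above; do NOT
  # uncomment a second "Crypto:" key at this level, since most YAML parsers silently
  # keep only the last duplicate key and would drop the Plugins section.
  # Crypto:
  #   Registry:
  #     PreferredProviders:
  #       - "eidas.soft"
  #       - "default"
  #       - "libsodium"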