# SPDX-License-Identifier: AGPL-3.0-or-later
# Sprint: SPRINT_4100_0006_0003 - SM Crypto CLI Integration
# Configuration example for Chinese ShangMi (SM) crypto providers
#
# Declares a crypto registry with two profiles (a production profile and a
# simulator profile), followed by per-provider settings for the software
# (GmSSL), remote CSP and simulator providers.
#
# NOTE(review): the nesting below was reconstructed from a listing whose
# line breaks and indentation were lost; confirm the placement of the
# provider "Profiles" section against the consuming options binding.

StellaOps:
  Crypto:
    Registry:
      # Active profile for SM operations
      ActiveProfile: "sm-production"

      Profiles:
        # Production profile using GmSSL or remote CSP
        - Name: "sm-production"
          PreferredProviders:
            - "cn.sm.soft"  # GmSSL software implementation
            - "cn.sm.remote.http"  # Remote cryptographic service provider
          Keys:
            # Software SM2 key (GmSSL)
            - KeyId: "sm-signing-2025"
              Source: "file"
              # The same file is referenced as PrivateKeyPath in the sm-soft
              # provider section below, so it holds private key material:
              # restrict it to the service account (owner-only read), keep it
              # out of version control, and rotate both references together.
              Location: "/etc/stellaops/keys/sm-2025.pem"
              Algorithm: "SM2"
              CertificateFormat: "GM/T 0015-2012"  # SM2 certificate standard
              Metadata:
                description: "Production SM2 signing key"
                usage: "signatures"
                compliant: "OSCCA GM/T 0003-2012"

            # Remote CSP key
            - KeyId: "sm-csp-prod"
              Source: "remote-csp"
              # Keep this an https:// URL so signing requests are encrypted in
              # transit. Assumes the provider validates the CSP's TLS
              # certificate - TODO confirm.
              Endpoint: "https://sm-csp.example.cn"
              # Presumably a reference to a credential stored elsewhere, not
              # the secret itself - confirm. CSP secrets do not belong in this
              # file.
              CredentialId: "cred-sm-123456"
              Algorithm: "SM2"
              Metadata:
                description: "Remote CSP signing key"
                vendor: "Example CSP Provider"
                # NOTE(review): a free-form string, not a boolean; presumably
                # informational only and not a verified certification status
                # - confirm.
                certified: "true"

        # Testing/development profile with simulator
        # Keep ActiveProfile pointed away from this profile in production;
        # its own metadata marks the key as not for production use.
        - Name: "sm-simulator"
          PreferredProviders:
            - "cn.sm.simulator"  # Simulator for testing without real CSP
          Keys:
            - KeyId: "sm-test-key"
              Source: "simulator"
              Algorithm: "SM2"
              Metadata:
                description: "Test SM2 key for development"
                warning: "NOT for production use"

    # SM Soft Provider Configuration (GmSSL-based)
    Profiles:
      sm-soft:
        # Require SM_SOFT_ALLOWED=1 environment variable
        RequireEnvironmentGate: true

        # Pre-configured keys
        Keys:
          - KeyId: "sm-signing-2025"
            # Supports both PEM and PKCS#8 DER formats
            PrivateKeyPath: "/etc/stellaops/keys/sm-2025.pem"

      # SM Remote Provider Configuration (Remote CSP)
      sm-remote:
        # Skip initial probe if CSP is not always available
        # (false leaves the initial probe enabled)
        SkipProbe: false

        # Pre-configured remote keys
        Keys:
          - KeyId: "sm-csp-prod"
            RemoteKeyId: "remote-key-id-at-csp"

      # SM Simulator Provider Configuration (Testing)
      sm-simulator:
        # Simulator endpoint (local or remote)
        # Plain http is only reasonable on loopback as shown here; a remote
        # simulator endpoint would carry requests unencrypted - TODO confirm
        # whether https is supported.
        Endpoint: "http://localhost:8888"

        # Auto-generate test keys
        # Generated keys are for testing only and should never sign
        # production artifacts.
        AutoGenerateKeys: true
        Keys:
          - KeyId: "sm-test-key"
            GenerateOnStartup: true

# SM Algorithm Constants
# - SM2: Public key cryptography (equivalent to ECDSA P-256)
# - SM3: Hash function (equivalent to SHA-256, 256-bit output)
# - SM4: Block cipher (equivalent to AES-128)
# - SM9: Identity-based cryptography
#
# "Equivalent" here means comparable in role and nominal strength, not
# interoperable: SM2 uses its own curve parameters and signature scheme, so
# SM2 keys and signatures cannot be consumed by ECDSA P-256 tooling, and the
# same holds for SM3 digests and SM4 ciphertexts.

# Compliance Requirements (OSCCA)
# - Algorithms must use OSCCA-certified implementations
# - Certificates must follow GM/T 0015-2012 (SM2 certificate format)
# - Key exchange follows GM/T 0003.5 protocol
#
# NOTE(review): in GM/T 0003-2012, Part 3 is the key exchange protocol and
# Part 5 is the curve parameter definition - confirm the intended part number.

# Usage Examples:
#
# Sign with SM2:
#   stella crypto sign \
#     --provider cn.sm.soft \
#     --profile sm-production \
#     --key-id sm-signing-2025 \
#     --alg SM2 \
#     --file document.pdf \
#     --out document.pdf.sig
#
# Hash with SM3:
#   stella crypto hash \
#     --alg SM3 \
#     --file document.pdf
#
# Verify SM2 signature:
#   stella crypto verify \
#     --provider cn.sm.soft \
#     --key-id sm-signing-2025 \
#     --alg SM2 \
#     --file document.pdf \
#     --signature document.pdf.sig
#
# List SM providers:
#   stella crypto providers --filter sm