semi implemented and features implemented save checkpoint

This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions


@@ -0,0 +1,35 @@
# Trust Root and Certificate Chain Verification
## Module
Authority
## Status
IMPLEMENTED
## Description
Certificate chain validation checks, TSA certificate expiry monitoring, and timestamp token verification with configurable trust anchors and verification options.
## Implementation Details
- **Timestamp Token Verifier**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping/TimeStampTokenVerifier.cs` (with partials `.CertificateChain.cs`, `.Signature.cs`, `.Validation.cs`, `.Warnings.cs`) -- verifies RFC 3161 timestamp tokens including certificate chain validation, signature verification, and trust anchor checks.
- **TSA Client**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping/HttpTsaClient.cs` (with partials `.GetTimeStamp.cs`, `.ProviderOrdering.cs`, `.ProviderRequest.cs`, `.Verification.cs`) -- HTTP client for TSA servers implementing `ITimeStampAuthorityClient`.
- **TSA Provider Registry**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping/TsaProviderRegistry.cs` (with partials `.HealthCheck.cs`, `.ProviderState.cs`, `.Providers.cs`, `.Reporting.cs`, `.Stats.cs`) -- manages TSA providers with health monitoring and failover.
- **Verification Options**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping.Abstractions/TimeStampVerificationOptions.cs` -- configurable trust anchors, allowed algorithms, certificate policies.
- **Verification Result**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping.Abstractions/TimeStampVerificationResult.cs` -- detailed result with errors and warnings.
- **Verification Error/Warning Codes**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping.Abstractions/VerificationError.cs`, `VerificationErrorCode.cs`, `VerificationWarning.cs`, `VerificationWarningCode.cs`, `VerificationStatus.cs`.
- **TSA Health**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping/TsaProviderHealth.cs`, `TsaHealthStatus.cs` -- health check types for TSA certificate expiry monitoring.
- **Signing Key Management**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Signing/AuthoritySigningKeyManager.cs` -- manages authority signing keys with rotation; `AuthoritySigningKeyStatus.cs` tracks key health.
- **JWKS Service**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Signing/AuthorityJwksService.cs` -- serves the JSON Web Key Set for public key distribution.
- **DSSE Statement Signer**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Signing/AuthorityDsseStatementSigner.cs` -- signs in-toto/DSSE statements using authority keys.
- **KMS Key Source**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Signing/KmsAuthoritySigningKeySource.cs` -- resolves signing keys from a Key Management Service.
- **File Key Source**: `src/Authority/StellaOps.Authority/StellaOps.Authority/Signing/FileAuthoritySigningKeySource.cs` -- resolves signing keys from local files.
- **Tests**: `src/Authority/__Tests/StellaOps.Authority.Timestamping.Tests/TimeStampTokenVerifierTests.cs`, `TsaProviderRegistryTests.cs`; `src/Authority/StellaOps.Authority/StellaOps.Authority.Tests/Signing/AuthorityJwksServiceTests.cs`, `AuthoritySigningKeyManagerTests.cs`, `KmsAuthoritySigningKeySourceTests.cs`, `TokenSignVerifyRoundtripTests.cs`
## E2E Test Plan
- [ ] Submit a timestamp request to a TSA server via `HttpTsaClient` and verify the returned timestamp token passes `TimeStampTokenVerifier` validation
- [ ] Verify certificate chain: provide a timestamp token with a valid chain and verify `TimeStampTokenVerifier.CertificateChain` validates each certificate up to the trust anchor
- [ ] Provide a timestamp token signed by an untrusted CA and verify the verifier rejects it with `VerificationErrorCode.UntrustedCertificate`
- [ ] Configure `TimeStampVerificationOptions` to reject weak algorithms (e.g., SHA-1) and verify tokens using SHA-1 are rejected
- [ ] Verify TSA health monitoring: register a TSA provider and verify `TsaProviderRegistry.HealthCheck` detects certificate expiry within the warning threshold
- [ ] Verify signing key rotation: rotate the authority signing key via `AuthoritySigningKeyManager` and verify the JWKS endpoint reflects the new key while the old key remains for validation
- [ ] Verify DSSE signing: sign a statement via `AuthorityDsseStatementSigner` and verify the signature can be validated using the JWKS public key
- [ ] Verify KMS key source: configure `KmsAuthoritySigningKeySource` and verify signing operations use the KMS-managed key
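Review bot: The `## Status` line says IMPLEMENTED while every item under `## E2E Test Plan` is unchecked, and the Tests bullet lists no test file for `HttpTsaClient`, `AuthorityDsseStatementSigner` or `FileAuthoritySigningKeySource`. Either qualify the status (for example, implemented but not yet verified end to end) or add the missing coverage before marking it done. Two smaller points in the plan: the SHA-1 rejection item should name the expected error code the way the untrusted-CA item names `VerificationErrorCode.UntrustedCertificate`, and `TimeStampTokenVerifier.CertificateChain` and `TsaProviderRegistry.HealthCheck` read as member names although Implementation Details lists `.CertificateChain.cs` and `.HealthCheck.cs` as partial files, so the items should reference the actual method or result field being asserted. The description also covers only timestamp and chain verification, while the bullets add signing key management, JWKS, DSSE and KMS/file key sources; the file key source has no plan item at all.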