semi implemented and features implemented save checkpoint

This commit is contained in:
master
2026-02-08 18:00:49 +02:00
parent 04360dff63
commit 1bf6bbf395
20895 changed files with 716795 additions and 64 deletions

@@ -0,0 +1,30 @@
# Doctor Evidence Integrity Check (DSSE + Rekor + Hash Verification)
## Module
EvidenceLocker
## Status
IMPLEMENTED
## Description
Doctor health check that validates DSSE signature validity, Rekor inclusion (or offline ledger), and evidence hash consistency using canonical JSON, with deterministic and offline-friendly output.
## Implementation Details
- **Modules**: `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/`, `src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/`
- **Key Classes**:
- `EvidenceSignatureService` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/EvidenceSignatureService.cs`) - validates DSSE signatures on evidence bundles
- `Rfc3161TimestampAuthorityClient` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/Rfc3161TimestampAuthorityClient.cs`) - RFC 3161 timestamp verification for Rekor receipts
- `NullTimestampAuthorityClient` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Infrastructure/Signing/NullTimestampAuthorityClient.cs`) - no-op timestamp client for offline mode
- `MerkleTreeCalculator` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.Core/Builders/MerkleTreeCalculator.cs`) - recomputes Merkle tree hashes for integrity verification
- `EvidenceAuditLogger` (`src/EvidenceLocker/StellaOps.EvidenceLocker/StellaOps.EvidenceLocker.WebService/Audit/EvidenceAuditLogger.cs`) - logs integrity check results
- `OfflineTimestampVerifier` (`src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/Verification/OfflineTimestampVerifier.cs`) - verifies timestamps offline without network access
- **Interfaces**: `IEvidenceSignatureService`, `ITimestampAuthorityClient`
- **Source**: SPRINT_20260112_004_LB_doctor_evidence_integrity_checks.md
## E2E Test Plan
- [ ] Run doctor integrity check on a valid evidence bundle and verify DSSE signature, Rekor inclusion, and hash consistency all pass
- [ ] Tamper with an evidence bundle payload and verify `EvidenceSignatureService` detects the DSSE signature mismatch
- [ ] Verify `MerkleTreeCalculator` recomputes the Merkle root and detects a modified evidence item
- [ ] Verify `OfflineTimestampVerifier` validates timestamps without network access using bundled Rekor receipts
- [ ] Verify `Rfc3161TimestampAuthorityClient` validates RFC 3161 timestamps against the authority
- [ ] Verify integrity check output is deterministic: same bundle produces identical check results across runs
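Review bot: Under "Key Classes", no listed class verifies Rekor inclusion, although the Description promises "Rekor inclusion (or offline ledger)" validation. `Rfc3161TimestampAuthorityClient` and `OfflineTimestampVerifier` are both worded in terms of "Rekor receipts", but an RFC 3161 timestamp token and a Rekor inclusion proof are different artifacts, and `MerkleTreeCalculator` is described only as recomputing hashes for the evidence items. Name the class that checks the inclusion proof (or say it is not implemented yet) and separate the timestamp wording from the Rekor wording. The E2E Test Plan has related gaps: no item exercises the canonical JSON hashing named in the Description, and no item confirms that a run wired to `NullTimestampAuthorityClient` reports the timestamp check as skipped rather than passed. The Status line also reads IMPLEMENTED while every test plan box is unchecked; consider a status that reflects that until the plan has been run.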