stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

partly or unimplemented features - now implemented

Browse Source
This commit is contained in:
master
2026-02-09 08:53:51 +02:00
parent 1bf6bbf395
commit 4bdc298ec1
674 changed files with 90194 additions and 2271 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
docs/features/unchecked/authority/rfc-3161-tsa-client-for-ci-cd-timestamping.md Normal file
View File

@@ -0,0 +1,40 @@
# RFC-3161 TSA Client for CI/CD Timestamping
## Module
Authority
## Status
IMPLEMENTED
## Description
RFC 3161 TSA client infrastructure for CI/CD timestamping. A comprehensive TSA client library exists in the Authority module with ASN.1 encoding/decoding, multi-provider failover, response caching, and certificate chain verification. The eIDAS plugin adds additional compliance support. Some CI/CD-specific integration features are still missing.
## What's Implemented
- **TSA Client**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping/HttpTsaClient.cs` (with partials `.GetTimeStamp.cs`, `.ProviderOrdering.cs`, `.ProviderRequest.cs`, `.Verification.cs`) -- full RFC 3161 HTTP-based TSA client implementing `ITimeStampAuthorityClient` with multi-provider failover and response verification.
- **ASN.1 Request Encoding**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping/Asn1/TimeStampReqEncoder.cs` (with partials `.Algorithms.cs`, `.Extensions.cs`, `.MessageImprint.cs`) -- encodes RFC 3161 TimeStampReq ASN.1 structures with algorithm selection and extension support.
- **ASN.1 Response Decoding**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping/Asn1/TimeStampRespDecoder.cs` -- decodes TimeStampResp ASN.1 structures.
- **ASN.1 Token Decoding**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping/Asn1/TimeStampTokenDecoder.cs` (with partials `.Accuracy.cs`, `.Certificates.cs`, `.SignedData.cs`, `.TstInfo.cs`, `.TstInfo.OptionalFields.cs`) -- decodes timestamp tokens including TSTInfo, signed data, and certificates.
- **Token Verifier**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping/TimeStampTokenVerifier.cs` (with partials `.CertificateChain.cs`, `.Signature.cs`, `.Validation.cs`, `.Warnings.cs`) -- full verification of timestamp tokens: signature, certificate chain, trust anchors, policy, and nonce checks.
- **Provider Registry**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping/TsaProviderRegistry.cs` (with partials `.HealthCheck.cs`, `.ProviderState.cs`, `.Providers.cs`, `.Reporting.cs`, `.Stats.cs`) -- manages multiple TSA providers with health monitoring, automatic failover, and statistics tracking.
- **Response Caching**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping/Caching/InMemoryTsaCacheStore.cs` (with `.Helpers.cs`), `ITsaCacheStore.cs` -- caches TSA responses to reduce provider load.
- **Abstractions**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping.Abstractions/` -- complete contract surface: `ITimeStampAuthorityClient.cs`, `TimeStampRequest.cs` (with `.Factory.cs`), `TimeStampResponse.cs`, `TimeStampToken.cs`, `TstInfo.cs`, `TstAccuracy.cs`, `TimeStampVerificationOptions.cs`, `TimeStampVerificationResult.cs`, `TsaClientOptions.cs`, `TsaProviderOptions.cs`, `FailoverStrategy.cs`, `PkiStatus.cs`, `PkiFailureInfo.cs`, verification error/warning enums.
- **DI Extensions**: `src/Authority/__Libraries/StellaOps.Authority.Timestamping/TimestampingServiceCollectionExtensions.cs` (with `.CommonProviders.cs`, `.Provider.cs`) -- registers TSA client and providers in DI.
- **Tests**: `src/Authority/__Tests/StellaOps.Authority.Timestamping.Tests/TimeStampReqEncoderTests.cs`, `TimeStampRespDecoderTests.cs`, `TimeStampTokenVerifierTests.cs`, `TsaProviderRegistryTests.cs`, `InMemoryTsaCacheStoreTests.cs`; `src/Authority/__Tests/StellaOps.Authority.Timestamping.Abstractions.Tests/` -- 9 test files covering requests, responses, tokens, options, TstInfo, TstAccuracy.
## What's Missing
- **CI/CD pipeline integration hooks**: No dedicated middleware or service that automatically timestamps CI/CD build artifacts (e.g., SBOM, attestation, build log) as part of a pipeline step. The TSA client exists but is not wired into an automated CI/CD timestamping flow.
- **Timestamped artifact registry**: No storage for mapping artifact digests to their timestamp tokens, enabling lookup of "when was this artifact timestamped?" across the platform.
- **Pipeline-scoped timestamp policies**: No configuration for per-pipeline or per-environment timestamp requirements (e.g., "production releases require dual-provider timestamps").
- **Timestamp receipt in release evidence**: The release orchestrator does not include timestamp receipts as evidence in the release decision chain.
- **eIDAS/qualified TSA compliance checks**: While an eIDAS plugin exists in Cryptography, there is no validation that a timestamp meets qualified timestamp requirements per eIDAS Article 42.
## Implementation Plan
- Create a `CiCdTimestampingService` that integrates with the Orchestrator/TaskRunner to automatically timestamp build artifacts
- Add a timestamp artifact registry in the Evidence Locker for storing and querying artifact-to-timestamp mappings
- Add pipeline-scoped timestamp policy configuration in the Policy module
- Integrate timestamp receipts into the Release Orchestrator's evidence chain
- Add eIDAS qualified timestamp compliance validation for regulated deployments
- Add E2E tests for the CI/CD timestamping flow end-to-end
## Related Documentation
- Source: See feature catalog