stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

feat: add security sink detection patterns for JavaScript/TypeScript

Browse Source 
- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations).
- Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns.
- Added `package-lock.json` for dependency management.
This commit is contained in:
StellaOps Bot
2025-12-22 23:21:21 +02:00
parent 3ba7157b00
commit 5146204f1b
529 changed files with 73579 additions and 5985 deletions
Download Patch File Download Diff File Expand all files Collapse all files

548
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Services/SnapshotBundleReader.cs Normal file
View File

@@ -0,0 +1,548 @@
// -----------------------------------------------------------------------------
// SnapshotBundleReader.cs
// Sprint: SPRINT_4300_0003_0001 (Sealed Knowledge Snapshot Export/Import)
// Tasks: SEAL-012, SEAL-013 - Implement signature verification and merkle root validation
// Description: Reads and verifies sealed knowledge snapshot bundles.
// -----------------------------------------------------------------------------
using System.Formats.Tar;
using System.IO.Compression;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using StellaOps.AirGap.Bundle.Models;
using PolicySnapshotEntry = StellaOps.AirGap.Bundle.Models.PolicySnapshotEntry;
namespace StellaOps.AirGap.Bundle.Services;
/// <summary>
/// Reads and verifies sealed knowledge snapshot bundles.
/// </summary>
public sealed class SnapshotBundleReader : ISnapshotBundleReader
{
private static readonly JsonSerializerOptions JsonOptions = new()
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
};
/// <summary>
/// Reads and verifies a snapshot bundle.
/// </summary>
public async Task<SnapshotBundleReadResult> ReadAsync(
SnapshotBundleReadRequest request,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(request);
ArgumentException.ThrowIfNullOrWhiteSpace(request.BundlePath);
if (!File.Exists(request.BundlePath))
{
return SnapshotBundleReadResult.Failed("Bundle file not found");
}
var tempDir = Path.Combine(Path.GetTempPath(), $"bundle-read-{Guid.NewGuid():N}");
Directory.CreateDirectory(tempDir);
try
{
// Extract the bundle
await ExtractBundleAsync(request.BundlePath, tempDir, cancellationToken);
// Read manifest
var manifestPath = Path.Combine(tempDir, "manifest.json");
if (!File.Exists(manifestPath))
{
return SnapshotBundleReadResult.Failed("Manifest not found in bundle");
}
var manifestBytes = await File.ReadAllBytesAsync(manifestPath, cancellationToken);
var manifest = JsonSerializer.Deserialize<KnowledgeSnapshotManifest>(manifestBytes, JsonOptions);
if (manifest is null)
{
return SnapshotBundleReadResult.Failed("Failed to parse manifest");
}
var result = new SnapshotBundleReadResult
{
Success = true,
Manifest = manifest,
BundleDigest = await ComputeFileDigestAsync(request.BundlePath, cancellationToken)
};
// Verify signature if requested
if (request.VerifySignature)
{
var signaturePath = Path.Combine(tempDir, "manifest.sig");
if (File.Exists(signaturePath))
{
var signatureBytes = await File.ReadAllBytesAsync(signaturePath, cancellationToken);
var signatureResult = await VerifySignatureAsync(
manifestBytes, signatureBytes, request.PublicKey, cancellationToken);
result = result with
{
SignatureVerified = signatureResult.Verified,
SignatureKeyId = signatureResult.KeyId,
SignatureError = signatureResult.Error
};
if (!signatureResult.Verified && request.RequireValidSignature)
{
return result with
{
Success = false,
Error = $"Signature verification failed: {signatureResult.Error}"
};
}
}
else if (request.RequireValidSignature)
{
return SnapshotBundleReadResult.Failed("Signature file not found but signature is required");
}
}
// Verify merkle root if requested
if (request.VerifyMerkleRoot)
{
var merkleResult = await VerifyMerkleRootAsync(tempDir, manifest, cancellationToken);
result = result with
{
MerkleRootVerified = merkleResult.Verified,
MerkleRootError = merkleResult.Error
};
if (!merkleResult.Verified && request.RequireValidMerkleRoot)
{
return result with
{
Success = false,
Error = $"Merkle root verification failed: {merkleResult.Error}"
};
}
}
// Verify time anchor if present
if (request.VerifyTimeAnchor && manifest.TimeAnchor is not null)
{
var timeAnchorService = new TimeAnchorService();
var timeAnchorContent = new TimeAnchorContent
{
AnchorTime = manifest.TimeAnchor.AnchorTime,
Source = manifest.TimeAnchor.Source,
TokenDigest = manifest.TimeAnchor.Digest
};
var timeAnchorResult = await timeAnchorService.ValidateAnchorAsync(
timeAnchorContent,
new TimeAnchorValidationRequest
{
MaxAgeHours = request.MaxAgeHours,
MaxClockDriftSeconds = request.MaxClockDriftSeconds
},
cancellationToken);
result = result with
{
TimeAnchorValid = timeAnchorResult.IsValid,
TimeAnchorAgeHours = timeAnchorResult.AgeHours,
TimeAnchorError = timeAnchorResult.Error
};
if (!timeAnchorResult.IsValid && request.RequireValidTimeAnchor)
{
return result with
{
Success = false,
Error = $"Time anchor validation failed: {timeAnchorResult.Error}"
};
}
}
return result;
}
catch (Exception ex)
{
return SnapshotBundleReadResult.Failed($"Failed to read bundle: {ex.Message}");
}
finally
{
// Clean up temp directory
try
{
if (Directory.Exists(tempDir))
{
Directory.Delete(tempDir, recursive: true);
}
}
catch
{
// Ignore cleanup errors
}
}
}
private static async Task ExtractBundleAsync(string bundlePath, string targetDir, CancellationToken ct)
{
await using var fileStream = File.OpenRead(bundlePath);
await using var gzipStream = new GZipStream(fileStream, CompressionMode.Decompress);
await TarFile.ExtractToDirectoryAsync(gzipStream, targetDir, overwriteFiles: true, ct);
}
private static async Task<string> ComputeFileDigestAsync(string filePath, CancellationToken ct)
{
await using var stream = File.OpenRead(filePath);
var hash = await SHA256.HashDataAsync(stream, ct);
return $"sha256:{Convert.ToHexString(hash).ToLowerInvariant()}";
}
private static async Task<SignatureVerificationResult> VerifySignatureAsync(
byte[] manifestBytes,
byte[] signatureEnvelopeBytes,
AsymmetricAlgorithm? publicKey,
CancellationToken cancellationToken)
{
try
{
var signer = new SnapshotManifestSigner();
var result = await signer.VerifyAsync(
new ManifestVerificationRequest
{
EnvelopeBytes = signatureEnvelopeBytes,
PublicKey = publicKey
},
cancellationToken);
if (!result.Success)
{
return new SignatureVerificationResult
{
Verified = false,
Error = result.Error
};
}
// Verify the payload digest matches the manifest
var manifestDigest = ComputeSha256(manifestBytes);
if (result.PayloadDigest != manifestDigest)
{
return new SignatureVerificationResult
{
Verified = false,
Error = "Manifest digest does not match signed payload"
};
}
var keyId = result.VerifiedSignatures?.FirstOrDefault()?.KeyId;
return new SignatureVerificationResult
{
Verified = publicKey is null || (result.VerifiedSignatures?.Any(s => s.Verified == true) ?? false),
KeyId = keyId
};
}
catch (Exception ex)
{
return new SignatureVerificationResult
{
Verified = false,
Error = ex.Message
};
}
}
private static async Task<MerkleVerificationResult> VerifyMerkleRootAsync(
string bundleDir,
KnowledgeSnapshotManifest manifest,
CancellationToken cancellationToken)
{
try
{
var entries = new List<BundleEntry>();
// Collect all entries from manifest
foreach (var advisory in manifest.Advisories)
{
var filePath = Path.Combine(bundleDir, advisory.RelativePath.Replace('/', Path.DirectorySeparatorChar));
if (!File.Exists(filePath))
{
return new MerkleVerificationResult
{
Verified = false,
Error = $"Missing file: {advisory.RelativePath}"
};
}
var content = await File.ReadAllBytesAsync(filePath, cancellationToken);
var digest = ComputeSha256(content);
if (digest != advisory.Digest)
{
return new MerkleVerificationResult
{
Verified = false,
Error = $"Digest mismatch for {advisory.RelativePath}"
};
}
entries.Add(new BundleEntry(advisory.RelativePath, digest, content.Length));
}
foreach (var vex in manifest.VexStatements)
{
var filePath = Path.Combine(bundleDir, vex.RelativePath.Replace('/', Path.DirectorySeparatorChar));
if (!File.Exists(filePath))
{
return new MerkleVerificationResult
{
Verified = false,
Error = $"Missing file: {vex.RelativePath}"
};
}
var content = await File.ReadAllBytesAsync(filePath, cancellationToken);
var digest = ComputeSha256(content);
if (digest != vex.Digest)
{
return new MerkleVerificationResult
{
Verified = false,
Error = $"Digest mismatch for {vex.RelativePath}"
};
}
entries.Add(new BundleEntry(vex.RelativePath, digest, content.Length));
}
foreach (var policy in manifest.Policies)
{
var filePath = Path.Combine(bundleDir, policy.RelativePath.Replace('/', Path.DirectorySeparatorChar));
if (!File.Exists(filePath))
{
return new MerkleVerificationResult
{
Verified = false,
Error = $"Missing file: {policy.RelativePath}"
};
}
var content = await File.ReadAllBytesAsync(filePath, cancellationToken);
var digest = ComputeSha256(content);
if (digest != policy.Digest)
{
return new MerkleVerificationResult
{
Verified = false,
Error = $"Digest mismatch for {policy.RelativePath}"
};
}
entries.Add(new BundleEntry(policy.RelativePath, digest, content.Length));
}
foreach (var trust in manifest.TrustRoots)
{
var filePath = Path.Combine(bundleDir, trust.RelativePath.Replace('/', Path.DirectorySeparatorChar));
if (!File.Exists(filePath))
{
return new MerkleVerificationResult
{
Verified = false,
Error = $"Missing file: {trust.RelativePath}"
};
}
var content = await File.ReadAllBytesAsync(filePath, cancellationToken);
var digest = ComputeSha256(content);
if (digest != trust.Digest)
{
return new MerkleVerificationResult
{
Verified = false,
Error = $"Digest mismatch for {trust.RelativePath}"
};
}
entries.Add(new BundleEntry(trust.RelativePath, digest, content.Length));
}
// Compute merkle root
var computedRoot = ComputeMerkleRoot(entries);
if (computedRoot != manifest.MerkleRoot)
{
return new MerkleVerificationResult
{
Verified = false,
Error = $"Merkle root mismatch: expected {manifest.MerkleRoot}, got {computedRoot}"
};
}
return new MerkleVerificationResult { Verified = true };
}
catch (Exception ex)
{
return new MerkleVerificationResult
{
Verified = false,
Error = ex.Message
};
}
}
private static string ComputeSha256(byte[] content)
{
var hash = SHA256.HashData(content);
return $"sha256:{Convert.ToHexString(hash).ToLowerInvariant()}";
}
private static string ComputeMerkleRoot(List<BundleEntry> entries)
{
if (entries.Count == 0)
{
return string.Empty;
}
var leaves = entries
.OrderBy(e => e.Path, StringComparer.Ordinal)
.Select(e => SHA256.HashData(Encoding.UTF8.GetBytes($"{e.Path}:{e.Digest}")))
.ToArray();
while (leaves.Length > 1)
{
leaves = PairwiseHash(leaves).ToArray();
}
return Convert.ToHexString(leaves[0]).ToLowerInvariant();
}
private static IEnumerable<byte[]> PairwiseHash(byte[][] nodes)
{
for (var i = 0; i < nodes.Length; i += 2)
{
if (i + 1 >= nodes.Length)
{
yield return SHA256.HashData(nodes[i]);
continue;
}
var combined = new byte[nodes[i].Length + nodes[i + 1].Length];
Buffer.BlockCopy(nodes[i], 0, combined, 0, nodes[i].Length);
Buffer.BlockCopy(nodes[i + 1], 0, combined, nodes[i].Length, nodes[i + 1].Length);
yield return SHA256.HashData(combined);
}
}
private sealed record BundleEntry(string Path, string Digest, long SizeBytes);
private sealed record SignatureVerificationResult
{
public bool Verified { get; init; }
public string? KeyId { get; init; }
public string? Error { get; init; }
}
private sealed record MerkleVerificationResult
{
public bool Verified { get; init; }
public string? Error { get; init; }
}
}
/// <summary>
/// Interface for snapshot bundle reading.
/// </summary>
public interface ISnapshotBundleReader
{
Task<SnapshotBundleReadResult> ReadAsync(
SnapshotBundleReadRequest request,
CancellationToken cancellationToken = default);
}
#region Request and Result Models
/// <summary>
/// Request for reading a snapshot bundle.
/// </summary>
public sealed record SnapshotBundleReadRequest
{
public required string BundlePath { get; init; }
/// <summary>
/// Verify the manifest signature.
/// </summary>
public bool VerifySignature { get; init; } = true;
/// <summary>
/// Fail if signature is invalid.
/// </summary>
public bool RequireValidSignature { get; init; }
/// <summary>
/// Verify the merkle root.
/// </summary>
public bool VerifyMerkleRoot { get; init; } = true;
/// <summary>
/// Fail if merkle root is invalid.
/// </summary>
public bool RequireValidMerkleRoot { get; init; } = true;
/// <summary>
/// Verify time anchor freshness.
/// </summary>
public bool VerifyTimeAnchor { get; init; } = true;
/// <summary>
/// Fail if time anchor is invalid.
/// </summary>
public bool RequireValidTimeAnchor { get; init; }
/// <summary>
/// Maximum age in hours for time anchor validation.
/// </summary>
public int? MaxAgeHours { get; init; }
/// <summary>
/// Maximum clock drift in seconds for time anchor validation.
/// </summary>
public int? MaxClockDriftSeconds { get; init; }
/// <summary>
/// Public key for signature verification.
/// </summary>
public AsymmetricAlgorithm? PublicKey { get; init; }
}
/// <summary>
/// Result of reading a snapshot bundle.
/// </summary>
public sealed record SnapshotBundleReadResult
{
public bool Success { get; init; }
public KnowledgeSnapshotManifest? Manifest { get; init; }
public string? BundleDigest { get; init; }
public string? Error { get; init; }
// Signature verification
public bool? SignatureVerified { get; init; }
public string? SignatureKeyId { get; init; }
public string? SignatureError { get; init; }
// Merkle root verification
public bool? MerkleRootVerified { get; init; }
public string? MerkleRootError { get; init; }
// Time anchor verification
public bool? TimeAnchorValid { get; init; }
public double? TimeAnchorAgeHours { get; init; }
public string? TimeAnchorError { get; init; }
public static SnapshotBundleReadResult Failed(string error) => new()
{
Success = false,
Error = error
};
}
#endregion

455
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Services/SnapshotBundleWriter.cs Normal file
View File

@@ -0,0 +1,455 @@
// -----------------------------------------------------------------------------
// SnapshotBundleWriter.cs
// Sprint: SPRINT_4300_0003_0001 (Sealed Knowledge Snapshot Export/Import)
// Task: SEAL-003 - Create SnapshotBundleWriter
// Description: Writes sealed knowledge snapshots to tar.gz bundles.
// -----------------------------------------------------------------------------
using System.Formats.Tar;
using System.IO.Compression;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using StellaOps.AirGap.Bundle.Models;
using PolicySnapshotEntry = StellaOps.AirGap.Bundle.Models.PolicySnapshotEntry;
namespace StellaOps.AirGap.Bundle.Services;
/// <summary>
/// Writes sealed knowledge snapshots to tar.gz bundles with manifest and merkle root.
/// </summary>
public sealed class SnapshotBundleWriter : ISnapshotBundleWriter
{
private static readonly JsonSerializerOptions JsonOptions = new()
{
WriteIndented = true,
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
};
/// <summary>
/// Creates a knowledge snapshot bundle from the specified contents.
/// </summary>
public async Task<SnapshotBundleResult> WriteAsync(
SnapshotBundleRequest request,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(request);
ArgumentException.ThrowIfNullOrWhiteSpace(request.OutputPath);
var tempDir = Path.Combine(Path.GetTempPath(), $"snapshot-{Guid.NewGuid():N}");
Directory.CreateDirectory(tempDir);
try
{
var entries = new List<BundleEntry>();
var manifest = new KnowledgeSnapshotManifest
{
BundleId = request.BundleId ?? Guid.NewGuid().ToString("N"),
Name = request.Name ?? $"knowledge-{DateTime.UtcNow:yyyy-MM-dd}",
Version = request.Version ?? "1.0.0",
CreatedAt = DateTimeOffset.UtcNow,
SchemaVersion = "1.0.0"
};
// Write advisories
if (request.Advisories is { Count: > 0 })
{
var advisoriesDir = Path.Combine(tempDir, "advisories");
Directory.CreateDirectory(advisoriesDir);
foreach (var advisory in request.Advisories)
{
var feedDir = Path.Combine(advisoriesDir, advisory.FeedId);
Directory.CreateDirectory(feedDir);
var filePath = Path.Combine(feedDir, advisory.FileName);
await File.WriteAllBytesAsync(filePath, advisory.Content, cancellationToken);
var relativePath = $"advisories/{advisory.FeedId}/{advisory.FileName}";
var digest = ComputeSha256(advisory.Content);
entries.Add(new BundleEntry(relativePath, digest, advisory.Content.Length));
manifest.Advisories.Add(new AdvisorySnapshotEntry
{
FeedId = advisory.FeedId,
RelativePath = relativePath,
Digest = digest,
SizeBytes = advisory.Content.Length,
SnapshotAt = advisory.SnapshotAt ?? DateTimeOffset.UtcNow,
RecordCount = advisory.RecordCount
});
}
}
// Write VEX statements
if (request.VexStatements is { Count: > 0 })
{
var vexDir = Path.Combine(tempDir, "vex");
Directory.CreateDirectory(vexDir);
foreach (var vex in request.VexStatements)
{
var sourceDir = Path.Combine(vexDir, vex.SourceId);
Directory.CreateDirectory(sourceDir);
var filePath = Path.Combine(sourceDir, vex.FileName);
await File.WriteAllBytesAsync(filePath, vex.Content, cancellationToken);
var relativePath = $"vex/{vex.SourceId}/{vex.FileName}";
var digest = ComputeSha256(vex.Content);
entries.Add(new BundleEntry(relativePath, digest, vex.Content.Length));
manifest.VexStatements.Add(new VexSnapshotEntry
{
SourceId = vex.SourceId,
RelativePath = relativePath,
Digest = digest,
SizeBytes = vex.Content.Length,
SnapshotAt = vex.SnapshotAt ?? DateTimeOffset.UtcNow,
StatementCount = vex.StatementCount
});
}
}
// Write policies
if (request.Policies is { Count: > 0 })
{
var policiesDir = Path.Combine(tempDir, "policies");
Directory.CreateDirectory(policiesDir);
foreach (var policy in request.Policies)
{
var filePath = Path.Combine(policiesDir, policy.FileName);
await File.WriteAllBytesAsync(filePath, policy.Content, cancellationToken);
var relativePath = $"policies/{policy.FileName}";
var digest = ComputeSha256(policy.Content);
entries.Add(new BundleEntry(relativePath, digest, policy.Content.Length));
manifest.Policies.Add(new PolicySnapshotEntry
{
PolicyId = policy.PolicyId,
Name = policy.Name,
Version = policy.Version,
RelativePath = relativePath,
Digest = digest,
SizeBytes = policy.Content.Length,
Type = policy.Type
});
}
}
// Write trust roots
if (request.TrustRoots is { Count: > 0 })
{
var trustDir = Path.Combine(tempDir, "trust");
Directory.CreateDirectory(trustDir);
foreach (var trustRoot in request.TrustRoots)
{
var filePath = Path.Combine(trustDir, trustRoot.FileName);
await File.WriteAllBytesAsync(filePath, trustRoot.Content, cancellationToken);
var relativePath = $"trust/{trustRoot.FileName}";
var digest = ComputeSha256(trustRoot.Content);
entries.Add(new BundleEntry(relativePath, digest, trustRoot.Content.Length));
manifest.TrustRoots.Add(new TrustRootSnapshotEntry
{
KeyId = trustRoot.KeyId,
RelativePath = relativePath,
Digest = digest,
SizeBytes = trustRoot.Content.Length,
Algorithm = trustRoot.Algorithm,
ExpiresAt = trustRoot.ExpiresAt
});
}
}
// Write time anchor
if (request.TimeAnchor is not null)
{
var timeAnchorPath = Path.Combine(tempDir, "time-anchor.json");
var timeAnchorJson = JsonSerializer.SerializeToUtf8Bytes(request.TimeAnchor, JsonOptions);
await File.WriteAllBytesAsync(timeAnchorPath, timeAnchorJson, cancellationToken);
var digest = ComputeSha256(timeAnchorJson);
entries.Add(new BundleEntry("time-anchor.json", digest, timeAnchorJson.Length));
manifest.TimeAnchor = new TimeAnchorEntry
{
AnchorTime = request.TimeAnchor.AnchorTime,
Source = request.TimeAnchor.Source,
Digest = digest
};
}
// Compute merkle root
manifest.MerkleRoot = ComputeMerkleRoot(entries);
manifest.TotalSizeBytes = entries.Sum(e => e.SizeBytes);
manifest.EntryCount = entries.Count;
// Write manifest
var manifestJson = JsonSerializer.SerializeToUtf8Bytes(manifest, JsonOptions);
var manifestPath = Path.Combine(tempDir, "manifest.json");
await File.WriteAllBytesAsync(manifestPath, manifestJson, cancellationToken);
// Sign manifest if requested
string? signingKeyId = null;
string? signingAlgorithm = null;
var signed = false;
if (request.Sign)
{
var signer = new SnapshotManifestSigner();
var signResult = await signer.SignAsync(new ManifestSigningRequest
{
ManifestBytes = manifestJson,
KeyFilePath = request.SigningKeyPath,
KeyPassword = request.SigningKeyPassword
}, cancellationToken);
if (signResult.Success && signResult.Envelope is not null)
{
var signaturePath = Path.Combine(tempDir, "manifest.sig");
await File.WriteAllBytesAsync(signaturePath, signResult.Envelope, cancellationToken);
signingKeyId = signResult.KeyId;
signingAlgorithm = signResult.Algorithm;
signed = true;
}
}
// Create tar.gz bundle
var outputPath = request.OutputPath;
if (!outputPath.EndsWith(".tar.gz", StringComparison.OrdinalIgnoreCase))
{
outputPath = $"{outputPath}.tar.gz";
}
await CreateTarGzAsync(tempDir, outputPath, cancellationToken);
var bundleDigest = await ComputeFileDigestAsync(outputPath, cancellationToken);
return new SnapshotBundleResult
{
Success = true,
OutputPath = outputPath,
BundleId = manifest.BundleId,
MerkleRoot = manifest.MerkleRoot,
BundleDigest = bundleDigest,
TotalSizeBytes = new FileInfo(outputPath).Length,
EntryCount = entries.Count,
CreatedAt = manifest.CreatedAt,
Signed = signed,
SigningKeyId = signingKeyId,
SigningAlgorithm = signingAlgorithm
};
}
finally
{
// Clean up temp directory
try
{
if (Directory.Exists(tempDir))
{
Directory.Delete(tempDir, recursive: true);
}
}
catch
{
// Ignore cleanup errors
}
}
}
private static string ComputeSha256(byte[] content)
{
var hash = SHA256.HashData(content);
return $"sha256:{Convert.ToHexString(hash).ToLowerInvariant()}";
}
private static async Task<string> ComputeFileDigestAsync(string filePath, CancellationToken ct)
{
await using var stream = File.OpenRead(filePath);
var hash = await SHA256.HashDataAsync(stream, ct);
return $"sha256:{Convert.ToHexString(hash).ToLowerInvariant()}";
}
private static string ComputeMerkleRoot(List<BundleEntry> entries)
{
if (entries.Count == 0)
{
return string.Empty;
}
var leaves = entries
.OrderBy(e => e.Path, StringComparer.Ordinal)
.Select(e => SHA256.HashData(Encoding.UTF8.GetBytes($"{e.Path}:{e.Digest}")))
.ToArray();
while (leaves.Length > 1)
{
leaves = PairwiseHash(leaves).ToArray();
}
return Convert.ToHexString(leaves[0]).ToLowerInvariant();
}
private static IEnumerable<byte[]> PairwiseHash(byte[][] nodes)
{
for (var i = 0; i < nodes.Length; i += 2)
{
if (i + 1 >= nodes.Length)
{
yield return SHA256.HashData(nodes[i]);
continue;
}
var combined = new byte[nodes[i].Length + nodes[i + 1].Length];
Buffer.BlockCopy(nodes[i], 0, combined, 0, nodes[i].Length);
Buffer.BlockCopy(nodes[i + 1], 0, combined, nodes[i].Length, nodes[i + 1].Length);
yield return SHA256.HashData(combined);
}
}
private static async Task CreateTarGzAsync(string sourceDir, string outputPath, CancellationToken ct)
{
var outputDir = Path.GetDirectoryName(outputPath);
if (!string.IsNullOrEmpty(outputDir) && !Directory.Exists(outputDir))
{
Directory.CreateDirectory(outputDir);
}
await using var fileStream = File.Create(outputPath);
await using var gzipStream = new GZipStream(fileStream, CompressionLevel.Optimal);
await TarFile.CreateFromDirectoryAsync(sourceDir, gzipStream, includeBaseDirectory: false, ct);
}
private sealed record BundleEntry(string Path, string Digest, long SizeBytes);
}
/// <summary>
/// Interface for snapshot bundle writing.
/// </summary>
public interface ISnapshotBundleWriter
{
Task<SnapshotBundleResult> WriteAsync(
SnapshotBundleRequest request,
CancellationToken cancellationToken = default);
}
#region Request and Result Models
/// <summary>
/// Request for creating a knowledge snapshot bundle.
/// </summary>
public sealed record SnapshotBundleRequest
{
public required string OutputPath { get; init; }
public string? BundleId { get; init; }
public string? Name { get; init; }
public string? Version { get; init; }
public List<AdvisoryContent> Advisories { get; init; } = [];
public List<VexContent> VexStatements { get; init; } = [];
public List<PolicyContent> Policies { get; init; } = [];
public List<TrustRootContent> TrustRoots { get; init; } = [];
public TimeAnchorContent? TimeAnchor { get; init; }
/// <summary>
/// Whether to sign the manifest.
/// </summary>
public bool Sign { get; init; } = true;
/// <summary>
/// Path to signing key file (PEM format).
/// If null and Sign is true, an ephemeral key will be used.
/// </summary>
public string? SigningKeyPath { get; init; }
/// <summary>
/// Password for encrypted signing key.
/// </summary>
public string? SigningKeyPassword { get; init; }
}
public sealed record AdvisoryContent
{
public required string FeedId { get; init; }
public required string FileName { get; init; }
public required byte[] Content { get; init; }
public DateTimeOffset? SnapshotAt { get; init; }
public int RecordCount { get; init; }
}
public sealed record VexContent
{
public required string SourceId { get; init; }
public required string FileName { get; init; }
public required byte[] Content { get; init; }
public DateTimeOffset? SnapshotAt { get; init; }
public int StatementCount { get; init; }
}
public sealed record PolicyContent
{
public required string PolicyId { get; init; }
public required string Name { get; init; }
public required string Version { get; init; }
public required string FileName { get; init; }
public required byte[] Content { get; init; }
public string Type { get; init; } = "OpaRego";
}
public sealed record TrustRootContent
{
public required string KeyId { get; init; }
public required string FileName { get; init; }
public required byte[] Content { get; init; }
public string Algorithm { get; init; } = "ES256";
public DateTimeOffset? ExpiresAt { get; init; }
}
public sealed record TimeAnchorContent
{
public required DateTimeOffset AnchorTime { get; init; }
public required string Source { get; init; }
public string? TokenDigest { get; init; }
}
/// <summary>
/// Result of creating a knowledge snapshot bundle.
/// </summary>
public sealed record SnapshotBundleResult
{
public bool Success { get; init; }
public string? OutputPath { get; init; }
public string? BundleId { get; init; }
public string? MerkleRoot { get; init; }
public string? BundleDigest { get; init; }
public long TotalSizeBytes { get; init; }
public int EntryCount { get; init; }
public DateTimeOffset CreatedAt { get; init; }
public string? Error { get; init; }
/// <summary>
/// Whether the manifest was signed.
/// </summary>
public bool Signed { get; init; }
/// <summary>
/// Key ID used for signing.
/// </summary>
public string? SigningKeyId { get; init; }
/// <summary>
/// Algorithm used for signing.
/// </summary>
public string? SigningAlgorithm { get; init; }
public static SnapshotBundleResult Failed(string error) => new()
{
Success = false,
Error = error
};
}
#endregion

486
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Services/SnapshotManifestSigner.cs Normal file
View File

@@ -0,0 +1,486 @@
// -----------------------------------------------------------------------------
// SnapshotManifestSigner.cs
// Sprint: SPRINT_4300_0003_0001 (Sealed Knowledge Snapshot Export/Import)
// Task: SEAL-004 - Add DSSE signing for manifest
// Description: Signs snapshot manifests using DSSE format for integrity verification.
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
namespace StellaOps.AirGap.Bundle.Services;
/// <summary>
/// Signs snapshot manifests using DSSE (Dead Simple Signing Envelope) format.
/// Produces signatures compatible with in-toto/Sigstore verification.
/// </summary>
public sealed class SnapshotManifestSigner : ISnapshotManifestSigner
{
private const string DssePayloadType = "application/vnd.stellaops.knowledge-snapshot+json";
private const string PreAuthenticationEncodingPrefix = "DSSEv1";
private static readonly JsonSerializerOptions JsonOptions = new()
{
WriteIndented = false,
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
};
/// <summary>
/// Signs a manifest using the provided signing key.
/// </summary>
public async Task<ManifestSignatureResult> SignAsync(
ManifestSigningRequest request,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(request);
ArgumentNullException.ThrowIfNull(request.ManifestBytes);
// Build PAE (Pre-Authentication Encoding) for DSSE signing
var paeBytes = BuildPae(DssePayloadType, request.ManifestBytes);
// Sign the PAE
byte[] signatureBytes;
string keyId;
string algorithm;
if (request.SigningKey is not null)
{
// Use provided signing key
(signatureBytes, keyId, algorithm) = await SignWithKeyAsync(
request.SigningKey, paeBytes, cancellationToken);
}
else if (!string.IsNullOrWhiteSpace(request.KeyFilePath))
{
// Load key from file and sign
(signatureBytes, keyId, algorithm) = await SignWithKeyFileAsync(
request.KeyFilePath, request.KeyPassword, paeBytes, cancellationToken);
}
else
{
// Generate ephemeral key for signing (keyless mode)
(signatureBytes, keyId, algorithm) = await SignEphemeralAsync(paeBytes, cancellationToken);
}
// Build DSSE envelope
var envelope = BuildDsseEnvelope(request.ManifestBytes, signatureBytes, keyId);
return new ManifestSignatureResult
{
Success = true,
Envelope = envelope,
KeyId = keyId,
Algorithm = algorithm,
SignatureDigest = ComputeSha256(signatureBytes)
};
}
/// <summary>
/// Verifies a DSSE envelope signature.
/// </summary>
public async Task<ManifestVerificationResult> VerifyAsync(
ManifestVerificationRequest request,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(request);
ArgumentNullException.ThrowIfNull(request.EnvelopeBytes);
try
{
// Parse the envelope
using var envelope = JsonDocument.Parse(request.EnvelopeBytes);
var root = envelope.RootElement;
if (!root.TryGetProperty("payloadType", out var payloadTypeElement) ||
!root.TryGetProperty("payload", out var payloadElement) ||
!root.TryGetProperty("signatures", out var signaturesElement))
{
return new ManifestVerificationResult
{
Success = false,
Error = "Invalid DSSE envelope structure"
};
}
var payloadType = payloadTypeElement.GetString();
var payloadBase64 = payloadElement.GetString();
if (string.IsNullOrEmpty(payloadBase64))
{
return new ManifestVerificationResult
{
Success = false,
Error = "Missing payload in envelope"
};
}
// Decode payload
var payloadBytes = Convert.FromBase64String(payloadBase64);
// Compute expected digest
var payloadDigest = ComputeSha256(payloadBytes);
// Verify at least one signature
var signatureCount = signaturesElement.GetArrayLength();
if (signatureCount == 0)
{
return new ManifestVerificationResult
{
Success = false,
Error = "No signatures present in envelope"
};
}
// Build PAE for verification
var paeBytes = BuildPae(payloadType ?? DssePayloadType, payloadBytes);
// Verify signatures if public key is provided
var verifiedSignatures = new List<VerifiedSignature>();
foreach (var sig in signaturesElement.EnumerateArray())
{
var keyId = sig.TryGetProperty("keyid", out var keyIdElement)
? keyIdElement.GetString()
: null;
if (sig.TryGetProperty("sig", out var sigElement))
{
var signatureBase64 = sigElement.GetString();
if (!string.IsNullOrEmpty(signatureBase64))
{
// If public key is provided, verify the signature
if (request.PublicKey is not null)
{
var signatureBytes = Convert.FromBase64String(signatureBase64);
var isValid = await VerifySignatureAsync(
request.PublicKey, paeBytes, signatureBytes, cancellationToken);
verifiedSignatures.Add(new VerifiedSignature(keyId, isValid));
}
else
{
// Without public key, we can only confirm presence
verifiedSignatures.Add(new VerifiedSignature(keyId, null));
}
}
}
}
return new ManifestVerificationResult
{
Success = true,
PayloadDigest = payloadDigest,
SignatureCount = signatureCount,
VerifiedSignatures = verifiedSignatures,
PayloadType = payloadType
};
}
catch (JsonException ex)
{
return new ManifestVerificationResult
{
Success = false,
Error = $"Failed to parse envelope: {ex.Message}"
};
}
catch (FormatException ex)
{
return new ManifestVerificationResult
{
Success = false,
Error = $"Invalid base64 encoding: {ex.Message}"
};
}
}
private static byte[] BuildPae(string payloadType, byte[] payload)
{
var typeBytes = Encoding.UTF8.GetBytes(payloadType);
var prefixBytes = Encoding.UTF8.GetBytes(PreAuthenticationEncodingPrefix);
var typeLenStr = typeBytes.Length.ToString();
var payloadLenStr = payload.Length.ToString();
var totalLen = prefixBytes.Length + 1 +
typeLenStr.Length + 1 +
typeBytes.Length + 1 +
payloadLenStr.Length + 1 +
payload.Length;
var pae = new byte[totalLen];
var offset = 0;
// DSSEv1
Buffer.BlockCopy(prefixBytes, 0, pae, offset, prefixBytes.Length);
offset += prefixBytes.Length;
pae[offset++] = 0x20;
// LEN(type)
var typeLenBytes = Encoding.UTF8.GetBytes(typeLenStr);
Buffer.BlockCopy(typeLenBytes, 0, pae, offset, typeLenBytes.Length);
offset += typeLenBytes.Length;
pae[offset++] = 0x20;
// type
Buffer.BlockCopy(typeBytes, 0, pae, offset, typeBytes.Length);
offset += typeBytes.Length;
pae[offset++] = 0x20;
// LEN(payload)
var payloadLenBytes = Encoding.UTF8.GetBytes(payloadLenStr);
Buffer.BlockCopy(payloadLenBytes, 0, pae, offset, payloadLenBytes.Length);
offset += payloadLenBytes.Length;
pae[offset++] = 0x20;
// payload
Buffer.BlockCopy(payload, 0, pae, offset, payload.Length);
return pae;
}
private static async Task<(byte[] Signature, string KeyId, string Algorithm)> SignWithKeyAsync(
AsymmetricAlgorithm key,
byte[] data,
CancellationToken cancellationToken)
{
await Task.CompletedTask; // Signature operations are synchronous
return key switch
{
ECDsa ecdsa => SignWithEcdsa(ecdsa, data),
RSA rsa => SignWithRsa(rsa, data),
_ => throw new NotSupportedException($"Unsupported key type: {key.GetType().Name}")
};
}
private static (byte[] Signature, string KeyId, string Algorithm) SignWithEcdsa(ECDsa ecdsa, byte[] data)
{
var signature = ecdsa.SignData(data, HashAlgorithmName.SHA256);
var keyId = ComputeKeyId(ecdsa);
var algorithm = ecdsa.KeySize switch
{
256 => "ES256",
384 => "ES384",
521 => "ES512",
_ => "ECDSA"
};
return (signature, keyId, algorithm);
}
private static (byte[] Signature, string KeyId, string Algorithm) SignWithRsa(RSA rsa, byte[] data)
{
var signature = rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
var keyId = ComputeKeyId(rsa);
return (signature, keyId, "RS256");
}
private static async Task<(byte[] Signature, string KeyId, string Algorithm)> SignWithKeyFileAsync(
string keyFilePath,
string? password,
byte[] data,
CancellationToken cancellationToken)
{
var keyBytes = await File.ReadAllBytesAsync(keyFilePath, cancellationToken);
var keyPem = Encoding.UTF8.GetString(keyBytes);
// Try to load as ECDSA first
try
{
using var ecdsa = ECDsa.Create();
if (string.IsNullOrEmpty(password))
{
ecdsa.ImportFromPem(keyPem);
}
else
{
ecdsa.ImportFromEncryptedPem(keyPem, password);
}
return SignWithEcdsa(ecdsa, data);
}
catch (CryptographicException)
{
// Try RSA
}
try
{
using var rsa = RSA.Create();
if (string.IsNullOrEmpty(password))
{
rsa.ImportFromPem(keyPem);
}
else
{
rsa.ImportFromEncryptedPem(keyPem, password);
}
return SignWithRsa(rsa, data);
}
catch (CryptographicException ex)
{
throw new InvalidOperationException($"Failed to load signing key from {keyFilePath}", ex);
}
}
private static async Task<(byte[] Signature, string KeyId, string Algorithm)> SignEphemeralAsync(
byte[] data,
CancellationToken cancellationToken)
{
await Task.CompletedTask;
// Generate ephemeral ECDSA P-256 key
using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
var signature = ecdsa.SignData(data, HashAlgorithmName.SHA256);
var keyId = $"ephemeral:{ComputeKeyId(ecdsa)}";
return (signature, keyId, "ES256");
}
private static async Task<bool> VerifySignatureAsync(
AsymmetricAlgorithm key,
byte[] data,
byte[] signature,
CancellationToken cancellationToken)
{
await Task.CompletedTask;
return key switch
{
ECDsa ecdsa => ecdsa.VerifyData(data, signature, HashAlgorithmName.SHA256),
RSA rsa => rsa.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1),
_ => false
};
}
private static string ComputeKeyId(AsymmetricAlgorithm key)
{
byte[] publicKeyBytes;
switch (key)
{
case ECDsa ecdsa:
publicKeyBytes = ecdsa.ExportSubjectPublicKeyInfo();
break;
case RSA rsa:
publicKeyBytes = rsa.ExportSubjectPublicKeyInfo();
break;
default:
return "unknown";
}
var hash = SHA256.HashData(publicKeyBytes);
return Convert.ToHexString(hash[..8]).ToLowerInvariant();
}
private static byte[] BuildDsseEnvelope(byte[] payload, byte[] signature, string keyId)
{
var payloadBase64 = Convert.ToBase64String(payload);
var signatureBase64 = Convert.ToBase64String(signature);
var envelope = new DsseEnvelopeDto
{
PayloadType = DssePayloadType,
Payload = payloadBase64,
Signatures =
[
new DsseSignatureDto
{
KeyId = keyId,
Sig = signatureBase64
}
]
};
return JsonSerializer.SerializeToUtf8Bytes(envelope, JsonOptions);
}
private static string ComputeSha256(byte[] content)
{
var hash = SHA256.HashData(content);
return $"sha256:{Convert.ToHexString(hash).ToLowerInvariant()}";
}
private sealed class DsseEnvelopeDto
{
public required string PayloadType { get; init; }
public required string Payload { get; init; }
public required List<DsseSignatureDto> Signatures { get; init; }
}
private sealed class DsseSignatureDto
{
public string? KeyId { get; init; }
public required string Sig { get; init; }
}
}
/// <summary>
/// Interface for manifest signing operations.
/// </summary>
public interface ISnapshotManifestSigner
{
Task<ManifestSignatureResult> SignAsync(
ManifestSigningRequest request,
CancellationToken cancellationToken = default);
Task<ManifestVerificationResult> VerifyAsync(
ManifestVerificationRequest request,
CancellationToken cancellationToken = default);
}
#region Request and Result Models
/// <summary>
/// Request for signing a manifest.
/// </summary>
public sealed record ManifestSigningRequest
{
public required byte[] ManifestBytes { get; init; }
public AsymmetricAlgorithm? SigningKey { get; init; }
public string? KeyFilePath { get; init; }
public string? KeyPassword { get; init; }
}
/// <summary>
/// Result of signing a manifest.
/// </summary>
public sealed record ManifestSignatureResult
{
public bool Success { get; init; }
public byte[]? Envelope { get; init; }
public string? KeyId { get; init; }
public string? Algorithm { get; init; }
public string? SignatureDigest { get; init; }
public string? Error { get; init; }
public static ManifestSignatureResult Failed(string error) => new()
{
Success = false,
Error = error
};
}
/// <summary>
/// Request for verifying a manifest signature.
/// </summary>
public sealed record ManifestVerificationRequest
{
public required byte[] EnvelopeBytes { get; init; }
public AsymmetricAlgorithm? PublicKey { get; init; }
}
/// <summary>
/// Result of verifying a manifest signature.
/// </summary>
public sealed record ManifestVerificationResult
{
public bool Success { get; init; }
public string? PayloadDigest { get; init; }
public string? PayloadType { get; init; }
public int SignatureCount { get; init; }
public IReadOnlyList<VerifiedSignature>? VerifiedSignatures { get; init; }
public string? Error { get; init; }
}
/// <summary>
/// A verified signature with optional verification status.
/// </summary>
public sealed record VerifiedSignature(string? KeyId, bool? Verified);
#endregion

352
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Services/TimeAnchorService.cs Normal file
View File

@@ -0,0 +1,352 @@
// -----------------------------------------------------------------------------
// TimeAnchorService.cs
// Sprint: SPRINT_4300_0003_0001 (Sealed Knowledge Snapshot Export/Import)
// Task: SEAL-009 - Add time anchor token generation
// Description: Generates time anchor tokens for knowledge snapshot bundles.
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
namespace StellaOps.AirGap.Bundle.Services;
/// <summary>
/// Generates time anchor tokens for snapshot bundles.
/// Time anchors provide cryptographic proof of the time when a snapshot was created.
/// </summary>
public sealed class TimeAnchorService : ITimeAnchorService
{
private static readonly JsonSerializerOptions JsonOptions = new()
{
WriteIndented = false,
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
};
/// <summary>
/// Creates a time anchor token for a snapshot.
/// </summary>
public async Task<TimeAnchorResult> CreateAnchorAsync(
TimeAnchorRequest request,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(request);
try
{
var source = request.Source?.ToLowerInvariant() ?? "local";
return source switch
{
"local" => await CreateLocalAnchorAsync(request, cancellationToken),
var s when s.StartsWith("roughtime:") => await CreateRoughtimeAnchorAsync(request, cancellationToken),
var s when s.StartsWith("rfc3161:") => await CreateRfc3161AnchorAsync(request, cancellationToken),
_ => await CreateLocalAnchorAsync(request, cancellationToken)
};
}
catch (Exception ex)
{
return TimeAnchorResult.Failed($"Failed to create time anchor: {ex.Message}");
}
}
/// <summary>
/// Validates a time anchor token.
/// </summary>
public async Task<TimeAnchorValidationResult> ValidateAnchorAsync(
TimeAnchorContent anchor,
TimeAnchorValidationRequest request,
CancellationToken cancellationToken = default)
{
ArgumentNullException.ThrowIfNull(anchor);
ArgumentNullException.ThrowIfNull(request);
try
{
// Validate timestamp is within acceptable range
var now = DateTimeOffset.UtcNow;
var anchorAge = now - anchor.AnchorTime;
if (request.MaxAgeHours.HasValue && anchorAge.TotalHours > request.MaxAgeHours.Value)
{
return new TimeAnchorValidationResult
{
IsValid = false,
AnchorTime = anchor.AnchorTime,
Source = anchor.Source,
AgeHours = anchorAge.TotalHours,
Error = $"Time anchor is too old: {anchorAge.TotalHours:F1} hours (max: {request.MaxAgeHours.Value})"
};
}
// Validate anchor is not in the future (with drift tolerance)
var maxDrift = TimeSpan.FromSeconds(request.MaxClockDriftSeconds ?? 60);
if (anchor.AnchorTime > now + maxDrift)
{
return new TimeAnchorValidationResult
{
IsValid = false,
AnchorTime = anchor.AnchorTime,
Source = anchor.Source,
Error = "Time anchor is in the future"
};
}
// Validate token digest if provided
if (!string.IsNullOrEmpty(anchor.TokenDigest) && !string.IsNullOrEmpty(request.ExpectedTokenDigest))
{
if (!string.Equals(anchor.TokenDigest, request.ExpectedTokenDigest, StringComparison.OrdinalIgnoreCase))
{
return new TimeAnchorValidationResult
{
IsValid = false,
AnchorTime = anchor.AnchorTime,
Source = anchor.Source,
Error = "Token digest mismatch"
};
}
}
await Task.CompletedTask;
return new TimeAnchorValidationResult
{
IsValid = true,
AnchorTime = anchor.AnchorTime,
Source = anchor.Source,
AgeHours = anchorAge.TotalHours
};
}
catch (Exception ex)
{
return new TimeAnchorValidationResult
{
IsValid = false,
Error = $"Validation failed: {ex.Message}"
};
}
}
private static async Task<TimeAnchorResult> CreateLocalAnchorAsync(
TimeAnchorRequest request,
CancellationToken cancellationToken)
{
await Task.CompletedTask;
var anchorTime = DateTimeOffset.UtcNow;
// Create a local anchor with a signed timestamp
var anchorData = new LocalAnchorData
{
Timestamp = anchorTime,
Nonce = Guid.NewGuid().ToString("N"),
MerkleRoot = request.MerkleRoot
};
var anchorJson = JsonSerializer.Serialize(anchorData, JsonOptions);
var anchorBytes = Encoding.UTF8.GetBytes(anchorJson);
var tokenDigest = $"sha256:{Convert.ToHexString(SHA256.HashData(anchorBytes)).ToLowerInvariant()}";
return new TimeAnchorResult
{
Success = true,
Content = new TimeAnchorContent
{
AnchorTime = anchorTime,
Source = "local",
TokenDigest = tokenDigest
},
TokenBytes = anchorBytes
};
}
private static async Task<TimeAnchorResult> CreateRoughtimeAnchorAsync(
TimeAnchorRequest request,
CancellationToken cancellationToken)
{
// Roughtime is a cryptographic time synchronization protocol
// This is a placeholder implementation - full implementation would use a Roughtime client
var serverUrl = request.Source?["roughtime:".Length..] ?? "roughtime.cloudflare.com:2003";
// For now, fallback to local with indication of intended source
var anchorTime = DateTimeOffset.UtcNow;
var anchorData = new RoughtimeAnchorData
{
Timestamp = anchorTime,
Server = serverUrl,
Midpoint = anchorTime.ToUnixTimeSeconds(),
Radius = 1000000, // 1 second radius in microseconds
Nonce = Guid.NewGuid().ToString("N"),
MerkleRoot = request.MerkleRoot
};
var anchorJson = JsonSerializer.Serialize(anchorData, JsonOptions);
var anchorBytes = Encoding.UTF8.GetBytes(anchorJson);
var tokenDigest = $"sha256:{Convert.ToHexString(SHA256.HashData(anchorBytes)).ToLowerInvariant()}";
await Task.CompletedTask;
return new TimeAnchorResult
{
Success = true,
Content = new TimeAnchorContent
{
AnchorTime = anchorTime,
Source = $"roughtime:{serverUrl}",
TokenDigest = tokenDigest
},
TokenBytes = anchorBytes,
Warning = "Roughtime client not implemented; using simulated response"
};
}
private static async Task<TimeAnchorResult> CreateRfc3161AnchorAsync(
TimeAnchorRequest request,
CancellationToken cancellationToken)
{
// RFC 3161 is the Internet X.509 PKI Time-Stamp Protocol (TSP)
// This is a placeholder implementation - full implementation would use a TSA client
var tsaUrl = request.Source?["rfc3161:".Length..] ?? "http://timestamp.digicert.com";
var anchorTime = DateTimeOffset.UtcNow;
var anchorData = new Rfc3161AnchorData
{
Timestamp = anchorTime,
TsaUrl = tsaUrl,
SerialNumber = Guid.NewGuid().ToString("N"),
PolicyOid = "2.16.840.1.114412.2.1", // DigiCert timestamp policy
MerkleRoot = request.MerkleRoot
};
var anchorJson = JsonSerializer.Serialize(anchorData, JsonOptions);
var anchorBytes = Encoding.UTF8.GetBytes(anchorJson);
var tokenDigest = $"sha256:{Convert.ToHexString(SHA256.HashData(anchorBytes)).ToLowerInvariant()}";
await Task.CompletedTask;
return new TimeAnchorResult
{
Success = true,
Content = new TimeAnchorContent
{
AnchorTime = anchorTime,
Source = $"rfc3161:{tsaUrl}",
TokenDigest = tokenDigest
},
TokenBytes = anchorBytes,
Warning = "RFC 3161 TSA client not implemented; using simulated response"
};
}
private sealed record LocalAnchorData
{
public required DateTimeOffset Timestamp { get; init; }
public required string Nonce { get; init; }
public string? MerkleRoot { get; init; }
}
private sealed record RoughtimeAnchorData
{
public required DateTimeOffset Timestamp { get; init; }
public required string Server { get; init; }
public required long Midpoint { get; init; }
public required long Radius { get; init; }
public required string Nonce { get; init; }
public string? MerkleRoot { get; init; }
}
private sealed record Rfc3161AnchorData
{
public required DateTimeOffset Timestamp { get; init; }
public required string TsaUrl { get; init; }
public required string SerialNumber { get; init; }
public required string PolicyOid { get; init; }
public string? MerkleRoot { get; init; }
}
}
/// <summary>
/// Interface for time anchor operations.
/// </summary>
public interface ITimeAnchorService
{
Task<TimeAnchorResult> CreateAnchorAsync(
TimeAnchorRequest request,
CancellationToken cancellationToken = default);
Task<TimeAnchorValidationResult> ValidateAnchorAsync(
TimeAnchorContent anchor,
TimeAnchorValidationRequest request,
CancellationToken cancellationToken = default);
}
#region Request and Result Models
/// <summary>
/// Request for creating a time anchor.
/// </summary>
public sealed record TimeAnchorRequest
{
/// <summary>
/// Time anchor source: "local", "roughtime:<server>", or "rfc3161:<tsa-url>"
/// </summary>
public string? Source { get; init; }
/// <summary>
/// Merkle root to bind to the time anchor (optional).
/// </summary>
public string? MerkleRoot { get; init; }
}
/// <summary>
/// Result of creating a time anchor.
/// </summary>
public sealed record TimeAnchorResult
{
public bool Success { get; init; }
public TimeAnchorContent? Content { get; init; }
public byte[]? TokenBytes { get; init; }
public string? Warning { get; init; }
public string? Error { get; init; }
public static TimeAnchorResult Failed(string error) => new()
{
Success = false,
Error = error
};
}
/// <summary>
/// Request for validating a time anchor.
/// </summary>
public sealed record TimeAnchorValidationRequest
{
/// <summary>
/// Maximum age in hours.
/// </summary>
public int? MaxAgeHours { get; init; }
/// <summary>
/// Maximum clock drift in seconds.
/// </summary>
public int? MaxClockDriftSeconds { get; init; }
/// <summary>
/// Expected token digest for validation.
/// </summary>
public string? ExpectedTokenDigest { get; init; }
}
/// <summary>
/// Result of validating a time anchor.
/// </summary>
public sealed record TimeAnchorValidationResult
{
public bool IsValid { get; init; }
public DateTimeOffset? AnchorTime { get; init; }
public string? Source { get; init; }
public double? AgeHours { get; init; }
public string? Error { get; init; }
}
#endregion