Implement VEX document verification system with issuer management and signature verification
- Added IIssuerDirectory interface for managing VEX document issuers, including methods for registration, revocation, and trust validation.
- Created InMemoryIssuerDirectory class as an in-memory implementation of IIssuerDirectory for testing and single-instance deployments.
- Introduced ISignatureVerifier interface for verifying signatures on VEX documents, with support for multiple signature formats.
- Developed SignatureVerifier class as the default implementation of ISignatureVerifier, allowing extensibility for different signature formats.
- Implemented handlers for DSSE and JWS signature formats, including methods for verification and signature extraction.
- Defined various records and enums for issuer and signature metadata, enhancing the structure and clarity of the verification process.
@@ -0,0 +1,52 @@
|
||||
namespace StellaOps.Policy.Engine.AirGap;
|
||||
|
||||
/// <summary>
|
||||
/// Service for managing sealed-mode operations for policy packs per CONTRACT-SEALED-MODE-004.
|
||||
/// </summary>
|
||||
public interface ISealedModeService
|
||||
{
|
||||
/// <summary>
|
||||
/// Gets whether the environment is currently sealed.
|
||||
/// </summary>
|
||||
bool IsSealed { get; }
|
||||
|
||||
/// <summary>
|
||||
/// Gets the current sealed state for a tenant.
|
||||
/// </summary>
|
||||
Task<PolicyPackSealedState> GetStateAsync(string tenantId, CancellationToken cancellationToken = default);
|
||||
|
||||
/// <summary>
|
||||
/// Gets the sealed status with staleness evaluation.
|
||||
/// </summary>
|
||||
Task<SealedStatusResponse> GetStatusAsync(string tenantId, CancellationToken cancellationToken = default);
|
||||
|
||||
/// <summary>
|
||||
/// Seals the environment for a tenant.
|
||||
/// </summary>
|
||||
Task<SealResponse> SealAsync(string tenantId, SealRequest request, CancellationToken cancellationToken = default);
|
||||
|
||||
/// <summary>
|
||||
/// Unseals the environment for a tenant.
|
||||
/// </summary>
|
||||
Task<SealResponse> UnsealAsync(string tenantId, CancellationToken cancellationToken = default);
|
||||
|
||||
/// <summary>
|
||||
/// Evaluates staleness for the current time anchor.
|
||||
/// </summary>
|
||||
Task<StalenessEvaluation?> EvaluateStalenessAsync(string tenantId, CancellationToken cancellationToken = default);
|
||||
|
||||
/// <summary>
|
||||
/// Enforces sealed-mode constraints for bundle import operations.
|
||||
/// </summary>
|
||||
Task<SealedModeEnforcementResult> EnforceBundleImportAsync(
|
||||
string tenantId,
|
||||
string bundlePath,
|
||||
CancellationToken cancellationToken = default);
|
||||
|
||||
/// <summary>
|
||||
/// Verifies a bundle against trust roots.
|
||||
/// </summary>
|
||||
Task<BundleVerifyResponse> VerifyBundleAsync(
|
||||
BundleVerifyRequest request,
|
||||
CancellationToken cancellationToken = default);
|
||||
}
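Review bot: `UnsealAsync(string tenantId, ...)` takes no request object while `SealAsync` takes a `SealRequest`, so the transition that relaxes the air-gap is the one with no caller-supplied context at the interface level. If `SealRequest` carries actor or reason fields (its definition is not in this hunk), consider a matching request parameter on `UnsealAsync` so implementations can authorize and audit the unseal. Separately, `IsSealed` is tenant-less while every other state member is keyed by `tenantId`; its summary should say which scope it reports and whether enforcement consults it or the per-tenant state, along the lines of `/// Gets whether the environment as a whole is sealed; per-tenant state comes from GetStateAsync.` if that is the intent. The summary on `EvaluateStalenessAsync` should also state what a null `StalenessEvaluation?` means, so callers do not read a missing time anchor as "fresh".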
|
||||