stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

license switch agpl -> busl1, sprints work, new product advisories

Browse Source
This commit is contained in:
master
2026-01-20 15:32:20 +02:00
parent 4903395618
commit c32fff8f86
1835 changed files with 38630 additions and 4359 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Models/BundleFormatV2.cs
View File

@@ -19,13 +19,29 @@ public sealed record BundleManifestV2
[JsonPropertyName("schemaVersion")]
public string SchemaVersion { get; init; } = "2.0.0";
/// <summary>Canonical manifest hash (sha256 over canonical JSON).</summary>
[JsonPropertyName("canonicalManifestHash")]
public string? CanonicalManifestHash { get; init; }
/// <summary>Subject digests for the bundle target.</summary>
[JsonPropertyName("subject")]
public BundleSubject? Subject { get; init; }
/// <summary>Timestamp entries for offline verification.</summary>
[JsonPropertyName("timestamps")]
public ImmutableArray<TimestampEntry> Timestamps { get; init; } = [];
/// <summary>Rekor proof entries for offline verification.</summary>
[JsonPropertyName("rekorProofs")]
public ImmutableArray<RekorProofEntry> RekorProofs { get; init; } = [];
/// <summary>Bundle information.</summary>
[JsonPropertyName("bundle")]
public required BundleInfoV2 Bundle { get; init; }
/// <summary>Verification configuration.</summary>
[JsonPropertyName("verify")]
public BundleVerifySection? Verify { get; init; }
public BundleVerifySectionV2? Verify { get; init; }
/// <summary>Bundle metadata.</summary>
[JsonPropertyName("metadata")]
@@ -47,7 +63,7 @@ public sealed record BundleInfoV2
/// <summary>Bundle artifacts.</summary>
[JsonPropertyName("artifacts")]
public required ImmutableArray<BundleArtifact> Artifacts { get; init; }
public required ImmutableArray<BundleArtifactV2> Artifacts { get; init; }
/// <summary>OCI referrer manifest.</summary>
[JsonPropertyName("referrers")]
@@ -57,7 +73,7 @@ public sealed record BundleInfoV2
/// <summary>
/// Bundle artifact entry.
/// </summary>
public sealed record BundleArtifact
public sealed record BundleArtifactV2
{
/// <summary>Path within bundle.</summary>
[JsonPropertyName("path")]
@@ -130,7 +146,7 @@ public enum BundleArtifactType
/// <summary>
/// Bundle verification section.
/// </summary>
public sealed record BundleVerifySection
public sealed record BundleVerifySectionV2
{
/// <summary>Trusted signing keys.</summary>
[JsonPropertyName("keys")]

20
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Models/BundleManifest.cs
View File

@@ -44,6 +44,26 @@ public sealed record BundleManifest
/// Verification section with keys and expectations.
/// </summary>
public BundleVerifySection? Verify { get; init; }
/// <summary>
/// Canonical manifest hash (sha256 over canonical JSON).
/// </summary>
public string? CanonicalManifestHash { get; init; }
/// <summary>
/// Subject digests for the bundle target.
/// </summary>
public BundleSubject? Subject { get; init; }
/// <summary>
/// Timestamp entries for offline verification.
/// </summary>
public ImmutableArray<TimestampEntry> Timestamps { get; init; } = [];
/// <summary>
/// Rekor proof entries for offline verification.
/// </summary>
public ImmutableArray<RekorProofEntry> RekorProofs { get; init; } = [];
}
/// <summary>

17
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Models/BundleSubject.cs Normal file
View File

@@ -0,0 +1,17 @@
using System.Text.Json.Serialization;
namespace StellaOps.AirGap.Bundle.Models;
/// <summary>
/// Subject digests for the bundle target.
/// </summary>
public sealed record BundleSubject
{
/// <summary>SHA-256 digest for the subject.</summary>
[JsonPropertyName("sha256")]
public required string Sha256 { get; init; }
/// <summary>Optional SHA-512 digest for the subject.</summary>
[JsonPropertyName("sha512")]
public string? Sha512 { get; init; }
}

21
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Models/RekorProofEntry.cs Normal file
View File

@@ -0,0 +1,21 @@
using System.Text.Json.Serialization;
namespace StellaOps.AirGap.Bundle.Models;
/// <summary>
/// Rekor inclusion proof metadata for offline verification.
/// </summary>
public sealed record RekorProofEntry
{
[JsonPropertyName("entryBodyPath")]
public required string EntryBodyPath { get; init; }
[JsonPropertyName("leafHash")]
public required string LeafHash { get; init; }
[JsonPropertyName("inclusionProofPath")]
public required string InclusionProofPath { get; init; }
[JsonPropertyName("signedEntryTimestamp")]
public required string SignedEntryTimestamp { get; init; }
}

36
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Models/TimestampEntry.cs Normal file
View File

@@ -0,0 +1,36 @@
using System.Collections.Immutable;
using System.Text.Json.Serialization;
namespace StellaOps.AirGap.Bundle.Models;
/// <summary>
/// Timestamp entry with a type discriminator for offline verification bundles.
/// </summary>
public abstract record TimestampEntry;
/// <summary>
/// RFC3161 timestamp entry with bundled TSA verification materials.
/// </summary>
public sealed record Rfc3161TimestampEntry : TimestampEntry
{
[JsonPropertyName("tsaChainPaths")]
public ImmutableArray<string> TsaChainPaths { get; init; } = [];
[JsonPropertyName("ocspBlobs")]
public ImmutableArray<string> OcspBlobs { get; init; } = [];
[JsonPropertyName("crlBlobs")]
public ImmutableArray<string> CrlBlobs { get; init; } = [];
[JsonPropertyName("tstBase64")]
public required string TstBase64 { get; init; }
}
/// <summary>
/// eIDAS Qualified Timestamp entry metadata.
/// </summary>
public sealed record EidasQtsTimestampEntry : TimestampEntry
{
[JsonPropertyName("qtsMetaPath")]
public required string QtsMetaPath { get; init; }
}

81
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Schemas/bundle-manifest.schema.json
View File

@@ -28,7 +28,14 @@
"rekorSnapshot": { "$ref": "#/$defs/rekorSnapshot" },
"cryptoProviders": { "type": "array", "items": { "$ref": "#/$defs/cryptoProvider" } },
"totalSizeBytes": { "type": "integer" },
"bundleDigest": { "type": ["string", "null"] }
"bundleDigest": { "type": ["string", "null"] },
"canonicalManifestHash": { "type": ["string", "null"] },
"subject": { "$ref": "#/$defs/subject" },
"image": { "type": ["string", "null"] },
"artifacts": { "type": "array", "items": { "$ref": "#/$defs/artifact" } },
"verify": { "$ref": "#/$defs/verify" },
"timestamps": { "type": "array", "items": { "$ref": "#/$defs/timestampEntry" } },
"rekorProofs": { "type": "array", "items": { "$ref": "#/$defs/rekorProof" } }
},
"$defs": {
"feed": {
@@ -107,6 +114,78 @@
"sizeBytes": { "type": "integer" },
"supportedAlgorithms": { "type": "array", "items": { "type": "string" } }
}
},
"artifact": {
"type": "object",
"properties": {
"path": { "type": "string" },
"type": { "type": "string" },
"contentType": { "type": ["string", "null"] },
"digest": { "type": ["string", "null"] },
"sizeBytes": { "type": ["integer", "null"] }
}
},
"verify": {
"type": ["object", "null"],
"properties": {
"keys": { "type": "array", "items": { "type": "string" } },
"expectations": { "$ref": "#/$defs/verifyExpectations" },
"trustRoot": { "type": ["string", "null"] },
"rekorCheckpointPath": { "type": ["string", "null"] }
}
},
"verifyExpectations": {
"type": ["object", "null"],
"properties": {
"payloadTypes": { "type": "array", "items": { "type": "string" } },
"rekorRequired": { "type": "boolean" },
"minSignatures": { "type": "integer" },
"requiredArtifacts": { "type": "array", "items": { "type": "string" } },
"verifyChecksums": { "type": "boolean" }
}
},
"subject": {
"type": ["object", "null"],
"required": ["sha256"],
"properties": {
"sha256": { "type": "string" },
"sha512": { "type": ["string", "null"] }
}
},
"rekorProof": {
"type": "object",
"required": ["entryBodyPath", "leafHash", "inclusionProofPath", "signedEntryTimestamp"],
"properties": {
"entryBodyPath": { "type": "string" },
"leafHash": { "type": "string" },
"inclusionProofPath": { "type": "string" },
"signedEntryTimestamp": { "type": "string" }
}
},
"timestampEntry": {
"oneOf": [
{ "$ref": "#/$defs/rfc3161Timestamp" },
{ "$ref": "#/$defs/eidasQtsTimestamp" }
]
},
"rfc3161Timestamp": {
"type": "object",
"required": ["type", "tstBase64"],
"properties": {
"type": { "const": "rfc3161" },
"tsaChainPaths": { "type": "array", "items": { "type": "string" } },
"ocspBlobs": { "type": "array", "items": { "type": "string" } },
"crlBlobs": { "type": "array", "items": { "type": "string" } },
"tstBase64": { "type": "string" }
}
},
"eidasQtsTimestamp": {
"type": "object",
"required": ["type", "qtsMetaPath"],
"properties": {
"type": { "const": "eidas-qts" },
"qtsMetaPath": { "type": "string" }
}
}
}
}

21
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Serialization/BundleManifestSerializer.cs
View File

@@ -18,7 +18,11 @@ public static class BundleManifestSerializer
WriteIndented = false,
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping
Encoder = JavaScriptEncoder.UnsafeRelaxedJsonEscaping,
Converters =
{
new TimestampEntryJsonConverter()
}
};
public static string Serialize(BundleManifest manifest)
@@ -36,12 +40,23 @@ public static class BundleManifestSerializer
public static string ComputeDigest(BundleManifest manifest)
{
var withoutDigest = manifest with { BundleDigest = null };
var withoutDigest = manifest with
{
BundleDigest = null,
CanonicalManifestHash = null
};
var json = Serialize(withoutDigest);
var hash = SHA256.HashData(Encoding.UTF8.GetBytes(json));
return Convert.ToHexString(hash).ToLowerInvariant();
}
public static BundleManifest WithDigest(BundleManifest manifest)
=> manifest with { BundleDigest = ComputeDigest(manifest) };
{
var digest = ComputeDigest(manifest);
return manifest with
{
BundleDigest = digest,
CanonicalManifestHash = digest
};
}
}

65
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Serialization/TimestampEntryJsonConverter.cs Normal file
View File

@@ -0,0 +1,65 @@
using System.Text.Json;
using System.Text.Json.Serialization;
using StellaOps.AirGap.Bundle.Models;
namespace StellaOps.AirGap.Bundle.Serialization;
/// <summary>
/// JSON converter for timestamp entries with explicit type discriminators.
/// </summary>
public sealed class TimestampEntryJsonConverter : JsonConverter<TimestampEntry>
{
public override TimestampEntry Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
{
using var document = JsonDocument.ParseValue(ref reader);
if (!document.RootElement.TryGetProperty("type", out var typeProperty))
{
throw new NotSupportedException("Timestamp entry is missing a type discriminator.");
}
var type = typeProperty.GetString();
return type switch
{
"rfc3161" => JsonSerializer.Deserialize<Rfc3161TimestampEntry>(document.RootElement.GetRawText(), options)
?? throw new JsonException("Failed to deserialize RFC3161 timestamp entry."),
"eidas-qts" => JsonSerializer.Deserialize<EidasQtsTimestampEntry>(document.RootElement.GetRawText(), options)
?? throw new JsonException("Failed to deserialize eIDAS QTS timestamp entry."),
_ => throw new NotSupportedException($"Unsupported timestamp entry type '{type}'.")
};
}
public override void Write(Utf8JsonWriter writer, TimestampEntry value, JsonSerializerOptions options)
{
switch (value)
{
case Rfc3161TimestampEntry rfc3161:
writer.WriteStartObject();
writer.WriteString("type", "rfc3161");
WriteStringArray(writer, "tsaChainPaths", rfc3161.TsaChainPaths);
WriteStringArray(writer, "ocspBlobs", rfc3161.OcspBlobs);
WriteStringArray(writer, "crlBlobs", rfc3161.CrlBlobs);
writer.WriteString("tstBase64", rfc3161.TstBase64);
writer.WriteEndObject();
break;
case EidasQtsTimestampEntry eidas:
writer.WriteStartObject();
writer.WriteString("type", "eidas-qts");
writer.WriteString("qtsMetaPath", eidas.QtsMetaPath);
writer.WriteEndObject();
break;
default:
throw new NotSupportedException($"Unsupported timestamp entry type '{value.GetType().Name}'.");
}
}
private static void WriteStringArray(Utf8JsonWriter writer, string name, IReadOnlyCollection<string> values)
{
writer.WritePropertyName(name);
writer.WriteStartArray();
foreach (var value in values)
{
writer.WriteStringValue(value);
}
writer.WriteEndArray();
}
}

177
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Services/BundleBuilder.cs
View File

@@ -10,15 +10,31 @@ public sealed class BundleBuilder : IBundleBuilder
{
private readonly TimeProvider _timeProvider;
private readonly IGuidProvider _guidProvider;
private readonly ITsaChainBundler _tsaChainBundler;
private readonly IOcspResponseFetcher _ocspFetcher;
private readonly ICrlFetcher _crlFetcher;
public BundleBuilder() : this(TimeProvider.System, SystemGuidProvider.Instance)
public BundleBuilder() : this(
TimeProvider.System,
SystemGuidProvider.Instance,
null,
null,
null)
{
}
public BundleBuilder(TimeProvider timeProvider, IGuidProvider guidProvider)
public BundleBuilder(
TimeProvider timeProvider,
IGuidProvider guidProvider,
ITsaChainBundler? tsaChainBundler,
IOcspResponseFetcher? ocspFetcher,
ICrlFetcher? crlFetcher)
{
_timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
_guidProvider = guidProvider ?? throw new ArgumentNullException(nameof(guidProvider));
_tsaChainBundler = tsaChainBundler ?? new TsaChainBundler();
_ocspFetcher = ocspFetcher ?? new OcspResponseFetcher();
_crlFetcher = crlFetcher ?? new CrlFetcher();
}
public async Task<BundleManifest> BuildAsync(
@@ -135,10 +151,44 @@ public sealed class BundleBuilder : IBundleBuilder
files.ToImmutableArray()));
}
var timestamps = new List<TimestampEntry>();
long timestampSizeBytes = 0;
var timestampConfigs = request.Timestamps ?? Array.Empty<TimestampBuildConfig>();
foreach (var timestampConfig in timestampConfigs)
{
switch (timestampConfig)
{
case Rfc3161TimestampBuildConfig rfc3161:
var (rfcEntry, rfcSizeBytes) = await BuildRfc3161TimestampAsync(
rfc3161,
outputPath,
ct).ConfigureAwait(false);
timestamps.Add(rfcEntry);
timestampSizeBytes += rfcSizeBytes;
break;
case EidasQtsTimestampBuildConfig eidas:
var qtsComponent = await CopyTimestampFileAsync(
eidas.SourcePath,
eidas.RelativePath,
outputPath,
ct).ConfigureAwait(false);
timestamps.Add(new EidasQtsTimestampEntry
{
QtsMetaPath = qtsComponent.RelativePath
});
timestampSizeBytes += qtsComponent.SizeBytes;
break;
default:
throw new NotSupportedException(
$"Unsupported timestamp build config type '{timestampConfig.GetType().Name}'.");
}
}
var totalSize = feeds.Sum(f => f.SizeBytes) +
policies.Sum(p => p.SizeBytes) +
cryptoMaterials.Sum(c => c.SizeBytes) +
ruleBundles.Sum(r => r.SizeBytes);
ruleBundles.Sum(r => r.SizeBytes) +
timestampSizeBytes;
var manifest = new BundleManifest
{
@@ -152,6 +202,7 @@ public sealed class BundleBuilder : IBundleBuilder
Policies = policies.ToImmutableArray(),
CryptoMaterials = cryptoMaterials.ToImmutableArray(),
RuleBundles = ruleBundles.ToImmutableArray(),
Timestamps = timestamps.ToImmutableArray(),
TotalSizeBytes = totalSize
};
@@ -180,7 +231,116 @@ public sealed class BundleBuilder : IBundleBuilder
return new CopiedComponent(source.RelativePath, digest, info.Length);
}
private async Task<(Rfc3161TimestampEntry Entry, long SizeBytes)> BuildRfc3161TimestampAsync(
Rfc3161TimestampBuildConfig config,
string outputPath,
CancellationToken ct)
{
if (config.TimeStampToken is not { Length: > 0 })
{
throw new ArgumentException("RFC3161 timestamp token is required.", nameof(config));
}
var tokenHash = SHA256.HashData(config.TimeStampToken);
var tokenPrefix = Convert.ToHexString(tokenHash).ToLowerInvariant()[..12];
var chainResult = await _tsaChainBundler.BundleAsync(
config.TimeStampToken,
outputPath,
tokenPrefix,
ct).ConfigureAwait(false);
var ocspBlobs = await _ocspFetcher.FetchAsync(chainResult.Certificates, ct).ConfigureAwait(false);
var (ocspPaths, ocspSizeBytes) = await WriteRevocationBlobsAsync(
"tsa/ocsp",
"der",
tokenPrefix,
ocspBlobs,
outputPath,
ct).ConfigureAwait(false);
var crlBlobs = await _crlFetcher.FetchAsync(chainResult.Certificates, ct).ConfigureAwait(false);
var (crlPaths, crlSizeBytes) = await WriteRevocationBlobsAsync(
"tsa/crl",
"crl",
tokenPrefix,
crlBlobs,
outputPath,
ct).ConfigureAwait(false);
var entry = new Rfc3161TimestampEntry
{
TsaChainPaths = chainResult.ChainPaths,
OcspBlobs = ocspPaths,
CrlBlobs = crlPaths,
TstBase64 = Convert.ToBase64String(config.TimeStampToken)
};
return (entry, chainResult.TotalSizeBytes + ocspSizeBytes + crlSizeBytes);
}
private static async Task<(ImmutableArray<string> Paths, long SizeBytes)> WriteRevocationBlobsAsync(
string baseDir,
string extension,
string prefix,
IReadOnlyList<TsaRevocationBlob> blobs,
string outputPath,
CancellationToken ct)
{
if (blobs.Count == 0)
{
return ([], 0);
}
var paths = new List<string>(blobs.Count);
long totalSize = 0;
foreach (var blob in blobs
.OrderBy(b => b.CertificateIndex)
.ThenBy(b => ComputeShortHash(blob.Data), StringComparer.Ordinal))
{
var hash = ComputeShortHash(blob.Data);
var fileName = $"{prefix}-{blob.CertificateIndex:D2}-{hash}.{extension}";
var relativePath = $"{baseDir}/{fileName}";
var targetPath = PathValidation.SafeCombine(outputPath, relativePath);
Directory.CreateDirectory(Path.GetDirectoryName(targetPath) ?? outputPath);
await File.WriteAllBytesAsync(targetPath, blob.Data, ct).ConfigureAwait(false);
totalSize += blob.Data.Length;
paths.Add(relativePath);
}
return (paths.ToImmutableArray(), totalSize);
}
private static string ComputeShortHash(byte[] data)
{
var hash = SHA256.HashData(data);
return Convert.ToHexString(hash).ToLowerInvariant()[..16];
}
private static async Task<CopiedTimestampComponent> CopyTimestampFileAsync(
string sourcePath,
string relativePath,
string outputPath,
CancellationToken ct)
{
var targetPath = PathValidation.SafeCombine(outputPath, relativePath);
Directory.CreateDirectory(Path.GetDirectoryName(targetPath) ?? outputPath);
await using (var input = File.OpenRead(sourcePath))
await using (var output = File.Create(targetPath))
{
await input.CopyToAsync(output, ct).ConfigureAwait(false);
}
var info = new FileInfo(targetPath);
return new CopiedTimestampComponent(relativePath, info.Length);
}
private sealed record CopiedComponent(string RelativePath, string Digest, long SizeBytes);
private sealed record CopiedTimestampComponent(string RelativePath, long SizeBytes);
}
public interface IBundleBuilder
@@ -195,7 +355,8 @@ public sealed record BundleBuildRequest(
IReadOnlyList<FeedBuildConfig> Feeds,
IReadOnlyList<PolicyBuildConfig> Policies,
IReadOnlyList<CryptoBuildConfig> CryptoMaterials,
IReadOnlyList<RuleBundleBuildConfig> RuleBundles);
IReadOnlyList<RuleBundleBuildConfig> RuleBundles,
IReadOnlyList<TimestampBuildConfig>? Timestamps = null);
public abstract record BundleComponentSource(string SourcePath, string RelativePath);
@@ -227,6 +388,14 @@ public sealed record CryptoBuildConfig(
DateTimeOffset? ExpiresAt)
: BundleComponentSource(SourcePath, RelativePath);
public abstract record TimestampBuildConfig;
public sealed record Rfc3161TimestampBuildConfig(byte[] TimeStampToken)
: TimestampBuildConfig;
public sealed record EidasQtsTimestampBuildConfig(string SourcePath, string RelativePath)
: TimestampBuildConfig;
/// <summary>
/// Configuration for building a rule bundle component.
/// </summary>

160
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Services/CrlFetcher.cs Normal file
View File

@@ -0,0 +1,160 @@
using System.Formats.Asn1;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
namespace StellaOps.AirGap.Bundle.Services;
public interface ICrlFetcher
{
Task<IReadOnlyList<TsaRevocationBlob>> FetchAsync(
IReadOnlyList<X509Certificate2> certificateChain,
CancellationToken ct = default);
}
public sealed class CrlFetcher : ICrlFetcher
{
private static readonly HttpClient DefaultClient = new();
private readonly Func<Uri, CancellationToken, Task<byte[]?>>? _fetcher;
private readonly Dictionary<string, byte[]> _cache = new(StringComparer.Ordinal);
public CrlFetcher(Func<Uri, CancellationToken, Task<byte[]?>>? fetcher = null)
{
_fetcher = fetcher;
}
public static CrlFetcher CreateNetworked(HttpClient? client = null)
{
client ??= DefaultClient;
return new CrlFetcher(async (uri, ct) =>
{
using var response = await client.GetAsync(uri, ct).ConfigureAwait(false);
if (!response.IsSuccessStatusCode)
{
return null;
}
return await response.Content.ReadAsByteArrayAsync(ct).ConfigureAwait(false);
});
}
public async Task<IReadOnlyList<TsaRevocationBlob>> FetchAsync(
IReadOnlyList<X509Certificate2> certificateChain,
CancellationToken ct = default)
{
if (certificateChain.Count == 0 || _fetcher is null)
{
return Array.Empty<TsaRevocationBlob>();
}
var results = new List<TsaRevocationBlob>();
for (var i = 0; i < certificateChain.Count; i++)
{
var cert = certificateChain[i];
var crlUris = ExtractCrlUris(cert);
foreach (var uri in crlUris.OrderBy(u => u.ToString(), StringComparer.Ordinal))
{
var data = await FetchCachedAsync(uri, ct).ConfigureAwait(false);
if (data is { Length: > 0 })
{
results.Add(new TsaRevocationBlob(i, data, uri.ToString()));
break;
}
}
}
return results;
}
private async Task<byte[]?> FetchCachedAsync(Uri uri, CancellationToken ct)
{
var key = uri.ToString();
if (_cache.TryGetValue(key, out var cached))
{
return cached;
}
var data = await _fetcher!(uri, ct).ConfigureAwait(false);
if (data is { Length: > 0 })
{
_cache[key] = data;
}
return data;
}
private static IReadOnlyList<Uri> ExtractCrlUris(X509Certificate2 certificate)
{
try
{
var ext = certificate.Extensions.Cast<X509Extension>()
.FirstOrDefault(e => e.Oid?.Value == "2.5.29.31");
if (ext is null)
{
return Array.Empty<Uri>();
}
var reader = new AsnReader(ext.RawData, AsnEncodingRules.DER);
var bytes = reader.ReadOctetString();
var dpReader = new AsnReader(bytes, AsnEncodingRules.DER);
var sequence = dpReader.ReadSequence();
var uris = new List<Uri>();
while (sequence.HasData)
{
var distributionPoint = sequence.ReadSequence();
if (!distributionPoint.HasData)
{
continue;
}
var tag = distributionPoint.PeekTag();
if (tag.TagClass == TagClass.ContextSpecific && tag.TagValue == 0)
{
var dpName = distributionPoint.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0));
if (dpName.HasData)
{
var nameTag = dpName.PeekTag();
if (nameTag.TagClass == TagClass.ContextSpecific && nameTag.TagValue == 0)
{
var fullName = dpName.ReadSequence(new Asn1Tag(TagClass.ContextSpecific, 0));
if (fullName.HasData)
{
var names = fullName.ReadSequence();
while (names.HasData)
{
var nameTagValue = names.PeekTag();
if (nameTagValue.TagClass == TagClass.ContextSpecific &&
nameTagValue.TagValue == 6)
{
var uriValue = names.ReadCharacterString(
UniversalTagNumber.IA5String,
new Asn1Tag(TagClass.ContextSpecific, 6));
if (Uri.TryCreate(uriValue, UriKind.Absolute, out var uri))
{
uris.Add(uri);
}
}
else
{
names.ReadEncodedValue();
}
}
}
}
}
}
while (distributionPoint.HasData)
{
distributionPoint.ReadEncodedValue();
}
}
return uris;
}
catch
{
return Array.Empty<Uri>();
}
}
}

138
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Services/OcspResponseFetcher.cs Normal file
View File

@@ -0,0 +1,138 @@
using System.Formats.Asn1;
using System.Security.Cryptography.X509Certificates;
using System.Net.Http;
namespace StellaOps.AirGap.Bundle.Services;
public interface IOcspResponseFetcher
{
Task<IReadOnlyList<TsaRevocationBlob>> FetchAsync(
IReadOnlyList<X509Certificate2> certificateChain,
CancellationToken ct = default);
}
public sealed class OcspResponseFetcher : IOcspResponseFetcher
{
private static readonly HttpClient DefaultClient = new();
private readonly Func<Uri, CancellationToken, Task<byte[]?>>? _fetcher;
private readonly Dictionary<string, byte[]> _cache = new(StringComparer.Ordinal);
public OcspResponseFetcher(Func<Uri, CancellationToken, Task<byte[]?>>? fetcher = null)
{
_fetcher = fetcher;
}
public static OcspResponseFetcher CreateNetworked(HttpClient? client = null)
{
client ??= DefaultClient;
return new OcspResponseFetcher(async (uri, ct) =>
{
using var response = await client.GetAsync(uri, ct).ConfigureAwait(false);
if (!response.IsSuccessStatusCode)
{
return null;
}
return await response.Content.ReadAsByteArrayAsync(ct).ConfigureAwait(false);
});
}
public async Task<IReadOnlyList<TsaRevocationBlob>> FetchAsync(
IReadOnlyList<X509Certificate2> certificateChain,
CancellationToken ct = default)
{
if (certificateChain.Count == 0 || _fetcher is null)
{
return Array.Empty<TsaRevocationBlob>();
}
var results = new List<TsaRevocationBlob>();
for (var i = 0; i < certificateChain.Count; i++)
{
var cert = certificateChain[i];
var ocspUris = ExtractOcspUris(cert);
foreach (var uri in ocspUris.OrderBy(u => u.ToString(), StringComparer.Ordinal))
{
var data = await FetchCachedAsync(uri, ct).ConfigureAwait(false);
if (data is { Length: > 0 })
{
results.Add(new TsaRevocationBlob(i, data, uri.ToString()));
break;
}
}
}
return results;
}
private async Task<byte[]?> FetchCachedAsync(Uri uri, CancellationToken ct)
{
var key = uri.ToString();
if (_cache.TryGetValue(key, out var cached))
{
return cached;
}
var data = await _fetcher!(uri, ct).ConfigureAwait(false);
if (data is { Length: > 0 })
{
_cache[key] = data;
}
return data;
}
private static IReadOnlyList<Uri> ExtractOcspUris(X509Certificate2 certificate)
{
try
{
var ext = certificate.Extensions.Cast<X509Extension>()
.FirstOrDefault(e => e.Oid?.Value == "1.3.6.1.5.5.7.1.1");
if (ext is null)
{
return Array.Empty<Uri>();
}
var reader = new AsnReader(ext.RawData, AsnEncodingRules.DER);
var bytes = reader.ReadOctetString();
var aiaReader = new AsnReader(bytes, AsnEncodingRules.DER);
var sequence = aiaReader.ReadSequence();
var uris = new List<Uri>();
while (sequence.HasData)
{
var accessDescription = sequence.ReadSequence();
var accessMethod = accessDescription.ReadObjectIdentifier();
if (!accessDescription.HasData)
{
continue;
}
var tag = accessDescription.PeekTag();
if (accessMethod == "1.3.6.1.5.5.7.48.1" &&
tag.TagClass == TagClass.ContextSpecific &&
tag.TagValue == 6)
{
var uriValue = accessDescription.ReadCharacterString(
UniversalTagNumber.IA5String,
new Asn1Tag(TagClass.ContextSpecific, 6));
if (Uri.TryCreate(uriValue, UriKind.Absolute, out var uri))
{
uris.Add(uri);
}
}
else
{
accessDescription.ReadEncodedValue();
}
}
return uris;
}
catch
{
return Array.Empty<Uri>();
}
}
}

265
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Services/TsaChainBundler.cs Normal file
View File

@@ -0,0 +1,265 @@
using System.Collections.Immutable;
using System.Formats.Asn1;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;
namespace StellaOps.AirGap.Bundle.Services;
public interface ITsaChainBundler
{
Task<TsaChainBundleResult> BundleAsync(
ReadOnlyMemory<byte> timeStampToken,
string outputPath,
string? filePrefix = null,
CancellationToken ct = default);
}
public sealed class TsaChainBundler : ITsaChainBundler
{
public async Task<TsaChainBundleResult> BundleAsync(
ReadOnlyMemory<byte> timeStampToken,
string outputPath,
string? filePrefix = null,
CancellationToken ct = default)
{
if (timeStampToken.IsEmpty)
{
throw new ArgumentException("RFC3161 timestamp token is required.", nameof(timeStampToken));
}
var signedCms = new SignedCms();
signedCms.Decode(timeStampToken.ToArray());
if (signedCms.SignerInfos.Count == 0)
{
throw new InvalidOperationException("RFC3161 timestamp token has no signer.");
}
var signerCert = signedCms.SignerInfos[0].Certificate;
if (signerCert is null)
{
throw new InvalidOperationException("RFC3161 timestamp token has no signer certificate.");
}
var certificates = new List<X509Certificate2>(signedCms.Certificates.Cast<X509Certificate2>());
if (!certificates.Any(c => string.Equals(c.Thumbprint, signerCert.Thumbprint, StringComparison.OrdinalIgnoreCase)))
{
certificates.Add(signerCert);
}
var chain = BuildChain(signerCert, certificates);
if (chain.Count == 0)
{
throw new InvalidOperationException("RFC3161 timestamp token contains no usable certificate chain.");
}
filePrefix ??= ComputePrefix(timeStampToken.Span);
var entries = new List<TsaChainEntry>(chain.Count);
for (var i = 0; i < chain.Count; i++)
{
var cert = chain[i];
var certHash = ComputeShortHash(cert.RawData);
var fileName = $"{filePrefix}-{i:D2}-{certHash}.pem";
var relativePath = $"tsa/chain/{fileName}";
var targetPath = PathValidation.SafeCombine(outputPath, relativePath);
Directory.CreateDirectory(Path.GetDirectoryName(targetPath) ?? outputPath);
await File.WriteAllTextAsync(targetPath, EncodePem(cert.RawData), Encoding.ASCII, ct)
.ConfigureAwait(false);
var info = new FileInfo(targetPath);
entries.Add(new TsaChainEntry(cert, relativePath, info.Length));
}
return new TsaChainBundleResult(
entries.Select(e => e.RelativePath).ToImmutableArray(),
entries.Select(e => e.Certificate).ToImmutableArray(),
entries.Sum(e => e.SizeBytes));
}
private static List<X509Certificate2> BuildChain(
X509Certificate2 leaf,
IReadOnlyList<X509Certificate2> pool)
{
var byThumbprint = new Dictionary<string, X509Certificate2>(StringComparer.OrdinalIgnoreCase);
foreach (var cert in pool)
{
if (!string.IsNullOrWhiteSpace(cert.Thumbprint) && !byThumbprint.ContainsKey(cert.Thumbprint))
{
byThumbprint[cert.Thumbprint] = cert;
}
}
var chain = new List<X509Certificate2>();
var visited = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
var current = leaf;
while (current is not null && !string.IsNullOrWhiteSpace(current.Thumbprint))
{
if (!visited.Add(current.Thumbprint))
{
break;
}
chain.Add(current);
if (IsSelfSigned(current))
{
break;
}
var issuer = FindIssuer(current, byThumbprint.Values);
if (issuer is null)
{
break;
}
current = issuer;
}
return chain;
}
private static X509Certificate2? FindIssuer(
X509Certificate2 certificate,
IEnumerable<X509Certificate2> candidates)
{
var issuerName = certificate.Issuer;
var issuerCandidates = candidates
.Where(c => string.Equals(c.Subject, issuerName, StringComparison.OrdinalIgnoreCase))
.OrderBy(c => c.Thumbprint, StringComparer.OrdinalIgnoreCase)
.ToList();
if (issuerCandidates.Count == 0)
{
return null;
}
if (issuerCandidates.Count == 1)
{
return issuerCandidates[0];
}
var authorityKeyId = TryGetAuthorityKeyIdentifier(certificate);
if (authorityKeyId is null)
{
return issuerCandidates[0];
}
foreach (var candidate in issuerCandidates)
{
var subjectKeyId = TryGetSubjectKeyIdentifier(candidate);
if (subjectKeyId is not null && subjectKeyId.SequenceEqual(authorityKeyId))
{
return candidate;
}
}
return issuerCandidates[0];
}
private static bool IsSelfSigned(X509Certificate2 certificate)
{
if (!string.Equals(certificate.Subject, certificate.Issuer, StringComparison.OrdinalIgnoreCase))
{
return false;
}
var authorityKeyId = TryGetAuthorityKeyIdentifier(certificate);
var subjectKeyId = TryGetSubjectKeyIdentifier(certificate);
if (authorityKeyId is null || subjectKeyId is null)
{
return true;
}
return authorityKeyId.SequenceEqual(subjectKeyId);
}
private static byte[]? TryGetSubjectKeyIdentifier(X509Certificate2 certificate)
{
var ext = certificate.Extensions.Cast<X509Extension>()
.FirstOrDefault(e => e.Oid?.Value == "2.5.29.14");
if (ext is null)
{
return null;
}
try
{
var ski = new X509SubjectKeyIdentifierExtension(ext, ext.Critical);
return Convert.FromHexString(ski.SubjectKeyIdentifier);
}
catch
{
return null;
}
}
private static byte[]? TryGetAuthorityKeyIdentifier(X509Certificate2 certificate)
{
var ext = certificate.Extensions.Cast<X509Extension>()
.FirstOrDefault(e => e.Oid?.Value == "2.5.29.35");
if (ext is null)
{
return null;
}
try
{
var reader = new AsnReader(ext.RawData, AsnEncodingRules.DER);
var akiBytes = reader.ReadOctetString();
var akiReader = new AsnReader(akiBytes, AsnEncodingRules.DER);
var sequence = akiReader.ReadSequence();
while (sequence.HasData)
{
var tag = sequence.PeekTag();
if (tag.TagClass == TagClass.ContextSpecific && tag.TagValue == 0)
{
return sequence.ReadOctetString(new Asn1Tag(TagClass.ContextSpecific, 0));
}
sequence.ReadEncodedValue();
}
}
catch
{
return null;
}
return null;
}
private static string ComputePrefix(ReadOnlySpan<byte> tokenBytes)
{
var hash = SHA256.HashData(tokenBytes);
return Convert.ToHexString(hash).ToLowerInvariant()[..12];
}
private static string ComputeShortHash(byte[] data)
{
var hash = SHA256.HashData(data);
return Convert.ToHexString(hash).ToLowerInvariant()[..16];
}
private static string EncodePem(byte[] raw)
{
var base64 = Convert.ToBase64String(raw, Base64FormattingOptions.InsertLineBreaks);
var builder = new StringBuilder();
builder.Append("-----BEGIN CERTIFICATE-----\n");
builder.Append(base64);
builder.Append("\n-----END CERTIFICATE-----\n");
return builder.ToString();
}
}
public sealed record TsaChainBundleResult(
ImmutableArray<string> ChainPaths,
ImmutableArray<X509Certificate2> Certificates,
long TotalSizeBytes);
internal sealed record TsaChainEntry(X509Certificate2 Certificate, string RelativePath, long SizeBytes);

3
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/Services/TsaRevocationBlob.cs Normal file
View File

@@ -0,0 +1,3 @@
namespace StellaOps.AirGap.Bundle.Services;
public sealed record TsaRevocationBlob(int CertificateIndex, byte[] Data, string? SourceUri);

3
src/AirGap/__Libraries/StellaOps.AirGap.Bundle/StellaOps.AirGap.Bundle.csproj
View File

@@ -7,6 +7,9 @@
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="System.Security.Cryptography.Pkcs" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\..\__Libraries\StellaOps.Canonical.Json\StellaOps.Canonical.Json.csproj" />
<ProjectReference Include="..\..\..\__Libraries\StellaOps.Determinism.Abstractions\StellaOps.Determinism.Abstractions.csproj" />