{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://stellaops.io/schemas/time-anchor.v1.json", "title": "TimeAnchor", "description": "Time anchor and TUF trust schema for air-gapped time verification", "type": "object", "$defs": { "TimeAnchor": { "type": "object", "description": "Trusted time anchor for offline environments", "required": ["anchorTime", "source", "format", "tokenDigest"], "properties": { "anchorTime": { "type": "string", "format": "date-time", "description": "RFC 3339 timestamp of the anchor" }, "source": { "$ref": "#/$defs/TimeSource" }, "format": { "type": "string", "description": "Format identifier for the time token", "examples": ["roughtime-v1", "rfc3161-v1"] }, "signatureFingerprint": { "type": "string", "pattern": "^[a-f0-9]+$", "description": "Lowercase hex-encoded fingerprint of the signing key" }, "tokenDigest": { "type": "string", "pattern": "^[a-f0-9]{64}$", "description": "SHA-256 digest of the time token, as 64 lowercase hex characters" }, "verification": { "$ref": "#/$defs/VerificationStatus" } } }, "TimeSource": { "type": "string", "description": "Source of the time anchor", "enum": ["roughtime", "rfc3161", "unknown"] }, "VerificationStatus": { "type": "object", "properties": { "status": { "type": "string", "enum": ["unknown", "passed", "failed"] }, "reason": { "type": "string" }, "verifiedAt": { "type": "string", "format": "date-time" } } }, "TrustRootsBundle": { "type": "object", "description": "Bundle of trusted time sources", "required": ["version"], "properties": { "version": { "type": "integer", "minimum": 1 }, "roughtime": { "type": "array", "items": { "$ref": "#/$defs/RoughtimeRoot" } }, "rfc3161": { "type": "array", "items": { "$ref": "#/$defs/Rfc3161Root" } } } }, "RoughtimeRoot": { "type": "object", "description": "Roughtime server trust root", "required": ["name", "publicKeyBase64", "validFrom", "validTo"], "properties": { "name": { "type": "string", "description": "Human-readable server name" }, "publicKeyBase64": { "type": "string", 
"description": "Base64-encoded Ed25519 public key" }, "validFrom": { "type": "string", "format": "date-time" }, "validTo": { "type": "string", "format": "date-time" } } }, "Rfc3161Root": { "type": "object", "description": "RFC 3161 TSA trust root", "required": ["name", "certificatePem", "validFrom", "validTo", "fingerprintSha256"], "properties": { "name": { "type": "string" }, "certificatePem": { "type": "string", "description": "PEM-encoded X.509 certificate" }, "validFrom": { "type": "string", "format": "date-time" }, "validTo": { "type": "string", "format": "date-time" }, "fingerprintSha256": { "type": "string", "pattern": "^[A-F0-9]{64}$", "description": "SHA-256 fingerprint of the certificate, as 64 uppercase hex characters (the other hex fields in this schema are lowercase; normalize case before comparing)" } } }, "TufMetadata": { "type": "object", "description": "TUF (The Update Framework) metadata for secure updates", "required": ["specVersion", "version", "expires"], "properties": { "specVersion": { "type": "string", "const": "1.0.0" }, "version": { "type": "integer", "minimum": 1, "description": "Monotonically increasing version" }, "expires": { "type": "string", "format": "date-time" } } }, "TufRoot": { "type": "object", "description": "TUF root metadata", "allOf": [ {"$ref": "#/$defs/TufMetadata"}, { "type": "object", "required": ["keys", "roles"], "properties": { "keys": { "type": "object", "additionalProperties": { "$ref": "#/$defs/TufKey" } }, "roles": { "type": "object", "properties": { "root": {"$ref": "#/$defs/TufRole"}, "snapshot": {"$ref": "#/$defs/TufRole"}, "timestamp": {"$ref": "#/$defs/TufRole"}, "targets": {"$ref": "#/$defs/TufRole"} } } } } ] }, "TufKey": { "type": "object", "required": ["keytype", "scheme", "keyval"], "properties": { "keytype": { "type": "string", "enum": ["ed25519", "rsa", "ecdsa"] }, "scheme": { "type": "string", "enum": ["ed25519", "rsassa-pss-sha256", "ecdsa-sha2-nistp256"] }, "keyval": { "type": "object", "properties": { "public": {"type": "string"} } } } }, "TufRole": { "type": "object", "required": ["keyids", "threshold"], 
"properties": { "keyids": { "type": "array", "items": {"type": "string"} }, "threshold": { "type": "integer", "minimum": 1 } } }, "TufSnapshot": { "type": "object", "description": "TUF snapshot metadata", "allOf": [ {"$ref": "#/$defs/TufMetadata"}, { "type": "object", "required": ["meta"], "properties": { "meta": { "type": "object", "additionalProperties": { "$ref": "#/$defs/TufFileMeta" } } } } ] }, "TufTimestamp": { "type": "object", "description": "TUF timestamp metadata", "allOf": [ {"$ref": "#/$defs/TufMetadata"}, { "type": "object", "required": ["meta"], "properties": { "meta": { "type": "object", "properties": { "snapshot.json": { "$ref": "#/$defs/TufFileMeta" } } } } } ] }, "TufFileMeta": { "type": "object", "required": ["version"], "properties": { "version": { "type": "integer" }, "length": { "type": "integer" }, "hashes": { "type": "object", "properties": { "sha256": { "type": "string", "pattern": "^[a-f0-9]{64}$" }, "sha512": { "type": "string", "pattern": "^[a-f0-9]{128}$" } } } } }, "TufValidationResult": { "type": "object", "description": "Result of TUF metadata validation", "required": ["valid"], "properties": { "valid": { "type": "boolean" }, "failureCode": { "type": "string", "enum": [ "tuf-version-invalid", "tuf-expiry-invalid", "tuf-snapshot-hash-mismatch", "tuf-signature-invalid", "tuf-threshold-not-met" ] }, "message": { "type": "string" } } }, "RootRotationPolicy": { "type": "object", "description": "Policy for rotating TUF root keys", "required": ["minApprovers", "pendingKeys"], "properties": { "minApprovers": { "type": "integer", "minimum": 2, "description": "Minimum distinct approvers required" }, "pendingKeys": { "type": "array", "items": {"type": "string"}, "minItems": 1, "description": "Keys pending rotation" }, "activeKeys": { "type": "array", "items": {"type": "string"} } } } }, "examples": [ { "anchorTime": "2025-12-06T00:00:00Z", "source": "roughtime", "format": "roughtime-v1", "tokenDigest": "abc123def456789...", "verification": { 
"status": "passed", "verifiedAt": "2025-12-06T00:00:01Z" } } ] }