stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
main
git.stella-ops.org/docs/features/checked/attestor/tsa-multi-provider-fallback-chain-with-cli.md
master e9aeadc040 save checkpoint
2026-02-14 09:11:48 +02:00

3.4 KiB
Raw Permalink Blame History

TSA Multi-Provider Fallback Chain with CLI

Module

Attestor

Status

VERIFIED

Description

Multi-provider TSA configuration with automatic fallback chain (primary/secondary/tertiary), retry policies with jitter, and CLI commands (stella timestamp request/verify/providers). Extends beyond the known "RFC-3161 TSA Client for CI/CD Timestamping" with multi-provider orchestration and CLI surface.

Implementation Details

  • TSA Multi-Provider: src/Attestor/__Libraries/StellaOps.Attestor.Infrastructure/Timestamping/TsaMultiProvider.cs -- multi-provider TSA client with ordered fallback chain (primary/secondary/tertiary), retry with exponential backoff and jitter, automatic failover on provider errors.
  • Attestation Timestamp Service: __Libraries/StellaOps.Attestor.Timestamping/AttestationTimestampService.cs (with .Helpers, .Timestamp, .Verify) -- core timestamping service that uses the multi-provider chain. Implements IAttestationTimestampService.cs.
  • Attestation Timestamp Options: AttestationTimestampOptions.cs -- configuration for provider URLs, retry policies, and fallback order.
  • Attestation Timestamp Service Options: AttestationTimestampServiceOptions.cs -- service-level options (timeout, max retries, jitter parameters).
  • TSA Certificate Status: TsaCertificateStatus.cs -- enum tracking TSA certificate validity (Valid, Expired, Revoked, Unknown).
  • TST Verification Status: TstVerificationStatus.cs -- status of timestamp token verification.
  • Timestamp Policy: TimestampPolicy.cs -- policy defining required timestamp providers and minimum provider count.
  • Timestamp Policy Evaluator: TimestampPolicyEvaluator.cs -- evaluates timestamps against policy rules. TimestampPolicyResult.cs -- evaluation result.
  • Timestamped Attestation: TimestampedAttestation.cs -- attestation with attached timestamp evidence from one or more TSA providers.
  • Time Correlation Validator: TimeCorrelationValidator.cs (with .Async, .GapChecks, .Validate) -- cross-validates timestamps from multiple providers for consistency.
  • Tests: __Tests/StellaOps.Attestor.Timestamping.Tests/

E2E Test Plan

  • Configure three TSA providers (primary, secondary, tertiary) and request a timestamp; verify the primary provider is used first
  • Disable the primary TSA provider and request a timestamp; verify automatic fallover to the secondary provider
  • Disable primary and secondary providers; verify fallover to the tertiary provider and successful timestamp
  • Disable all providers and verify the request fails with a descriptive error after exhausting all fallbacks
  • Verify retry with jitter: configure a provider that fails intermittently and verify retries succeed with exponential backoff
  • Verify TimestampPolicy enforcement: require timestamps from at least 2 providers and verify the evaluator rejects single-provider timestamps
  • Cross-validate timestamps from multiple providers via TimeCorrelationValidator and verify time consistency within acceptable drift
  • Verify TsaCertificateStatus correctly identifies an expired TSA certificate and rejects its timestamps

Verification

Check Result
Tier 0 - Source Verification PASS
Tier 1 - Build + Code Review PASS
Tier 2 - Behavioral Verification PASS
Verified Date 2026-02-13
Run ID run-001