feat(api): Implement Console Export Client and Models
- Added ConsoleExportClient for managing export requests and responses.
- Introduced ConsoleExportRequest and ConsoleExportResponse models.
- Implemented methods for creating and retrieving exports with appropriate headers.

feat(crypto): Add Software SM2/SM3 Cryptography Provider

- Implemented SmSoftCryptoProvider for software-only SM2/SM3 cryptography.
- Added support for signing and verification using SM2 algorithm.
- Included hashing functionality with SM3 algorithm.
- Configured options for loading keys from files and environment gate checks.

test(crypto): Add unit tests for SmSoftCryptoProvider

- Created comprehensive tests for signing, verifying, and hashing functionalities.
- Ensured correct behavior for key management and error handling.

feat(api): Enhance Console Export Models

- Expanded ConsoleExport models to include detailed status and event types.
- Added support for various export formats and notification options.

test(time): Implement TimeAnchorPolicyService tests

- Developed tests for TimeAnchorPolicyService to validate time anchors.
- Covered scenarios for anchor validation, drift calculation, and policy enforcement.
2025-12-07 00:27:33 +02:00


{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://stella-ops.org/schemas/authority-production-signing.schema.json",
"title": "StellaOps Authority Production Signing Schema",
"description": "Schema for production DSSE signing keys, key management, and artifact signing workflows. Unblocks AUTH-GAPS-314-004, REKOR-RECEIPT-GAPS-314-005 (2+ tasks).",
"type": "object",
"definitions": {
"SigningKey": {
"type": "object",
"description": "Production signing key configuration",
"required": ["key_id", "algorithm", "purpose"],
"properties": {
"key_id": {
"type": "string",
"description": "Unique key identifier"
},
"algorithm": {
"type": "string",
"enum": ["ecdsa-p256", "ecdsa-p384", "ed25519", "rsa-2048", "rsa-4096"],
"description": "Signing algorithm"
},
"purpose": {
"type": "string",
"enum": ["artifact_signing", "attestation", "timestamp", "code_signing", "sbom_signing"],
"description": "Key purpose"
},
"key_type": {
"type": "string",
"enum": ["software", "hsm", "kms", "yubikey"],
"description": "Key storage type"
},
"public_key": {
"type": "string",
"description": "PEM-encoded public key"
},
"public_key_fingerprint": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "SHA-256 fingerprint of the public key, written as sha256: followed by 64 lowercase hex digits"
},
"certificate": {
"$ref": "#/definitions/SigningCertificate"
},
"created_at": {
"type": "string",
"format": "date-time"
},
"expires_at": {
"type": "string",
"format": "date-time"
},
"status": {
"type": "string",
"enum": ["active", "pending_rotation", "revoked", "expired"],
"default": "active"
},
"rotation_policy": {
"$ref": "#/definitions/KeyRotationPolicy"
},
"metadata": {
"type": "object",
"additionalProperties": true
}
}
},
"SigningCertificate": {
"type": "object",
"description": "X.509 certificate for signing key",
"properties": {
"certificate_pem": {
"type": "string",
"description": "PEM-encoded certificate"
},
"issuer": {
"type": "string"
},
"subject": {
"type": "string"
},
"serial_number": {
"type": "string"
},
"not_before": {
"type": "string",
"format": "date-time"
},
"not_after": {
"type": "string",
"format": "date-time"
},
"chain": {
"type": "array",
"items": {
"type": "string"
},
"description": "Certificate chain, one PEM-encoded certificate per element"
}
}
},
"KeyRotationPolicy": {
"type": "object",
"description": "Key rotation policy",
"properties": {
"rotation_interval_days": {
"type": "integer",
"minimum": 1,
"description": "Days between rotations"
},
"overlap_period_days": {
"type": "integer",
"minimum": 1,
"description": "Number of days the outgoing and replacement keys are both valid after a rotation"
},
"auto_rotate": {
"type": "boolean",
"default": false
},
"notify_before_days": {
"type": "integer",
"description": "Number of days before key expiry at which a notification is sent"
}
}
},
"SigningRequest": {
"type": "object",
"description": "Request to sign an artifact",
"required": ["artifact_type", "artifact_digest"],
"properties": {
"request_id": {
"type": "string",
"format": "uuid"
},
"artifact_type": {
"type": "string",
"enum": ["container_image", "sbom", "vex", "attestation", "policy_pack", "evidence_bundle"],
"description": "Type of artifact to sign"
},
"artifact_digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$",
"description": "SHA-256 digest of the artifact, written as sha256: followed by 64 lowercase hex digits"
},
"artifact_uri": {
"type": "string",
"format": "uri",
"description": "URI to artifact (optional)"
},
"key_id": {
"type": "string",
"description": "Identifier of the key to sign with; the registry's default_key_id is used when omitted"
},
"signature_format": {
"type": "string",
"enum": ["dsse", "cosign", "gpg", "jws"],
"default": "dsse"
},
"annotations": {
"type": "object",
"additionalProperties": {
"type": "string"
},
"description": "Annotations to include in signature"
},
"transparency_log": {
"type": "boolean",
"default": true,
"description": "Upload to transparency log (Rekor)"
},
"timestamp": {
"type": "boolean",
"default": true,
"description": "Include RFC 3161 timestamp"
}
}
},
"SigningResponse": {
"type": "object",
"description": "Signing operation result",
"required": ["signature_id", "artifact_digest", "signature"],
"properties": {
"signature_id": {
"type": "string",
"format": "uuid"
},
"artifact_digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
},
"signature": {
"type": "string",
"description": "Base64-encoded signature"
},
"signature_format": {
"type": "string",
"enum": ["dsse", "cosign", "gpg", "jws"]
},
"key_id": {
"type": "string"
},
"signed_at": {
"type": "string",
"format": "date-time"
},
"certificate": {
"type": "string",
"description": "Signing certificate (PEM)"
},
"chain": {
"type": "array",
"items": {
"type": "string"
}
},
"transparency_log_entry": {
"$ref": "#/definitions/TransparencyLogEntry"
},
"timestamp_response": {
"type": "string",
"description": "RFC 3161 timestamp response (base64)"
}
}
},
"TransparencyLogEntry": {
"type": "object",
"description": "Rekor transparency log entry",
"properties": {
"log_id": {
"type": "string",
"description": "Log instance identifier"
},
"log_index": {
"type": "integer",
"description": "Entry index in log"
},
"entry_uuid": {
"type": "string",
"description": "Entry UUID"
},
"integrated_time": {
"type": "string",
"format": "date-time"
},
"inclusion_proof": {
"$ref": "#/definitions/InclusionProof"
},
"verification_url": {
"type": "string",
"format": "uri"
}
}
},
"InclusionProof": {
"type": "object",
"description": "Merkle tree inclusion proof",
"properties": {
"tree_size": {
"type": "integer"
},
"root_hash": {
"type": "string"
},
"hashes": {
"type": "array",
"items": {
"type": "string"
}
},
"log_index": {
"type": "integer"
}
}
},
"VerificationRequest": {
"type": "object",
"description": "Request to verify a signature",
"required": ["artifact_digest", "signature"],
"properties": {
"artifact_digest": {
"type": "string",
"pattern": "^sha256:[a-f0-9]{64}$"
},
"signature": {
"type": "string",
"description": "Base64-encoded signature"
},
"certificate": {
"type": "string",
"description": "Certificate the signature is expected to have been produced with (optional)"
},
"trusted_roots": {
"type": "array",
"items": {
"type": "string"
},
"description": "Trusted root certificates (PEM)"
},
"verify_transparency_log": {
"type": "boolean",
"default": true
},
"verify_timestamp": {
"type": "boolean",
"default": true
}
}
},
"VerificationResponse": {
"type": "object",
"description": "Signature verification result",
"required": ["verified", "artifact_digest"],
"properties": {
"verified": {
"type": "boolean"
},
"artifact_digest": {
"type": "string"
},
"signer": {
"type": "string",
"description": "Signer identity from certificate"
},
"signed_at": {
"type": "string",
"format": "date-time"
},
"certificate_chain_valid": {
"type": "boolean"
},
"transparency_log_valid": {
"type": "boolean"
},
"timestamp_valid": {
"type": "boolean"
},
"errors": {
"type": "array",
"items": {
"type": "string"
}
},
"warnings": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"KeyRegistry": {
"type": "object",
"description": "Registry of signing keys",
"required": ["registry_id", "keys"],
"properties": {
"registry_id": {
"type": "string"
},
"version": {
"type": "string"
},
"updated_at": {
"type": "string",
"format": "date-time"
},
"keys": {
"type": "array",
"items": {
"$ref": "#/definitions/SigningKey"
}
},
"default_key_id": {
"type": "string",
"description": "Default key for signing operations"
},
"trusted_roots": {
"type": "array",
"items": {
"type": "string"
},
"description": "Trusted root certificates (PEM)"
},
"rekor_url": {
"type": "string",
"format": "uri",
"default": "https://rekor.sigstore.dev"
},
"tsa_url": {
"type": "string",
"format": "uri",
"description": "RFC 3161 timestamp authority URL"
}
}
},
"ProductionSigningConfig": {
"type": "object",
"description": "Production signing configuration",
"required": ["config_id"],
"properties": {
"config_id": {
"type": "string"
},
"environment": {
"type": "string",
"enum": ["development", "staging", "production"]
},
"key_registry": {
"$ref": "#/definitions/KeyRegistry"
},
"signing_policy": {
"$ref": "#/definitions/SigningPolicy"
},
"audit_config": {
"$ref": "#/definitions/AuditConfig"
}
}
},
"SigningPolicy": {
"type": "object",
"description": "Signing policy rules",
"properties": {
"require_approval": {
"type": "boolean",
"default": false,
"description": "Require approval for production signing"
},
"approvers": {
"type": "array",
"items": {
"type": "string"
}
},
"allowed_artifact_types": {
"type": "array",
"items": {
"type": "string"
}
},
"require_transparency_log": {
"type": "boolean",
"default": true
},
"require_timestamp": {
"type": "boolean",
"default": true
},
"max_signatures_per_key_per_day": {
"type": "integer"
}
}
},
"AuditConfig": {
"type": "object",
"description": "Audit logging configuration",
"properties": {
"log_all_requests": {
"type": "boolean",
"default": true
},
"log_verification_failures": {
"type": "boolean",
"default": true
},
"retention_days": {
"type": "integer",
"default": 365
},
"alert_on_anomaly": {
"type": "boolean",
"default": true
}
}
}
},
"properties": {
"config": {
"$ref": "#/definitions/ProductionSigningConfig"
}
},
"examples": [
{
"config": {
"config_id": "stellaops-prod-signing",
"environment": "production",
"key_registry": {
"registry_id": "stellaops-keys",
"version": "2025.10.0",
"updated_at": "2025-12-06T10:00:00Z",
"keys": [
{
"key_id": "stellaops-artifact-signing-2025",
"algorithm": "ecdsa-p256",
"purpose": "artifact_signing",
"key_type": "kms",
"public_key_fingerprint": "sha256:abc123def456789012345678901234567890123456789012345678901234abcd",
"created_at": "2025-01-01T00:00:00Z",
"expires_at": "2026-01-01T00:00:00Z",
"status": "active",
"rotation_policy": {
"rotation_interval_days": 365,
"overlap_period_days": 30,
"auto_rotate": false,
"notify_before_days": 60
}
},
{
"key_id": "stellaops-attestation-signing-2025",
"algorithm": "ecdsa-p256",
"purpose": "attestation",
"key_type": "kms",
"status": "active"
}
],
"default_key_id": "stellaops-artifact-signing-2025",
"rekor_url": "https://rekor.sigstore.dev",
"tsa_url": "https://timestamp.digicert.com"
},
"signing_policy": {
"require_approval": false,
"allowed_artifact_types": ["container_image", "sbom", "vex", "attestation", "policy_pack", "evidence_bundle"],
"require_transparency_log": true,
"require_timestamp": true,
"max_signatures_per_key_per_day": 10000
},
"audit_config": {
"log_all_requests": true,
"log_verification_failures": true,
"retention_days": 365,
"alert_on_anomaly": true
}
}
}
]
}