git.stella-ops.org/docs/features/unchecked/signer/tuf-client-for-trust-root-management.md

# TUF Client for Trust Root Management

## Module

Signer

## Status

IMPLEMENTED

## Description

Full TUF (The Update Framework) client implementation for secure trust root management, including root rotation, timestamp verification, target hash validation, cached state management, and offline mode support. Provides the foundation for Sigstore trust root bootstrapping.

## Implementation Details

- TrustAnchorManager: src/Signer/__Libraries/StellaOps.Signer.KeyManagement/TrustAnchorManager.cs -- trust anchor CRUD with PURL pattern matching: CreateAnchorAsync (validates the PURL pattern format), FindAnchorForPurlAsync (glob-style matching with specificity scoring `segments*10 - wildcards*5`; the most specific match wins), GetActiveAnchorsAsync, DeactivateAnchorAsync; VerifySignatureAuthorizationAsync combines a temporal key validity check with predicate type authorization; each anchor carries AllowedKeyIds, RevokedKeyIds, AllowedPredicateTypes, PolicyRef and PolicyVersion
- PurlPatternMatcher: src/Signer/__Libraries/StellaOps.Signer.KeyManagement/TrustAnchorManager.cs -- validates PURL patterns (must start with `pkg:`), converts glob patterns to regex (`*` and `?` wildcards), and computes specificity scores for best-match resolution
- KeyRotationService: src/Signer/__Libraries/StellaOps.Signer.KeyManagement/KeyRotationService.cs -- trust anchor key lifecycle: AddKeyAsync, RevokeKeyAsync, CheckKeyValidityAsync (temporal validation), GetRotationWarningsAsync (expiry/age/algorithm warnings), GetKeyHistoryAsync; supports key rotation while preserving historical key validity, so a signature is verified against the key that was valid at signing time
- KeyRotationAuditRepository: src/Signer/__Libraries/StellaOps.Signer.KeyManagement/KeyRotationAuditRepository.cs -- audit trail for all key operations
- SigstoreModels: src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Sigstore/SigstoreModels.cs -- Sigstore trust root data models
- DefaultSigningKeyResolver: src/Signer/StellaOps.Signer/StellaOps.Signer.Infrastructure/Signing/DefaultSigningKeyResolver.cs -- resolves signing keys from trust anchors
- Tests: src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/KeyManagement/TrustAnchorManagerTests.cs
- Source: batch_38/file_08.md

## E2E Test Plan

- Verify trust anchor creation with a valid PURL pattern succeeds
- Verify trust anchor creation with an invalid PURL pattern (missing `pkg:` prefix) is rejected
- Test PURL pattern matching: exact match, wildcard match (`pkg:npm/*`), namespace wildcard (`pkg:maven/org.apache/*`)
- Verify the most specific pattern wins when multiple patterns match a PURL
- Verify VerifySignatureAuthorizationAsync returns IsAuthorized=false when the key is not valid at signing time
- Verify predicate type authorization restricts signing to the allowed predicate types
- Test that trust anchor deactivation prevents matching
- Verify key rotation updates AllowedKeyIds on the anchor while preserving historical validity
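The following is an added, stand-alone Python reimplementation of the PURL pattern matching and specificity scoring described in the implementation details, run over the cases listed in the test plan; it is not the project's C# code. The `TrustAnchor` record, the rule that `*` may span `/`, and the choice of `/`-separated segments for the score are assumptions, and the anchors are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class TrustAnchor:
    # Hypothetical stand-in for the anchor record described on this page.
    name: str
    purl_pattern: str
    allowed_key_ids: frozenset
    active: bool = True


def is_valid_pattern(pattern: str) -> bool:
    # Documented rule: a PURL pattern must start with "pkg:".
    return pattern.startswith("pkg:")


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    # Assumption: '*' matches any run of characters (including '/'), '?' exactly one.
    # Every other character is escaped so PURL punctuation (':', '@', '.') is literal.
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts))


def specificity(pattern: str) -> int:
    # Documented scoring: segments*10 - wildcards*5.
    # Assumption: segments are the '/'-separated parts of the pattern.
    segments = len(pattern.split("/"))
    wildcards = pattern.count("*") + pattern.count("?")
    return segments * 10 - wildcards * 5


def find_anchor_for_purl(anchors: Iterable[TrustAnchor], purl: str) -> Optional[TrustAnchor]:
    # Most-specific-match-wins; deactivated anchors are skipped so they never match.
    best: Optional[TrustAnchor] = None
    for anchor in anchors:
        if not anchor.active or not is_valid_pattern(anchor.purl_pattern):
            continue
        if glob_to_regex(anchor.purl_pattern).fullmatch(purl) is None:
            continue
        if best is None or specificity(anchor.purl_pattern) > specificity(best.purl_pattern):
            best = anchor
    return best


# Constructed sample anchors (not from the project) covering the test-plan cases.
ANCHORS = (
    TrustAnchor("npm-any", "pkg:npm/*", frozenset({"key-npm"})),
    TrustAnchor("lodash-exact", "pkg:npm/lodash@4.17.21", frozenset({"key-lodash"})),
    TrustAnchor("apache-ns", "pkg:maven/org.apache/*", frozenset({"key-apache"})),
    TrustAnchor("catch-all", "pkg:*", frozenset({"key-any"}), active=False),
)
```

`find_anchor_for_purl(ANCHORS, "pkg:npm/lodash@4.17.21")` returns the `lodash-exact` anchor (score 20 beats `npm-any` at 15), while `pkg:pypi/requests@2.31.0` resolves to no anchor because the only candidate is deactivated.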