git.stella-ops.org/docs/features/checked/excititor/vex-cryptographic-verification.md

VEX Cryptographic Verification

Module

Excititor

Status

VERIFIED

Description

Cryptographic signature verification of VEX documents at ingestion time with crypto profile selection and issuer validation.

Implementation Details

• Modules: src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/, src/Excititor/StellaOps.Excititor.Worker/Signature/
• Key Classes:
  • ProductionVexSignatureVerifier (src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/ProductionVexSignatureVerifier.cs) - production signature verifier for VEX documents
  • CryptoProfileSelector (src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/CryptoProfileSelector.cs) - selects crypto profile (FIPS, eIDAS, GOST, SM) based on issuer
  • VerificationCacheService (src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VerificationCacheService.cs) - caches verification results for performance
  • VexSignatureVerifierOptions (src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VexSignatureVerifierOptions.cs) - configurable verification options
  • VexVerificationModels (src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VexVerificationModels.cs) - verification result models
  • VexVerificationMetrics (src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VexVerificationMetrics.cs) - metrics for verification operations
  • WorkerSignatureVerifier (src/Excititor/StellaOps.Excititor.Worker/Signature/WorkerSignatureVerifier.cs) - worker-side signature verification
  • VerifyingVexRawDocumentSink (src/Excititor/StellaOps.Excititor.Worker/Signature/VerifyingVexRawDocumentSink.cs) - sink that verifies signatures before persisting
• Interfaces: IVexSignatureVerifierV2
• Source: Feature matrix scan

E2E Test Plan

• Ingest a cryptographically signed VEX document and verify ProductionVexSignatureVerifier validates the signature
• Verify CryptoProfileSelector selects the correct crypto profile based on the issuer's regional requirements
• Verify VerificationCacheService caches verification results and returns cached results for repeated checks
• Ingest a VEX document with an invalid signature and verify rejection with a clear error
• Verify VerifyingVexRawDocumentSink rejects unsigned documents when signature verification is required
• Verify VexVerificationMetrics records verification success/failure counts and latency

Verification

• Verified on 2026-02-13 via run-001.
• Tier 0: Source files confirmed present on disk.
• Tier 1: dotnet build passed (0 errors); 503/504 tests passed (1 env_issue: no local Postgres).
• Tier 2d: docs/qa/feature-checks/runs/excititor/vex-cryptographic-verification/run-001/tier2-integration-check.json