stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
ccdfd41e4f39e22f65e3030fa326adbe494a1528
git.stella-ops.org/docs/features/unimplemented/attestor/asn-1-native-rfc-3161-timestamp-token-parsing.md
master 5bca406787 save checkpoint: save features
2026-02-12 10:27:23 +02:00

5.1 KiB
Raw Blame History

ASN.1-Native RFC 3161 Timestamp Token Parsing

Module

Attestor

Status

PARTIALLY_IMPLEMENTED

Description

Native ASN.1 parsing of RFC 3161 timestamp tokens using System.Formats.Asn1 (no BouncyCastle dependency). Includes request encoding, response decoding, TstInfo extraction, certificate chain parsing, and signature verification. This is the low-level implementation detail behind the known "RFC-3161 TSA Client" entry.

Implementation Details

  • Timestamp Service: src/Attestor/__Libraries/StellaOps.Attestor.Timestamping/AttestationTimestampService.cs (with .Helpers, .Timestamp, .Verify partials) -- core service handling RFC 3161 timestamp request/response lifecycle.
  • IAttestationTimestampService: IAttestationTimestampService.cs -- interface for timestamp operations.
  • Timestamp Policy: TimestampPolicy.cs, TimestampPolicyEvaluator.cs, TimestampPolicyResult.cs -- policy evaluation for timestamp requirements.
  • TSA Certificate Validation: TsaCertificateStatus.cs -- certificate chain status. TstVerificationStatus.cs -- TstInfo verification result.
  • Time Correlation: TimeCorrelationValidator.cs (with .Async, .GapChecks, .Validate partials) -- validates timestamp consistency across multiple TSA sources. TimeCorrelationPolicy.cs, TimeCorrelationResult.cs, TimeCorrelationStatus.cs define correlation rules.
  • Time Consistency: TimeConsistencyResult.cs -- result of cross-TSA time consistency checks.
  • Multi-Provider Fallback: src/Attestor/__Libraries/StellaOps.Attestor.Infrastructure/Timestamping/TsaMultiProvider.cs -- fallback chain across multiple TSA providers.
  • Configuration: AttestationTimestampOptions.cs, AttestationTimestampServiceOptions.cs, AttestationTimestampVerificationOptions.cs, AttestationTimestampPolicyContext.cs.
  • Timestamped Attestation: TimestampedAttestation.cs -- wraps an attestation with its timestamp token.
  • Tests: src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Tests/Timestamping/AttestationTimestampServiceTests.cs, src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Tests/Timestamping/AttestationTimestampPolicyTests.cs, src/Attestor/StellaOps.Attestor/StellaOps.Attestor.Tests/Timestamping/TimeCorrelationValidatorTests.cs

E2E Test Plan

  • Create a timestamp request for a SHA-256 hash via AttestationTimestampService, send to a TSA endpoint, and verify the response contains a valid TstInfo with matching hash
  • Parse an RFC 3161 timestamp token response and verify certificate chain extraction produces valid TsaCertificateStatus
  • Verify a timestamp token signature against the TSA certificate and confirm TstVerificationStatus indicates success
  • Configure TimeCorrelationValidator with two TSA sources and verify TimeConsistencyResult passes when timestamps are within configured gap tolerance
  • Configure TimeCorrelationValidator with a strict gap threshold and submit timestamps with drift exceeding the threshold, verifying TimeCorrelationStatus indicates failure
  • Test TsaMultiProvider fallback by configuring a primary TSA that fails and a secondary that succeeds, verifying the timestamp is obtained from the fallback provider
  • Create a TimestampedAttestation wrapping a DSSE envelope and verify the timestamp token is correctly associated

Implementation Gaps (2026-02-11)

  • AttestationTimestampService.Helpers still uses placeholder methods for RFC-3161 request/parse/verify flow (RequestTimestampAsync, ParseTstInfo, VerifyImprintAsync, VerifyTstSignatureAsync) instead of native ASN.1 token parsing and verification.
  • TsaMultiProvider request/response handling is marked as simplified placeholder and references hypothetical BouncyCastle integration rather than implemented native ASN.1 parsing.
  • Current timestamping tests validate digest/policy scaffolding but do not exercise real RFC-3161 token decode, certificate-chain extraction, CMS signature verification, or fallback-provider behavior with realistic responses.

Verification

  • Evaluated on 2026-02-11 via run-001.
  • Tier 0 source checks were partial only due legacy test path references in the feature dossier; active timestamping source/test files were present.
  • Tier 1 and Tier 2 executed successfully for existing timestamping behavior tests (12/12 class-scoped), but claim parity review failed because RFC-3161 ASN.1 parse/verification paths are still placeholders.
  • Feature terminalized as not_implemented and moved from unchecked to unimplemented.
  • Evidence:
    • docs/qa/feature-checks/runs/attestor/asn-1-native-rfc-3161-timestamp-token-parsing/run-001/tier0-source-check.json
    • docs/qa/feature-checks/runs/attestor/asn-1-native-rfc-3161-timestamp-token-parsing/run-001/tier1-build-check.json
    • docs/qa/feature-checks/runs/attestor/asn-1-native-rfc-3161-timestamp-token-parsing/run-001/tier2-integration-check.json
    • docs/qa/feature-checks/runs/attestor/asn-1-native-rfc-3161-timestamp-token-parsing/run-001/triage.json
    • docs/qa/feature-checks/runs/attestor/asn-1-native-rfc-3161-timestamp-token-parsing/run-001/confirmation.json