stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/checked/cryptography/eidas-qualified-timestamping.md
master cf5b72974f save checkpoint
2026-02-11 01:32:14 +02:00

8.2 KiB
Raw Blame History

eIDAS Qualified Timestamping

Module

Cryptography

Status

VERIFIED

Description

EU-qualified timestamp verification with TSA configuration, EU Trust List integration, and CAdES signature building for eIDAS compliance.

Implementation Details

  • EidasPlugin: src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/EidasPlugin.cs -- eIDAS crypto provider plugin extending CryptoPluginBase
  • QualifiedTimestampVerifier: src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/QualifiedTimestampVerifier.cs -- verifies RFC 3161 timestamps from EU-qualified TSAs against the EU Trust List
  • IQualifiedTimestampVerifier: src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/IQualifiedTimestampVerifier.cs -- verification interface
  • EuTrustListService: src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/EuTrustListService.cs -- fetches and caches the EU Trusted List of TSA providers for validation
  • IEuTrustListService: src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/IEuTrustListService.cs -- trust list interface
  • TimestampModeSelector: src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/TimestampModeSelector.cs -- selects between qualified and standard timestamping based on configuration and TSA availability
  • ITimestampModeSelector: src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/ITimestampModeSelector.cs -- mode selection interface
  • CadesSignatureBuilder: src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/CadesSignatureBuilder.cs -- builds CAdES (CMS Advanced Electronic Signatures) signatures with embedded timestamps per EU regulation requirements
  • ICadesSignatureBuilder: src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/ICadesSignatureBuilder.cs -- CAdES builder interface
  • QualifiedTsaConfiguration: src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/QualifiedTsaConfiguration.cs -- TSA endpoint URL, authentication, certificate chain configuration
  • EidasTimestampingExtensions: src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Timestamping/EidasTimestampingExtensions.cs -- DI registration extensions for eIDAS timestamping services
  • EtsiConformanceTestVectors: src/Cryptography/StellaOps.Cryptography.Plugin.Eidas/Tests/EtsiConformanceTestVectors.cs -- ETSI conformance test vectors
  • Tests: src/Cryptography/__Tests/StellaOps.Cryptography.Tests/Eidas/QualifiedTsaProviderTests.cs, TimestampModeSelectorTests.cs
  • Source: Feature matrix scan

E2E Test Plan

  • Verify qualified timestamp verification validates RFC 3161 timestamp against EU Trust List
  • Test timestamp mode selector chooses qualified mode when TSA is available and standard mode as fallback
  • Verify CAdES signature builder produces valid CMS Advanced Electronic Signatures with embedded timestamps
  • Test EU Trust List service fetches and caches TSA provider list
  • Verify QualifiedTsaConfiguration validates TSA endpoint URL and certificate chain
  • Test ETSI conformance test vectors pass validation
  • Verify timestamp verification fails for non-qualified TSA providers

Verification

Run ID: run-001 Date: 2026-02-10 Method: Tier 1 code review + Tier 2d test verification

Build: PASS (0 errors, 0 warnings) Tests: PASS (101/101 cryptography tests pass)

Most thoroughly implemented feature. QualifiedTimestampVerifier decodes RFC 3161 timestamps via SignedCms, verifies CMS signature, parses TSTInfo ASN.1. EuTrustListService fetches LOTL from EU URL, parses ETSI TS 119 612 XML, supports offline path for air-gap. TimestampModeSelector policy-based with env/tag/repo pattern matching. CadesSignatureBuilder creates CAdES-B/T/LT/LTA. 26 unit tests across QualifiedTsaProviderTests (14) and TimestampModeSelectorTests (12).

Verdict: PASS

Recheck (Run-002)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/eidas-qualified-timestamping/run-002/tier2-integration-check.json
  • Outcome: eIDAS qualified timestamping and trust-list flows remain stable.

Recheck (Run-003)

  • Verified: 2026-02-10
  • Method: Tier 2 follow-up deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/eidas-qualified-timestamping/run-003/tier2-integration-check.json
  • Outcome: eIDAS timestamping and trust-list behavior remains stable in follow-up replay.

Recheck (Run-004)

  • Verified: 2026-02-10
  • Method: Tier 2 deterministic integration replay + full cryptography suite replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/eidas-qualified-timestamping/run-004/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains stable; PQC caveat remains unchanged.

Recheck (Run-005)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/eidas-qualified-timestamping/run-005/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in follow-up replay.

Recheck (Run-006)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/eidas-qualified-timestamping/run-006/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in continued replay.

Recheck (Run-007)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/eidas-qualified-timestamping/run-007/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in continued replay.

Recheck (Run-008)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/eidas-qualified-timestamping/run-008/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in continued replay.

Recheck (Run-009)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/eidas-qualified-timestamping/run-009/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in continued replay.

Recheck (Run-010)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/eidas-qualified-timestamping/run-010/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in continued replay.

Recheck (Run-011)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic integration replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/eidas-qualified-timestamping/run-011/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in continued replay.

Recheck (Run-012)

  • Verified: 2026-02-10
  • Method: Tier 2d deterministic cryptography suite replay.
  • Tests: PASS (src/Cryptography/__Tests/StellaOps.Cryptography.Tests: 101/101).
  • Tier 2 Evidence: docs/qa/feature-checks/runs/cryptography/eidas-qualified-timestamping/run-012/tier2-integration-check.json
  • Outcome: Checked cryptography behavior remains healthy in continued replay.