git.stella-ops.org/docs/features/unchecked/attestor/cryptographic-proof-generation.md

Cryptographic Proof Generation (SHA-256 hashing)

Module: Attestor

Status: IMPLEMENTED

Description

Cryptographic proof generation uses canonical JSON serialization followed by SHA-256 hashing. ProofBlobs are tamper-evident: each carries a computed hash that a verifier can recompute from the canonical content and compare. Note: the codebase hashes with SHA-256 through the CanonJson utilities. The advisory also mentioned BLAKE3-256, and the DB schema still references BLAKE3-256 in comments, but the actual code uses SHA-256 via CanonJson.

Implementation Details

  • Proof Hashing: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/ProofHashing.cs -- SHA-256 hashing utilities for proof chain artifacts.
  • Proof Blob: __Libraries/StellaOps.Attestor.ProofChain/Models/ProofBlob.cs -- tamper-evident proof container with computed SHA-256 hash.
  • Canonical JSON: __Libraries/StellaOps.Attestor.ProofChain/Json/Rfc8785JsonCanonicalizer.cs (with .DecimalPoint, .NumberSerialization, .StringNormalization, .WriteMethods) -- RFC 8785 canonicalization ensuring deterministic JSON for stable hashing.
  • Content-Addressed IDs: Identifiers/ContentAddressedIdGenerator.cs -- generates SHA-256 IDs from canonical content.
  • Merkle Tree: Merkle/DeterministicMerkleTreeBuilder.cs (with .Helpers, .Proof) -- Merkle tree construction using SHA-256 for proof aggregation. MerkleProof.cs, MerkleProofStep.cs -- inclusion proofs.
  • DSSE Signing: Signing/ProofChainSigner.cs (with .Verification) -- signs proof blobs in DSSE envelopes. DssePreAuthenticationEncoding.cs -- PAE for DSSE.
  • Canonical JSON Serializer (Core): StellaOps.Attestor.Core/Serialization/CanonicalJsonSerializer.cs -- alternative canonical serializer in core.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/JsonCanonicalizerTests.cs, MerkleTreeBuilderTests.cs, Signing/ProofChainSignerTests.cs, StellaOps.Attestor.Core.Tests/Serialization/CanonicalJsonSerializerTests.cs
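As an added illustration of the pipeline the components above describe (this is example code, not code from the StellaOps project), the following Python implements an RFC 8785 (JCS)-style canonicalizer, a content-addressed SHA-256 ID, a tamper-evident proof blob whose hash is recomputed on verification, and the DSSE pre-authentication encoding (PAE) that a signer signs. The `ProofBlob` class shape, the `sha256:` ID prefix and the sample content are assumptions made for the example; the project's ProofHashing, ContentAddressedIdGenerator and Rfc8785JsonCanonicalizer may differ in detail. The canonicalizer covers integral numbers only and rejects anything else rather than risk diverging from the ES6 number formatting RFC 8785 requires.

```python
import hashlib
import json
import math
from dataclasses import dataclass
from typing import Any


def canonicalize(value: Any) -> str:
    """Serialize `value` in RFC 8785 (JCS) form: no whitespace, object members
    sorted by the UTF-16 code units of their keys, strings escaped minimally.
    Subset: integral numbers only; NaN, Infinity and non-integral floats raise
    instead of being serialized in a way that might differ from ES6 Number.toString."""
    if value is None:
        return "null"
    if value is True:          # bool is checked before int: bool is an int subclass
        return "true"
    if value is False:
        return "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, float):
        if math.isnan(value) or math.isinf(value) or not value.is_integer():
            raise ValueError(f"number outside this canonicalizer's subset: {value!r}")
        return str(int(value))  # -0.0 becomes "0", as JCS requires
    if isinstance(value, str):
        # json.dumps escapes only ", \ and U+0000-U+001F (short forms for
        # \b \f \n \r \t, lowercase \u00xx otherwise), which matches the JCS string rule.
        return json.dumps(value, ensure_ascii=False)
    if isinstance(value, (list, tuple)):
        return "[" + ",".join(canonicalize(v) for v in value) + "]"
    if isinstance(value, dict):
        # UTF-16BE byte order equals UTF-16 code-unit order; Python's default
        # sort_keys orders by code point, which differs for supplementary-plane keys.
        items = sorted(value.items(), key=lambda kv: kv[0].encode("utf-16-be"))
        return "{" + ",".join(canonicalize(k) + ":" + canonicalize(v) for k, v in items) + "}"
    raise TypeError(f"not JSON-serializable: {type(value).__name__}")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def content_id(value: Any) -> str:
    """Content-addressed ID: SHA-256 over the canonical UTF-8 bytes.
    The "sha256:" prefix is an assumed convention for this example."""
    return "sha256:" + sha256_hex(canonicalize(value).encode("utf-8"))


@dataclass(frozen=True)
class ProofBlob:
    """Tamper-evident container (assumed shape): content plus the hash computed at creation."""
    content: dict
    digest: str

    @classmethod
    def create(cls, content: dict) -> "ProofBlob":
        return cls(content=content, digest=content_id(content))

    def verify(self) -> bool:
        # Recompute from the canonical form; any change to the content breaks the match.
        return content_id(self.content) == self.digest


def blob_from_json(text: str) -> ProofBlob:
    """Parse JSON text (any whitespace/key order) into a ProofBlob."""
    return ProofBlob.create(json.loads(text))


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding, the exact bytes a DSSE signer signs:
    "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload, lengths in decimal ASCII."""
    t = payload_type.encode("utf-8")
    return b" ".join([b"DSSEv1", str(len(t)).encode(), t, str(len(payload)).encode(), payload])


# Constructed sample input: the same proof content written two ways.
SAMPLE_PRETTY = """{
  "issuedAt": "2024-01-01T00:00:00Z",
  "subject": { "name": "example-artifact", "size": 1024 },
  "claims": ["built", "scanned"],
  "verified": true
}"""
SAMPLE_COMPACT = ('{"verified":true,"claims":["built","scanned"],'
                  '"subject":{"size":1024,"name":"example-artifact"},"issuedAt":"2024-01-01T00:00:00Z"}')
EXPECTED_CANONICAL = ('{"claims":["built","scanned"],"issuedAt":"2024-01-01T00:00:00Z",'
                      '"subject":{"name":"example-artifact","size":1024},"verified":true}')

if __name__ == "__main__":
    a, b = blob_from_json(SAMPLE_PRETTY), blob_from_json(SAMPLE_COMPACT)
    print("canonical:", canonicalize(a.content))
    print("same id for both formattings:", a.digest == b.digest, a.digest)
    tampered = ProofBlob(content={**a.content, "verified": False}, digest=a.digest)
    print("tampered blob verifies:", tampered.verify())
    print("PAE:", dsse_pae("application/vnd.example.proof+json", canonicalize(a.content).encode()))
```

The two formattings of the sample produce one canonical string and therefore one ID, while flipping a single field makes `verify()` fail. The `dsse_pae` output is what a DSSE signature covers; a verifier checks the signature over the PAE and then compares the payload's hash against the hash recorded in the proof chain.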

E2E Test Plan

  • Create a ProofBlob from JSON content, compute its SHA-256 hash via ProofHashing, and verify the hash matches manual SHA-256 computation of the canonical JSON
  • Modify the proof blob content and verify the hash changes
  • Canonicalize identical JSON with different formatting via Rfc8785JsonCanonicalizer, hash both, and verify hashes match
  • Build a Merkle tree from 8 proof blobs and verify the root hash is deterministic
  • Generate an inclusion proof for a specific blob and verify it validates against the root
  • Sign a proof blob via ProofChainSigner and verify the DSSE envelope contains the correct hash
  • Verify a signed proof blob via ProofChainSigner.Verification and confirm integrity
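The Merkle steps of the plan (a deterministic root from 8 proof blobs, and an inclusion proof for one blob that validates against that root), as an added Python example that is not the project's DeterministicMerkleTreeBuilder or MerkleProof code: it hashes with SHA-256 using RFC 6962-style leaf and node prefixes so a leaf can never be confused with an interior node, and it promotes an unpaired node unchanged to the next level. Those conventions, the `ProofStep` shape and the sample leaves are assumptions for the example; the project's builder may pick different ones, and a proof is only valid against a tree built with the same conventions.

```python
import hashlib
from dataclasses import dataclass
from typing import List

LEAF_PREFIX = b"\x00"   # domain separation (RFC 6962 style, assumed for this example)
NODE_PREFIX = b"\x01"


def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """All tree levels, bottom (leaf hashes) to top (single root).
    Leaves are hashed in the order given, so the root is deterministic for a given order."""
    if not leaves:
        raise ValueError("cannot build a tree from zero leaves")
    levels = [[leaf_hash(leaf) for leaf in leaves]]
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur), 2):
            if i + 1 < len(cur):
                nxt.append(node_hash(cur[i], cur[i + 1]))
            else:
                nxt.append(cur[i])  # odd node out: promoted unchanged (assumed convention)
        levels.append(nxt)
    return levels


def merkle_root(leaves: List[bytes]) -> bytes:
    return build_levels(leaves)[-1][0]


@dataclass(frozen=True)
class ProofStep:
    sibling: bytes
    sibling_on_left: bool   # tells the verifier which side to concatenate on


def inclusion_proof(leaves: List[bytes], index: int) -> List[ProofStep]:
    """Sibling hashes from the leaf up to (not including) the root."""
    if not 0 <= index < len(leaves):
        raise IndexError(f"leaf index {index} out of range for {len(leaves)} leaves")
    steps, idx = [], index
    for level in build_levels(leaves)[:-1]:
        sib = idx ^ 1
        if sib < len(level):                       # no sibling means the node was promoted
            steps.append(ProofStep(level[sib], sibling_on_left=sib < idx))
        idx //= 2
    return steps


def verify_inclusion(leaf: bytes, steps: List[ProofStep], root: bytes) -> bool:
    """Recompute the path from `leaf` using only the proof and compare with the trusted root."""
    h = leaf_hash(leaf)
    for step in steps:
        h = node_hash(step.sibling, h) if step.sibling_on_left else node_hash(h, step.sibling)
    return h == root


# Constructed sample: eight stand-ins for serialized proof blobs.
SAMPLE_LEAVES = [f"proof-blob-{i}".encode() for i in range(8)]

if __name__ == "__main__":
    root = merkle_root(SAMPLE_LEAVES)
    print("root:", root.hex())
    print("deterministic:", root == merkle_root(list(SAMPLE_LEAVES)))
    proof = inclusion_proof(SAMPLE_LEAVES, 2)
    print("proof length for 8 leaves:", len(proof))
    print("blob 2 included:", verify_inclusion(SAMPLE_LEAVES[2], proof, root))
    print("tampered blob 2 included:", verify_inclusion(b"proof-blob-2-tampered", proof, root))
```

With 8 leaves the proof has three steps (log2 of the leaf count), and the verifier needs only the leaf, those three sibling hashes and the root; it never needs the other blobs. Re-ordering the leaves changes the root, so the order must be part of what the builder fixes deterministically.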