git.stella-ops.org/docs/features/unchecked/attestor/trust-anchor-management.md

Trust Anchor Management

Module: Attestor

Status: IMPLEMENTED

Description

Trust anchor system with per-dependency anchors (public key plus policy), PURL pattern matching, allowed key IDs, revoked-key tracking, anchor expiry, and integration as a step in the verification pipeline.

Implementation Details

  • Trust Anchor Verification Step: src/Attestor/__Libraries/StellaOps.Attestor.ProofChain/Verification/TrustAnchorVerificationStep.cs -- verification step that checks attestation signatures against trusted anchors.
  • Verification Context: Verification/VerificationContext.cs -- context containing trust anchors for the verification pipeline.
  • Trust Anchor Entity: __Libraries/StellaOps.Attestor.Persistence/Entities/TrustAnchorEntity.cs -- persisted trust anchor with key material, expiry, allowed patterns, and revocation status.
  • Anchors Controller: StellaOps.Attestor.WebService/Controllers/AnchorsController.cs -- REST API for managing trust anchors (create, query, revoke).
  • Signing Key Profile: Signing/SigningKeyProfile.cs -- key profile linked to trust anchors.
  • Signature Verification Result: Signing/SignatureVerificationResult.cs -- result of signature verification against trust anchors.
  • TUF Client: __Libraries/StellaOps.Attestor.TrustRepo/ITufClient.cs -- TUF client for retrieving trusted root keys.
  • TUF Metadata Store: __Libraries/StellaOps.Attestor.TrustRepo/ITufMetadataStore.cs -- stores TUF metadata. FileSystemTufMetadataStore.cs (with .Atomic, .IO) -- filesystem implementation. InMemoryTufMetadataStore.cs -- in-memory implementation.
  • TUF Key Loader: __Libraries/StellaOps.Attestor.TrustRepo/ITufKeyLoader.cs -- loads TUF keys. Ed25519PublicKey.cs -- Ed25519 key model.
  • TUF Metadata Verifier: __Libraries/StellaOps.Attestor.TrustRepo/ITufMetadataVerifier.cs -- verifies TUF metadata signatures.
  • Tests: __Tests/StellaOps.Attestor.ProofChain.Tests/TrustAnchorTests.cs, __Tests/StellaOps.Attestor.TrustRepo.Tests/

E2E Test Plan

  • Create a trust anchor via AnchorsController with a public key and PURL pattern and verify it is persisted
  • Verify an attestation signed by a trusted key passes TrustAnchorVerificationStep
  • Verify an attestation signed by an untrusted key fails TrustAnchorVerificationStep
  • Revoke a trust anchor and verify subsequent attestation verification fails for that key
  • Verify PURL pattern matching: create an anchor for pkg:npm/* and verify it matches npm packages but not maven packages
  • Load trusted roots via TUF client and verify key rotation (new root replaces old root)
  • Store TUF metadata via FileSystemTufMetadataStore and verify atomic updates
  • Verify trust anchor expiry: create an anchor with a past expiry date and verify it is rejected
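The anchor policy described above and the checks the E2E plan enumerates (PURL pattern match, allowed and revoked key IDs, expiry, signature check), as an added Go example that is not part of the StellaOps code base: the TrustAnchor model, the prefix-glob matching rule, the "ok"/reason strings and the key IDs are all assumptions made here for illustration, and the signature check uses Ed25519 as the TrustRepo key model does.

```go
package main

import (
	"crypto/ed25519"
	"strings"
	"time"
)

// TrustAnchor is a hypothetical model of the fields the page lists for an
// anchor: a PURL pattern (a trailing "*" matches any suffix), the key IDs it
// allows with their Ed25519 public keys, key IDs it has revoked, and an expiry.
type TrustAnchor struct {
	PurlPattern string
	AllowedKeys map[string]ed25519.PublicKey
	RevokedKeys map[string]bool
	Expiry      time.Time // zero value means the anchor never expires
}

// Matches reports whether the anchor's PURL pattern covers the dependency.
func (a TrustAnchor) Matches(purl string) bool {
	if strings.HasSuffix(a.PurlPattern, "*") {
		return strings.HasPrefix(purl, strings.TrimSuffix(a.PurlPattern, "*"))
	}
	return purl == a.PurlPattern
}

// Verify checks one attestation signature for a dependency against the anchor
// set and returns "ok" or the reason a verification step would record.
func Verify(anchors []TrustAnchor, purl, keyID string, payload, sig []byte, now time.Time) string {
	for _, a := range anchors {
		if !a.Matches(purl) {
			continue
		}
		if !a.Expiry.IsZero() && now.After(a.Expiry) {
			return "anchor expired"
		}
		if a.RevokedKeys[keyID] {
			return "key revoked"
		}
		pub, ok := a.AllowedKeys[keyID]
		if !ok {
			continue // this anchor does not allow the key; another one may
		}
		if ed25519.Verify(pub, payload, sig) {
			return "ok"
		}
		return "bad signature"
	}
	return "no trusted anchor allows key " + keyID + " for " + purl
}
```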