stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/authority/rfc-3161-tsa-client-for-ci-cd-timestamping.md

5.0 KiB
Raw Blame History

RFC-3161 TSA Client for CI/CD Timestamping

Module

Authority

Status

IMPLEMENTED

Description

RFC 3161 TSA client infrastructure for CI/CD timestamping. A comprehensive TSA client library exists in the Authority module with ASN.1 encoding/decoding, multi-provider failover, response caching, and certificate chain verification. The eIDAS plugin adds additional compliance support. Some CI/CD-specific integration features are still missing.

What's Implemented

  • TSA Client: src/Authority/__Libraries/StellaOps.Authority.Timestamping/HttpTsaClient.cs (with partials .GetTimeStamp.cs, .ProviderOrdering.cs, .ProviderRequest.cs, .Verification.cs) -- full RFC 3161 HTTP-based TSA client implementing ITimeStampAuthorityClient with multi-provider failover and response verification.
  • ASN.1 Request Encoding: src/Authority/__Libraries/StellaOps.Authority.Timestamping/Asn1/TimeStampReqEncoder.cs (with partials .Algorithms.cs, .Extensions.cs, .MessageImprint.cs) -- encodes RFC 3161 TimeStampReq ASN.1 structures with algorithm selection and extension support.
  • ASN.1 Response Decoding: src/Authority/__Libraries/StellaOps.Authority.Timestamping/Asn1/TimeStampRespDecoder.cs -- decodes TimeStampResp ASN.1 structures.
  • ASN.1 Token Decoding: src/Authority/__Libraries/StellaOps.Authority.Timestamping/Asn1/TimeStampTokenDecoder.cs (with partials .Accuracy.cs, .Certificates.cs, .SignedData.cs, .TstInfo.cs, .TstInfo.OptionalFields.cs) -- decodes timestamp tokens including TSTInfo, signed data, and certificates.
  • Token Verifier: src/Authority/__Libraries/StellaOps.Authority.Timestamping/TimeStampTokenVerifier.cs (with partials .CertificateChain.cs, .Signature.cs, .Validation.cs, .Warnings.cs) -- full verification of timestamp tokens: signature, certificate chain, trust anchors, policy, and nonce checks.
  • Provider Registry: src/Authority/__Libraries/StellaOps.Authority.Timestamping/TsaProviderRegistry.cs (with partials .HealthCheck.cs, .ProviderState.cs, .Providers.cs, .Reporting.cs, .Stats.cs) -- manages multiple TSA providers with health monitoring, automatic failover, and statistics tracking.
  • Response Caching: src/Authority/__Libraries/StellaOps.Authority.Timestamping/Caching/InMemoryTsaCacheStore.cs (with .Helpers.cs), ITsaCacheStore.cs -- caches TSA responses to reduce provider load.
  • Abstractions: src/Authority/__Libraries/StellaOps.Authority.Timestamping.Abstractions/ -- complete contract surface: ITimeStampAuthorityClient.cs, TimeStampRequest.cs (with .Factory.cs), TimeStampResponse.cs, TimeStampToken.cs, TstInfo.cs, TstAccuracy.cs, TimeStampVerificationOptions.cs, TimeStampVerificationResult.cs, TsaClientOptions.cs, TsaProviderOptions.cs, FailoverStrategy.cs, PkiStatus.cs, PkiFailureInfo.cs, verification error/warning enums.
  • DI Extensions: src/Authority/__Libraries/StellaOps.Authority.Timestamping/TimestampingServiceCollectionExtensions.cs (with .CommonProviders.cs, .Provider.cs) -- registers TSA client and providers in DI.
  • Tests: src/Authority/__Tests/StellaOps.Authority.Timestamping.Tests/TimeStampReqEncoderTests.cs, TimeStampRespDecoderTests.cs, TimeStampTokenVerifierTests.cs, TsaProviderRegistryTests.cs, InMemoryTsaCacheStoreTests.cs; src/Authority/__Tests/StellaOps.Authority.Timestamping.Abstractions.Tests/ -- 9 test files covering requests, responses, tokens, options, TstInfo, TstAccuracy.

What's Missing

  • CI/CD pipeline integration hooks: No dedicated middleware or service that automatically timestamps CI/CD build artifacts (e.g., SBOM, attestation, build log) as part of a pipeline step. The TSA client exists but is not wired into an automated CI/CD timestamping flow.
  • Timestamped artifact registry: No storage for mapping artifact digests to their timestamp tokens, enabling lookup of "when was this artifact timestamped?" across the platform.
  • Pipeline-scoped timestamp policies: No configuration for per-pipeline or per-environment timestamp requirements (e.g., "production releases require dual-provider timestamps").
  • Timestamp receipt in release evidence: The release orchestrator does not include timestamp receipts as evidence in the release decision chain.
  • eIDAS/qualified TSA compliance checks: While an eIDAS plugin exists in Cryptography, there is no validation that a timestamp meets qualified timestamp requirements per eIDAS Article 42.

Implementation Plan

  • Create a CiCdTimestampingService that integrates with the Orchestrator/TaskRunner to automatically timestamp build artifacts
  • Add a timestamp artifact registry in the Evidence Locker for storing and querying artifact-to-timestamp mappings
  • Add pipeline-scoped timestamp policy configuration in the Policy module
  • Integrate timestamp receipts into the Release Orchestrator's evidence chain
  • Add eIDAS qualified timestamp compliance validation for regulated deployments
  • Add E2E tests for the CI/CD timestamping flow end-to-end

Related Documentation

  • Source: See feature catalog