stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
cf5b72974f923126944f4dcd47e85864ebb31a3b
git.stella-ops.org/docs/features/unchecked/evidencelocker/offline-kit-with-sbom-dsse-rekor-receipt.md

2.6 KiB
Raw Blame History

Offline Kit with SBOM + DSSE + Rekor Receipt

Module

EvidenceLocker

Status

IMPLEMENTED

Description

Offline kit import with SBOM, DSSE attestation verification, offline timestamp verification, and bundled test fixtures for offline scenarios.

Implementation Details

  • Modules: src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/, src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Import/, src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Export/
  • Key Classes:
    • TimestampBundleExporter (src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/Bundle/TimestampBundleExporter.cs) - exports timestamp bundles for offline kits
    • TimestampBundleImporter (src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/Bundle/TimestampBundleImporter.cs) - imports timestamp bundles from offline kits
    • OfflineTimestampVerifier (src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/Verification/OfflineTimestampVerifier.cs) - verifies Rekor timestamps offline
    • TimestampEvidence (src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/Models/TimestampEvidence.cs) - timestamp evidence data model
    • RevocationEvidence (src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/Models/RevocationEvidence.cs) - revocation evidence for offline verification
    • RetimestampService (src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/RetimestampService.cs) - re-timestamps evidence for extended retention
    • TimestampEvidenceRepository (src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Timestamping/TimestampEvidenceRepository.cs) - persists timestamp evidence
    • EvidenceBundleImporter (src/EvidenceLocker/__Libraries/StellaOps.EvidenceLocker.Import/EvidenceBundleImporter.cs) - imports evidence bundles from offline kits
  • Interfaces: IRetimestampService, ITimestampEvidenceRepository
  • Source: Feature matrix scan

E2E Test Plan

  • Export an offline kit via TimestampBundleExporter containing SBOM, DSSE attestation, and Rekor receipt
  • Import the offline kit via TimestampBundleImporter and verify all components are ingested
  • Verify OfflineTimestampVerifier validates Rekor receipts without network access
  • Verify RetimestampService re-timestamps evidence before certificate expiry
  • Verify TimestampEvidence and RevocationEvidence models capture all required fields for offline verification
  • Verify the offline kit can be verified in an air-gapped environment using only bundled artifacts