git.stella-ops.org/docs/features/unchecked/excititor/vex-issuer-identity-verification.md
# VEX Issuer Identity Verification

- **Module:** Excititor
- **Status:** IMPLEMENTED
- **Description:** Cryptographic verification of VEX issuer identities with signature verification, issuer directory lookup, verification caching, and configurable verification options.

## Implementation Details

- Modules: `src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/`, `src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/Trust/`
- Key Classes:
  - `IssuerDirectoryClient` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/IssuerDirectoryClient.cs`) - looks up issuer public keys from the issuer directory
  - `ProductionVexSignatureVerifier` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/ProductionVexSignatureVerifier.cs`) - verifies VEX document signatures against issuer keys
  - `VerificationCacheService` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VerificationCacheService.cs`) - caches issuer verification results
  - `VexSignatureVerifierOptions` (`src/Excititor/__Libraries/StellaOps.Excititor.Core/Verification/VexSignatureVerifierOptions.cs`) - configurable verification options
  - `ConnectorSignerMetadata` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/Trust/ConnectorSignerMetadata.cs`) - signer metadata for connector-level trust
  - `ConnectorSignerMetadataEnricher` (`src/Excititor/__Libraries/StellaOps.Excititor.Connectors.Abstractions/Trust/ConnectorSignerMetadataEnricher.cs`) - enriches connector metadata with signer info
- Interfaces: `IVexSignatureVerifierV2`
- Source: Feature matrix scan

## E2E Test Plan

- Verify `IssuerDirectoryClient` looks up issuer public keys from the issuer directory service
- Verify `ProductionVexSignatureVerifier` validates a VEX document signed by a known issuer
- Verify rejection when a VEX document is signed by an unknown issuer not in the directory
- Verify `VerificationCacheService` caches issuer lookup results and returns cached results on repeat queries
- Verify `ConnectorSignerMetadataEnricher` enriches connector metadata with signer identity info
- Verify `VexSignatureVerifierOptions` allows configuring verification strictness (strict, permissive, disabled)
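The flow the implementation details and the test plan describe (directory lookup of the issuer key, signature check against that key, caching of repeat lookups, and a strict/permissive/disabled switch) is shown below as an added, self-contained Go example. It is not Excititor's C# code and does not use its types: `IssuerDirectory`, `Verifier`, `Strictness` and the in-memory key map are hypothetical stand-ins for the issuer directory service, the verifier and its options, and the Ed25519 key pair and VEX payload are constructed at run time. The semantics of the three modes are an assumption taken from the test plan's names: strict rejects unknown issuers and bad signatures, permissive accepts unknown issuers but marks them untrusted while still rejecting bad signatures from known ones, disabled performs no check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sync"
)

// Strictness mirrors the three modes the test plan names for VexSignatureVerifierOptions (assumed semantics).
type Strictness int

const (
	Strict     Strictness = iota // unknown issuer or bad signature => reject
	Permissive                   // unknown issuer => accept but mark untrusted; bad signature => reject
	Disabled                     // no verification performed
)

// IssuerDirectory is a constructed in-memory stand-in for the issuer directory service:
// issuer ID -> trusted Ed25519 public key. Lookups counts directory hits so caching is observable.
type IssuerDirectory struct {
	keys    map[string]ed25519.PublicKey
	Lookups int
}

func NewIssuerDirectory(keys map[string]ed25519.PublicKey) *IssuerDirectory {
	return &IssuerDirectory{keys: keys}
}

func (d *IssuerDirectory) Lookup(issuer string) (ed25519.PublicKey, bool) {
	d.Lookups++
	k, ok := d.keys[issuer]
	return k, ok
}

// VexDocument is a minimal signed VEX document: the issuer claims an identity and signs the payload.
type VexDocument struct {
	Issuer    string
	Payload   []byte
	Signature []byte
}

// Result records whether the signature was actually checked and whether the document may be trusted.
type Result struct {
	Verified bool // signature cryptographically checked against the directory key
	Trusted  bool // document may feed policy decisions
	Reason   string
}

// Verifier combines directory lookup, a positive-result cache and the strictness mode.
type Verifier struct {
	dir   *IssuerDirectory
	mode  Strictness
	mu    sync.Mutex
	cache map[string]ed25519.PublicKey
}

func NewVerifier(dir *IssuerDirectory, mode Strictness) *Verifier {
	return &Verifier{dir: dir, mode: mode, cache: map[string]ed25519.PublicKey{}}
}

// issuerKey serves repeat queries from the cache. Only successful lookups are cached,
// so an issuer registered in the directory later is not stuck as "unknown".
func (v *Verifier) issuerKey(issuer string) (ed25519.PublicKey, bool) {
	v.mu.Lock()
	defer v.mu.Unlock()
	if k, ok := v.cache[issuer]; ok {
		return k, true
	}
	k, ok := v.dir.Lookup(issuer)
	if ok {
		v.cache[issuer] = k
	}
	return k, ok
}

// Verify returns a non-nil error when the document must be rejected under the configured mode.
func (v *Verifier) Verify(doc VexDocument) (Result, error) {
	if v.mode == Disabled {
		return Result{Trusted: true, Reason: "verification disabled"}, nil
	}
	key, known := v.issuerKey(doc.Issuer)
	if !known {
		if v.mode == Strict {
			return Result{Reason: "unknown issuer"}, errors.New("issuer not in directory: " + doc.Issuer)
		}
		return Result{Reason: "unknown issuer, accepted untrusted"}, nil
	}
	// The key comes from the directory, never from the document itself.
	if !ed25519.Verify(key, doc.Payload, doc.Signature) {
		return Result{Reason: "signature mismatch"}, errors.New("signature does not verify for issuer " + doc.Issuer)
	}
	return Result{Verified: true, Trusted: true, Reason: "ok"}, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed issuer key pair
	dir := NewIssuerDirectory(map[string]ed25519.PublicKey{"acme-psirt": pub})
	v := NewVerifier(dir, Strict)
	payload := []byte(`{"statements":[{"vulnerability":"CVE-PLACEHOLDER","status":"not_affected"}]}`) // constructed
	doc := VexDocument{Issuer: "acme-psirt", Payload: payload, Signature: ed25519.Sign(priv, payload)}
	for i := 1; i <= 2; i++ {
		r, err := v.Verify(doc)
		fmt.Printf("attempt %d: %+v err=%v directory lookups=%d\n", i, r, err, dir.Lookups)
	}
	_, err := v.Verify(VexDocument{Issuer: "unknown-vendor", Payload: payload})
	fmt.Println("unknown issuer (strict):", err)
}
```

Running it shows the second verification of the same issuer leaving the directory lookup count at one, and the unknown issuer being rejected in strict mode. Caching only positive lookups is a deliberate choice: caching "unknown" would turn a transient directory gap into a persistent rejection.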