feat(notary): add support for custom extension (#872)

* Add dos extension validator. * Revert to allow any extensions. --------- Co-authored-by: yuroitaki <>
2026-01-09 14:48:13 -05:00 · 2025-05-20 11:19:05 +08:00
parent 33c4b9d16f
commit b3558bef9c
5 changed files with 17 additions and 38 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1220,12 +1220,6 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf"

-[[package]]
-name = "base64"
-version = "0.13.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9e1b586273c5702936fe7b7d6896644d8be71e6314cfe09d3167c95f712589e8"
-
 [[package]]
 name = "base64"
 version = "0.21.7"
@@ -4695,6 +4689,7 @@ dependencies = [
 "base64 0.21.7",
 "chrono",
 "config",
+ "const-oid",
 "csv",
 "eyre",
 "futures-util",
@@ -4705,12 +4700,9 @@ dependencies = [
 "hyper 1.6.0",
 "hyper-util",
 "k256",
- "lazy_static",
 "mc-sgx-dcap-types",
 "notify",
- "once_cell",
 "p256",
- "pem",
 "pkcs8",
 "rand 0.9.1",
 "rand06-compat",
@@ -4719,7 +4711,6 @@ dependencies = [
 "serde",
 "serde_yaml",
 "sha1",
- "simple_asn1",
 "structopt",
 "thiserror 1.0.69",
 "tlsn-common",
@@ -5046,15 +5037,6 @@ version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099"

-[[package]]
-name = "pem"
-version = "1.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a8835c273a76a90455d7344889b0964598e3316e2a79ede8e36f16bdcf2228b8"
-dependencies = [
- "base64 0.13.1",
-]
-
 [[package]]
 name = "pem-rfc7468"
 version = "0.7.0"
@@ -6540,18 +6522,6 @@ version = "0.3.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d66dc143e6b11c1eddc06d5c423cfc97062865baf299914ab64caa38182078fe"

-[[package]]
-name = "simple_asn1"
-version = "0.6.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "297f631f50729c8c99b84667867963997ec0b50f32b2a7dbcab828ef0541e8bb"
-dependencies = [
- "num-bigint",
- "num-traits",
- "thiserror 2.0.12",
- "time",
-]
-
 [[package]]
 name = "simplecss"
 version = "0.2.2"
--- a/crates/notary/server/src/config.rs
+++ b/crates/notary/server/src/config.rs
@@ -93,6 +93,8 @@ pub struct NotarizationProperties {
    /// Signature algorithm used to generate a random private key when
    /// private_key_path is not set
    pub signature_algorithm: String,
+    /// Flag to allow any custom extensions from the prover.
+    pub allow_extensions: bool,
 }

 #[derive(Clone, Debug, Serialize, Deserialize, Default)]
@@ -180,6 +182,7 @@ impl Default for NotarizationProperties {
            timeout: 1800,
            private_key_path: None,
            signature_algorithm: "secp256k1".to_string(),
+            allow_extensions: false,
        }
    }
 }
--- a/crates/notary/server/src/service.rs
+++ b/crates/notary/server/src/service.rs
@@ -202,8 +202,16 @@ pub async fn notary_service<T: AsyncWrite + AsyncRead + Send + Unpin + 'static>(

    let crypto_provider = notary_globals.crypto_provider.clone();

-    let att_config = AttestationConfig::builder()
-        .supported_signature_algs(Vec::from_iter(crypto_provider.signer.supported_algs()))
+    let mut att_config_builder = AttestationConfig::builder();
+    att_config_builder
+        .supported_signature_algs(Vec::from_iter(crypto_provider.signer.supported_algs()));
+
+    // If enabled, accepts any custom extensions from the prover.
+    if notary_globals.notarization_config.allow_extensions {
+        att_config_builder.extension_validator(|_| Ok(()));
+    }
+
+    let att_config = att_config_builder
        .build()
        .map_err(|err| NotaryServerError::Notarization(Box::new(err)))?;

--- a/crates/notary/tests-integration/fixture/config/config.yaml
+++ b/crates/notary/tests-integration/fixture/config/config.yaml
@@ -30,6 +30,7 @@ notarization:
  timeout: 1800
  private_key_path: "../notary/notary.key"
  signature_algorithm: secp256k1
+  allow_extensions: false

 tls:
  enabled: false
--- a/crates/notary/tests-integration/tests/notary.rs
+++ b/crates/notary/tests-integration/tests/notary.rs
@@ -28,7 +28,7 @@ use tracing_subscriber::EnvFilter;
 use ws_stream_tungstenite::WsStream;

 use notary_server::{
-    read_pem_file, run_server, AuthorizationProperties, LogProperties, NotarizationProperties,
+    read_pem_file, run_server, AuthorizationProperties, NotarizationProperties,
    NotarizationSessionRequest, NotarizationSessionResponse, NotaryServerProperties, TLSProperties,
 };

@@ -50,7 +50,6 @@ fn get_server_config(
    NotaryServerProperties {
        host: NOTARY_HOST.to_string(),
        port,
-        html_info: "example html response".to_string(),
        notarization: NotarizationProperties {
            max_sent_data: 1 << 13,
            max_recv_data: 1 << 14,
@@ -62,14 +61,12 @@ fn get_server_config(
            private_key_path: Some("./fixture/tls/notary.key".to_string()),
            certificate_path: Some("./fixture/tls/notary.crt".to_string()),
        },
-        log: LogProperties {
-            ..Default::default()
-        },
        auth: AuthorizationProperties {
            enabled: auth_enabled,
            whitelist_path: Some("./fixture/auth/whitelist.csv".to_string()),
        },
        concurrency,
+        ..Default::default()
    }
 }