tlsnotary/tlsn
1
0
Fork 0
mirror of https://github.com/tlsnotary/tlsn.git synced 2026-01-06 20:14:00 -05:00
Code Issues Packages Projects Releases 12 Wiki Activity

chore: remove notary crates (#953)

Browse Source 
Co-authored-by: Hendrik Eeckhaut <hendrik@eeckhaut.org>
This commit is contained in:
yuroitaki
2025-08-04 16:41:45 +08:00
committed by GitHub
parent 33153d1124
commit 2f072b2578
66 changed files with 39 additions and 7589 deletions
Download Patch File Download Diff File Expand all files Collapse all files

199
.github/workflows/ci.yml vendored
View File

@@ -11,7 +11,6 @@ on:
permissions:
id-token: write
contents: read
attestations: write
env:
CARGO_TERM_COLOR: always
@@ -22,7 +21,6 @@ env:
# - https://github.com/privacy-scaling-explorations/mpz/issues/178
# 32 seems to be big enough for the foreseeable future
RAYON_NUM_THREADS: 32
GIT_COMMIT_HASH: ${{ github.event.pull_request.head.sha || github.sha }}
RUST_VERSION: 1.88.0
jobs:
@@ -159,9 +157,6 @@ jobs:
- name: Use caching
uses: Swatinem/rust-cache@v2.7.7
- name: Add custom DNS entry to /etc/hosts for notary TLS test
run: echo "127.0.0.1 tlsnotaryserver.io" | sudo tee -a /etc/hosts
- name: Run integration tests
run: cargo test --locked --profile tests-integration --workspace --exclude tlsn-tls-client --exclude tlsn-tls-core --no-fail-fast -- --include-ignored
@@ -186,201 +181,9 @@ jobs:
files: lcov.info
fail_ci_if_error: true
build-sgx:
runs-on: ubuntu-latest
needs: build-and-test
container:
image: rust:latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Install Clang
run: |
apt update
apt install -y clang
- name: Use caching
uses: Swatinem/rust-cache@v2.7.7
- name: Build Rust Binary
run: |
cargo build --locked --bin notary-server --release --features tee_quote
cp --verbose target/release/notary-server $GITHUB_WORKSPACE
- name: Upload Binary for use in the Gramine Job
uses: actions/upload-artifact@v4
with:
name: notary-server
path: notary-server
if-no-files-found: error
gramine-sgx:
runs-on: ubuntu-latest
needs: build-sgx
container:
image: gramineproject/gramine:latest
if: github.ref == 'refs/heads/dev' || (startsWith(github.ref, 'refs/tags/v') && contains(github.ref, '.'))
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Restore SGX signing key from secrets
run: |
mkdir -p "${HOME}/.config/gramine/"
echo "${{ secrets.SGX_SIGNING_KEY }}" > "${HOME}/.config/gramine/enclave-key.pem"
# verify key
openssl rsa -in "${HOME}/.config/gramine/enclave-key.pem" -check -noout
- name: Download notary-server binary from build job
uses: actions/download-artifact@v4
with:
name: notary-server
path: crates/notary/server/tee
- name: Install jq
run: |
apt update
apt install -y jq
- name: Use Gramine to calculate measurements
run: |
cd crates/notary/server/tee
chmod +x notary-server
gramine-manifest \
-Dlog_level=debug \
-Darch_libdir=/lib/x86_64-linux-gnu \
-Dself_exe=notary-server \
notary-server.manifest.template \
notary-server.manifest
gramine-sgx-sign \
--manifest notary-server.manifest \
--output notary-server.manifest.sgx
gramine-sgx-sigstruct-view --verbose --output-format=json notary-server.sig | tee >> notary-server-sigstruct.json
cat notary-server-sigstruct.json
mr_enclave=$(jq -r '.mr_enclave' notary-server-sigstruct.json)
mr_signer=$(jq -r '.mr_signer' notary-server-sigstruct.json)
echo "mrenclave=$mr_enclave" >>"$GITHUB_OUTPUT"
echo "#### sgx mrenclave" | tee >>$GITHUB_STEP_SUMMARY
echo "\`\`\`mr_enclave: ${mr_enclave}\`\`\`" | tee >>$GITHUB_STEP_SUMMARY
echo "\`\`\`mr_signer: ${mr_signer}\`\`\`" | tee >>$GITHUB_STEP_SUMMARY
- name: Upload notary-server and signatures
id: upload-notary-server-sgx
uses: actions/upload-artifact@v4
with:
name: notary-server-sgx.zip
path: |
crates/notary/server/tee/notary-server
crates/notary/server/tee/notary-server-sigstruct.json
crates/notary/server/tee/notary-server.sig
crates/notary/server/tee/notary-server.manifest
crates/notary/server/tee/notary-server.manifest.sgx
crates/notary/server/tee/README.md
if-no-files-found: error
- name: Attest Build Provenance
if: startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/dev'
uses: actions/attest-build-provenance@v2
with:
subject-name: notary-server-sgx.zip
subject-digest: sha256:${{ steps.upload-notary-server-sgx.outputs.artifact-digest }}
- uses: geekyeggo/delete-artifact@v5 # Delete notary-server from the build job, It is part of the zipfile with the signature
with:
name: notary-server
gramine-sgx-docker:
runs-on: ubuntu-latest
needs: gramine-sgx
permissions:
contents: read
packages: write
env:
CONTAINER_REGISTRY: ghcr.io
if: github.ref == 'refs/heads/dev' || (startsWith(github.ref, 'refs/tags/v') && contains(github.ref, '.'))
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
sparse-checkout: './crates/notary/server/tee/notary-server-sgx.Dockerfile'
- name: Download notary-server-sgx.zip from gramine-sgx job
uses: actions/download-artifact@v4
with:
name: notary-server-sgx.zip
path: ./notary-server-sgx
- name: Log in to the Container registry
uses: docker/login-action@v2
with:
registry: ${{ env.CONTAINER_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker image of notary server
id: meta-notary-server-sgx
uses: docker/metadata-action@v4
with:
images: ${{ env.CONTAINER_REGISTRY }}/${{ github.repository }}/notary-server-sgx
- name: Build and push Docker image of notary server
uses: docker/build-push-action@v4
with:
context: .
push: true
tags: ${{ steps.meta-notary-server-sgx.outputs.tags }}
labels: ${{ steps.meta-notary-server-sgx.outputs.labels }}
file: ./crates/notary/server/tee/notary-server-sgx.Dockerfile
build_and_publish_notary_server_image:
name: Build and publish notary server's image
runs-on: ubuntu-latest
needs: build-and-test
permissions:
contents: read
packages: write
env:
CONTAINER_REGISTRY: ghcr.io
if: github.ref == 'refs/heads/dev' || (startsWith(github.ref, 'refs/tags/v') && contains(github.ref, '.'))
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Log in to the Container registry
uses: docker/login-action@v2
with:
registry: ${{ env.CONTAINER_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker image of notary server
id: meta-notary-server
uses: docker/metadata-action@v4
with:
images: ${{ env.CONTAINER_REGISTRY }}/${{ github.repository }}/notary-server
- name: Build and push Docker image of notary server
uses: docker/build-push-action@v4
with:
context: .
push: true
tags: ${{ steps.meta-notary-server.outputs.tags }}
labels: ${{ steps.meta-notary-server.outputs.labels }}
file: ./crates/notary/server/notary-server.Dockerfile
create-release-draft:
name: Create Release Draft
needs: build_and_publish_notary_server_image
needs: build-and-test
runs-on: ubuntu-latest
permissions:
contents: write

1125
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

16
Cargo.toml
View File

@@ -9,10 +9,6 @@ members = [
"crates/data-fixtures",
"crates/examples",
"crates/formats",
"crates/notary/client",
"crates/notary/common",
"crates/notary/server",
"crates/notary/tests-integration",
"crates/server-fixture/certs",
"crates/server-fixture/server",
"crates/tls/backend",
@@ -45,9 +41,6 @@ inherits = "release"
lto = true
[workspace.dependencies]
notary-client = { path = "crates/notary/client" }
notary-common = { path = "crates/notary/common" }
notary-server = { path = "crates/notary/server" }
tls-server-fixture = { path = "crates/tls/server-fixture" }
tlsn-attestation = { path = "crates/attestation" }
tlsn-cipher = { path = "crates/components/cipher" }
@@ -95,7 +88,6 @@ aes = { version = "0.8" }
aes-gcm = { version = "0.9" }
anyhow = { version = "1.0" }
async-trait = { version = "0.1" }
async-tungstenite = { version = "0.28.2" }
axum = { version = "0.8" }
bcs = { version = "0.1" }
bincode = { version = "1.3" }
@@ -116,12 +108,10 @@ enum-try-as-inner = { version = "0.1" }
env_logger = { version = "0.10" }
futures = { version = "0.3" }
futures-rustls = { version = "0.26" }
futures-util = { version = "0.3" }
generic-array = { version = "0.14" }
ghash = { version = "0.5" }
hex = { version = "0.4" }
hmac = { version = "0.12" }
http = { version = "1.1" }
http-body-util = { version = "0.1" }
hyper = { version = "1.1" }
hyper-util = { version = "0.1" }
@@ -134,7 +124,6 @@ log = { version = "0.4" }
once_cell = { version = "1.19" }
opaque-debug = { version = "0.3" }
p256 = { version = "0.13" }
pkcs8 = { version = "0.10" }
pin-project-lite = { version = "0.2" }
pollster = { version = "0.4" }
rand = { version = "0.9" }
@@ -157,23 +146,18 @@ signature = { version = "2.2" }
thiserror = { version = "1.0" }
tiny-keccak = { version = "2.0" }
tokio = { version = "1.38" }
tokio-rustls = { version = "0.24" }
tokio-util = { version = "0.7" }
toml = { version = "0.8" }
tower = { version = "0.5" }
tower-http = { version = "0.5" }
tower-service = { version = "0.3" }
tower-util = { version = "0.3.1" }
tracing = { version = "0.1" }
tracing-subscriber = { version = "0.3" }
uuid = { version = "1.4" }
wasm-bindgen = { version = "0.2" }
wasm-bindgen-futures = { version = "0.4" }
web-spawn = { version = "0.2" }
web-time = { version = "0.2" }
webpki = { version = "0.22" }
webpki-roots = { version = "0.26" }
ws_stream_tungstenite = { version = "0.14" }
# Use the patched ws_stream_wasm to fix the issue https://github.com/najamelan/ws_stream_wasm/issues/12#issuecomment-1711902958
ws_stream_wasm = { git = "https://github.com/tlsnotary/ws_stream_wasm", rev = "2ed12aad9f0236e5321f577672f309920b2aef51" }
zeroize = { version = "1.8" }

9
README.md
View File

@@ -12,7 +12,7 @@
[actions-url]: https://github.com/tlsnotary/tlsn/actions?query=workflow%3Aci+branch%3Adev
[Website](https://tlsnotary.org) |
[Documentation](https://docs.tlsnotary.org) |
[Documentation](https://tlsnotary.org/docs/intro) |
[API Docs](https://tlsnotary.github.io/tlsn) |
[Discord](https://discord.gg/9XwESXtcN7)
@@ -44,12 +44,9 @@ at your option.
## Directory
- [examples](./crates/examples/): Examples on how to use the TLSNotary protocol.
- [tlsn-prover](./crates/prover/): The library for the prover component.
- [tlsn-verifier](./crates/verifier/): The library for the verifier component.
- [notary](./crates/notary/): Implements the [notary server](https://docs.tlsnotary.org/intro.html#tls-verification-with-a-general-purpose-notary) and its client.
- [components](./crates/components/): Houses low-level libraries.
- [tlsn](./crates/tlsn/): The TLSNotary library.
This repository contains the source code for the Rust implementation of the TLSNotary protocol. For additional tools and implementations related to TLSNotary, visit <https://github.com/tlsnotary>. This includes repositories such as [`tlsn-js`](https://github.com/tlsnotary/tlsn-js), [`tlsn-extension`](https://github.com/tlsnotary/tlsn-extension), [`explorer`](https://github.com/tlsnotary/explorer), among others.
This repository contains the source code for the Rust implementation of the TLSNotary protocol. For additional tools and implementations related to TLSNotary, visit <https://github.com/tlsnotary>. This includes repositories such as [`tlsn-js`](https://github.com/tlsnotary/tlsn-js), [`tlsn-extension`](https://github.com/tlsnotary/tlsn-extension), among others.
## Development

5
crates/attestation/src/fixtures.rs
View File

@@ -16,11 +16,6 @@ use crate::{
signing::SignatureAlgId,
};
/// Returns a notary signing key fixture.
pub fn notary_signing_key() -> p256::ecdsa::SigningKey {
p256::ecdsa::SigningKey::from_slice(&[1; 32]).unwrap()
}
/// A Request fixture used for testing.
#[allow(missing_docs)]
pub struct RequestFixture {

13
crates/examples/Cargo.toml
View File

@@ -8,7 +8,6 @@ version = "0.0.0"
workspace = true
[dependencies]
notary-client = { workspace = true }
tlsn-core = { workspace = true }
tlsn = { workspace = true }
tlsn-formats = { workspace = true }
@@ -41,18 +40,6 @@ tokio-util = { workspace = true }
tracing = { workspace = true }
tracing-subscriber = { workspace = true }
[[example]]
name = "attestation_prove"
path = "attestation/prove.rs"
[[example]]
name = "attestation_present"
path = "attestation/present.rs"
[[example]]
name = "attestation_verify"
path = "attestation/verify.rs"
[[example]]
name = "interactive"
path = "interactive/interactive.rs"

111
crates/examples/attestation/README.md
View File

@@ -1,111 +0,0 @@
## Simple Attestation Example: Notarize Public Data from example.com (Rust) <a name="rust-simple"></a>
This example demonstrates the simplest possible use case for TLSNotary. A Prover notarizes data from a local test server with a local Notary.
**Overview**:
1. Notarize a request and response from the test server and acquire an attestation of its content.
2. Create a redacted, verifiable presentation using the attestation.
3. Verify the presentation.
### 1. Notarize
Before starting the notarization, set up the local test server and local notary.
Run the following commands from the root of this repository (not from this example's folder):
1. Run the test server:
```shell
RUST_LOG=info PORT=4000 cargo run --bin tlsn-server-fixture
```
2. Run the notary server:
```shell
cargo run --release --bin notary-server
```
3. Run the prove example:
```shell
SERVER_PORT=4000 cargo run --release --example attestation_prove
```
To see more details, run with additional debug information:
```shell
RUST_LOG=debug,yamux=info,uid_mux=info SERVER_PORT=4000 cargo run --release --example attestation_prove
```
If notarization is successful, you should see the following output in the console:
```log
Starting an MPC TLS connection with the server
Got a response from the server: 200 OK
Notarization complete!
Notarization completed successfully!
The attestation has been written to `example-json.attestation.tlsn` and the corresponding secrets to `example-json.secrets.tlsn`.
```
⚠️ Note: In this example, we run a local Notary server for demonstration purposes. In real-world applications, the Notary should be operated by a trusted third party. Refer to the [Notary Server Documentation](https://docs.tlsnotary.org/developers/notary_server.html) for more details on running a Notary server.
### 2. Build a Verifiable Presentation
This step creates a verifiable presentation with optional redactions, which can be shared with any verifier.
Run the present example:
```shell
cargo run --release --example attestation_present
```
If successful, youll see this output in the console:
```log
Presentation built successfully!
The presentation has been written to `example-json.presentation.tlsn`.
```
You can create multiple presentations from the attestation and secrets in the notarization step, each with customized data redactions. You are invited to experiment!
### 3. Verify the Presentation
This step reads the presentation created above, verifies it, and prints the disclosed data to the console.
Run the verify binary:
```shell
cargo run --release --example attestation_verify
```
Upon success, you should see output similar to:
```log
Verifying presentation with {key algorithm} key: { hex encoded key }
**Ask yourself, do you trust this key?**
-------------------------------------------------------------------
Successfully verified that the data below came from a session with test-server.io at { time }.
Note that the data which the Prover chose not to disclose are shown as X.
Data sent:
...
```
⚠️ The presentation includes a “verifying key,” which the Notary used when issuing the attestation. If you trust this key, you can trust the authenticity of the presented data.
### HTML
In the example above, we notarized a JSON response. TLSNotary also supports notarizing HTML content. To run an HTML example, use:
```shell
# notarize
SERVER_PORT=4000 cargo run --release --example attestation_prove -- html
# present
cargo run --release --example attestation_present -- html
# verify
cargo run --release --example attestation_verify -- html
```
### Private Data
The examples above demonstrate how to use TLSNotary with publicly accessible data. TLSNotary can also be utilized for private data that requires authentication. To access this data, you can add the necessary headers (such as an authentication token) or cookies to your request. To run an example that uses an authentication token, execute the following command:
```shell
# notarize
SERVER_PORT=4000 cargo run --release --example attestation_prove -- authenticated
# present
cargo run --release --example attestation_present -- authenticated
# verify
cargo run --release --example attestation_verify -- authenticated
```

117
crates/examples/attestation/present.rs
View File

@@ -1,117 +0,0 @@
// This example demonstrates how to build a verifiable presentation from an
// attestation and the corresponding connection secrets. See the `prove.rs`
// example to learn how to acquire an attestation from a Notary.
use clap::Parser;
use hyper::header;
use tlsn::attestation::{presentation::Presentation, Attestation, CryptoProvider, Secrets};
use tlsn_examples::ExampleType;
use tlsn_formats::http::HttpTranscript;
#[derive(Parser, Debug)]
#[command(version, about, long_about = None)]
struct Args {
/// What data to notarize
#[clap(default_value_t, value_enum)]
example_type: ExampleType,
}
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
let args = Args::parse();
create_presentation(&args.example_type).await
}
async fn create_presentation(example_type: &ExampleType) -> Result<(), Box<dyn std::error::Error>> {
let attestation_path = tlsn_examples::get_file_path(example_type, "attestation");
let secrets_path = tlsn_examples::get_file_path(example_type, "secrets");
// Read attestation from disk.
let attestation: Attestation = bincode::deserialize(&std::fs::read(attestation_path)?)?;
// Read secrets from disk.
let secrets: Secrets = bincode::deserialize(&std::fs::read(secrets_path)?)?;
// Parse the HTTP transcript.
let transcript = HttpTranscript::parse(secrets.transcript())?;
// Build a transcript proof.
let mut builder = secrets.transcript_proof_builder();
// Here is where we reveal all or some of the parts we committed in `prove.rs`
// previously.
let request = &transcript.requests[0];
// Reveal the structure of the request without the headers or body.
builder.reveal_sent(&request.without_data())?;
// Reveal the request target.
builder.reveal_sent(&request.request.target)?;
// Reveal all request headers except the values of User-Agent and Authorization.
for header in &request.headers {
if !(header
.name
.as_str()
.eq_ignore_ascii_case(header::USER_AGENT.as_str())
|| header
.name
.as_str()
.eq_ignore_ascii_case(header::AUTHORIZATION.as_str()))
{
builder.reveal_sent(header)?;
} else {
builder.reveal_sent(&header.without_value())?;
}
}
// Reveal only parts of the response.
let response = &transcript.responses[0];
// Reveal the structure of the response without the headers or body.
builder.reveal_recv(&response.without_data())?;
// Reveal all response headers.
for header in &response.headers {
builder.reveal_recv(header)?;
}
let content = &response.body.as_ref().unwrap().content;
match content {
tlsn_formats::http::BodyContent::Json(json) => {
// For experimentation, reveal the entire response or just a selection.
let reveal_all = false;
if reveal_all {
builder.reveal_recv(response)?;
} else {
builder.reveal_recv(json.get("id").unwrap())?;
builder.reveal_recv(json.get("information.name").unwrap())?;
builder.reveal_recv(json.get("meta.version").unwrap())?;
}
}
tlsn_formats::http::BodyContent::Unknown(span) => {
builder.reveal_recv(span)?;
}
_ => {}
}
let transcript_proof = builder.build()?;
// Use default crypto provider to build the presentation.
let provider = CryptoProvider::default();
let mut builder = attestation.presentation_builder(&provider);
builder
.identity_proof(secrets.identity_proof())
.transcript_proof(transcript_proof);
let presentation: Presentation = builder.build()?;
let presentation_path = tlsn_examples::get_file_path(example_type, "presentation");
// Write the presentation to disk.
std::fs::write(&presentation_path, bincode::serialize(&presentation)?)?;
println!("Presentation built successfully!");
println!("The presentation has been written to `{presentation_path}`.");
Ok(())
}

244
crates/examples/attestation/prove.rs
View File

@@ -1,244 +0,0 @@
// This example demonstrates how to use the Prover to acquire an attestation for
// an HTTP request sent to example.com. The attestation and secrets are saved to
// disk.
use std::env;
use clap::Parser;
use http_body_util::Empty;
use hyper::{body::Bytes, Request, StatusCode};
use hyper_util::rt::TokioIo;
use spansy::Spanned;
use tokio_util::compat::{FuturesAsyncReadCompatExt, TokioAsyncReadCompatExt};
use tracing::debug;
use notary_client::{Accepted, NotarizationRequest, NotaryClient};
use tls_server_fixture::{CA_CERT_DER, SERVER_DOMAIN};
use tlsn::{
attestation::request::RequestConfig,
config::ProtocolConfig,
prover::{Prover, ProverConfig, TlsConfig},
transcript::TranscriptCommitConfig,
};
use tlsn_examples::ExampleType;
use tlsn_formats::http::{DefaultHttpCommitter, HttpCommit, HttpTranscript};
use tlsn_server_fixture::DEFAULT_FIXTURE_PORT;
use tlsn_server_fixture_certs::{CLIENT_CERT, CLIENT_KEY};
// Setting of the application server.
const USER_AGENT: &str = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36";
#[derive(Parser, Debug)]
#[command(version, about, long_about = None)]
struct Args {
/// What data to notarize.
#[clap(default_value_t, value_enum)]
example_type: ExampleType,
}
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
let args = Args::parse();
let (uri, extra_headers) = match args.example_type {
ExampleType::Json => ("/formats/json", vec![]),
ExampleType::Html => ("/formats/html", vec![]),
ExampleType::Authenticated => ("/protected", vec![("Authorization", "random_auth_token")]),
};
notarize(uri, extra_headers, &args.example_type).await
}
async fn notarize(
uri: &str,
extra_headers: Vec<(&str, &str)>,
example_type: &ExampleType,
) -> Result<(), Box<dyn std::error::Error>> {
tracing_subscriber::fmt::init();
let notary_host: String = env::var("NOTARY_HOST").unwrap_or("127.0.0.1".into());
let notary_port: u16 = env::var("NOTARY_PORT")
.map(|port| port.parse().expect("port should be valid integer"))
.unwrap_or(7047);
let server_host: String = env::var("SERVER_HOST").unwrap_or("127.0.0.1".into());
let server_port: u16 = env::var("SERVER_PORT")
.map(|port| port.parse().expect("port should be valid integer"))
.unwrap_or(DEFAULT_FIXTURE_PORT);
// Build a client to connect to the notary server.
let notary_client = NotaryClient::builder()
.host(notary_host)
.port(notary_port)
// WARNING: Always use TLS to connect to notary server, except if notary is running locally
// e.g. this example, hence `enable_tls` is set to False (else it always defaults to True).
.enable_tls(false)
.build()
.unwrap();
// Send requests for configuration and notarization to the notary server.
let notarization_request = NotarizationRequest::builder()
// We must configure the amount of data we expect to exchange beforehand, which will
// be preprocessed prior to the connection. Reducing these limits will improve
// performance.
.max_sent_data(tlsn_examples::MAX_SENT_DATA)
.max_recv_data(tlsn_examples::MAX_RECV_DATA)
.build()?;
let Accepted {
io: notary_connection,
id: _session_id,
..
} = notary_client
.request_notarization(notarization_request)
.await
.expect("Could not connect to notary. Make sure it is running.");
// Create a crypto provider accepting the server-fixture's self-signed
// root certificate.
//
// This is only required for offline testing with the server-fixture. In
// production, use `CryptoProvider::default()` instead.
let mut root_store = tls_core::anchors::RootCertStore::empty();
root_store
.add(&tls_core::key::Certificate(CA_CERT_DER.to_vec()))
.unwrap();
// Set up protocol configuration for prover.
let mut prover_config_builder = ProverConfig::builder();
prover_config_builder
.server_name(SERVER_DOMAIN)
.protocol_config(
ProtocolConfig::builder()
// We must configure the amount of data we expect to exchange beforehand, which will
// be preprocessed prior to the connection. Reducing these limits will improve
// performance.
.max_sent_data(tlsn_examples::MAX_SENT_DATA)
.max_recv_data(tlsn_examples::MAX_RECV_DATA)
.build()?,
);
// (Optional) Set up TLS client authentication if required by the server.
prover_config_builder.tls_config(
TlsConfig::builder()
.client_auth_pem((vec![CLIENT_CERT.to_vec()], CLIENT_KEY.to_vec()))
.unwrap()
.build()?,
);
let prover_config = prover_config_builder.build()?;
// Create a new prover and perform necessary setup.
let prover = Prover::new(prover_config)
.setup(notary_connection.compat())
.await?;
// Open a TCP connection to the server.
let client_socket = tokio::net::TcpStream::connect((server_host, server_port)).await?;
// Bind the prover to the server connection.
// The returned `mpc_tls_connection` is an MPC TLS connection to the server: all
// data written to/read from it will be encrypted/decrypted using MPC with
// the notary.
let (mpc_tls_connection, prover_fut) = prover.connect(client_socket.compat()).await?;
let mpc_tls_connection = TokioIo::new(mpc_tls_connection.compat());
// Spawn the prover task to be run concurrently in the background.
let prover_task = tokio::spawn(prover_fut);
// Attach the hyper HTTP client to the connection.
let (mut request_sender, connection) =
hyper::client::conn::http1::handshake(mpc_tls_connection).await?;
// Spawn the HTTP task to be run concurrently in the background.
tokio::spawn(connection);
// Build a simple HTTP request with common headers.
let request_builder = Request::builder()
.uri(uri)
.header("Host", SERVER_DOMAIN)
.header("Accept", "*/*")
// Using "identity" instructs the Server not to use compression for its HTTP response.
// TLSNotary tooling does not support compression.
.header("Accept-Encoding", "identity")
.header("Connection", "close")
.header("User-Agent", USER_AGENT);
let mut request_builder = request_builder;
for (key, value) in extra_headers {
request_builder = request_builder.header(key, value);
}
let request = request_builder.body(Empty::<Bytes>::new())?;
println!("Starting an MPC TLS connection with the server");
// Send the request to the server and wait for the response.
let response = request_sender.send_request(request).await?;
println!("Got a response from the server: {}", response.status());
assert!(response.status() == StatusCode::OK);
// The prover task should be done now, so we can await it.
let mut prover = prover_task.await??;
// Parse the HTTP transcript.
let transcript = HttpTranscript::parse(prover.transcript())?;
let body_content = &transcript.responses[0].body.as_ref().unwrap().content;
let body = String::from_utf8_lossy(body_content.span().as_bytes());
match body_content {
tlsn_formats::http::BodyContent::Json(_json) => {
let parsed = serde_json::from_str::<serde_json::Value>(&body)?;
debug!("{}", serde_json::to_string_pretty(&parsed)?);
}
tlsn_formats::http::BodyContent::Unknown(_span) => {
debug!("{}", &body);
}
_ => {}
}
// Commit to the transcript.
let mut builder = TranscriptCommitConfig::builder(prover.transcript());
// This commits to various parts of the transcript separately (e.g. request
// headers, response headers, response body and more). See https://docs.tlsnotary.org//protocol/commit_strategy.html
// for other strategies that can be used to generate commitments.
DefaultHttpCommitter::default().commit_transcript(&mut builder, &transcript)?;
let transcript_commit = builder.build()?;
// Build an attestation request.
let mut builder = RequestConfig::builder();
builder.transcript_commit(transcript_commit);
// Optionally, add an extension to the attestation if the notary supports it.
// builder.extension(Extension {
// id: b"example.name".to_vec(),
// value: b"Bobert".to_vec(),
// });
let request_config = builder.build()?;
#[allow(deprecated)]
let (attestation, secrets) = prover.notarize(&request_config).await?;
println!("Notarization complete!");
// Write the attestation to disk.
let attestation_path = tlsn_examples::get_file_path(example_type, "attestation");
let secrets_path = tlsn_examples::get_file_path(example_type, "secrets");
tokio::fs::write(&attestation_path, bincode::serialize(&attestation)?).await?;
// Write the secrets to disk.
tokio::fs::write(&secrets_path, bincode::serialize(&secrets)?).await?;
println!("Notarization completed successfully!");
println!(
"The attestation has been written to `{attestation_path}` and the \
corresponding secrets to `{secrets_path}`."
);
Ok(())
}

94
crates/examples/attestation/verify.rs
View File

@@ -1,94 +0,0 @@
// This example demonstrates how to verify a presentation. See `present.rs` for
// an example of how to build a presentation from an attestation and connection
// secrets.
use std::time::Duration;
use clap::Parser;
use tls_core::verify::WebPkiVerifier;
use tls_server_fixture::CA_CERT_DER;
use tlsn::attestation::{
presentation::{Presentation, PresentationOutput},
signing::VerifyingKey,
CryptoProvider,
};
use tlsn_examples::ExampleType;
#[derive(Parser, Debug)]
#[command(version, about, long_about = None)]
struct Args {
/// What data to notarize.
#[clap(default_value_t, value_enum)]
example_type: ExampleType,
}
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
let args = Args::parse();
verify_presentation(&args.example_type).await
}
async fn verify_presentation(example_type: &ExampleType) -> Result<(), Box<dyn std::error::Error>> {
// Read the presentation from disk.
let presentation_path = tlsn_examples::get_file_path(example_type, "presentation");
let presentation: Presentation = bincode::deserialize(&std::fs::read(presentation_path)?)?;
// Create a crypto provider accepting the server-fixture's self-signed
// root certificate.
//
// This is only required for offline testing with the server-fixture. In
// production, use `CryptoProvider::default()` instead.
let mut root_store = tls_core::anchors::RootCertStore::empty();
root_store
.add(&tls_core::key::Certificate(CA_CERT_DER.to_vec()))
.unwrap();
let crypto_provider = CryptoProvider {
cert: WebPkiVerifier::new(root_store, None),
..Default::default()
};
let VerifyingKey {
alg,
data: key_data,
} = presentation.verifying_key();
println!(
"Verifying presentation with {alg} key: {}\n\n**Ask yourself, do you trust this key?**\n",
hex::encode(key_data)
);
// Verify the presentation.
let PresentationOutput {
server_name,
connection_info,
transcript,
// extensions, // Optionally, verify any custom extensions from prover/notary.
..
} = presentation.verify(&crypto_provider).unwrap();
// The time at which the connection was started.
let time = chrono::DateTime::UNIX_EPOCH + Duration::from_secs(connection_info.time);
let server_name = server_name.unwrap();
let mut partial_transcript = transcript.unwrap();
// Set the unauthenticated bytes so they are distinguishable.
partial_transcript.set_unauthed(b'X');
let sent = String::from_utf8_lossy(partial_transcript.sent_unsafe());
let recv = String::from_utf8_lossy(partial_transcript.received_unsafe());
println!("-------------------------------------------------------------------");
println!(
"Successfully verified that the data below came from a session with {server_name} at {time}.",
);
println!("Note that the data which the Prover chose not to disclose are shown as X.\n");
println!("Data sent:\n");
println!("{sent}\n");
println!("Data received:\n");
println!("{recv}\n");
println!("-------------------------------------------------------------------");
Ok(())
}

29
crates/notary/client/Cargo.toml
View File

@@ -1,29 +0,0 @@
[package]
name = "notary-client"
version = "0.1.0-alpha.13-pre"
edition = "2021"
[lints]
workspace = true
[dependencies]
notary-common = { workspace = true }
derive_builder = { workspace = true }
futures = { workspace = true }
http-body-util = { workspace = true }
hyper = { workspace = true, features = ["client", "http1"] }
hyper-util = { workspace = true, features = ["full"] }
serde_json = { workspace = true }
thiserror = { workspace = true }
tokio = { workspace = true, features = [
"rt",
"rt-multi-thread",
"macros",
"net",
"io-std",
"fs",
] }
tokio-rustls = { workspace = true }
tracing = { workspace = true }
webpki-roots = { workspace = true }

530
crates/notary/client/src/client.rs
View File

@@ -1,530 +0,0 @@
//! Notary client.
//!
//! This module sets up connection to notary server via TCP or TLS for
//! subsequent requests for notarization.
use http_body_util::{BodyExt as _, Either, Empty, Full};
use hyper::{
body::{Bytes, Incoming},
client::conn::http1::Parts,
header::AUTHORIZATION,
Request, Response, StatusCode,
};
use hyper_util::rt::TokioIo;
use notary_common::{
ClientType, NotarizationSessionRequest, NotarizationSessionResponse, X_API_KEY_HEADER,
};
use std::{
io::Error as IoError,
pin::Pin,
sync::Arc,
task::{Context, Poll},
};
use tokio::{
io::{AsyncRead, AsyncWrite, ReadBuf},
net::TcpStream,
time::{sleep, timeout, Duration},
};
use tokio_rustls::{
client::TlsStream,
rustls::{self, ClientConfig, OwnedTrustAnchor, RootCertStore},
TlsConnector,
};
use tracing::{debug, error, info};
use crate::error::{ClientError, ErrorKind};
/// Parameters used to configure notarization.
#[derive(Debug, Clone, derive_builder::Builder)]
pub struct NotarizationRequest {
/// Maximum number of bytes that can be sent.
max_sent_data: usize,
/// Maximum number of bytes that can be received.
max_recv_data: usize,
}
impl NotarizationRequest {
/// Creates a new builder for `NotarizationRequest`.
pub fn builder() -> NotarizationRequestBuilder {
NotarizationRequestBuilder::default()
}
}
/// An accepted notarization request.
#[derive(Debug)]
#[non_exhaustive]
pub struct Accepted {
/// Session identifier.
pub id: String,
/// Connection to the notary server to be used by a prover.
pub io: NotaryConnection,
}
/// A notary server connection.
#[derive(Debug)]
#[allow(clippy::large_enum_variant)]
pub enum NotaryConnection {
/// Unencrypted TCP connection.
Tcp(TcpStream),
/// TLS connection.
Tls(TlsStream<TcpStream>),
}
impl AsyncRead for NotaryConnection {
#[inline]
fn poll_read(
self: Pin<&mut Self>,
cx: &mut Context<'_>,
buf: &mut ReadBuf<'_>,
) -> Poll<Result<(), IoError>> {
match self.get_mut() {
NotaryConnection::Tcp(stream) => Pin::new(stream).poll_read(cx, buf),
NotaryConnection::Tls(stream) => Pin::new(stream).poll_read(cx, buf),
}
}
}
impl AsyncWrite for NotaryConnection {
#[inline]
fn poll_write(
self: Pin<&mut Self>,
cx: &mut Context<'_>,
buf: &[u8],
) -> Poll<Result<usize, IoError>> {
match self.get_mut() {
NotaryConnection::Tcp(stream) => Pin::new(stream).poll_write(cx, buf),
NotaryConnection::Tls(stream) => Pin::new(stream).poll_write(cx, buf),
}
}
#[inline]
fn poll_flush(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), IoError>> {
match self.get_mut() {
NotaryConnection::Tcp(stream) => Pin::new(stream).poll_flush(cx),
NotaryConnection::Tls(stream) => Pin::new(stream).poll_flush(cx),
}
}
#[inline]
fn poll_shutdown(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Result<(), IoError>> {
match self.get_mut() {
NotaryConnection::Tcp(stream) => Pin::new(stream).poll_shutdown(cx),
NotaryConnection::Tls(stream) => Pin::new(stream).poll_shutdown(cx),
}
}
}
/// Client that sets up connection to notary server.
#[derive(Debug, Clone, derive_builder::Builder)]
pub struct NotaryClient {
/// Host of the notary server endpoint, either a DNS name (if TLS is used)
/// or IP address.
#[builder(setter(into))]
host: String,
/// Port of the notary server endpoint.
#[builder(default = "self.default_port()")]
port: u16,
/// URL path prefix of the notary server endpoint, e.g. "https://<host>:<port>/<path_prefix>/...".
#[builder(setter(into), default = "String::from(\"\")")]
path_prefix: String,
/// Flag to turn on/off using TLS with notary server.
#[builder(setter(name = "enable_tls"), default = "true")]
tls: bool,
/// Root certificate store used for establishing TLS connection with notary
/// server.
#[builder(default = "default_root_store()")]
root_cert_store: RootCertStore,
/// API key used to call notary server endpoints if whitelisting is enabled
/// in notary server.
#[builder(setter(into, strip_option), default)]
api_key: Option<String>,
/// JWT token used to call notary server endpoints if JWT authorization is
/// enabled in notary server.
#[builder(setter(into, strip_option), default)]
jwt: Option<String>,
/// The duration of notarization request timeout in seconds.
#[builder(default = "60")]
request_timeout: usize,
/// The number of seconds to wait between notarization request retries.
///
/// By default uses the value suggested by the server.
#[builder(default = "None")]
request_retry_override: Option<u64>,
}
impl NotaryClientBuilder {
// Default setter of port.
fn default_port(&self) -> u16 {
// If port is not specified, set it to 80 if TLS is off, else 443 since TLS is
// on (including when self.tls = None, which means it's set to default
// (true)).
if let Some(false) = self.tls {
80
} else {
443
}
}
}
impl NotaryClient {
/// Creates a new builder for `NotaryClient`.
pub fn builder() -> NotaryClientBuilder {
NotaryClientBuilder::default()
}
/// Configures and requests a notarization, returning a connection to the
/// notary server if successful.
pub async fn request_notarization(
&self,
notarization_request: NotarizationRequest,
) -> Result<Accepted, ClientError> {
let notary_socket = tokio::net::TcpStream::connect((self.host.as_str(), self.port))
.await
.map_err(|err| ClientError::new(ErrorKind::Connection, Some(Box::new(err))))?;
// Setting TCP_NODELAY will improve prover latency.
let _ = notary_socket
.set_nodelay(true)
.map_err(|_| info!("An error occured when setting TCP_NODELAY. This will result in higher protocol latency."));
if self.tls {
debug!("Setting up tls connection...");
let notary_client_config = ClientConfig::builder()
.with_safe_defaults()
.with_root_certificates(self.root_cert_store.clone())
.with_no_client_auth();
let notary_connector = TlsConnector::from(Arc::new(notary_client_config));
let notary_tls_socket = notary_connector
.connect(
self.host.as_str().try_into().map_err(|err| {
error!("Failed to parse notary server DNS name: {:?}", self.host);
ClientError::new(ErrorKind::TlsSetup, Some(Box::new(err)))
})?,
notary_socket,
)
.await
.map_err(|err| {
if is_tls_mismatch_error(&err) {
error!("Perhaps the notary server is not accepting our TLS connection");
}
ClientError::new(ErrorKind::TlsSetup, Some(Box::new(err)))
})?;
self.send_request(notary_tls_socket, notarization_request)
.await
.map(|(connection, session_id)| Accepted {
id: session_id,
io: NotaryConnection::Tls(connection),
})
} else {
debug!("Setting up tcp connection...");
self.send_request(notary_socket, notarization_request)
.await
.map(|(connection, session_id)| Accepted {
id: session_id,
io: NotaryConnection::Tcp(connection),
})
}
}
/// Sends notarization request to the notary server.
async fn send_request<S: AsyncWrite + AsyncRead + Send + Unpin + 'static>(
&self,
notary_socket: S,
notarization_request: NotarizationRequest,
) -> Result<(S, String), ClientError> {
let http_scheme = if self.tls { "https" } else { "http" };
let path_prefix = if self.path_prefix.is_empty() {
String::new()
} else {
format!("/{}", self.path_prefix)
};
// Attach the hyper HTTP client to the notary connection to send request to the
// /session endpoint to configure notarization and obtain session id.
let (mut notary_request_sender, notary_connection) =
hyper::client::conn::http1::handshake(TokioIo::new(notary_socket))
.await
.map_err(|err| {
error!("Failed to attach http client to notary socket");
ClientError::new(ErrorKind::Connection, Some(Box::new(err)))
})?;
// Create a future to poll the notary connection to completion before extracting
// the socket.
let notary_connection_fut = async {
// Claim back notary socket after HTTP exchange is done.
let Parts {
io: notary_socket, ..
} = notary_connection.without_shutdown().await.map_err(|err| {
error!("Failed to claim back notary socket after HTTP exchange is done");
ClientError::new(ErrorKind::Internal, Some(Box::new(err)))
})?;
Ok(notary_socket)
};
// Create a future to send configuration and notarization requests to the notary
// server using the connection established above.
let client_requests_fut = async {
// Build the HTTP request to configure notarization.
let configuration_request_payload =
serde_json::to_string(&NotarizationSessionRequest {
client_type: ClientType::Tcp,
max_sent_data: Some(notarization_request.max_sent_data),
max_recv_data: Some(notarization_request.max_recv_data),
})
.map_err(|err| {
error!("Failed to serialise http request for configuration");
ClientError::new(ErrorKind::Internal, Some(Box::new(err)))
})?;
let mut configuration_request_builder = Request::builder()
.uri(format!(
"{http_scheme}://{}:{}{}/session",
self.host, self.port, path_prefix
))
.method("POST")
.header("Host", &self.host)
// Need to specify application/json for axum to parse it as json.
.header("Content-Type", "application/json");
if let Some(api_key) = &self.api_key {
configuration_request_builder =
configuration_request_builder.header(X_API_KEY_HEADER, api_key);
}
if let Some(jwt) = &self.jwt {
configuration_request_builder =
configuration_request_builder.header(AUTHORIZATION, format!("Bearer {jwt}"));
}
let configuration_request = configuration_request_builder
.body(Either::Left(Full::new(Bytes::from(
configuration_request_payload,
))))
.map_err(|err| {
error!("Failed to build http request for configuration");
ClientError::new(ErrorKind::Internal, Some(Box::new(err)))
})?;
debug!("Sending configuration request: {:?}", configuration_request);
let configuration_response = notary_request_sender
.send_request(configuration_request)
.await
.map_err(|err| {
error!("Failed to send http request for configuration");
ClientError::new(ErrorKind::Http, Some(Box::new(err)))
})?;
debug!("Sent configuration request");
if configuration_response.status() != StatusCode::OK {
return Err(ClientError::new(
ErrorKind::Configuration,
Some(
format!(
"Configuration response status is not OK: {configuration_response:?}"
)
.into(),
),
));
}
let configuration_response_payload = configuration_response
.into_body()
.collect()
.await
.map_err(|err| {
error!("Failed to parse configuration response");
ClientError::new(ErrorKind::Http, Some(Box::new(err)))
})?
.to_bytes();
let configuration_response_payload_parsed =
serde_json::from_str::<NotarizationSessionResponse>(&String::from_utf8_lossy(
&configuration_response_payload,
))
.map_err(|err| {
error!("Failed to parse configuration response payload");
ClientError::new(ErrorKind::Internal, Some(Box::new(err)))
})?;
debug!(
"Configuration response: {:?}",
configuration_response_payload_parsed
);
// Send notarization request via HTTP, where the underlying TCP/TLS connection
// will be extracted later.
let notarization_request = Request::builder()
// Need to specify the session_id so that notary server knows the right
// configuration to use as the configuration is set in the previous
// HTTP call.
.uri(format!(
"{http_scheme}://{}:{}{}/notarize?sessionId={}",
self.host,
self.port,
path_prefix,
&configuration_response_payload_parsed.session_id
))
.method("GET")
.header("Host", &self.host)
.header("Connection", "Upgrade")
// Need to specify this upgrade header for server to extract TCP/TLS connection
// later.
.header("Upgrade", "TCP")
.body(Either::Right(Empty::<Bytes>::new()))
.map_err(|err| {
error!("Failed to build http request for notarization");
ClientError::new(ErrorKind::Internal, Some(Box::new(err)))
})?;
debug!("Sending notarization request: {:?}", notarization_request);
let notarize_with_retry_fut = async {
loop {
let notarization_response = notary_request_sender
.send_request(notarization_request.clone())
.await
.map_err(|err| {
error!("Failed to send http request for notarization");
ClientError::new(ErrorKind::Http, Some(Box::new(err)))
})?;
if notarization_response.status() == StatusCode::SWITCHING_PROTOCOLS {
return Ok::<Response<Incoming>, ClientError>(notarization_response);
} else if notarization_response.status() == StatusCode::SERVICE_UNAVAILABLE {
let retry_after = self
.request_retry_override
.unwrap_or(parse_retry_after(&notarization_response)?);
debug!("Retrying notarization request in {:?}", retry_after);
sleep(Duration::from_secs(retry_after)).await;
} else {
return Err(ClientError::new(
ErrorKind::Internal,
Some(
format!(
"Server sent unexpected status code {:?}",
notarization_response.status()
)
.into(),
),
));
}
}
};
let notarization_response = timeout(
Duration::from_secs(self.request_timeout as u64),
notarize_with_retry_fut,
)
.await
.map_err(|_| {
ClientError::new(
ErrorKind::Internal,
Some(
"Timed out while waiting for server to accept notarization request".into(),
),
)
})??;
debug!("Notarization request was accepted by the server");
if notarization_response.status() != StatusCode::SWITCHING_PROTOCOLS {
return Err(ClientError::new(
ErrorKind::Internal,
Some(
format!(
"Notarization response status is not SWITCHING_PROTOCOL: {notarization_response:?}"
)
.into(),
),
));
}
Ok(configuration_response_payload_parsed.session_id)
};
// Poll both futures simultaneously to obtain the resulting socket and
// session_id.
let (notary_socket, session_id) =
futures::try_join!(notary_connection_fut, client_requests_fut)?;
Ok((notary_socket.into_inner(), session_id))
}
/// Sets notarization request timeout duration in seconds.
pub fn request_timeout(&mut self, timeout: usize) {
self.request_timeout = timeout;
}
/// Sets the number of seconds to wait between notarization request
/// retries.
pub fn request_retry_override(&mut self, seconds: u64) {
self.request_retry_override = Some(seconds);
}
}
/// Default root store using mozilla certs.
fn default_root_store() -> RootCertStore {
let mut root_store = RootCertStore::empty();
root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
OwnedTrustAnchor::from_subject_spki_name_constraints(
ta.subject.as_ref(),
ta.subject_public_key_info.as_ref(),
ta.name_constraints.as_ref().map(|nc| nc.as_ref()),
)
}));
root_store
}
// Checks whether the error is potentially related to a mismatch in TLS
// configuration between the client and the server.
fn is_tls_mismatch_error(err: &std::io::Error) -> bool {
if let Some(rustls::Error::InvalidMessage(rustls::InvalidMessage::InvalidContentType)) = err
.get_ref()
.and_then(|inner| inner.downcast_ref::<rustls::Error>())
{
return true;
}
false
}
// Attempts to parse the value of the "Retry-After" header from the given
// `response`.
fn parse_retry_after(response: &Response<Incoming>) -> Result<u64, ClientError> {
let seconds = match response.headers().get("Retry-After") {
Some(value) => {
let value_str = value.to_str().map_err(|err| {
ClientError::new(
ErrorKind::Internal,
Some(format!("Invalid Retry-After header: {err}").into()),
)
})?;
let seconds: u64 = value_str.parse().map_err(|err| {
ClientError::new(
ErrorKind::Internal,
Some(format!("Could not parse Retry-After header as number: {err}").into()),
)
})?;
seconds
}
None => {
return Err(ClientError::new(
ErrorKind::Internal,
Some("The expected Retry-After header was not found in server response".into()),
));
}
};
Ok(seconds)
}

48
crates/notary/client/src/error.rs
View File

@@ -1,48 +0,0 @@
//! Notary client errors.
//!
//! This module handles errors that might occur during connection setup and
//! notarization requests.
use derive_builder::UninitializedFieldError;
use std::{error::Error, fmt};
#[derive(Debug)]
#[allow(missing_docs)]
pub(crate) enum ErrorKind {
Internal,
Builder,
Connection,
TlsSetup,
Http,
Configuration,
}
#[derive(Debug, thiserror::Error)]
#[allow(missing_docs)]
pub struct ClientError {
kind: ErrorKind,
#[source]
source: Option<Box<dyn Error + Send + Sync>>,
}
impl ClientError {
pub(crate) fn new(kind: ErrorKind, source: Option<Box<dyn Error + Send + Sync>>) -> Self {
Self { kind, source }
}
}
impl fmt::Display for ClientError {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
write!(
f,
"client error: {:?}, source: {:?}",
self.kind, self.source
)
}
}
impl From<UninitializedFieldError> for ClientError {
fn from(ufe: UninitializedFieldError) -> Self {
ClientError::new(ErrorKind::Builder, Some(Box::new(ufe)))
}
}

15
crates/notary/client/src/lib.rs
View File

@@ -1,15 +0,0 @@
//! Notary client library.
//!
//! A notary client's purpose is to establish a connection to the notary server
//! via TCP or TLS, and to configure and request notarization.
//! Note that the actual notarization is not performed by the notary client but
//! by the prover of the TLSNotary protocol.
#![deny(missing_docs, unreachable_pub, unused_must_use)]
#![deny(clippy::all)]
#![forbid(unsafe_code)]
mod client;
mod error;
pub use client::{Accepted, NotarizationRequest, NotaryClient, NotaryConnection};
pub use error::ClientError;

11
crates/notary/common/Cargo.toml
View File

@@ -1,11 +0,0 @@
[package]
name = "notary-common"
version = "0.1.0-alpha.13-pre"
description = "Common code shared between notary-server and notary-client"
edition = "2021"
[lints]
workspace = true
[dependencies]
serde = { workspace = true, features = ["derive"] }

34
crates/notary/common/src/lib.rs
View File

@@ -1,34 +0,0 @@
use serde::{Deserialize, Serialize};
/// Custom HTTP header used for specifying a whitelisted API key.
pub const X_API_KEY_HEADER: &str = "X-API-Key";
/// Types of client that the prover is using.
#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
pub enum ClientType {
/// Client that has access to the transport layer.
Tcp,
/// Client that cannot directly access the transport layer, e.g. browser
/// extension.
Websocket,
}
/// Request object of the /session API.
#[derive(Debug, Clone, Copy, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct NotarizationSessionRequest {
pub client_type: ClientType,
/// Maximum data that can be sent by the prover.
pub max_sent_data: Option<usize>,
/// Maximum data that can be received by the prover.
pub max_recv_data: Option<usize>,
}
/// Response object of the /session API.
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct NotarizationSessionResponse {
/// Unique session id that is generated by the notary and shared to the
/// prover.
pub session_id: String,
}

66
crates/notary/server/Cargo.toml
View File

@@ -1,66 +0,0 @@
[package]
name = "notary-server"
version = "0.1.0-alpha.13-pre"
edition = "2021"
[lints]
workspace = true
[features]
tee_quote = ["dep:mc-sgx-dcap-types", "dep:hex"]
[dependencies]
notary-common = { workspace = true }
tlsn-core = { workspace = true }
tlsn = { workspace = true }
async-tungstenite = { workspace = true, features = ["tokio-native-tls"] }
axum = { workspace = true, features = ["ws"] }
axum-core = { version = "0.5" }
axum-macros = { version = "0.5" }
base64 = { version = "0.21" }
config = { version = "0.14", features = ["yaml"] }
const-oid = { version = "0.9.6", features = ["db"] }
csv = { version = "1.3" }
eyre = { version = "0.6" }
futures-util = { workspace = true }
http = { workspace = true }
http-body-util = { workspace = true }
hyper = { workspace = true, features = ["client", "http1", "server"] }
hyper-util = { workspace = true, features = ["full"] }
jsonwebtoken = { version = "9.3.1", features = ["use_pem"] }
k256 = { workspace = true }
notify = { version = "6.1.1", default-features = false, features = [
"macos_kqueue",
] }
p256 = { workspace = true }
pkcs8 = { workspace = true, features = ["pem"] }
rand = { workspace = true }
rand06-compat = { workspace = true }
rustls = { workspace = true }
rustls-pemfile = { workspace = true }
serde = { workspace = true, features = ["derive"] }
serde_json = { workspace = true }
serde_yaml = { version = "0.9" }
sha1 = { version = "0.10" }
structopt = { version = "0.3" }
strum = { version = "0.27", features = ["derive"] }
thiserror = { workspace = true }
tokio = { workspace = true, features = ["full"] }
tokio-rustls = { workspace = true }
tokio-util = { workspace = true, features = ["compat"] }
tower-http = { workspace = true, features = ["cors"] }
tower-service = { workspace = true }
tower-util = { workspace = true }
tracing = { workspace = true }
tracing-subscriber = { workspace = true, features = ["env-filter", "json"] }
uuid = { workspace = true, features = ["v4", "fast-rng"] }
ws_stream_tungstenite = { workspace = true, features = ["tokio_io"] }
zeroize = { workspace = true }
hex = { workspace = true, optional = true }
mc-sgx-dcap-types = { version = "0.11.0", optional = true }
[build-dependencies]
git2 = "0.19.0"
chrono.workspace = true

226
crates/notary/server/README.md
View File

@@ -1,226 +0,0 @@
# notary-server
An implementation of the notary server in Rust.
## ⚠️ Notice
This crate is currently under active development and should not be used in production. Expect bugs and regular major breaking changes.
---
## Running the server
### ⚠️ Notice
- When running this server against a prover (e.g. [Rust](../../examples/) or [browser extension](https://github.com/tlsnotary/tlsn-extension)), please ensure that the prover's version is the same as the version of this server.
- When running this server in a *production environment*, please first read this [page](https://docs.tlsnotary.org/developers/notary_server.html).
### Using Cargo
Start the server with:
```bash
cargo run --release --bin notary-server
```
### Using Docker
There are two ways to obtain the notary server's Docker image.
- [GitHub](#obtaining-the-image-via-github)
- [Building from source](#building-from-source)
#### GitHub
1. Obtain the latest image.
```bash
docker pull ghcr.io/tlsnotary/tlsn/notary-server:latest
```
2. Run the docker container.
```bash
docker run --init -p 127.0.0.1:7047:7047 ghcr.io/tlsnotary/tlsn/notary-server:latest
```
#### Building from source
1. Build the docker image at the root of this *repository*.
```bash
docker build . -t notary-server:local -f crates/notary/server/notary-server.Dockerfile
```
2. Run the docker container.
```bash
docker run --init -p 127.0.0.1:7047:7047 notary-server:local
```
---
## Configuration
### Default
Refer to [config.rs](./src/config.rs) for more information on the definition of these setting parameters.
```yaml
host: "0.0.0.0"
port: 7047
html_info: |
<head>
<meta charset="UTF-8">
<meta name="author" content="tlsnotary">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
<svg width="86" height="88" viewBox="0 0 86 88" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M25.5484 0.708986C25.5484 0.17436 26.1196 -0.167376 26.5923 0.0844205L33.6891 3.86446C33.9202 3.98756 34.0645 4.22766 34.0645 4.48902V9.44049H37.6129C38.0048 9.44049 38.3226 9.75747 38.3226 10.1485V21.4766L36.1936 20.0606V11.5645H34.0645V80.9919C34.0645 81.1134 34.0332 81.2328 33.9735 81.3388L30.4251 87.6388C30.1539 88.1204 29.459 88.1204 29.1878 87.6388L25.6394 81.3388C25.5797 81.2328 25.5484 81.1134 25.5484 80.9919V0.708986Z" fill="#243F5F"/>
<path d="M21.2903 25.7246V76.7012H12.7742V34.2207H0V25.7246H21.2903Z" fill="#243F5F"/>
<path d="M63.871 76.7012H72.3871V34.2207H76.6452V76.7012H85.1613V25.7246H63.871V76.7012Z" fill="#243F5F"/>
<path d="M38.3226 25.7246H59.6129V34.2207H46.8387V46.9649H59.6129V76.7012H38.3226V68.2051H51.0968V55.4609H38.3226V25.7246Z" fill="#243F5F"/>
</svg>
<h1>Notary Server {version}!</h1>
<ul>
<li>public key: <pre>{public_key}</pre></li>
<li>git commit hash: <a href="https://github.com/tlsnotary/tlsn/commit/{git_commit_hash}">{git_commit_hash}</a></li>
<li><a href="healthcheck">health check</a></li>
<li><a href="info">info</a></li>
</ul>
</body>
concurrency: 32
notarization:
max_sent_data: 4096
max_recv_data: 16384
timeout: 1800
private_key_path: null
signature_algorithm: secp256k1
tls:
enabled: false
private_key_path: null
certificate_path: null
log:
level: DEBUG
filter: null
format: COMPACT
auth:
enabled: false
whitelist: null
```
⚠️ By default, `notarization.private_key_path` is `null`, which means a **random, ephemeral** signing key will be generated at runtime (see [Signing](#signing) for more details).
### Overriding default
The default setting can be overriden with either (1) environment variables, or (2) a configuration file (yaml).
#### Environment Variables
Default values can be overriden by setting environment variables. The variables have a `NS_`-prefix followed by the configuration key in uppercase. Double underscores are used for nested configuration keys, e.g. `tls.enabled` will be `NS_TLS__ENABLED`.
Example:
```bash
NS_PORT=8080 NS_NOTARIZATION__MAX_SENT_DATA=2048 cargo run --release --bin notary-server
```
#### Configuration File
This will override all the default values, hence it needs to **contain all compulsory** configuration keys and values (refer to the [default yaml](#default)). The config file has precedence over environment variables.
```bash
cargo run --release --bin notary-server -- --config <path to your config.yaml>
```
### When using Docker
1. Override the port.
```bash
docker run --init -p 127.0.0.1:7070:7070 -e NS_PORT=7070 notary-server:local
```
2. Override the notarization private key path, and map a local private key into the container.
```bash
docker run --init -p 127.0.0.1:7047:7047 -e NS_NOTARIZATION__PRIVATE_KEY_PATH="/root/.notary/notary.key" -v <your private key>:/root/.notary/notary.key notary-server:local
```
3. Override with a configuration file.
```bash
docker run --init -p 127.0.0.1:7047:7047 -v <your config.yaml>:/root/.notary/config.yaml notary-server:local --config /root/.notary/config.yaml
```
⚠️ The default `workdir` of the container is `/root/.notary`.
---
## API
### HTTP APIs
Defined in the [OpenAPI specification](./openapi.yaml).
### WebSocket APIs
#### /notarize
##### Description
To perform a notarization using a session id — an unique id returned upon calling the `/session` endpoint successfully.
##### Query Parameter
`sessionId`
##### Query Parameter Type
String
---
## Features
### Notarization Configuration
To perform a notarization, some parameters need to be configured by the prover and the notary server (more details in the [OpenAPI specification](./openapi.yaml)), i.e.
- maximum data that can be sent and received.
- unique session id.
To streamline this process, a single HTTP endpoint (`/session`) is used by both TCP and WebSocket clients.
### Notarization
After calling the configuration endpoint above, the prover can proceed to start the notarization. For a TCP client, that means calling the `/notarize` endpoint using HTTP, while a WebSocket client should call the same endpoint but using WebSocket. Example implementations of these clients can be found in the [integration test](../tests-integration/tests/notary.rs).
### Signing
To sign the notarized transcript, the notary server requires a signing key. If this signing key (`notarization.private_key_path` in the config) is not provided by the user, then **by default, a random, ephemeral** signing key will be generated at runtime.
This ephemeral key, along with its public key, are not persisted. The keys disappear once the server stops. This makes the keys only suitable for testing.
### TLS
TLS needs to be turned on between the prover and the notary for security purposes. It can be turned off though, if any of the following is true.
1. This server is run locally.
2. TLS is to be handled by an external environment, e.g. reverse proxy, cloud setup.
The toggle to turn on TLS, as well as paths to the TLS private key and certificate can be defined in the config (`tls` field).
### Authorization
An optional authorization module is available to only allow requests with a valid credential attached. Currently, two modes are supported: whitelist and JWT.
Please note that only *one* mode can be active at any one time.
#### Whitelist mode
In whitelist mode, a valid API key needs to be attached in the custom HTTP header `X-API-Key`. The path of the API key whitelist, as well as the flag to enable/disable this module, can be changed in the config (`auth` field).
Hot reloading of the whitelist is supported, i.e. changes to the whitelist file are automatically applied without needing to restart the server.
#### JWT mode
In JWT mode, JSON Web Token is attached in the standard `Authorization` HTTP header as a bearer token. The algorithm, the path to verifying key, as well as custom user claims, can be changed in the config (`auth` field).
Care should be taken when defining custom user claims as the middleware will:
- accept any claim if no custom claim is defined,
- as long as user defined claims are found, other unknown claims will be ignored.
An example JWT config may look something like this:
```yaml
auth:
enabled: true
jwt:
algorithm: "RS256"
public_key_path: "./fixture/auth/jwt.key.pub"
claims:
- name: sub
values: ["tlsnotary"]
```
### Logging
The default logging strategy of this server is set to `DEBUG` verbosity level for the crates that are useful for most debugging scenarios, i.e. using the following filtering logic.
`notary_server=DEBUG,tlsn_verifier=DEBUG,mpc_tls=DEBUG,tls_client_async=DEBUG`
In the configuration, one can toggle the verbosity level for these crates using the `level` field under `logging`.
One can also provide a custom filtering logic by adding a `filter` field under `logging`, and use a value that follows the tracing crate's [filter directive syntax](https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html#example-syntax).
Logs can be printed in two formats. Compact and JSON. Compact is human-readable and is best suited for console. JSON is machine-readable and is used to send logs to log collection services. One can change log format by switching the `format` field under `logging`. Accepted values are `COMPACT` and `JSON`. `COMPACT` is used by default.
### Concurrency
One can limit the number of concurrent notarization requests from provers via `concurrency` in the config. This is to limit resource utilization and mitigate potential DoS attacks.
---
## Architecture
### Objective
The main objective of a notary server is to perform notarizations together with a prover. In this case, the prover can either be a
1. TCP client — which has access and control over the transport layer, i.e. TCP.
2. WebSocket client — which has no access over TCP and instead uses WebSocket for notarizations.
### Design Choices
#### Web Framework
Axum is chosen as the framework to serve HTTP and WebSocket requests from the prover clients due to its rich and well supported features, e.g. native integration with Tokio/Hyper/Tower, customizable middleware, the ability to support lower level integrations of TLS ([example](https://github.com/tokio-rs/axum/blob/main/examples/low-level-rustls/src/main.rs)). To simplify the notary server setup, a single Axum router is used to support both HTTP and WebSocket connections, i.e. all requests can be made to the same port of the notary server.
#### WebSocket
Axum's internal implementation of WebSocket uses [tokio_tungstenite](https://docs.rs/tokio-tungstenite/latest/tokio_tungstenite/), which provides a WebSocket struct that doesn't implement [AsyncRead](https://docs.rs/futures/latest/futures/io/trait.AsyncRead.html) and [AsyncWrite](https://docs.rs/futures/latest/futures/io/trait.AsyncWrite.html). Both these traits are required by the TLSN core libraries for the prover and the notary. To overcome this, a [slight modification](./src/service/axum_websocket.rs) of Axum's implementation of WebSocket is used, where [async_tungstenite](https://docs.rs/async-tungstenite/latest/async_tungstenite/) is used instead so that [ws_stream_tungstenite](https://docs.rs/ws_stream_tungstenite/latest/ws_stream_tungstenite/index.html) can be used to wrap on top of the WebSocket struct to get AsyncRead and AsyncWrite implemented.

55
crates/notary/server/build.rs
View File

@@ -1,55 +0,0 @@
use chrono::DateTime;
use git2::{Commit, Repository, StatusOptions};
use std::{env, error::Error};
fn main() -> Result<(), Box<dyn Error>> {
if env::var("GIT_COMMIT_HASH").is_err() {
match get_commithash_with_dirty_suffix() {
Ok(commit_hash_with_suffix) => {
// Pass value as env var to the notary server
println!("cargo:rustc-env=GIT_COMMIT_HASH={commit_hash_with_suffix}");
}
Err(e) => {
eprintln!("Failed to get commit hash in notary server build");
eprintln!("Fix the error or configure GIT_COMMIT_HASH as environment variable");
return Err(e.message().into());
}
};
}
Ok(())
}
fn get_commithash_with_dirty_suffix() -> Result<String, git2::Error> {
let repo = Repository::discover(".")?;
let commit = get_commit(&repo)?;
let commit_hash = commit.id().to_string();
let _timestamp = get_commit_timestamp(&commit)?;
let has_changes = check_local_changes(&repo)?;
if has_changes {
Ok(format!("{commit_hash} (with local changes)"))
} else {
Ok(commit_hash)
}
}
fn get_commit(repo: &Repository) -> Result<Commit, git2::Error> {
let head = repo.head()?;
head.peel_to_commit()
}
fn get_commit_timestamp(commit: &Commit) -> Result<String, git2::Error> {
let timestamp = commit.time().seconds();
let date_time = DateTime::from_timestamp(timestamp, 0)
.ok_or_else(|| git2::Error::from_str("Invalid timestamp"))?;
Ok(date_time.to_rfc2822())
}
fn check_local_changes(repo: &Repository) -> Result<bool, git2::Error> {
let mut status_options = StatusOptions::new();
status_options
.include_untracked(false)
.include_ignored(false);
let statuses = repo.statuses(Some(&mut status_options))?;
Ok(!statuses.is_empty())
}

19
crates/notary/server/notary-server.Dockerfile
View File

@@ -1,19 +0,0 @@
# !!! To use this file, please run docker run at the root level of this repository
FROM rust:latest AS builder
RUN apt-get update && apt-get install -y clang libclang-dev
WORKDIR /usr/src/tlsn
COPY . .
RUN cargo install --locked --path crates/notary/server
FROM ubuntu:latest
WORKDIR /root/.notary
RUN apt-get update && apt-get -y upgrade && apt-get install -y --no-install-recommends \
pkg-config \
libssl-dev \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
COPY --from=builder /usr/local/cargo/bin/notary-server /usr/local/bin/notary-server
# Label to link this image with the repository in Github Container Registry (https://docs.github.com/en/packages/learn-github-packages/connecting-a-repository-to-a-package#connecting-a-repository-to-a-container-image-using-the-command-line)
LABEL org.opencontainers.image.source=https://github.com/tlsnotary/tlsn
LABEL org.opencontainers.image.description="An implementation of the notary server in Rust."
ENTRYPOINT [ "notary-server" ]

4
crates/notary/server/notary-server.Dockerfile.dockerignore
View File

@@ -1,4 +0,0 @@
# exclude Rust build artifacts
./target
./crates/wasm/pkg/
./crates/harness/static/generated/

223
crates/notary/server/openapi.yaml
View File

@@ -1,223 +0,0 @@
openapi: 3.0.0
info:
title: Notary Server
description: Notary server written in Rust to provide notarization service.
version: 0.1.0-alpha.13-pre
tags:
- name: General
- name: Notarization
paths:
/healthcheck:
get:
tags:
- General
description: Healthcheck endpoint
security:
- {} # make security optional
- ApiKeyAuth: []
- BearerAuth: []
responses:
'200':
description: Ok response from server
content:
text/plain:
schema:
type: string
example: Ok
'401':
description: API key is invalid
content:
text/plain:
schema:
type: string
example: 'Unauthorized request from prover: Invalid API key.'
/info:
get:
tags:
- General
description: General information about the notary server
security:
- {} # make security optional
- ApiKeyAuth: []
- BearerAuth: []
responses:
'200':
description: Info response from server
content:
application/json:
schema:
$ref: '#/components/schemas/InfoResponse'
'401':
description: API key is invalid
content:
text/plain:
schema:
type: string
example: 'Unauthorized request from prover: Invalid API key.'
/session:
post:
tags:
- Notarization
description: Initialize and configure notarization for both TCP and WebSocket clients
security:
- {} # make security optional
- ApiKeyAuth: []
- BearerAuth: []
parameters:
- in: header
name: Content-Type
description: The value must be application/json
schema:
type: string
enum:
- application/json
required: true
requestBody:
description: Notarization session request to server
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/NotarizationSessionRequest'
responses:
'200':
description: Notarization session response from server
content:
application/json:
schema:
$ref: '#/components/schemas/NotarizationSessionResponse'
'400':
description: Configuration parameters or headers provided by prover are invalid
content:
text/plain:
schema:
type: string
example: 'Invalid request from prover: Failed to deserialize the JSON body into the target type'
'401':
description: API key is invalid
content:
text/plain:
schema:
type: string
example: 'Unauthorized request from prover: Invalid API key.'
'500':
description: There was some internal error when processing
content:
text/plain:
schema:
type: string
example: Something is wrong
/notarize:
get:
tags:
- Notarization
description: Start notarization for TCP client
parameters:
- in: header
name: Connection
description: The value should be 'Upgrade'
schema:
type: string
enum:
- Upgrade
required: true
- in: header
name: Upgrade
description: The value should be 'TCP'
schema:
type: string
enum:
- TCP
required: true
- in: query
name: sessionId
description: Unique ID returned from server upon calling POST /session
schema:
type: string
required: true
responses:
'101':
description: Switching protocol response
'400':
description: Headers provided by prover are invalid
content:
text/plain:
schema:
type: string
example: 'Invalid request from prover: Upgrade header is not set for client'
'500':
description: There was some internal error when processing
content:
text/plain:
schema:
type: string
example: Something is wrong
components:
schemas:
NotarizationSessionRequest:
type: object
properties:
clientType:
description: Types of client that the prover is using
type: string
enum:
- Tcp
- Websocket
maxSentData:
description: Maximum data that can be sent by the prover in bytes
type: integer
maxRecvData:
description: Maximum data that can be received by the prover in bytes
type: integer
required:
- clientType
NotarizationSessionResponse:
type: object
properties:
sessionId:
description: Unique ID returned from server upon calling POST /session
type: string
required:
- sessionId
InfoResponse:
type: object
properties:
version:
description: Current version of notary server
type: string
publicKey:
description: Public key of notary server for its notarization transcript signature
type: string
gitCommitHash:
description: The git commit hash of source code that this notary server is running
type: string
quote:
type: object
properties:
rawQuote:
description: Hex bytes representing the signed-by-intel quote
type: string
mrsigner:
description: Represents the public key of the enclave signer
type: string
mrenclave:
description: The enclave image hash, including gramine and the notary server itself
type: string
error:
description: Error that occurs when generating this quote
type: string
required:
- version
- publicKey
- gitCommitHash
securitySchemes:
ApiKeyAuth:
type: apiKey
in: header
name: X-API-Key
description: Whitelisted API key if auth module is turned on and in whitelist mode
BearerAuth:
type: http
scheme: bearer
bearerFormat: JWT
description: JSON Web Token if auth module is turned on and in JWT mode

81
crates/notary/server/src/auth.rs
View File

@@ -1,81 +0,0 @@
pub(crate) mod jwt;
pub(crate) mod whitelist;
use eyre::{eyre, Result};
use jwt::load_jwt_key;
use std::{
str::FromStr,
sync::{Arc, Mutex},
};
use strum::VariantNames;
use tracing::debug;
use whitelist::load_authorization_whitelist;
pub use jwt::{Algorithm, Jwt};
pub use whitelist::{
watch_and_reload_authorization_whitelist, AuthorizationWhitelistRecord, Whitelist,
};
use crate::{AuthorizationModeProperties, NotaryServerProperties};
/// Supported authorization modes.
#[derive(Clone)]
pub enum AuthorizationMode {
Jwt(Jwt),
Whitelist(Whitelist),
}
impl AuthorizationMode {
pub fn as_whitelist(&self) -> Option<&Whitelist> {
match self {
Self::Jwt(..) => None,
Self::Whitelist(whitelist) => Some(whitelist),
}
}
}
/// Load authorization mode if it is enabled
pub async fn load_authorization_mode(
config: &NotaryServerProperties,
) -> Result<Option<AuthorizationMode>> {
if !config.auth.enabled {
debug!("Skipping authorization as it is turned off.");
return Ok(None);
}
let auth_mode = match config.auth.mode.as_ref().ok_or_else(|| {
eyre!(
"Authorization enabled but failed to load either whitelist or jwt properties. They are either absent or malformed."
)
})? {
AuthorizationModeProperties::Jwt(jwt_opts) => {
debug!("Using JWT for authorization");
let algorithm = Algorithm::from_str(&jwt_opts.algorithm).map_err(|_| {
eyre!(
"Unexpected JWT signing algorithm specified: '{}'. Possible values are: {:?}",
jwt_opts.algorithm,
Algorithm::VARIANTS,
)
})?;
let claims = jwt_opts.claims.clone();
let key = load_jwt_key(&jwt_opts.public_key_path, algorithm)
.await
.map_err(|err| eyre!("Failed to parse JWT public key: {:?}", err))?;
AuthorizationMode::Jwt(Jwt {
key,
claims,
algorithm,
})
}
AuthorizationModeProperties::Whitelist(whitelist_csv_path) => {
debug!("Using whitelist for authorization");
let entries = load_authorization_whitelist(whitelist_csv_path)?;
AuthorizationMode::Whitelist(Whitelist {
entries: Arc::new(Mutex::new(entries)),
csv_path: whitelist_csv_path.clone(),
})
}
};
Ok(Some(auth_mode))
}

210
crates/notary/server/src/auth/jwt.rs
View File

@@ -1,210 +0,0 @@
use eyre::Result;
use jsonwebtoken::{Algorithm as JwtAlgorithm, DecodingKey};
use serde_json::Value;
use strum::{EnumString, VariantNames};
use tracing::error;
use crate::JwtClaim;
/// Custom error for JWT handling
#[derive(Debug, thiserror::Error, PartialEq)]
#[error("JWT validation error: {0}")]
pub struct JwtValidationError(String);
type JwtResult<T> = std::result::Result<T, JwtValidationError>;
/// JWT config which also encapsulates claims validation logic.
#[derive(Clone)]
pub struct Jwt {
pub algorithm: Algorithm,
pub key: DecodingKey,
pub claims: Vec<JwtClaim>,
}
impl Jwt {
pub fn validate(&self, claims: &Value) -> JwtResult<()> {
Jwt::validate_claims(&self.claims, claims)
}
fn validate_claims(expected: &[JwtClaim], claims: &Value) -> JwtResult<()> {
expected
.iter()
.try_for_each(|expected| Self::validate_claim(expected, claims))
}
fn validate_claim(expected: &JwtClaim, given: &Value) -> JwtResult<()> {
let pointer = format!("/{}", expected.name.replace(".", "/"));
let field = given.pointer(&pointer).ok_or(JwtValidationError(format!(
"missing claim '{}'",
expected.name
)))?;
let field_typed = field.as_str().ok_or(JwtValidationError(format!(
"unexpected type for claim '{}': only strings are supported for claim values",
expected.name,
)))?;
if !expected.values.is_empty() {
expected.values.iter().any(|exp| exp == field_typed).then_some(()).ok_or_else(|| {
let expected_values = expected.values.iter().map(|x| format!("'{x}'")).collect::<Vec<String>>().join(", ");
JwtValidationError(format!(
"unexpected value for claim '{}': expected one of [ {expected_values} ], received '{field_typed}'", expected.name
))
})?;
}
Ok(())
}
}
#[derive(EnumString, Debug, Clone, Copy, PartialEq, Eq, VariantNames)]
#[strum(ascii_case_insensitive)]
/// Supported JWT signing algorithms
pub enum Algorithm {
/// RSASSA-PKCS1-v1_5 using SHA-256
RS256,
/// RSASSA-PKCS1-v1_5 using SHA-384
RS384,
/// RSASSA-PKCS1-v1_5 using SHA-512
RS512,
/// RSASSA-PSS using SHA-256
PS256,
/// RSASSA-PSS using SHA-384
PS384,
/// RSASSA-PSS using SHA-512
PS512,
/// ECDSA using SHA-256
ES256,
/// ECDSA using SHA-384
ES384,
/// Edwards-curve Digital Signature Algorithm (EdDSA)
EdDSA,
}
impl From<Algorithm> for JwtAlgorithm {
fn from(value: Algorithm) -> Self {
match value {
Algorithm::RS256 => Self::RS256,
Algorithm::RS384 => Self::RS384,
Algorithm::RS512 => Self::RS512,
Algorithm::PS256 => Self::PS256,
Algorithm::PS384 => Self::PS384,
Algorithm::PS512 => Self::PS512,
Algorithm::ES256 => Self::ES256,
Algorithm::ES384 => Self::ES384,
Algorithm::EdDSA => Self::EdDSA,
}
}
}
/// Load JWT public key
pub(super) async fn load_jwt_key(
public_key_pem_path: &str,
algorithm: Algorithm,
) -> Result<DecodingKey> {
let key_pem_bytes = tokio::fs::read(public_key_pem_path).await?;
let key = match algorithm {
Algorithm::RS256
| Algorithm::RS384
| Algorithm::RS512
| Algorithm::PS256
| Algorithm::PS384
| Algorithm::PS512 => DecodingKey::from_rsa_pem(&key_pem_bytes)?,
Algorithm::ES256 | Algorithm::ES384 => DecodingKey::from_ec_pem(&key_pem_bytes)?,
Algorithm::EdDSA => DecodingKey::from_ed_pem(&key_pem_bytes)?,
};
Ok(key)
}
#[cfg(test)]
mod test {
use super::*;
use serde_json::json;
#[test]
fn validates_presence() {
let expected = JwtClaim {
name: "sub".to_string(),
..Default::default()
};
let given = json!({
"exp": 12345,
"sub": "test",
});
Jwt::validate_claim(&expected, &given).unwrap();
}
#[test]
fn validates_expected_value() {
let expected = JwtClaim {
name: "custom.host".to_string(),
values: vec!["tlsn.com".to_string(), "api.tlsn.com".to_string()],
};
let given = json!({
"exp": 12345,
"custom": {
"host": "api.tlsn.com",
},
});
Jwt::validate_claim(&expected, &given).unwrap();
}
#[test]
fn validates_with_unknown_claims() {
let given = json!({
"exp": 12345,
"sub": "test",
"what": "is_this",
});
Jwt::validate_claims(&[], &given).unwrap();
}
#[test]
fn fails_if_claim_missing() {
let expected = JwtClaim {
name: "sub".to_string(),
..Default::default()
};
let given = json!({
"exp": 12345,
"host": "localhost",
});
assert_eq!(
Jwt::validate_claim(&expected, &given),
Err(JwtValidationError("missing claim 'sub'".to_string()))
)
}
#[test]
fn fails_if_claim_has_unknown_value() {
let expected = JwtClaim {
name: "sub".to_string(),
values: vec!["tlsn_prod".to_string(), "tlsn_test".to_string()],
};
let given = json!({
"sub": "tlsn",
});
assert_eq!(
Jwt::validate_claim(&expected, &given),
Err(JwtValidationError("unexpected value for claim 'sub': expected one of [ 'tlsn_prod', 'tlsn_test' ], received 'tlsn'".to_string()))
)
}
#[test]
fn fails_if_claim_has_invalid_value_type() {
let expected = JwtClaim {
name: "sub".to_string(),
..Default::default()
};
let given = json!({
"sub": { "name": "john" }
});
assert_eq!(
Jwt::validate_claim(&expected, &given),
Err(JwtValidationError(
"unexpected type for claim 'sub': only strings are supported for claim values"
.to_string()
))
)
}
}

161
crates/notary/server/src/auth/whitelist.rs
View File

@@ -1,161 +0,0 @@
use eyre::{eyre, Result};
use notify::{
event::ModifyKind, Error, Event, EventKind, RecommendedWatcher, RecursiveMode, Watcher,
};
use serde::{Deserialize, Serialize};
use std::{
collections::HashMap,
path::Path,
sync::{Arc, Mutex},
};
use tracing::{debug, error, info};
use crate::util::parse_csv_file;
#[derive(Clone)]
pub struct Whitelist {
pub entries: Arc<Mutex<HashMap<String, AuthorizationWhitelistRecord>>>,
pub csv_path: String,
}
/// Structure of each whitelisted record of the API key whitelist for
/// authorization purpose
#[derive(Clone, Debug, Deserialize, Serialize)]
#[serde(rename_all = "PascalCase")]
pub struct AuthorizationWhitelistRecord {
pub name: String,
pub api_key: String,
pub created_at: String,
}
/// Convert whitelist data structure from vector to hashmap using api_key as the
/// key to speed up lookup
pub(crate) fn authorization_whitelist_vec_into_hashmap(
authorization_whitelist: Vec<AuthorizationWhitelistRecord>,
) -> HashMap<String, AuthorizationWhitelistRecord> {
let mut hashmap = HashMap::new();
authorization_whitelist.iter().for_each(|record| {
hashmap.insert(record.api_key.clone(), record.to_owned());
});
hashmap
}
/// Load authorization whitelist
pub(super) fn load_authorization_whitelist(
whitelist_csv_path: &str,
) -> Result<HashMap<String, AuthorizationWhitelistRecord>> {
// Load the csv
let whitelist_csv = parse_csv_file::<AuthorizationWhitelistRecord>(whitelist_csv_path)
.map_err(|err| eyre!("Failed to parse authorization whitelist csv: {:?}", err))?;
// Convert the whitelist record into hashmap for faster lookup
let whitelist_hashmap = authorization_whitelist_vec_into_hashmap(whitelist_csv);
Ok(whitelist_hashmap)
}
// Setup a watcher to detect any changes to authorization whitelist
// When the list file is modified, the watcher thread will reload the whitelist
// The watcher is setup in a separate thread by the notify library which is
// synchronous
pub fn watch_and_reload_authorization_whitelist(
whitelist: &Whitelist,
) -> Result<RecommendedWatcher> {
let whitelist_csv_path_cloned = whitelist.csv_path.clone();
let entries = whitelist.entries.clone();
// Setup watcher by giving it a function that will be triggered when an event is
// detected
let mut watcher = RecommendedWatcher::new(
move |event: Result<Event, Error>| {
match event {
Ok(event) => {
// Only reload whitelist if it's an event that modified the file data
if let EventKind::Modify(ModifyKind::Data(_)) = event.kind {
debug!("Authorization whitelist is modified");
match load_authorization_whitelist(&whitelist_csv_path_cloned) {
Ok(new_authorization_whitelist) => {
*entries.lock().unwrap() = new_authorization_whitelist;
info!("Successfully reloaded authorization whitelist!");
}
// Ensure that error from reloading doesn't bring the server down
Err(err) => error!("{err}"),
}
}
}
Err(err) => {
error!("Error occured when watcher detected an event: {err}")
}
}
},
notify::Config::default(),
)
.map_err(|err| eyre!("Error occured when setting up watcher for hot reload: {err}"))?;
// Start watcher to listen to any changes on the whitelist file
watcher
.watch(Path::new(&whitelist.csv_path), RecursiveMode::Recursive)
.map_err(|err| eyre!("Error occured when starting up watcher for hot reload: {err}"))?;
// Need to return the watcher to parent function, else it will be dropped and
// stop listening
Ok(watcher)
}
#[cfg(test)]
mod test {
use std::{fs::OpenOptions, time::Duration};
use csv::WriterBuilder;
use super::*;
#[tokio::test]
async fn test_watch_and_reload_authorization_whitelist() {
// Clone fixture auth whitelist for testing
let original_whitelist_csv_path = "../tests-integration/fixture/auth/whitelist.csv";
let whitelist_csv_path =
"../tests-integration/fixture/auth/whitelist_copied.csv".to_string();
std::fs::copy(original_whitelist_csv_path, &whitelist_csv_path).unwrap();
// Setup watcher
let entries = load_authorization_whitelist(&whitelist_csv_path).expect(
"Authorization whitelist csv from fixture should be able
to be loaded",
);
let whitelist = Whitelist {
entries: Arc::new(Mutex::new(entries)),
csv_path: whitelist_csv_path.clone(),
};
let _watcher = watch_and_reload_authorization_whitelist(&whitelist)
.expect("Watcher should be able to be setup successfully");
// Sleep to buy a bit of time for hot reload task and watcher thread to run
tokio::time::sleep(Duration::from_millis(50)).await;
// Write a new record to the whitelist to trigger modify event
let new_record = AuthorizationWhitelistRecord {
name: "unit-test-name".to_string(),
api_key: "unit-test-api-key".to_string(),
created_at: "unit-test-created-at".to_string(),
};
let file = OpenOptions::new()
.append(true)
.open(&whitelist_csv_path)
.unwrap();
let mut wtr = WriterBuilder::new()
.has_headers(false) // Set to false to avoid writing header again
.from_writer(file);
wtr.serialize(new_record).unwrap();
wtr.flush().unwrap();
// Sleep to buy a bit of time for updated whitelist to be hot reloaded
tokio::time::sleep(Duration::from_millis(50)).await;
assert!(whitelist
.entries
.lock()
.unwrap()
.contains_key("unit-test-api-key"));
// Delete the cloned whitelist
std::fs::remove_file(&whitelist_csv_path).unwrap();
}
}

10
crates/notary/server/src/cli.rs
View File

@@ -1,10 +0,0 @@
use structopt::StructOpt;
// Fields loaded from the command line when launching this server.
#[derive(Clone, Debug, StructOpt)]
#[structopt(name = "Notary Server")]
pub struct CliFields {
/// Configuration file location (optional).
#[structopt(long)]
pub config: Option<String>,
}

245
crates/notary/server/src/config.rs
View File

@@ -1,245 +0,0 @@
use config::{Config, Environment};
use eyre::{eyre, Result};
use serde::{Deserialize, Serialize};
use std::path::Path;
use crate::{parse_config_file, util::prepend_file_path, CliFields};
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct NotaryServerProperties {
pub host: String,
pub port: u16,
/// Static html response returned from API root endpoint "/". Default html
/// response contains placeholder strings that will be replaced with
/// actual values in server.rs, e.g. {version}, {public_key}
pub html_info: String,
/// The maximum number of concurrent notarization sessions
pub concurrency: usize,
/// Setting for notarization
pub notarization: NotarizationProperties,
/// Setting for TLS connection between prover and notary
pub tls: TLSProperties,
/// Setting for logging
pub log: LogProperties,
/// Setting for authorization
pub auth: AuthorizationProperties,
}
impl NotaryServerProperties {
pub fn new(cli_fields: &CliFields) -> Result<Self> {
// Uses config file if given.
if let Some(config_path) = &cli_fields.config {
let mut config: NotaryServerProperties = parse_config_file(config_path)?;
// Ensures all relative file paths in the config file are prepended with
// the config file's parent directory, so that server binary can be run from
// anywhere.
let parent_dir = Path::new(config_path)
.parent()
.ok_or(eyre!("Failed to get parent directory of config file"))?
.to_str()
.ok_or_else(|| eyre!("Failed to convert path to str"))?
.to_string();
// Prepend notarization key path.
if let Some(path) = config.notarization.private_key_path {
config.notarization.private_key_path = Some(prepend_file_path(&path, &parent_dir)?);
}
// Prepend TLS key paths.
if let Some(path) = config.tls.private_key_path {
config.tls.private_key_path = Some(prepend_file_path(&path, &parent_dir)?);
}
if let Some(path) = config.tls.certificate_path {
config.tls.certificate_path = Some(prepend_file_path(&path, &parent_dir)?);
}
// Prepend auth file path.
if let Some(mode) = config.auth.mode {
config.auth.mode = Some(match mode {
AuthorizationModeProperties::Jwt(JwtAuthorizationProperties {
algorithm,
public_key_path,
claims,
}) => AuthorizationModeProperties::Jwt(JwtAuthorizationProperties {
algorithm,
public_key_path: prepend_file_path(&public_key_path, &parent_dir)?,
claims,
}),
AuthorizationModeProperties::Whitelist(path) => {
AuthorizationModeProperties::Whitelist(prepend_file_path(
&path,
&parent_dir,
)?)
}
});
}
Ok(config)
} else {
let default_config = Config::try_from(&NotaryServerProperties::default())?;
let config = Config::builder()
.add_source(default_config)
// Add in settings from environment variables (with a prefix of NS and '_' as
// separator).
.add_source(
Environment::with_prefix("NS")
.try_parsing(true)
.prefix_separator("_")
.separator("__"),
)
.build()?
.try_deserialize()?;
Ok(config)
}
}
}
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct NotarizationProperties {
/// Global limit for maximum number of bytes that can be sent
pub max_sent_data: usize,
/// Global limit for maximum number of bytes that can be received
pub max_recv_data: usize,
/// Number of seconds before notarization timeouts to prevent unreleased
/// memory
pub timeout: u64,
/// File path of private key (in PEM format) used to sign the notarization
pub private_key_path: Option<String>,
/// Signature algorithm used to generate a random private key when
/// private_key_path is not set
pub signature_algorithm: String,
/// Flag to allow any custom extensions from the prover.
pub allow_extensions: bool,
}
#[derive(Clone, Debug, Serialize, Deserialize, Default)]
pub struct TLSProperties {
/// Flag to turn on/off TLS between prover and notary — should always be
/// turned on unless either
/// (1) TLS is handled by external setup e.g. reverse proxy, cloud; or
/// (2) For local testing
pub enabled: bool,
/// File path of TLS private key (in PEM format)
pub private_key_path: Option<String>,
/// File path of TLS cert (in PEM format)
pub certificate_path: Option<String>,
}
#[derive(Clone, Copy, Debug, Serialize, Deserialize)]
#[serde(rename_all = "UPPERCASE")]
pub enum LogFormat {
Compact,
Json,
}
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct LogProperties {
/// Log verbosity level of the default filtering logic, which is
/// notary_server=<level>,tlsn_verifier=<level>,mpc_tls=<level>
/// Must be either of <https://docs.rs/tracing/latest/tracing/struct.Level.html#implementations>
pub level: String,
/// Custom filtering logic, refer to the syntax here https://docs.rs/tracing-subscriber/latest/tracing_subscriber/filter/struct.EnvFilter.html#example-syntax
/// This will override the default filtering logic above
pub filter: Option<String>,
/// Log format. Available options are "COMPACT" and "JSON"
pub format: LogFormat,
}
#[derive(Clone, Debug, Serialize, Deserialize, Default)]
pub struct AuthorizationProperties {
/// Flag to turn on or off auth middleware
pub enabled: bool,
/// Authorization mode to use: JWT or Whitelist
#[serde(flatten)]
pub mode: Option<AuthorizationModeProperties>,
}
#[derive(Clone, Debug, Serialize, Deserialize)]
#[serde(rename_all = "kebab-case")]
pub enum AuthorizationModeProperties {
/// JWT authorization properties
Jwt(JwtAuthorizationProperties),
/// File path of the API key whitelist (in CSV format)
Whitelist(String),
}
#[derive(Clone, Debug, Serialize, Deserialize, Default)]
pub struct JwtAuthorizationProperties {
/// Algorithm used for signing the JWT
pub algorithm: String,
/// File path to JWT public key (in PEM format) for verifying token
/// signatures
pub public_key_path: String,
/// Optional set of required JWT claims
#[serde(default)]
pub claims: Vec<JwtClaim>,
}
#[derive(Clone, Debug, Serialize, Deserialize, Default)]
pub struct JwtClaim {
/// Name of the claim
pub name: String,
/// Optional set of expected values for the claim
#[serde(default)]
pub values: Vec<String>,
}
impl Default for NotaryServerProperties {
fn default() -> Self {
Self {
host: "0.0.0.0".to_string(),
port: 7047,
html_info: r#"
<head>
<meta charset='UTF-8'>
<meta name='author' content='tlsnotary'>
<meta name='viewport' content='width=device-width, initial-scale=1.0'>
</head>
<body>
<svg width='86' height='88' viewBox='0 0 86 88' fill='none' xmlns='http://www.w3.org/2000/svg'>
<path d='M25.5484 0.708986C25.5484 0.17436 26.1196 -0.167376 26.5923 0.0844205L33.6891 3.86446C33.9202 3.98756 34.0645 4.22766 34.0645 4.48902V9.44049H37.6129C38.0048 9.44049 38.3226 9.75747 38.3226 10.1485V21.4766L36.1936 20.0606V11.5645H34.0645V80.9919C34.0645 81.1134 34.0332 81.2328 33.9735 81.3388L30.4251 87.6388C30.1539 88.1204 29.459 88.1204 29.1878 87.6388L25.6394 81.3388C25.5797 81.2328 25.5484 81.1134 25.5484 80.9919V0.708986Z' fill='#243F5F'/>
<path d='M21.2903 25.7246V76.7012H12.7742V34.2207H0V25.7246H21.2903Z' fill='#243F5F'/>
<path d='M63.871 76.7012H72.3871V34.2207H76.6452V76.7012H85.1613V25.7246H63.871V76.7012Z' fill='#243F5F'/>
<path d='M38.3226 25.7246H59.6129V34.2207H46.8387V46.9649H59.6129V76.7012H38.3226V68.2051H51.0968V55.4609H38.3226V25.7246Z' fill='#243F5F'/>
</svg>
<h1>Notary Server {version}!</h1>
<ul>
<li>public key: <pre>{public_key}</pre></li>
<li>git commit hash: <a href='https://github.com/tlsnotary/tlsn/commit/{git_commit_hash}'>{git_commit_hash}</a></li>
<li><a href='healthcheck'>health check</a></li>
<li><a href='info'>info</a></li>
</ul>
</body>
"#.to_string(),
concurrency: 32,
notarization: Default::default(),
tls: Default::default(),
log: Default::default(),
auth: Default::default(),
}
}
}
impl Default for NotarizationProperties {
fn default() -> Self {
Self {
max_sent_data: 4096,
max_recv_data: 16384,
timeout: 1800,
private_key_path: None,
signature_algorithm: "secp256k1".to_string(),
allow_extensions: false,
}
}
}
impl Default for LogProperties {
fn default() -> Self {
Self {
level: "DEBUG".to_string(),
filter: None,
format: LogFormat::Compact,
}
}
}

61
crates/notary/server/src/error.rs
View File

@@ -1,61 +0,0 @@
use axum::http::StatusCode;
use axum_core::response::{IntoResponse as AxumCoreIntoResponse, Response};
use eyre::Report;
use std::error::Error;
use tlsn::{
config::ProtocolConfigValidatorBuilderError,
verifier::{VerifierConfigBuilderError, VerifierError},
};
#[derive(Debug, thiserror::Error)]
pub enum NotaryServerError {
#[error(transparent)]
Unexpected(#[from] Report),
#[error("Failed to connect to prover: {0}")]
Connection(String),
#[error("Error occurred during notarization: {0}")]
Notarization(Box<dyn Error + Send + 'static>),
#[error("Invalid request from prover: {0}")]
BadProverRequest(String),
#[error("Unauthorized request from prover: {0}")]
UnauthorizedProverRequest(String),
}
impl From<VerifierError> for NotaryServerError {
fn from(error: VerifierError) -> Self {
Self::Notarization(Box::new(error))
}
}
impl From<VerifierConfigBuilderError> for NotaryServerError {
fn from(error: VerifierConfigBuilderError) -> Self {
Self::Notarization(Box::new(error))
}
}
impl From<ProtocolConfigValidatorBuilderError> for NotaryServerError {
fn from(error: ProtocolConfigValidatorBuilderError) -> Self {
Self::Notarization(Box::new(error))
}
}
/// Trait implementation to convert this error into an axum http response
impl AxumCoreIntoResponse for NotaryServerError {
fn into_response(self) -> Response {
match self {
bad_request_error @ NotaryServerError::BadProverRequest(_) => {
(StatusCode::BAD_REQUEST, bad_request_error.to_string()).into_response()
}
unauthorized_request_error @ NotaryServerError::UnauthorizedProverRequest(_) => (
StatusCode::UNAUTHORIZED,
unauthorized_request_error.to_string(),
)
.into_response(),
_ => (
StatusCode::INTERNAL_SERVER_ERROR,
"Something wrong happened.",
)
.into_response(),
}
}
}

23
crates/notary/server/src/lib.rs
View File

@@ -1,23 +0,0 @@
mod auth;
mod cli;
mod config;
mod error;
mod middleware;
mod server;
mod server_tracing;
mod service;
mod signing;
#[cfg(feature = "tee_quote")]
mod tee;
mod types;
mod util;
pub use cli::CliFields;
pub use config::{
AuthorizationModeProperties, AuthorizationProperties, JwtAuthorizationProperties, JwtClaim,
LogProperties, NotarizationProperties, NotaryServerProperties, TLSProperties,
};
pub use error::NotaryServerError;
pub use server::{read_pem_file, run_server};
pub use server_tracing::init_tracing;
pub use util::parse_config_file;

30
crates/notary/server/src/main.rs
View File

@@ -1,30 +0,0 @@
use eyre::{eyre, Result};
use notary_server::{
init_tracing, run_server, CliFields, NotaryServerError, NotaryServerProperties,
};
use structopt::StructOpt;
use tracing::debug;
#[tokio::main]
async fn main() -> Result<(), NotaryServerError> {
// Load command line arguments
let cli_fields: CliFields = CliFields::from_args();
let config = NotaryServerProperties::new(&cli_fields)
.map_err(|err| eyre!("Failed to load config: {}", err))?;
// Set up tracing for logging
init_tracing(&config).map_err(|err| eyre!("Failed to set up tracing: {err}"))?;
// debug!("Server config loaded: \n{}", config);
debug!(
"Server config loaded: \n{}",
serde_yaml::to_string(&config).map_err(|err| eyre!("Failed to print config: {err}"))?
);
// Run the server
run_server(&config).await?;
Ok(())
}

132
crates/notary/server/src/middleware.rs
View File

@@ -1,132 +0,0 @@
use axum::http::{header, request::Parts};
use axum_core::extract::{FromRef, FromRequestParts};
use jsonwebtoken::{decode, TokenData, Validation};
use notary_common::X_API_KEY_HEADER;
use serde_json::Value;
use std::collections::HashMap;
use tracing::{error, trace};
use crate::{
auth::{AuthorizationMode, AuthorizationWhitelistRecord},
types::NotaryGlobals,
NotaryServerError,
};
/// Auth middleware to prevent DOS
pub struct AuthorizationMiddleware;
impl<S> FromRequestParts<S> for AuthorizationMiddleware
where
NotaryGlobals: FromRef<S>,
S: Send + Sync,
{
type Rejection = NotaryServerError;
async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
let notary_globals = NotaryGlobals::from_ref(state);
let Some(mode) = notary_globals.authorization_mode else {
trace!("Skipping authorization as it's not enabled.");
return Ok(Self);
};
match mode {
AuthorizationMode::Whitelist(whitelist) => {
let Some(auth_header) = parts
.headers
.get(X_API_KEY_HEADER)
.and_then(|value| std::str::from_utf8(value.as_bytes()).ok())
else {
return Err(unauthorized("Missing API key"));
};
let entries = whitelist.entries.lock().unwrap();
if api_key_is_valid(auth_header, &entries) {
trace!("Request authorized.");
Ok(Self)
} else {
Err(unauthorized("Invalid API key"))
}
}
AuthorizationMode::Jwt(jwt_config) => {
let Some(auth_header) = parts
.headers
.get(header::AUTHORIZATION)
.and_then(|value| std::str::from_utf8(value.as_bytes()).ok())
else {
return Err(unauthorized("Missing JWT token"));
};
let raw_token = auth_header.strip_prefix("Bearer ").ok_or_else(|| {
unauthorized("Invalid Authorization header: expected 'Bearer <token>'")
})?;
let validation = Validation::new(jwt_config.algorithm.into());
let claims = match decode::<Value>(raw_token, &jwt_config.key, &validation) {
Ok(TokenData { claims, .. }) => claims,
Err(err) => {
error!("Decoding JWT failed with error: {err:?}");
return Err(unauthorized("Invalid JWT token"));
}
};
if let Err(err) = jwt_config.validate(&claims) {
error!("Validating JWT failed with error: {err:?}");
return Err(unauthorized("Invalid JWT token"));
};
trace!("Request authorized.");
Ok(Self)
}
}
}
}
fn unauthorized(err_msg: impl ToString) -> NotaryServerError {
let err_msg = err_msg.to_string();
error!(err_msg);
NotaryServerError::UnauthorizedProverRequest(err_msg)
}
/// Helper function to check if an API key is in whitelist
fn api_key_is_valid(
api_key: &str,
whitelist: &HashMap<String, AuthorizationWhitelistRecord>,
) -> bool {
whitelist.get(api_key).is_some()
}
#[cfg(test)]
mod test {
use super::{api_key_is_valid, HashMap};
use crate::auth::{
whitelist::authorization_whitelist_vec_into_hashmap, AuthorizationWhitelistRecord,
};
use std::sync::Arc;
fn get_whitelist_fixture() -> HashMap<String, AuthorizationWhitelistRecord> {
authorization_whitelist_vec_into_hashmap(vec![
AuthorizationWhitelistRecord {
name: "test-name-0".to_string(),
api_key: "test-api-key-0".to_string(),
created_at: "2023-10-18T07:38:53Z".to_string(),
},
AuthorizationWhitelistRecord {
name: "test-name-1".to_string(),
api_key: "test-api-key-1".to_string(),
created_at: "2023-10-11T07:38:53Z".to_string(),
},
AuthorizationWhitelistRecord {
name: "test-name-2".to_string(),
api_key: "test-api-key-2".to_string(),
created_at: "2022-10-11T07:38:53Z".to_string(),
},
])
}
#[test]
fn test_api_key_is_present() {
let whitelist = get_whitelist_fixture();
assert!(api_key_is_valid("test-api-key-0", &Arc::new(whitelist)));
}
#[test]
fn test_api_key_is_absent() {
let whitelist = get_whitelist_fixture();
assert!(!api_key_is_valid("test-api-keY-0", &Arc::new(whitelist)));
}
}

349
crates/notary/server/src/server.rs
View File

@@ -1,349 +0,0 @@
use axum::{
extract::Request,
http::StatusCode,
middleware::from_extractor_with_state,
response::{Html, IntoResponse},
routing::{get, post},
Json, Router,
};
use eyre::{ensure, eyre, Result};
use futures_util::future::poll_fn;
use hyper::{body::Incoming, server::conn::http1};
use hyper_util::rt::TokioIo;
use pkcs8::DecodePrivateKey;
use rustls::{Certificate, PrivateKey, ServerConfig};
use std::{
fs::File as StdFile,
io::BufReader,
net::{IpAddr, SocketAddr},
pin::Pin,
sync::Arc,
};
use tlsn::attestation::CryptoProvider;
use tokio::{fs::File, io::AsyncReadExt, net::TcpListener};
use tokio_rustls::{rustls, TlsAcceptor};
use tower_http::cors::CorsLayer;
use tower_service::Service;
use tracing::{debug, error, info, warn};
use zeroize::Zeroize;
use crate::{
auth::{load_authorization_mode, watch_and_reload_authorization_whitelist, AuthorizationMode},
config::{NotarizationProperties, NotaryServerProperties},
error::NotaryServerError,
middleware::AuthorizationMiddleware,
service::{initialize, upgrade_protocol},
signing::AttestationKey,
types::{InfoResponse, NotaryGlobals},
};
#[cfg(feature = "tee_quote")]
use crate::tee::quote;
use tokio::sync::Semaphore;
/// Start a TCP server (with or without TLS) to accept notarization request for
/// both TCP and WebSocket clients
#[tracing::instrument(skip(config))]
pub async fn run_server(config: &NotaryServerProperties) -> Result<(), NotaryServerError> {
let attestation_key = get_attestation_key(&config.notarization).await?;
let verifying_key_pem = attestation_key
.verifying_key_pem()
.map_err(|err| eyre!("Failed to get verifying key in PEM format: {err}"))?;
#[cfg(feature = "tee_quote")]
let verifying_key_bytes = attestation_key.verifying_key_bytes();
let crypto_provider = build_crypto_provider(attestation_key);
// Build TLS acceptor if it is turned on
let tls_acceptor = if !config.tls.enabled {
debug!("Skipping TLS setup as it is turned off.");
None
} else {
let private_key_pem_path = config
.tls
.private_key_path
.as_deref()
.ok_or_else(|| eyre!("TLS is enabled but private key PEM path is not set"))?;
let certificate_pem_path = config
.tls
.certificate_path
.as_deref()
.ok_or_else(|| eyre!("TLS is enabled but certificate PEM path is not set"))?;
let (tls_private_key, tls_certificates) =
load_tls_key_and_cert(private_key_pem_path, certificate_pem_path).await?;
let mut server_config = ServerConfig::builder()
.with_safe_defaults()
.with_no_client_auth()
.with_single_cert(tls_certificates, tls_private_key)
.map_err(|err| eyre!("Failed to instantiate notary server tls config: {err}"))?;
// Set the http protocols we support
server_config.alpn_protocols = vec![b"http/1.1".to_vec()];
let tls_config = Arc::new(server_config);
Some(TlsAcceptor::from(tls_config))
};
// Set up authorization if it is turned on
let authorization_mode = load_authorization_mode(config).await?;
// Enable hot reload if authorization whitelist is available
let watcher = authorization_mode
.as_ref()
.and_then(AuthorizationMode::as_whitelist)
.map(watch_and_reload_authorization_whitelist)
.transpose()?;
if watcher.is_some() {
debug!("Successfully setup watcher for hot reload of authorization whitelist!");
}
let notary_address = SocketAddr::new(
IpAddr::V4(config.host.parse().map_err(|err| {
eyre!("Failed to parse notary host address from server config: {err}")
})?),
config.port,
);
let mut listener = TcpListener::bind(notary_address)
.await
.map_err(|err| eyre!("Failed to bind server address to tcp listener: {err}"))?;
info!("Listening for TCP traffic at {}", notary_address);
let protocol = Arc::new(http1::Builder::new());
let notary_globals = NotaryGlobals::new(
Arc::new(crypto_provider),
config.notarization.clone(),
authorization_mode,
Arc::new(Semaphore::new(config.concurrency)),
);
// Parameters needed for the info endpoint
let version = env!("CARGO_PKG_VERSION").to_string();
let git_commit_hash = env!("GIT_COMMIT_HASH").to_string();
// Parameters needed for the root / endpoint
let html_string = config.html_info.clone();
let html_info = Html(
html_string
.replace("{version}", &version)
.replace("{git_commit_hash}", &git_commit_hash)
.replace("{public_key}", &verifying_key_pem),
);
let router = Router::new()
.route(
"/",
get(|| async move { (StatusCode::OK, html_info).into_response() }),
)
.route(
"/healthcheck",
get(|| async move { (StatusCode::OK, "Ok").into_response() }),
)
.route(
"/info",
get(|| async move {
(
StatusCode::OK,
Json(InfoResponse {
version,
public_key: verifying_key_pem,
git_commit_hash,
#[cfg(feature = "tee_quote")]
quote: quote(verifying_key_bytes).await,
}),
)
.into_response()
}),
)
.route("/session", post(initialize))
// Not applying auth middleware to /notarize endpoint for now as we can rely on our
// short-lived session id generated from /session endpoint, as it is not possible
// to use header for API key for websocket /notarize endpoint due to browser restriction
// ref: https://stackoverflow.com/a/4361358; And putting it in url query param
// seems to be more insecured: https://stackoverflow.com/questions/5517281/place-api-key-in-headers-or-url
.route_layer(from_extractor_with_state::<
AuthorizationMiddleware,
NotaryGlobals,
>(notary_globals.clone()))
.route("/notarize", get(upgrade_protocol))
.layer(CorsLayer::permissive())
.with_state(notary_globals);
loop {
// Poll and await for any incoming connection, ensure that all operations inside
// are infallible to prevent bringing down the server
let stream = match poll_fn(|cx| Pin::new(&mut listener).poll_accept(cx)).await {
Ok((stream, _)) => stream,
Err(err) => {
error!("{}", NotaryServerError::Connection(err.to_string()));
continue;
}
};
// Setting TCP_NODELAY will improve notary latency.
let _ = stream.set_nodelay(true).map_err(|_| {
info!("An error occured when setting TCP_NODELAY. This will result in higher protocol latency.");
});
debug!("Received a prover's TCP connection");
let tower_service = router.clone();
let tls_acceptor = tls_acceptor.clone();
let protocol = protocol.clone();
// Spawn a new async task to handle the new connection
tokio::spawn(async move {
// When TLS is enabled
if let Some(acceptor) = tls_acceptor {
match acceptor.accept(stream).await {
Ok(stream) => {
info!("Accepted prover's TLS-secured TCP connection");
// Reference: https://github.com/tokio-rs/axum/blob/5201798d4e4d4759c208ef83e30ce85820c07baa/examples/low-level-rustls/src/main.rs#L67-L80
let io = TokioIo::new(stream);
let hyper_service =
hyper::service::service_fn(move |request: Request<Incoming>| {
tower_service.clone().call(request)
});
// Serve different requests using the same hyper protocol and axum router
let _ = protocol
.serve_connection(io, hyper_service)
// use with_upgrades to upgrade connection to websocket for websocket
// clients and to extract tcp connection for
// tcp clients
.with_upgrades()
.await;
}
Err(err) => {
error!("{}", NotaryServerError::Connection(err.to_string()));
if let Some(rustls::Error::InvalidMessage(
rustls::InvalidMessage::InvalidContentType,
)) = err
.get_ref()
.and_then(|inner| inner.downcast_ref::<rustls::Error>())
{
error!("Perhaps the client is connecting without TLS");
}
}
}
} else {
// When TLS is disabled
info!("Accepted prover's TCP connection",);
// Reference: https://github.com/tokio-rs/axum/blob/5201798d4e4d4759c208ef83e30ce85820c07baa/examples/low-level-rustls/src/main.rs#L67-L80
let io = TokioIo::new(stream);
let hyper_service =
hyper::service::service_fn(move |request: Request<Incoming>| {
tower_service.clone().call(request)
});
// Serve different requests using the same hyper protocol and axum router
let _ = protocol
.serve_connection(io, hyper_service)
// use with_upgrades to upgrade connection to websocket for websocket clients
// and to extract tcp connection for tcp clients
.with_upgrades()
.await;
}
});
}
}
fn build_crypto_provider(attestation_key: AttestationKey) -> CryptoProvider {
let mut provider = CryptoProvider::default();
provider.signer.set_signer(attestation_key.into_signer());
provider
}
/// Get notary signing key for attestations.
/// Generate a random key if user does not provide a static key.
async fn get_attestation_key(config: &NotarizationProperties) -> Result<AttestationKey> {
let key = if let Some(private_key_path) = &config.private_key_path {
debug!("Loading notary server's signing key");
let mut file = File::open(private_key_path).await?;
let mut pem = String::new();
file.read_to_string(&mut pem)
.await
.map_err(|_| eyre!("pem file does not contain valid UTF-8"))?;
let key = AttestationKey::from_pkcs8_pem(&pem)
.map_err(|err| eyre!("Failed to load notary signing key for notarization: {err}"))?;
pem.zeroize();
key
} else {
warn!(
"⚠️ Using a random, ephemeral signing key because `notarization.private_key_path` is not set."
);
AttestationKey::random(&config.signature_algorithm)?
};
Ok(key)
}
/// Read a PEM-formatted file and return its buffer reader
pub async fn read_pem_file(file_path: &str) -> Result<BufReader<StdFile>> {
let key_file = File::open(file_path).await?.into_std().await;
Ok(BufReader::new(key_file))
}
/// Load notary tls private key and cert from static files
async fn load_tls_key_and_cert(
private_key_pem_path: &str,
certificate_pem_path: &str,
) -> Result<(PrivateKey, Vec<Certificate>)> {
debug!("Loading notary server's tls private key and certificate");
let mut private_key_file_reader = read_pem_file(private_key_pem_path).await?;
let mut private_keys = rustls_pemfile::pkcs8_private_keys(&mut private_key_file_reader)?;
ensure!(
private_keys.len() == 1,
"More than 1 key found in the tls private key pem file"
);
let private_key = PrivateKey(private_keys.remove(0));
let mut certificate_file_reader = read_pem_file(certificate_pem_path).await?;
let certificates = rustls_pemfile::certs(&mut certificate_file_reader)?
.into_iter()
.map(Certificate)
.collect();
debug!("Successfully loaded notary server's tls private key and certificate!");
Ok((private_key, certificates))
}
#[cfg(test)]
mod test {
use super::*;
#[tokio::test]
async fn test_load_tls_key_and_cert() {
let private_key_pem_path = "../tests-integration/fixture/tls/notary.key";
let certificate_pem_path = "../tests-integration/fixture/tls/notary.crt";
let result: Result<(PrivateKey, Vec<Certificate>)> =
load_tls_key_and_cert(private_key_pem_path, certificate_pem_path).await;
assert!(result.is_ok(), "Could not load tls private key and cert");
}
#[tokio::test]
async fn test_load_attestation_key() {
let config = NotarizationProperties {
private_key_path: Some("../tests-integration/fixture/notary/notary.key".to_string()),
..Default::default()
};
let result = get_attestation_key(&config).await;
assert!(result.is_ok(), "Could not load attestation key");
}
#[tokio::test]
async fn test_generate_attestation_key() {
let config = NotarizationProperties {
private_key_path: None,
..Default::default()
};
let result = get_attestation_key(&config).await;
assert!(result.is_ok(), "Could not generate attestation key");
}
}

41
crates/notary/server/src/server_tracing.rs
View File

@@ -1,41 +0,0 @@
use eyre::Result;
use std::str::FromStr;
use tracing::{Level, Subscriber};
use tracing_subscriber::{
fmt, layer::SubscriberExt, registry::LookupSpan, util::SubscriberInitExt, EnvFilter, Layer,
Registry,
};
use crate::config::{LogFormat, NotaryServerProperties};
fn format_layer<S>(format: LogFormat) -> Box<dyn Layer<S> + Send + Sync>
where
S: Subscriber + for<'a> LookupSpan<'a>,
{
let f = fmt::layer().with_thread_ids(true).with_thread_names(true);
match format {
LogFormat::Compact => f.compact().boxed(),
LogFormat::Json => f.json().boxed(),
}
}
pub fn init_tracing(config: &NotaryServerProperties) -> Result<()> {
// Retrieve log filtering logic from config
let directives = match &config.log.filter {
// Use custom filter that is provided by user
Some(filter) => filter.clone(),
// Use the default filter when only verbosity level is provided
None => {
let level = Level::from_str(&config.log.level)?;
format!("notary_server={level},tlsn_verifier={level},mpc_tls={level}")
}
};
let filter_layer = EnvFilter::builder().parse(directives)?;
Registry::default()
.with(filter_layer)
.with(format_layer(config.log.format))
.try_init()?;
Ok(())
}

240
crates/notary/server/src/service.rs
View File

@@ -1,240 +0,0 @@
pub mod axum_websocket;
pub mod tcp;
pub mod websocket;
use axum::{
body::Body,
extract::{rejection::JsonRejection, FromRequestParts, Query, State},
http::{header, request::Parts, StatusCode},
response::{IntoResponse, Json, Response},
};
use axum_macros::debug_handler;
use eyre::eyre;
use notary_common::{NotarizationSessionRequest, NotarizationSessionResponse};
use std::time::Duration;
use tlsn::{
attestation::AttestationConfig,
config::ProtocolConfigValidator,
verifier::{Verifier, VerifierConfig},
};
use tokio::{
io::{AsyncRead, AsyncWrite},
time::timeout,
};
use tokio_util::compat::TokioAsyncReadCompatExt;
use tracing::{debug, error, info, trace};
use uuid::Uuid;
use crate::{
error::NotaryServerError,
service::{
axum_websocket::{header_eq, WebSocketUpgrade},
tcp::{tcp_notarize, TcpUpgrade},
websocket::websocket_notarize,
},
types::{NotarizationRequestQuery, NotaryGlobals},
};
/// A wrapper enum to facilitate extracting TCP connection for either WebSocket
/// or TCP clients, so that we can use a single endpoint and handler for
/// notarization for both types of clients
pub enum ProtocolUpgrade {
Tcp(TcpUpgrade),
Ws(WebSocketUpgrade),
}
impl<S> FromRequestParts<S> for ProtocolUpgrade
where
S: Send + Sync,
{
type Rejection = NotaryServerError;
async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
// Extract tcp connection for websocket client
if header_eq(&parts.headers, header::UPGRADE, "websocket") {
let extractor = WebSocketUpgrade::from_request_parts(parts, state)
.await
.map_err(|err| NotaryServerError::BadProverRequest(err.to_string()))?;
Ok(Self::Ws(extractor))
// Extract tcp connection for tcp client
} else if header_eq(&parts.headers, header::UPGRADE, "tcp") {
let extractor = TcpUpgrade::from_request_parts(parts, state)
.await
.map_err(|err| NotaryServerError::BadProverRequest(err.to_string()))?;
Ok(Self::Tcp(extractor))
} else {
Err(NotaryServerError::BadProverRequest(
"Upgrade header is not set for client".to_string(),
))
}
}
}
/// Handler to upgrade protocol from http to either websocket or underlying tcp
/// depending on the type of client the session_id parameter is also extracted
/// here to fetch the configuration parameters that have been submitted in the
/// previous request to /session made by the same client
pub async fn upgrade_protocol(
protocol_upgrade: ProtocolUpgrade,
State(notary_globals): State<NotaryGlobals>,
Query(params): Query<NotarizationRequestQuery>,
) -> Response {
let permit = if let Ok(permit) = notary_globals.semaphore.clone().try_acquire_owned() {
permit
} else {
// TODO: estimate the time more precisely to avoid unnecessary retries.
return Response::builder()
.status(StatusCode::SERVICE_UNAVAILABLE)
.header("Retry-After", 5)
.body(Body::default())
.expect("Builder should not fail");
};
info!("Received upgrade protocol request");
let session_id = params.session_id;
// Check if session_id exists in the store, this also removes session_id from
// the store as each session_id can only be used once
if notary_globals
.store
.lock()
.unwrap()
.remove(&session_id)
.is_none()
{
let err_msg = format!("Session id {session_id} does not exist");
error!(err_msg);
return NotaryServerError::BadProverRequest(err_msg).into_response();
};
// This completes the HTTP Upgrade request and returns a successful response to
// the client, meanwhile initiating the websocket or tcp connection
match protocol_upgrade {
ProtocolUpgrade::Ws(ws) => ws.on_upgrade(move |socket| async move {
websocket_notarize(socket, notary_globals, session_id).await;
drop(permit);
}),
ProtocolUpgrade::Tcp(tcp) => tcp.on_upgrade(move |stream| async move {
tcp_notarize(stream, notary_globals, session_id).await;
drop(permit);
}),
}
}
/// Handler to initialize and configure notarization for both TCP and WebSocket
/// clients
#[debug_handler(state = NotaryGlobals)]
pub async fn initialize(
State(notary_globals): State<NotaryGlobals>,
payload: Result<Json<NotarizationSessionRequest>, JsonRejection>,
) -> impl IntoResponse {
info!(
?payload,
"Received request for initializing a notarization session"
);
// Parse the body payload
let payload = match payload {
Ok(payload) => payload,
Err(err) => {
error!("Malformed payload submitted for initializing notarization: {err}");
return NotaryServerError::BadProverRequest(err.to_string()).into_response();
}
};
// Ensure that the max_sent_data, max_recv_data submitted is not larger than the
// global max limits configured in notary server
if payload.max_sent_data.is_some() || payload.max_recv_data.is_some() {
if payload.max_sent_data.unwrap_or_default()
> notary_globals.notarization_config.max_sent_data
{
error!(
"Max sent data requested {:?} exceeds the global maximum threshold {:?}",
payload.max_sent_data.unwrap_or_default(),
notary_globals.notarization_config.max_sent_data
);
return NotaryServerError::BadProverRequest(
"Max sent data requested exceeds the global maximum threshold".to_string(),
)
.into_response();
}
if payload.max_recv_data.unwrap_or_default()
> notary_globals.notarization_config.max_recv_data
{
error!(
"Max recv data requested {:?} exceeds the global maximum threshold {:?}",
payload.max_recv_data.unwrap_or_default(),
notary_globals.notarization_config.max_recv_data
);
return NotaryServerError::BadProverRequest(
"Max recv data requested exceeds the global maximum threshold".to_string(),
)
.into_response();
}
}
let prover_session_id = Uuid::new_v4().to_string();
// Store the configuration data in a temporary store
notary_globals
.store
.lock()
.unwrap()
.insert(prover_session_id.clone(), ());
trace!("Latest store state: {:?}", notary_globals.store);
// Return the session id in the response to the client
(
StatusCode::OK,
Json(NotarizationSessionResponse {
session_id: prover_session_id,
}),
)
.into_response()
}
/// Run the notarization
pub async fn notary_service<T: AsyncWrite + AsyncRead + Send + Unpin + 'static>(
socket: T,
notary_globals: NotaryGlobals,
session_id: &str,
) -> Result<(), NotaryServerError> {
debug!(?session_id, "Starting notarization...");
let crypto_provider = notary_globals.crypto_provider.clone();
let mut att_config_builder = AttestationConfig::builder();
att_config_builder
.supported_signature_algs(Vec::from_iter(crypto_provider.signer.supported_algs()));
// If enabled, accepts any custom extensions from the prover.
if notary_globals.notarization_config.allow_extensions {
att_config_builder.extension_validator(|_| Ok(()));
}
let att_config = att_config_builder
.build()
.map_err(|err| NotaryServerError::Notarization(Box::new(err)))?;
let config = VerifierConfig::builder()
.protocol_config_validator(
ProtocolConfigValidator::builder()
.max_sent_data(notary_globals.notarization_config.max_sent_data)
.max_recv_data(notary_globals.notarization_config.max_recv_data)
.build()?,
)
.build()?;
#[allow(deprecated)]
timeout(
Duration::from_secs(notary_globals.notarization_config.timeout),
Verifier::new(config).notarize_with_provider(
socket.compat(),
&att_config,
&crypto_provider,
),
)
.await
.map_err(|_| eyre!("Timeout reached before notarization completes"))??;
Ok(())
}

1172
crates/notary/server/src/service/axum_websocket.rs
View File

File diff suppressed because it is too large Load Diff

106
crates/notary/server/src/service/tcp.rs
View File

@@ -1,106 +0,0 @@
use axum::{
extract::FromRequestParts,
http::{header, request::Parts, HeaderValue, StatusCode},
response::Response,
};
use axum_core::body::Body;
use hyper::upgrade::{OnUpgrade, Upgraded};
use hyper_util::rt::TokioIo;
use std::future::Future;
use tokio::time::Instant;
use tracing::{debug, error, info};
use crate::{service::notary_service, types::NotaryGlobals, NotaryServerError};
/// Custom extractor used to extract underlying TCP connection for TCP client —
/// using the same upgrade primitives used by the WebSocket implementation where
/// the underlying TCP connection (wrapped in an Upgraded object) only gets
/// polled as an OnUpgrade future after the ongoing HTTP request is finished (ref: https://github.com/tokio-rs/axum/blob/a6a849bb5b96a2f641fa077fe76f70ad4d20341c/axum/src/extract/ws.rs#L122)
///
/// More info on the upgrade primitives: https://docs.rs/hyper/latest/hyper/upgrade/index.html
pub struct TcpUpgrade {
pub on_upgrade: OnUpgrade,
}
impl<S> FromRequestParts<S> for TcpUpgrade
where
S: Send + Sync,
{
type Rejection = NotaryServerError;
async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
let on_upgrade =
parts
.extensions
.remove::<OnUpgrade>()
.ok_or(NotaryServerError::BadProverRequest(
"Upgrade header is not set for TCP client".to_string(),
))?;
Ok(Self { on_upgrade })
}
}
impl TcpUpgrade {
/// Utility function to complete the http upgrade protocol by
/// (1) Return 101 switching protocol response to client to indicate the
/// switching to TCP (2) Spawn a new thread to await on the OnUpgrade
/// object to claim the underlying TCP connection
pub fn on_upgrade<C, Fut>(self, callback: C) -> Response
where
C: FnOnce(TokioIo<Upgraded>) -> Fut + Send + 'static,
Fut: Future<Output = ()> + Send + 'static,
{
let on_upgrade = self.on_upgrade;
tokio::spawn(async move {
let upgraded = match on_upgrade.await {
Ok(upgraded) => upgraded,
Err(err) => {
error!("Something wrong with upgrading HTTP: {:?}", err);
return;
}
};
let upgraded = TokioIo::new(upgraded);
callback(upgraded).await;
});
#[allow(clippy::declare_interior_mutable_const)]
const UPGRADE: HeaderValue = HeaderValue::from_static("upgrade");
#[allow(clippy::declare_interior_mutable_const)]
const TCP: HeaderValue = HeaderValue::from_static("tcp");
let builder = Response::builder()
.status(StatusCode::SWITCHING_PROTOCOLS)
.header(header::CONNECTION, UPGRADE)
.header(header::UPGRADE, TCP);
builder.body(Body::empty()).unwrap()
}
}
/// Perform notarization using the extracted tcp connection
pub async fn tcp_notarize(
stream: TokioIo<Upgraded>,
notary_globals: NotaryGlobals,
session_id: String,
) {
let start = Instant::now();
debug!(?session_id, "Upgraded to tcp connection");
match notary_service(stream, notary_globals, &session_id).await {
Ok(_) => {
info!(
?session_id,
elapsed_time_millis = start.elapsed().as_millis(),
"Successful notarization using tcp!"
);
}
Err(err) => {
error!(
?session_id,
elapsed_time_millis = start.elapsed().as_millis(),
"Failed notarization using tcp: {err}"
);
}
}
}

37
crates/notary/server/src/service/websocket.rs
View File

@@ -1,37 +0,0 @@
use tokio::time::Instant;
use tracing::{debug, error, info};
use ws_stream_tungstenite::WsStream;
use crate::{
service::{axum_websocket::WebSocket, notary_service},
types::NotaryGlobals,
};
/// Perform notarization using the established websocket connection
pub async fn websocket_notarize(
socket: WebSocket,
notary_globals: NotaryGlobals,
session_id: String,
) {
let start = Instant::now();
debug!(?session_id, "Upgraded to websocket connection");
// Wrap the websocket in WsStream so that we have AsyncRead and AsyncWrite
// implemented
let stream = WsStream::new(socket.into_inner());
match notary_service(stream, notary_globals, &session_id).await {
Ok(_) => {
info!(
?session_id,
elapsed_time_millis = start.elapsed().as_millis(),
"Successful notarization using websocket!"
);
}
Err(err) => {
error!(
?session_id,
elapsed_time_millis = start.elapsed().as_millis(),
"Failed notarization using websocket: {err}"
);
}
}
}

153
crates/notary/server/src/signing.rs
View File

@@ -1,153 +0,0 @@
use const_oid::db::rfc5912::ID_EC_PUBLIC_KEY as OID_EC_PUBLIC_KEY;
use core::fmt;
use eyre::{eyre, Result};
use pkcs8::{
der::{self, pem::PemLabel, Encode},
spki::{DynAssociatedAlgorithmIdentifier, SubjectPublicKeyInfoRef},
AssociatedOid, DecodePrivateKey, LineEnding, PrivateKeyInfo,
};
use rand06_compat::Rand0_6CompatExt;
use tlsn::attestation::signing::{Secp256k1Signer, Secp256r1Signer, SignatureAlgId, Signer};
use tracing::error;
/// A cryptographic key used for signing attestations.
pub struct AttestationKey {
alg_id: SignatureAlgId,
key: SigningKey,
}
impl TryFrom<PrivateKeyInfo<'_>> for AttestationKey {
type Error = pkcs8::Error;
fn try_from(pkcs8: PrivateKeyInfo<'_>) -> Result<Self, Self::Error> {
// For now we only support elliptic curve keys.
if pkcs8.algorithm.oid != OID_EC_PUBLIC_KEY {
error!("unsupported key algorithm OID: {:?}", pkcs8.algorithm.oid);
return Err(pkcs8::Error::KeyMalformed);
}
let (alg_id, key) = match pkcs8.algorithm.parameters_oid()? {
k256::Secp256k1::OID => {
let key = k256::ecdsa::SigningKey::from_pkcs8_der(&pkcs8.to_der()?)
.map_err(|_| pkcs8::Error::KeyMalformed)?;
(SignatureAlgId::SECP256K1, SigningKey::Secp256k1(key))
}
p256::NistP256::OID => {
let key = p256::ecdsa::SigningKey::from_pkcs8_der(&pkcs8.to_der()?)
.map_err(|_| pkcs8::Error::KeyMalformed)?;
(SignatureAlgId::SECP256R1, SigningKey::Secp256r1(key))
}
oid => {
error!("unsupported curve OID: {:?}", oid);
return Err(pkcs8::Error::KeyMalformed);
}
};
Ok(Self { alg_id, key })
}
}
impl AttestationKey {
/// Samples a new attestation key of the given signature algorithm.
pub fn random(alg_id: &str) -> Result<Self> {
match alg_id.to_uppercase().as_str() {
"SECP256K1" => Ok(Self {
alg_id: SignatureAlgId::SECP256K1,
key: SigningKey::Secp256k1(k256::ecdsa::SigningKey::random(
&mut rand::rng().compat(),
)),
}),
"SECP256R1" => Ok(Self {
alg_id: SignatureAlgId::SECP256R1,
key: SigningKey::Secp256r1(p256::ecdsa::SigningKey::random(
&mut rand::rng().compat(),
)),
}),
alg_id => Err(eyre!("unsupported signature algorithm: {alg_id} — only secp256k1 and secp256r1 are supported")),
}
}
/// Creates a new signer using this key.
pub fn into_signer(self) -> Box<dyn Signer + Send + Sync> {
match self.key {
SigningKey::Secp256k1(key) => {
Box::new(Secp256k1Signer::new(&key.to_bytes()).expect("key should be valid"))
}
SigningKey::Secp256r1(key) => {
Box::new(Secp256r1Signer::new(&key.to_bytes()).expect("key should be valid"))
}
}
}
/// Returns the verifying key in compressed bytes.
pub fn verifying_key_bytes(&self) -> Vec<u8> {
match self.key {
SigningKey::Secp256k1(ref key) => key
.verifying_key()
.to_encoded_point(true)
.as_bytes()
.to_vec(),
SigningKey::Secp256r1(ref key) => key
.verifying_key()
.to_encoded_point(true)
.as_bytes()
.to_vec(),
}
}
/// Returns the verifying key in compressed PEM format.
pub fn verifying_key_pem(&self) -> Result<String, pkcs8::spki::Error> {
let algorithm = match &self.key {
SigningKey::Secp256k1(key) => key.verifying_key().algorithm_identifier()?,
SigningKey::Secp256r1(key) => key.verifying_key().algorithm_identifier()?,
};
let verifying_key_bytes = self.verifying_key_bytes();
let subject_public_key = der::asn1::BitStringRef::new(0, &verifying_key_bytes)?;
let der: der::Document = pkcs8::SubjectPublicKeyInfo {
algorithm,
subject_public_key,
}
.try_into()?;
let pem = der.to_pem(SubjectPublicKeyInfoRef::PEM_LABEL, LineEnding::LF)?;
Ok(pem)
}
}
impl fmt::Debug for AttestationKey {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
f.debug_struct("AttestationKey")
.field("alg_id", &self.alg_id)
.finish_non_exhaustive()
}
}
enum SigningKey {
Secp256k1(k256::ecdsa::SigningKey),
Secp256r1(p256::ecdsa::SigningKey),
}
#[cfg(test)]
mod tests {
use super::*;
use std::fs::read_to_string;
#[test]
fn test_verifying_key_pem() {
let attestation_key_pem =
read_to_string("../tests-integration/fixture/notary/notary.key").unwrap();
let attestation_key = AttestationKey::from_pkcs8_pem(&attestation_key_pem).unwrap();
let verifying_key_pem = attestation_key.verifying_key_pem().unwrap();
let expected_verifying_key_pem =
read_to_string("../tests-integration/fixture/notary/notary.pub").unwrap();
assert_eq!(verifying_key_pem, expected_verifying_key_pem);
}
}

125
crates/notary/server/src/tee.rs
View File

@@ -1,125 +0,0 @@
use mc_sgx_dcap_types::{QlError, Quote3};
use serde::{Deserialize, Serialize};
use std::{
fs,
fs::File,
io::{self, Read},
path::Path,
};
use tracing::{debug, error, instrument};
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct Quote {
raw_quote: Option<String>,
mrsigner: Option<String>,
mrenclave: Option<String>,
error: Option<String>,
}
impl Default for Quote {
fn default() -> Quote {
Quote {
raw_quote: Some("".to_string()),
mrsigner: None,
mrenclave: None,
error: None,
}
}
}
impl std::fmt::Debug for QuoteError {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
match self {
QuoteError::IoError(err) => write!(f, "IoError: {err:?}"),
QuoteError::IntelQuoteLibrary(err) => {
write!(f, "IntelQuoteLibrary: {err}")
}
}
}
}
impl From<io::Error> for QuoteError {
fn from(err: io::Error) -> QuoteError {
QuoteError::IoError(err)
}
}
enum QuoteError {
IoError(io::Error),
IntelQuoteLibrary(QlError),
}
impl From<QlError> for QuoteError {
fn from(src: QlError) -> Self {
Self::IntelQuoteLibrary(src)
}
}
#[instrument(level = "debug", skip_all)]
async fn gramine_quote(public_key: Vec<u8>) -> Result<Quote, QuoteError> {
//// Check if the the gramine pseudo-hardware exists
if !Path::new("/dev/attestation/quote").exists() {
return Ok(Quote::default());
}
// Reading attestation type
let mut attestation_file = File::open("/dev/attestation/attestation_type")?;
let mut attestation_type = String::new();
attestation_file.read_to_string(&mut attestation_type)?;
debug!("Detected attestation type: {}", attestation_type);
// Read `/dev/attestation/my_target_info`
let my_target_info = fs::read("/dev/attestation/my_target_info")?;
// Write to `/dev/attestation/target_info`
fs::write("/dev/attestation/target_info", my_target_info)?;
//// Writing the pubkey to bind the instance to the hw (note: this is not
//// mrsigner)
fs::write("/dev/attestation/user_report_data", public_key)?;
//// Reading from the gramine quote pseudo-hardware `/dev/attestation/quote`
let mut quote_file = File::open("/dev/attestation/quote")?;
let mut quote = Vec::new();
let _ = quote_file.read_to_end(&mut quote);
//// todo: wire up Qlerror and drop .expect()
let quote3 = Quote3::try_from(quote.as_ref()).expect("quote3 error");
let mrenclave = quote3.app_report_body().mr_enclave().to_string();
let mrsigner = quote3.app_report_body().mr_signer().to_string();
debug!("mrenclave: {}", mrenclave);
debug!("mrsigner: {}", mrsigner);
//// Return the Quote struct with the extracted data
Ok(Quote {
raw_quote: Some(hex::encode(quote)),
mrsigner: Some(mrsigner),
mrenclave: Some(mrenclave),
error: None,
})
}
pub async fn quote(public_key: Vec<u8>) -> Quote {
//// tee-detection logic will live here, for now its only gramine-sgx
match gramine_quote(public_key).await {
Ok(quote) => quote,
Err(err) => {
error!("Failed to retrieve quote: {:?}", err);
match err {
QuoteError::IoError(_) => Quote {
raw_quote: None,
mrsigner: None,
mrenclave: None,
error: Some("io".to_owned()),
},
QuoteError::IntelQuoteLibrary(_) => Quote {
raw_quote: None,
mrsigner: None,
mrenclave: None,
error: Some("hw".to_owned()),
},
}
}
}
}

64
crates/notary/server/src/types.rs
View File

@@ -1,64 +0,0 @@
use serde::{Deserialize, Serialize};
use std::{
collections::HashMap,
sync::{Arc, Mutex},
};
use tlsn::attestation::CryptoProvider;
use tokio::sync::Semaphore;
#[cfg(feature = "tee_quote")]
use crate::tee::Quote;
use crate::{auth::AuthorizationMode, config::NotarizationProperties};
/// Response object of the /info API
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct InfoResponse {
/// Current version of notary-server
pub version: String,
/// Public key of the notary signing key
pub public_key: String,
/// Current git commit hash of notary-server
pub git_commit_hash: String,
/// Hardware attestation
#[cfg(feature = "tee_quote")]
pub quote: Quote,
}
/// Request query of the /notarize API
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct NotarizationRequestQuery {
/// Session id that is returned from /session API
pub session_id: String,
}
/// Global data that needs to be shared with the axum handlers
#[derive(Clone)]
pub struct NotaryGlobals {
pub crypto_provider: Arc<CryptoProvider>,
pub notarization_config: NotarizationProperties,
/// A temporary storage to store session_id
pub store: Arc<Mutex<HashMap<String, ()>>>,
/// Selected authorization mode if any
pub authorization_mode: Option<AuthorizationMode>,
/// A semaphore to acquire a permit for notarization
pub semaphore: Arc<Semaphore>,
}
impl NotaryGlobals {
pub fn new(
crypto_provider: Arc<CryptoProvider>,
notarization_config: NotarizationProperties,
authorization_mode: Option<AuthorizationMode>,
semaphore: Arc<Semaphore>,
) -> Self {
Self {
crypto_provider,
notarization_config,
store: Default::default(),
authorization_mode,
semaphore,
}
}
}

83
crates/notary/server/src/util.rs
View File

@@ -1,83 +0,0 @@
use eyre::{eyre, Result};
use serde::de::DeserializeOwned;
use std::path::Path;
/// Parse a yaml configuration file into a struct
pub fn parse_config_file<T: DeserializeOwned>(location: &str) -> Result<T> {
let file = std::fs::File::open(location)?;
let config: T = serde_yaml::from_reader(file)?;
Ok(config)
}
/// Parse a csv file into a vec of structs
pub fn parse_csv_file<T: DeserializeOwned>(location: &str) -> Result<Vec<T>> {
let file = std::fs::File::open(location)?;
let mut reader = csv::Reader::from_reader(file);
let mut table: Vec<T> = Vec::new();
for result in reader.deserialize() {
let record: T = result?;
table.push(record);
}
Ok(table)
}
/// Prepend a file path with a base directory if the path is not absolute.
pub fn prepend_file_path<S: AsRef<str>>(file_path: S, base_dir: S) -> Result<String> {
let path = Path::new(file_path.as_ref());
if !path.is_absolute() {
Ok(Path::new(base_dir.as_ref())
.join(path)
.to_str()
.ok_or_else(|| eyre!("Failed to convert path to str"))?
.to_string())
} else {
Ok(file_path.as_ref().to_string())
}
}
#[cfg(test)]
mod test {
use crate::{
auth::AuthorizationWhitelistRecord,
config::NotaryServerProperties,
util::{parse_csv_file, prepend_file_path},
};
use super::{parse_config_file, Result};
#[test]
fn test_parse_config_file() {
let location = "../tests-integration/fixture/config/config.yaml";
let config: Result<NotaryServerProperties> = parse_config_file(location);
assert!(
config.is_ok(),
"Could not open file or read the file's values."
);
}
#[test]
fn test_parse_csv_file() {
let location = "../tests-integration/fixture/auth/whitelist.csv";
let table: Result<Vec<AuthorizationWhitelistRecord>> = parse_csv_file(location);
assert!(
table.is_ok(),
"Could not open csv or read the csv's values."
);
}
#[test]
fn test_prepend_file_path() {
let base_dir = "/base/dir";
let relative_path = "relative/path";
let absolute_path = "/absolute/path";
let result = prepend_file_path(relative_path, base_dir);
assert!(result.is_ok());
assert_eq!(result.unwrap(), "/base/dir/relative/path");
let result = prepend_file_path(absolute_path, base_dir);
assert!(result.is_ok());
assert_eq!(result.unwrap(), "/absolute/path");
}
}

114
crates/notary/server/tee/README.md
View File

@@ -1,114 +0,0 @@
This folder contains the necessary files to build a Docker image for running the Notary Server on Intel SGX-enabled hardware.
## Compile the Notary Server for Intel SGX
We use [Gramine](https://github.com/gramineproject/gramine) to run the Notary Server on Intel SGX. Gramine allows the Notary Server to run in an isolated environment with minimal host requirements.
The isolated environment is defined via the manifest template (`notary-server.manifest.template`).
The Notary Server for SGX is compiled with the Rust feature flag `tee_quote`. This enables the server to add the SGX *quote* to the server's `/info` endpoint.
### CI
The [notary-server-sgx Docker container](https://github.com/tlsnotary/tlsn/pkgs/container/tlsn%2Fnotary-server-sgx) is built as part of the CI pipeline. For details on the build process, refer to the [CI workflow configuration](../../../../.github/workflows/ci.yml).
CI builds a zip file named `notary-server-sgx.zip`, which contains the compiled binary and the signed manifest. This zip file is available for all releases and `dev` builds in the build artifacts. We also publish a Docker image `notary-server-sgx` at <https://github.com/tlsnotary/tlsn/pkgs/container/tlsn%2Fnotary-server-sgx>. Check the section below for details on running this container.
### Development
You can also build everything locally using the `run-gramine-local.sh` script.
This script creates and signs the Gramine manifest for the Notary Server in a local development environment. It requires the Gramine SDK, so the most convenient way to use it is within a Docker container that includes the necessary dependencies and tools.
> ⚠️ This script assumes that the `notary-server` binary is already built (for `linux/amd64`) and available in the current directory. Make sure it is built with the `tee_quote` feature:
> `cargo build --bin notary-server --release --features tee_quote`
#### Build the Docker Image
To build the Docker image for local development, run:
```sh
docker build -f gramine-local.Dockerfile -t gramine-local .
```
#### Run the Gramine Script
Once the image is built, you can run the `run-gramine-local.sh` script inside the container:
```
docker run --rm -it \
--platform=linux/amd64 \
-v "${PWD}:/app" \
-w /app/ \
gramine-local \
"bash -c ./run-gramine-local.sh"
```
If successful, the script will generate the following files:
* `notary-server.sig`
* `notary-server-sigstruct.json`
* `notary-server.manifest`
* `notary-server.manifest.sgx`
You can verify that the provided **enclave signature (`notary-server.sig`)** matches the expected **`MR_ENCLAVE` and `MR_SIGNER`** values in `notary-server-sigstruct.json`, by running the following command inside a **Gramine Docker container** to inspect the enclave's signature:
```sh
docker run --rm -v "$(pwd):/work" -w /work gramineproject/gramine:latest \
"gramine-sgx-sigstruct-view --verbose --output-format=json notary-server.sig"
```
The output should be the same as `notary-server-sigstruct.json`
## How to Run TLSNotary on Intel SGX?
Before running the Notary Server on Intel SGX hardware, ensure your system has the required Intel SGX components installed:
```sh
wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
cat intel-sgx-deb.key | sudo tee /etc/apt/keyrings/intel-sgx-keyring.asc > /dev/null
# Add the repository to your sources:
echo 'deb [signed-by=/etc/apt/keyrings/intel-sgx-keyring.asc arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu noble main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
sudo apt-get update
sudo apt-get install libsgx-epid libsgx-quote-ex libsgx-dcap-ql -y
```
For more details, refer to the official **[Intel SGX Installation Guide](https://download.01.org/intel-sgx/latest/dcap-latest/linux/docs/Intel_SGX_SW_Installation_Guide_for_Linux.pdf).**
### Docker Compose
To run the Notary Server using Docker Compose, create a docker-compose.yml file like the following:
```yaml
services:
dev:
container_name: dev
image: ghcr.io/tlsnotary/tlsn/notary-server-sgx:dev
restart: unless-stopped
devices:
- /dev/sgx_enclave
- /dev/sgx_provision
volumes:
- /var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket
ports:
- "7047:7047"
entrypoint: [ "gramine-sgx", "notary-server" ]
```
To retrieve the SGX attestation quote, query the `/info` endpoint:
```sh
curl localhost:7047/info | jq
```
### Run local build directly with Gramine
To run a locally built Notary Server inside a Gramine-protected SGX enclave, execute:
```sh
docker run --detach \
--restart=unless-stopped \
--device=/dev/sgx_enclave \
--device=/dev/sgx_provision \
--volume=/var/run/aesmd/aesm.socket:/var/run/aesmd/aesm.socket \
--publish=7047:7047 \
--volume="$(pwd):/work" \
--workdir=/work \
gramineproject/gramine:latest \
"gramine-sgx notary-server"
```

6
crates/notary/server/tee/gramine-local.Dockerfile
View File

@@ -1,6 +0,0 @@
FROM --platform=linux/amd64 gramineproject/gramine:latest
RUN apt update && \
apt install -y jq openssl zip && \
apt clean && \
rm -rf /var/lib/apt/lists/*

11
crates/notary/server/tee/notary-server-sgx.Dockerfile
View File

@@ -1,11 +0,0 @@
FROM gramineproject/gramine:latest
WORKDIR /work
# Copies `notary-server-sgx.zip` from the CI build or created locally via `run-gramine-local.sh`.
COPY ./notary-server-sgx /work
RUN chmod +x /work/notary-server
LABEL org.opencontainers.image.source=https://github.com/tlsnotary/tlsn
LABEL org.opencontainers.image.description="TLSNotary notary server in SGX/Gramine."
ENTRYPOINT ["gramine-sgx", "notary-server"]

38
crates/notary/server/tee/notary-server.manifest.template
View File

@@ -1,38 +0,0 @@
libos.entrypoint = "{{ self_exe }}"
loader.log_level = "{{ log_level }}"
loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}"
# See https://gramine.readthedocs.io/en/stable/performance.html#glibc-malloc-tuning
loader.env.MALLOC_ARENA_MAX = "1"
# encrypted type not used
fs.mounts = [
{ path = "/lib", uri = "file:{{ gramine.runtimedir() }}" },
{ path = "{{ arch_libdir }}", uri = "file:{{ arch_libdir }}" },
{ type = "tmpfs", path = "/ephemeral" },
{ type = "encrypted", path = "/vault", uri = "file:vault", key_name = "_sgx_mrenclave" },
]
# hashed @ buildtime. at runtime => these files are +ro
# and can be accessed if hash matches manifest
# !!!! hashed !!!!
# https://gramine.readthedocs.io/en/stable/manifest-syntax.html#trusted-files
sgx.trusted_files = [
"file:{{ self_exe }}",
"file:{{ gramine.runtimedir() }}/",
"file:{{ arch_libdir }}/",
]
sgx.edmm_enable = false
sgx.remote_attestation = "dcap"
sgx.max_threads = 64
sgx.enclave_size = "2G"
sys.disallow_subprocesses = true
#### tlsn rev
sgx.isvprodid = 7
#### F
sgx.isvsvn = 1

48
crates/notary/server/tee/run-gramine-local.sh
View File

@@ -1,48 +0,0 @@
#!/bin/bash
set -euo pipefail
echo "[*] Generating SGX signing key..."
gramine-sgx-gen-private-key
if [ ! -f notary-server ]; then
echo "[!] notary-server binary not found. Please copy it from ci, or build it first."
echo "Note that notary-server must be built for linux/amd64 with tee_quote feature enabled"
exit 1
fi
chmod +x notary-server
echo "[*] Creating Gramine manifest..."
gramine-manifest \
-Dlog_level=debug \
-Darch_libdir=/lib/x86_64-linux-gnu \
-Dself_exe=notary-server \
notary-server.manifest.template \
notary-server.manifest
echo "[*] Signing manifest..."
gramine-sgx-sign \
--manifest notary-server.manifest \
--output notary-server.manifest.sgx
echo "[*] Viewing SIGSTRUCT..."
gramine-sgx-sigstruct-view --verbose --output-format=json notary-server.sig >notary-server-sigstruct.json
cat notary-server-sigstruct.json | jq .
mr_enclave=$(jq -r ".mr_enclave" notary-server-sigstruct.json)
mr_signer=$(jq -r ".mr_signer" notary-server-sigstruct.json)
echo "=============================="
echo "MRENCLAVE: $mr_enclave"
echo "MRSIGNER: $mr_signer"
echo "=============================="
zip -r notary-server-sgx.zip \
notary-server \
notary-server-sigstruct.json \
notary-server.sig \
notary-server.manifest \
notary-server.manifest.sgx \
README.md

39
crates/notary/tests-integration/Cargo.toml
View File

@@ -1,39 +0,0 @@
[package]
name = "notary-tests-integration"
version = "0.0.0"
edition = "2021"
publish = false
[lints]
workspace = true
[dev-dependencies]
notary-client = { workspace = true }
notary-common = { workspace = true }
notary-server = { workspace = true }
tls-server-fixture = { workspace = true }
tlsn = { workspace = true }
tlsn-tls-core = { workspace = true }
tlsn-core = { workspace = true }
async-tungstenite = { workspace = true, features = ["tokio-native-tls"] }
futures = { workspace = true }
http = { workspace = true }
http-body-util = { workspace = true }
hyper = { workspace = true, features = ["client", "http1", "server"] }
hyper-tls = { version = "0.6", features = [
"vendored",
] } # specify vendored feature to use statically linked copy of OpenSSL
hyper-util = { workspace = true, features = ["full"] }
jsonwebtoken = { version = "9.3.1", features = ["use_pem"] }
rstest = { workspace = true }
rustls = { workspace = true }
rustls-pemfile = { workspace = true }
serde_json = { workspace = true }
tokio = { workspace = true, features = ["full"] }
tokio-native-tls = { version = "0.3.1", features = ["vendored"] }
tokio-util = { workspace = true, features = ["compat"] }
tracing = { workspace = true }
tracing-subscriber = { workspace = true, features = ["env-filter"] }
uuid = { workspace = true, features = ["v4", "fast-rng"] }
ws_stream_tungstenite = { workspace = true, features = ["tokio_io"] }

1
crates/notary/tests-integration/fixture/.gitignore vendored
View File

@@ -1 +0,0 @@
!*

51
crates/notary/tests-integration/fixture/auth/jwt.key
View File

@@ -1,51 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEAxkfGQo2iyUK6sV84rvsb6d4IlorFaX4WDwDnEP/zU2Pduwf7
kV39x6oqJzNjmfXm/RkcaAZXQdbvjBA9uwM7cd2Z7hMWLT3oix66Qv9d3+PWcdJt
TUVK710+QflZJqOEFOt30eNHm/8pN6z1P6YSZvYpHMVlCC7tL8OLWcMH9gYmUH6c
WOdzCaCigdQD1CqE9TG7jZlIepiWI7QMD7v/yN8tZoV8EzW25JdGPe4gtetBl1O+
QoAUpuQp7JSUxV4RR8HArGGSQ0OHHZMcfWx/CoLBUyXlmSCC21sSl634l7+HUM6U
/dHo1b+XSMpjjVCTjd0lDFCU+kiLtapdcCiJDijSj+a4xkJP+uvxpTZuB6A4W31e
DeKPIeutPAwcnw8UktdX6eiAt1ONAxB+ytZNcdrAUbMdIcocrMxgyPtCWBgDX1LK
fpPlRTBRI50mdFkIOp9dh02ijpWAYXaFA65aI8Tqh9j3wzbvFsCWpBfK7Zcbl7BZ
skAvXCjnPHDdup5sesnYrhOOG4jo2/nho7AmEEkvZVDyH9jDPrA6imljFX1gpKvW
mtERY7eor3gPI6FFOUh8qwEOB4lTsj9DUd75vvRlaPU7ibvFTdLVoRiXkAraKR59
WmcOpAfut9yOxNaE+M25jY/Jj+crptEt0MmezfowRimt3wpQ0C7i6hCBgrMCAwEA
AQKCAgAx05WR4e/XbapmqkwfRMEV+xLjacoEIYg/ivWGAxvNh9oPhwkD1b/RbgSb
x0EvTmkWjznhNj61L+MQqoAov74vdgWZmzhGdDk8xKL/9RZNDf80qTGIanJTRnY/
s/5gRFULwMRifR/gprVf5VnX/c7ACvn33e7uqIQ4LYaWLvmQLKlyLu7xNHBnKfPM
dk/kAC9bQn0kLzHUhQWtwTAKwC6d9t981OyCE0x7kzw2keGsdYsNESFNqswFyG50
oj3kfygOhTT63KYZux14JCDTr/EY3hTg5TQWT+IyZ2d7sF85GwtRFijAxAAjvrqw
sxNjTq1VyA3oU1OstZBOPZqvdbBC6ZpIiWyPE5j+H4R2/rxnKc/nwI+PXU5L1qKf
kB8yUsXxZQA9KY48VU3Z3WZxGWZwoU8Z+WUN6rJknZkVfk14GdQrf6BNyUVQk/Rd
W1bGZB11CHH80LRdsx5T7B2gwq41EJ33+8Hd8S/9YeSWMnHKkpH39bjMu328jn8U
0TaXQ8H/ZMwEmDZ74nmct4VnmF09dxdIHILKyohjGuU9nUBXnXw8orJPXgFlOkmn
G55/sMqDwnnz9O7wGptY3Vx7xCO4I9N4CijUw065dyZaY6wzyph9dAurnDu0MmA7
o0JwnhI2iKwPU8hq6nm2Ku2YNz7f0O5v5NMtw5z4lrOo4TX6MQKCAQEA/eLuS+dz
mrLEpKCDi63y1G6SYDM+mHWaN3B/y6XVgVjGyZWvebMIol5nGo0URdUHqXVw4krt
Hjr3AulSASr4s75wfk2bVwVuUQfCQrM+zvqBcApWJq+Ve7LEIYRchr8+vlyqiBBV
IV/XyL/KshSXKDscf/1J881M+ZxuGCfqQ0TADJ7592nHCXcDJ8XJXkPRQQEN2QwT
DGdYDIo276IfbiY2MAjCQRvzdGUocfeNZ5SYXOODhS2n99aLWsK3uXG74+tzFZhl
5fJVjxuipZVO4ycEHX8BYqikXQzQKe8UW2Z2Xhb4CQCDw58KXbLShhtRB16m7HJN
2nPXQYN2S6OMawKCAQEAx+5Ww2MPGLa5gvuJTE/qK4pXHrOGA/QM55qqtMlCPZEz
8/3qgcbkKAQL0GJe8Xlsuu0oKBYxIZQnimxlUAFq776b62s5DJuKMA5WhgTRO7Zg
mV5FZUtx+1H9W7GQsDWYlMjUmZOCvefu5qXOLH5gr9AS3Ckyfq1i8xwvAyXRr/4B
jAFtSUgQpbkFhjQtjEVcFEdJhz4OtIbXD0AWgMPSysH2ABZf+tht27mEvAuBCKzn
qa3aQuR5+D7fuDIN9To5QlFUX52vY+xLiaHgUuqC1Ud7y5TKlfNuG+IbYAUWTddS
j62m1G7xBAAAn+D6PX8egQe8EeTWBUaX159YlX102QKCAQEA4C5atsF4DfietLNb
lKITksrUC4gUVLE7bIq0/ZDAV0eZuHSpDrAtBpqPNh2u8f6qllKyS89XU2NDq9l0
ZL2Z/7VARfanHQ8Zmwlb2mPGKSN/2fv2mJBgUWrHzsS+oukKMTNIDX9GfILR2lyo
UdjmpEqV3to8S8BToPElMcVFEQMLBdn25SYM72mcaqk2JzuA8YJJxQbpZwF1+RSu
b6jbUfsBzCZfyPgyX+vW69NolDbc1uC6yIVJFQnn4UugyWoJO7cy1rXL/GCgdg4z
7zxI/UD9XEJCaeh5wgRHZ0/JzO9Lw8dKW0COGNU9ZQE67dn/EZ/di1lfL28sepfn
g+C1YwKCAQBnOzJDeq991ENfVV+kLpM73hdzu8BT5DyRjbPc2xo/zeykbBQc5ERE
QSqUc2aQimDQ98lHQYYmz2fHOobpU4ISvjmlydxQHTOx8oVMd8pNabLhHeL5FYaJ
/OCz6rBJu7LICBZ2IctdIReisjQNl0d3IBnM4dy3ufEglAnWNz3ZAG9uCgKS1wn5
d9pZXDG0fs+3jMNzeGCBaCo9Lpsv62y40oOhsevnCr9Wt6jIq6v5fcW0QBc1eOFd
g6Fiaz33xBNyoanOIQ5Bqu2p6BJ63ammVF2gVXhxCpts/EekQZwtnyN7Gm/Mumfp
59JquvCatjta5lJ+bsjvOm8Gn7lOntOpAoIBAFQqUgq5XllVEAyvsdUrXhv0zTb+
AeM49hHcGPL3S/pOkiHqsbCfjJe1v5Jqcm579s/O4lqtuL2e4INNqOVmxkOfRbFh
oRioUrdAsWv8t2Q6CkXhwoK59kJwitOaF00OyixxdCO9WY6qhg+ZZgZDiLnM7V7b
u8zMvwgqDKD3+7tTjM318bEyE4MCooh9vVD3CxOcdc7oe9TnZvxyuUIRB6UBEyTg
jfvGcyDTSzW3P4SetKOqenk0HuDTPGHtGjYpRnKFfRRcHOqo3p/l1Z+l08alLNAS
wAREawpeuKGx9/ZrhTrqgLTkbx7lSwP9aTKPQka1CtGvgSUohqQ3OPrG0Jk=
-----END RSA PRIVATE KEY-----

14
crates/notary/tests-integration/fixture/auth/jwt.key.pub
View File

@@ -1,14 +0,0 @@
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxkfGQo2iyUK6sV84rvsb
6d4IlorFaX4WDwDnEP/zU2Pduwf7kV39x6oqJzNjmfXm/RkcaAZXQdbvjBA9uwM7
cd2Z7hMWLT3oix66Qv9d3+PWcdJtTUVK710+QflZJqOEFOt30eNHm/8pN6z1P6YS
ZvYpHMVlCC7tL8OLWcMH9gYmUH6cWOdzCaCigdQD1CqE9TG7jZlIepiWI7QMD7v/
yN8tZoV8EzW25JdGPe4gtetBl1O+QoAUpuQp7JSUxV4RR8HArGGSQ0OHHZMcfWx/
CoLBUyXlmSCC21sSl634l7+HUM6U/dHo1b+XSMpjjVCTjd0lDFCU+kiLtapdcCiJ
DijSj+a4xkJP+uvxpTZuB6A4W31eDeKPIeutPAwcnw8UktdX6eiAt1ONAxB+ytZN
cdrAUbMdIcocrMxgyPtCWBgDX1LKfpPlRTBRI50mdFkIOp9dh02ijpWAYXaFA65a
I8Tqh9j3wzbvFsCWpBfK7Zcbl7BZskAvXCjnPHDdup5sesnYrhOOG4jo2/nho7Am
EEkvZVDyH9jDPrA6imljFX1gpKvWmtERY7eor3gPI6FFOUh8qwEOB4lTsj9DUd75
vvRlaPU7ibvFTdLVoRiXkAraKR59WmcOpAfut9yOxNaE+M25jY/Jj+crptEt0Mme
zfowRimt3wpQ0C7i6hCBgrMCAwEAAQ==
-----END PUBLIC KEY-----

3
crates/notary/tests-integration/fixture/auth/whitelist.csv
View File

@@ -1,3 +0,0 @@
"Name","ApiKey","CreatedAt"
"Jonas Nielsen","test_api_key_0","2023-09-18T07:38:53Z"
"Eren Jaeger","test_api_key_1","2023-10-18T07:38:53Z"
1 Name ApiKey CreatedAt
2 Jonas Nielsen test_api_key_0 2023-09-18T07:38:53Z
3 Eren Jaeger test_api_key_1 2023-10-18T07:38:53Z

46
crates/notary/tests-integration/fixture/config/config.yaml
View File

@@ -1,46 +0,0 @@
host: "0.0.0.0"
port: 7047
html_info: |
<head>
<meta charset="UTF-8">
<meta name="author" content="tlsnotary">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
<svg width="86" height="88" viewBox="0 0 86 88" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M25.5484 0.708986C25.5484 0.17436 26.1196 -0.167376 26.5923 0.0844205L33.6891 3.86446C33.9202 3.98756 34.0645 4.22766 34.0645 4.48902V9.44049H37.6129C38.0048 9.44049 38.3226 9.75747 38.3226 10.1485V21.4766L36.1936 20.0606V11.5645H34.0645V80.9919C34.0645 81.1134 34.0332 81.2328 33.9735 81.3388L30.4251 87.6388C30.1539 88.1204 29.459 88.1204 29.1878 87.6388L25.6394 81.3388C25.5797 81.2328 25.5484 81.1134 25.5484 80.9919V0.708986Z" fill="#243F5F"/>
<path d="M21.2903 25.7246V76.7012H12.7742V34.2207H0V25.7246H21.2903Z" fill="#243F5F"/>
<path d="M63.871 76.7012H72.3871V34.2207H76.6452V76.7012H85.1613V25.7246H63.871V76.7012Z" fill="#243F5F"/>
<path d="M38.3226 25.7246H59.6129V34.2207H46.8387V46.9649H59.6129V76.7012H38.3226V68.2051H51.0968V55.4609H38.3226V25.7246Z" fill="#243F5F"/>
</svg>
<h1>Notary Server {version}!</h1>
<ul>
<li>public key: <pre>{public_key}</pre></li>
<li>git commit hash: <a href="https://github.com/tlsnotary/tlsn/commit/{git_commit_hash}">{git_commit_hash}</a></li>
<li><a href="healthcheck">health check</a></li>
<li><a href="info">info</a></li>
</ul>
</body>
concurrency: 32
notarization:
max_sent_data: 4096
max_recv_data: 16384
timeout: 1800
private_key_path: "../notary/notary.key"
signature_algorithm: secp256k1
allow_extensions: false
tls:
enabled: false
private_key_path: "../tls/key.pem"
certificate_path: "../tls/cert.pem"
log:
level: DEBUG
format: COMPACT
auth:
enabled: false
whitelist: "../auth/whitelist.csv"

5
crates/notary/tests-integration/fixture/notary/notary.key
View File

@@ -1,5 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIGEAgEAMBAGByqGSM49AgEGBSuBBAAKBG0wawIBAQQgbGCmm+WHxwlKKKRWddfO
02TmpM787BJQuoVrHeCI5v6hRANCAAR7SPGcE5toiPteODpNcsIzUYb9WFjnrnQ6
tL+OBxsG5+j9AN8W8v+KvMi/UlKaEaJVywIcLCiWENdZyB7u/Yix
-----END PRIVATE KEY-----

4
crates/notary/tests-integration/fixture/notary/notary.pub
View File

@@ -1,4 +0,0 @@
-----BEGIN PUBLIC KEY-----
MDYwEAYHKoZIzj0CAQYFK4EEAAoDIgADe0jxnBObaIj7Xjg6TXLCM1GG/VhY5650
OrS/jgcbBuc=
-----END PUBLIC KEY-----

14
crates/notary/tests-integration/fixture/tls/README.md
View File

@@ -1,14 +0,0 @@
# Create a private key for the root CA
openssl genpkey -algorithm RSA -out rootCA.key -pkeyopt rsa_keygen_bits:2048
# Create a self-signed root CA certificate (100 years validity)
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 36525 -out rootCA.crt -subj "/C=US/ST=State/L=City/O=tlsnotary/OU=IT/CN=tlsnotary.org"
# Create a private key for the end entity certificate
openssl genpkey -algorithm RSA -out notary.key -pkeyopt rsa_keygen_bits:2048
# Create a certificate signing request (CSR) for the end entity certificate
openssl req -new -key notary.key -out notary.csr -subj "/C=US/ST=State/L=City/O=tlsnotary/OU=IT/CN=tlsnotaryserver.io"
# Sign the CSR with the root CA to create the end entity certificate (100 years validity)
openssl x509 -req -in notary.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out notary.crt -days 36525 -sha256 -extfile openssl.cnf -extensions v3_req

23
crates/notary/tests-integration/fixture/tls/notary.crt
View File

@@ -1,23 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDzTCCArWgAwIBAgIJALo+PtyTmxENMA0GCSqGSIb3DQEBCwUAMGUxCzAJBgNV
BAYTAlVTMQ4wDAYDVQQIDAVTdGF0ZTENMAsGA1UEBwwEQ2l0eTESMBAGA1UECgwJ
dGxzbm90YXJ5MQswCQYDVQQLDAJJVDEWMBQGA1UEAwwNdGxzbm90YXJ5Lm9yZzAg
Fw0yNDA4MDIxMTE1MzZaGA8yMTI0MDgwMzExMTUzNlowajELMAkGA1UEBhMCVVMx
DjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5MRIwEAYDVQQKDAl0bHNub3Rh
cnkxCzAJBgNVBAsMAklUMRswGQYDVQQDDBJ0bHNub3RhcnlzZXJ2ZXIuaW8wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEzkZE9X7Utn3by4sFG8KcDrdV
3szzPP9eA8U4cVmrWQAS0lsrEeHDv0KGKMFKOi3FDgyF1I8OWMIvnWj4LQ1zKYny
fufOkAv4UcYY0E9/VonqPKY0Xo9lbbl5Xu/E55gfJhAPZzoV73uXjvlhSVdhaypZ
ibSZm9t5izTiK1pcKDuvubB5zhmldt1+f0wbBxhLWVlf8T8GaPVZ37NCJGeeUf6Z
GL6Fq4jBYfvjzUQl6P72Zk0FCpIq2W/z2yBfWnNRRPjQuzIxk7cB6ssVpQF52cXZ
OF5YJhc7C/hr4rfWLshGQxkmwNktBSHrQUBm3LQHaT9ccPy0xgdIAD9Avf0BAgMB
AAGjeTB3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMB0GA1UdEQQWMBSCEnRsc25v
dGFyeXNlcnZlci5pbzAdBgNVHQ4EFgQULo1DGRbjA/+zX9AvRk6YcO2AYHowHwYD
VR0jBBgwFoAUKmfDzMNGdJr5blSUarmhRIiI88IwDQYJKoZIhvcNAQELBQADggEB
AFgTVLHCfaswU8pTwgRK1xWTGlMDQmZU//Lbatel6HTH0zMF4wj/hVkGikHWpJLt
1UipGRPUgyjFtDoPag8jrSDeK1ahtjNzkGEuz5wXM0zYqIv1xkXPatEbCV4LLI3Q
Yxf2YI7Nh599+2I/oZ+8YKUMn6EI58PgiSjyG7vzRoQKGAoE82FpBFyEUpcUXQDa
MIr/D8Xcv+RPpdHxi4cyHJAy+irzs9ghF7WdmFEOATYNF8EsP/doiskXWl68t2Hn
sDflDIbOH1xId3zJIwE/5IG3NrNqhVm2va06TNWURo3v8h+7bnD8Rxq107ObflKj
i1MwBiwdf7/w5Dw9o3K21ic=
-----END CERTIFICATE-----

17
crates/notary/tests-integration/fixture/tls/notary.csr
View File

@@ -1,17 +0,0 @@
-----BEGIN CERTIFICATE REQUEST-----
MIICrzCCAZcCAQAwajELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYD
VQQHDARDaXR5MRIwEAYDVQQKDAl0bHNub3RhcnkxCzAJBgNVBAsMAklUMRswGQYD
VQQDDBJ0bHNub3RhcnlzZXJ2ZXIuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDEzkZE9X7Utn3by4sFG8KcDrdV3szzPP9eA8U4cVmrWQAS0lsrEeHD
v0KGKMFKOi3FDgyF1I8OWMIvnWj4LQ1zKYnyfufOkAv4UcYY0E9/VonqPKY0Xo9l
bbl5Xu/E55gfJhAPZzoV73uXjvlhSVdhaypZibSZm9t5izTiK1pcKDuvubB5zhml
dt1+f0wbBxhLWVlf8T8GaPVZ37NCJGeeUf6ZGL6Fq4jBYfvjzUQl6P72Zk0FCpIq
2W/z2yBfWnNRRPjQuzIxk7cB6ssVpQF52cXZOF5YJhc7C/hr4rfWLshGQxkmwNkt
BSHrQUBm3LQHaT9ccPy0xgdIAD9Avf0BAgMBAAGgADANBgkqhkiG9w0BAQsFAAOC
AQEAups2oJRV5x/BZcZvRseWpGToqr5pO3ESXUEEbCpeHDKLIav4aWfYUkY4UGGN
2m1XYN7nEytwygJmMRWS8kjJzacII9j+dCysqCmm71T2L4BszCCVYGwTAigZuZ1R
WmULhso1tXXUF7ggEdTUpxMa5VijkbpZ5iQfBbslpSo0mjgM2bL4hO3Y8dl7a1Bn
0LNasWzWaizp6SkMU2BDNVF+i5blR4p8Bk0GQpPzGqwZf2tKcqmvutPqEm4rcOOC
U5j/U6uZpCYc8VQOklOUkDUSAZzCSJxeGHykddtMFte5+HkqBZoMCQwHeZl1g0qZ
/NLvHB8YO7U2XRJTfxloHhj3WQ==
-----END CERTIFICATE REQUEST-----

28
crates/notary/tests-integration/fixture/tls/notary.key
View File

@@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDEzkZE9X7Utn3b
y4sFG8KcDrdV3szzPP9eA8U4cVmrWQAS0lsrEeHDv0KGKMFKOi3FDgyF1I8OWMIv
nWj4LQ1zKYnyfufOkAv4UcYY0E9/VonqPKY0Xo9lbbl5Xu/E55gfJhAPZzoV73uX
jvlhSVdhaypZibSZm9t5izTiK1pcKDuvubB5zhmldt1+f0wbBxhLWVlf8T8GaPVZ
37NCJGeeUf6ZGL6Fq4jBYfvjzUQl6P72Zk0FCpIq2W/z2yBfWnNRRPjQuzIxk7cB
6ssVpQF52cXZOF5YJhc7C/hr4rfWLshGQxkmwNktBSHrQUBm3LQHaT9ccPy0xgdI
AD9Avf0BAgMBAAECggEACAuCldkPOTTIik6UvT24Q9baKbl02VCaA8bVrgv8JWP6
+8n7jhQqDW1pE8Dgvd8I9fAwFNxuiKCaN4YQv2xgC2AcUnxbj3cV9i2pkmQZi9QG
yTt3c9aVuAi3Nz3pQTxSXJuatnZ6ymDCxZxDl3V/C+1sisJ1Tn4vh5VoMQKiq/eq
sgmNF73VvKiHUeJGpMixho9AeFfE/o+HTAXcycmHlXBvJzOMsgmgTxinBNt54ROc
WKtt4GNvkxN72e/qu2rNPJvi/Hdq9cG03LmuaOn9dSbHWOdeLZFR2OkO6jvrUKv0
doDOYUsdCBIC/LaLvtOBzts3d3BZou9MOcz9cXUBDQKBgQDrFomWXDEnqH6o4ixg
1VpZfaK+fRHasni9txZC0zK44HOL4qnUjLLQ7GPyam44exq2/B2ouTCrV+TicoKy
GYAjCL+/rhZfiMoWrXO/SIU73TiXbYQiNEV2FYuAbvCsW9rLRH2/GzYu+fb/hUBP
vYLn9gf2u/nCiqGZ4dJnmrEOIwKBgQDWT/eE6+4HQB8Zhz6Dxu6/EOlwZtC9QsiT
CEEYja7yl0MDnQsQzv2nbCs5li6359IQJR1+L6G3kcd0z6EumWpB0JVQzMtKwlVe
WodfpPOWrectftfGUr+3xZIRbSV/hj89RhG2uhQ8xJYDLWHjP3LF0menvW/1JP0K
xhlGKqRwiwKBgQCtzz3uYz8ceSEcMAxrk5J3M8JNYB8BOI64hVL6GTgZJCmJtQ2n
TlcuzHeg1Tukmq/HtmMfSbxIEnXxToR+tQfd3ywVxdpYy8POPHOlazLGberXWmsk
9sycX5WCYYOji04alwr5bl8DIGCTzqsbyZutcGO28ofYY7LTGPj9DIv3TQKBgHiM
gq5CB6IMb3HsoT1+qMzQtn6DVuceqbQK8JLfH4lVjFx7+b16sTN7pNS/pYfM3lw2
hGB2aoDXf1o1cHTF1v8uVM8eYzuqFFr+kSc7ockgCOmOb9EeurikaYVj37Pbz7an
s08VXEzSR4+B943cIrMjpyqzZEaAh9WHmK/fTKABAoGACsgGUB84KSV+LBz/LY9M
5xYJNuf11Jucx6bahX6wPZyssLnZ5o+x7QmFIVXyPnQ7wn69C7EfvKJIgdXmjEEk
P4oUh7Osc5UwTR5s7Kr9iCqcDIR5NW68AFHEddMEXpOyFn4QrjrdYSlO4CQAiQUU
Nudz2KSI148F/vzo0I78A7c=
-----END PRIVATE KEY-----

7
crates/notary/tests-integration/fixture/tls/openssl.cnf
View File

@@ -1,7 +0,0 @@
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = tlsnotaryserver.io

22
crates/notary/tests-integration/fixture/tls/rootCA.crt
View File

@@ -1,22 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIDrTCCApWgAwIBAgIUUmpF/+i9EcDpciV0s1Okh4Wx/QswDQYJKoZIhvcNAQEL
BQAwZTELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5
MRIwEAYDVQQKDAl0bHNub3RhcnkxCzAJBgNVBAsMAklUMRYwFAYDVQQDDA10bHNu
b3Rhcnkub3JnMCAXDTI0MDgwMjExMDU1MloYDzIxMjQwODAzMTEwNTUyWjBlMQsw
CQYDVQQGEwJVUzEOMAwGA1UECAwFU3RhdGUxDTALBgNVBAcMBENpdHkxEjAQBgNV
BAoMCXRsc25vdGFyeTELMAkGA1UECwwCSVQxFjAUBgNVBAMMDXRsc25vdGFyeS5v
cmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDNGFXBMov4HBr4F/W
+9mzM4t+ww4jURyF/7O1puyhz0gueAu5/kzh6d5r+P2xwP0tpqtITvwfo2tHCNTg
dKBNPO7NnRnW8QtommHhafHUfj+4cR7G1xxSZD34mwuBnYW3cmxCbi0l5dClWfHA
G7GRHv5aPBBYbeF2ACYBesaCJLa5OMkab/N7DwPTWuSjoQqrMeodaQ1Q5Ro09cbt
WlL+ywRVq1gKZvgs3RogwDt6NUEZ8Hkz/BZzbo2HlX1+XUpMP7ucHGUQIt7F2Z+6
iYkMJfP+BflBR+qOzoMbgHo1SD5uIv1/iXi3UoddpCnzsretkcNs2pnpiPWoEhdA
fNuxAgMBAAGjUzBRMB0GA1UdDgQWBBQqZ8PMw0Z0mvluVJRquaFEiIjzwjAfBgNV
HSMEGDAWgBQqZ8PMw0Z0mvluVJRquaFEiIjzwjAPBgNVHRMBAf8EBTADAQH/MA0G
CSqGSIb3DQEBCwUAA4IBAQA7HR1mmHe5jT52EhSjwePvzvW7Tx6VGSUrhzkhnRVv
IbYjX0jWPSSXvc2NG3LyxyDLLOTkM0xWQLGEQ9LYYuH9Sy1ZUK4Mv7qWO23LaM2s
dYjWDKM9N23XhtgkbzFX6+X1Q93wU5KIibVMkPSzmaxDbhoiKYozznmSjOBt2HR2
UbpjNPjzN7BL+Gv+8hBhS0UeE2zgN0XcZmyiZQlfL7XTVoszjNd6HeKyCHX1Tk4a
/vYn3B1cFK8u4gRyjPKr8QH/uju4T+0gp8GtB1eQ9erdBkehPgb8x1QwdXWKPp4m
woJDTdgJhMu3w0InHtQztCtiTPphjrN/as2rw9hyYU4C
-----END CERTIFICATE-----

28
crates/notary/tests-integration/fixture/tls/rootCA.key
View File

@@ -1,28 +0,0 @@
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDDNGFXBMov4HBr
4F/W+9mzM4t+ww4jURyF/7O1puyhz0gueAu5/kzh6d5r+P2xwP0tpqtITvwfo2tH
CNTgdKBNPO7NnRnW8QtommHhafHUfj+4cR7G1xxSZD34mwuBnYW3cmxCbi0l5dCl
WfHAG7GRHv5aPBBYbeF2ACYBesaCJLa5OMkab/N7DwPTWuSjoQqrMeodaQ1Q5Ro0
9cbtWlL+ywRVq1gKZvgs3RogwDt6NUEZ8Hkz/BZzbo2HlX1+XUpMP7ucHGUQIt7F
2Z+6iYkMJfP+BflBR+qOzoMbgHo1SD5uIv1/iXi3UoddpCnzsretkcNs2pnpiPWo
EhdAfNuxAgMBAAECggEAGlol5z4e9XD9JvMMEn++wfHBcS7FPStOsyBJPcqibgMH
oY5UjEVc/QU6IPq6H5cIFsjwnTsHJQDwveQz/iErICzg/Xep7K8ZyoNHl3YFTu8Z
jGgTruWMo0AjxZNYwvoQT9WYm9c318KQn4yRlaJSHwnqGHsR/H4eTnRyrQcgE/gY
V7TNEqS7CMvuKqY+rnRhRjXlnKD0p6iT68QF5RVfWH4Qedk5t09JohfTjCK+5+Zo
TXFkpltNv6qHXpZoq5LTo4HZL/l9AnvUU5sjHbzfB6FJtZ0wYtI4q0EIchTusIw8
cJttSsIHzDnWaw2HLRm7dIHyrk7WqbLUtJRn+Bu9SQKBgQDwKJM7EoH0ZzzG+D24
lnSV+zjcBeMB4VLRAt5uabWZhmEa0lcb1nv73RU6vmU71UeuzlErSSRPqutr7Ajk
f37xQCeuQKFLrY1OGmiBp4CBOFLe/l2mwPjnDgccgaWPrkj7QoqMdDAK7sdWnUO1
uo9mKhzX08DuLxlU5VxxarzFqwKBgQDQFLGH38rg2BcYV5TjE2SZHAWZSz5TQTNj
8PMqzZWqbY0WtmEnJEh6I99l0Y4MguuFVjO9WD0kssiQtL+kQvVJkR1WPaOAviFl
PppWyA4BKGcdXSGKsXY08I4KXJaWVzolYZLA/y1zT+7JSrBd2QILyrZvF4DiPv5Y
Jm1LMd6QEwKBgBOnDl1QJ2hLpnKVz98yGLpJQ57lsGzv9mn6NR+N8PluQLYELnKt
u5mhvuH+wKQD0QjiA0xqgNkwIHHFb/ja4hV17YlZ6pkZy61vhcvOXDq21DlBUYKa
2gN2Z2iSx2yZk4lUKahSvbe3UIKq/eZ6LM/sdE3JG0miew0yc70oQehfAoGAOvTy
DEabjDON76a5F9Hh2gP3jiSkpyA9OF8H9yPC+UQLCtloE5gTNRA+9vF2JxNdOi1f
gZGj2WcSrvWXqyoRp+OHBW13iz3T5oTjZB1Q4oEZHlfJ7is0C/HwvPzY6gYTAo5v
72Ed9qM6TCxuZljbXI32POnS6cfhdwaERx79KaMCgYAJzrJBGEd194gVewUsoeiL
fB8eERgvvPCZwfKMh4H0Q8i6RsECNrZJOnNq6xG/Pf1ubasxNYZwSP4yOB+syhA7
NlvIP8Wps+c0M0oAAhF8q//eduUHyS1o/BbTL44ZkINVlmO5WuQ2pB1QdaBunrnF
GbrTaj5XbaeHwD4CKq5q0w==
-----END PRIVATE KEY-----

1
crates/notary/tests-integration/fixture/tls/rootCA.srl
View File

@@ -1 +0,0 @@
BA3E3EDC939B110D

574
crates/notary/tests-integration/tests/notary.rs
View File

@@ -1,574 +0,0 @@
use async_tungstenite::{
tokio::connect_async_with_tls_connector_and_config, tungstenite::protocol::WebSocketConfig,
};
use futures::future::join_all;
use http_body_util::{BodyExt as _, Full};
use hyper::{body::Bytes, Request, StatusCode};
use hyper_tls::HttpsConnector;
use hyper_util::{
client::legacy::{connect::HttpConnector, Builder},
rt::{TokioExecutor, TokioIo},
};
use jsonwebtoken::{encode, get_current_timestamp, Algorithm, EncodingKey, Header};
use notary_client::{Accepted, ClientError, NotarizationRequest, NotaryClient, NotaryConnection};
use notary_common::{ClientType, NotarizationSessionRequest, NotarizationSessionResponse};
use rstest::rstest;
use rustls::{Certificate, RootCertStore};
use std::{string::String, time::Duration};
use tls_server_fixture::{bind_test_server_hyper, CA_CERT_DER, SERVER_DOMAIN};
use tlsn::{
attestation::request::RequestConfig,
config::ProtocolConfig,
prover::{Prover, ProverConfig, TlsConfig},
transcript::TranscriptCommitConfig,
};
use tokio::{
io::{AsyncRead, AsyncWrite, AsyncWriteExt},
time::sleep,
};
use tokio_util::compat::{FuturesAsyncReadCompatExt, TokioAsyncReadCompatExt};
use tracing::debug;
use tracing_subscriber::EnvFilter;
use ws_stream_tungstenite::WsStream;
use notary_server::{
read_pem_file, run_server, AuthorizationModeProperties, AuthorizationProperties,
JwtAuthorizationProperties, JwtClaim, NotarizationProperties, NotaryServerProperties,
TLSProperties,
};
const MAX_SENT_DATA: usize = 1 << 13;
const MAX_RECV_DATA: usize = 1 << 13;
const NOTARY_HOST: &str = "127.0.0.1";
const NOTARY_DNS: &str = "tlsnotaryserver.io";
const NOTARY_CA_CERT_PATH: &str = "./fixture/tls/rootCA.crt";
const NOTARY_CA_CERT_BYTES: &[u8] = include_bytes!("../fixture/tls/rootCA.crt");
const API_KEY: &str = "test_api_key_0";
const JWT_PRIVATE_KEY: &[u8] = include_bytes!("../fixture/auth/jwt.key");
enum AuthMode {
Jwt,
Whitelist,
}
fn get_jwt() -> String {
let priv_key = EncodingKey::from_rsa_pem(JWT_PRIVATE_KEY).unwrap();
let timestamp = get_current_timestamp() as i64 + 1000;
encode(
&Header::new(Algorithm::RS256),
&serde_json::json!({ "exp": timestamp, "sub": "test"}),
&priv_key,
)
.unwrap()
}
fn get_server_config(
port: u16,
tls_enabled: bool,
auth: Option<AuthMode>,
concurrency: usize,
) -> NotaryServerProperties {
NotaryServerProperties {
host: NOTARY_HOST.to_string(),
port,
notarization: NotarizationProperties {
max_sent_data: 1 << 13,
max_recv_data: 1 << 14,
private_key_path: Some("./fixture/notary/notary.key".to_string()),
..Default::default()
},
tls: TLSProperties {
enabled: tls_enabled,
private_key_path: Some("./fixture/tls/notary.key".to_string()),
certificate_path: Some("./fixture/tls/notary.crt".to_string()),
},
auth: AuthorizationProperties {
enabled: auth.is_some(),
mode: auth.map(|mode| match mode {
AuthMode::Jwt => AuthorizationModeProperties::Jwt(JwtAuthorizationProperties {
algorithm: "rs256".to_string(),
public_key_path: "./fixture/auth/jwt.key.pub".to_string(),
claims: vec![JwtClaim {
name: "sub".to_string(),
..Default::default()
}],
}),
AuthMode::Whitelist => AuthorizationModeProperties::Whitelist(
"./fixture/auth/whitelist.csv".to_string(),
),
}),
},
concurrency,
..Default::default()
}
}
async fn setup_config_and_server(
sleep_ms: u64,
port: u16,
tls_enabled: bool,
auth: Option<AuthMode>,
concurrency: usize,
) -> NotaryServerProperties {
let notary_config = get_server_config(port, tls_enabled, auth, concurrency);
// Abruptly closed connections will cause the server to log errors. We
// prevent that by excluding the noisy modules from logging.
let _ = tracing_subscriber::fmt()
.with_env_filter(EnvFilter::new(
"error,uid_mux::yamux=off,tlsn_verifier=off,notary_server::service::tcp=off",
))
.try_init();
// Note: since only one global subscriber is allowed for the entire
// testsuite, the above filter will have an effect on all tests.
let config = notary_config.clone();
// Run the notary server
tokio::spawn(async move {
run_server(&config).await.unwrap();
});
// Sleep for a while to allow notary server to finish set up and start listening
tokio::time::sleep(Duration::from_millis(sleep_ms)).await;
notary_config
}
// Returns `NotaryClient` configured for proving over TCP.
fn tcp_prover_client(notary_config: NotaryServerProperties) -> NotaryClient {
let mut notary_client_builder = NotaryClient::builder();
notary_client_builder
.host(&notary_config.host)
.port(notary_config.port)
.enable_tls(false);
if notary_config.auth.enabled {
match notary_config.auth.mode.unwrap() {
AuthorizationModeProperties::Jwt(..) => {
notary_client_builder.jwt(get_jwt());
}
AuthorizationModeProperties::Whitelist(..) => {
notary_client_builder.api_key(API_KEY);
}
}
}
notary_client_builder.build().unwrap()
}
// Tries to put the client in an `Accepted` state.
async fn accepted_client(client: NotaryClient) -> Result<Accepted, ClientError> {
let notarization_request = NotarizationRequest::builder()
.max_sent_data(MAX_SENT_DATA)
.max_recv_data(MAX_RECV_DATA)
.build()
.unwrap();
client.request_notarization(notarization_request).await
}
async fn tcp_prover(notary_config: NotaryServerProperties) -> (NotaryConnection, String) {
let accepted = accepted_client(tcp_prover_client(notary_config))
.await
.unwrap();
(accepted.io, accepted.id)
}
async fn tls_prover(notary_config: NotaryServerProperties) -> (NotaryConnection, String) {
let mut certificate_file_reader = read_pem_file(NOTARY_CA_CERT_PATH).await.unwrap();
let mut certificates: Vec<Certificate> = rustls_pemfile::certs(&mut certificate_file_reader)
.unwrap()
.into_iter()
.map(Certificate)
.collect();
let certificate = certificates.remove(0);
let mut root_cert_store = RootCertStore::empty();
root_cert_store.add(&certificate).unwrap();
let notary_client = NotaryClient::builder()
.host(NOTARY_DNS)
.port(notary_config.port)
.root_cert_store(root_cert_store)
.build()
.unwrap();
let accepted = accepted_client(notary_client).await.unwrap();
(accepted.io, accepted.id)
}
#[rstest]
// For `tls_without_auth` test to pass, one needs to add "<NOTARY_HOST> <NOTARY_DNS>" in /etc/hosts
// so that this test programme can resolve the self-named NOTARY_DNS to NOTARY_HOST IP successfully.
#[case::tls_without_auth({
tls_prover(setup_config_and_server(100, 7047, true, None, 100).await)
})]
#[case::tcp_with_whitelist_auth({
tcp_prover(setup_config_and_server(100, 7048, false, Some(AuthMode::Whitelist), 100).await)
})]
#[case::tcp_with_jwt_auth({
tcp_prover(setup_config_and_server(100, 7049, false, Some(AuthMode::Jwt), 100).await)
})]
#[case::tcp_without_auth({
tcp_prover(setup_config_and_server(100, 7050, false, None, 100).await)
})]
#[awt]
#[tokio::test]
#[ignore = "expensive"]
async fn test_tcp_prover<S: AsyncWrite + AsyncRead + Send + Unpin + 'static>(
#[future]
#[case]
requested_notarization: (S, String),
) {
let (notary_socket, _) = requested_notarization;
let mut root_store = tls_core::anchors::RootCertStore::empty();
root_store
.add(&tls_core::key::Certificate(CA_CERT_DER.to_vec()))
.unwrap();
let protocol_config = ProtocolConfig::builder()
.max_sent_data(MAX_SENT_DATA)
.max_recv_data(MAX_RECV_DATA)
.build()
.unwrap();
// Set up prover config.
let prover_config = ProverConfig::builder()
.server_name(SERVER_DOMAIN)
.tls_config(TlsConfig::builder().root_store(root_store).build().unwrap())
.protocol_config(protocol_config)
.build()
.unwrap();
// Create a new Prover.
let prover = Prover::new(prover_config)
.setup(notary_socket.compat())
.await
.unwrap();
// Connect to the Server.
let (client_socket, server_socket) = tokio::io::duplex(1 << 16);
let server_task = tokio::spawn(bind_test_server_hyper(server_socket.compat()));
let (tls_connection, prover_fut) = prover.connect(client_socket.compat()).await.unwrap();
// Spawn the Prover task to be run concurrently.
let prover_task = tokio::spawn(prover_fut);
let (mut request_sender, connection) =
hyper::client::conn::http1::handshake(TokioIo::new(tls_connection.compat()))
.await
.unwrap();
tokio::spawn(connection);
let request = Request::builder()
.uri(format!("https://{SERVER_DOMAIN}/echo"))
.method("POST")
.header("Host", SERVER_DOMAIN)
.header("Connection", "close")
.body(Full::<Bytes>::new("echo".into()))
.unwrap();
debug!("Sending request to server: {:?}", request);
let response = request_sender.send_request(request).await.unwrap();
assert!(response.status() == StatusCode::OK);
let payload = response.into_body().collect().await.unwrap().to_bytes();
debug!(
"Received response from server: {:?}",
&String::from_utf8_lossy(&payload)
);
server_task.await.unwrap().unwrap();
let mut prover = prover_task.await.unwrap().unwrap();
let (sent_len, recv_len) = prover.transcript().len();
let mut builder = TranscriptCommitConfig::builder(prover.transcript());
builder.commit_sent(&(0..sent_len)).unwrap();
builder.commit_recv(&(0..recv_len)).unwrap();
let transcript_commit = builder.build().unwrap();
let mut builder = RequestConfig::builder();
builder.transcript_commit(transcript_commit);
let request = builder.build().unwrap();
#[allow(deprecated)]
prover.notarize(&request).await.unwrap();
prover.close().await.unwrap();
debug!("Done notarization!");
}
#[tokio::test]
#[ignore = "expensive"]
async fn test_websocket_prover() {
// Notary server configuration setup
let notary_config = setup_config_and_server(100, 7051, true, None, 100).await;
let notary_host = notary_config.host.clone();
let notary_port = notary_config.port;
// Connect to the notary server via TLS-WebSocket
// Try to avoid dealing with transport layer directly to mimic the limitation of
// a browser extension that uses websocket
//
// Establish TLS setup for connections later
let certificate =
tokio_native_tls::native_tls::Certificate::from_pem(NOTARY_CA_CERT_BYTES).unwrap();
let notary_tls_connector = tokio_native_tls::native_tls::TlsConnector::builder()
.add_root_certificate(certificate)
.use_sni(false)
.danger_accept_invalid_certs(true)
.build()
.unwrap();
// Call the /session HTTP API to configure notarization and obtain session id
let mut hyper_http_connector = HttpConnector::new();
hyper_http_connector.enforce_http(false);
let mut hyper_tls_connector =
HttpsConnector::from((hyper_http_connector, notary_tls_connector.clone().into()));
hyper_tls_connector.https_only(true);
let https_client = Builder::new(TokioExecutor::new()).build(hyper_tls_connector);
// Build the HTTP request to configure notarization
let payload = serde_json::to_string(&NotarizationSessionRequest {
client_type: ClientType::Websocket,
max_sent_data: Some(MAX_SENT_DATA),
max_recv_data: Some(MAX_RECV_DATA),
})
.unwrap();
let request = Request::builder()
.uri(format!("https://{notary_host}:{notary_port}/session"))
.method("POST")
.header("Host", notary_host.clone())
// Need to specify application/json for axum to parse it as json
.header("Content-Type", "application/json")
.body(Full::new(Bytes::from(payload)))
.unwrap();
debug!("Sending request");
let response = https_client.request(request).await.unwrap();
debug!("Sent request");
assert!(response.status() == StatusCode::OK);
debug!("Response OK");
// Pretty printing :)
let payload = response.into_body().collect().await.unwrap().to_bytes();
let notarization_response =
serde_json::from_str::<NotarizationSessionResponse>(&String::from_utf8_lossy(&payload))
.unwrap();
debug!("Notarization response: {:?}", notarization_response,);
// Connect to the Notary via TLS-Websocket
//
// Note: This will establish a new TLS-TCP connection instead of reusing the
// previous TCP connection used in the previous HTTP POST request because we
// cannot claim back the tcp connection used in hyper client while using its
// high level request function — there does not seem to have a crate that can
// let you make a request without establishing TCP connection where you can
// claim the TCP connection later after making the request
let request = http::Request::builder()
// Need to specify the session_id so that notary server knows the right configuration to use
// as the configuration is set in the previous HTTP call
.uri(format!(
"wss://{}:{}/notarize?sessionId={}",
notary_host,
notary_port,
notarization_response.session_id.clone()
))
.header("Host", notary_host.clone())
.header("Sec-WebSocket-Key", uuid::Uuid::new_v4().to_string())
.header("Sec-WebSocket-Version", "13")
.header("Connection", "Upgrade")
.header("Upgrade", "Websocket")
.body(())
.unwrap();
let (notary_ws_stream, _) = connect_async_with_tls_connector_and_config(
request,
Some(notary_tls_connector.into()),
Some(WebSocketConfig::default()),
)
.await
.unwrap();
// Wrap the socket with the adapter so that we get AsyncRead and AsyncWrite
// implemented
let notary_ws_socket = WsStream::new(notary_ws_stream);
// Connect to the Server
let (client_socket, server_socket) = tokio::io::duplex(1 << 16);
let server_task = tokio::spawn(bind_test_server_hyper(server_socket.compat()));
let mut root_store = tls_core::anchors::RootCertStore::empty();
root_store
.add(&tls_core::key::Certificate(CA_CERT_DER.to_vec()))
.unwrap();
let mut tls_config_builder = TlsConfig::builder();
tls_config_builder.root_store(root_store);
let tls_config = tls_config_builder.build().unwrap();
let protocol_config = ProtocolConfig::builder()
.max_sent_data(MAX_SENT_DATA)
.max_recv_data(MAX_RECV_DATA)
.build()
.unwrap();
// Set up prover config.
let prover_config = ProverConfig::builder()
.server_name(SERVER_DOMAIN)
.protocol_config(protocol_config)
.tls_config(tls_config)
.build()
.unwrap();
// Bind the Prover to the sockets
let prover = Prover::new(prover_config)
.setup(notary_ws_socket)
.await
.unwrap();
let (tls_connection, prover_fut) = prover.connect(client_socket.compat()).await.unwrap();
// Spawn the Prover and Mux tasks to be run concurrently
let prover_task = tokio::spawn(prover_fut);
let (mut request_sender, connection) =
hyper::client::conn::http1::handshake(TokioIo::new(tls_connection.compat()))
.await
.unwrap();
tokio::spawn(connection);
let request = Request::builder()
.uri(format!("https://{SERVER_DOMAIN}/echo"))
.header("Host", SERVER_DOMAIN)
.header("Connection", "close")
.method("POST")
.body(Full::<Bytes>::new("echo".into()))
.unwrap();
debug!("Sending request to server: {:?}", request);
let response = request_sender.send_request(request).await.unwrap();
assert!(response.status() == StatusCode::OK);
let payload = response.into_body().collect().await.unwrap().to_bytes();
debug!(
"Received response from server: {:?}",
&String::from_utf8_lossy(&payload)
);
server_task.await.unwrap().unwrap();
let mut prover = prover_task.await.unwrap().unwrap();
let (sent_len, recv_len) = prover.transcript().len();
let mut builder = TranscriptCommitConfig::builder(prover.transcript());
builder.commit_sent(&(0..sent_len)).unwrap();
builder.commit_recv(&(0..recv_len)).unwrap();
let transcript_commit = builder.build().unwrap();
let mut builder = RequestConfig::builder();
builder.transcript_commit(transcript_commit);
let request = builder.build().unwrap();
#[allow(deprecated)]
prover.notarize(&request).await.unwrap();
prover.close().await.unwrap();
debug!("Done notarization!");
}
#[tokio::test]
async fn test_concurrency_limit() {
const CONCURRENCY: usize = 5;
let notary_config = setup_config_and_server(100, 7052, false, None, CONCURRENCY).await;
async fn do_test(config: NotaryServerProperties) -> Vec<(NotaryConnection, String)> {
// Start notarization requests in parallel.
let connections = (0..CONCURRENCY).map(|_| tcp_prover(config.clone()));
// Wait for all requests to become accepted.
let mut connections = join_all(connections).await;
// Start a new request which will time out.
let mut client = tcp_prover_client(config.clone());
client.request_timeout(1);
assert_eq!(accepted_client(client.clone()).await.err().unwrap().to_string(), "client error: Internal, source: Some(\"Timed out while waiting for server to accept notarization request\")");
// Close one of the connections.
connections.pop().unwrap().0.shutdown().await.unwrap();
// Start a new request which will be accepted this time.
let accepted = accepted_client(client).await.unwrap();
connections.push((accepted.io, accepted.id));
connections
}
let connections = do_test(notary_config.clone()).await;
// Close all connections.
for mut c in connections {
c.0.shutdown().await.unwrap();
}
// Test again to make sure the server's semaphore was restored to the initial
// state.
_ = do_test(notary_config).await;
}
#[tokio::test]
async fn test_notarization_request_retry() {
const CONCURRENCY: usize = 5;
let config = setup_config_and_server(100, 7053, false, None, CONCURRENCY).await;
// Max out the concurrency limit.
let connections = (0..CONCURRENCY).map(|_| tcp_prover(config.clone()));
let mut connections = join_all(connections).await;
// Start a new request which will retry every second.
let mut client = tcp_prover_client(config.clone());
client.request_retry_override(1);
let client_fut = accepted_client(client.clone());
tokio::pin!(client_fut);
tokio::select! {
_ = &mut client_fut => panic!("Expected timeout to complete first"),
_ = sleep(Duration::from_secs(2)) => {}
}
// Close one of the connections.
connections.pop().unwrap().0.shutdown().await.unwrap();
// Now the request will be accepted.
tokio::select! {
_ = client_fut => {},
_ = sleep(Duration::from_secs(2)) => panic!("Expected client future to complete first")
}
}

4
crates/tlsn/src/verifier.rs
View File

@@ -513,11 +513,11 @@ impl Verifier<state::Committed> {
if server_name.is_some() {
return Err(VerifierError::attestation(
"server name can not be revealed to a notary",
"server name can not be revealed to a verifier",
));
} else if transcript.is_some() {
return Err(VerifierError::attestation(
"transcript data can not be revealed to a notary",
"transcript data can not be revealed to a verifier",
));
}

11
pre-commit-check.sh
View File

@@ -7,13 +7,16 @@
set -e
# Check formatting
cargo +nightly fmt --all
cargo +nightly fmt --check --all
# Check clippy
cargo clippy --all-features --all-targets -- -D warnings
cargo clippy --all-features --all-targets --locked -- -D warnings
# Build all targets
# cargo build --all-targets
cargo build --all-targets --locked
# Run tests
# cargo test
cargo test --locked
# Run integration tests, excluding specific targets
cargo test --locked --profile tests-integration --workspace --exclude tlsn-tls-client --exclude tlsn-tls-core -- --include-ignored

3
set_tlsn_version.rs
View File

@@ -55,9 +55,6 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
}
}
let open_api_path = Path::new(&args.workspace).join("crates/notary/server/openapi.yaml");
replace_version_with_regex(&open_api_path, r"(?m)^(\s*version:\s*)([^\s]+)($)", &args.version)?;
let releng_workflow_path = Path::new(&args.workspace).join(".github/workflows/releng.yml");
replace_version_with_regex(&releng_workflow_path,r#"(?m)^(\s*default:\s*'v)([^']+)(')"#, &args.version)?;