Merge pull request #17 from tlsnotary/custom-extension

feat: add custom extension, minor fixes.
2026-01-07 21:24:15 -05:00 · 2025-05-28 12:44:25 +08:00
parent 75f212b0be 4e472b27b0
commit a0f6393f53
4 changed files with 82 additions and 4 deletions
--- a/docs/intro.md
+++ b/docs/intro.md
@@ -74,7 +74,7 @@ While TLSNotary can notarize publicly available data, it does not solve the "[or
 ## What TLS version does TLSNotary support?
-TLSNotary currently supports TLS 1.2. TLS 1.3 support will be added in 2024.
+TLSNotary currently supports TLS 1.2. Support for TLS 1.3 is on the roadmap.
 ## Who is behind TLSNotary?
--- a/docs/protocol/commit_strategy.md
+++ b/docs/protocol/commit_strategy.md
@@ -25,4 +25,4 @@ The commitment strategies differ mainly in the number of committed ranges (`K`).
 | `Attestation` | Artifact signed by the `Notary` attesting to the authenticity of the plaintext from a TLS session | Constant     | `Attestation` only contains data that remains constant-sized regardless of `K`, e.g., the Merkle root of the commitments |
 | `Secret`      | Artifact containing secret data that correspond to commitments in `Attestation`                   | Linear       | `Secret` contains some data whose sizes scale linearly with `K`, e.g., a Merkle tree whose number of leaves equals `K`   |
-Using the default hash algorithm (i.e., BLAKE3), every additional range committed costs around 250 bytes of increment in the size of `Secret`. For more details, please visit this [Jupyter notebook](https://github.com/tlsnotary/landing-page/blob/docusaurus/docs/Protocol/commit_strategy.ipynb).
+Using the default hash algorithm (i.e., BLAKE3), every additional range committed costs around 250 bytes of increment in the size of `Secret`. For more details, please visit this [Jupyter notebook](https://github.com/tlsnotary/landing-page/blob/master/docs/protocol/commit_strategy.ipynb).
--- a/docs/protocol/custom_extension.md
+++ b/docs/protocol/custom_extension.md
@@ -0,0 +1,78 @@
 ---
 sidebar_position: 5
 ---
 # Custom Extensions
 Notary attestations can be extended with custom fields defined by the `Prover` or the `Notary`. This allows applications to attach additional data to attestations in a verifiable way.
 For now, the default notary server implementation only supports including custom data requested by the `Prover` in the attestation without any validation. In the future, a plugin system will allow developers to add custom logic to the notary server for adding or validating these data, without needing to modify the notary server code.
 ## Use Cases
 - The `Prover` includes their public key to bind the attestation to their identity.
 - The `Notary` includes a TEE (Trusted Execution Environment) attestation to prove code integrity.
 - The `Prover` includes a nullifier to prevent reuse of the attestation.
 ## Example
 The following demonstrates how to modify the [attestation example](https://github.com/tlsnotary/tlsn/blob/main/crates/examples/attestation/README.md) to include the `Prover`'s public key as a custom extension.
 ### Prover
 The [attestation prover](https://github.com/tlsnotary/tlsn/blob/main/crates/examples/attestation/prove.rs) is modified as follows:
 ```rust
 // ...
 let builder = RequestConfig::builder();
 builder.extension(Extension {
    id: b"prover_public_key".to_vec(),
    value: b"PUBLIC_KEY_PEM".to_vec(),
 });
 let request_config = builder.build()?;
 // ...
 ```
 Note that the `Extension`'s `id` and `value` are both `Vec<u8>`, giving full control over the encoding format.
 ### Notary
 The [Notary server](https://github.com/tlsnotary/tlsn/tree/main/crates/notary/server) must be started with `allow_extensions` enabled:
 ```bash
 NS_NOTARIZATION__ALLOW_EXTENSIONS=true cargo run --release
 ```
 Currently, the notary server does not support adding its own extensions or performing validations on extensions requested by the `Prover` out of the box. To do so, you’ll need to extend the notary server using the APIs outlined in the [API docs](https://tlsnotary.github.io/tlsn/tlsn_core/attestation/index.html#extensions).
 ### Verifier
 The [attestation verifier](https://github.com/tlsnotary/tlsn/blob/main/crates/examples/attestation/verify.rs) can be modified to inspect extensions:
 ```rust
 // ...
 let PresentationOutput {
    server_name,
    connection_info,
    transcript,
    mut extensions, // Optionally, verify any custom extensions from the prover or notary.
    ..
 } = presentation.verify(&crypto_provider).unwrap();
 let Extension { id, value } = extensions.pop().unwrap();
 // Check the prover's public key.
 if id.as_slice() == b"prover_public_key" {
    let public_key_pem = String::from_utf8(value).unwrap();
    // ...
 }
 // ...
 ```
 This allows the `Verifier` to confirm that the attestation is bound to the identity associated with the specified public key.
--- a/docs/protocol/server_identity_privacy.md
+++ b/docs/protocol/server_identity_privacy.md
@@ -1,7 +1,7 @@
 ---
-sidebar_position: 5
+sidebar_position: 6
 ---
-# Server identity privacy
+# Server Identity Privacy
 To maximize `Prover` privacy, the server identity is not revealed to the `Verifier` by default. 
 The TLSNotary protocol mitigates the threat of a malicious `Verifier` attempting to infer the server identity from the messages they receive during MPC-TLS.