Document protocol details in READMEs#37
Open
ameba23 wants to merge 5 commits into
Open
Conversation
* main: doc: qualify the `build()` method description chore: switch to single-threaded tests chore: switch to blocking verifier feat: implement allow-lists of leaf cert pubkeys feat: implement builder for cert resolver/verifier fix: be explicit w.r.t attestation types fix: make `AttestedCertificateResolver::new()` non-async fix: re-export `ra_tls::rcgen` feat: allow using custom key-pairs chore: rename primary_name to subject chore: make detect() non-async Attested certificate verifier should require client authentication Bump rustls-webpki from 0.103.12 to 0.103.13
0x416e746f6e
approved these changes
May 18, 2026
Comment on lines
+17
to
+23
| PCCS enabled and calling verification APIs, including | ||
| `verify_attestation_sync()`, is expected to happen from within a Tokio runtime, | ||
| and will panic if called outside of one. | ||
|
|
||
| Note that the synchronous verification API is synchronous in its return type, | ||
| but it still relies on Tokio-backed background tasks for PCCS pre-warm | ||
| and cache refresh. |
Member
There was a problem hiding this comment.
rephrase:
Suggested change
| PCCS enabled and calling verification APIs, including | |
| `verify_attestation_sync()`, is expected to happen from within a Tokio runtime, | |
| and will panic if called outside of one. | |
| Note that the synchronous verification API is synchronous in its return type, | |
| but it still relies on Tokio-backed background tasks for PCCS pre-warm | |
| and cache refresh. | |
| PCCS enabled and calling verification APIs is expected to happen from within a | |
| Tokio runtime and might panic if called outside of one. | |
| Note that although some of the verification API methods are synchronous (for | |
| example `verify_attestation_sync`), still their functionality depends on | |
| Tokio-backed background tasks such as PCCS pre-warm and cache refresh. |
Comment on lines
+7
to
+16
| - `AttestedCertificateResolver`: issues TLS certificates which contain an | ||
| embedded attestation and handles renewal. It implements | ||
| [`rustls::server::ResolvesServerCert`](https://docs.rs/rustls/latest/rustls/server/trait.ResolvesServerCert.html) | ||
| and [`rustls::client::ResolvesClientCert`](https://docs.rs/rustls/latest/rustls/client/trait.ResolvesClientCert.html). | ||
| - `AttestedCertificateVerifier`: verifies the TLS certificate and the embedded | ||
| attestation during TLS handshake. It implements [`rustls::client::danger::ServerCertVerifier`](https://docs.rs/rustls/latest/rustls/client/danger/trait.ServerCertVerifier.html) | ||
| and [`rustls::server::danger::ClientCertVerifier`](https://docs.rs/rustls/latest/rustls/server/danger/trait.ClientCertVerifier.html). | ||
|
|
||
| The crate supports both server and client TLS authentication, and can be used as the | ||
| inner attested session inside [`nested-tls`](../nested-tls). |
Member
There was a problem hiding this comment.
rephrase:
Suggested change
| - `AttestedCertificateResolver`: issues TLS certificates which contain an | |
| embedded attestation and handles renewal. It implements | |
| [`rustls::server::ResolvesServerCert`](https://docs.rs/rustls/latest/rustls/server/trait.ResolvesServerCert.html) | |
| and [`rustls::client::ResolvesClientCert`](https://docs.rs/rustls/latest/rustls/client/trait.ResolvesClientCert.html). | |
| - `AttestedCertificateVerifier`: verifies the TLS certificate and the embedded | |
| attestation during TLS handshake. It implements [`rustls::client::danger::ServerCertVerifier`](https://docs.rs/rustls/latest/rustls/client/danger/trait.ServerCertVerifier.html) | |
| and [`rustls::server::danger::ClientCertVerifier`](https://docs.rs/rustls/latest/rustls/server/danger/trait.ClientCertVerifier.html). | |
| The crate supports both server and client TLS authentication, and can be used as the | |
| inner attested session inside [`nested-tls`](../nested-tls). | |
| - `AttestedCertificateResolver`: issues and renews TLS certificates with | |
| attestations embedded in their extensions. | |
| It implements [`rustls::server::ResolvesServerCert`](https://docs.rs/rustls/latest/rustls/server/trait.ResolvesServerCert.html) | |
| and [`rustls::client::ResolvesClientCert`](https://docs.rs/rustls/latest/rustls/client/trait.ResolvesClientCert.html). | |
| - `AttestedCertificateVerifier`: verifies the TLS certificates and their | |
| embedded attestations during TLS handshake. | |
| It implements [`rustls::client::danger::ServerCertVerifier`](https://docs.rs/rustls/latest/rustls/client/danger/trait.ServerCertVerifier.html) | |
| and [`rustls::server::danger::ClientCertVerifier`](https://docs.rs/rustls/latest/rustls/server/danger/trait.ClientCertVerifier.html). | |
| The crate supports both server and client TLS authentication, and can be used as | |
| the inner attested session inside [`nested-tls`](../nested-tls). |
|
|
||
| ## Protocol details | ||
|
|
||
| The resolver issues a short-lived X.509 leaf certificate whose attestation is |
Member
There was a problem hiding this comment.
grammar:
Suggested change
| The resolver issues a short-lived X.509 leaf certificate whose attestation is | |
| The resolver issues a short-lived X.509 leaf certificate which attestation is |
(certificate is a thing, not a person)
Comment on lines
+39
to
+40
| - Issues either a self-signed leaf certificate or a leaf signed by a provided | ||
| private CA |
Member
There was a problem hiding this comment.
rephrase:
Suggested change
| - Issues either a self-signed leaf certificate or a leaf signed by a provided | |
| private CA | |
| - Issues either a self-signed certificate or a leaf certificate signed by a | |
| provided (private) CA |
Comment on lines
+70
to
+71
| The attestation is embedded using the `ra-tls` certificate extension format. | ||
| When verifying a certificate, this crate first tries to parse the `ra-tls` |
Member
There was a problem hiding this comment.
provide hyperlinks:
Suggested change
| The attestation is embedded using the `ra-tls` certificate extension format. | |
| When verifying a certificate, this crate first tries to parse the `ra-tls` | |
| The attestation is embedded using the [`ra-tls`](https://github.com/Dstack-TEE/dstack/tree/master/ra-tls) | |
| certificate extension format. When verifying a certificate, this crate first | |
| tries to parse the [`ra-tls`](https://github.com/Dstack-TEE/dstack/tree/master/ra-tls) |
|
|
||
| This crate is used by attestation verification code that needs Intel TDX/SGX | ||
| collateral such as TCB info, QE identity, and certificate revocation lists. | ||
| It can: |
Member
There was a problem hiding this comment.
nit:
Suggested change
| It can: | |
| It can: |
Comment on lines
+25
to
+27
| That applies even when calling synchronous-looking APIs such as | ||
| `get_collateral_sync()`: cache miss repair, proactive refresh, and startup | ||
| pre-warm are all driven by Tokio background tasks. |
Member
There was a problem hiding this comment.
rephrase:
Suggested change
| That applies even when calling synchronous-looking APIs such as | |
| `get_collateral_sync()`: cache miss repair, proactive refresh, and startup | |
| pre-warm are all driven by Tokio background tasks. | |
| The above applies even when calling synchronous-looking APIs such as | |
| `get_collateral_sync()` because cache miss repair, proactive refresh, and | |
| startup pre-warm are all driven by Tokio background tasks. |
| Primitives for attested TLS channels. | ||
|
|
||
| Provided crates: | ||
| This workspace contains components for a protocol which binds confidential |
Member
There was a problem hiding this comment.
grammar:
Suggested change
| This workspace contains components for a protocol which binds confidential | |
| This workspace contains components for a protocol that binds confidential |
("binds confidential computing attestation evidence" is definitive property of the protocol, also called "restrictive")
Comment on lines
+23
to
+24
| - An inner TLS session which uses a certificate with attestation | ||
| evidence embedded in an extension. |
Member
There was a problem hiding this comment.
rephrase:
Suggested change
| - An inner TLS session which uses a certificate with attestation | |
| evidence embedded in an extension. | |
| - An inner TLS session uses a certificate with attestation evidence embedded in | |
| an extension. |
Comment on lines
+31
to
+32
| The inner identity should not be persistent and represents a particular CVM | ||
| instance and particular OS image build. |
Member
There was a problem hiding this comment.
rephrase:
Suggested change
| The inner identity should not be persistent and represents a particular CVM | |
| instance and particular OS image build. | |
| The inner identity represents particular CVM lifetime (for example, it can | |
| persist across service restarts, but must not persist across CVM reboots, let | |
| alone CVM image updates). |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This adds more details to the top-level and crate-level readme files, covering the implementation, intended use and the protocol at a high level.
This also addresses #23 by documenting that particular crates expect a tokio runtime.