implement attested channels #24

Open
0x416e746f6e wants to merge 3 commits into fix/lagging-resetter-channel from feat/atls
@0x416e746f6e
Member

subj.

todo:

  • implement atls for websockets
  • implement external tdx quote provider (via URL)
  • implement matching of tdx measurements against expected values (either directly or via on-chain policy contract)

also:

  • add e2e unit-tests
  • add benchmark tests

@0x416e746f6e self-assigned this Feb 19, 2026

@ameba23 left a comment

🥇 Looks great! 💯

As you already put in the todos, it would be great to have a test to be sure this works.

And as already mentioned, I have concerns about nesting TLS, but I think most of my worries could be mitigated by good configuration, e.g. setting max_fragment_size on the inner session to avoid overflowing TLS records on the outer session. With benchmarking we should be able to figure out a config that works well.

ocsp_response: &[u8],
now: UnixTime,
) -> Result<ServerCertVerified, rustls::Error> {
match self.inner.verify_server_cert(

Ah, this is cool that it handles CA-signed certs as usual as well as self-signed

tls.tls_key(),
tls.tls_certificate(),
tls.atls_key(),
atls::server::AttestationGenerator::with_no_attestation(), // TODO: use real stuff
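
Review bot: the `atls::server::AttestationGenerator::with_no_attestation()` argument on the last line, going by its name, builds the server side with no attestation, and only the `// TODO: use real stuff` comment marks that as temporary. Consider making the no-attestation generator an explicit opt-in rather than the hard-coded value, so the placeholder cannot end up in a deployed build unnoticed.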

Maybe we can instantiate AttestationGenerator and AttestationVerifier as part of config processing, and grab them here with getter methods as with the other TLS related stuff.

awc = { version = "3.7.0", features = ["rustls-0_23"] }
http = "1.3.1"
rcgen = { version = "0.14.7", features = ["x509-parser"] }
rustls = { version = "0.23.32", features = ["aws_lc_rs"] }

Not too critical, but since tokio-rustls re-exports rustls, using the re-exported version could guarantee that there is no version drift when you update. But since it anyway uses 0.23 this is fine.

)
.unwrap(); // TODO: verify on start

client.connector(connector.connector(atls)).finish()
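
Review bot: the `.unwrap()` marked `// TODO: verify on start` will panic here, where the client is being built, if the preceding expression fails. Do the validation the TODO describes at startup and propagate the error from there instead of unwrapping at this point.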

Not sure whether it was intentional, but it looks like we no longer do .limit(connections_limit). There's no compiler warning that the value is unused because it is logged.
