Skip to content

Remove notarize methods for prover and verifier #952

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Aug 6, 2025
Merged

Remove notarize methods for prover and verifier #952

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
0ac8b47
feat: remove notarize methods for prover and verifier
th4s Jul 30, 2025
1f1c474
clean up imports
th4s Aug 1, 2025
b3bdee7
remove remaining notarize methods
th4s Aug 4, 2025
4a6280d
clean up imports
th4s Aug 4, 2025
023fcee
remove wasm attestation bindings
sinui0 Aug 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
120 changes: 2 additions & 118 deletions crates/tlsn/src/prover.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,20 +32,16 @@ use crate::{
use futures::{AsyncRead, AsyncWrite, TryFutureExt};
use mpc_tls::{LeaderCtrl, MpcTlsLeader, SessionKeys};
use rand::Rng;
use serio::{SinkExt, stream::IoStreamExt};
use serio::SinkExt;
use std::sync::Arc;
use tls_client::{ClientConnection, ServerName as TlsServerName};
use tls_client_async::{TlsConnection, bind_client};
use tls_core::msgs::enums::ContentType;
use tlsn_attestation::{
Attestation, CryptoProvider, Secrets,
request::{Request, RequestConfig},
};
use tlsn_core::{
ProvePayload,
connection::ServerCertData,
hash::{Blake3, HashAlgId, HashAlgorithm, Keccak256, Sha256},
transcript::{Direction, TlsTranscript, Transcript, TranscriptCommitment, TranscriptSecret},
transcript::{TlsTranscript, Transcript, TranscriptCommitment, TranscriptSecret},
};
use tlsn_deap::Deap;
use tokio::sync::Mutex;
Expand Down Expand Up @@ -458,118 +454,6 @@ impl Prover<state::Committed> {
Ok(output)
}

/// Requests an attestation from the verifier.
///
/// # Arguments
///
/// * `config` - The attestation request configuration.
#[instrument(parent = &self.span, level = "info", skip_all, err)]
#[deprecated(
note = "attestation functionality will be removed from this API in future releases."
)]
pub async fn notarize(
&mut self,
config: &RequestConfig,
) -> Result<(Attestation, Secrets), ProverError> {
#[allow(deprecated)]
self.notarize_with_provider(config, &CryptoProvider::default())
.await
}

/// Requests an attestation from the verifier.
///
/// # Arguments
///
/// * `config` - The attestation request configuration.
/// * `provider` - Cryptography provider.
#[instrument(parent = &self.span, level = "info", skip_all, err)]
#[deprecated(
note = "attestation functionality will be removed from this API in future releases."
)]
pub async fn notarize_with_provider(
&mut self,
config: &RequestConfig,
provider: &CryptoProvider,
) -> Result<(Attestation, Secrets), ProverError> {
let mut builder = ProveConfig::builder(self.transcript());

if let Some(config) = config.transcript_commit() {
// Temporarily, we reject attestation requests which contain hash commitments to
// subsets of the transcript. We do this because we want to preserve the
// obliviousness of the reference notary, and hash commitments currently leak
// the ranges which are being committed.
for ((direction, idx), _) in config.iter_hash() {
let len = match direction {
Direction::Sent => self.transcript().sent().len(),
Direction::Received => self.transcript().received().len(),
};

if idx.start() > 0 || idx.end() < len || idx.count() != 1 {
return Err(ProverError::attestation(
"hash commitments to subsets of the transcript are currently not supported in attestation requests",
));
}
}

builder.transcript_commit(config.clone());
}

let disclosure_config = builder.build().map_err(ProverError::attestation)?;

let ProverOutput {
transcript_commitments,
transcript_secrets,
..
} = self.prove(&disclosure_config).await?;

let state::Committed {
mux_fut,
ctx,
tls_transcript,
transcript,
..
} = &mut self.state;

let mut builder = Request::builder(config);

builder
.server_name(self.config.server_name().clone())
.server_cert_data(ServerCertData {
certs: tls_transcript
.server_cert_chain()
.expect("server cert chain is present")
.to_vec(),
sig: tls_transcript
.server_signature()
.expect("server signature is present")
.clone(),
handshake: tls_transcript.handshake_data().clone(),
})
.transcript(transcript.clone())
.transcript_commitments(transcript_secrets, transcript_commitments);

let (request, secrets) = builder.build(provider).map_err(ProverError::attestation)?;

let attestation = mux_fut
.poll_with(async {
debug!("sending attestation request");

ctx.io_mut().send(request.clone()).await?;

let attestation: Attestation = ctx.io_mut().expect_next().await?;

Ok::<_, ProverError>(attestation)
})
.await?;

// Check the attestation is consistent with the Prover's view.
request
.validate(&attestation)
.map_err(ProverError::attestation)?;

Ok((attestation, secrets))
}

/// Closes the connection with the verifier.
#[instrument(parent = &self.span, level = "info", skip_all, err)]
pub async fn close(self) -> Result<(), ProverError> {
Expand Down
9 changes: 0 additions & 9 deletions crates/tlsn/src/prover/error.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,13 +49,6 @@ impl ProverError {
{
Self::new(ErrorKind::Commit, source)
}

pub(crate) fn attestation<E>(source: E) -> Self
where
E: Into<Box<dyn Error + Send + Sync + 'static>>,
{
Self::new(ErrorKind::Attestation, source)
}
}

#[derive(Debug)]
Expand All @@ -65,7 +58,6 @@ enum ErrorKind {
Zk,
Config,
Commit,
Attestation,
}

impl fmt::Display for ProverError {
Expand All @@ -78,7 +70,6 @@ impl fmt::Display for ProverError {
ErrorKind::Zk => f.write_str("zk error")?,
ErrorKind::Config => f.write_str("config error")?,
ErrorKind::Commit => f.write_str("commit error")?,
ErrorKind::Attestation => f.write_str("attestation error")?,
}

if let Some(source) = &self.source {
Expand Down
175 changes: 2 additions & 173 deletions crates/tlsn/src/verifier.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,12 +30,11 @@ use mpz_common::Context;
use mpz_core::Block;
use mpz_garble_core::Delta;
use mpz_vm_core::prelude::*;
use serio::{SinkExt, stream::IoStreamExt};
use serio::stream::IoStreamExt;
use tls_core::{msgs::enums::ContentType, verify::WebPkiVerifier};
use tlsn_attestation::{Attestation, AttestationConfig, CryptoProvider, request::Request};
use tlsn_core::{
ProvePayload,
connection::{ConnectionInfo, ServerName, TranscriptLength},
connection::{ConnectionInfo, ServerName},
transcript::{TlsTranscript, TranscriptCommitment},
};
use tlsn_deap::Deap;
Expand Down Expand Up @@ -152,59 +151,6 @@ impl Verifier<state::Initialized> {
})
}

/// Runs the verifier to completion and attests to the TLS session.
///
/// This is a convenience method which runs all the steps needed for
/// notarization.
///
/// # Arguments
///
/// * `socket` - The socket to the prover.
/// * `config` - The attestation configuration.
#[instrument(parent = &self.span, level = "info", skip_all, err)]
#[deprecated(
note = "attestation functionality will be removed from this API in future releases."
)]
pub async fn notarize<S: AsyncWrite + AsyncRead + Send + Unpin + 'static>(
self,
socket: S,
config: &AttestationConfig,
) -> Result<Attestation, VerifierError> {
#[allow(deprecated)]
self.notarize_with_provider(socket, config, &CryptoProvider::default())
.await
}

/// Runs the verifier to completion and attests to the TLS session.
///
/// This is a convenience method which runs all the steps needed for
/// notarization.
///
/// # Arguments
///
/// * `socket` - The socket to the prover.
/// * `config` - The attestation configuration.
/// * `provider` - Cryptography provider.
#[instrument(parent = &self.span, level = "info", skip_all, err)]
#[deprecated(
note = "attestation functionality will be removed from this API in future releases."
)]
pub async fn notarize_with_provider<S: AsyncWrite + AsyncRead + Send + Unpin + 'static>(
self,
socket: S,
config: &AttestationConfig,
provider: &CryptoProvider,
) -> Result<Attestation, VerifierError> {
let mut verifier = self.setup(socket).await?.run().await?;

#[allow(deprecated)]
let attestation = verifier.notarize_with_provider(config, provider).await?;

verifier.close().await?;

Ok(attestation)
}

/// Runs the TLS verifier to completion, verifying the TLS session.
///
/// This is a convenience method which runs all the steps needed for
Expand Down Expand Up @@ -472,123 +418,6 @@ impl Verifier<state::Committed> {
})
}

/// Attests to the TLS session.
///
/// # Arguments
///
/// * `config` - Attestation configuration.
#[instrument(parent = &self.span, level = "info", skip_all, err)]
#[deprecated(
note = "attestation functionality will be removed from this API in future releases."
)]
pub async fn notarize(
&mut self,
config: &AttestationConfig,
) -> Result<Attestation, VerifierError> {
#[allow(deprecated)]
self.notarize_with_provider(config, &CryptoProvider::default())
.await
}

/// Attests to the TLS session.
///
/// # Arguments
///
/// * `config` - Attestation configuration.
/// * `provider` - Cryptography provider.
#[instrument(parent = &self.span, level = "info", skip_all, err)]
#[deprecated(
note = "attestation functionality will be removed from this API in future releases."
)]
pub async fn notarize_with_provider(
&mut self,
config: &AttestationConfig,
provider: &CryptoProvider,
) -> Result<Attestation, VerifierError> {
let VerifierOutput {
server_name,
transcript,
transcript_commitments,
} = self.verify(&VerifyConfig::default()).await?;

if server_name.is_some() {
return Err(VerifierError::attestation(
"server name can not be revealed to a verifier",
));
} else if transcript.is_some() {
return Err(VerifierError::attestation(
"transcript data can not be revealed to a verifier",
));
}

let state::Committed {
mux_fut,
ctx,
tls_transcript,
..
} = &mut self.state;

let sent_len = tls_transcript
.sent()
.iter()
.filter_map(|record| {
if let ContentType::ApplicationData = record.typ {
Some(record.ciphertext.len())
} else {
None
}
})
.sum::<usize>();

let recv_len = tls_transcript
.recv()
.iter()
.filter_map(|record| {
if let ContentType::ApplicationData = record.typ {
Some(record.ciphertext.len())
} else {
None
}
})
.sum::<usize>();

let request: Request = mux_fut
.poll_with(ctx.io_mut().expect_next().map_err(VerifierError::from))
.await?;

let mut builder = Attestation::builder(config)
.accept_request(request)
.map_err(VerifierError::attestation)?;

builder
.connection_info(ConnectionInfo {
time: tls_transcript.time(),
version: (*tls_transcript.version()),
transcript_length: TranscriptLength {
sent: sent_len as u32,
received: recv_len as u32,
},
})
.server_ephemeral_key(tls_transcript.server_ephemeral_key().clone())
.transcript_commitments(transcript_commitments);

let attestation = builder
.build(provider)
.map_err(VerifierError::attestation)?;

mux_fut
.poll_with(
ctx.io_mut()
.send(attestation.clone())
.map_err(VerifierError::from),
)
.await?;

info!("Sent attestation");

Ok(attestation)
}

/// Closes the connection with the prover.
#[instrument(parent = &self.span, level = "info", skip_all, err)]
pub async fn close(self) -> Result<(), VerifierError> {
Expand Down
Loading
Loading