Add attested-tls crate by ameba23 · Pull Request #6 · flashbots/attested-tls

ameba23 · 2026-03-13T07:41:39Z

This adds a the attested TLS crate which provides an attested certificate resolver, providing and handling renewal of TLS certificates with embedded attestations, and an attested certificate verifier, which can verify these attestations during the TLS handshake.

Note: This PR targets peg/add-attestation-crate as i needed stuff from that branch.

Attestation input data is computed as

SHA512(
  Der-encoded public key 
  || not before date as seconds big endian u64
  || not after date as seconds big endian u64
  || hostname
)

Features

Both self-signed certificates and private certificate authorities are supported
Verifier caches trusted certificates and skips subsequent attestation verification for them
Attested client authentication supported

Things to be aware of

Panics on poisoned mutex - which happens if a thread panics while holding the gaurd. If the code is correct this is acceptable because there should be no execution path in which this can happen.
Attestation verifier currently blocks over an async call - see Calling async verify function from synchronous verify_server_cert function #2

Basic attested cert resolver and verifier

6ceced8

ameba23 marked this pull request as draft March 13, 2026 07:41

ameba23 added 12 commits March 13, 2026 08:52

Support client auth

6b92a59

Allow hostnames to be provided in the constructor

8d138d8

Fmt

6c8664a

Improve error handling during verification

4cfe131

Tidy tests

1ad4dd1

Improve delay handling in ceritifcate refresh loop

dcb7492

Add test to demonstrate using nested attested tls

ea40974

Move nestedtls test to be integration test

643ccfd

Fmt

fa5a156

Make root store optional for verifier

c9207f4

Tidy optional root store logic

fc6203d

Fmt

d58141e

ameba23 changed the base branch from main to peg/add-attestation-crate March 16, 2026 07:04

ameba23 added 14 commits March 16, 2026 08:07

Clippy

5e7af15

Tidy, add debug impl for ResolverState

c58fcfb

Add comments

92071ed

Cache trusted cerificate input data

d6d45a1

Comments, tidy tests

bc51460

Tidy tests

97bd108

Move aws provider to only be enabled in tests

20c8fc6

Fmt

bec6b88

Error handling

75cc172

Add check for server hostname

2a5bcbb

Rm old entries from cache on writing a new one

f86dd9a

Include hostname in report data

1330820

Minor fix variable name

0fdb708

Fmt

5c109db

ameba23 marked this pull request as ready for review March 16, 2026 10:29

ameba23 requested a review from 0x416e746f6e March 16, 2026 10:29

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add attested-tls crate#6

Add attested-tls crate#6
ameba23 wants to merge 27 commits intopeg/add-attestation-cratefrom
peg/attested-tls-crate

ameba23 commented Mar 13, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

ameba23 commented Mar 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Features

Things to be aware of

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

ameba23 commented Mar 13, 2026 •

edited

Loading