Switch proxy to use nested attested TLS protocol

Cargo.toml

@@ -11,8 +11,10 @@ repository = "https://github.com/flashbots/attested-tls-proxy"
 keywords = ["attested-TLS", "CVM", "TDX"]
 
 [dependencies]
-attested-tls = { path = "attested-tls", default-features = false }
-tokio = { version = "1.48.0", features = ["full"] }
+attested-tls = { git = "https://github.com/flashbots/attested-tls", branch = "peg/attested-tls-crate" }
+nested-tls = { git = "https://github.com/flashbots/attested-tls", branch = "peg/attested-tls-crate" }
+attestation = { git = "https://github.com/flashbots/attested-tls", branch = "peg/attested-tls-crate" }
+tokio = { version = "1.50.0", features = ["full"] }
 tokio-rustls = { version = "0.26.4", default-features = false }
 x509-parser = { version = "0.18.0", features = ["verify"] }
 thiserror = "2.0.17"
@@ -45,14 +47,15 @@ pin-project-lite = "0.2.16"
 [dev-dependencies]
 tempfile = "3.23.0"
 tdx-quote = { version = "0.0.5", features = ["mock"] }
-attested-tls = { path = "attested-tls", features = ["test-helpers", "mock"] }
+attestation = { git = "https://github.com/flashbots/attested-tls", branch = "peg/attested-tls-crate", features = ["mock"] }
+tokio = { version = "1.48.0", features = ["full"] }
 jsonrpsee = { version = "0.26.0", features = ["server"] }
 
 [features]
 default = []
 
 # Adds support for Microsoft Azure attestation generation and verification
-azure = ["attested-tls/azure"]
+azure = ["attestation/azure"]
 
 [package.metadata.deb]
 maintainer = "Flashbots Team <devops+ci@flashbots.net>"

attested-tls/Cargo.toml

@@ -18,7 +18,7 @@ http = "1.3.1"
 serde_json = "1.0.145"
 tracing = "0.1.41"
 parity-scale-codec = "3.7.5"
-attestation = { git = "https://github.com/flashbots/attested-tls", branch = "peg/add-attestation-crate" }
+attestation = { git = "https://github.com/flashbots/attested-tls", branch = "peg/attested-tls-crate" }
 
 # Used for websocket support
 tokio-tungstenite = { version = "0.28.0", optional = true }
@@ -40,7 +40,7 @@ rcgen = { version = "0.14.5", optional = true }
 [dev-dependencies]
 rcgen = "0.14.5"
 tempfile = "3.23.0"
-attestation = { git = "https://github.com/flashbots/attested-tls", branch = "peg/add-attestation-crate", features = ["mock"] }
+attestation = { git = "https://github.com/flashbots/attested-tls", branch = "peg/attested-tls-crate", features = ["mock"] }
 
 [features]
 default = ["ws", "rpc"]

src/attested_get.rs

@@ -9,30 +9,16 @@ pub async fn attested_get(
     url_path: &str,
     attestation_verifier: AttestationVerifier,
     remote_certificate: Option<CertificateDer<'static>>,
-    allow_self_signed: bool,
 ) -> Result<reqwest::Response, ProxyError> {
-    let proxy_client = if allow_self_signed {
-        let client_config = crate::self_signed::client_tls_config_allow_self_signed()?;
-        ProxyClient::new_with_tls_config(
-            client_config,
-            "127.0.0.1:0".to_string(),
-            target_addr,
-            AttestationGenerator::with_no_attestation(),
-            attestation_verifier,
-            None,
-        )
-        .await?
-    } else {
-        ProxyClient::new(
-            None,
-            "127.0.0.1:0".to_string(),
-            target_addr,
-            AttestationGenerator::with_no_attestation(),
-            attestation_verifier,
-            remote_certificate,
-        )
-        .await?
-    };
+    let proxy_client = ProxyClient::new(
+        None,
+        "127.0.0.1:0".to_string(),
+        target_addr,
+        AttestationGenerator::with_no_attestation(),
+        attestation_verifier,
+        remote_certificate,
+    )
+    .await?;
 
     attested_get_with_client(proxy_client, url_path).await
 }
@@ -69,14 +55,14 @@ async fn attested_get_with_client(
 mod tests {
     use super::*;
     use crate::{
-        ProxyServer,
+        OuterTlsConfig, OuterTlsMode, ProxyServer,
         attestation::AttestationType,
         file_server::static_file_server,
-        test_helpers::{generate_certificate_chain, generate_tls_config},
+        test_helpers::{generate_certificate_chain_for_host, generate_tls_config},
     };
     use tempfile::tempdir;
 
-    #[tokio::test]
+    #[tokio::test(flavor = "multi_thread")]
     async fn test_attested_get() {
         // Create a temporary directory with a file to serve
         let dir = tempdir().unwrap();
@@ -87,17 +73,23 @@ mod tests {
         let target_addr = static_file_server(dir.path().to_path_buf()).await.unwrap();
 
         // Create TLS configuration
-        let (cert_chain, private_key) = generate_certificate_chain("127.0.0.1".parse().unwrap());
+        let (cert_chain, private_key) = generate_certificate_chain_for_host("localhost");
         let (server_config, client_config) = generate_tls_config(cert_chain.clone(), private_key);
 
         // Setup a proxy server targetting the static file server
-        let proxy_server = ProxyServer::new_with_tls_config(
-            cert_chain,
-            server_config,
-            "127.0.0.1:0",
+        let proxy_server = ProxyServer::new(
+            Some(OuterTlsConfig {
+                listen_addr: "127.0.0.1:0",
+                tls: OuterTlsMode::Preconfigured {
+                    server_config,
+                    certificate_name: "localhost".to_string(),
+                },
+            }),
+            Some("127.0.0.1:0"),
             target_addr.to_string(),
             AttestationGenerator::new(AttestationType::DcapTdx, None).unwrap(),
             AttestationVerifier::expect_none(),
+            false,
         )
         .await
         .unwrap();
@@ -113,7 +105,7 @@ mod tests {
         let proxy_client = ProxyClient::new_with_tls_config(
             client_config,
             "127.0.0.1:0".to_string(),
-            proxy_addr.to_string(),
+            format!("localhost:{}", proxy_addr.port()),
             AttestationGenerator::with_no_attestation(),
             AttestationVerifier::mock(),
             None,

src/file_server.rs

@@ -1,23 +1,37 @@
 //! Static HTTP file server provided by an attested TLS proxy server
-use crate::{AttestationGenerator, AttestationVerifier, ProxyError, ProxyServer, TlsCertAndKey};
+use crate::{
+    AttestationGenerator, AttestationVerifier, OuterTlsConfig, OuterTlsMode, ProxyError,
+    ProxyServer, TlsCertAndKey,
+};
 use std::{net::SocketAddr, path::PathBuf};
 use tokio::net::ToSocketAddrs;
 use tower_http::services::ServeDir;
 
 /// Setup a static file server serving the given directory, and a proxy server targetting it
 pub async fn attested_file_server(
     path_to_serve: PathBuf,
-    cert_and_key: TlsCertAndKey,
-    listen_addr: impl ToSocketAddrs,
+    outer_cert_and_key: Option<TlsCertAndKey>,
+    outer_listen_addr: Option<impl ToSocketAddrs>,
+    inner_listen_addr: Option<impl ToSocketAddrs>,
     attestation_generator: AttestationGenerator,
     attestation_verifier: AttestationVerifier,
     client_auth: bool,
 ) -> Result<(), ProxyError> {
     let target_addr = static_file_server(path_to_serve).await?;
+    let outer_session = match (outer_cert_and_key, outer_listen_addr) {
+        (Some(cert_and_key), Some(listen_addr)) => Some(OuterTlsConfig {
+            listen_addr,
+            tls: OuterTlsMode::CertAndKey(cert_and_key),
+        }),
+        (Some(_), None) | (None, Some(_)) => {
+            return Err(ProxyError::NoListenersConfigured);
+        }
+        (None, None) => None,
+    };
 
     let server = ProxyServer::new(
-        cert_and_key,
-        listen_addr,
+        outer_session,
+        inner_listen_addr,
         target_addr.to_string(),
         attestation_generator,
         attestation_verifier,
@@ -52,10 +66,10 @@ pub(crate) async fn static_file_server(path: PathBuf) -> Result<SocketAddr, Prox
 
 #[cfg(test)]
 mod tests {
-    use crate::{ProxyClient, attestation::AttestationType};
+    use crate::{OuterTlsConfig, OuterTlsMode, ProxyClient, attestation::AttestationType};
 
     use super::*;
-    use crate::test_helpers::{generate_certificate_chain, generate_tls_config};
+    use crate::test_helpers::{generate_certificate_chain_for_host, generate_tls_config};
     use tempfile::tempdir;
 
     /// Given a URL, fetch response body and content type header
@@ -74,7 +88,7 @@ mod tests {
         (body.to_vec(), content_type)
     }
 
-    #[tokio::test]
+    #[tokio::test(flavor = "multi_thread")]
     async fn test_static_file_server() {
         // Create a temporary directory with some files to serve
         let dir = tempdir().unwrap();
@@ -94,17 +108,23 @@ mod tests {
         let target_addr = static_file_server(dir.path().to_path_buf()).await.unwrap();
 
         // Create TLS configuration
-        let (cert_chain, private_key) = generate_certificate_chain("127.0.0.1".parse().unwrap());
+        let (cert_chain, private_key) = generate_certificate_chain_for_host("localhost");
         let (server_config, client_config) = generate_tls_config(cert_chain.clone(), private_key);
 
         // Setup a proxy server targetting the static file server
-        let proxy_server = ProxyServer::new_with_tls_config(
-            cert_chain,
-            server_config,
-            "127.0.0.1:0",
+        let proxy_server = ProxyServer::new(
+            Some(OuterTlsConfig {
+                listen_addr: "127.0.0.1:0",
+                tls: OuterTlsMode::Preconfigured {
+                    server_config,
+                    certificate_name: "localhost".to_string(),
+                },
+            }),
+            Some("127.0.0.1:0"),
             target_addr.to_string(),
             AttestationGenerator::new(AttestationType::DcapTdx, None).unwrap(),
             AttestationVerifier::expect_none(),
+            false,
         )
         .await
         .unwrap();
@@ -118,7 +138,7 @@ mod tests {
         let proxy_client = ProxyClient::new_with_tls_config(
             client_config,
             "127.0.0.1:0".to_string(),
-            proxy_addr.to_string(),
+            format!("localhost:{}", proxy_addr.port()),
             AttestationGenerator::with_no_attestation(),
             AttestationVerifier::mock(),
             None,
@@ -128,35 +148,31 @@ mod tests {
 
         let proxy_client_addr = proxy_client.local_addr().unwrap();
 
-        // Proxy cient accepts a single connection
+        // Accept one client connection per request.
         tokio::spawn(async move {
             proxy_client.accept().await.unwrap();
+            proxy_client.accept().await.unwrap();
+            proxy_client.accept().await.unwrap();
         });
 
         let client = reqwest::Client::new();
 
         // This makes the request
-        let (body, content_type) = get_body_and_content_type(
-            format!("http://{}/foo.txt", proxy_client_addr.to_string()),
-            &client,
-        )
-        .await;
+        let (body, content_type) =
+            get_body_and_content_type(format!("http://{}/foo.txt", proxy_client_addr), &client)
+                .await;
         assert_eq!(content_type, "text/plain");
         assert_eq!(body, b"bar");
 
-        let (body, content_type) = get_body_and_content_type(
-            format!("http://{}/index.html", proxy_client_addr.to_string()),
-            &client,
-        )
-        .await;
+        let (body, content_type) =
+            get_body_and_content_type(format!("http://{}/index.html", proxy_client_addr), &client)
+                .await;
         assert_eq!(content_type, "text/html");
         assert_eq!(body, b"<html><body>foo</body></html>");
 
-        let (body, content_type) = get_body_and_content_type(
-            format!("http://{}/data.bin", proxy_client_addr.to_string()),
-            &client,
-        )
-        .await;
+        let (body, content_type) =
+            get_body_and_content_type(format!("http://{}/data.bin", proxy_client_addr), &client)
+                .await;
         assert_eq!(content_type, "application/octet-stream");
         assert_eq!(body, [0u8; 32]);
     }

src/http_version.rs

@@ -7,6 +7,9 @@ use std::task::{Context, Poll};
 pub const ALPN_H2: &[u8] = b"h2";
 pub const ALPN_HTTP11: &[u8] = b"http/1.1";
 
+type ProxyClientTlsStream =
+    tokio_rustls::client::TlsStream<tokio_rustls::client::TlsStream<tokio::net::TcpStream>>;
+
 /// Supported HTTP versions
 #[derive(Debug)]
 pub enum HttpVersion {
@@ -55,13 +58,11 @@ impl HttpVersion {
 type Http1Sender = hyper::client::conn::http1::SendRequest<hyper::body::Incoming>;
 type Http2Sender = hyper::client::conn::http2::SendRequest<hyper::body::Incoming>;
 
-type Http1Connection = hyper::client::conn::http1::Connection<
-    TokioIo<tokio_rustls::client::TlsStream<tokio::net::TcpStream>>,
-    hyper::body::Incoming,
->;
+type Http1Connection =
+    hyper::client::conn::http1::Connection<TokioIo<ProxyClientTlsStream>, hyper::body::Incoming>;
 
 type Http2Connection = hyper::client::conn::http2::Connection<
-    TokioIo<tokio_rustls::client::TlsStream<tokio::net::TcpStream>>,
+    TokioIo<ProxyClientTlsStream>,
     hyper::body::Incoming,
     crate::TokioExecutor,
 >;