Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 27 additions & 2 deletions rust/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ http = "1"
## Quick Start

```rust
use opensecret::{OpenSecretClient, Result};
use opensecret::{OpenSecretClient, Pcr0TrustPolicy, Result};
use uuid::Uuid;

#[tokio::main]
Expand All @@ -51,6 +51,28 @@ async fn main() -> Result<()> {
}
```

Production clients verify both the AWS Nitro attestation and the enclave's
PCR0 deployment identity. `OpenSecretClient::new` uses pinned official PCR0
values and OpenSecret's signed production and development histories. Custom
deployments can add a static allowlist without replacing official trust:

```rust
let policy = Pcr0TrustPolicy::official().with_additional_pcr0s([
"0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
])?;
let client = OpenSecretClient::new_with_pcr0_trust_policy(
"https://api.opensecret.cloud",
policy,
)?;
```

Use `Pcr0TrustPolicy::from_static_allowlist(...)` to disable remote history and
trust only an explicit custom set. Remote entries are size/time bounded and
must verify against the SDK's hardcoded OpenSecret P-384 signing key. Exact
localhost, loopback, and unspecified-address development endpoints continue to
use mock attestation; Android also supports the exact emulator alias
`10.0.2.2`. Other endpoints must use HTTPS.

## Inference APIs

`send_inference_request` is the lossless inference API. The caller owns the
Expand Down Expand Up @@ -139,7 +161,10 @@ let response = client.login_with_id(
Tokens are automatically stored after login/registration. You can:

```rust
// Get current tokens
// Get one coherent access/refresh pair snapshot
let tokens = client.get_tokens()?;

// Individual reads remain available when a coherent pair is not required
let access_token = client.get_access_token()?;
let refresh_token = client.get_refresh_token()?;

Expand Down
6 changes: 6 additions & 0 deletions rust/src/attestation.rs
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,12 @@ pub struct AttestationDocument {
pub nonce: Option<Vec<u8>>,
}

/// Low-level AWS Nitro document verifier.
///
/// This verifies the certificate chain, document signature, and nonce. Nitro
/// authenticity alone does not identify an OpenSecret deployment. Production
/// callers should use `OpenSecretClient`, which additionally enforces its
/// configured `Pcr0TrustPolicy` before key exchange.
pub struct AttestationVerifier {
expected_pcrs: Option<std::collections::HashMap<usize, Vec<u8>>>,
allow_debug: bool,
Expand Down
Loading
Loading