An implementation of the notary server in Rust.
This crate is currently under active development and should not be used in production. Expect bugs and regular major breaking changes.
- When running this server against a prover (e.g. Rust or browser extension), please ensure that the prover's version is the same as the version of this server
- When running this server in a production environment, please first read this page
- When running this server in a local environment with a browser extension, please turn off this server's TLS in the config (refer here)
- Configure the server setting in this config file — refer here for more information on the definition of the setting parameters.
- Start the server by running the following in a terminal at the root of this crate.
cargo run --release- To use a config file from a different location, run the following command to override the default config file location.
cargo run --release -- --config-file <path-of-new-config-file>There are two ways to obtain the notary server's Docker image:
- Obtain the latest image with:
docker pull ghcr.io/tlsnotary/tlsn/notary-server:latest- Run the docker container with:
docker run --init -p 127.0.0.1:7047:7047 ghcr.io/tlsnotary/tlsn/notary-server:latest- If you want to change the default configuration, create a
configfolder locally, that contains aconfig.yaml, whose content follows the format of the default config file here. - Instead of step 2, run the docker container with the following (remember to change the port mapping if you have changed that in the config):
docker run --init -p 127.0.0.1:7047:7047 -v <your config folder path>:/root/.notary-server/config ghcr.io/tlsnotary/tlsn/notary-server:latest- Configure the server setting in this config file.
- Build the docker image by running the following in a terminal at the root of this repository.
docker build . -t notary-server:local -f notary-server/notary-server.Dockerfile- Run the docker container and specify the port specified in the config file, e.g. for the default port 7047
docker run --init -p 127.0.0.1:7047:7047 notary-server:local- Instead of changing the key/cert/auth file path(s) in the config file, create a folder containing your key/cert/auth files by following the folder structure here.
- When launching the docker container, mount your folder onto the docker container at the relevant path prefixed by
/root/.notary-server.
- Example 1: Using different key, cert, and auth files:
docker run --init -p 127.0.0.1:7047:7047 -v <your folder path>:/root/.notary-server/fixture notary-server:local- Example 2: Using different key for notarization:
docker run --init -p 127.0.0.1:7047:7047 -v <your folder path>:/root/.notary-server/fixture/notary notary-server:localAll APIs are TLS-protected, hence please use https:// or wss://.
Defined in the OpenAPI specification.
To perform notarization using the session id (unique id returned upon calling the /session endpoint successfully).
sessionId
String
The default logging strategy of this server is set to DEBUG verbosity level for the crates that are useful for most debugging scenarios, i.e. using the following filtering logic:
notary_server=DEBUG,tlsn_verifier=DEBUG,tls_mpc=DEBUG,tls_client_async=DEBUG
In the config file, one can toggle the verbosity level for these crates using the level field under logging.
One can also provide custom filtering logic by adding a filter field under logging in the config file above, and use a value that follows tracing crate's filter directive syntax.
The main objective of a notary server is to perform notarization together with a prover. In this case, the prover can either be
- TCP client — which has access and control over the transport layer, i.e. TCP
- WebSocket client — which has no access over TCP and instead uses WebSocket for notarization
To perform notarization, some parameters need to be configured by the prover and notary server (more details in the OpenAPI specification), i.e.
- maximum transcript size
- unique session id
To streamline this process, a single HTTP endpoint (/session) is used by both TCP and WebSocket clients.
After calling the configuration endpoint above, prover can proceed to start notarization. For TCP client, that means calling the /notarize endpoint using HTTP (https), while WebSocket client should call the same endpoint but using WebSocket (wss). Example implementations of these clients can be found in the integration test.
Currently, both the private key (and cert) used to establish TLS connection with prover, and the private key used by notary server to sign the notarized transcript, are hardcoded PEM keys stored in this repository. Though the paths of these keys can be changed in the config (notary-key field) to use different keys instead.
An optional authorization module is available to only allow requests with valid API key attached in the authorization header. The API key whitelist path (as well as the flag to enable/disable this module) can be changed in the config (authorization field).
Hot reloading of the whitelist is supported, i.e. modification of the whitelist file will be automatically applied without needing to restart the server. Please take note of the following
- Avoid using auto save mode when editing the whitelist to prevent spamming hot reloads
- Once the edit is saved, ensure that it has been reloaded successfully by checking the server log
TLS between prover and notary is currently manually handled in the server, though it can be turned off if any of the following is true
- This server is run locally
- TLS is to be handled by an external environment, e.g. reverse proxy, cloud setup
The toggle to turn on/off TLS is in the config (tls field).
Axum is chosen as the framework to serve HTTP and WebSocket requests from the prover clients due to its rich and well supported features, e.g. native integration with Tokio/Hyper/Tower, customizable middleware, ability to support lower level integration of TLS (example). To simplify the notary server setup, a single Axum router is used to support both HTTP and WebSocket connections, i.e. all requests can be made to the same port of the notary server.
Axum's internal implementation of WebSocket uses tokio_tungstenite, which provides a WebSocket struct that doesn't implement AsyncRead and AsyncWrite. Both these traits are required by TLSN core libraries for prover and notary. To overcome this, a slight modification of Axum's implementation of WebSocket is used, where async_tungstenite is used instead so that ws_stream_tungstenite can be used to wrap on top of the WebSocket struct to get AsyncRead and AsyncWrite implemented.