[DO NOT MERGE] Use notary-server
#12
forcing nightly
modified notary server: https://github.com/mhchia/notary-server/tree/work-with-extension

Changes
- websocket connection to notary-server
- HTTP request to /session first and get sessionId
- Craft it through web_sys
- Send HTTP request with `fetch`
- Usually it's done with window, but in web worker there is no window
- Use WebSocket API to establish wss connection to notary server
- Change notary-server to accept a param `sessionId`
- In browser there is no way to add headers, so we couldn't add "X-Session-Id"
- Prover config must use the session id returned from the notary server

Concerns
- Now we have to manually set notary server as trusted since the cert is self-signed.
- rootCert couldn't be added when initiating HTTP request due to browser security config
@mhchia, just a quick thought about 2. Self-signed root cert (this approach requires some changes on the notary-server side)
sry, this is actually a deeper topic. we first need to decide if it is useful to allow the extension to use
@themighty1 thanks a lot for your insights! 😊 Sorry that I didn't add context about the self-signed root. From my understanding from the discussion with @yuroitaki (please feel free to correct me if I misunderstood your points 🙏), it seems like we'll eventually be using an officially signed cert from a proper CA chain for the notary server in production. Given that, I'm thinking it might make sense to connect notary server with
OK, makes sense about assuming that the notary will be using a proper CA-signed cert for now. Note however, for p2p (notary-less) scenarios where the prover proves interactively to the verifier, requiring the verifier to have a CA-signed cert seems unnecessarily burdensome.
@themighty1 Thanks for the input! Now there is already a public notary server with a properly signed cert so it works well now. About the p2p scenario, for websocket on browser to work without verifying certs, I think you're right we would need to go with the TLS over a plain ws as you mentioned
p2p scenario is tracked in #19. Closing this PR since it's stale
Based on #11. For this PR to be ready, we'd need some changes in notary-server.
Issues
1. No way to set `X-Session-Id`
Notary Server expects a header `X-Session-Id` to get `session_id`, but browser WebSocket API doesn't allow setting custom headers. Possible workarounds can be seen here. Promising ones are
1. `sessionId` through the header `Sec-WebSocket-Protocol`
   - `const ws = new WebSocket("wss://127.0.0.1:7047/notarize", ["sessionId", sessionId])`
   - `Sec-WebSocket-Protocol` and get `sessionId`
2. `sessionId` through url params: `const ws = new WebSocket("wss://127.0.0.1:7047/notarize?sessionId={sessionId}")`
   - `sessionId`s

This PR uses option 2 but now I'm leaning towards option 1 since it seems to have fewer side-effects.
2. Self-signed root cert
In the browser, no way to accept root cert when initiating http request, due to browser restriction. Now we can bypass it by manually setting the notary server as trusted.
What is done?
Talk to the notary-server instead of the simple-notary.
Steps to run
Step 1: Fill in twitter message information
tlsn-extension/wasm/prover/src/lib.rs
Lines 43 to 52 in 9f40dc2
Step 2: Open a new terminal. Build and run a websocket proxy
Step 3: Open a new terminal. Run a modified notary server
Step 4: Build the wasm and run the dev server
Step 5: Load built extension
Go to `chrome://extensions`, click `Load unpacked`, select the `build` directory
Step 6: Run notarize
Open the TLSN Extension and click `Notarize`. Check out the console by clicking the `offscreen.html` in the inspect views section in TLSN Extension
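
The two workarounds from issue 1, sketched end to end as an added example (not code from this PR or from notary-server). The function names are hypothetical, and the server-side parsing is written in JavaScript only to show what each option requires the server to validate.

```javascript
// Added example; names below are hypothetical, not notary-server's API.
const MARKER = "sessionId";
// HTTP token characters: the only characters a subprotocol name may contain.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Client side, option 1: arguments for `new WebSocket(url, protocols)`.
function subprotocolArgs(baseUrl, sessionId) {
  if (!TOKEN_RE.test(sessionId) || sessionId === MARKER) {
    throw new Error("sessionId cannot be sent as a subprotocol token");
  }
  return [baseUrl, [MARKER, sessionId]];
}

// Client side, option 2: session id as a percent-encoded query parameter.
function queryUrl(baseUrl, sessionId) {
  const url = new URL(baseUrl);
  url.searchParams.set(MARKER, sessionId);
  return url.toString();
}

// Server side, option 1: recover the id from the Sec-WebSocket-Protocol
// request header, which the browser sends as "sessionId, <id>".
// Returns the id plus the subprotocol to echo in the handshake response,
// or null when the header does not have exactly that shape.
function sessionIdFromSubprotocols(headerValue) {
  if (typeof headerValue !== "string") return null;
  const offered = headerValue.split(",").map((p) => p.trim());
  if (offered.length !== 2 || offered[0] !== MARKER) return null;
  const id = offered[1];
  if (!TOKEN_RE.test(id) || id === MARKER) return null;
  return { sessionId: id, selectedSubprotocol: MARKER };
}

// Server side, option 2: recover the id from the request target.
function sessionIdFromQuery(requestTarget) {
  const url = new URL(requestTarget, "wss://placeholder.invalid");
  const values = url.searchParams.getAll(MARKER);
  // Reject missing, empty or repeated parameters instead of picking one.
  return values.length === 1 && values[0] !== "" ? values[0] : null;
}
```

With option 2 the id is part of the request URL, so it appears wherever URLs are recorded (server access logs, proxies); with option 1 it travels in a handshake header and the server has to select one of the offered subprotocols in its response.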