Custom Extensions
Notary attestations can be extended with custom fields defined by the Prover or the Notary. This allows applications to attach additional data to attestations in a verifiable way.
For now, the default notary server implementation only supports including custom data requested by the Prover in the attestation without any validation. In the future, a plugin system will allow developers to add custom logic to the notary server for adding or validating these data, without needing to modify the notary server code.
Use Cases
- The
Proverincludes their public key to bind the attestation to their identity. - The
Notaryincludes a TEE (Trusted Execution Environment) attestation to prove code integrity. - The
Proverincludes a nullifier to prevent reuse of the attestation.
Example
The following demonstrates how to modify the attestation example to include the Prover's public key as a custom extension.
Prover
The attestation prover is modified as follows:
// ...
let builder = RequestConfig::builder();
builder.extension(Extension {
id: b"prover_public_key".to_vec(),
value: b"PUBLIC_KEY_PEM".to_vec(),
});
let request_config = builder.build()?;
// ...
Note that the Extension's id and value are both Vec<u8>, giving full control over the encoding format.
Notary
The Notary server must be started with allow_extensions enabled:
NS_NOTARIZATION__ALLOW_EXTENSIONS=true cargo run --release
Currently, the notary server does not support adding its own extensions or performing validations on extensions requested by the Prover out of the box. To do so, you’ll need to extend the notary server using the APIs outlined in the API docs.
Verifier
The attestation verifier can be modified to inspect extensions:
// ...
let PresentationOutput {
server_name,
connection_info,
transcript,
mut extensions, // Optionally, verify any custom extensions from the prover or notary.
..
} = presentation.verify(&crypto_provider).unwrap();
let Extension { id, value } = extensions.pop().unwrap();
// Check the prover's public key.
if id.as_slice() == b"prover_public_key" {
let public_key_pem = String::from_utf8(value).unwrap();
// ...
}
// ...
This allows the Verifier to confirm that the attestation is bound to the identity associated with the specified public key.