Add inner TLS session only support to proxy client

src/attested_get.rs

@@ -86,6 +86,7 @@ mod tests {
                 },
             }),
             Some("127.0.0.1:0"),
+            None,
             target_addr.to_string(),
             AttestationGenerator::new(AttestationType::DcapTdx, None).unwrap(),
             AttestationVerifier::expect_none(),

src/file_server.rs

@@ -7,16 +7,42 @@ use std::{net::SocketAddr, path::PathBuf};
 use tokio::net::ToSocketAddrs;
 use tower_http::services::ServeDir;
 
+/// Configuration for serving a local directory over the attested proxy
+pub struct AttestedFileServerConfig<A> {
+    /// Filesystem path to expose over HTTP
+    pub path_to_serve: PathBuf,
+    /// TLS certificate and key for the optional outer listener
+    pub outer_cert_and_key: Option<TlsCertAndKey>,
+    /// Bind address for the optional outer nested-TLS listener
+    pub outer_listen_addr: Option<A>,
+    /// Bind address for the optional inner attested-TLS listener
+    pub inner_listen_addr: Option<A>,
+    /// Certificate name to embed in the inner attested certificate
+    pub inner_certificate_name: Option<String>,
+    /// Attestation generator used by the proxy server
+    pub attestation_generator: AttestationGenerator,
+    /// Attestation verifier used for the remote peer
+    pub attestation_verifier: AttestationVerifier,
+    /// Whether inner TLS should require client authentication
+    pub client_auth: bool,
+}
+
 /// Setup a static file server serving the given directory, and a proxy server targetting it
-pub async fn attested_file_server(
-    path_to_serve: PathBuf,
-    outer_cert_and_key: Option<TlsCertAndKey>,
-    outer_listen_addr: Option<impl ToSocketAddrs>,
-    inner_listen_addr: Option<impl ToSocketAddrs>,
-    attestation_generator: AttestationGenerator,
-    attestation_verifier: AttestationVerifier,
-    client_auth: bool,
-) -> Result<(), ProxyError> {
+pub async fn attested_file_server<A>(config: AttestedFileServerConfig<A>) -> Result<(), ProxyError>
+where
+    A: ToSocketAddrs,
+{
+    let AttestedFileServerConfig {
+        path_to_serve,
+        outer_cert_and_key,
+        outer_listen_addr,
+        inner_listen_addr,
+        inner_certificate_name,
+        attestation_generator,
+        attestation_verifier,
+        client_auth,
+    } = config;
+
     let target_addr = static_file_server(path_to_serve).await?;
     let outer_session = match (outer_cert_and_key, outer_listen_addr) {
         (Some(cert_and_key), Some(listen_addr)) => Some(OuterTlsConfig {
@@ -32,6 +58,7 @@ pub async fn attested_file_server(
     let server = ProxyServer::new(
         outer_session,
         inner_listen_addr,
+        inner_certificate_name,
         target_addr.to_string(),
         attestation_generator,
         attestation_verifier,
@@ -121,6 +148,7 @@ mod tests {
                 },
             }),
             Some("127.0.0.1:0"),
+            None,
             target_addr.to_string(),
             AttestationGenerator::new(AttestationType::DcapTdx, None).unwrap(),
             AttestationVerifier::expect_none(),

src/http_version.rs

@@ -9,6 +9,7 @@ pub const ALPN_HTTP11: &[u8] = b"http/1.1";
 
 type ProxyClientTlsStream =
     tokio_rustls::client::TlsStream<tokio_rustls::client::TlsStream<tokio::net::TcpStream>>;
+type ProxyClientInnerOnlyTlsStream = tokio_rustls::client::TlsStream<tokio::net::TcpStream>;
 
 /// Supported HTTP versions
 #[derive(Debug)]
@@ -60,12 +61,21 @@ type Http2Sender = hyper::client::conn::http2::SendRequest<hyper::body::Incoming
 
 type Http1Connection =
     hyper::client::conn::http1::Connection<TokioIo<ProxyClientTlsStream>, hyper::body::Incoming>;
+type Http1InnerOnlyConnection = hyper::client::conn::http1::Connection<
+    TokioIo<ProxyClientInnerOnlyTlsStream>,
+    hyper::body::Incoming,
+>;
 
 type Http2Connection = hyper::client::conn::http2::Connection<
     TokioIo<ProxyClientTlsStream>,
     hyper::body::Incoming,
     crate::TokioExecutor,
 >;
+type Http2InnerOnlyConnection = hyper::client::conn::http2::Connection<
+    TokioIo<ProxyClientInnerOnlyTlsStream>,
+    hyper::body::Incoming,
+    crate::TokioExecutor,
+>;
 
 /// A protocol version agnostic HTTP sender
 pub enum HttpSender {
@@ -102,7 +112,9 @@ pin_project_lite::pin_project! {
     #[project = HttpConnectionProj]
     pub enum HttpConnection {
         Http1 { #[pin] inner: Http1Connection },
+        Http1InnerOnly { #[pin] inner: Http1InnerOnlyConnection },
         Http2 { #[pin] inner: Http2Connection },
+        Http2InnerOnly { #[pin] inner: Http2InnerOnlyConnection },
     }
 }
 
@@ -118,13 +130,27 @@ impl From<Http2Connection> for HttpConnection {
     }
 }
 
+impl From<Http1InnerOnlyConnection> for HttpConnection {
+    fn from(inner: Http1InnerOnlyConnection) -> Self {
+        Self::Http1InnerOnly { inner }
+    }
+}
+
+impl From<Http2InnerOnlyConnection> for HttpConnection {
+    fn from(inner: Http2InnerOnlyConnection) -> Self {
+        Self::Http2InnerOnly { inner }
+    }
+}
+
 impl Future for HttpConnection {
     type Output = Result<(), hyper::Error>;
 
     fn poll(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<Self::Output> {
         match self.project() {
             HttpConnectionProj::Http1 { inner } => inner.poll(cx),
+            HttpConnectionProj::Http1InnerOnly { inner } => inner.poll(cx),
             HttpConnectionProj::Http2 { inner } => inner.poll(cx),
+            HttpConnectionProj::Http2InnerOnly { inner } => inner.poll(cx),
         }
     }
 }