Function signature
pub async fn atls_connect<S>(
stream: S,
server_name: &str,
policy: Policy,
alpn: Option<Vec<String>>,
) -> Result<(TlsStream<S>, Report), AtlsVerificationError>
where
S: AsyncByteStream + 'static,
Description
Establishes a TLS connection with attestation verification in a single operation. This high-level function combines:
- TLS handshake with CA certificate verification
- Server leaf certificate capture
- Verifier creation from policy
- Attestation verification over the TLS stream
- Returns the verified TLS stream and attestation report
Parameters
The underlying transport stream (e.g., TcpStream). Must implement AsyncByteStream.
The server hostname for TLS SNI and verification.
The attestation policy determining verifier and configuration. See Policy types. Optional ALPN protocols (e.g., ["http/1.1", "h2"]).
Return type
Returns a tuple on success:The established TLS stream ready for encrypted communication.
Error handling
Returns AtlsVerificationError if:
- TLS handshake fails
- Certificate verification fails
- Attestation verification fails
- Policy configuration is invalid
See Error handling for complete error variants.
Usage examples
Basic usage with development policy
use atlas_rs::{atls_connect, Policy, DstackTdxPolicy};
async fn connect_to_tee() -> Result<(), Box<dyn std::error::Error>> {
// Connect with development policy (relaxed TCB status)
let tcp = tokio::net::TcpStream::connect("tee.example.com:443").await?;
let policy = Policy::DstackTdx(DstackTdxPolicy::dev());
let (tls_stream, report) = atls_connect(tcp, "tee.example.com", policy, None).await?;
// Access report data via pattern matching
match &report {
atlas_rs::Report::Tdx(tdx_report) => {
println!("TCB Status: {}", tdx_report.status);
}
}
Ok(())
}
Production usage with custom policy
use atlas_rs::{atls_connect, Policy, DstackTdxPolicy};
use atlas_rs::tdx::ExpectedBootchain;
async fn connect_with_verification() -> Result<(), Box<dyn std::error::Error>> {
let tcp = tokio::net::TcpStream::connect("tee.example.com:443").await?;
// Create policy with expected measurements
let policy = Policy::DstackTdx(DstackTdxPolicy {
expected_bootchain: Some(ExpectedBootchain {
mrtd: "abc123...".to_string(),
rtmr0: "def456...".to_string(),
rtmr1: "ghi789...".to_string(),
rtmr2: "jkl012...".to_string(),
}),
allowed_tcb_status: vec!["UpToDate".to_string()],
..Default::default()
});
let (tls_stream, report) = atls_connect(tcp, "tee.example.com", policy, None).await?;
// Use tls_stream for encrypted communication
Ok(())
}
With ALPN protocols
use atlas_rs::{atls_connect, Policy, DstackTdxPolicy};
async fn connect_with_alpn() -> Result<(), Box<dyn std::error::Error>> {
let tcp = tokio::net::TcpStream::connect("tee.example.com:443").await?;
let policy = Policy::DstackTdx(DstackTdxPolicy::dev());
// Specify ALPN protocols
let alpn = Some(vec!["h2".to_string(), "http/1.1".to_string()]);
let (tls_stream, report) = atls_connect(tcp, "tee.example.com", policy, alpn).await?;
Ok(())
}
Loading policy from JSON
use atlas_rs::{atls_connect, Policy};
async fn connect_with_json_policy() -> Result<(), Box<dyn std::error::Error>> {
let tcp = tokio::net::TcpStream::connect("tee.example.com:443").await?;
// Load policy from JSON configuration
let json = r#"{
"type": "dstack_tdx",
"allowed_tcb_status": ["UpToDate", "SWHardeningNeeded"]
}"#;
let policy: Policy = serde_json::from_str(json)?;
let (tls_stream, report) = atls_connect(tcp, "tee.example.com", policy, None).await?;
Ok(())
}
- Native: Uses
tokio_rustls::client::TlsStream
- WASM: Uses
futures_rustls::client::TlsStream
The appropriate implementation is selected at compile time via conditional compilation.
See also