Description
The plan is that clients will verify attestations from a custom certificate verifier, which implements `rustls::client::danger::ServerCertVerifier`.
`verify_server_cert` is synchronous, but `AttestationVerifier::verify_attestation` is async:
`attested-tls/crates/attestation/src/lib.rs`, line 282 in 117e951: `pub async fn verify_attestation(`
We could get around this using something like:
```rust
tokio::task::block_in_place(|| {
    tokio::runtime::Handle::current().block_on(async {
        attestation_verifier::verify_attestation(...).await
    })
})
```
This works but since it blocks, it doesn't play nice with the tokio runtime.
The reason `verify_attestation` is async is only for the collateral-fetching. Ideally collateral-fetching should never be done on the hot path, and I am currently working on a cache for this which should mean that in practice we never have to wait for collateral at the point of attestation verification.
But there are a couple of edge-cases:
- If for whatever reason we get an attestation with a surprise FMSPC which is not in our cache, the right thing to do would be to fetch it rather than bail. Theoretically this should not happen but we have to somehow handle this case.
- Sometimes we want a one-shot verification where it doesn't make sense to pre-fetch all relevant collateral. E.g. the Buildernet attested-get case, where we have a process which will do just one verification.
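
An added example (not code from the attested-tls repository) of the cache-first lookup described above: a hit is served without I/O, and a surprise FMSPC is fetched on a separate thread under a deadline, failing closed if nothing arrives. `CollateralCache`, `Fetcher`, `LookupError`, `KNOWN` and the blocking fetcher are hypothetical names; only the standard library is used.

```rust
use std::collections::HashMap;
use std::sync::{mpsc, Arc, Mutex};
use std::{thread, time::Duration};

// Hypothetical stand-ins, not the attested-tls crate's real types.
pub type Fmspc = [u8; 6];
pub type Collateral = String;
pub type Fetcher = Arc<dyn Fn(Fmspc) -> Option<Collateral> + Send + Sync>;
pub const KNOWN: Fmspc = [0, 1, 2, 3, 4, 5]; // constructed sample value

#[derive(Debug, PartialEq)]
pub enum LookupError { NoCollateral, Unavailable }

pub struct CollateralCache {
    entries: Mutex<HashMap<Fmspc, Collateral>>,
    fetch: Fetcher,     // blocking fetch (assumed wrapper around the real async one)
    deadline: Duration, // upper bound on how long a cache miss may stall a handshake
}

impl CollateralCache {
    pub fn new(fetch: Fetcher, deadline: Duration) -> Self {
        Self { entries: Mutex::new(HashMap::new()), fetch, deadline }
    }
    pub fn insert(&self, f: Fmspc, c: Collateral) { self.entries.lock().unwrap().insert(f, c); }
    /// Synchronous lookup, callable from a sync verifier callback.
    pub fn get_or_fetch(&self, fmspc: Fmspc) -> Result<Collateral, LookupError> {
        // Hot path: pre-fetched collateral, no I/O.
        if let Some(hit) = self.entries.lock().unwrap().get(&fmspc).cloned() {
            return Ok(hit);
        }
        // Surprise FMSPC: fetch on a separate thread and wait with a deadline.
        let (tx, rx) = mpsc::channel();
        let fetch = Arc::clone(&self.fetch);
        thread::spawn(move || { let _ = tx.send(fetch(fmspc)); });
        match rx.recv_timeout(self.deadline) {
            Ok(Some(c)) => { self.insert(fmspc, c.clone()); Ok(c) }
            Ok(None) => Err(LookupError::NoCollateral),
            // Timed out or fetcher died: fail closed, never accept without collateral.
            Err(_) => Err(LookupError::Unavailable),
        }
    }
}

fn main() {
    let fetch: Fetcher = Arc::new(|f: Fmspc| (f == KNOWN).then(|| "tcb-info".to_string()));
    let cache = CollateralCache::new(fetch, Duration::from_millis(200));
    println!("{:?}", cache.get_or_fetch(KNOWN));  // miss, fetched, then cached
    println!("{:?}", cache.get_or_fetch([9; 6])); // unknown FMSPC is rejected
}
```

The calling thread still waits on a miss, but only up to `deadline`, and the fetch itself never runs on the thread that is performing the handshake.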