Verification Libraries
Multi-language libraries for verifying attested connections, available in Python, Go, Rust, TypeScript, and C#.
The RA-TLS Clients provide verification libraries in five languages, enabling any application to connect to an RA-TLS server and verify its attestation, whether it is an Enclave OS instance or a Privasys Platform deployment.
Repositories: ratls-client-go, ratls-client-rs, ratls-client-py
Available Clients
| Language | Package | Status |
|---|---|---|
| Python | ra-tls-verify | ✅ Full verification |
| Go | ratls | ✅ Full verification |
| Rust | ra-tls-verify | ✅ Full verification |
| TypeScript | @privasys/ra-tls | ✅ Full verification |
| C# | Privasys.RaTls | ✅ Full verification |
Verification Flow
All clients follow the same verification logic described in Attestation and RA-TLS:
```text
 1. Connect to the RA-TLS server via TLS
        │
        ▼
 2. Extract the server's X.509 certificate
        │
        ▼
 3. Parse the SGX/TDX Quote from extension
    OID 1.2.840.113741.1.13.1.0
        │
        ▼
 4. Verify the quote signature against
    Intel's DCAP root of trust
        │
        ▼
 5. Check MRENCLAVE (SGX) or MRTD (TDX)
    against expected value
        │
        ▼
 6. Recompute ReportData:
    SHA-512(SHA-256(SPKI_DER) || binding)
    and compare with quote's ReportData
        │
        ▼
 7. Check the Image Profile (OID 65230.2.8):
    must be "production" unless the policy
    explicitly allows debug/dev images
        │
        ▼
 8. (Optional) Extract and verify the
    Config Merkle Root from OID 65230.1.1
        │
        ▼
 9. (Optional) Extract workload hashes
    from OID 65230.2.* extensions
        │
        ▼
10. Connection is attested ✓
```
Usage Examples
Python
```python
from ra_tls_verify import RaTlsVerifier, SgxPolicy

policy = SgxPolicy(
    mrenclave="a1b2c3d4...",  # Expected MRENCLAVE (hex)
    allow_debug=False,
)
verifier = RaTlsVerifier(policy)
session = verifier.connect("enclave.example.com", 443)
# session is now a verified TLS connection
response = session.get("/api/secrets")
```
Go
```go
import (
	"log"

	"github.com/Privasys/ratls-client-go/ratls"
)

policy := ratls.SgxPolicy{
	MrEnclave:  "a1b2c3d4...",
	AllowDebug: false,
}
conn, err := ratls.Dial("enclave.example.com:443", policy)
if err != nil {
	log.Fatal("Attestation failed:", err)
}
defer conn.Close()
// conn is a verified *tls.Conn
```
Rust
```rust
use ra_tls_verify::{RaTlsVerifier, SgxPolicy};

let policy = SgxPolicy {
    mrenclave: hex::decode("a1b2c3d4...")?,
    allow_debug: false,
};
let verifier = RaTlsVerifier::new(policy);
let stream = verifier.connect("enclave.example.com:443")?;
// stream is a verified TLS stream
```
TypeScript
```typescript
import { RaTlsVerifier, SgxPolicy } from '@privasys/ra-tls';

const policy: SgxPolicy = {
  mrenclave: 'a1b2c3d4...',
  allowDebug: false,
};
const verifier = new RaTlsVerifier(policy);
const response = await verifier.fetch('https://enclave.example.com:443/api/secrets');
```
C#
```csharp
using Privasys.RaTls;

var policy = new SgxPolicy
{
    MrEnclave = "a1b2c3d4...",
    AllowDebug = false
};
var verifier = new RaTlsVerifier(policy);
using var client = verifier.CreateHttpClient();
var response = await client.GetAsync("https://enclave.example.com:443/api/secrets");
```
Verification Policies
Each client supports configurable verification policies:
SGX Policy
| Field | Type | Description |
|---|---|---|
| `mrenclave` | string (hex) | Expected MRENCLAVE measurement. If set, the quote's MRENCLAVE must match exactly. |
| `mrsigner` | string (hex) | Expected MRSIGNER measurement. Alternative to MRENCLAVE; allows any enclave signed by a specific key. |
| `allow_debug` | bool | Whether to accept quotes from debug-mode enclaves. Must be false in production. |
| `min_isv_svn` | u16 | Minimum ISV Security Version Number. Used for rollback protection. |
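How the SGX policy fields above can be evaluated against a quote, as an added example (not code from the Privasys clients): it assumes the standard SGX ECDSA quote layout, and `Policy`, `check_sgx_policy` and `make_quote` are hypothetical names. The quote is constructed and unsigned; in a real verifier these fields are only trustworthy after the signature check in step 4 of the flow.

```python
import struct
from dataclasses import dataclass
from typing import Optional

HDR = 48                   # SGX ECDSA quote: 48-byte header, then 384-byte report body
OFF_FLAGS = HDR + 48       # ATTRIBUTES.flags, 8 bytes little-endian
OFF_MRENCLAVE = HDR + 64   # 32 bytes
OFF_MRSIGNER = HDR + 128   # 32 bytes
OFF_ISV_SVN = HDR + 258    # 2 bytes little-endian
QUOTE_MIN = HDR + 384
FLAG_DEBUG = 0x02          # set when the enclave runs in debug mode


@dataclass
class Policy:  # hypothetical stand-in mirroring the SGX Policy table
    mrenclave: Optional[str] = None
    mrsigner: Optional[str] = None
    allow_debug: bool = False
    min_isv_svn: int = 0


def check_sgx_policy(quote: bytes, policy: Policy) -> list:
    """Return policy violations; an empty list means the quote passes."""
    if len(quote) < QUOTE_MIN:
        return ["quote too short"]
    if policy.mrenclave is None and policy.mrsigner is None:
        return ["policy pins no measurement"]  # this example refuses an empty policy
    errors = []
    for name, off, want in (("mrenclave", OFF_MRENCLAVE, policy.mrenclave),
                            ("mrsigner", OFF_MRSIGNER, policy.mrsigner)):
        if want is not None and quote[off:off + 32] != bytes.fromhex(want):
            errors.append(f"{name} mismatch")
    (flags,) = struct.unpack_from("<Q", quote, OFF_FLAGS)
    (isv_svn,) = struct.unpack_from("<H", quote, OFF_ISV_SVN)
    if flags & FLAG_DEBUG and not policy.allow_debug:
        errors.append("debug enclave rejected")
    if isv_svn < policy.min_isv_svn:
        errors.append("isv_svn below minimum")
    return errors


def make_quote(mrenclave: bytes, mrsigner: bytes, flags: int, svn: int) -> bytes:
    """Constructed, unsigned quote bytes used only to exercise the checks."""
    q = bytearray(QUOTE_MIN)
    struct.pack_into("<Q", q, OFF_FLAGS, flags)
    q[OFF_MRENCLAVE:OFF_MRENCLAVE + 32] = mrenclave
    q[OFF_MRSIGNER:OFF_MRSIGNER + 32] = mrsigner
    struct.pack_into("<H", q, OFF_ISV_SVN, svn)
    return bytes(q)
```

Returning every violation rather than stopping at the first makes a rejected connection easier to diagnose from a single log line.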
TDX Policy
| Field | Type | Description |
|---|---|---|
| `mrtd` | string (hex) | Expected MRTD (Trust Domain measurement). |
| `rtmr` | string[] (hex) | Expected Runtime Measurement Registers (RTMR0-3). |
| `allow_debug_images` | bool | Whether to accept certificates whose Image Profile extension (OID 65230.2.8) is not "production" (e.g. dev images built with SSH and debug tools). Defaults to false and must stay false in production. The check fails closed: any unknown profile value is rejected. Certificates without the extension (images that predate it) are accepted. |
Merkle Root Policy (Optional)
| Field | Type | Description |
|---|---|---|
| `expected_root` | string (hex) | Expected Merkle root hash. If set, the certificate's Merkle root extension must match. |
Challenge Mode
When freshness guarantees are needed, the clients support challenge-response attestation:
- The client generates a random nonce.
- The client sends the nonce in a custom TLS `ClientHello` extension (0xFFBB).
- The server generates a fresh certificate using the nonce as the binding value.
- The client verifies that the quote's `ReportData` contains a hash of both the public key and the nonce.
This proves the certificate was generated in response to this specific connection, preventing replay attacks.
```python
# Python challenge mode example
session = verifier.connect(
    "enclave.example.com", 443,
    mode="challenge"  # Sends random nonce in ClientHello
)
```
Challenge mode requires server support (both Enclave OS and the Privasys Platform support it).
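The ReportData check from step 6 of the verification flow, applied to challenge mode where the binding is the client's nonce, as an added example (not code from the Privasys clients). The function names, the 32-byte nonce length and the SPKI byte strings are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import secrets


def expected_report_data(spki_der: bytes, binding: bytes) -> bytes:
    """SHA-512(SHA-256(SPKI_DER) || binding), as in step 6 of the flow."""
    return hashlib.sha512(hashlib.sha256(spki_der).digest() + binding).digest()


def binding_ok(quote_report_data: bytes, spki_der: bytes, binding: bytes) -> bool:
    """Compare the quote's 64-byte ReportData with the recomputed value."""
    if len(quote_report_data) != 64:
        return False
    return hmac.compare_digest(quote_report_data,
                               expected_report_data(spki_der, binding))


def simulate() -> dict:
    """Constructed scenario: a fresh handshake, a replay, and a swapped key."""
    server_spki = b"constructed SPKI bytes of the enclave TLS key"  # not real DER
    other_spki = b"constructed SPKI bytes of a different key"       # not real DER

    # ReportData from an earlier connection, bound to that connection's nonce.
    old_nonce = secrets.token_bytes(32)
    old_report_data = expected_report_data(server_spki, old_nonce)

    # This connection: the client picks a new nonce, the server binds to it.
    nonce = secrets.token_bytes(32)
    fresh_report_data = expected_report_data(server_spki, nonce)

    return {
        # Certificate generated for this nonce and this key: accepted.
        "fresh": binding_ok(fresh_report_data, server_spki, nonce),
        # Old certificate presented again: its nonce is stale, so rejected.
        "replayed_certificate": binding_ok(old_report_data, server_spki, nonce),
        # Valid quote paired with a different TLS key: rejected.
        "substituted_key": binding_ok(fresh_report_data, other_spki, nonce),
    }
```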
Test Certificates
The repository includes test certificates with pre-generated SGX quotes for development and testing without SGX hardware. These certificates have a known MRENCLAVE and are signed with a debug key.
```python
# Load test certificate for offline verification testing
from ra_tls_verify.testing import load_test_cert

cert = load_test_cert("sgx_debug")
result = verifier.verify_certificate(cert)
assert result.mrenclave == "expected_test_mrenclave..."
```
Each client is independently packaged and published to the respective language's package registry.