ANS Trust Verification Library
This library implements the ANS (Agent Name Service) Trust Verification Flow, providing tools for verifying agent identity and trust status.
Overview
The ANS architecture uses a dual-certificate model:
- Public Server Certificate: Issued by a public CA (e.g., Let’s Encrypt)
- Private Identity Certificate: Issued by the ANS Private CA
Verification relies on:
- DNS _ans-badge TXT records pointing to the transparency log (with _ra-badge fallback)
- Transparency Log API returning badges with status and certificate fingerprints
- Certificate fingerprint comparison
- Optional DANE/TLSA verification for additional DNS-based certificate binding
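The flow in the list above, modelled end to end as an added example (not the ans_verify crate's own code): a DNS lookup that tries _ans-badge before falling back to _ra-badge, a transparency-log lookup keyed by the URL in the TXT record, a badge status gate, and a fingerprint comparison. The stand-in types, the "active" status value and the TXT record carrying a bare log URL are assumptions; the observed fingerprint is taken as already computed by the caller, as CertIdentity would do in the crate.

```rust
use std::collections::HashMap;

/// Outcome of the flow; shaped after the crate's VerificationOutcome variants.
#[derive(Debug, PartialEq)]
pub enum Outcome {
    Verified { agent: String },
    NotAnsAgent,
    BadgeNotFound,
    BadgeNotActive(String),
    FingerprintMismatch,
}

/// Constructed stand-in for a badge returned by the Transparency Log API.
pub struct Badge { pub agent: String, pub status: String, pub fingerprint: String }

/// Stand-in DNS lookup: `_ans-badge.<fqdn>` TXT first, `_ra-badge.<fqdn>` as fallback.
/// The TXT value is modelled as the transparency log URL for this agent (assumption).
pub fn lookup_badge_txt(dns: &HashMap<String, String>, fqdn: &str) -> Option<String> {
    ["_ans-badge", "_ra-badge"]
        .iter()
        .find_map(|label| dns.get(&format!("{label}.{fqdn}")).cloned())
}

/// Compare two SHA256:<hex> fingerprints: normalise case and prefix, then compare every
/// byte without an early exit so timing does not reveal where the mismatch is.
pub fn fingerprint_matches(expected: &str, observed: &str) -> bool {
    let norm = |s: &str| s.trim().to_ascii_lowercase().trim_start_matches("sha256:").to_string();
    let (a, b) = (norm(expected), norm(observed));
    a.len() == b.len() && a.bytes().zip(b.bytes()).fold(0u8, |d, (x, y)| d | (x ^ y)) == 0
}

/// DNS -> transparency log -> status gate -> fingerprint comparison. `observed_fp` is the
/// fingerprint of the certificate seen in the TLS handshake; "active" is an assumed status.
pub fn verify_server(
    dns: &HashMap<String, String>,
    tlog: &HashMap<String, Badge>,
    fqdn: &str,
    observed_fp: &str,
) -> Outcome {
    let Some(tlog_url) = lookup_badge_txt(dns, fqdn) else { return Outcome::NotAnsAgent };
    let Some(badge) = tlog.get(&tlog_url) else { return Outcome::BadgeNotFound };
    if badge.status != "active" {
        return Outcome::BadgeNotActive(badge.status.clone());
    }
    if !fingerprint_matches(&badge.fingerprint, observed_fp) {
        return Outcome::FingerprintMismatch;
    }
    Outcome::Verified { agent: badge.agent.clone() }
}
```

A host with no badge record at either label is reported as NotAnsAgent rather than as a failure, matching the distinction the Quick Start makes between an unregistered host and a failed verification.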
Quick Start
```rust
use ans_verify::{AnsVerifier, VerificationOutcome, CertIdentity};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let verifier = AnsVerifier::new().await?;

    // After TLS handshake, extract server certificate and verify
    let cert_der: &[u8] = &[]; // Your certificate bytes
    let cert_identity = CertIdentity::from_der(cert_der)?;

    let outcome = verifier
        .verify_server("agent.example.com", &cert_identity)
        .await;

    match outcome {
        VerificationOutcome::Verified { badge, .. } => {
            println!("Verified ANS agent: {}", badge.agent_name());
        }
        VerificationOutcome::NotAnsAgent { fqdn } => {
            println!("Not a registered ANS agent: {}", fqdn);
        }
        _ => println!("Verification failed"),
    }
    Ok(())
}
```

Features
- DNS-based badge discovery via _ans-badge TXT records (with _ra-badge fallback)
- Transparency Log API integration for badge retrieval
- Certificate fingerprint verification (SHA-256)
- Optional DANE/TLSA verification with configurable policies
- DNSSEC validation support
- Configurable DNS resolvers (System, Cloudflare, Google, Quad9)
- Response caching with configurable TTL
- Async-first design with tokio
- Optional rustls integration for TLS handshake verification
Structs
- AgentEvent - Agent event containing all registration/verification details.
- AgentInfo - Basic agent information.
- AnsName - An ANS Name URI (e.g., ans://v1.0.0.agent.example.com).
- AnsVerifier - High-level ANS verifier combining server and client verification.
- AnsVerifierBuilder - Builder for AnsVerifier.
- Attestations - Certificate attestations.
- AuditResponse - Audit response from the transparency log.
- Badge - Full badge response from the Transparency Log API.
- BadgeCache - Badge cache with TTL support.
- BadgePayload - Badge payload containing the producer and signed event.
- BadgeRecord - Parsed badge TXT record from _ans-badge or _ra-badge DNS records.
- CacheConfig - Cache configuration.
- CachedBadge - Cached badge entry with metadata.
- CertAttestation - Certificate attestation with fingerprint and type.
- CertFingerprint - SHA-256 certificate fingerprint in SHA256:<hex> format.
- CertIdentity - Extracted identity information from a certificate.
- ClientVerifier - Client verifier for servers verifying mTLS agent clients.
- Fqdn - A Fully Qualified Domain Name (FQDN).
- HickoryDnsResolver - DNS resolver implementation using hickory-resolver.
- HttpError - HTTP transport error wrapper.
- HttpTransparencyLogClient - HTTP-based Transparency Log client.
- MerkleProof - Merkle proof for transparency log inclusion verification.
- Producer - Producer information with the agent event and signature.
- ServerVerifier - Server verifier for clients verifying agent servers.
- TlsaRecord - A parsed TLSA record.
- Version - A semantic version (e.g., v1.0.0).
Enums
- AnsError - Top-level error type for ANS operations.
- BadgeStatus - Badge status values.
- CacheKey - Cache key for badge lookups.
- CryptoError - Certificate and cryptographic errors.
- DaneError - DANE/TLSA verification errors.
- DanePolicy - DANE verification policy.
- DaneVerificationResult - Result of DANE verification.
- DnsError - DNS-specific errors.
- DnsResolverConfig - Well-known DNS resolver configurations.
- EventType - Event types for badge events.
- FailurePolicy - Failure handling policy.
- ParseError - Parse errors for various types.
- TlogError - Transparency log API errors.
- TlsaMatchingType - TLSA matching type field values (RFC 6698).
- TlsaSelector - TLSA selector field values (RFC 6698).
- TlsaUsage - TLSA certificate usage field values (RFC 6698).
- VerificationError - Verification logic errors.
- VerificationOutcome - Result of a verification operation.
Traits
- DnsResolver - DNS resolver trait for looking up badge records and TLSA records.
- TransparencyLogClient - Transparency Log API client trait.
Type Aliases
- AnsResult - Result type alias using AnsError.