This is a production-grade implementation of the TEE + MPC protocol for secure TLS communication with split AEAD processing. The system enables users to prove data from HTTPS websites while maintaining privacy through redaction capabilities and zero-knowledge proofs.
The codebase is organized into multiple components for modularity and maintainability:
reclaim-tee/
├── tee_k/ # TEE_K service (key holder)
│ ├── main.go # Service entry point
│ ├── tee_k.go # Core TEE_K logic
│ ├── session_manager.go
│ ├── tls_handlers.go
│ ├── crypto.go
│ ├── attestation.go
│ └── ...
├── tee_t/ # TEE_T service (tag computation)
│ ├── main.go # Service entry point
│ ├── tee_t.go # Core TEE_T logic
│ ├── crypto_handlers.go
│ ├── attestation.go
│ └── ...
├── demo_standalone/ # Standalone client application
│ └── main.go # Client entry point
├── client/ # Client library package
│ └── client.go # Client implementation
├── minitls/ # Custom TLS implementation
│ ├── client.go
│ ├── client12.go
│ ├── crypto12.go
│ ├── handshake12.go
│ └── ...
├── shared/ # Shared utilities and services
│ ├── attestation_*.go
│ ├── kms_*.go
│ ├── cert_*.go
│ ├── logger.go
│ └── ...
├── lib/ # Shared C library (libreclaim.so)
│ ├── libreclaim.go # CGO implementation
│ ├── libreclaim.h # C header
│ └── Makefile
├── demo_lib/ # Sample app using shared library
├── proxy/ # HTTP/HTTPS proxy service
│ ├── main.go
│ ├── http_router.go
│ ├── https_router.go
│ ├── kms_proxy.go
│ └── go.mod # Separate module
├── proto/ # Protocol buffer definitions
│ ├── common.proto
│ ├── transport.proto
│ ├── attestor_api.proto
│ └── ...
├── providers/ # Provider implementations
│ ├── http.go
│ ├── http_parser.go
│ └── validation.go
├── proofverifier/ # Proof verification logic
├── circuits/ # ZK circuit files (proving keys, R1CS)
├── deploy/ # Deployment configurations
├── bin/ # Compiled executables (created by build.sh)
│ ├── tee_k
│ ├── tee_t
│ ├── client
│ └── proxy
├── build.sh # Build script for all services
├── demo.sh # Demo orchestration script
├── lib.sh # Shared library build/run script
├── go.mod # Go module configuration
└── README.md # This file
-
TEE_K (tee_k/) - Key holder TEE service that manages TLS connections
- Handles TLS handshake with target websites
- Performs encryption operations with actual keys
- Manages session state and WebSocket connections
- Provides attestation capabilities
- Runs on port 8080 by default
-
TEE_T (tee_t/) - Tag computation TEE service for authentication
- Computes and verifies authentication tags
- Assists in split AEAD processing without key access
- Handles transcript generation
- Provides independent attestation
- Runs on port 8081 by default
-
Client (demo_standalone/) - Orchestrates the protocol
- Establishes secure WebSocket connections with both TEEs
- Manages request redaction and response verification
- Initializes ZK circuits for OPRF proofs
- Generates final proof transcripts
-
Proxy (proxy/) - HTTP/HTTPS proxy service for protocol mediation
- Routes requests between clients and TEE services
- Provides KMS and CloudWatch proxy functionality
- Separate Go module with independent deployment
-
Shared Library (lib/) - C-compatible library (libreclaim.so)
- Enables integration with non-Go applications
- Provides FFI bindings for core functionality
-
MiniTLS (minitls/) - Custom TLS 1.2/1.3 implementation
- Supports split AEAD modifications
- Implements required cipher suites
- Enables fine-grained control over TLS operations
-
Providers (providers/) - HTTP parsing and validation
- JSON/XML/XPath positioned parsing
- Response extraction and validation
The recommended way to build is using the build script, which builds all services and generates protobuf code:
./build.shThis will:
- Generate Go code from protocol buffer definitions
- Build TEE_K service →
bin/tee_k - Build TEE_T service →
bin/tee_t - Build Client →
bin/client - Build Proxy →
bin/proxy
You can also build services individually:
# Build TEE_K
cd tee_k && go build -o ../bin/tee_k . && cd ..
# Build TEE_T
cd tee_t && go build -o ../bin/tee_t . && cd ..
# Build Client
cd demo_standalone && go build -o ../bin/client . && cd ..
# Build Proxy (has separate go.mod)
cd proxy && go mod download && go build -o ../bin/proxy . && cd ..To build the shared library for C/Go interop:
./lib.sh buildThis creates lib/libreclaim.so that can be used by other applications.
If you modify .proto files, regenerate Go code:
protoc -I proto --go_out=proto/ --go_opt=paths=source_relative proto/*.protoThe easiest way to run the complete system:
./demo.shThis script will:
- Build all services using
./build.sh - Start TEE_K service on port 8080 (logs to
/tmp/demo_teek.log) - Start TEE_T service on port 8081 (logs to
/tmp/demo_teet.log) - Run the Client which connects to both services
- Execute the full TEE + MPC protocol with a test request
- Display results and shut down gracefully
You can pass additional arguments to configure the demo:
./demo.sh [client-args]Each service can be run independently for development or testing:
# Run TEE_K service
./bin/tee_k [port] # Default: 8080
# Run TEE_T service
./bin/tee_t [port] # Default: 8081
# Run Client (requires TEE_K and TEE_T to be running)
./bin/client [teek_url] # Default: ws://localhost:8080/ws
# Run Proxy service
./bin/proxyTo run the demo using the shared library:
./lib.sh runOr manually:
# Build library first
./lib.sh build
# Set library path and run sample app
cd demo_lib
LD_LIBRARY_PATH=../bin:$LD_LIBRARY_PATH ./sample_app_sharedThis implementation follows the TEE + MPC protocol for privacy-preserving TLS attestation.
- Go 1.25.3 or later
- github.com/gorilla/websocket v1.5.3
- golang.org/x/crypto v0.43.0
- google.golang.org/protobuf v1.36.10
- github.com/reclaimprotocol/zk-symmetric-crypto/gnark
- github.com/ethereum/go-ethereum v1.16.5
- github.com/consensys/gnark v0.14.0
- cloud.google.com/go/kms v1.23.2
- cloud.google.com/go/secretmanager v1.16.0
- cloud.google.com/go/logging v1.13.1
- github.com/anjuna-security/go-nitro-attestation
- github.com/austinast/nitro-enclaves-sdk-go
- github.com/hf/nsm
- github.com/mdlayher/vsock v1.2.1
See go.mod for complete dependency list.
# Run all tests
go test ./...
# Run tests with coverage
go test -cover ./...
# Run specific package tests
go test ./minitls/...
go test ./tee_k/...
go test ./tee_t/...
go test ./providers/...
# Run with verbose output
go test -v ./...# Full integration test via demo
./demo.sh
# Test shared library
./lib.sh run
# Check service logs during demo
tail -f /tmp/demo_teek.log
tail -f /tmp/demo_teet.log# Development mode (disables some security checks)
export DEVELOPMENT=true
# Google Cloud configuration
export GCP_PROJECT_ID=your-project-id
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credentials.json
# AWS configuration for KMS/Secrets Manager
export AWS_REGION=us-east-1
export AWS_ACCESS_KEY_ID=your-access-key
export AWS_SECRET_ACCESS_KEY=your-secret-key
# Nitro Enclave mode
export NITRO_ENCLAVE=true
export PARENT_VSOCK_PORT=5000
# Logging
export LOG_LEVEL=debug # or info, warn, error- Monorepo structure with single
go.modat root (except proxy which has its own) - Each service is independently buildable
- Shared packages (minitls, shared, providers) used across services
- Protocol definitions centralized in
proto/
Core Services: tee_k/, tee_t/, demo_standalone/
Libraries: minitls/, shared/, providers/, client/
Infrastructure: proxy/, lib/, proto/
ZK Circuits: circuits/
Verification: proofverifier/
# Regenerate protobufs after .proto changes
protoc -I proto --go_out=proto/ --go_opt=paths=source_relative proto/*.proto
# Build and test
./build.sh && go test ./...
# Run with debug logging
LOG_LEVEL=debug ./demo.sh
# Format and vet code
go fmt ./...
go vet ./...Service fails to start:
- Check if ports 8080/8081 are available
- Verify protobuf files are generated: run
./build.sh - Check logs:
/tmp/demo_teek.logand/tmp/demo_teet.log
TLS connection failures:
- Ensure target website supports TLS 1.2 or 1.3
- Verify cipher suite compatibility (AES-128-GCM, AES-256-GCM)
- Check certificate validation settings
WebSocket connection errors:
- Ensure TEE services are running before starting client
- Check firewall rules and network connectivity
- Verify WebSocket URLs are correct (default: ws://localhost:8080/ws)
Build failures:
- Run
go mod downloadto fetch dependencies - Ensure Go 1.25.3+ is installed
- Check for missing protoc compiler installation
ZK circuit errors:
- Verify
circuits/directory contains required proving key and R1CS files - Check that .pk and .r1cs files exist for configured algorithms
- Ensure sufficient memory for proof generation