From e4b7ce74e6470905c31761e06a258eebc316f395 Mon Sep 17 00:00:00 2001 From: peg Date: Thu, 26 Feb 2026 10:09:56 +0100 Subject: [PATCH 1/2] cargo fmt after fixing editor settings --- attestation-provider-server/build.rs | 5 ++++- attestation-provider-server/src/main.rs | 2 +- .../src/attestation/azure/ak_certificate.rs | 2 +- attested-tls/src/attestation/azure/mod.rs | 6 ++++-- attested-tls/src/attestation/azure/nv_index.rs | 2 +- attested-tls/src/attestation/dcap.rs | 4 ++-- attested-tls/src/attestation/measurements.rs | 4 ++-- attested-tls/src/attestation/mod.rs | 4 +++- attested-tls/src/attested_rpc.rs | 8 ++++---- attested-tls/src/lib.rs | 8 ++++---- attested-tls/src/test_helpers.rs | 11 ++++------- attested-tls/src/websockets.rs | 6 +++--- build.rs | 5 ++++- src/attested_get.rs | 2 +- src/file_server.rs | 2 +- src/health_check.rs | 2 +- src/lib.rs | 12 ++++++------ src/main.rs | 17 ++++++++++------- src/normalize_pem.rs | 2 +- src/self_signed.rs | 2 +- src/test_helpers.rs | 8 ++++---- 21 files changed, 62 insertions(+), 52 deletions(-) diff --git a/attestation-provider-server/build.rs b/attestation-provider-server/build.rs index c63463c..beba533 100644 --- a/attestation-provider-server/build.rs +++ b/attestation-provider-server/build.rs @@ -37,7 +37,10 @@ fn emit_git_rerun_hints() { let manifest_dir = PathBuf::from(env::var("CARGO_MANIFEST_DIR").unwrap_or_else(|_| ".".to_owned())); - for git_dir in [manifest_dir.join(".git"), manifest_dir.join("..").join(".git")] { + for git_dir in [ + manifest_dir.join(".git"), + manifest_dir.join("..").join(".git"), + ] { if git_dir.exists() { println!("cargo:rerun-if-changed={}", git_dir.join("HEAD").display()); println!( diff --git a/attestation-provider-server/src/main.rs b/attestation-provider-server/src/main.rs index cb6d46f..b7c5c13 100644 --- a/attestation-provider-server/src/main.rs +++ b/attestation-provider-server/src/main.rs 
@@ -1,6 +1,6 @@ use attestation_provider_server::{attestation_provider_client, attestation_provider_server}; use attested_tls_proxy::attestation::{ - measurements::MeasurementPolicy, AttestationGenerator, AttestationVerifier, + AttestationGenerator, AttestationVerifier, measurements::MeasurementPolicy, }; use clap::{Parser, Subcommand}; use std::{net::SocketAddr, path::PathBuf}; diff --git a/attested-tls/src/attestation/azure/ak_certificate.rs b/attested-tls/src/attestation/azure/ak_certificate.rs index 7efc854..ae2bb55 100644 --- a/attested-tls/src/attestation/azure/ak_certificate.rs +++ b/attested-tls/src/attestation/azure/ak_certificate.rs @@ -1,5 +1,5 @@ //! Generation and verification of AK certificates from the vTPM -use crate::attestation::azure::{nv_index, MaaError}; +use crate::attestation::azure::{MaaError, nv_index}; use once_cell::sync::Lazy; use std::time::Duration; use tokio_rustls::rustls::pki_types::{CertificateDer, TrustAnchor, UnixTime}; diff --git a/attested-tls/src/attestation/azure/mod.rs b/attested-tls/src/attestation/azure/mod.rs index ec82695..63486b1 100644 --- a/attested-tls/src/attestation/azure/mod.rs +++ b/attested-tls/src/attestation/azure/mod.rs @@ -4,7 +4,7 @@ mod nv_index; use ak_certificate::{read_ak_certificate_from_tpm, verify_ak_cert_with_azure_roots}; use az_tdx_vtpm::{hcl, imds, vtpm}; -use base64::{engine::general_purpose::URL_SAFE as BASE64_URL_SAFE, Engine as _}; +use base64::{Engine as _, engine::general_purpose::URL_SAFE as BASE64_URL_SAFE}; use dcap_qvl::QuoteCollateralV3; use num_bigint::BigUint; use openssl::{error::ErrorStack, pkey::PKey}; 
@@ -310,7 +310,9 @@ pub enum MaaError { Hex(#[from] hex::FromHexError), #[error("Attestation Key from HCL runtime claims does not match that from HCL report")] AkFromClaimsNotEqualAkFromHcl, - #[error("Attestation Key from HCL runtime claims does not match that from attestation key certificate")] + #[error( + "Attestation Key from HCL runtime claims does not match that from attestation key certificate" + )] AkFromClaimsNotEqualAkFromCertificate, #[error("WebPKI: {0}")] WebPki(#[from] webpki::Error), diff --git a/attested-tls/src/attestation/azure/nv_index.rs b/attested-tls/src/attestation/azure/nv_index.rs index d1cfe85..2d448ac 100644 --- a/attested-tls/src/attestation/azure/nv_index.rs +++ b/attested-tls/src/attestation/azure/nv_index.rs @@ -1,8 +1,8 @@ use tss_esapi::{ + Context, handles::NvIndexTpmHandle, interface_types::{resource_handles::NvAuth, session_handles::AuthSession}, tcti_ldr::{DeviceConfig, TctiNameConf}, - Context, }; pub fn get_session_context() -> Result { diff --git a/attested-tls/src/attestation/dcap.rs b/attested-tls/src/attestation/dcap.rs index 3cdc01e..2632557 100644 --- a/attested-tls/src/attestation/dcap.rs +++ b/attested-tls/src/attestation/dcap.rs @@ -1,12 +1,12 @@ //! Data Center Attestation Primitives (DCAP) evidence generation and verification -use crate::attestation::{measurements::MultiMeasurements, AttestationError}; +use crate::attestation::{AttestationError, measurements::MultiMeasurements}; use configfs_tsm::QuoteGenerationError; use dcap_qvl::{ + QuoteCollateralV3, collateral::get_collateral_for_fmspc, quote::{Quote, Report}, tcb_info::TcbInfo, - QuoteCollateralV3, }; use thiserror::Error; diff --git a/attested-tls/src/attestation/measurements.rs b/attested-tls/src/attestation/measurements.rs index 384426c..b7c109e 100644 --- a/attested-tls/src/attestation/measurements.rs +++ b/attested-tls/src/attestation/measurements.rs 
@@ -1,10 +1,10 @@ //! Measurements and policy for enforcing them when validating a remote attestation -use crate::attestation::{dcap::DcapVerificationError, AttestationError, AttestationType}; +use crate::attestation::{AttestationError, AttestationType, dcap::DcapVerificationError}; use std::{collections::HashMap, path::PathBuf}; use std::{fmt, fmt::Formatter}; use dcap_qvl::quote::Report; -use http::{header::InvalidHeaderValue, HeaderValue}; +use http::{HeaderValue, header::InvalidHeaderValue}; use serde::Deserialize; use thiserror::Error; diff --git a/attested-tls/src/attestation/mod.rs b/attested-tls/src/attestation/mod.rs index dabdc48..f017f2b 100644 --- a/attested-tls/src/attestation/mod.rs +++ b/attested-tls/src/attestation/mod.rs @@ -206,7 +206,9 @@ impl AttestationGenerator { } #[cfg(not(feature = "azure"))] { - tracing::error!("Attempted to generate an azure attestation but the `azure` feature not enabled"); + tracing::error!( + "Attempted to generate an azure attestation but the `azure` feature not enabled" + ); Err(AttestationError::AttestationTypeNotSupported) } } diff --git a/attested-tls/src/attested_rpc.rs b/attested-tls/src/attested_rpc.rs index e2142e1..0e19c6d 100644 --- a/attested-tls/src/attested_rpc.rs +++ b/attested-tls/src/attested_rpc.rs @@ -1,7 +1,7 @@ //! Provides an attested JSON RPC client based on [alloy_rpc_client::RpcClient] use alloy_rpc_client::RpcClient; use alloy_transport_http::{Http, HyperClient}; -use hyper::{client::conn, Request, Response}; +use hyper::{Request, Response, client::conn}; use hyper_util::rt::TokioIo; use std::{ future::Future, @@ -13,8 +13,8 @@ use thiserror::Error; use tower_service::Service; use crate::{ - attestation::{measurements::MultiMeasurements, AttestationType}, AttestedTlsClient, AttestedTlsError, + attestation::{AttestationType, measurements::MultiMeasurements}, }; /// Supported HTTP versions for RPC connection bootstrapping 
@@ -201,15 +201,15 @@ mod tests { use hyper::service::service_fn; use hyper::{Request, Response, StatusCode}; use hyper_util::rt::TokioIo; - use serde_json::{json, Value}; + use serde_json::{Value, json}; use tokio::net::TcpListener; use super::AttestedRpcClient; use crate::{ + AttestedTlsClient, AttestedTlsServer, attestation::{AttestationGenerator, AttestationType, AttestationVerifier}, test_helpers::{generate_certificate_chain, generate_tls_config}, - AttestedTlsClient, AttestedTlsServer, }; async fn simple_json_rpc_service( diff --git a/attested-tls/src/lib.rs b/attested-tls/src/lib.rs index 0059f3f..70301bd 100644 --- a/attested-tls/src/lib.rs +++ b/attested-tls/src/lib.rs @@ -11,8 +11,8 @@ pub mod attested_rpc; pub mod test_helpers; use crate::attestation::{ - measurements::MultiMeasurements, AttestationError, AttestationExchangeMessage, - AttestationGenerator, AttestationType, AttestationVerifier, + AttestationError, AttestationExchangeMessage, AttestationGenerator, AttestationType, + AttestationVerifier, measurements::MultiMeasurements, }; use parity_scale_codec::{Decode, Encode}; use sha2::{Digest, Sha256}; @@ -26,11 +26,11 @@ use x509_parser::parse_x509_certificate; use std::num::TryFromIntError; use std::sync::Arc; use tokio::io::{AsyncRead, AsyncReadExt, AsyncWrite, AsyncWriteExt}; -use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer, ServerName}; use tokio_rustls::rustls::RootCertStore; +use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer, ServerName}; use tokio_rustls::{ - rustls::{ClientConfig, ServerConfig}, TlsAcceptor, TlsConnector, + rustls::{ClientConfig, ServerConfig}, }; /// This makes it possible to add breaking protocol changes and provide backwards compatibility. diff --git a/attested-tls/src/test_helpers.rs b/attested-tls/src/test_helpers.rs index 47b0ce0..365629e 100644 --- a/attested-tls/src/test_helpers.rs +++ b/attested-tls/src/test_helpers.rs 
@@ -1,14 +1,14 @@ //! Helper functions used in tests use std::{collections::HashMap, net::IpAddr, sync::Arc}; use tokio_rustls::rustls::{ - pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer}, - server::{danger::ClientCertVerifier, WebPkiClientVerifier}, ClientConfig, RootCertStore, ServerConfig, + pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer}, + server::{WebPkiClientVerifier, danger::ClientCertVerifier}, }; use crate::{ - attestation::measurements::{DcapMeasurementRegister, MultiMeasurements}, SUPPORTED_ALPN_PROTOCOL_VERSIONS, + attestation::measurements::{DcapMeasurementRegister, MultiMeasurements}, }; /// Helper to generate a self-signed certificate for testing @@ -67,10 +67,7 @@ pub fn generate_tls_config_with_client_auth( alice_key: PrivateKeyDer<'static>, bob_certificate_chain: Vec>, bob_key: PrivateKeyDer<'static>, -) -> ( - (ServerConfig, ClientConfig), - (ServerConfig, ClientConfig), -) { +) -> ((ServerConfig, ClientConfig), (ServerConfig, ClientConfig)) { let supported_protocols: Vec<_> = SUPPORTED_ALPN_PROTOCOL_VERSIONS .into_iter() .map(|p| p.to_vec()) diff --git a/attested-tls/src/websockets.rs b/attested-tls/src/websockets.rs index 9607e17..7669787 100644 --- a/attested-tls/src/websockets.rs +++ b/attested-tls/src/websockets.rs @@ -2,11 +2,11 @@ use std::{net::SocketAddr, sync::Arc}; use thiserror::Error; use tokio::net::{TcpListener, ToSocketAddrs}; -use tokio_tungstenite::{tungstenite::protocol::WebSocketConfig, WebSocketStream}; +use tokio_tungstenite::{WebSocketStream, tungstenite::protocol::WebSocketConfig}; use crate::{ - attestation::{measurements::MultiMeasurements, AttestationType}, AttestedTlsClient, AttestedTlsError, AttestedTlsServer, + attestation::{AttestationType, measurements::MultiMeasurements}, }; /// Websocket message type re-exported for convenience 
@@ -118,7 +118,7 @@ pub enum AttestedWsError { #[cfg(test)] mod tests { - use futures_util::{sink::SinkExt, StreamExt}; + use futures_util::{StreamExt, sink::SinkExt}; use tokio_tungstenite::tungstenite::protocol::Message; use super::*; diff --git a/build.rs b/build.rs index c63463c..beba533 100644 --- a/build.rs +++ b/build.rs @@ -37,7 +37,10 @@ fn emit_git_rerun_hints() { let manifest_dir = PathBuf::from(env::var("CARGO_MANIFEST_DIR").unwrap_or_else(|_| ".".to_owned())); - for git_dir in [manifest_dir.join(".git"), manifest_dir.join("..").join(".git")] { + for git_dir in [ + manifest_dir.join(".git"), + manifest_dir.join("..").join(".git"), + ] { if git_dir.exists() { println!("cargo:rerun-if-changed={}", git_dir.join("HEAD").display()); println!( diff --git a/src/attested_get.rs b/src/attested_get.rs index 45cdc3f..27e7ad3 100644 --- a/src/attested_get.rs +++ b/src/attested_get.rs @@ -69,10 +69,10 @@ async fn attested_get_with_client( mod tests { use super::*; use crate::{ + ProxyServer, attestation::AttestationType, file_server::static_file_server, test_helpers::{generate_certificate_chain, generate_tls_config}, - ProxyServer, }; use tempfile::tempdir; diff --git a/src/file_server.rs b/src/file_server.rs index 2170127..bce4804 100644 --- a/src/file_server.rs +++ b/src/file_server.rs @@ -52,7 +52,7 @@ pub(crate) async fn static_file_server(path: PathBuf) -> Result anyhow::Result<()> { ), None => None, }; - let cert_chain = - get_tls_cert(server, attestation_verifier, remote_tls_cert, allow_self_signed) - .await?; + let cert_chain = get_tls_cert( + server, + attestation_verifier, + remote_tls_cert, + allow_self_signed, + ) + .await?; println!("{}", certs_to_pem_string(&cert_chain)?); } CliCommand::AttestedFileServer { diff --git a/src/normalize_pem.rs b/src/normalize_pem.rs index 671094f..810e9d4 100644 --- a/src/normalize_pem.rs +++ b/src/normalize_pem.rs 
@@ -1,4 +1,4 @@ -use anyhow::{anyhow, bail, Result}; +use anyhow::{Result, anyhow, bail}; use pkcs8::EncodePrivateKey; use std::io::Cursor; use tokio_rustls::rustls::pki_types::{PrivateKeyDer, PrivatePkcs8KeyDer}; diff --git a/src/self_signed.rs b/src/self_signed.rs index 2d2b3bb..e41e826 100644 --- a/src/self_signed.rs +++ b/src/self_signed.rs @@ -200,10 +200,10 @@ impl rustls::server::danger::ClientCertVerifier for SkipClientVerification { mod tests { use super::*; use crate::{ + AttestationGenerator, attestation::{AttestationType, AttestationVerifier}, attested_tls::{AttestedTlsClient, AttestedTlsServer}, test_helpers::{generate_certificate_chain, generate_tls_config}, - AttestationGenerator, }; use tokio::net::TcpListener; use tokio_rustls::rustls::pki_types::ServerName; diff --git a/src/test_helpers.rs b/src/test_helpers.rs index 1dbc68c..8990734 100644 --- a/src/test_helpers.rs +++ b/src/test_helpers.rs @@ -7,17 +7,17 @@ use std::{ }; use tokio::net::TcpListener; use tokio_rustls::rustls::{ - pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer}, - server::{danger::ClientCertVerifier, WebPkiClientVerifier}, ClientConfig, RootCertStore, ServerConfig, + pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer}, + server::{WebPkiClientVerifier, danger::ClientCertVerifier}, }; -use tracing_subscriber::{fmt, EnvFilter}; +use tracing_subscriber::{EnvFilter, fmt}; static INIT: Once = Once::new(); use crate::{ - attestation::measurements::{DcapMeasurementRegister, MultiMeasurements}, MEASUREMENT_HEADER, + attestation::measurements::{DcapMeasurementRegister, MultiMeasurements}, }; /// Helper to generate a self-signed certificate for testing From 92b5d8ea09f2228c598e13eafd0c2dcd6a70a8a6 Mon Sep 17 00:00:00 2001 From: peg Date: Thu, 26 Feb 2026 10:12:45 +0100 Subject: [PATCH 2/2] Add formatting check to CI --- .github/workflows/test.yml | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8fa1ea7..09d73f5 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -32,6 +32,9 @@ jobs: restore-keys: | ${{ runner.os }}-cargo- + - name: Check formatting + run: cargo fmt --all -- --check + - name: Run cargo clippy run: cargo clippy --workspace --features azure -- -D warnings
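Review bot: The new `Check formatting` step runs `cargo fmt --all -- --check` with whatever rustfmt the job's toolchain provides, and the toolchain setup lies outside this hunk, so it is not visible whether that version is pinned. The import order produced by the first patch (for example `AttestationGenerator, AttestationVerifier, measurements::MeasurementPolicy`) appears to depend on the rustfmt style edition, so an unpinned or differently configured toolchain could turn this gate red or green for reasons unrelated to the change under review. If the repository does not already have one, consider a `rust-toolchain.toml` that fixes `channel` and lists `components = ["rustfmt", "clippy"]`, so CI and contributors' editors format with the same tool. A comment above the step, such as `# Fails on any rustfmt diff; run "cargo fmt --all" locally before pushing`, would also tell contributors how to clear a failing check.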