refactor: move and rewrite configuration (#1034)

* refactor: move and rewrite configuration

* fix wasm

Author: sinui0

Cargo.lock

@@ -9,7 +9,7 @@ fixtures = ["tlsn-core/fixtures", "dep:tlsn-data-fixtures"]
 
 [dependencies]
 tlsn-tls-core = { workspace = true }
-tlsn-core = { workspace = true }
+tlsn-core = { workspace = true, features = ["mozilla-certs"] }
 tlsn-data-fixtures = { workspace = true, optional = true }
 
 bcs = { workspace = true }

crates/attestation/Cargo.toml

@@ -13,6 +13,7 @@ workspace = true
 
 [features]
 default = []
+mozilla-certs = ["dep:webpki-root-certs", "dep:webpki-roots"]
 fixtures = [
     "dep:hex",
     "dep:tlsn-data-fixtures",
@@ -44,7 +45,8 @@ sha2 = { workspace = true }
 thiserror = { workspace = true }
 tiny-keccak = { workspace = true, features = ["keccak"] }
 web-time = { workspace = true }
-webpki-roots = { workspace = true }
+webpki-roots = { workspace = true, optional = true }
+webpki-root-certs = { workspace = true, optional = true }
 rustls-webpki = { workspace = true, features = ["ring"] }
 rustls-pki-types = { workspace = true }
 itybity = { workspace = true }

crates/core/Cargo.toml

@@ -0,0 +1,7 @@
+//! Configuration types.
+
+pub mod prove;
+pub mod prover;
+pub mod tls;
+pub mod tls_commit;
+pub mod verifier;

crates/core/src/config.rs

@@ -0,0 +1,189 @@
+//! Proving configuration.
+
+use rangeset::{RangeSet, ToRangeSet, UnionMut};
+use serde::{Deserialize, Serialize};
+
+use crate::transcript::{Direction, Transcript, TranscriptCommitConfig, TranscriptCommitRequest};
+
+/// Configuration to prove information to the verifier.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ProveConfig {
+    server_identity: bool,
+    reveal: Option<(RangeSet<usize>, RangeSet<usize>)>,
+    transcript_commit: Option<TranscriptCommitConfig>,
+}
+
+impl ProveConfig {
+    /// Creates a new builder.
+    pub fn builder(transcript: &Transcript) -> ProveConfigBuilder<'_> {
+        ProveConfigBuilder::new(transcript)
+    }
+
+    /// Returns `true` if the server identity is to be proven.
+    pub fn server_identity(&self) -> bool {
+        self.server_identity
+    }
+
+    /// Returns the sent and received ranges of the transcript to be revealed,
+    /// respectively.
+    pub fn reveal(&self) -> Option<&(RangeSet<usize>, RangeSet<usize>)> {
+        self.reveal.as_ref()
+    }
+
+    /// Returns the transcript commitment configuration.
+    pub fn transcript_commit(&self) -> Option<&TranscriptCommitConfig> {
+        self.transcript_commit.as_ref()
+    }
+
+    /// Returns a request.
+    pub fn to_request(&self) -> ProveRequest {
+        ProveRequest {
+            server_identity: self.server_identity,
+            reveal: self.reveal.clone(),
+            transcript_commit: self
+                .transcript_commit
+                .clone()
+                .map(|config| config.to_request()),
+        }
+    }
+}
+
+/// Builder for [`ProveConfig`].
+#[derive(Debug)]
+pub struct ProveConfigBuilder<'a> {
+    transcript: &'a Transcript,
+    server_identity: bool,
+    reveal: Option<(RangeSet<usize>, RangeSet<usize>)>,
+    transcript_commit: Option<TranscriptCommitConfig>,
+}
+
+impl<'a> ProveConfigBuilder<'a> {
+    /// Creates a new builder.
+    pub fn new(transcript: &'a Transcript) -> Self {
+        Self {
+            transcript,
+            server_identity: false,
+            reveal: None,
+            transcript_commit: None,
+        }
+    }
+
+    /// Proves the server identity.
+    pub fn server_identity(&mut self) -> &mut Self {
+        self.server_identity = true;
+        self
+    }
+
+    /// Configures transcript commitments.
+    pub fn transcript_commit(&mut self, transcript_commit: TranscriptCommitConfig) -> &mut Self {
+        self.transcript_commit = Some(transcript_commit);
+        self
+    }
+
+    /// Reveals the given ranges of the transcript.
+    pub fn reveal(
+        &mut self,
+        direction: Direction,
+        ranges: &dyn ToRangeSet<usize>,
+    ) -> Result<&mut Self, ProveConfigError> {
+        let idx = ranges.to_range_set();
+
+        if idx.end().unwrap_or(0) > self.transcript.len_of_direction(direction) {
+            return Err(ProveConfigError(ErrorRepr::IndexOutOfBounds {
+                direction,
+                actual: idx.end().unwrap_or(0),
+                len: self.transcript.len_of_direction(direction),
+            }));
+        }
+
+        let (sent, recv) = self.reveal.get_or_insert_default();
+        match direction {
+            Direction::Sent => sent.union_mut(&idx),
+            Direction::Received => recv.union_mut(&idx),
+        }
+
+        Ok(self)
+    }
+
+    /// Reveals the given ranges of the sent data transcript.
+    pub fn reveal_sent(
+        &mut self,
+        ranges: &dyn ToRangeSet<usize>,
+    ) -> Result<&mut Self, ProveConfigError> {
+        self.reveal(Direction::Sent, ranges)
+    }
+
+    /// Reveals all of the sent data transcript.
+    pub fn reveal_sent_all(&mut self) -> Result<&mut Self, ProveConfigError> {
+        let len = self.transcript.len_of_direction(Direction::Sent);
+        let (sent, _) = self.reveal.get_or_insert_default();
+        sent.union_mut(&(0..len));
+        Ok(self)
+    }
+
+    /// Reveals the given ranges of the received data transcript.
+    pub fn reveal_recv(
+        &mut self,
+        ranges: &dyn ToRangeSet<usize>,
+    ) -> Result<&mut Self, ProveConfigError> {
+        self.reveal(Direction::Received, ranges)
+    }
+
+    /// Reveals all of the received data transcript.
+    pub fn reveal_recv_all(&mut self) -> Result<&mut Self, ProveConfigError> {
+        let len = self.transcript.len_of_direction(Direction::Received);
+        let (_, recv) = self.reveal.get_or_insert_default();
+        recv.union_mut(&(0..len));
+        Ok(self)
+    }
+
+    /// Builds the configuration.
+    pub fn build(self) -> Result<ProveConfig, ProveConfigError> {
+        Ok(ProveConfig {
+            server_identity: self.server_identity,
+            reveal: self.reveal,
+            transcript_commit: self.transcript_commit,
+        })
+    }
+}
+
+/// Request to prove statements about the connection.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ProveRequest {
+    server_identity: bool,
+    reveal: Option<(RangeSet<usize>, RangeSet<usize>)>,
+    transcript_commit: Option<TranscriptCommitRequest>,
+}
+
+impl ProveRequest {
+    /// Returns `true` if the server identity is to be proven.
+    pub fn server_identity(&self) -> bool {
+        self.server_identity
+    }
+
+    /// Returns the sent and received ranges of the transcript to be revealed,
+    /// respectively.
+    pub fn reveal(&self) -> Option<&(RangeSet<usize>, RangeSet<usize>)> {
+        self.reveal.as_ref()
+    }
+
+    /// Returns the transcript commitment configuration.
+    pub fn transcript_commit(&self) -> Option<&TranscriptCommitRequest> {
+        self.transcript_commit.as_ref()
+    }
+}
+
+/// Error for [`ProveConfig`].
+#[derive(Debug, thiserror::Error)]
+#[error(transparent)]
+pub struct ProveConfigError(#[from] ErrorRepr);
+
+#[derive(Debug, thiserror::Error)]
+enum ErrorRepr {
+    #[error("range is out of bounds of the transcript ({direction}): {actual} > {len}")]
+    IndexOutOfBounds {
+        direction: Direction,
+        actual: usize,
+        len: usize,
+    },
+}

crates/core/src/config/prove.rs

@@ -0,0 +1,33 @@
+//! Prover configuration.
+
+use serde::{Deserialize, Serialize};
+
+/// Prover configuration.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ProverConfig {}
+
+impl ProverConfig {
+    /// Creates a new builder.
+    pub fn builder() -> ProverConfigBuilder {
+        ProverConfigBuilder::default()
+    }
+}
+
+/// Builder for [`ProverConfig`].
+#[derive(Debug, Default)]
+pub struct ProverConfigBuilder {}
+
+impl ProverConfigBuilder {
+    /// Builds the configuration.
+    pub fn build(self) -> Result<ProverConfig, ProverConfigError> {
+        Ok(ProverConfig {})
+    }
+}
+
+/// Error for [`ProverConfig`].
+#[derive(Debug, thiserror::Error)]
+#[error(transparent)]
+pub struct ProverConfigError(#[from] ErrorRepr);
+
+#[derive(Debug, thiserror::Error)]
+enum ErrorRepr {}

crates/core/src/config/prover.rs

@@ -0,0 +1,111 @@
+//! TLS client configuration.
+
+use serde::{Deserialize, Serialize};
+
+use crate::{
+    connection::ServerName,
+    webpki::{CertificateDer, PrivateKeyDer, RootCertStore},
+};
+
+/// TLS client configuration.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct TlsClientConfig {
+    server_name: ServerName,
+    /// Root certificates.
+    root_store: RootCertStore,
+    /// Certificate chain and a matching private key for client
+    /// authentication.
+    client_auth: Option<(Vec<CertificateDer>, PrivateKeyDer)>,
+}
+
+impl TlsClientConfig {
+    /// Creates a new builder.
+    pub fn builder() -> TlsConfigBuilder {
+        TlsConfigBuilder::default()
+    }
+
+    /// Returns the server name.
+    pub fn server_name(&self) -> &ServerName {
+        &self.server_name
+    }
+
+    /// Returns the root certificates.
+    pub fn root_store(&self) -> &RootCertStore {
+        &self.root_store
+    }
+
+    /// Returns a certificate chain and a matching private key for client
+    /// authentication.
+    pub fn client_auth(&self) -> Option<&(Vec<CertificateDer>, PrivateKeyDer)> {
+        self.client_auth.as_ref()
+    }
+}
+
+/// Builder for [`TlsClientConfig`].
+#[derive(Debug, Default)]
+pub struct TlsConfigBuilder {
+    server_name: Option<ServerName>,
+    root_store: Option<RootCertStore>,
+    client_auth: Option<(Vec<CertificateDer>, PrivateKeyDer)>,
+}
+
+impl TlsConfigBuilder {
+    /// Sets the server name.
+    pub fn server_name(mut self, server_name: ServerName) -> Self {
+        self.server_name = Some(server_name);
+        self
+    }
+
+    /// Sets the root certificates to use for verifying the server's
+    /// certificate.
+    pub fn root_store(mut self, store: RootCertStore) -> Self {
+        self.root_store = Some(store);
+        self
+    }
+
+    /// Sets a DER-encoded certificate chain and a matching private key for
+    /// client authentication.
+    ///
+    /// Often the chain will consist of a single end-entity certificate.
+    ///
+    /// # Arguments
+    ///
+    /// * `cert_key` - A tuple containing the certificate chain and the private
+    ///   key.
+    ///
+    ///   - Each certificate in the chain must be in the X.509 format.
+    ///   - The key must be in the ASN.1 format (either PKCS#8 or PKCS#1).
+    pub fn client_auth(mut self, cert_key: (Vec<CertificateDer>, PrivateKeyDer)) -> Self {
+        self.client_auth = Some(cert_key);
+        self
+    }
+
+    /// Builds the TLS configuration.
+    pub fn build(self) -> Result<TlsClientConfig, TlsConfigError> {
+        let server_name = self.server_name.ok_or(ErrorRepr::MissingField {
+            field: "server_name",
+        })?;
+
+        let root_store = self.root_store.ok_or(ErrorRepr::MissingField {
+            field: "root_store",
+        })?;
+
+        Ok(TlsClientConfig {
+            server_name,
+            root_store,
+            client_auth: self.client_auth,
+        })
+    }
+}
+
+/// TLS configuration error.
+#[derive(Debug, thiserror::Error)]
+#[error(transparent)]
+pub struct TlsConfigError(#[from] ErrorRepr);
+
+#[derive(Debug, thiserror::Error)]
+#[error("tls config error")]
+enum ErrorRepr {
+    #[error("missing required field: {field}")]
+    MissingField { field: &'static str },
+}