feat: support custom root certificates in WASM bindings (#618)

Add `root_certs` option to `ProverConfig` and `VerifierConfig` in
sdk-core and WASM bindings, allowing custom DER-encoded root
certificates for TLS server verification. When not provided, Mozilla
root certificates are used as the default.

- Add `root_certs: Option<Vec<Vec<u8>>>` to sdk-core configs with
  builder methods
- Add `mozilla-certs` feature flag to sdk-core for conditional fallback
- Wire custom root certs through WASM prover/verifier config layers
- Remove stale `tests.rs` and unused `test` feature from wasm crate
- Clean up unused wasm dependencies (tlsn, tlsn-core, tlsn-tls-core,
  tlsn-server-fixture-certs)
- Add `sdk_core` harness test plugin exercising the full MPC-TLS flow
  with custom root certs

Closes #618

Author: heeckhau

Cargo.lock

@@ -17,6 +17,7 @@ crate-type = ["cdylib", "rlib"]
 [dependencies]
 tlsn-harness-core = { workspace = true }
 tlsn = { workspace = true }
+tlsn-sdk-core = { workspace = true }
 tlsn-server-fixture-certs = { workspace = true }
 
 inventory = { workspace = true }

crates/harness/executor/Cargo.toml

@@ -0,0 +1,75 @@
+use tlsn_sdk_core::{
+    HttpRequest, NetworkSetting, ProverConfig, Reveal, SdkProver, SdkVerifier, VerifierConfig,
+};
+use tlsn_server_fixture_certs::{CA_CERT_DER, SERVER_DOMAIN};
+
+use crate::IoProvider;
+
+// Maximum number of bytes that can be sent from prover to server
+const MAX_SENT_DATA: usize = 1 << 11;
+// Maximum number of bytes that can be received by prover from server
+const MAX_RECV_DATA: usize = 1 << 11;
+
+crate::test!("sdk_core", prover, verifier);
+
+async fn prover(provider: &IoProvider) {
+    let config = ProverConfig::builder(SERVER_DOMAIN)
+        .max_sent_data(MAX_SENT_DATA)
+        .max_recv_data(MAX_RECV_DATA)
+        .defer_decryption_from_start(true)
+        .network(NetworkSetting::Latency)
+        .root_certs(vec![CA_CERT_DER.to_vec()])
+        .build();
+
+    let mut prover = SdkProver::new(config).unwrap();
+
+    let proto_io = provider.provide_proto_io().await.unwrap();
+    prover.setup(proto_io).await.unwrap();
+
+    let server_io = provider.provide_server_io().await.unwrap();
+    let request = HttpRequest::get(&format!(
+        "https://{}/bytes?size={}",
+        SERVER_DOMAIN,
+        MAX_RECV_DATA - 256
+    ))
+    .header("Host", SERVER_DOMAIN)
+    .header("Connection", "close");
+
+    let response = prover.send_request(server_io, request).await.unwrap();
+    assert_eq!(response.status, 200);
+
+    let transcript = prover.transcript().unwrap();
+    let sent_len = transcript.sent.len();
+    let recv_len = transcript.recv.len();
+
+    prover
+        .reveal(
+            Reveal::new()
+                .sent(0..sent_len - 1)
+                .recv(2..recv_len)
+                .server_identity(true),
+        )
+        .await
+        .unwrap();
+
+    assert!(prover.is_complete());
+}
+
+async fn verifier(provider: &IoProvider) {
+    let config = VerifierConfig::builder()
+        .max_sent_data(MAX_SENT_DATA)
+        .max_recv_data(MAX_RECV_DATA)
+        .root_certs(vec![CA_CERT_DER.to_vec()])
+        .build();
+
+    let mut verifier = SdkVerifier::new(config);
+
+    let proto_io = provider.provide_proto_io().await.unwrap();
+    verifier.connect(proto_io).await.unwrap();
+
+    let output = verifier.verify().await.unwrap();
+
+    assert_eq!(output.server_name.as_deref(), Some(SERVER_DOMAIN));
+    assert!(output.transcript.is_some());
+    assert!(verifier.is_complete());
+}

crates/harness/executor/test_plugins/sdk_core.rs

@@ -13,6 +13,7 @@ workspace = true
 
 [features]
 default = []
+mozilla-certs = ["tlsn/mozilla-certs"]
 wasm = ["wasm-bindgen-futures"]
 
 [dependencies]

crates/sdk-core/Cargo.toml

@@ -1,6 +1,11 @@
 //! Configuration types for the SDK.
 
 use serde::{Deserialize, Serialize};
+use tlsn::webpki::{CertificateDer, RootCertStore};
+
+use crate::error::Result;
+#[cfg(not(feature = "mozilla-certs"))]
+use crate::error::SdkError;
 
 /// Configuration for the Prover.
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -23,6 +28,10 @@ pub struct ProverConfig {
     pub network: NetworkSetting,
     /// Optional client authentication credentials (certificates, private key).
     pub client_auth: Option<ClientAuth>,
+    /// Custom root certificates (DER-encoded) for TLS server verification.
+    ///
+    /// If `None`, the Mozilla root certificates are used.
+    pub root_certs: Option<Vec<Vec<u8>>>,
 }
 
 impl ProverConfig {
@@ -44,6 +53,7 @@ pub struct ProverConfigBuilder {
     defer_decryption_from_start: Option<bool>,
     network: NetworkSetting,
     client_auth: Option<ClientAuth>,
+    root_certs: Option<Vec<Vec<u8>>>,
 }
 
 impl ProverConfigBuilder {
@@ -59,6 +69,7 @@ impl ProverConfigBuilder {
             defer_decryption_from_start: None,
             network: NetworkSetting::Latency,
             client_auth: None,
+            root_certs: None,
         }
     }
 
@@ -110,6 +121,14 @@ impl ProverConfigBuilder {
         self
     }
 
+    /// Sets custom root certificates (DER-encoded) for TLS server verification.
+    ///
+    /// If not set, the Mozilla root certificates are used.
+    pub fn root_certs(mut self, certs: Vec<Vec<u8>>) -> Self {
+        self.root_certs = Some(certs);
+        self
+    }
+
     /// Builds the ProverConfig.
     pub fn build(self) -> ProverConfig {
         ProverConfig {
@@ -122,6 +141,7 @@ impl ProverConfigBuilder {
             defer_decryption_from_start: self.defer_decryption_from_start,
             network: self.network,
             client_auth: self.client_auth,
+            root_certs: self.root_certs,
         }
     }
 }
@@ -137,6 +157,10 @@ pub struct VerifierConfig {
     pub max_sent_records: Option<usize>,
     /// Maximum number of received records during online phase.
     pub max_recv_records_online: Option<usize>,
+    /// Custom root certificates (DER-encoded) for TLS server verification.
+    ///
+    /// If `None`, the Mozilla root certificates are used.
+    pub root_certs: Option<Vec<Vec<u8>>>,
 }
 
 impl Default for VerifierConfig {
@@ -146,6 +170,7 @@ impl Default for VerifierConfig {
             max_recv_data: 16384,
             max_sent_records: None,
             max_recv_records_online: None,
+            root_certs: None,
         }
     }
 }
@@ -164,6 +189,7 @@ pub struct VerifierConfigBuilder {
     max_recv_data: usize,
     max_sent_records: Option<usize>,
     max_recv_records_online: Option<usize>,
+    root_certs: Option<Vec<Vec<u8>>>,
 }
 
 impl Default for VerifierConfigBuilder {
@@ -173,6 +199,7 @@ impl Default for VerifierConfigBuilder {
             max_recv_data: 16384,
             max_sent_records: None,
             max_recv_records_online: None,
+            root_certs: None,
         }
     }
 }
@@ -202,13 +229,22 @@ impl VerifierConfigBuilder {
         self
     }
 
+    /// Sets custom root certificates (DER-encoded) for TLS server verification.
+    ///
+    /// If not set, the Mozilla root certificates are used.
+    pub fn root_certs(mut self, certs: Vec<Vec<u8>>) -> Self {
+        self.root_certs = Some(certs);
+        self
+    }
+
     /// Builds the VerifierConfig.
     pub fn build(self) -> VerifierConfig {
         VerifierConfig {
             max_sent_data: self.max_sent_data,
             max_recv_data: self.max_recv_data,
             max_sent_records: self.max_sent_records,
             max_recv_records_online: self.max_recv_records_online,
+            root_certs: self.root_certs,
         }
     }
 }
@@ -240,3 +276,31 @@ pub struct ClientAuth {
     /// Client private key (DER encoded).
     pub key: Vec<u8>,
 }
+
+/// Builds a [`RootCertStore`] from optional DER-encoded root certificates.
+///
+/// If `root_certs` is `Some`, builds a store from the provided certificates.
+/// If `None`, falls back to Mozilla root certificates (requires `mozilla-certs`
+/// feature).
+pub(crate) fn build_root_store(root_certs: &Option<Vec<Vec<u8>>>) -> Result<RootCertStore> {
+    match root_certs {
+        Some(certs) => Ok(RootCertStore {
+            roots: certs
+                .iter()
+                .map(|cert| CertificateDer(cert.clone()))
+                .collect(),
+        }),
+        None => {
+            #[cfg(feature = "mozilla-certs")]
+            {
+                Ok(RootCertStore::mozilla())
+            }
+            #[cfg(not(feature = "mozilla-certs"))]
+            {
+                Err(SdkError::config(
+                    "no root certificates provided and mozilla-certs feature is not enabled",
+                ))
+            }
+        }
+    }
+}

crates/sdk-core/src/config.rs

@@ -10,13 +10,13 @@ use tlsn::{
     },
     connection::ServerName,
     prover::{state, Prover, TlsConnection},
-    webpki::{CertificateDer, PrivateKeyDer, RootCertStore},
+    webpki::{CertificateDer, PrivateKeyDer},
     Session, SessionHandle,
 };
 use tracing::{error, info};
 
 use crate::{
-    config::ProverConfig,
+    config::{build_root_store, ProverConfig},
     error::{Result, SdkError},
     io::{HyperIo, Io},
     types::*,
@@ -170,6 +170,8 @@ impl SdkProver {
             ));
         };
 
+        let root_store = build_root_store(&self.config.root_certs)?;
+
         let mut builder = TlsClientConfig::builder()
             .server_name(ServerName::Dns(
                 self.config
@@ -178,7 +180,7 @@ impl SdkProver {
                     .try_into()
                     .map_err(|_| SdkError::config("invalid server name"))?,
             ))
-            .root_store(RootCertStore::mozilla());
+            .root_store(root_store);
 
         if let Some(ref client_auth) = self.config.client_auth {
             let certs = client_auth

crates/sdk-core/src/prover.rs

@@ -5,13 +5,12 @@ use tlsn::{
     connection::{ConnectionInfo, ServerName, TranscriptLength},
     transcript::ContentType,
     verifier::{state, Verifier},
-    webpki::RootCertStore,
     Session, SessionHandle,
 };
 use tracing::info;
 
 use crate::{
-    config::VerifierConfig,
+    config::{build_root_store, VerifierConfig},
     error::{Result, SdkError},
     io::Io,
     types::VerifierOutput,
@@ -88,8 +87,9 @@ impl SdkVerifier {
             }
         });
 
+        let root_store = build_root_store(&self.config.root_certs)?;
         let verifier_config = tlsn::config::verifier::VerifierConfig::builder()
-            .root_store(RootCertStore::mozilla())
+            .root_store(root_store)
             .build()
             .map_err(|e| SdkError::config(e.to_string()))?;
         let verifier = handle

crates/sdk-core/src/verifier.rs

@@ -16,15 +16,10 @@ crate-type = ["cdylib", "rlib"]
 
 [features]
 default = []
-test = []
 no-bundler = ["web-spawn/no-bundler"]
 
 [dependencies]
-tlsn-core = { workspace = true }
-tlsn = { workspace = true, features = ["web", "mozilla-certs"] }
-tlsn-sdk-core = { workspace = true, features = ["wasm"] }
-tlsn-server-fixture-certs = { workspace = true }
-tlsn-tls-core = { workspace = true }
+tlsn-sdk-core = { workspace = true, features = ["wasm", "mozilla-certs"] }
 
 console_error_panic_hook = { version = "0.1" }
 futures = { workspace = true }

crates/wasm/Cargo.toml

@@ -8,8 +8,6 @@ pub mod handler;
 pub(crate) mod io;
 mod log;
 pub mod prover;
-#[cfg(feature = "test")]
-pub mod tests;
 pub mod types;
 pub mod verifier;
 
@@ -18,9 +16,6 @@ pub use log::{LoggingConfig, LoggingLevel};
 use wasm_bindgen::prelude::*;
 use wasm_bindgen_futures::JsFuture;
 
-#[cfg(feature = "test")]
-pub use tests::*;
-
 /// Initializes the module.
 #[wasm_bindgen]
 pub async fn initialize(

crates/wasm/src/lib.rs

@@ -14,4 +14,8 @@ pub struct ProverConfig {
     pub defer_decryption_from_start: Option<bool>,
     pub network: NetworkSetting,
     pub client_auth: Option<(Vec<Vec<u8>>, Vec<u8>)>,
+    /// Custom root certificates (DER-encoded) for TLS server verification.
+    ///
+    /// If not provided, Mozilla root certificates are used.
+    pub root_certs: Option<Vec<Vec<u8>>>,
 }