feat(p3): implement wasi:tls (#12834)

* Split off p2-specific bits into submodule

* Vendor the 0.3.0-draft WIT files

* Host traits scaffolding

* Rename p2 test

* Work around bug in `tokio-native-tls`

* Create error type

* Implement p3

Co-authored-by: Roman Volosatovs <rvolosatovs@riseup.net>

* Fix test on Windows' SChannel

Same reason as described in #11064

* Satisfy clippy

* Fix typo

---------

Co-authored-by: Roman Volosatovs <rvolosatovs@riseup.net>

Author: badeend

.github/workflows/main.yml

@@ -429,6 +429,8 @@ jobs:
           - name: wasmtime-wasi-tls
             checks: |
               -p wasmtime-wasi-tls --no-default-features
+              -p wasmtime-wasi-tls --no-default-features --features p2
+              -p wasmtime-wasi-tls --no-default-features --features p3
               -p wasmtime-wasi-tls --no-default-features --features rustls
               -p wasmtime-wasi-tls --no-default-features --features nativetls
               -p wasmtime-wasi-tls --no-default-features --features openssl

Cargo.lock

@@ -528,6 +528,7 @@ component-model-async = [
   "component-model",
   "wasmtime-wasi?/p3",
   "wasmtime-wasi-http?/p3",
+  "wasmtime-wasi-tls?/p3",
   "dep:futures",
 ]
 rr = ["wasmtime/rr", "component-model", "wasmtime-cli-flags/rr", "run"]

Cargo.toml

@@ -10,27 +10,29 @@ set -ex
 cache_dir=$(mktemp -d)
 trap "rm -rf $cache_dir" EXIT
 
-# Helper to download the `WebAssembly/$repo` dir at the `$tag` (or rev)
-# specified. The `wit/*.wit` files are placed in `$path`.
+# Helper to download content from `WebAssembly/$repo` at the `$tag` (or rev)
+# specified. By default `wit/*` is copied into `$path`, or a different
+# subdirectory can be specified with the optional fourth argument.
 get_github() {
   local repo=$1
   local tag=$2
   local path=$3
+  local prefix=${4:-wit}
 
   rm -rf "$path"
   mkdir -p "$path"
 
-  cached_extracted_dir="$cache_dir/$repo-$tag"
+  cached_extracted_dir="$cache_dir/$prefix/$repo-$tag"
 
   if [[ ! -d $cached_extracted_dir ]]; then
     mkdir -p $cached_extracted_dir
     curl --retry 5 --retry-all-errors -sLO https://github.com/WebAssembly/$repo/archive/$tag.tar.gz
     tar xzf $tag.tar.gz --strip-components=1 -C $cached_extracted_dir
     rm $tag.tar.gz
-    rm -rf $cached_extracted_dir/wit/deps*
+    rm -rf $cached_extracted_dir/${prefix}/deps*
   fi
 
-  cp -r $cached_extracted_dir/wit/* $path
+  cp -r $cached_extracted_dir/${prefix}/* $path
 }
 
 p2=0.2.6
@@ -65,6 +67,10 @@ mkdir -p crates/wasi-tls/wit/deps
 wkg get --format wit --overwrite "wasi:io@$p2" -o "crates/wasi-tls/wit/deps/io.wit"
 get_github wasi-tls v0.2.0-draft+505fc98 crates/wasi-tls/wit/deps/tls
 
+rm -rf crates/wasi-tls/src/p3/wit/deps
+mkdir -p crates/wasi-tls/src/p3/wit/deps
+get_github wasi-tls 6781ae2 crates/wasi-tls/src/p3/wit/deps/tls wit-0.3.0-draft
+
 rm -rf crates/wasi-config/wit/deps
 mkdir -p crates/wasi-config/wit/deps
 get_github wasi-config v0.2.0-rc.1 crates/wasi-config/wit/deps/config

ci/vendor-wit.sh

@@ -87,9 +87,11 @@ impl Artifacts {
                 s if s.starts_with("p1_") => "p1",
                 s if s.starts_with("p2_http_") => "p2_http",
                 s if s.starts_with("p2_api_") => "p2_api",
+                s if s.starts_with("p2_tls_") => "p2_tls",
                 s if s.starts_with("p2_") => "p2",
                 s if s.starts_with("p3_http_") => "p3_http",
                 s if s.starts_with("p3_api_") => "p3_api",
+                s if s.starts_with("p3_tls_") => "p3_tls",
                 s if s.starts_with("p3_") => "p3",
                 s if s.starts_with("nn_") => "nn",
                 s if s.starts_with("piped_") => "piped",
@@ -98,7 +100,6 @@ impl Artifacts {
                 s if s.starts_with("dwarf_") => "dwarf",
                 s if s.starts_with("config_") => "config",
                 s if s.starts_with("keyvalue_") => "keyvalue",
-                s if s.starts_with("tls_") => "tls",
                 s if s.starts_with("async_") => "async",
                 s if s.starts_with("fuzz_") => "fuzz",
                 // If you're reading this because you hit this panic, either add

crates/test-programs/artifacts/build.rs

@@ -0,0 +1,130 @@
+use anyhow::{Context as _, Result, anyhow};
+use core::future::Future;
+use test_programs::p3::wasi::sockets::ip_name_lookup::resolve_addresses;
+use test_programs::p3::wasi::sockets::types::{IpAddress, IpSocketAddress, TcpSocket};
+use test_programs::p3::wasi::tls::client::Connector;
+use test_programs::p3::wit_stream;
+
+struct Component;
+
+test_programs::p3::export!(Component);
+
+const PORT: u16 = 443;
+
+async fn test_tls_sample_application(domain: &str, ip: IpAddress) -> Result<()> {
+    let request = format!(
+        "GET / HTTP/1.1\r\nHost: {domain}\r\nUser-Agent: wasmtime-wasi-rust\r\nConnection: close\r\n\r\n"
+    );
+
+    let sock = TcpSocket::create(ip.family()).unwrap();
+    sock.connect(IpSocketAddress::new(ip, PORT))
+        .await
+        .context("tcp connect failed")?;
+
+    let conn = Connector::new();
+
+    let (sock_rx, sock_rx_fut) = sock.receive();
+    let (tls_rx, tls_rx_fut) = conn.receive(sock_rx);
+
+    let (mut data_tx, data_rx) = wit_stream::new();
+    let (tls_tx, tls_tx_err_fut) = conn.send(data_rx);
+    let sock_tx_fut = sock.send(tls_tx);
+
+    Connector::connect(conn, domain.into())
+        .await
+        .context("tls handshake failed")?;
+    let buf = data_tx.write_all(request.into()).await;
+    assert!(buf.is_empty());
+
+    let response = tls_rx.collect().await;
+    let response = String::from_utf8(response)?;
+    if !response.contains("HTTP/1.1 200 OK") {
+        return Err(anyhow!("server did not respond with 200 OK: {response}"));
+    }
+    drop(data_tx);
+    sock_rx_fut.await.context("tcp recv")?;
+    sock_tx_fut.await.context("tcp send")?;
+    tls_rx_fut.await.context("tls recv")?;
+    tls_tx_err_fut.await.context("tls send")?;
+
+    Ok(())
+}
+
+/// This test sets up a TCP connection using one domain, and then attempts to
+/// perform a TLS handshake using another unrelated domain. This should result
+/// in a handshake error.
+async fn test_tls_invalid_certificate(_domain: &str, ip: IpAddress) -> Result<()> {
+    const BAD_DOMAIN: &str = "wrongdomain.localhost";
+
+    let sock = TcpSocket::create(ip.family()).unwrap();
+    sock.connect(IpSocketAddress::new(ip, PORT))
+        .await
+        .context("tcp connect failed")?;
+
+    let (_, data_rx) = wit_stream::new();
+    let conn = Connector::new();
+
+    conn.receive(sock.receive().0);
+    sock.send(conn.send(data_rx).0);
+
+    match Connector::connect(conn, BAD_DOMAIN.into()).await {
+        Err(e) => {
+            let debug_string = e.to_debug_string();
+            // We're expecting an error regarding certificates in some form or
+            // another. When we add more TLS backends this naive check will
+            // likely need to be revisited/expanded:
+            if debug_string.contains("certificate") || debug_string.contains("HandshakeFailure") {
+                return Ok(());
+            }
+            Err(anyhow!(debug_string))
+        }
+        Ok(_) => panic!("expecting server name mismatch"),
+    }
+}
+
+async fn try_live_endpoints<'a, Fut>(test: impl Fn(&'a str, IpAddress) -> Fut)
+where
+    Fut: Future<Output = Result<()>> + 'a,
+{
+    // since this is testing remote endpoints to ensure system cert store works
+    // the test uses a couple different endpoints to reduce the number of flakes
+    const DOMAINS: &[&str] = &[
+        "example.com",
+        "api.github.com",
+        "docs.wasmtime.dev",
+        "bytecodealliance.org",
+        "www.rust-lang.org",
+    ];
+
+    for &domain in DOMAINS {
+        let result = (|| async {
+            let ip = resolve_addresses(domain.into())
+                .await?
+                .first()
+                .map(|a| a.to_owned())
+                .ok_or_else(|| anyhow!("DNS lookup failed."))?;
+            test(domain, ip).await
+        })();
+
+        match result.await {
+            Ok(()) => return,
+            Err(e) => {
+                eprintln!("test for {domain} failed: {e:#}");
+            }
+        }
+    }
+
+    panic!("all tests failed");
+}
+
+impl test_programs::p3::exports::wasi::cli::run::Guest for Component {
+    async fn run() -> Result<(), ()> {
+        println!("sample app");
+        try_live_endpoints(test_tls_sample_application).await;
+        println!("invalid cert");
+        try_live_endpoints(test_tls_invalid_certificate).await;
+        Ok(())
+    }
+}
+
+fn main() {}

…ograms/src/bin/tls_sample_application.rs …ams/src/bin/p2_tls_sample_application.rscrates/test-programs/src/bin/tls_sample_application.rs renamed to crates/test-programs/src/bin/p2_tls_sample_application.rs crates/test-programs/src/bin/tls_sample_application.rs renamed to crates/test-programs/src/bin/p2_tls_sample_application.rs

@@ -7,14 +7,18 @@ wit_bindgen::generate!({
 
         world testp3 {
             include wasi:cli/imports@0.3.0-rc-2026-03-15;
+            include wasi:tls/imports@0.3.0-draft;
             import wasi:http/types@0.3.0-rc-2026-03-15;
             import wasi:http/client@0.3.0-rc-2026-03-15;
             import wasi:http/handler@0.3.0-rc-2026-03-15;
 
             export wasi:cli/run@0.3.0-rc-2026-03-15;
         }
     ",
-    path: "../wasi-http/src/p3/wit",
+    path: [
+        "../wasi-http/src/p3/wit",
+        "../wasi-tls/src/p3/wit",
+    ],
     world: "wasmtime:test/testp3",
     default_bindings_module: "test_programs::p3",
     pub_export_macro: true,
@@ -44,3 +48,11 @@ pub mod service {
         },
     });
 }
+
+impl std::fmt::Display for wasi::tls::types::Error {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.write_str(&self.to_debug_string())
+    }
+}
+
+impl std::error::Error for wasi::tls::types::Error {}

crates/test-programs/src/bin/p3_tls_sample_application.rs

@@ -12,7 +12,9 @@ description = "Wasmtime implementation of the wasi-tls API"
 workspace = true
 
 [features]
-default = ["rustls"]
+default = ["p2", "rustls"]
+p2 = ["wasmtime-wasi/p2"]
+p3 = ["wasmtime-wasi/p3", "wasmtime/component-model-async", "tracing"]
 rustls = ["dep:rustls", "dep:tokio-rustls", "dep:webpki-roots"]
 nativetls = ["dep:native-tls", "dep:tokio-native-tls"]
 openssl = ["dep:openssl", "dep:tokio-openssl"]
@@ -27,6 +29,7 @@ tokio = { workspace = true, features = [
 ] }
 wasmtime = { workspace = true, features = ["runtime", "component-model"] }
 wasmtime-wasi = { workspace = true }
+tracing = { workspace = true, optional = true }
 cfg-if = { workspace = true }
 tokio-rustls = { workspace = true, optional = true }
 rustls = { workspace = true, optional = true }

crates/test-programs/src/p3/mod.rs

@@ -0,0 +1,44 @@
+use std::sync::Arc;
+
+/// TLS error
+pub struct Error(Arc<String>);
+
+impl Error {
+    /// Creates a new error with the given message.
+    pub fn msg<M>(message: M) -> Self
+    where
+        M: ToString,
+    {
+        Self(Arc::new(message.to_string()))
+    }
+}
+impl Clone for Error {
+    fn clone(&self) -> Self {
+        Self(Arc::clone(&self.0))
+    }
+}
+impl std::fmt::Debug for Error {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        std::fmt::Debug::fmt(&self.0, f)
+    }
+}
+impl std::fmt::Display for Error {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        std::fmt::Display::fmt(&self.0, f)
+    }
+}
+impl std::error::Error for Error {}
+impl From<std::io::Error> for Error {
+    fn from(err: std::io::Error) -> Self {
+        // Try to recover the original error:
+        match err.downcast::<Error>() {
+            Ok(e) => e,
+            Err(io_err) => Self::msg(io_err),
+        }
+    }
+}
+impl From<Error> for std::io::Error {
+    fn from(err: Error) -> Self {
+        std::io::Error::other(err)
+    }
+}