chore(examples): inline custom crypto provider for clarity (#815)

Co-authored-by: sinu.eth <65924192+sinui0@users.noreply.github.com>
2026-01-09 14:48:13 -05:00 · 2025-04-30 08:41:07 +02:00
parent 19447aabe5
commit a28718923b
5 changed files with 81 additions and 43 deletions
--- a/crates/examples/attestation/present.rs
+++ b/crates/examples/attestation/present.rs
@@ -2,13 +2,13 @@
 // attestation and the corresponding connection secrets. See the `prove.rs`
 // example to learn how to acquire an attestation from a Notary.

+use clap::Parser;
 use hyper::header;
+
 use tlsn_core::{attestation::Attestation, presentation::Presentation, CryptoProvider, Secrets};
 use tlsn_examples::ExampleType;
 use tlsn_formats::http::HttpTranscript;

-use clap::Parser;
-
 #[derive(Parser, Debug)]
 #[command(version, about, long_about = None)]
 struct Args {
--- a/crates/examples/attestation/prove.rs
+++ b/crates/examples/attestation/prove.rs
@@ -4,23 +4,23 @@

 use std::env;

+use clap::Parser;
 use http_body_util::Empty;
 use hyper::{body::Bytes, Request, StatusCode};
 use hyper_util::rt::TokioIo;
 use spansy::Spanned;
-use tlsn_examples::ExampleType;
 use tokio_util::compat::{FuturesAsyncReadCompatExt, TokioAsyncReadCompatExt};
+use tracing::debug;

 use notary_client::{Accepted, NotarizationRequest, NotaryClient};
-use tls_server_fixture::SERVER_DOMAIN;
+use tls_core::verify::WebPkiVerifier;
+use tls_server_fixture::{CA_CERT_DER, SERVER_DOMAIN};
 use tlsn_common::config::ProtocolConfig;
-use tlsn_core::{request::RequestConfig, transcript::TranscriptCommitConfig};
+use tlsn_core::{request::RequestConfig, transcript::TranscriptCommitConfig, CryptoProvider};
+use tlsn_examples::ExampleType;
 use tlsn_formats::http::{DefaultHttpCommitter, HttpCommit, HttpTranscript};
 use tlsn_prover::{Prover, ProverConfig};
 use tlsn_server_fixture::DEFAULT_FIXTURE_PORT;
-use tracing::debug;
-
-use clap::Parser;

 // Setting of the application server.
 const USER_AGENT: &str = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36";
@@ -90,6 +90,20 @@ async fn notarize(
        .await
        .expect("Could not connect to notary. Make sure it is running.");

+    // Create a crypto provider accepting the server-fixture's self-signed
+    // root certificate.
+    //
+    // This is only required for offline testing with the server-fixture. In
+    // production, use `CryptoProvider::default()` instead.
+    let mut root_store = tls_core::anchors::RootCertStore::empty();
+    root_store
+        .add(&tls_core::key::Certificate(CA_CERT_DER.to_vec()))
+        .unwrap();
+    let crypto_provider = CryptoProvider {
+        cert: WebPkiVerifier::new(root_store, None),
+        ..Default::default()
+    };
+
    // Set up protocol configuration for prover.
    // Prover configuration.
    let prover_config = ProverConfig::builder()
@@ -103,7 +117,7 @@ async fn notarize(
                .max_recv_data(tlsn_examples::MAX_RECV_DATA)
                .build()?,
        )
-        .crypto_provider(tlsn_examples::get_crypto_provider_with_server_fixture())
+        .crypto_provider(crypto_provider)
        .build()?;

    // Create a new prover and perform necessary setup.
--- a/crates/examples/attestation/verify.rs
+++ b/crates/examples/attestation/verify.rs
@@ -4,12 +4,15 @@

 use std::time::Duration;

+use clap::Parser;
+
+use tls_core::verify::WebPkiVerifier;
+use tls_server_fixture::CA_CERT_DER;
 use tlsn_core::{
    presentation::{Presentation, PresentationOutput},
    signing::VerifyingKey,
+    CryptoProvider,
 };
-
-use clap::Parser;
 use tlsn_examples::ExampleType;

 #[derive(Parser, Debug)]
@@ -33,7 +36,19 @@ async fn verify_presentation(example_type: &ExampleType) -> Result<(), Box<dyn s

    let presentation: Presentation = bincode::deserialize(&std::fs::read(presentation_path)?)?;

-    let provider = tlsn_examples::get_crypto_provider_with_server_fixture();
+    // Create a crypto provider accepting the server-fixture's self-signed
+    // root certificate.
+    //
+    // This is only required for offline testing with the server-fixture. In
+    // production, use `CryptoProvider::default()` instead.
+    let mut root_store = tls_core::anchors::RootCertStore::empty();
+    root_store
+        .add(&tls_core::key::Certificate(CA_CERT_DER.to_vec()))
+        .unwrap();
+    let crypto_provider = CryptoProvider {
+        cert: WebPkiVerifier::new(root_store, None),
+        ..Default::default()
+    };

    let VerifyingKey {
        alg,
@@ -52,7 +67,7 @@ async fn verify_presentation(example_type: &ExampleType) -> Result<(), Box<dyn s
        transcript,
        // extensions, // Optionally, verify any custom extensions from prover/notary.
        ..
-    } = presentation.verify(&provider).unwrap();
+    } = presentation.verify(&crypto_provider).unwrap();

    // The time at which the connection was started.
    let time = chrono::DateTime::UNIX_EPOCH + Duration::from_secs(connection_info.time);
--- a/crates/examples/interactive/interactive.rs
+++ b/crates/examples/interactive/interactive.rs
@@ -6,18 +6,19 @@ use std::{
 use http_body_util::Empty;
 use hyper::{body::Bytes, Request, StatusCode, Uri};
 use hyper_util::rt::TokioIo;
-use tlsn_common::config::{ProtocolConfig, ProtocolConfigValidator};
-use tlsn_core::transcript::Idx;
-use tlsn_examples::get_crypto_provider_with_server_fixture;
-use tlsn_prover::{state::Prove, Prover, ProverConfig};
-
-use tlsn_server_fixture::DEFAULT_FIXTURE_PORT;
-use tlsn_server_fixture_certs::SERVER_DOMAIN;
-use tlsn_verifier::{SessionInfo, Verifier, VerifierConfig};
 use tokio::io::{AsyncRead, AsyncWrite};
 use tokio_util::compat::{FuturesAsyncReadCompatExt, TokioAsyncReadCompatExt};
 use tracing::instrument;

+use tls_core::verify::WebPkiVerifier;
+use tls_server_fixture::CA_CERT_DER;
+use tlsn_common::config::{ProtocolConfig, ProtocolConfigValidator};
+use tlsn_core::{transcript::Idx, CryptoProvider};
+use tlsn_prover::{state::Prove, Prover, ProverConfig};
+use tlsn_server_fixture::DEFAULT_FIXTURE_PORT;
+use tlsn_server_fixture_certs::SERVER_DOMAIN;
+use tlsn_verifier::{SessionInfo, Verifier, VerifierConfig};
+
 const SECRET: &str = "TLSNotary's private key 🤡";

 // Maximum number of bytes that can be sent from prover to server.
@@ -64,6 +65,20 @@ async fn prover<T: AsyncWrite + AsyncRead + Send + Unpin + 'static>(
    assert_eq!(uri.scheme().unwrap().as_str(), "https");
    let server_domain = uri.authority().unwrap().host();

+    // Create a crypto provider accepting the server-fixture's self-signed
+    // root certificate.
+    //
+    // This is only required for offline testing with the server-fixture. In
+    // production, use `CryptoProvider::default()` instead.
+    let mut root_store = tls_core::anchors::RootCertStore::empty();
+    root_store
+        .add(&tls_core::key::Certificate(CA_CERT_DER.to_vec()))
+        .unwrap();
+    let crypto_provider = CryptoProvider {
+        cert: WebPkiVerifier::new(root_store, None),
+        ..Default::default()
+    };
+
    // Create prover and connect to verifier.
    //
    // Perform the setup phase with the verifier.
@@ -77,7 +92,7 @@ async fn prover<T: AsyncWrite + AsyncRead + Send + Unpin + 'static>(
                    .build()
                    .unwrap(),
            )
-            .crypto_provider(get_crypto_provider_with_server_fixture())
+            .crypto_provider(crypto_provider)
            .build()
            .unwrap(),
    )
@@ -143,9 +158,23 @@ async fn verifier<T: AsyncWrite + AsyncRead + Send + Sync + Unpin + 'static>(
        .build()
        .unwrap();

+    // Create a crypto provider accepting the server-fixture's self-signed
+    // root certificate.
+    //
+    // This is only required for offline testing with the server-fixture. In
+    // production, use `CryptoProvider::default()` instead.
+    let mut root_store = tls_core::anchors::RootCertStore::empty();
+    root_store
+        .add(&tls_core::key::Certificate(CA_CERT_DER.to_vec()))
+        .unwrap();
+    let crypto_provider = CryptoProvider {
+        cert: WebPkiVerifier::new(root_store, None),
+        ..Default::default()
+    };
+
    let verifier_config = VerifierConfig::builder()
        .protocol_config_validator(config_validator)
-        .crypto_provider(get_crypto_provider_with_server_fixture())
+        .crypto_provider(crypto_provider)
        .build()
        .unwrap();
    let verifier = Verifier::new(verifier_config);
--- a/crates/examples/src/lib.rs
+++ b/crates/examples/src/lib.rs
@@ -1,30 +1,10 @@
 use std::fmt;
-use tls_core::verify::WebPkiVerifier;
-use tls_server_fixture::CA_CERT_DER;
-use tlsn_core::CryptoProvider;

 // Maximum number of bytes that can be sent from prover to server.
 pub const MAX_SENT_DATA: usize = 1 << 12;
 // Maximum number of bytes that can be received by prover from server.
 pub const MAX_RECV_DATA: usize = 1 << 14;

-/// Crypto provider accepting the server-fixture's self-signed certificate.
-///
-/// This is only required for offline testing with the server-fixture. In
-/// production, use `CryptoProvider::default()` instead.
-pub fn get_crypto_provider_with_server_fixture() -> CryptoProvider {
-    // custom root store with server-fixture
-    let mut root_store = tls_core::anchors::RootCertStore::empty();
-    root_store
-        .add(&tls_core::key::Certificate(CA_CERT_DER.to_vec()))
-        .unwrap();
-
-    CryptoProvider {
-        cert: WebPkiVerifier::new(root_store, None),
-        ..Default::default()
-    }
-}
-
 #[derive(clap::ValueEnum, Clone, Default, Debug)]
 pub enum ExampleType {
    #[default]