Skip to content

Add WIT equivalent of WITX 0.10 spec #94

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Robbe-Haegeman wants to merge 15 commits into
base: main
Choose a base branch
from
Open

Add WIT equivalent of WITX 0.10 spec #94

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
6866946
feat: add transpiled wit
Robbe-Haegeman Apr 20, 2026
dbc7f6a
feat: clean up wit files and use new transpiler version
Robbe-Haegeman Jun 2, 2026
27487f9
fix: remove double hyphens
Robbe-Haegeman Jun 2, 2026
d54ddba
feat: add imports
Robbe-Haegeman Jun 2, 2026
78c7825
feat: move from handle derivatives to resources
Robbe-Haegeman Jun 2, 2026
bcce754
feat: use list<u8> where possible
Robbe-Haegeman Jun 2, 2026
a129d26
feat: add workaround for options-set-guest-buffer
Robbe-Haegeman Jun 2, 2026
a792f44
feat: change variants without data to enums
Robbe-Haegeman Jun 2, 2026
fc6932c
chore: run wit idl VS Code formatter
Robbe-Haegeman Jun 2, 2026
85184ef
feat: add borrowing where required
Robbe-Haegeman Jun 2, 2026
99f8a65
fix(batch): add same fixes to the batch variants
Robbe-Haegeman Jun 3, 2026
ff41c1c
docs(README): fix remaining mistakes
Robbe-Haegeman Jun 3, 2026
1bc18af
docs: fix typo based on feedback
Robbe-Haegeman Jun 4, 2026
a45cc89
fix: use version 0.11 to continue numbering WITX
Robbe-Haegeman Jun 4, 2026
b64e60c
feat: changes based on learning implementation
Robbe-Haegeman Jun 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 37 additions & 0 deletions wit/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
## Made changes

### Automatic

| WITX Type / Construct | Target WIT Construct | Transpilation Details & Notes |
| --------------------------------------- | ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| **`TypeRef::Name`** | `Type::named(...)` | Map using kebab-case identifier. |
| **`BuiltinType::Char`** | `Type::Char` | Translated directly. |
| **`BuiltinType::U8 / U16 / U32 / U64`** | `Type::U8` to `Type::U64` | Translated directly. |
| **`BuiltinType::S8 / S16 / S32 / S64`** | `Type::S8` to `Type::S64` | Translated directly (Signed integer). |
| **`BuiltinType::F32 / F64`** | `Type::F32` / `Type::F64` | Translated directly (Floats). |
| **`Type::List(Type::Char)`** | `Type::String` | Special promotion applied (`list<char>` -> `string`). |
| **`Type::List(T)`** | `Type::list<T>` | Mapped to a WIT list. |
| **`Type::Variant` (Option style)** | `Type::option<T>` | Recognized via `general_as_option`. |
| **`Type::Variant` (Expected style)** | `Type::result<T, E>` | Recognized via `general_as_expected` (handles ok/err variations). |
| **`Type::Variant` (Enum style)** | `TypeDef::variant(...)` | Custom map to variant cases. |
| **`Type::Record` (Tuple style)** | `Type::tuple(...)` | Evaluated when `record.is_tuple()` is true. |
| **`Type::Record` (Bitflags)** | `TypeDef::flags(...)` | Evaluated when `record.bitflags_repr().is_some()`. |
| **`Type::Record` (Standard)** | `TypeDef::record(...)` | Maps fields to a named structure. |
| **`Type::Handle`** | `Type::named(...)` | Resolves to the name of the resource handle. |
| **`witx_module.constants()`** | `TypeDef::resource(...)` | **Workaround**: Grouped by type and modeled as a resource containing static-like `ResourceFunc::method` calls tagged with a `TODO` comment. |
| **`witx_module.resources()`** | `TypeDef::resource(...)` | Map to an isolated empty WIT resource type block. |
| **`witx_module.funcs()`** | `StandaloneFunc` | Maps parameters and the single return output. |
| **`Type::Pointer`** | **Not Supported** | ❌ Fails with `TranspileError::UnsupportedType`. Raw memory addresses are disallowed; recommend `list` or `resource`. |
| **`Type::ConstPointer`** | **Not Supported** | ❌ Fails with `TranspileError::UnsupportedType`. Raw memory addresses are disallowed; recommend `list` or `resource`. |

### Manual

| WITX Type / Construct | Target WIT Construct | Transpilation Details & Notes |
| ------------------------------------------------------------------ | --------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **`Pointer + len` (Output buffer)** | `list<u8>` | For `symmetric-state-encrypt`, `symmetric-state-encrypt-detached`, `symmetric-state-decrypt`, and `symmetric-state-decrypt-detached`; the ability to encrypt in-place had to be removed. |
| **`ConstPointer + len` (Input buffer)** | `list<u8>` | For `symmetric-state-encrypt`, `symmetric-state-encrypt-detached`, `symmetric-state-decrypt`, and `symmetric-state-decrypt-detached`; the ability to encrypt in-place had to be removed. |
| **Version constants** | `variant` | Mostly due to the lack of constants, with a variant being more suitable to display the same information than implicit values. |
| **`Variant`** without data | `enum` | There is nothing stopping the transpiler from handling this case as well. I just didn't notice and fixing it by hand was easier. |
| `type ... = handle` | `resource` | This required manually adding `borrow<>` where required. |
| **Imports** | `use wasi-ephemeral-crypto-common.{}` | This was done manually and verified using: |
| **`array-output-pull` / `symmetric-tag-pull` parameter ownership** | `borrow<T>` (WITX host closes as side-effect) | `T` (owned; Component Model destroys on function return) | In WITX the host explicitly closes the handle inside `pull`, enforcing single-use. WIT `borrow<T>` prevents the host from doing so. Taking ownership restores the invariant. The regression is minimal: WITX allowed retrying `pull` with a larger buffer on `Overflow`, but the WIT version already returns `list<u8>` (host-allocated), making `Overflow` impossible and retries unnecessary. |
100 changes: 100 additions & 0 deletions wit/batch/wasi_ephemeral_crypto_signatures_batch.wit
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
package wasi:crypto@0.11.0;

interface wasi-ephemeral-crypto-signatures-batch {
use wasi-ephemeral-crypto-common.{array-output, crypto-errno, signature-verification-state, signature, signature-state};

/// The result of a signature sign operation. A pair of the signature and an error code.
type signature-sign-result = tuple<array-output, crypto-errno>;

/// A list of signature_sign results.
type signature-results = list<signature-sign-result>;

/// A tuple of a signature verification state and the signature to verify.
///
/// Used for grouping signature verification state to be verified with the signature to verify.
/// Used with batch_signature_state_verify().
type signature-verification-input = tuple<borrow<signature-verification-state>, borrow<signature>>;

type signature-verification-results = list<crypto-errno>;

/// Compute a batch of signatures.
///
/// This is a batch version of the signature_state_sign operation and is an extension of the wasi_ephemeral_crypto_signatures module.
///
/// The batch operation returns an error code of type $crypto_errno that
/// indicates if the batch was processed or if the batch could not be
/// processed.
///
/// Batch processing error codes:
/// - `success`: Batch was processed. The status of each operation is indicated in the results list.
/// - `not_implemented`: Batch functionality is not supported.
/// - `unsupported_feature`: Inconsistent operations within the batch, e.g. not all operations in the batch use the same algorithm.
///
/// If the batch was processed, the result of each operation in the batch
/// is a pair of a $crypto_errno error code and a signature. The error code
/// indicates if that operation succeeded or failed. The signature is only
/// valid if the error code indicates success.
///
/// Example usage:
///
/// ```rust
/// let kp_handle = keypair_import(AlgorithmType::Signatures, "Ed25519", encoded, KeypairEncoding::Raw)?;
///
/// let mut state_handles = Vec::new();
///
/// let state_handle = signature_state_open(kp_handle)?;
/// signature_state_update(state_handle, b"message part 1")?;
/// signature_state_update(state_handle, b"message part 2")?;
/// state_handles.push(state_handle);
///
/// let state_handle = signature_state_open(kp_handle)?;
/// signature_state_update(state_handle, b"message part 1")?;
/// signature_state_update(state_handle, b"message part 2")?;
/// state_handles.push(state_handle);
///
/// let sig_handles = batch_signature_state_sign(state_handles)?;
///
/// let raw_sig1 = signature_export(sig_handle[0], SignatureEncoding::Raw)?;
/// let raw_sig2 = signature_export(sig_handle[1], SignatureEncoding::Raw)?;
/// ```
batch-signature-state-sign: func(states: list<borrow<signature-state>>) -> result<signature-results, crypto-errno>;

/// Verify a batch of signatures.
///
/// This is a batch version of the signature_state_verify operation and is
/// an extension of the wasi_ephemeral_crypto_signatures module.
///
/// The batch operation returns an error code of type $crypto_errno that
/// indicates if the batch was processed (`success`) or if the batch could
/// not be processed.
///
/// Batch processing failure cases are:
/// - `not_implemented`: Batch functionality is not supported.
/// - `unsupported_feature`: Inconsistent operations within the batch, e.g. not all operations in the batch use the same algorithm.
///
/// If the batch was processed, a list of verification results is produced.
/// Each entry in the input list has a corresponding error state returned
/// in the verification results list to indicate if the verification
/// succeeded or encountered an error.
///
/// Example usage:
///
/// ```rust
/// let kp_handle = keypair_import(AlgorithmType::Signatures, "Ed25519", encoded, KeypairEncoding::Raw)?;
///
/// let mut batch = Vec::new();
///
/// let state_handle = signature_verification_state_open(kp_handle)?;
/// signature_verification_state_update(state_handle, b"message part 1")?;
/// signature_verification_state_update(state_handle, b"message part 2")?;
/// state_handles.push((state_handle, signature1));
///
/// let state_handle = signature_verification_state_open(kp_handle)?;
/// signature_verification_state_update(state_handle, b"message part 1")?;
/// signature_verification_state_update(state_handle, b"message part 2")?;
/// state_handles.push((state_handle, signature2));
///
/// let results = batch_signature_state_verify(state_handles)?;
/// ```
batch-signature-state-verify: func(states: list<signature-verification-input>) -> result<signature-verification-results, crypto-errno>;
}
Loading