crypto/tls API mismatch: missing tls.X509KeyPair and ClientAuth constants, LoadX509KeyPair stubbed

[M09Ic]

What happened?

While building a TinyGo Linux native binary (v0.40.1), we hit crypto/tls API mismatches compared with the Go stdlib surface.

Compile-time failures:

undefined: tls.X509KeyPair
undefined: tls.RequireAndVerifyClientCert

At the same time, tls.LoadX509KeyPair exists but returns not implemented at runtime in TinyGo's crypto/tls/tls.go.

This makes common stdlib-compatible TLS config code fail to compile (or fail at runtime), even for simple config helpers.

Reproducer

main.go:

package main

import (
    "crypto/tls"
    "fmt"
)

func main() {
    // 1) compile-time symbol check
    _ = tls.RequireAndVerifyClientCert

    // 2) compile-time symbol check
    _, _ = tls.X509KeyPair([]byte(""), []byte(""))

    // 3) runtime behavior check (if only this line is kept)
    _, err := tls.LoadX509KeyPair("cert.pem", "key.pem")
    fmt.Println(err)
}

Build:

tinygo build -o app ./main.go

Environment

• tinygo version 0.40.1 linux/amd64 (LLVM 20.1.1)
• also reproducible with tinygo 0.40.1 windows/amd64
• host: Ubuntu 24.04 (WSL2)

Source observations

In TinyGo 0.40.1 sources:

• src/crypto/tls/tls.go has LoadX509KeyPair but it returns errors.New("tls:LoadX509KeyPair not implemented").
• src/crypto/tls/common.go defines type ClientAuthType int but does not define stdlib constants like RequireAndVerifyClientCert.
• tls.X509KeyPair is missing from the package API.

Expected behavior

Either:

1. Expose stdlib-compatible symbols (X509KeyPair, ClientAuthType constants) with documented behavior, or
2. Clearly document/guard unsupported API so the failure mode is consistent and discoverable (preferably compile-time with actionable errors).

Related

• Possibly related in scope to broader TLS support discussion: Does tinygo not support TLS features? #4269