tapcfg: add price oracle TLS config

We don't skip certificate verification by default, and also default to
trusting the operating system's root CA list.

Author: jtobin

rfq/cli.go

@@ -22,6 +22,14 @@ const (
 type CliConfig struct {
 	PriceOracleAddress string `long:"priceoracleaddress" description:"Price oracle gRPC server address (rfqrpc://<hostname>:<port>). To use the integrated mock, use the following value: use_mock_price_oracle_service_promise_to_not_use_on_mainnet"`
 
+	PriceOracleTLS bool `long:"priceoracletls" description:"Enable TLS for communication with a price oracle."`
+
+	PriceOracleTLSInsecure bool `long:"priceoracletlsinsecure" description:"Disable verification of price oracle certificates."`
+
+	PriceOracleTLSNoSystemCAs bool `long:"priceoracletlsnosystemcas" description:"Disable use of the operating system's list of root CA's when verifiying price oracle certificates."`
+
+	PriceOracleTLSCertPath string `long:"priceoracletlscertpath" description:"Path to a PEM-encoded x509 certificate to use when constructing a TLS connection with a price oracle."`
+
 	SendPriceHint bool `long:"sendpricehint" description:"Send a price hint from the local price oracle to the RFQ peer when requesting a quote. For privacy reasons, this should only be turned on for self-hosted or trusted price oracles."`
 
 	PriceOracleSendPeerId bool `long:"priceoraclesendpeerid" description:"Send the peer ID (public key of the peer) to the price oracle when requesting a price rate. For privacy reasons, this should only be turned on for self-hosted or trusted price oracles."`

rfq/tls.go

@@ -25,13 +25,6 @@ type TLSConfig struct {
 	CustomCertificates []byte
 }
 
-// DefaultTLSConfig returns a default TLS configuration.
-func DefaultTLSConfig() *TLSConfig {
-	return &TLSConfig{
-		InsecureSkipVerify: true,
-	}
-}
-
 // configureTransportCredentials configures the TLS transport credentials to
 // be used for RPC connections.
 func configureTransportCredentials(

sample-tapd.conf

@@ -11,8 +11,8 @@
 ; always set to false.
 
 ; If only one value is specified for an option, then this is also the
-; default value used by tapd. In case of multiple (example) values, the default 
-; is explicitly mentioned. 
+; default value used by tapd. In case of multiple (example) values, the default
+; is explicitly mentioned.
 ; If the part after the equal sign is empty then tapd has no default for this
 ; option.
 
@@ -435,6 +435,21 @@
 ; use_mock_price_oracle_service_promise_to_not_use_on_mainnet
 ; experimental.rfq.priceoracleaddress=
 
+; Enable TLS for price oracle communication.
+; experimental.rfq.priceoracletls=true
+
+; Skip price oracle certificate verification, yielding an insecure (cleartext)
+; channel with the price oracle. Should only be used for testing.
+; experimental.rfq.priceoracletlsinsecure=false
+
+; Disable use of the operating system's root CA list when verifying a
+; price oracle's certificate.
+; experimental.rfq.priceoracletlsnosystemcas=false
+
+; Path to a custom certificate (root CA or self-signed) to be used to
+; secure communication with a price oracle.
+; experimental.rfq.priceoracletlscertpath=
+
 ; Send a price hint from the local price oracle to the RFQ peer when requesting
 ; a quote. For privacy reasons, this should only be turned on for self-hosted or
 ; trusted price oracles.
@@ -445,7 +460,7 @@
 ; self-hosted or trusted price oracles.
 ; experimental.rfq.priceoraclesendpeerid=false
 
-; The default price deviation inparts per million that is accepted by 
+; The default price deviation inparts per million that is accepted by
 ; the RFQ negotiator.
 ; Example: 50,000 ppm => price deviation is set to 5% .
 ; experimental.rfq.acceptpricedeviationppm=50000

tapcfg/config.go

@@ -143,6 +143,24 @@ const (
 	// defaultMailboxAuthTimeout is the default timeout we'll use for
 	// mailbox message retrieval client authentication.
 	defaultMailboxAuthTimeout = 10 * time.Second
+
+	// defaultPriceOracleTLS is the default TLS setting to use when
+	// communicating with price oracles.
+	defaultPriceOracleTLS = true
+
+	// defaultPriceOracleTLSInsecure is the default value we'll use for
+	// deciding to verify certificates in TLS connections with price
+	// oracles.
+	defaultPriceOracleTLSInsecure = false
+
+	// defaultPriceOracleNoSystemCAs is the default value we'll use
+	// regarding trust of the operating system's root CA list. We'll use
+	// 'false', i.e. we will trust the OS root CA list by default.
+	defaultPriceOracleTLSNoSystemCAs = false
+
+	// defaultPriceOracleTLSCertPath is the default (empty) path to a
+	// certificate to use for securing price oracle communication.
+	defaultPriceOracleTLSCertPath = ""
 )
 
 var (
@@ -317,8 +335,11 @@ type ExperimentalConfig struct {
 	Rfq rfq.CliConfig `group:"rfq" namespace:"rfq"`
 }
 
-// Validate returns an error if the configuration is invalid.
-func (c *ExperimentalConfig) Validate() error {
+// CleanAndValidate performs final processing on the ExperimentalConfig,
+// returning an error if the configuration is invalid.
+func (c *ExperimentalConfig) CleanAndValidate() error {
+	c.Rfq.PriceOracleTLSCertPath = CleanAndExpandPath(
+		c.Rfq.PriceOracleTLSCertPath)
 	return c.Rfq.Validate()
 }
 
@@ -478,7 +499,11 @@ func DefaultConfig() Config {
 		},
 		Experimental: &ExperimentalConfig{
 			Rfq: rfq.CliConfig{
-				AcceptPriceDeviationPpm: rfq.DefaultAcceptPriceDeviationPpm,
+				AcceptPriceDeviationPpm:   rfq.DefaultAcceptPriceDeviationPpm,
+				PriceOracleTLS:            defaultPriceOracleTLS,
+				PriceOracleTLSInsecure:    defaultPriceOracleTLSInsecure,
+				PriceOracleTLSNoSystemCAs: defaultPriceOracleTLSNoSystemCAs,
+				PriceOracleTLSCertPath:    defaultPriceOracleTLSCertPath,
 			},
 		},
 	}
@@ -914,8 +939,8 @@ func ValidateConfig(cfg Config, cfgLogger btclog.Logger) (*Config, error) {
 		}
 	}
 
-	// Validate the experimental command line config.
-	err = cfg.Experimental.Validate()
+	// Clean and validate the experimental command line config.
+	err = cfg.Experimental.CleanAndValidate()
 	if err != nil {
 		return nil, fmt.Errorf("error in experimental command line "+
 			"config: %w", err)
@@ -1150,6 +1175,35 @@ func getCertificateConfig(cfg *Config, cfgLogger btclog.Logger) (*tls.Config,
 	return tlsCfg, restCreds, nil
 }
 
+// getPriceOracleTLSConfig returns a TLS configuration for a price oracle,
+// given a valid RFQ CLI configuration.
+func getPriceOracleTLSConfig(rfqCfg rfq.CliConfig) (*rfq.TLSConfig, error) {
+	var certBytes []byte
+
+	// Read any specified certificate data.
+	if rfqCfg.PriceOracleTLSCertPath != "" {
+		var err error
+		certBytes, err = os.ReadFile(
+			rfqCfg.PriceOracleTLSCertPath)
+		if err != nil {
+			return nil, fmt.Errorf("unable to read "+
+				"price oracle certificate: %w", err)
+		}
+	}
+
+	// Construct the oracle's TLS configuration.
+	tlsConfig := &rfq.TLSConfig{
+		Enabled:            rfqCfg.PriceOracleTLS,
+		InsecureSkipVerify: rfqCfg.PriceOracleTLSInsecure,
+		// Note the subtle flip on the flag, since the user has
+		// configured whether to *not* trust the system CA's.
+		TrustSystemRootCAs: !rfqCfg.PriceOracleTLSNoSystemCAs,
+		CustomCertificates: certBytes,
+	}
+
+	return tlsConfig, nil
+}
+
 // fileExists reports whether the named file or directory exists.
 // This function is taken from https://github.com/btcsuite/btcd
 func fileExists(name string) bool {

tapcfg/server.go

@@ -461,8 +461,14 @@ func genServerConfig(cfg *Config, cfgLogger btclog.Logger,
 		// skip setting suggested prices for outgoing quote requests.
 
 	default:
+		tlsConfig, err := getPriceOracleTLSConfig(rfqCfg)
+		if err != nil {
+			return nil, fmt.Errorf("couldn't construct price "+
+				"oracle configuration: %w", err)
+		}
+
 		priceOracle, err = rfq.NewRpcPriceOracle(
-			rfqCfg.PriceOracleAddress, rfq.DefaultTLSConfig(),
+			rfqCfg.PriceOracleAddress, tlsConfig,
 		)
 		if err != nil {
 			return nil, fmt.Errorf("unable to create price "+