Skip to content

rfq: add tls support for price oracles #1775

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

rfq: add tls support for price oracles #1775

wants to merge 7 commits into from

Conversation

jtobin
Copy link
Member

@jtobin jtobin commented Aug 30, 2025
edited
Loading

(Draft, for now, as the test suite still needs a little work.)

Adds TLS support for communication with price oracles, mostly following the suggestions proposed in #1278. Adds configuration options for skipping certificate verification, distrusting the operating system's root CA list, and using a custom certificate.

Resolves #1278.

@jtobin
rfq: introduce, use tls module
166bc8c 
Introduces rfq/tls.go, which contains a basic TLSConfig type and default
value of such. The default value, which for now only indicates that
certificate verification should be skipped, is used in place of the
'dialInsecure' bool when setting up the price oracle RPC.
@jtobin jtobin added security mainnet preparedness Goal issues to be completed before mainnet release RFQ Work relating to TAP channel Request For Quote (RFQ). oracle labels Aug 30, 2025
@coveralls
Copy link

coveralls commented Aug 30, 2025
edited
Loading

Pull Request Test Coverage Report for Build 17361316751

Details

  • 57 of 69 (82.61%) changed or added relevant lines in 5 files are covered.
  • 35 unchanged lines in 9 files lost coverage.
  • Overall coverage increased (+8.1%) to 56.705%
Changes Missing Coverage Covered Lines Changed/Added Lines %
rfq/tls.go 23 25 92.0%
tapcfg/server.go 3 6 50.0%
tapcfg/config.go 26 33 78.79%
Files with Coverage Reduction New Missed Lines %
tapdb/addrs.go 2 78.23%
tapdb/mssmt.go 2 91.36%
tapgarden/custodian.go 2 77.02%
itest/assertions.go 3 89.08%
itest/multisig.go 3 97.91%
proof/verifier.go 3 86.82%
mssmt/compacted_tree.go 4 80.0%
tapdb/assets_store.go 7 79.61%
universe/archive.go 9 80.05%
Totals Coverage Status
Change from base Build 17301129198: 8.1%
Covered Lines: 61073
Relevant Lines: 107703
💛 - Coveralls

@jtobin
rfq: allow os, custom certificates
bf0387b 
Adds both 'TrustSystemRootCAs' and 'CustomCertificates' to the rfq
TLSConfig. The former indicates whether or not to trust the operating
system's root CA list; the latter allows additional certificates (CA or
self-signed) to be trusted.

Also adds a basic unit test skeleton.
jtobin added 4 commits August 31, 2025 10:57
@jtobin
tapcfg: add price oracle TLS config
138eef4 
We don't skip certificate verification by default, and also default to
trusting the operating system's root CA list.
@jtobin
rfq: add tls test cases
ea7c0ca 
Adds some basic test cases for configuring transport credentials.
@jtobin
itest: use insecure connection with oracle harness
a9fcc6c 
Ensures that certificate verification is skipped when constructing a
communication channel with the itest oracle harness.
@jtobin
docs: add release notes
9910220
@jtobin
rfq+tapcfg: disable tls when flag present
f03cb78 
Ensures the price oracle TLS toggle fits the existing pattern of flags
defaulting to false.
@jtobin jtobin requested review from ffranr and GeorgeTsagk August 31, 2025 19:59
@jtobin jtobin marked this pull request as ready for review August 31, 2025 20:00
@jtobin
Copy link
Member Author

jtobin commented Aug 31, 2025

(Changed this from draft; I think the litd tests are failing for an unrelated reason.)

@jtobin
Copy link
Member Author

jtobin commented Sep 3, 2025

(As pointed out by @ZZiigguurraatt, to be more precise: TLS support already existed for price oracles, but certificate verification was skipped entirely.)

jtobin
jtobin commented Sep 3, 2025
View reviewed changes
rfq/cli.go

PriceOracleTLSInsecure bool `long:"priceoracletlsinsecure" description:"Disable price oracle certificate verification."`

PriceOracleTLSNoSystemCAs bool `long:"priceoracletlsnosystemcas" description:"Disable use of the operating system's list of root CA's when verifiying price oracle certificates."`
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo: s/verifiying/verifying

@levmi levmi moved this from 🆕 New to 🏗 In progress in Taproot-Assets Project Board Sep 4, 2025
@levmi levmi moved this from 🏗 In progress to 👀 In review in Taproot-Assets Project Board Sep 4, 2025
ffranr
ffranr reviewed Sep 16, 2025
View reviewed changes
Copy link
Contributor

@ffranr ffranr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are other cases where we need more precise control over TLS behavior. For example:

taproot-assets/proof/courier.go

Lines 309 to 320 in a17a67a

// serverDialOpts returns the set of server options needed to connect to the
// server using a TLS connection.
func serverDialOpts() ([]grpc.DialOption, error) {
var opts []grpc.DialOption
// Skip TLS certificate verification.
tlsConfig := tls.Config{InsecureSkipVerify: true}
transportCredentials := credentials.NewTLS(&tlsConfig)
opts = append(opts, grpc.WithTransportCredentials(transportCredentials))
return opts, nil
}

With that in mind, I wonder if we could define a more general, reusable solution in something like the new rfq/tls.go file, especially given the need for configuration and the importance of which package owns this logic.

rfq/tls_test.go
Comment on lines +116 to +124
name: "invalid custom certificate",
expectInsecure: false,
tlsConfig: &TLSConfig{
Enabled: true,
InsecureSkipVerify: false,
TrustSystemRootCAs: false,
CustomCertificates: []byte(invalidCertificate),
},
},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure I see the purpose of invalidCertificate here. It doesn't look like the test actually exercises its invalidity.

More broadly, do we need certificate examples in our unit tests at all? It seems like we're testing the behavior of the underlying TLS/certificate library rather than the logic we're adding on top of it.

@jtobin jtobin added this to the v0.8 milestone Sep 29, 2025
@lightninglabs-deploy
Copy link

@jtobin, remember to re-request review from reviewers when ready

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ffranr ffranr ffranr left review comments

@GeorgeTsagk GeorgeTsagk Awaiting requested review from GeorgeTsagk

At least 2 approving reviews are required to merge this pull request.

Assignees

@jtobin jtobin

Labels
mainnet preparedness Goal issues to be completed before mainnet release oracle RFQ Work relating to TAP channel Request For Quote (RFQ). security
Projects
Taproot-Assets Project Board
Status: 👀 In review
Milestone
v0.8
Development

Successfully merging this pull request may close these issues.

[bug]: price oracle TLS/SSL certificate validation missing
4 participants
@jtobin @coveralls @lightninglabs-deploy @ffranr