From 7cfd8461960e1d875baf37e10201bc094332b525 Mon Sep 17 00:00:00 2001
From: WenyXu
Date: Mon, 12 Aug 2024 10:57:59 +0000
Subject: [PATCH] feat: load system ca certs
---
 Cargo.lock | 5 +-
 src/common/wal/Cargo.toml | 1 +
 src/common/wal/src/config/kafka/common.rs | 68 ++---------------------
 src/common/wal/src/error.rs | 8 +++
 4 files changed, 18 insertions(+), 64 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index d3f98114e217..0b1c80ec7e89 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2280,6 +2280,7 @@ dependencies = [
 "humantime-serde",
 "rskafka",
 "rustls 0.23.10",
+ "rustls-native-certs",
 "rustls-pemfile 2.1.2",
 "serde",
 "serde_json",
@@ -9446,9 +9447,9 @@ dependencies = [
 [[package]]
 name = "rustls-native-certs"
-version = "0.7.0"
+version = "0.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f1fb85efa936c42c6d5fc28d2629bb51e4b2f4b8a5211e297d599cc5a093792"
+checksum = "a88d6d420651b496bdd98684116959239430022a115c1240e6c3993be0b15fba"
 dependencies = [
 "openssl-probe",
 "rustls-pemfile 2.1.2",
diff --git a/src/common/wal/Cargo.toml b/src/common/wal/Cargo.toml
index 609b6bf6c22f..cb6d7ce2f664 100644
--- a/src/common/wal/Cargo.toml
+++ b/src/common/wal/Cargo.toml
@@ -20,6 +20,7 @@ humantime-serde.workspace = true
 rskafka.workspace = true
 rustls = { version = "0.23", default-features = false, features = ["ring", "logging", "std", "tls12"] }
 rustls-pemfile = "2.1"
+rustls-native-certs = "0.7.1"
 serde.workspace = true
 serde_with.workspace = true
 snafu.workspace = true
diff --git a/src/common/wal/src/config/kafka/common.rs b/src/common/wal/src/config/kafka/common.rs
index ebedd6741990..f68ddfa5d8b2 100644
--- a/src/common/wal/src/config/kafka/common.rs
+++ b/src/common/wal/src/config/kafka/common.rs
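Review bot: `rustls-native-certs = "0.7.1"` is declared with a crate-local version even though the Cargo.lock hunk above shows the crate was already resolved at 0.7.0 for some other consumer in the tree, so this second requirement is what drives the shared lock entry to bump. If the workspace manifest has a `[workspace.dependencies]` table (it is outside this patch, so I cannot confirm), declaring the crate there and writing `rustls-native-certs.workspace = true` here keeps one version across members, the way `rskafka`, `serde` and `snafu` are declared in the same hunk. A one-line note in the commit description saying why the version was bumped would also help the next person who reads the lockfile change.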
@@ -17,9 +17,7 @@ use std::sync::Arc;
 use std::time::Duration;
 use rskafka::client::{Credentials, SaslConfig};
-use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerified, ServerCertVerifier};
-use rustls::pki_types::{CertificateDer, ServerName};
-use rustls::{ClientConfig, DigitallySignedStruct, RootCertStore};
+use rustls::{ClientConfig, RootCertStore};
 use serde::{Deserialize, Serialize};
 use serde_with::with_prefix;
 use snafu::{OptionExt, ResultExt};
@@ -108,66 +106,13 @@ pub struct KafkaClientTls {
 pub client_key_path: Option,
 }
-#[derive(Debug)]
-struct NoCertificateVerification;
-impl ServerCertVerifier for NoCertificateVerification {
- fn verify_server_cert(
- &self,
- _end_entity: &CertificateDer,
- _intermediates: &[CertificateDer],
- _server_name: &ServerName,
- _ocsp_response: &[u8],
- _now: rustls::pki_types::UnixTime,
- ) -> std::result::Result {
- Ok(ServerCertVerified::assertion())
- }
-
- fn verify_tls13_signature(
- &self,
- _message: &[u8],
- _cert: &CertificateDer,
- _dss: &DigitallySignedStruct,
- ) -> std::result::Result {
- Ok(HandshakeSignatureValid::assertion())
- }
-
- fn verify_tls12_signature(
- &self,
- _message: &[u8],
- _cert: &CertificateDer,
- _dss: &DigitallySignedStruct,
- ) -> std::result::Result {
- Ok(HandshakeSignatureValid::assertion())
- }
-
- fn supported_verify_schemes(&self) -> Vec {
- use rustls::SignatureScheme;
- vec![
- SignatureScheme::RSA_PKCS1_SHA1,
- SignatureScheme::ECDSA_SHA1_Legacy,
- SignatureScheme::RSA_PKCS1_SHA256,
- SignatureScheme::ECDSA_NISTP256_SHA256,
- SignatureScheme::RSA_PKCS1_SHA384,
- SignatureScheme::ECDSA_NISTP384_SHA384,
- SignatureScheme::RSA_PKCS1_SHA512,
- SignatureScheme::ECDSA_NISTP521_SHA512,
- SignatureScheme::RSA_PSS_SHA256,
- SignatureScheme::RSA_PSS_SHA384,
- SignatureScheme::RSA_PSS_SHA512,
- SignatureScheme::ED25519,
- SignatureScheme::ED448,
- ]
- }
-}
-
 impl KafkaClientTls {
 /// Builds the [`ClientConfig`].
 pub async fn to_tls_config(&self) -> Result> {
 let builder = ClientConfig::builder();
 let mut roots = RootCertStore::empty();
- let builder = if let Some(server_ca_cert_path) = &self.server_ca_cert_path {
+ if let Some(server_ca_cert_path) = &self.server_ca_cert_path {
 let root_cert_bytes = tokio::fs::read(&server_ca_cert_path)
 .await
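Review bot: The doc comment `/// Builds the [`ClientConfig`].` no longer says what the trust model is once the `NoCertificateVerification` fallback is deleted, and that deletion is the user-visible part of this patch: a broker certificate that was previously accepted without any verification now has to chain to a trusted root, so deployments that relied on the old default without setting `server_ca_cert_path` will start failing the TLS handshake. I would extend the doc to state that server certificates are verified against the platform's native root store, that `server_ca_cert_path` supplies additional trust anchors, and that building the config fails if the native store cannot be read. The commit description should also call out this behavior change explicitly, since `feat:` undersells turning an insecure default into a hard failure. `to_tls_config` continues past the end of this hunk.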
@@ -183,13 +128,12 @@ impl KafkaClientTls {
 {
 roots.add(cert).context(error::AddCertSnafu)?;
 }
- builder.with_root_certificates(roots)
- } else {
- builder
- .dangerous()
- .with_custom_certificate_verifier(Arc::new(NoCertificateVerification))
 };
+ roots.add_parsable_certificates(
+ rustls_native_certs::load_native_certs().context(error::LoadSystemCertsSnafu)?,
+ );
+ let builder = builder.with_root_certificates(roots);
 let config = if let (Some(cert_path), Some(key_path)) =
 (&self.client_cert_path, &self.client_key_path)
 {
diff --git a/src/common/wal/src/error.rs b/src/common/wal/src/error.rs
index 24953d400733..dc18f3eade92 100644
--- a/src/common/wal/src/error.rs
+++ b/src/common/wal/src/error.rs
@@ -84,6 +84,14 @@ pub enum Error {
 #[snafu(implicit)]
 location: Location,
 },
+
+ #[snafu(display("Failed to ca certs from system"))]
+ LoadSystemCerts {
+ #[snafu(source)]
+ error: std::io::Error,
+ #[snafu(implicit)]
+ location: Location,
+ },
 }
 pub type Result = std::result::Result;
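Review bot: Adding the native store to `roots` unconditionally widens the trust set for every existing user who set `server_ca_cert_path`: before this patch that file was the only trust anchor for the broker, after it any CA in the host's store can also issue an acceptable certificate for the broker's name, which defeats the purpose of pinning a private CA. Unless the union is intended (and then it belongs in the doc comment), load the native certs only when no CA file is configured, i.e. `} else {` / `roots.add_parsable_certificates(rustls_native_certs::load_native_certs().context(error::LoadSystemCertsSnafu)?);` / `}`, which also stops an unreadable system store from failing a configuration that never depended on it. Separately, `add_parsable_certificates` returns an `(added, ignored)` pair that is discarded here; if the store yields nothing parsable, `roots` stays empty and the problem only surfaces later as an unknown-issuer handshake error, so consider checking `roots.is_empty()` and reporting the ignored count at config-build time.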
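Review bot: The display string on the new variant is missing its verb: `#[snafu(display("Failed to ca certs from system"))]` reads as a truncated sentence wherever this error is printed, and it is the only text an operator will see when the native store cannot be read. `#[snafu(display("Failed to load CA certs from system"))]` names what actually failed. The variant's shape (`#[snafu(source)]` on an `std::io::Error` plus the implicit `Location`) is otherwise consistent with its siblings in the enum.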