feat: Support for using OS certs in Rust (#47)

Author: amunra

CMakeLists.txt

@@ -41,15 +41,18 @@ if(WIN32)
         DEFINE_SYMBOL "LINESENDER_DYN_LIB")
     target_link_libraries(
         questdb_client-shared
-        INTERFACE wsock32 ws2_32 ntdll)
+        INTERFACE wsock32 ws2_32 ntdll crypt32 Secur32 Ncrypt)
     target_link_libraries(
         questdb_client-static
-        INTERFACE wsock32 ws2_32 ntdll)
+        INTERFACE wsock32 ws2_32 ntdll crypt32 Secur32 Ncrypt)
 endif(WIN32)
 if(APPLE)
     target_link_libraries(
         questdb_client
         INTERFACE "-framework Security")
+    target_link_libraries(
+        questdb_client
+        INTERFACE "-framework CoreFoundation")
 endif()
 
 function(set_compile_flags TARGET_NAME)

cpp_test/test_line_sender.cpp

@@ -548,6 +548,15 @@ TEST_CASE("Bad CA path")
     }
 }
 
+TEST_CASE("os certs")
+{
+    // We're just checking these APIs don't throw.
+    questdb::ingress::test::mock_server server;
+    questdb::ingress::opts opts{"localhost", server.port()};
+    opts.tls_os_roots();
+    opts.tls_webpki_and_os_roots();
+}
+
 TEST_CASE("Opts copy ctor, assignment and move testing.")
 {
     {

doc/SECURITY.md

@@ -15,17 +15,27 @@ Authentication can be used independently of TLS encryption.
 
 ## TLS Encryption
 
-As of writing, whilst QuestDB itself can't be configured to support TLS natively
-it is recommended that you use [HAProxy](http://www.haproxy.org/) or other
+As of writing, only QuestDB Enterprise can be configured to support TLS natively.
+If you're using the open source edition, you can still use TLS encryption by setting
+up [HAProxy](http://www.haproxy.org/) or other proxy
 to secure the connection for any public-facing servers.
 
 TLS can be used independently and provides no authentication itself.
 
 The `tls_certs` directory of this project contains tests certificates, its
-[README](../tls_certs/README.md) page describes generating your own certs.
+[README](../tls_certs/README.md) page describes generating your own test certs.
+
+A few important technical details on TLS:
+  * The libraries use the `rustls` Rust crate for TLS support.
+  * They also, by default, use the `webpki_roots` Rust crate for root certificate verification
+    which require no OS-specific configuration.
+  * Alternatively, If you want to use your operating system's root certificates,
+    you can do so calling the `tls_os_roots` method when building the "sender" object.
+    The latter is especially desireable in corporate environments where the certificates
+    are managed centrally.
 
 For API usage:
 * Rust: `SenderBuilder`'s [`auth`](https://docs.rs/questdb-rs/3.0.0/questdb/ingress/struct.SenderBuilder.html#method.auth)
   and [`tls`](https://docs.rs/questdb-rs/3.0.0/questdb/ingress/struct.SenderBuilder.html#method.tls) methods.
 * C: [examples/line_sender_c_example_auth.c](../examples/line_sender_c_example_auth.c)
-* C++: [examples/line_sender_cpp_example_auth.cpp](../examples/line_sender_cpp_example_auth.cpp)
+* C++: [examples/line_sender_cpp_example_auth.cpp](../examples/line_sender_cpp_example_auth.cpp)

examples/line_sender_c_example_auth_tls.c

@@ -24,6 +24,9 @@ static bool example(const char* host, const char* port)
     // Enable TLS to accept connections using common trusted CAs.
     line_sender_opts_tls(opts);
 
+    //// Alternatively, to use the OS-provided root certificates:
+    // line_sender_opts_tls_os_roots(opts);
+
     // Use `QDB_UTF_8_FROM_STR_OR` to init from `const char*`.
     line_sender_utf8 key_id = QDB_UTF8_LITERAL("testUser1");
     line_sender_utf8 priv_key = QDB_UTF8_LITERAL(

examples/line_sender_cpp_example_auth_tls.cpp

@@ -15,6 +15,9 @@ static bool example(
         // Enable TLS to accept connections using common trusted CAs.
         opts.tls();
 
+        //// Alternatively, to use the OS-provided root certificates:
+        // opts.tls_os_roots(opts);
+
         // Follow our authentication documentation to generate your own keys:
         // https://questdb.io/docs/reference/api/ilp/authenticate
         opts.auth(

include/questdb/ingress/line_sender.h

@@ -559,6 +559,20 @@ void line_sender_opts_auth(
 LINESENDER_API
 void line_sender_opts_tls(line_sender_opts* opts);
 
+/**
+ * Enable full connection encryption via TLS, using OS-provided certificate roots.
+ */
+LINESENDER_API
+void line_sender_opts_tls_os_roots(line_sender_opts* opts);
+
+/*
+ * Enable full connection encryption via TLS, accepting certificates signed by either
+ * the OS-provided certificate roots or well-known certificate authorities as per
+ * the "webpki-roots" Rust crate.
+ */
+LINESENDER_API
+void line_sender_opts_tls_webpki_and_os_roots(line_sender_opts* opts);
+
 /**
  * Enable full connection encryption via TLS.
  * The connection will accept certificates by the specified certificate

include/questdb/ingress/line_sender.hpp

@@ -743,6 +743,26 @@ namespace questdb::ingress
                 return *this;
             }
 
+            /*
+             * Enable full connection encryption via TLS, using OS-provided certificate roots.
+             */
+            opts& tls_os_roots() noexcept
+            {
+                ::line_sender_opts_tls_os_roots(_impl);
+                return *this;
+            }
+
+            /*
+             * Enable full connection encryption via TLS, accepting certificates signed by either
+             * the OS-provided certificate roots or well-known certificate authorities as per
+             * the "webpki-roots" Rust crate.
+             */
+            opts& tls_webpki_and_os_roots() noexcept
+            {
+                ::line_sender_opts_tls_webpki_and_os_roots(_impl);
+                return *this;
+            }
+
             /**
              * Enable full connection encryption via TLS.
              * The connection will accept certificates by the specified certificate

questdb-rs-ffi/Cargo.lock

@@ -9,7 +9,7 @@ name = "questdb_client"
 crate-type = ["cdylib", "staticlib"]
 
 [dependencies]
-questdb-rs = { path = "../questdb-rs", features = ["insecure-skip-verify"] }
+questdb-rs = { path = "../questdb-rs", features = ["insecure-skip-verify", "tls-native-certs"] }
 libc = "0.2"
 
 [build-dependencies]

questdb-rs-ffi/Cargo.toml

@@ -476,6 +476,24 @@ pub unsafe extern "C" fn line_sender_opts_tls(opts: *mut line_sender_opts) {
     upd_opts!(opts, tls, Tls::Enabled(CertificateAuthority::WebpkiRoots));
 }
 
+/// Enable full connection encryption via TLS, using OS-provided certificate roots.
+#[no_mangle]
+pub unsafe extern "C" fn line_sender_opts_tls_os_roots(opts: *mut line_sender_opts) {
+    upd_opts!(opts, tls, Tls::Enabled(CertificateAuthority::OsRoots));
+}
+
+/// Enable full connection encryption via TLS, accepting certificates signed by either
+/// the OS-provided certificate roots or well-known certificate authorities as per
+/// the "webpki-roots" Rust crate.
+#[no_mangle]
+pub unsafe extern "C" fn line_sender_opts_tls_webpki_and_os_roots(opts: *mut line_sender_opts) {
+    upd_opts!(
+        opts,
+        tls,
+        Tls::Enabled(CertificateAuthority::WebpkiAndOsRoots)
+    );
+}
+
 /// Enable full connection encryption via TLS.
 /// The connection will accept certificates by the specified certificate
 /// authority file.