[configtls] add include_system_ca_certs_pool (#9142)

**Description:** Add `include_system_ca_certs_pool` to configtls, allowing to load system certs and additional custom certs. **Link to tracking Issue:** Fixes #7774
open-telemetry · Feb 29, 2024 · 62050a2 · 62050a2
1 parent 9a83b0a
commit 62050a2
Show file tree

Hide file tree

Showing 4 changed files with 112 additions and 1 deletion.
diff --git a/.chloggen/UseSystemCACerts.yaml b/.chloggen/UseSystemCACerts.yaml
@@ -0,0 +1,25 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. otlpreceiver)
+component: configtls
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Add `include_system_ca_certs_pool` to configtls, allowing to load system certs and additional custom certs.
+
+# One or more tracking issues or pull requests related to the change
+issues: [7774]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: []
diff --git a/config/configtls/README.md b/config/configtls/README.md
@@ -31,6 +31,11 @@ A certificate authority may also need to be defined:
   system root CA. Should only be used if `insecure` is set to false.
   - `ca_pem`: Alternative to `ca_file`. Provide the CA cert contents as a string instead of a filepath.
 
+You can also combine defining a certificate authority with the system certificate authorities.
+
+- `include_system_ca_certs_pool` (default = false): whether to load the system certificate authorities pool
+  alongside the certificate authority.
+
 Additionally you can configure TLS to be enabled but skip verifying the server's
 certificate chain. This cannot be combined with `insecure` since `insecure`
 won't use TLS at all.

diff --git a/config/configtls/configtls.go b/config/configtls/configtls.go
@@ -23,6 +23,8 @@ const defaultMinTLSVersion = tls.VersionTLS12
 // Uses the default MaxVersion from "crypto/tls" which is the maximum supported version
 const defaultMaxTLSVersion = 0
 
+var systemCertPool = x509.SystemCertPool
+
 // TLSSetting exposes the common client and server TLS configurations.
 // Deprecated: [v0.96.0] Use Config instead.
 type TLSSetting = Config
@@ -39,6 +41,10 @@ type Config struct {
 	// In memory PEM encoded cert. (optional)
 	CAPem configopaque.String `mapstructure:"ca_pem"`
 
+	// If true, load system CA certificates pool in addition to the certificates
+	// configured in this struct.
+	IncludeSystemCACertsPool bool `mapstructure:"include_system_ca_certs_pool"`
+
 	// Path to the TLS cert to use for TLS required connections. (optional)
 	CertFile string `mapstructure:"cert_file"`
 
@@ -318,7 +324,15 @@ func (c Config) loadCert(caPath string) (*x509.CertPool, error) {
 		return nil, fmt.Errorf("failed to load CA %s: %w", caPath, err)
 	}
 
-	certPool := x509.NewCertPool()
+	var certPool *x509.CertPool
+	if c.IncludeSystemCACertsPool {
+		if certPool, err = systemCertPool(); err != nil {
+			return nil, err
+		}
+	}
+	if certPool == nil {
+		certPool = x509.NewCertPool()
+	}
 	if !certPool.AppendCertsFromPEM(caPEM) {
 		return nil, fmt.Errorf("failed to parse CA %s", caPath)
 	}

diff --git a/config/configtls/configtls_test.go b/config/configtls/configtls_test.go
@@ -6,6 +6,7 @@ package configtls
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -33,6 +34,10 @@ func TestOptionsToConfig(t *testing.T) {
 			name:    "should load custom CA",
 			options: Config{CAFile: filepath.Join("testdata", "ca-1.crt")},
 		},
+		{
+			name:    "should load system CA and custom CA",
+			options: TLSSetting{IncludeSystemCACertsPool: true, CAFile: filepath.Join("testdata", "ca-1.crt")},
+		},
 		{
 			name:        "should fail with invalid CA file path",
 			options:     Config{CAFile: filepath.Join("testdata", "not/valid")},
@@ -676,3 +681,65 @@ invalid TLS cipher suite: "BAR"`,
 		})
 	}
 }
+
+func TestSystemCertPool(t *testing.T) {
+	anError := errors.New("my error")
+	tests := []struct {
+		name         string
+		tlsSetting   TLSSetting
+		wantErr      error
+		systemCertFn func() (*x509.CertPool, error)
+	}{
+		{
+			name: "not using system cert pool",
+			tlsSetting: TLSSetting{
+				IncludeSystemCACertsPool: false,
+			},
+			wantErr:      nil,
+			systemCertFn: x509.SystemCertPool,
+		},
+		{
+			name: "using system cert pool",
+			tlsSetting: TLSSetting{
+				IncludeSystemCACertsPool: true,
+			},
+			wantErr:      nil,
+			systemCertFn: x509.SystemCertPool,
+		},
+		{
+			name: "error loading system cert pool",
+			tlsSetting: TLSSetting{
+				IncludeSystemCACertsPool: true,
+			},
+			wantErr: anError,
+			systemCertFn: func() (*x509.CertPool, error) {
+				return nil, anError
+			},
+		},
+		{
+			name: "nil system cert pool",
+			tlsSetting: TLSSetting{
+				IncludeSystemCACertsPool: true,
+			},
+			wantErr: nil,
+			systemCertFn: func() (*x509.CertPool, error) {
+				return nil, nil
+			},
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			oldSystemCertPool := systemCertPool
+			systemCertPool = test.systemCertFn
+			defer func() {
+				systemCertPool = oldSystemCertPool
+			}()
+			certPool, err := test.tlsSetting.loadCert(filepath.Join("testdata", "ca-1.crt"))
+			if test.wantErr != nil {
+				assert.Equal(t, test.wantErr, err)
+			} else {
+				assert.NotNil(t, certPool)
+			}
+		})
+	}
+}