Read the additional root certificate directly from the config file...

tankyleo · tankyleo · commit 983adc5e6c6b · 2026-01-14T22:06:59.000Z
...just like we do for the RSA public key used to authenticate incoming
JWTs.

Also parse the root certificate in `PostgresTlsBackend::new`. This makes
`PostgresTlsBackend` consistent with `JWTAuthorizer`; both structs take
cryptographic objects as `&amp;str`'s and parse them in their constructors.
diff --git a/rust/impls/src/postgres_store.rs b/rust/impls/src/postgres_store.rs
@@ -141,11 +141,17 @@ impl PostgresPlaintextBackend {
 impl PostgresTlsBackend {
 	/// Constructs a [`PostgresTlsBackend`] using `postgres_endpoint` for PostgreSQL connection information.
 	pub async fn new(
-		postgres_endpoint: &str, db_name: &str, additional_certificate: Option<Certificate>,
+		postgres_endpoint: &str, db_name: &str, crt_pem: Option<&str>,
 	) -> Result<Self, Error> {
 		let mut builder = TlsConnector::builder();
-		if let Some(cert) = additional_certificate {
-			builder.add_root_certificate(cert);
+		if let Some(pem) = crt_pem {
+			let crt = Certificate::from_pem(pem.as_bytes()).map_err(|e| {
+				Error::new(
+					ErrorKind::Other,
+					format!("Failed to parse the PEM formatted certificate: {}", e),
+				)
+			})?;
+			builder.add_root_certificate(crt);
 		}
 		let connector = builder.build().map_err(|e| {
 			Error::new(ErrorKind::Other, format!("Error building tls connector: {}", e))
diff --git a/rust/server/src/main.rs b/rust/server/src/main.rs
@@ -24,7 +24,7 @@ use api::kv_store::KvStore;
 use auth_impls::jwt::JWTAuthorizer;
 #[cfg(feature = "sigs")]
 use auth_impls::signature::SignatureValidatingAuthorizer;
-use impls::postgres_store::{Certificate, PostgresPlaintextBackend, PostgresTlsBackend};
+use impls::postgres_store::{PostgresPlaintextBackend, PostgresTlsBackend};
 use util::config::{Config, ServerConfig};
 use vss_service::VssService;
 
@@ -115,24 +115,10 @@ fn main() {
 		let endpoint = postgresql_config.to_postgresql_endpoint();
 		let db_name = postgresql_config.database;
 		let store: Arc<dyn KvStore> = if let Some(tls_config) = postgresql_config.tls {
-			let additional_certificate = tls_config.ca_file.map(|file| {
-				let certificate = match std::fs::read(&file) {
-					Ok(cert) => cert,
-					Err(e) => {
-						println!("Failed to read certificate file: {}", e);
-						std::process::exit(-1);
-					},
-				};
-				match Certificate::from_pem(&certificate) {
-					Ok(cert) => cert,
-					Err(e) => {
-						println!("Failed to parse certificate file: {}", e);
-						std::process::exit(-1);
-					},
-				}
-			});
 			let postgres_tls_backend =
-				match PostgresTlsBackend::new(&endpoint, &db_name, additional_certificate).await {
+				match PostgresTlsBackend::new(&endpoint, &db_name, tls_config.crt_pem.as_deref())
+					.await
+				{
 					Ok(backend) => backend,
 					Err(e) => {
 						println!("Failed to start postgres tls backend: {}", e);
diff --git a/rust/server/src/util/config.rs b/rust/server/src/util/config.rs
@@ -30,7 +30,7 @@ pub(crate) struct PostgreSQLConfig {
 
 #[derive(Deserialize)]
 pub(crate) struct TlsConfig {
-	pub(crate) ca_file: Option<String>,
+	pub(crate) crt_pem: Option<String>,
 }
 
 impl PostgreSQLConfig {
diff --git a/rust/server/vss-server-config.toml b/rust/server/vss-server-config.toml
@@ -7,13 +7,6 @@ port = 8080
 # [jwt_auth_config]
 # rsa_pem = """
 # -----BEGIN PUBLIC KEY-----
-# MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAstPJs4ut+tFAI0qrOyGt
-# /3FN5jWc5gLv/j9Rc6lgr4hm7lyR05PU/G+4rfxdXGNyGTlQ6dRqcVy78CjxWz9f
-# 8l08EKLERPh8JhE5el6vr+ehWD5iQxSP3ejpx0Mr977fKMNKg6jlFiL+y50hOEp2
-# 6iN9QzZQjLxotDT3aQvbCA/DZpI+fV6WKDKWGS+pZGDVgOz5x/RcStJQXxkX3ACK
-# WhVdrtN3h6mHlhIt7ZIqVvQmY4NL03QPyljt13sYHoiFaoxINF/funBMCjrfSLcB
-# ko1rWE2BWdOrFqi27RtBs5AHOSAWXuz/2SUGpFuTQuJi7U68QUfjKeQO46JpQf+v
-# kQIDAQAB
 # -----END PUBLIC KEY-----
 # """
 
@@ -23,5 +16,12 @@ password = "postgres"  # Optional in TOML, can be overridden by env var `VSS_POS
 host = "localhost"
 port = 5432
 database = "postgres"
-# tls = { }                        # Uncomment to make TLS connections to the postgres database using your machine's PKI
-# tls = { ca_file = "ca.pem" }     # Uncomment to make TLS connections to the postgres database with an additional root certificate
+
+# [postgresql_config.tls]  # Uncomment to make TLS connections to the postgres database
+#
+# Uncomment the lines below to add a root certificate to your trusted root certificates
+#
+# crt_pem = """
+# -----BEGIN CERTIFICATE-----
+# -----END CERTIFICATE-----
+# """

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ pub(crate) struct PostgreSQLConfig {`
`30`	`30`
`31`	`31`	`#[derive(Deserialize)]`
`32`	`32`	`pub(crate) struct TlsConfig {`
`33`		`- pub(crate) ca_file: Option<String>,`
	`33`	`+ pub(crate) crt_pem: Option<String>,`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`impl PostgreSQLConfig {`