[bug]: price oracle SSL certificate validation missing

[ZZiigguurraatt]

The price oracle client inside tapd does not seem to do SSL certificate validation of the price oracle server. This is a security issue as we have no confidence that we trust the price oracle we are talking to is the one we think we are talking to.

We should have the following choices:

1. Root CAs to trust (in addition to or instead of the operating system root CA list)
2. Trust operating system root CA list (yes or no)
3. Require certificate checking
4. Don't require certificate checking
5. Pin to a specific certificate (either signed by a CA or self signed)

[Roasbeef]

The issue is how we create the server dial opts in oracle.go:

taproot-assets/rfq/oracle.go

Lines 124 to 135 in 8719b40

	// serverDialOpts returns the set of server options needed to connect to the
	// price oracle RPC server using a TLS connection.
	func serverDialOpts() ([]grpc.DialOption, error) {
	var opts []grpc.DialOption
	// Skip TLS certificate verification.
	tlsConfig := tls.Config{InsecureSkipVerify: true}
	transportCredentials := credentials.NewTLS(&tlsConfig)
	opts = append(opts, grpc.WithTransportCredentials(transportCredentials))
	return opts, nil
	}

This should inherit dialInsecure from the earlier context.

[ZZiigguurraatt]

In addition to not verifying the signatures, I don't think tapd is currently verifying certificate expiry time either.