2020-02-05 13:51:48 +01:00
|
|
|
package cert_test
|
|
|
|
|
|
|
|
|
|
import (
|
2022-05-24 20:26:32 +02:00
|
|
|
"io/ioutil"
|
|
|
|
|
"path/filepath"
|
2020-02-05 13:51:48 +01:00
|
|
|
"testing"
|
2021-04-06 05:23:33 +02:00
|
|
|
"time"
|
2020-02-05 13:51:48 +01:00
|
|
|
|
|
|
|
|
"github.com/lightningnetwork/lnd/cert"
|
2020-06-26 19:53:05 +02:00
|
|
|
"github.com/stretchr/testify/require"
|
2020-02-05 13:51:48 +01:00
|
|
|
)
|
|
|
|
|
|
2021-04-06 05:23:33 +02:00
|
|
|
const (
|
|
|
|
|
testTLSCertDuration = 42 * time.Hour
|
|
|
|
|
)
|
|
|
|
|
|
2020-02-05 13:51:48 +01:00
|
|
|
var (
|
|
|
|
|
extraIPs = []string{"1.1.1.1", "123.123.123.1", "199.189.12.12"}
|
|
|
|
|
extraDomains = []string{"home", "and", "away"}
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// TestIsOutdatedCert checks that we'll consider the TLS certificate outdated
|
|
|
|
|
// if the ip addresses or dns names don't match.
|
|
|
|
|
func TestIsOutdatedCert(t *testing.T) {
|
2022-08-15 15:04:51 +02:00
|
|
|
tempDir := t.TempDir()
|
2020-02-05 13:51:48 +01:00
|
|
|
|
|
|
|
|
certPath := tempDir + "/tls.cert"
|
|
|
|
|
keyPath := tempDir + "/tls.key"
|
|
|
|
|
|
|
|
|
|
// Generate TLS files with two extra IPs and domains.
|
2022-05-24 20:26:32 +02:00
|
|
|
certBytes, keyBytes, err := cert.GenCertPair(
|
2023-02-06 17:10:06 +01:00
|
|
|
"lnd autogenerated cert", extraIPs[:2], extraDomains[:2],
|
|
|
|
|
false, testTLSCertDuration,
|
2020-02-05 13:51:48 +01:00
|
|
|
)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
2022-05-24 20:26:32 +02:00
|
|
|
err = cert.WriteCertPair(certPath, keyPath, certBytes, keyBytes)
|
|
|
|
|
require.NoError(t, err)
|
2020-02-05 13:51:48 +01:00
|
|
|
|
|
|
|
|
// We'll attempt to check up-to-date status for all variants of 1-3
|
|
|
|
|
// number of IPs and domains.
|
|
|
|
|
for numIPs := 1; numIPs <= len(extraIPs); numIPs++ {
|
|
|
|
|
for numDomains := 1; numDomains <= len(extraDomains); numDomains++ {
|
2022-05-24 20:26:32 +02:00
|
|
|
certBytes, err := ioutil.ReadFile(certPath)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
keyBytes, err := ioutil.ReadFile(keyPath)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
_, parsedCert, err := cert.LoadCertFromBytes(
|
|
|
|
|
certBytes, keyBytes,
|
2020-02-05 13:51:48 +01:00
|
|
|
)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Using the test case's number of IPs and domains, get
|
|
|
|
|
// the outdated status of the certificate we created
|
|
|
|
|
// above.
|
|
|
|
|
outdated, err := cert.IsOutdated(
|
|
|
|
|
parsedCert, extraIPs[:numIPs],
|
2020-06-26 19:53:05 +02:00
|
|
|
extraDomains[:numDomains], false,
|
2020-02-05 13:51:48 +01:00
|
|
|
)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// We expect it to be considered outdated if the IPs or
|
|
|
|
|
// domains don't match exactly what we created.
|
|
|
|
|
expected := numIPs != 2 || numDomains != 2
|
|
|
|
|
if outdated != expected {
|
|
|
|
|
t.Fatalf("expected certificate to be "+
|
|
|
|
|
"outdated=%v, got=%v", expected,
|
|
|
|
|
outdated)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// TestIsOutdatedPermutation tests that the order of listed IPs or DNS names,
|
|
|
|
|
// nor dulicates in the lists, matter for whether we consider the certificate
|
|
|
|
|
// outdated.
|
|
|
|
|
func TestIsOutdatedPermutation(t *testing.T) {
|
2022-08-15 15:04:51 +02:00
|
|
|
tempDir := t.TempDir()
|
2020-02-05 13:51:48 +01:00
|
|
|
|
|
|
|
|
certPath := tempDir + "/tls.cert"
|
|
|
|
|
keyPath := tempDir + "/tls.key"
|
|
|
|
|
|
|
|
|
|
// Generate TLS files from the IPs and domains.
|
2022-05-24 20:26:32 +02:00
|
|
|
certBytes, keyBytes, err := cert.GenCertPair(
|
2023-02-06 17:10:06 +01:00
|
|
|
"lnd autogenerated cert", extraIPs[:], extraDomains[:],
|
|
|
|
|
false, testTLSCertDuration,
|
2020-02-05 13:51:48 +01:00
|
|
|
)
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
2022-05-24 20:26:32 +02:00
|
|
|
err = cert.WriteCertPair(certPath, keyPath, certBytes, keyBytes)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
certBytes, err = ioutil.ReadFile(certPath)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
keyBytes, err = ioutil.ReadFile(keyPath)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
_, parsedCert, err := cert.LoadCertFromBytes(certBytes, keyBytes)
|
|
|
|
|
require.NoError(t, err)
|
2020-02-05 13:51:48 +01:00
|
|
|
|
|
|
|
|
// If we have duplicate IPs or DNS names listed, that shouldn't matter.
|
|
|
|
|
dupIPs := make([]string, len(extraIPs)*2)
|
|
|
|
|
for i := range dupIPs {
|
|
|
|
|
dupIPs[i] = extraIPs[i/2]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dupDNS := make([]string, len(extraDomains)*2)
|
|
|
|
|
for i := range dupDNS {
|
|
|
|
|
dupDNS[i] = extraDomains[i/2]
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-26 19:53:05 +02:00
|
|
|
outdated, err := cert.IsOutdated(parsedCert, dupIPs, dupDNS, false)
|
2020-02-05 13:51:48 +01:00
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if outdated {
|
|
|
|
|
t.Fatalf("did not expect duplicate IPs or DNS names be " +
|
|
|
|
|
"considered outdated")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Similarly, the order of the lists shouldn't matter.
|
|
|
|
|
revIPs := make([]string, len(extraIPs))
|
|
|
|
|
for i := range revIPs {
|
|
|
|
|
revIPs[i] = extraIPs[len(extraIPs)-1-i]
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
revDNS := make([]string, len(extraDomains))
|
|
|
|
|
for i := range revDNS {
|
|
|
|
|
revDNS[i] = extraDomains[len(extraDomains)-1-i]
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-26 19:53:05 +02:00
|
|
|
outdated, err = cert.IsOutdated(parsedCert, revIPs, revDNS, false)
|
2020-02-05 13:51:48 +01:00
|
|
|
if err != nil {
|
|
|
|
|
t.Fatal(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if outdated {
|
|
|
|
|
t.Fatalf("did not expect reversed IPs or DNS names be " +
|
|
|
|
|
"considered outdated")
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-06-26 19:53:05 +02:00
|
|
|
|
|
|
|
|
// TestTLSDisableAutofill checks that setting the --tlsdisableautofill flag
|
|
|
|
|
// does not add interface ip addresses or hostnames to the cert.
|
|
|
|
|
func TestTLSDisableAutofill(t *testing.T) {
|
2022-08-15 15:04:51 +02:00
|
|
|
tempDir := t.TempDir()
|
2020-06-26 19:53:05 +02:00
|
|
|
|
|
|
|
|
certPath := tempDir + "/tls.cert"
|
|
|
|
|
keyPath := tempDir + "/tls.key"
|
|
|
|
|
|
|
|
|
|
// Generate TLS files with two extra IPs and domains and no interface IPs.
|
2022-05-24 20:26:32 +02:00
|
|
|
certBytes, keyBytes, err := cert.GenCertPair(
|
2023-02-06 17:10:06 +01:00
|
|
|
"lnd autogenerated cert", extraIPs[:2], extraDomains[:2],
|
|
|
|
|
true, testTLSCertDuration,
|
2020-06-26 19:53:05 +02:00
|
|
|
)
|
|
|
|
|
require.NoError(
|
|
|
|
|
t, err,
|
|
|
|
|
"unable to generate tls certificate pair",
|
|
|
|
|
)
|
2022-05-24 20:26:32 +02:00
|
|
|
err = cert.WriteCertPair(certPath, keyPath, certBytes, keyBytes)
|
|
|
|
|
require.NoError(t, err)
|
2020-06-26 19:53:05 +02:00
|
|
|
|
2022-05-24 20:26:32 +02:00
|
|
|
// Read certs from disk.
|
|
|
|
|
certBytes, err = ioutil.ReadFile(certPath)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
keyBytes, err = ioutil.ReadFile(keyPath)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
// Load the certificate.
|
|
|
|
|
_, parsedCert, err := cert.LoadCertFromBytes(
|
|
|
|
|
certBytes, keyBytes,
|
2020-06-26 19:53:05 +02:00
|
|
|
)
|
|
|
|
|
require.NoError(
|
|
|
|
|
t, err,
|
|
|
|
|
"unable to load tls certificate pair",
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// Check if the TLS cert is outdated while still preventing
|
2022-05-24 20:26:32 +02:00
|
|
|
// interface IPs from being used. Should not be outdated.
|
2020-06-26 19:53:05 +02:00
|
|
|
shouldNotBeOutdated, err := cert.IsOutdated(
|
|
|
|
|
parsedCert, extraIPs[:2],
|
|
|
|
|
extraDomains[:2], true,
|
|
|
|
|
)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
require.Equal(
|
|
|
|
|
t, false, shouldNotBeOutdated,
|
|
|
|
|
"TLS Certificate was marked as outdated when it should not be",
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// Check if the TLS cert is outdated while allowing for
|
|
|
|
|
// interface IPs to be used. Should report as outdated.
|
|
|
|
|
shouldBeOutdated, err := cert.IsOutdated(
|
|
|
|
|
parsedCert, extraIPs[:2],
|
|
|
|
|
extraDomains[:2], false,
|
|
|
|
|
)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
require.Equal(
|
|
|
|
|
t, true, shouldBeOutdated,
|
|
|
|
|
"TLS Certificate was not marked as outdated when it should be",
|
|
|
|
|
)
|
|
|
|
|
}
|
2022-05-24 20:26:32 +02:00
|
|
|
|
|
|
|
|
// TestTLSConfig tests to ensure we can generate a TLS Config from
|
|
|
|
|
// a tls cert and tls key.
|
|
|
|
|
func TestTLSConfig(t *testing.T) {
|
|
|
|
|
tempDir := t.TempDir()
|
|
|
|
|
certPath := filepath.Join(tempDir, "/tls.cert")
|
|
|
|
|
keyPath := filepath.Join(tempDir, "/tls.key")
|
|
|
|
|
|
|
|
|
|
// Generate TLS files with an extra IP and domain.
|
|
|
|
|
certBytes, keyBytes, err := cert.GenCertPair(
|
2023-02-06 17:10:06 +01:00
|
|
|
"lnd autogenerated cert", []string{extraIPs[0]},
|
|
|
|
|
[]string{extraDomains[0]}, false, testTLSCertDuration,
|
2022-05-24 20:26:32 +02:00
|
|
|
)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
err = cert.WriteCertPair(certPath, keyPath, certBytes, keyBytes)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
certBytes, err = ioutil.ReadFile(certPath)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
keyBytes, err = ioutil.ReadFile(keyPath)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
// Load the certificate.
|
|
|
|
|
certData, parsedCert, err := cert.LoadCertFromBytes(
|
|
|
|
|
certBytes, keyBytes,
|
|
|
|
|
)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
// Check to make sure the IP and domain are in the cert.
|
|
|
|
|
var foundIp bool
|
|
|
|
|
require.Contains(t, parsedCert.DNSNames, extraDomains[0])
|
|
|
|
|
for _, ip := range parsedCert.IPAddresses {
|
|
|
|
|
if ip.String() == extraIPs[0] {
|
|
|
|
|
foundIp = true
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
require.Equal(t, true, foundIp, "Did not find required ip inside of "+
|
|
|
|
|
"TLS Certificate.")
|
|
|
|
|
|
|
|
|
|
// Create TLS Config.
|
|
|
|
|
tlsCfg := cert.TLSConfFromCert(certData)
|
|
|
|
|
|
|
|
|
|
require.Equal(t, 1, len(tlsCfg.Certificates))
|
|
|
|
|
}
|
