//go:build !rpctest // +build !rpctest package lnd import ( "bytes" "crypto/ecdsa" "crypto/elliptic" "crypto/rand" "crypto/tls" "crypto/x509" "crypto/x509/pkix" "encoding/pem" "io/ioutil" "math/big" "net" "testing" "time" "github.com/lightningnetwork/lnd/lncfg" "github.com/stretchr/testify/require" ) // TestTLSAutoRegeneration creates an expired TLS certificate, to test that a // new TLS certificate pair is regenerated when the old pair expires. This is // necessary because the pair expires after a little over a year. func TestTLSAutoRegeneration(t *testing.T) { tempDirPath := t.TempDir() certPath := tempDirPath + "/tls.cert" keyPath := tempDirPath + "/tls.key" certDerBytes, keyBytes := genExpiredCertPair(t, tempDirPath) expiredCert, err := x509.ParseCertificate(certDerBytes) require.NoError(t, err, "failed to parse certificate") certBuf := bytes.Buffer{} err = pem.Encode( &certBuf, &pem.Block{ Type: "CERTIFICATE", Bytes: certDerBytes, }, ) require.NoError(t, err, "failed to encode certificate") keyBuf := bytes.Buffer{} err = pem.Encode( &keyBuf, &pem.Block{ Type: "EC PRIVATE KEY", Bytes: keyBytes, }, ) require.NoError(t, err, "failed to encode private key") // Write cert and key files. err = ioutil.WriteFile(tempDirPath+"/tls.cert", certBuf.Bytes(), 0644) require.NoError(t, err, "failed to write cert file") err = ioutil.WriteFile(tempDirPath+"/tls.key", keyBuf.Bytes(), 0600) require.NoError(t, err, "failed to write key file") rpcListener := net.IPAddr{IP: net.ParseIP("127.0.0.1"), Zone: ""} rpcListeners := make([]net.Addr, 0) rpcListeners = append(rpcListeners, &rpcListener) // Now let's run getTLSConfig. If it works properly, it should delete // the cert and create a new one. cfg := &Config{ TLSCertPath: certPath, TLSKeyPath: keyPath, TLSCertDuration: 42 * time.Hour, RPCListeners: rpcListeners, } _, _, _, cleanUp, err := getTLSConfig(cfg) if err != nil { t.Fatalf("couldn't retrieve TLS config") } t.Cleanup(cleanUp) // Grab the certificate to test that getTLSConfig did its job correctly // and generated a new cert. newCertData, err := tls.LoadX509KeyPair(certPath, keyPath) if err != nil { t.Fatalf("couldn't grab new certificate") } newCert, err := x509.ParseCertificate(newCertData.Certificate[0]) if err != nil { t.Fatalf("couldn't parse new certificate") } // Check that the expired certificate was successfully deleted and // replaced with a new one. if !newCert.NotAfter.After(expiredCert.NotAfter) { t.Fatalf("New certificate expiration is too old") } } // genExpiredCertPair generates an expired key/cert pair to test that expired // certificates are being regenerated correctly. func genExpiredCertPair(t *testing.T, certDirPath string) ([]byte, []byte) { // Max serial number. serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) // Generate a serial number that's below the serialNumberLimit. serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) require.NoError(t, err, "failed to generate serial number") host := "lightning" // Create a simple ip address for the fake certificate. ipAddresses := []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")} dnsNames := []string{host, "unix", "unixpacket"} // Construct the certificate template. template := x509.Certificate{ SerialNumber: serialNumber, Subject: pkix.Name{ Organization: []string{"lnd autogenerated cert"}, CommonName: host, }, NotBefore: time.Now().Add(-time.Hour * 24), NotAfter: time.Now(), KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: true, // so can sign self. BasicConstraintsValid: true, DNSNames: dnsNames, IPAddresses: ipAddresses, } // Generate a private key for the certificate. priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) if err != nil { t.Fatalf("failed to generate a private key") } certDerBytes, err := x509.CreateCertificate( rand.Reader, &template, &template, &priv.PublicKey, priv, ) require.NoError(t, err, "failed to create certificate") keyBytes, err := x509.MarshalECPrivateKey(priv) require.NoError(t, err, "unable to encode privkey") return certDerBytes, keyBytes } // TestShouldPeerBootstrap tests that we properly skip network bootstrap for // the developer networks, and also if bootstrapping is explicitly disabled. func TestShouldPeerBootstrap(t *testing.T) { t.Parallel() testCases := []struct { cfg *Config shouldBoostrap bool }{ // Simnet active, no bootstrap. { cfg: &Config{ Bitcoin: &lncfg.Chain{ SimNet: true, }, Litecoin: &lncfg.Chain{}, }, }, // Regtest active, no bootstrap. { cfg: &Config{ Bitcoin: &lncfg.Chain{ RegTest: true, }, Litecoin: &lncfg.Chain{}, }, }, // Signet active, no bootstrap. { cfg: &Config{ Bitcoin: &lncfg.Chain{ SigNet: true, }, Litecoin: &lncfg.Chain{}, }, }, // Mainnet active, but bootstrap disabled, no bootstrap. { cfg: &Config{ Bitcoin: &lncfg.Chain{ MainNet: true, }, Litecoin: &lncfg.Chain{}, NoNetBootstrap: true, }, }, // Mainnet active, should bootstrap. { cfg: &Config{ Bitcoin: &lncfg.Chain{ MainNet: true, }, Litecoin: &lncfg.Chain{}, }, shouldBoostrap: true, }, // Testnet active, should bootstrap. { cfg: &Config{ Bitcoin: &lncfg.Chain{ TestNet3: true, }, Litecoin: &lncfg.Chain{}, }, shouldBoostrap: true, }, } for i, testCase := range testCases { bootstrapped := shouldPeerBootstrap(testCase.cfg) if bootstrapped != testCase.shouldBoostrap { t.Fatalf("#%v: expected bootstrap=%v, got bootstrap=%v", i, testCase.shouldBoostrap, bootstrapped) } } }