mirror of
https://github.com/lightningnetwork/lnd.git
synced 2024-11-19 09:53:54 +01:00
21c29c33d7
This commit reworks the macaroon authentication framework to use the v2 macaroon format and bakery API. It also replaces the code in each RPC method which calls the macaroon verifier with interceptors which call the macaroon verifier instead. In addition, the operation permissions are reworked to fit the new format of "allow" commands (specifically, entity/operation permissions instead of method permissions).
798 lines
22 KiB
Go
798 lines
22 KiB
Go
// Copyright (c) 2013-2017 The btcsuite developers
|
|
// Copyright (c) 2015-2016 The Decred developers
|
|
// Copyright (C) 2015-2017 The Lightning Network Developers
|
|
|
|
package main
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"math/big"
|
|
"net"
|
|
"net/http"
|
|
_ "net/http/pprof"
|
|
"os"
|
|
"runtime"
|
|
"runtime/pprof"
|
|
"sync"
|
|
"time"
|
|
|
|
"gopkg.in/macaroon-bakery.v2/bakery"
|
|
|
|
"golang.org/x/net/context"
|
|
|
|
"google.golang.org/grpc"
|
|
"google.golang.org/grpc/credentials"
|
|
|
|
proxy "github.com/grpc-ecosystem/grpc-gateway/runtime"
|
|
flags "github.com/jessevdk/go-flags"
|
|
"github.com/lightningnetwork/lnd/autopilot"
|
|
"github.com/lightningnetwork/lnd/channeldb"
|
|
"github.com/lightningnetwork/lnd/lnrpc"
|
|
"github.com/lightningnetwork/lnd/lnwallet"
|
|
"github.com/lightningnetwork/lnd/lnwire"
|
|
"github.com/lightningnetwork/lnd/macaroons"
|
|
"github.com/lightningnetwork/lnd/walletunlocker"
|
|
"github.com/roasbeef/btcd/btcec"
|
|
"github.com/roasbeef/btcutil"
|
|
)
|
|
|
|
const (
|
|
// Make certificate valid for 14 months.
|
|
autogenCertValidity = 14 /*months*/ * 30 /*days*/ * 24 * time.Hour
|
|
)
|
|
|
|
var (
|
|
cfg *config
|
|
shutdownChannel = make(chan struct{})
|
|
registeredChains = newChainRegistry()
|
|
|
|
macaroonDatabaseDir string
|
|
|
|
// End of ASN.1 time.
|
|
endOfTime = time.Date(2049, 12, 31, 23, 59, 59, 0, time.UTC)
|
|
|
|
// Max serial number.
|
|
serialNumberLimit = new(big.Int).Lsh(big.NewInt(1), 128)
|
|
|
|
/*
|
|
* These cipher suites fit the following criteria:
|
|
* - Don't use outdated algorithms like SHA-1 and 3DES
|
|
* - Don't use ECB mode or other insecure symmetric methods
|
|
* - Included in the TLS v1.2 suite
|
|
* - Are available in the Go 1.7.6 standard library (more are
|
|
* available in 1.8.3 and will be added after lnd no longer
|
|
* supports 1.7, including suites that support CBC mode)
|
|
*
|
|
* The cipher suites are ordered from strongest to weakest
|
|
* primitives, but the client's preference order has more
|
|
* effect during negotiation.
|
|
**/
|
|
tlsCipherSuites = []uint16{
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
|
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
|
|
tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
|
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
|
}
|
|
)
|
|
|
|
// lndMain is the true entry point for lnd. This function is required since
|
|
// defers created in the top-level scope of a main method aren't executed if
|
|
// os.Exit() is called.
|
|
func lndMain() error {
|
|
// Load the configuration, and parse any command line options. This
|
|
// function will also set up logging properly.
|
|
loadedConfig, err := loadConfig()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
cfg = loadedConfig
|
|
defer func() {
|
|
if logRotator != nil {
|
|
logRotator.Close()
|
|
}
|
|
}()
|
|
|
|
// Show version at startup.
|
|
ltndLog.Infof("Version %s", version())
|
|
|
|
// Enable http profiling server if requested.
|
|
if cfg.Profile != "" {
|
|
go func() {
|
|
listenAddr := net.JoinHostPort("", cfg.Profile)
|
|
profileRedirect := http.RedirectHandler("/debug/pprof",
|
|
http.StatusSeeOther)
|
|
http.Handle("/", profileRedirect)
|
|
fmt.Println(http.ListenAndServe(listenAddr, nil))
|
|
}()
|
|
}
|
|
|
|
// Write cpu profile if requested.
|
|
if cfg.CPUProfile != "" {
|
|
f, err := os.Create(cfg.CPUProfile)
|
|
if err != nil {
|
|
ltndLog.Errorf("Unable to create cpu profile: %v", err)
|
|
return err
|
|
}
|
|
pprof.StartCPUProfile(f)
|
|
defer f.Close()
|
|
defer pprof.StopCPUProfile()
|
|
}
|
|
|
|
// Open the channeldb, which is dedicated to storing channel, and
|
|
// network related metadata.
|
|
chanDB, err := channeldb.Open(cfg.DataDir)
|
|
if err != nil {
|
|
ltndLog.Errorf("unable to open channeldb: %v", err)
|
|
return err
|
|
}
|
|
defer chanDB.Close()
|
|
|
|
// Only process macaroons if --no-macaroons isn't set.
|
|
ctx := context.Background()
|
|
ctx, cancel := context.WithCancel(ctx)
|
|
defer cancel()
|
|
|
|
var macaroonService *bakery.Bakery
|
|
if !cfg.NoMacaroons {
|
|
// Create the macaroon authentication/authorization service.
|
|
macaroonService, err = macaroons.NewService(macaroonDatabaseDir,
|
|
macaroons.IPLockChecker)
|
|
if err != nil {
|
|
srvrLog.Errorf("unable to create macaroon service: %v", err)
|
|
return err
|
|
}
|
|
|
|
// Create macaroon files for lncli to use if they don't exist.
|
|
if !fileExists(cfg.AdminMacPath) && !fileExists(cfg.ReadMacPath) {
|
|
err = genMacaroons(ctx, macaroonService,
|
|
cfg.AdminMacPath, cfg.ReadMacPath)
|
|
if err != nil {
|
|
ltndLog.Errorf("unable to create macaroon "+
|
|
"files: %v", err)
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
|
|
// Ensure we create TLS key and certificate if they don't exist
|
|
if !fileExists(cfg.TLSCertPath) && !fileExists(cfg.TLSKeyPath) {
|
|
if err := genCertPair(cfg.TLSCertPath, cfg.TLSKeyPath); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
cert, err := tls.LoadX509KeyPair(cfg.TLSCertPath, cfg.TLSKeyPath)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
tlsConf := &tls.Config{
|
|
Certificates: []tls.Certificate{cert},
|
|
CipherSuites: tlsCipherSuites,
|
|
MinVersion: tls.VersionTLS12,
|
|
}
|
|
sCreds := credentials.NewTLS(tlsConf)
|
|
serverOpts := []grpc.ServerOption{grpc.Creds(sCreds)}
|
|
cCreds, err := credentials.NewClientTLSFromFile(cfg.TLSCertPath, "")
|
|
if err != nil {
|
|
return err
|
|
}
|
|
proxyOpts := []grpc.DialOption{grpc.WithTransportCredentials(cCreds)}
|
|
|
|
// We wait until the user provides a password over RPC. In case lnd is
|
|
// started with the --noencryptwallet flag, we use the default password
|
|
// "hello" for wallet encryption.
|
|
privateWalletPw := []byte("hello")
|
|
publicWalletPw := []byte("public")
|
|
if !cfg.NoEncryptWallet {
|
|
privateWalletPw, publicWalletPw, err = waitForWalletPassword(
|
|
cfg.RPCListeners, cfg.RESTListeners, serverOpts, proxyOpts,
|
|
tlsConf, macaroonService,
|
|
)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// With the information parsed from the configuration, create valid
|
|
// instances of the pertinent interfaces required to operate the
|
|
// Lightning Network Daemon.
|
|
activeChainControl, chainCleanUp, err := newChainControlFromConfig(cfg,
|
|
chanDB, privateWalletPw, publicWalletPw)
|
|
if err != nil {
|
|
fmt.Printf("unable to create chain control: %v\n", err)
|
|
return err
|
|
}
|
|
if chainCleanUp != nil {
|
|
defer chainCleanUp()
|
|
}
|
|
|
|
// Finally before we start the server, we'll register the "holy
|
|
// trinity" of interface for our current "home chain" with the active
|
|
// chainRegistry interface.
|
|
primaryChain := registeredChains.PrimaryChain()
|
|
registeredChains.RegisterChain(primaryChain, activeChainControl)
|
|
|
|
idPrivKey, err := activeChainControl.wallet.GetIdentitykey()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
idPrivKey.Curve = btcec.S256()
|
|
|
|
// Set up the core server which will listen for incoming peer
|
|
// connections.
|
|
server, err := newServer(cfg.Listeners, chanDB, activeChainControl,
|
|
idPrivKey)
|
|
if err != nil {
|
|
srvrLog.Errorf("unable to create server: %v\n", err)
|
|
return err
|
|
}
|
|
|
|
// Next, we'll initialize the funding manager itself so it can answer
|
|
// queries while the wallet+chain are still syncing.
|
|
nodeSigner := newNodeSigner(idPrivKey)
|
|
var chanIDSeed [32]byte
|
|
if _, err := rand.Read(chanIDSeed[:]); err != nil {
|
|
return err
|
|
}
|
|
fundingMgr, err := newFundingManager(fundingConfig{
|
|
IDKey: idPrivKey.PubKey(),
|
|
Wallet: activeChainControl.wallet,
|
|
Notifier: activeChainControl.chainNotifier,
|
|
FeeEstimator: activeChainControl.feeEstimator,
|
|
SignMessage: func(pubKey *btcec.PublicKey,
|
|
msg []byte) (*btcec.Signature, error) {
|
|
|
|
if pubKey.IsEqual(idPrivKey.PubKey()) {
|
|
return nodeSigner.SignMessage(pubKey, msg)
|
|
}
|
|
|
|
return activeChainControl.msgSigner.SignMessage(
|
|
pubKey, msg,
|
|
)
|
|
},
|
|
CurrentNodeAnnouncement: func() (lnwire.NodeAnnouncement, error) {
|
|
return server.genNodeAnnouncement(true)
|
|
},
|
|
SendAnnouncement: func(msg lnwire.Message) error {
|
|
errChan := server.authGossiper.ProcessLocalAnnouncement(msg,
|
|
idPrivKey.PubKey())
|
|
return <-errChan
|
|
},
|
|
ArbiterChan: server.breachArbiter.newContracts,
|
|
SendToPeer: server.SendToPeer,
|
|
NotifyWhenOnline: server.NotifyWhenOnline,
|
|
FindPeer: server.FindPeer,
|
|
TempChanIDSeed: chanIDSeed,
|
|
FindChannel: func(chanID lnwire.ChannelID) (*lnwallet.LightningChannel, error) {
|
|
dbChannels, err := chanDB.FetchAllChannels()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
for _, channel := range dbChannels {
|
|
if chanID.IsChanPoint(&channel.FundingOutpoint) {
|
|
// TODO(rosbeef): populate baecon
|
|
return lnwallet.NewLightningChannel(
|
|
activeChainControl.signer,
|
|
server.witnessBeacon,
|
|
channel)
|
|
}
|
|
}
|
|
|
|
return nil, fmt.Errorf("unable to find channel")
|
|
},
|
|
DefaultRoutingPolicy: activeChainControl.routingPolicy,
|
|
NumRequiredConfs: func(chanAmt btcutil.Amount,
|
|
pushAmt lnwire.MilliSatoshi) uint16 {
|
|
// For large channels we increase the number
|
|
// of confirmations we require for the
|
|
// channel to be considered open. As it is
|
|
// always the responder that gets to choose
|
|
// value, the pushAmt is value being pushed
|
|
// to us. This means we have more to lose
|
|
// in the case this gets re-orged out, and
|
|
// we will require more confirmations before
|
|
// we consider it open.
|
|
// TODO(halseth): Use Litecoin params in case
|
|
// of LTC channels.
|
|
|
|
// In case the user has explicitly specified
|
|
// a default value for the number of
|
|
// confirmations, we use it.
|
|
defaultConf := uint16(cfg.Bitcoin.DefaultNumChanConfs)
|
|
if defaultConf != 0 {
|
|
return defaultConf
|
|
}
|
|
|
|
// If not we return a value scaled linearly
|
|
// between 3 and 6, depending on channel size.
|
|
// TODO(halseth): Use 1 as minimum?
|
|
minConf := uint64(3)
|
|
maxConf := uint64(6)
|
|
maxChannelSize := uint64(
|
|
lnwire.NewMSatFromSatoshis(maxFundingAmount))
|
|
stake := lnwire.NewMSatFromSatoshis(chanAmt) + pushAmt
|
|
conf := maxConf * uint64(stake) / maxChannelSize
|
|
if conf < minConf {
|
|
conf = minConf
|
|
}
|
|
if conf > maxConf {
|
|
conf = maxConf
|
|
}
|
|
return uint16(conf)
|
|
},
|
|
RequiredRemoteDelay: func(chanAmt btcutil.Amount) uint16 {
|
|
// We scale the remote CSV delay (the time the
|
|
// remote have to claim funds in case of a unilateral
|
|
// close) linearly from minRemoteDelay blocks
|
|
// for small channels, to maxRemoteDelay blocks
|
|
// for channels of size maxFundingAmount.
|
|
// TODO(halseth): Litecoin parameter for LTC.
|
|
|
|
// In case the user has explicitly specified
|
|
// a default value for the remote delay, we
|
|
// use it.
|
|
defaultDelay := uint16(cfg.Bitcoin.DefaultRemoteDelay)
|
|
if defaultDelay > 0 {
|
|
return defaultDelay
|
|
}
|
|
|
|
// If not we scale according to channel size.
|
|
delay := uint16(maxRemoteDelay *
|
|
chanAmt / maxFundingAmount)
|
|
if delay < minRemoteDelay {
|
|
delay = minRemoteDelay
|
|
}
|
|
if delay > maxRemoteDelay {
|
|
delay = maxRemoteDelay
|
|
}
|
|
return delay
|
|
},
|
|
WatchNewChannel: server.chainArb.WatchNewChannel,
|
|
})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if err := fundingMgr.Start(); err != nil {
|
|
return err
|
|
}
|
|
server.fundingMgr = fundingMgr
|
|
|
|
// Check macaroon authentication if macaroons aren't disabled.
|
|
if macaroonService != nil {
|
|
serverOpts = append(serverOpts,
|
|
grpc.UnaryInterceptor(macaroons.UnaryServerInterceptor(
|
|
macaroonService, permissions)),
|
|
grpc.StreamInterceptor(macaroons.StreamServerInterceptor(
|
|
macaroonService, permissions)),
|
|
)
|
|
}
|
|
|
|
// Initialize, and register our implementation of the gRPC interface
|
|
// exported by the rpcServer.
|
|
rpcServer := newRPCServer(server)
|
|
if err := rpcServer.Start(); err != nil {
|
|
return err
|
|
}
|
|
|
|
grpcServer := grpc.NewServer(serverOpts...)
|
|
lnrpc.RegisterLightningServer(grpcServer, rpcServer)
|
|
|
|
// Next, Start the gRPC server listening for HTTP/2 connections.
|
|
for _, listener := range cfg.RPCListeners {
|
|
lis, err := net.Listen("tcp", listener)
|
|
if err != nil {
|
|
ltndLog.Errorf("RPC server unable to listen on %s", listener)
|
|
return err
|
|
}
|
|
defer lis.Close()
|
|
go func() {
|
|
rpcsLog.Infof("RPC server listening on %s", lis.Addr())
|
|
grpcServer.Serve(lis)
|
|
}()
|
|
}
|
|
|
|
// Finally, start the REST proxy for our gRPC server above.
|
|
mux := proxy.NewServeMux()
|
|
err = lnrpc.RegisterLightningHandlerFromEndpoint(ctx, mux,
|
|
cfg.RPCListeners[0], proxyOpts)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
for _, restEndpoint := range cfg.RESTListeners {
|
|
listener, err := tls.Listen("tcp", restEndpoint, tlsConf)
|
|
if err != nil {
|
|
ltndLog.Errorf("gRPC proxy unable to listen on %s", restEndpoint)
|
|
return err
|
|
}
|
|
defer listener.Close()
|
|
go func() {
|
|
rpcsLog.Infof("gRPC proxy started at %s", listener.Addr())
|
|
http.Serve(listener, mux)
|
|
}()
|
|
}
|
|
|
|
// If we're not in simnet mode, We'll wait until we're fully synced to
|
|
// continue the start up of the remainder of the daemon. This ensures
|
|
// that we don't accept any possibly invalid state transitions, or
|
|
// accept channels with spent funds.
|
|
if !(cfg.Bitcoin.SimNet || cfg.Litecoin.SimNet) {
|
|
_, bestHeight, err := activeChainControl.chainIO.GetBestBlock()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
ltndLog.Infof("Waiting for chain backend to finish sync, "+
|
|
"start_height=%v", bestHeight)
|
|
|
|
for {
|
|
synced, err := activeChainControl.wallet.IsSynced()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if synced {
|
|
break
|
|
}
|
|
|
|
time.Sleep(time.Second * 1)
|
|
}
|
|
|
|
_, bestHeight, err = activeChainControl.chainIO.GetBestBlock()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
ltndLog.Infof("Chain backend is fully synced (end_height=%v)!",
|
|
bestHeight)
|
|
}
|
|
|
|
// With all the relevant chains initialized, we can finally start the
|
|
// server itself.
|
|
if err := server.Start(); err != nil {
|
|
srvrLog.Errorf("unable to start server: %v\n", err)
|
|
return err
|
|
}
|
|
|
|
// Now that the server has started, if the autopilot mode is currently
|
|
// active, then we'll initialize a fresh instance of it and start it.
|
|
var pilot *autopilot.Agent
|
|
if cfg.Autopilot.Active {
|
|
pilot, err := initAutoPilot(server, cfg.Autopilot)
|
|
if err != nil {
|
|
ltndLog.Errorf("unable to create autopilot agent: %v",
|
|
err)
|
|
return err
|
|
}
|
|
if err := pilot.Start(); err != nil {
|
|
ltndLog.Errorf("unable to start autopilot agent: %v",
|
|
err)
|
|
return err
|
|
}
|
|
}
|
|
|
|
addInterruptHandler(func() {
|
|
ltndLog.Infof("Gracefully shutting down the server...")
|
|
rpcServer.Stop()
|
|
fundingMgr.Stop()
|
|
server.Stop()
|
|
|
|
if pilot != nil {
|
|
pilot.Stop()
|
|
}
|
|
|
|
server.WaitForShutdown()
|
|
})
|
|
|
|
// Wait for shutdown signal from either a graceful server stop or from
|
|
// the interrupt handler.
|
|
<-shutdownChannel
|
|
ltndLog.Info("Shutdown complete")
|
|
return nil
|
|
}
|
|
|
|
func main() {
|
|
// Use all processor cores.
|
|
// TODO(roasbeef): remove this if required version # is > 1.6?
|
|
runtime.GOMAXPROCS(runtime.NumCPU())
|
|
|
|
// Call the "real" main in a nested manner so the defers will properly
|
|
// be executed in the case of a graceful shutdown.
|
|
if err := lndMain(); err != nil {
|
|
if e, ok := err.(*flags.Error); ok && e.Type == flags.ErrHelp {
|
|
} else {
|
|
fmt.Fprintln(os.Stderr, err)
|
|
}
|
|
os.Exit(1)
|
|
}
|
|
}
|
|
|
|
// fileExists reports whether the named file or directory exists.
|
|
// This function is taken from https://github.com/btcsuite/btcd
|
|
func fileExists(name string) bool {
|
|
if _, err := os.Stat(name); err != nil {
|
|
if os.IsNotExist(err) {
|
|
return false
|
|
}
|
|
}
|
|
return true
|
|
}
|
|
|
|
// genCertPair generates a key/cert pair to the paths provided. The
|
|
// auto-generated certificates should *not* be used in production for public
|
|
// access as they're self-signed and don't necessarily contain all of the
|
|
// desired hostnames for the service. For production/public use, consider a
|
|
// real PKI.
|
|
//
|
|
// This function is adapted from https://github.com/btcsuite/btcd and
|
|
// https://github.com/btcsuite/btcutil
|
|
func genCertPair(certFile, keyFile string) error {
|
|
rpcsLog.Infof("Generating TLS certificates...")
|
|
|
|
org := "lnd autogenerated cert"
|
|
now := time.Now()
|
|
validUntil := now.Add(autogenCertValidity)
|
|
|
|
// Check that the certificate validity isn't past the ASN.1 end of time.
|
|
if validUntil.After(endOfTime) {
|
|
validUntil = endOfTime
|
|
}
|
|
|
|
// Generate a serial number that's below the serialNumberLimit.
|
|
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to generate serial number: %s", err)
|
|
}
|
|
|
|
// Collect the host's IP addresses, including loopback, in a slice.
|
|
ipAddresses := []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")}
|
|
|
|
// addIP appends an IP address only if it isn't already in the slice.
|
|
addIP := func(ipAddr net.IP) {
|
|
for _, ip := range ipAddresses {
|
|
if bytes.Equal(ip, ipAddr) {
|
|
return
|
|
}
|
|
}
|
|
ipAddresses = append(ipAddresses, ipAddr)
|
|
}
|
|
|
|
// Add all the interface IPs that aren't already in the slice.
|
|
addrs, err := net.InterfaceAddrs()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
for _, a := range addrs {
|
|
ipAddr, _, err := net.ParseCIDR(a.String())
|
|
if err == nil {
|
|
addIP(ipAddr)
|
|
}
|
|
}
|
|
|
|
// Collect the host's names into a slice.
|
|
host, err := os.Hostname()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
dnsNames := []string{host}
|
|
if host != "localhost" {
|
|
dnsNames = append(dnsNames, "localhost")
|
|
}
|
|
|
|
// Generate a private key for the certificate.
|
|
priv, err := rsa.GenerateKey(rand.Reader, 4096)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Construct the certificate template.
|
|
template := x509.Certificate{
|
|
SerialNumber: serialNumber,
|
|
Subject: pkix.Name{
|
|
Organization: []string{org},
|
|
CommonName: host,
|
|
},
|
|
NotBefore: now.Add(-time.Hour * 24),
|
|
NotAfter: validUntil,
|
|
|
|
KeyUsage: x509.KeyUsageKeyEncipherment |
|
|
x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
|
|
IsCA: true, // so can sign self.
|
|
BasicConstraintsValid: true,
|
|
|
|
DNSNames: dnsNames,
|
|
IPAddresses: ipAddresses,
|
|
|
|
// This signature algorithm is most likely to be compatible
|
|
// with clients using less-common TLS libraries like BoringSSL.
|
|
SignatureAlgorithm: x509.SHA256WithRSA,
|
|
}
|
|
|
|
derBytes, err := x509.CreateCertificate(rand.Reader, &template,
|
|
&template, &priv.PublicKey, priv)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to create certificate: %v", err)
|
|
}
|
|
|
|
certBuf := &bytes.Buffer{}
|
|
err = pem.Encode(certBuf, &pem.Block{Type: "CERTIFICATE",
|
|
Bytes: derBytes})
|
|
if err != nil {
|
|
return fmt.Errorf("failed to encode certificate: %v", err)
|
|
}
|
|
|
|
keybytes := x509.MarshalPKCS1PrivateKey(priv)
|
|
keyBuf := &bytes.Buffer{}
|
|
err = pem.Encode(keyBuf, &pem.Block{Type: "RSA PRIVATE KEY",
|
|
Bytes: keybytes})
|
|
if err != nil {
|
|
return fmt.Errorf("failed to encode private key: %v", err)
|
|
}
|
|
|
|
// Write cert and key files.
|
|
if err = ioutil.WriteFile(certFile, certBuf.Bytes(), 0644); err != nil {
|
|
return err
|
|
}
|
|
if err = ioutil.WriteFile(keyFile, keyBuf.Bytes(), 0600); err != nil {
|
|
os.Remove(certFile)
|
|
return err
|
|
}
|
|
|
|
rpcsLog.Infof("Done generating TLS certificates")
|
|
return nil
|
|
}
|
|
|
|
// genMacaroons generates a pair of macaroon files; one admin-level and one
|
|
// read-only. These can also be used to generate more granular macaroons.
|
|
func genMacaroons(ctx context.Context, svc *bakery.Bakery, admFile,
|
|
roFile string) error {
|
|
|
|
// Generate the read-only macaroon and write it to a file.
|
|
roMacaroon, err := svc.Oven.NewMacaroon(ctx, bakery.LatestVersion, nil,
|
|
readPermissions...)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
roBytes, err := roMacaroon.M().MarshalBinary()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if err = ioutil.WriteFile(roFile, roBytes, 0644); err != nil {
|
|
os.Remove(admFile)
|
|
return err
|
|
}
|
|
|
|
// Generate the admin macaroon and write it to a file.
|
|
admMacaroon, err := svc.Oven.NewMacaroon(ctx, bakery.LatestVersion,
|
|
nil, append(readPermissions, writePermissions...)...)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
admBytes, err := admMacaroon.M().MarshalBinary()
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if err = ioutil.WriteFile(admFile, admBytes, 0600); err != nil {
|
|
return err
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// waitForWalletPassword will spin up gRPC and REST endpoints for the
|
|
// WalletUnlocker server, and block until a password is provided by
|
|
// the user to this RPC server.
|
|
func waitForWalletPassword(grpcEndpoints, restEndpoints []string,
|
|
serverOpts []grpc.ServerOption, proxyOpts []grpc.DialOption,
|
|
tlsConf *tls.Config, macaroonService *bakery.Bakery) ([]byte, []byte, error) {
|
|
|
|
// Set up a new PasswordService, which will listen
|
|
// for passwords provided over RPC.
|
|
grpcServer := grpc.NewServer(serverOpts...)
|
|
|
|
chainConfig := cfg.Bitcoin
|
|
if registeredChains.PrimaryChain() == litecoinChain {
|
|
chainConfig = cfg.Litecoin
|
|
}
|
|
pwService := walletunlocker.New(macaroonService,
|
|
chainConfig.ChainDir, activeNetParams.Params)
|
|
lnrpc.RegisterWalletUnlockerServer(grpcServer, pwService)
|
|
|
|
// Use a WaitGroup so we can be sure the instructions on how to input the
|
|
// password is the last thing to be printed to the console.
|
|
var wg sync.WaitGroup
|
|
|
|
for _, grpcEndpoint := range grpcEndpoints {
|
|
// Start a gRPC server listening for HTTP/2 connections, solely
|
|
// used for getting the encryption password from the client.
|
|
lis, err := net.Listen("tcp", grpcEndpoint)
|
|
if err != nil {
|
|
ltndLog.Errorf("password RPC server unable to listen on %s",
|
|
grpcEndpoint)
|
|
return nil, nil, err
|
|
}
|
|
defer lis.Close()
|
|
|
|
wg.Add(1)
|
|
go func() {
|
|
rpcsLog.Infof("password RPC server listening on %s", lis.Addr())
|
|
wg.Done()
|
|
grpcServer.Serve(lis)
|
|
}()
|
|
}
|
|
|
|
// Start a REST proxy for our gRPC server above.
|
|
ctx := context.Background()
|
|
ctx, cancel := context.WithCancel(ctx)
|
|
defer cancel()
|
|
|
|
mux := proxy.NewServeMux()
|
|
|
|
err := lnrpc.RegisterWalletUnlockerHandlerFromEndpoint(ctx, mux,
|
|
grpcEndpoints[0], proxyOpts)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
srv := &http.Server{Handler: mux}
|
|
defer func() {
|
|
// We must shut down this server, since we'll let
|
|
// the regular rpcServer listen on the same address.
|
|
if err := srv.Shutdown(ctx); err != nil {
|
|
rpcsLog.Errorf("unable to shutdown password gRPC proxy: %v", err)
|
|
}
|
|
}()
|
|
|
|
for _, restEndpoint := range restEndpoints {
|
|
lis, err := tls.Listen("tcp", restEndpoint, tlsConf)
|
|
if err != nil {
|
|
ltndLog.Errorf("password gRPC proxy unable to listen on %s",
|
|
restEndpoint)
|
|
return nil, nil, err
|
|
}
|
|
defer lis.Close()
|
|
|
|
wg.Add(1)
|
|
go func() {
|
|
rpcsLog.Infof("password gRPC proxy started at %s", lis.Addr())
|
|
wg.Done()
|
|
srv.Serve(lis)
|
|
}()
|
|
}
|
|
|
|
// Wait for gRPC and REST servers to be up running.
|
|
wg.Wait()
|
|
|
|
// Wait for user to provide the password.
|
|
ltndLog.Infof("Waiting for wallet encryption password. " +
|
|
"Use `lncli create` to create wallet, or " +
|
|
"`lncli unlock` to unlock already created wallet.")
|
|
|
|
// We currently don't distinguish between getting a password to
|
|
// be used for creation or unlocking, as a new wallet db will be
|
|
// created if none exists when creating the chain control.
|
|
select {
|
|
case walletPw := <-pwService.CreatePasswords:
|
|
return walletPw, walletPw, nil
|
|
case walletPw := <-pwService.UnlockPasswords:
|
|
return walletPw, walletPw, nil
|
|
case <-shutdownChannel:
|
|
return nil, nil, fmt.Errorf("shutting down")
|
|
}
|
|
}
|