mirror of
https://github.com/lightningnetwork/lnd.git
synced 2024-11-19 01:43:16 +01:00
634 lines
17 KiB
Go
634 lines
17 KiB
Go
package lnd
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"errors"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net"
|
|
"net/http"
|
|
"os"
|
|
"time"
|
|
|
|
"github.com/lightningnetwork/lnd/cert"
|
|
"github.com/lightningnetwork/lnd/keychain"
|
|
"github.com/lightningnetwork/lnd/lncfg"
|
|
"github.com/lightningnetwork/lnd/lnencrypt"
|
|
"github.com/lightningnetwork/lnd/lnrpc"
|
|
"golang.org/x/crypto/acme/autocert"
|
|
"google.golang.org/grpc"
|
|
"google.golang.org/grpc/credentials"
|
|
)
|
|
|
|
const (
|
|
// modifyFilePermissons is the file permission used for writing
|
|
// encrypted tls files.
|
|
modifyFilePermissions = 0600
|
|
|
|
// validityHours is the number of hours the ephemeral tls certificate
|
|
// will be valid, if encrypting tls certificates is turned on.
|
|
validityHours = 24
|
|
)
|
|
|
|
var (
|
|
// privateKeyPrefix is the prefix to a plaintext TLS key.
|
|
// It should match these two key formats:
|
|
// - `-----BEGIN PRIVATE KEY-----` (PKCS8).
|
|
// - `-----BEGIN EC PRIVATE KEY-----` (SEC1/rfc5915, the legacy format).
|
|
privateKeyPrefix = []byte("-----BEGIN ")
|
|
)
|
|
|
|
// TLSManagerCfg houses a set of values and methods that is passed to the
|
|
// TLSManager for it to properly manage LND's TLS options.
|
|
type TLSManagerCfg struct {
|
|
TLSCertPath string
|
|
TLSKeyPath string
|
|
TLSEncryptKey bool
|
|
TLSExtraIPs []string
|
|
TLSExtraDomains []string
|
|
TLSAutoRefresh bool
|
|
TLSDisableAutofill bool
|
|
TLSCertDuration time.Duration
|
|
|
|
LetsEncryptDir string
|
|
LetsEncryptDomain string
|
|
LetsEncryptListen string
|
|
|
|
DisableRestTLS bool
|
|
|
|
HTTPHeaderTimeout time.Duration
|
|
}
|
|
|
|
// TLSManager generates/renews a TLS cert/key pair when needed. When required,
|
|
// it encrypts the TLS key. It also returns the certificate configuration
|
|
// options needed for gRPC and REST.
|
|
type TLSManager struct {
|
|
cfg *TLSManagerCfg
|
|
|
|
// tlsReloader is able to reload the certificate with the
|
|
// GetCertificate function. In getConfig, tlsCfg.GetCertificate is
|
|
// pointed towards t.tlsReloader.GetCertificateFunc(). When
|
|
// TLSReloader's AttemptReload is called, the cert that tlsReloader
|
|
// holds is changed, in turn changing the cert data
|
|
// tlsCfg.GetCertificate will return.
|
|
tlsReloader *cert.TLSReloader
|
|
|
|
// These options are only used if we're currently using an ephemeral
|
|
// TLS certificate, used when we're encrypting the TLS key.
|
|
ephemeralKey []byte
|
|
ephemeralCert []byte
|
|
ephemeralCertPath string
|
|
}
|
|
|
|
// NewTLSManager returns a reference to a new TLSManager.
|
|
func NewTLSManager(cfg *TLSManagerCfg) *TLSManager {
|
|
return &TLSManager{
|
|
cfg: cfg,
|
|
}
|
|
}
|
|
|
|
// getConfig returns a TLS configuration for the gRPC server and credentials
|
|
// and a proxy destination for the REST reverse proxy.
|
|
func (t *TLSManager) getConfig() ([]grpc.ServerOption, []grpc.DialOption,
|
|
func(net.Addr) (net.Listener, error), func(), error) {
|
|
|
|
var (
|
|
keyBytes, certBytes []byte
|
|
err error
|
|
)
|
|
if t.ephemeralKey != nil {
|
|
keyBytes = t.ephemeralKey
|
|
certBytes = t.ephemeralCert
|
|
} else {
|
|
certBytes, keyBytes, err = cert.GetCertBytesFromPath(
|
|
t.cfg.TLSCertPath, t.cfg.TLSKeyPath,
|
|
)
|
|
if err != nil {
|
|
return nil, nil, nil, nil, err
|
|
}
|
|
}
|
|
|
|
certData, _, err := cert.LoadCertFromBytes(certBytes, keyBytes)
|
|
if err != nil {
|
|
return nil, nil, nil, nil, err
|
|
}
|
|
|
|
if t.tlsReloader == nil {
|
|
tlsr, err := cert.NewTLSReloader(certBytes, keyBytes)
|
|
if err != nil {
|
|
return nil, nil, nil, nil, err
|
|
}
|
|
t.tlsReloader = tlsr
|
|
}
|
|
|
|
tlsCfg := cert.TLSConfFromCert(certData)
|
|
tlsCfg.GetCertificate = t.tlsReloader.GetCertificateFunc()
|
|
|
|
// If Let's Encrypt is enabled, we need to set up the autocert manager
|
|
// and override the TLS config's GetCertificate function.
|
|
cleanUp := t.setUpLetsEncrypt(&certData, tlsCfg)
|
|
|
|
// Now that we know that we have a certificate, let's generate the
|
|
// required config options.
|
|
serverCreds := credentials.NewTLS(tlsCfg)
|
|
serverOpts := []grpc.ServerOption{grpc.Creds(serverCreds)}
|
|
|
|
// For our REST dial options, we skip TLS verification, and we also
|
|
// increase the max message size that we'll decode to allow clients to
|
|
// hit endpoints which return more data such as the DescribeGraph call.
|
|
// We set this to 200MiB atm. Should be the same value as maxMsgRecvSize
|
|
// in cmd/lncli/main.go.
|
|
restDialOpts := []grpc.DialOption{
|
|
// We are forwarding the requests directly to the address of our
|
|
// own local listener. To not need to mess with the TLS
|
|
// certificate (which might be tricky if we're using Let's
|
|
// Encrypt or if the ephemeral tls cert is being used), we just
|
|
// skip the certificate verification. Injecting a malicious
|
|
// hostname into the listener address will result in an error
|
|
// on startup so this should be quite safe.
|
|
grpc.WithTransportCredentials(credentials.NewTLS(
|
|
&tls.Config{InsecureSkipVerify: true},
|
|
)),
|
|
grpc.WithDefaultCallOptions(
|
|
grpc.MaxCallRecvMsgSize(lnrpc.MaxGrpcMsgSize),
|
|
),
|
|
}
|
|
|
|
// Return a function closure that can be used to listen on a given
|
|
// address with the current TLS config.
|
|
restListen := func(addr net.Addr) (net.Listener, error) {
|
|
// For restListen we will call ListenOnAddress if TLS is
|
|
// disabled.
|
|
if t.cfg.DisableRestTLS {
|
|
return lncfg.ListenOnAddress(addr)
|
|
}
|
|
|
|
return lncfg.TLSListenOnAddress(addr, tlsCfg)
|
|
}
|
|
|
|
return serverOpts, restDialOpts, restListen, cleanUp, nil
|
|
}
|
|
|
|
// generateOrRenewCert generates a new TLS certificate if we're not using one
|
|
// yet or renews it if it's outdated.
|
|
func (t *TLSManager) generateOrRenewCert() (*tls.Config, error) {
|
|
// Generete a TLS pair if we don't have one yet.
|
|
var emptyKeyRing keychain.SecretKeyRing
|
|
err := t.generateCertPair(emptyKeyRing)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
certData, parsedCert, err := cert.LoadCert(
|
|
t.cfg.TLSCertPath, t.cfg.TLSKeyPath,
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Check to see if the certificate needs to be renewed. If it does, we
|
|
// return the newly generated certificate data instead.
|
|
reloadedCertData, err := t.maintainCert(parsedCert)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if reloadedCertData != nil {
|
|
certData = *reloadedCertData
|
|
}
|
|
|
|
tlsCfg := cert.TLSConfFromCert(certData)
|
|
|
|
return tlsCfg, nil
|
|
}
|
|
|
|
// generateCertPair creates and writes a TLS pair to disk if the pair
|
|
// doesn't exist yet. If the TLSEncryptKey setting is on, and a plaintext key
|
|
// is already written to disk, this function overwrites the plaintext key with
|
|
// the encrypted form.
|
|
func (t *TLSManager) generateCertPair(keyRing keychain.SecretKeyRing) error {
|
|
// Ensure we create TLS key and certificate if they don't exist.
|
|
if lnrpc.FileExists(t.cfg.TLSCertPath) ||
|
|
lnrpc.FileExists(t.cfg.TLSKeyPath) {
|
|
|
|
// Handle discrepencies related to the TLSEncryptKey setting.
|
|
return t.ensureEncryption(keyRing)
|
|
}
|
|
|
|
rpcsLog.Infof("Generating TLS certificates...")
|
|
certBytes, keyBytes, err := cert.GenCertPair(
|
|
"lnd autogenerated cert", t.cfg.TLSExtraIPs,
|
|
t.cfg.TLSExtraDomains, t.cfg.TLSDisableAutofill,
|
|
t.cfg.TLSCertDuration,
|
|
)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if t.cfg.TLSEncryptKey {
|
|
var b bytes.Buffer
|
|
e, err := lnencrypt.KeyRingEncrypter(keyRing)
|
|
if err != nil {
|
|
return fmt.Errorf("unable to create "+
|
|
"encrypt key %v", err)
|
|
}
|
|
|
|
err = e.EncryptPayloadToWriter(
|
|
keyBytes, &b,
|
|
)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
keyBytes = b.Bytes()
|
|
}
|
|
|
|
err = cert.WriteCertPair(
|
|
t.cfg.TLSCertPath, t.cfg.TLSKeyPath, certBytes, keyBytes,
|
|
)
|
|
|
|
rpcsLog.Infof("Done generating TLS certificates")
|
|
|
|
return err
|
|
}
|
|
|
|
// ensureEncryption takes a look at a couple of things:
|
|
// 1) If the TLS key is in plaintext, but TLSEncryptKey is set, we need to
|
|
// encrypt the file and rewrite it to disk.
|
|
// 2) On the flip side, if TLSEncryptKey is not set, but the key on disk
|
|
// is encrypted, we need to error out and warn the user.
|
|
func (t *TLSManager) ensureEncryption(keyRing keychain.SecretKeyRing) error {
|
|
_, keyBytes, err := cert.GetCertBytesFromPath(
|
|
t.cfg.TLSCertPath, t.cfg.TLSKeyPath,
|
|
)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if t.cfg.TLSEncryptKey && bytes.HasPrefix(keyBytes, privateKeyPrefix) {
|
|
var b bytes.Buffer
|
|
e, err := lnencrypt.KeyRingEncrypter(keyRing)
|
|
if err != nil {
|
|
return fmt.Errorf("unable to generate encrypt key %w",
|
|
err)
|
|
}
|
|
|
|
err = e.EncryptPayloadToWriter(keyBytes, &b)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
err = ioutil.WriteFile(
|
|
t.cfg.TLSKeyPath, b.Bytes(), modifyFilePermissions,
|
|
)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
// If the private key is encrypted but the user didn't pass
|
|
// --tlsencryptkey we error out. This is because the wallet is not
|
|
// unlocked yet and we don't have access to the keys yet for decryption.
|
|
if !t.cfg.TLSEncryptKey && !bytes.HasPrefix(keyBytes,
|
|
privateKeyPrefix) {
|
|
|
|
ltndLog.Errorf("The TLS private key is encrypted on disk.")
|
|
|
|
return errors.New("the TLS key is encrypted but the " +
|
|
"--tlsencryptkey flag is not passed. Please either " +
|
|
"restart lnd with the --tlsencryptkey flag or delete " +
|
|
"the TLS files for regeneration")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// decryptTLSKeyBytes decrypts the TLS key.
|
|
func decryptTLSKeyBytes(keyRing keychain.SecretKeyRing,
|
|
encryptedData []byte) ([]byte, error) {
|
|
|
|
reader := bytes.NewReader(encryptedData)
|
|
encrypter, err := lnencrypt.KeyRingEncrypter(keyRing)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
plaintext, err := encrypter.DecryptPayloadFromReader(
|
|
reader,
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return plaintext, nil
|
|
}
|
|
|
|
// maintainCert checks if the certificate IP and domains matches the config,
|
|
// and renews the certificate if either this data is outdated or the
|
|
// certificate is expired.
|
|
func (t *TLSManager) maintainCert(
|
|
parsedCert *x509.Certificate) (*tls.Certificate, error) {
|
|
|
|
// We check whether the certificate we have on disk match the IPs and
|
|
// domains specified by the config. If the extra IPs or domains have
|
|
// changed from when the certificate was created, we will refresh the
|
|
// certificate if auto refresh is active.
|
|
refresh := false
|
|
var err error
|
|
if t.cfg.TLSAutoRefresh {
|
|
refresh, err = cert.IsOutdated(
|
|
parsedCert, t.cfg.TLSExtraIPs,
|
|
t.cfg.TLSExtraDomains, t.cfg.TLSDisableAutofill,
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
// If the certificate expired or it was outdated, delete it and the TLS
|
|
// key and generate a new pair.
|
|
if !time.Now().After(parsedCert.NotAfter) && !refresh {
|
|
return nil, nil
|
|
}
|
|
|
|
ltndLog.Info("TLS certificate is expired or outdated, " +
|
|
"generating a new one")
|
|
|
|
err = os.Remove(t.cfg.TLSCertPath)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
err = os.Remove(t.cfg.TLSKeyPath)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
rpcsLog.Infof("Renewing TLS certificates...")
|
|
certBytes, keyBytes, err := cert.GenCertPair(
|
|
"lnd autogenerated cert", t.cfg.TLSExtraIPs,
|
|
t.cfg.TLSExtraDomains, t.cfg.TLSDisableAutofill,
|
|
t.cfg.TLSCertDuration,
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
err = cert.WriteCertPair(
|
|
t.cfg.TLSCertPath, t.cfg.TLSKeyPath, certBytes, keyBytes,
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
rpcsLog.Infof("Done renewing TLS certificates")
|
|
|
|
// Reload the certificate data.
|
|
reloadedCertData, _, err := cert.LoadCert(
|
|
t.cfg.TLSCertPath, t.cfg.TLSKeyPath,
|
|
)
|
|
|
|
return &reloadedCertData, err
|
|
}
|
|
|
|
// setUpLetsEncrypt automatically generates a Let's Encrypt certificate if the
|
|
// option is set.
|
|
func (t *TLSManager) setUpLetsEncrypt(certData *tls.Certificate,
|
|
tlsCfg *tls.Config) func() {
|
|
|
|
// If Let's Encrypt is enabled, instantiate autocert to request/renew
|
|
// the certificates.
|
|
cleanUp := func() {}
|
|
if t.cfg.LetsEncryptDomain == "" {
|
|
return cleanUp
|
|
}
|
|
|
|
ltndLog.Infof("Using Let's Encrypt certificate for domain %v",
|
|
t.cfg.LetsEncryptDomain)
|
|
|
|
manager := autocert.Manager{
|
|
Cache: autocert.DirCache(t.cfg.LetsEncryptDir),
|
|
Prompt: autocert.AcceptTOS,
|
|
HostPolicy: autocert.HostWhitelist(
|
|
t.cfg.LetsEncryptDomain,
|
|
),
|
|
}
|
|
|
|
srv := &http.Server{
|
|
Addr: t.cfg.LetsEncryptListen,
|
|
Handler: manager.HTTPHandler(nil),
|
|
ReadHeaderTimeout: t.cfg.HTTPHeaderTimeout,
|
|
}
|
|
shutdownCompleted := make(chan struct{})
|
|
cleanUp = func() {
|
|
err := srv.Shutdown(context.Background())
|
|
if err != nil {
|
|
ltndLog.Errorf("Autocert listener shutdown "+
|
|
" error: %v", err)
|
|
|
|
return
|
|
}
|
|
<-shutdownCompleted
|
|
ltndLog.Infof("Autocert challenge listener stopped")
|
|
}
|
|
|
|
go func() {
|
|
ltndLog.Infof("Autocert challenge listener started "+
|
|
"at %v", t.cfg.LetsEncryptListen)
|
|
|
|
err := srv.ListenAndServe()
|
|
if err != http.ErrServerClosed {
|
|
ltndLog.Errorf("autocert http: %v", err)
|
|
}
|
|
close(shutdownCompleted)
|
|
}()
|
|
|
|
getCertificate := func(h *tls.ClientHelloInfo) (
|
|
*tls.Certificate, error) {
|
|
|
|
lecert, err := manager.GetCertificate(h)
|
|
if err != nil {
|
|
ltndLog.Errorf("GetCertificate: %v", err)
|
|
return certData, nil
|
|
}
|
|
|
|
return lecert, err
|
|
}
|
|
|
|
// The self-signed tls.cert remains available as fallback.
|
|
tlsCfg.GetCertificate = getCertificate
|
|
|
|
return cleanUp
|
|
}
|
|
|
|
// SetCertificateBeforeUnlock takes care of loading the certificate before
|
|
// the wallet is unlocked. If the TLSEncryptKey setting is on, we need to
|
|
// generate an ephemeral certificate we're able to use until the wallet is
|
|
// unlocked and a new TLS pair can be encrypted to disk. Otherwise we can
|
|
// process the certificate normally.
|
|
func (t *TLSManager) SetCertificateBeforeUnlock() ([]grpc.ServerOption,
|
|
[]grpc.DialOption, func(net.Addr) (net.Listener, error), func(),
|
|
error) {
|
|
|
|
if t.cfg.TLSEncryptKey {
|
|
_, err := t.loadEphemeralCertificate()
|
|
if err != nil {
|
|
return nil, nil, nil, nil, fmt.Errorf("unable to load "+
|
|
"ephemeral certificate: %v", err)
|
|
}
|
|
} else {
|
|
_, err := t.generateOrRenewCert()
|
|
if err != nil {
|
|
return nil, nil, nil, nil, fmt.Errorf("unable to "+
|
|
"generate or renew TLS certificate: %v", err)
|
|
}
|
|
}
|
|
|
|
serverOpts, restDialOpts, restListen, cleanUp, err := t.getConfig()
|
|
if err != nil {
|
|
return nil, nil, nil, nil, fmt.Errorf("unable to load TLS "+
|
|
"credentials: %v", err)
|
|
}
|
|
|
|
return serverOpts, restDialOpts, restListen, cleanUp, nil
|
|
}
|
|
|
|
// loadEphemeralCertificate creates and loads the ephemeral certificate which
|
|
// is used temporarily for secure communications before the wallet is unlocked.
|
|
func (t *TLSManager) loadEphemeralCertificate() ([]byte, error) {
|
|
rpcsLog.Infof("Generating ephemeral TLS certificates...")
|
|
|
|
tmpValidity := validityHours * time.Hour
|
|
// Append .tmp to the end of the cert for differentiation.
|
|
tmpCertPath := t.cfg.TLSCertPath + ".tmp"
|
|
|
|
// Pass in a blank string for the key path so the
|
|
// function doesn't write them to disk.
|
|
certBytes, keyBytes, err := cert.GenCertPair(
|
|
"lnd ephemeral autogenerated cert", t.cfg.TLSExtraIPs,
|
|
t.cfg.TLSExtraDomains, t.cfg.TLSDisableAutofill, tmpValidity,
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
t.setEphemeralSettings(keyBytes, certBytes)
|
|
|
|
err = cert.WriteCertPair(tmpCertPath, "", certBytes, keyBytes)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
rpcsLog.Infof("Done generating ephemeral TLS certificates")
|
|
|
|
return keyBytes, nil
|
|
}
|
|
|
|
// LoadPermanentCertificate deletes the ephemeral certificate file and
|
|
// generates a new one with the real keyring.
|
|
func (t *TLSManager) LoadPermanentCertificate(
|
|
keyRing keychain.SecretKeyRing) error {
|
|
|
|
if !t.cfg.TLSEncryptKey {
|
|
return nil
|
|
}
|
|
|
|
tmpCertPath := t.cfg.TLSCertPath + ".tmp"
|
|
err := os.Remove(tmpCertPath)
|
|
if err != nil {
|
|
ltndLog.Warn("Unable to delete temp cert at %v",
|
|
tmpCertPath)
|
|
}
|
|
|
|
err = t.generateCertPair(keyRing)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
certBytes, encryptedKeyBytes, err := cert.GetCertBytesFromPath(
|
|
t.cfg.TLSCertPath, t.cfg.TLSKeyPath,
|
|
)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
reader := bytes.NewReader(encryptedKeyBytes)
|
|
e, err := lnencrypt.KeyRingEncrypter(keyRing)
|
|
if err != nil {
|
|
return fmt.Errorf("unable to generate encrypt key %w",
|
|
err)
|
|
}
|
|
|
|
keyBytes, err := e.DecryptPayloadFromReader(reader)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// Switch the server's TLS certificate to the persistent one. By
|
|
// changing the cert data the TLSReloader points to,
|
|
err = t.tlsReloader.AttemptReload(certBytes, keyBytes)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
t.deleteEphemeralSettings()
|
|
|
|
return nil
|
|
}
|
|
|
|
// setEphemeralSettings sets the TLSManager settings needed when an ephemeral
|
|
// certificate is created.
|
|
func (t *TLSManager) setEphemeralSettings(keyBytes, certBytes []byte) {
|
|
t.ephemeralKey = keyBytes
|
|
t.ephemeralCert = certBytes
|
|
t.ephemeralCertPath = t.cfg.TLSCertPath + ".tmp"
|
|
}
|
|
|
|
// deleteEphemeralSettings deletes the TLSManager ephemeral settings that are
|
|
// no longer needed when the ephemeral certificate is deleted so the Manager
|
|
// knows we're no longer using it.
|
|
func (t *TLSManager) deleteEphemeralSettings() {
|
|
t.ephemeralKey = nil
|
|
t.ephemeralCert = nil
|
|
t.ephemeralCertPath = ""
|
|
}
|
|
|
|
// IsCertExpired checks if the current TLS certificate is expired.
|
|
func (t *TLSManager) IsCertExpired(keyRing keychain.SecretKeyRing) (bool,
|
|
time.Time, error) {
|
|
|
|
certBytes, keyBytes, err := cert.GetCertBytesFromPath(
|
|
t.cfg.TLSCertPath, t.cfg.TLSKeyPath,
|
|
)
|
|
if err != nil {
|
|
return false, time.Time{}, err
|
|
}
|
|
|
|
// If TLSEncryptKey is set, there are two states the
|
|
// certificate can be in: ephemeral or permanent.
|
|
// Retrieve the key depending on which state it is in.
|
|
if t.ephemeralKey != nil {
|
|
keyBytes = t.ephemeralKey
|
|
} else if t.cfg.TLSEncryptKey {
|
|
keyBytes, err = decryptTLSKeyBytes(keyRing, keyBytes)
|
|
if err != nil {
|
|
return false, time.Time{}, err
|
|
}
|
|
}
|
|
|
|
_, parsedCert, err := cert.LoadCertFromBytes(
|
|
certBytes, keyBytes,
|
|
)
|
|
if err != nil {
|
|
return false, time.Time{}, err
|
|
}
|
|
|
|
// If the current time is passed the certificate's
|
|
// expiry time, then it is considered expired
|
|
if time.Now().After(parsedCert.NotAfter) {
|
|
return true, parsedCert.NotAfter, nil
|
|
}
|
|
|
|
return false, parsedCert.NotAfter, nil
|
|
}
|