mirror of
https://github.com/lightningnetwork/lnd.git
synced 2024-11-19 18:10:34 +01:00
237 lines
5.9 KiB
Go
237 lines
5.9 KiB
Go
//go:build !rpctest
|
|
// +build !rpctest
|
|
|
|
package lnd
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"crypto/x509/pkix"
|
|
"encoding/pem"
|
|
"io/ioutil"
|
|
"math/big"
|
|
"net"
|
|
"os"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/lightningnetwork/lnd/lncfg"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
// TestTLSAutoRegeneration creates an expired TLS certificate, to test that a
|
|
// new TLS certificate pair is regenerated when the old pair expires. This is
|
|
// necessary because the pair expires after a little over a year.
|
|
func TestTLSAutoRegeneration(t *testing.T) {
|
|
tempDirPath, err := ioutil.TempDir("", ".testLnd")
|
|
if err != nil {
|
|
t.Fatalf("couldn't create temporary cert directory")
|
|
}
|
|
defer os.RemoveAll(tempDirPath)
|
|
|
|
certPath := tempDirPath + "/tls.cert"
|
|
keyPath := tempDirPath + "/tls.key"
|
|
|
|
certDerBytes, keyBytes := genExpiredCertPair(t, tempDirPath)
|
|
expiredCert, err := x509.ParseCertificate(certDerBytes)
|
|
require.NoError(t, err, "failed to parse certificate")
|
|
|
|
certBuf := bytes.Buffer{}
|
|
err = pem.Encode(
|
|
&certBuf, &pem.Block{
|
|
Type: "CERTIFICATE",
|
|
Bytes: certDerBytes,
|
|
},
|
|
)
|
|
require.NoError(t, err, "failed to encode certificate")
|
|
|
|
keyBuf := bytes.Buffer{}
|
|
err = pem.Encode(
|
|
&keyBuf, &pem.Block{
|
|
Type: "EC PRIVATE KEY",
|
|
Bytes: keyBytes,
|
|
},
|
|
)
|
|
require.NoError(t, err, "failed to encode private key")
|
|
|
|
// Write cert and key files.
|
|
err = ioutil.WriteFile(tempDirPath+"/tls.cert", certBuf.Bytes(), 0644)
|
|
require.NoError(t, err, "failed to write cert file")
|
|
err = ioutil.WriteFile(tempDirPath+"/tls.key", keyBuf.Bytes(), 0600)
|
|
require.NoError(t, err, "failed to write key file")
|
|
|
|
rpcListener := net.IPAddr{IP: net.ParseIP("127.0.0.1"), Zone: ""}
|
|
rpcListeners := make([]net.Addr, 0)
|
|
rpcListeners = append(rpcListeners, &rpcListener)
|
|
|
|
// Now let's run getTLSConfig. If it works properly, it should delete
|
|
// the cert and create a new one.
|
|
cfg := &Config{
|
|
TLSCertPath: certPath,
|
|
TLSKeyPath: keyPath,
|
|
TLSCertDuration: 42 * time.Hour,
|
|
RPCListeners: rpcListeners,
|
|
}
|
|
_, _, _, cleanUp, err := getTLSConfig(cfg)
|
|
if err != nil {
|
|
t.Fatalf("couldn't retrieve TLS config")
|
|
}
|
|
defer cleanUp()
|
|
|
|
// Grab the certificate to test that getTLSConfig did its job correctly
|
|
// and generated a new cert.
|
|
newCertData, err := tls.LoadX509KeyPair(certPath, keyPath)
|
|
if err != nil {
|
|
t.Fatalf("couldn't grab new certificate")
|
|
}
|
|
|
|
newCert, err := x509.ParseCertificate(newCertData.Certificate[0])
|
|
if err != nil {
|
|
t.Fatalf("couldn't parse new certificate")
|
|
}
|
|
|
|
// Check that the expired certificate was successfully deleted and
|
|
// replaced with a new one.
|
|
if !newCert.NotAfter.After(expiredCert.NotAfter) {
|
|
t.Fatalf("New certificate expiration is too old")
|
|
}
|
|
}
|
|
|
|
// genExpiredCertPair generates an expired key/cert pair to test that expired
|
|
// certificates are being regenerated correctly.
|
|
func genExpiredCertPair(t *testing.T, certDirPath string) ([]byte, []byte) {
|
|
// Max serial number.
|
|
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
|
|
|
|
// Generate a serial number that's below the serialNumberLimit.
|
|
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
|
|
require.NoError(t, err, "failed to generate serial number")
|
|
|
|
host := "lightning"
|
|
|
|
// Create a simple ip address for the fake certificate.
|
|
ipAddresses := []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")}
|
|
|
|
dnsNames := []string{host, "unix", "unixpacket"}
|
|
|
|
// Construct the certificate template.
|
|
template := x509.Certificate{
|
|
SerialNumber: serialNumber,
|
|
Subject: pkix.Name{
|
|
Organization: []string{"lnd autogenerated cert"},
|
|
CommonName: host,
|
|
},
|
|
NotBefore: time.Now().Add(-time.Hour * 24),
|
|
NotAfter: time.Now(),
|
|
|
|
KeyUsage: x509.KeyUsageKeyEncipherment |
|
|
x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
|
|
IsCA: true, // so can sign self.
|
|
BasicConstraintsValid: true,
|
|
|
|
DNSNames: dnsNames,
|
|
IPAddresses: ipAddresses,
|
|
}
|
|
|
|
// Generate a private key for the certificate.
|
|
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
if err != nil {
|
|
t.Fatalf("failed to generate a private key")
|
|
}
|
|
|
|
certDerBytes, err := x509.CreateCertificate(
|
|
rand.Reader, &template, &template, &priv.PublicKey, priv,
|
|
)
|
|
require.NoError(t, err, "failed to create certificate")
|
|
|
|
keyBytes, err := x509.MarshalECPrivateKey(priv)
|
|
require.NoError(t, err, "unable to encode privkey")
|
|
|
|
return certDerBytes, keyBytes
|
|
}
|
|
|
|
// TestShouldPeerBootstrap tests that we properly skip network bootstrap for
|
|
// the developer networks, and also if bootstrapping is explicitly disabled.
|
|
func TestShouldPeerBootstrap(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
testCases := []struct {
|
|
cfg *Config
|
|
shouldBoostrap bool
|
|
}{
|
|
// Simnet active, no bootstrap.
|
|
{
|
|
cfg: &Config{
|
|
Bitcoin: &lncfg.Chain{
|
|
SimNet: true,
|
|
},
|
|
Litecoin: &lncfg.Chain{},
|
|
},
|
|
},
|
|
|
|
// Regtest active, no bootstrap.
|
|
{
|
|
cfg: &Config{
|
|
Bitcoin: &lncfg.Chain{
|
|
RegTest: true,
|
|
},
|
|
Litecoin: &lncfg.Chain{},
|
|
},
|
|
},
|
|
|
|
// Signet active, no bootstrap.
|
|
{
|
|
cfg: &Config{
|
|
Bitcoin: &lncfg.Chain{
|
|
SigNet: true,
|
|
},
|
|
Litecoin: &lncfg.Chain{},
|
|
},
|
|
},
|
|
|
|
// Mainnet active, but bootstrap disabled, no bootstrap.
|
|
{
|
|
cfg: &Config{
|
|
Bitcoin: &lncfg.Chain{
|
|
MainNet: true,
|
|
},
|
|
Litecoin: &lncfg.Chain{},
|
|
NoNetBootstrap: true,
|
|
},
|
|
},
|
|
|
|
// Mainnet active, should bootstrap.
|
|
{
|
|
cfg: &Config{
|
|
Bitcoin: &lncfg.Chain{
|
|
MainNet: true,
|
|
},
|
|
Litecoin: &lncfg.Chain{},
|
|
},
|
|
shouldBoostrap: true,
|
|
},
|
|
|
|
// Testnet active, should bootstrap.
|
|
{
|
|
cfg: &Config{
|
|
Bitcoin: &lncfg.Chain{
|
|
TestNet3: true,
|
|
},
|
|
Litecoin: &lncfg.Chain{},
|
|
},
|
|
shouldBoostrap: true,
|
|
},
|
|
}
|
|
for i, testCase := range testCases {
|
|
bootstrapped := shouldPeerBootstrap(testCase.cfg)
|
|
if bootstrapped != testCase.shouldBoostrap {
|
|
t.Fatalf("#%v: expected bootstrap=%v, got bootstrap=%v",
|
|
i, testCase.shouldBoostrap, bootstrapped)
|
|
}
|
|
}
|
|
}
|