2018-04-13 13:27:01 +03:00
|
|
|
// +build !rpctest
|
|
|
|
|
2019-01-24 16:28:25 +03:00
|
|
|
package lnd
|
2017-12-16 02:06:20 +03:00
|
|
|
|
2019-06-23 07:07:10 +03:00
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"crypto/ecdsa"
|
|
|
|
"crypto/elliptic"
|
|
|
|
"crypto/rand"
|
|
|
|
"crypto/tls"
|
|
|
|
"crypto/x509"
|
|
|
|
"crypto/x509/pkix"
|
|
|
|
"encoding/pem"
|
|
|
|
"io/ioutil"
|
|
|
|
"math/big"
|
|
|
|
"net"
|
|
|
|
"os"
|
|
|
|
"testing"
|
|
|
|
"time"
|
|
|
|
)
|
2017-12-16 02:06:20 +03:00
|
|
|
|
|
|
|
func TestParseHexColor(t *testing.T) {
|
2018-11-04 05:00:19 +03:00
|
|
|
var colorTestCases = []struct {
|
|
|
|
test string
|
|
|
|
valid bool // If valid format
|
|
|
|
R byte
|
|
|
|
G byte
|
|
|
|
B byte
|
|
|
|
}{
|
|
|
|
{"#123", false, 0, 0, 0},
|
|
|
|
{"#1234567", false, 0, 0, 0},
|
|
|
|
{"$123456", false, 0, 0, 0},
|
|
|
|
{"#12345+", false, 0, 0, 0},
|
|
|
|
{"#fFGG00", false, 0, 0, 0},
|
|
|
|
{"", false, 0, 0, 0},
|
|
|
|
{"#123456", true, 0x12, 0x34, 0x56},
|
|
|
|
{"#C0FfeE", true, 0xc0, 0xff, 0xee},
|
2017-12-16 02:06:20 +03:00
|
|
|
}
|
|
|
|
|
2018-11-04 05:00:19 +03:00
|
|
|
// Perform the table driven tests.
|
|
|
|
for _, ct := range colorTestCases {
|
2017-12-16 02:06:20 +03:00
|
|
|
|
2018-11-04 05:00:19 +03:00
|
|
|
color, err := parseHexColor(ct.test)
|
|
|
|
if !ct.valid && err == nil {
|
|
|
|
t.Fatalf("Invalid color string: %s, should return "+
|
|
|
|
"error, but did not", ct.test)
|
|
|
|
}
|
2017-12-16 02:06:20 +03:00
|
|
|
|
2018-11-04 05:00:19 +03:00
|
|
|
if ct.valid && err != nil {
|
|
|
|
t.Fatalf("Color %s valid to parse: %s", ct.test, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Ensure that the string to hex decoding is working properly.
|
|
|
|
if color.R != ct.R || color.G != ct.G || color.B != ct.B {
|
|
|
|
t.Fatalf("Color %s incorrectly parsed as %v", ct.test, color)
|
|
|
|
}
|
2017-12-16 02:06:20 +03:00
|
|
|
}
|
|
|
|
}
|
2019-06-23 07:07:10 +03:00
|
|
|
|
|
|
|
// TestTLSAutoRegeneration creates an expired TLS certificate, to test that a
|
|
|
|
// new TLS certificate pair is regenerated when the old pair expires. This is
|
|
|
|
// necessary because the pair expires after a little over a year.
|
|
|
|
func TestTLSAutoRegeneration(t *testing.T) {
|
|
|
|
tempDirPath, err := ioutil.TempDir("", ".testLnd")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("couldn't create temporary cert directory")
|
|
|
|
}
|
|
|
|
defer os.RemoveAll(tempDirPath)
|
|
|
|
|
|
|
|
certPath := tempDirPath + "/tls.cert"
|
|
|
|
keyPath := tempDirPath + "/tls.key"
|
|
|
|
|
|
|
|
certDerBytes, keyBytes := genExpiredCertPair(t, tempDirPath)
|
|
|
|
expiredCert, err := x509.ParseCertificate(certDerBytes)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("failed to parse certificate: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
certBuf := bytes.Buffer{}
|
|
|
|
err = pem.Encode(
|
|
|
|
&certBuf, &pem.Block{
|
|
|
|
Type: "CERTIFICATE",
|
|
|
|
Bytes: certDerBytes,
|
|
|
|
},
|
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("failed to encode certificate: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
keyBuf := bytes.Buffer{}
|
|
|
|
err = pem.Encode(
|
|
|
|
&keyBuf, &pem.Block{
|
|
|
|
Type: "EC PRIVATE KEY",
|
|
|
|
Bytes: keyBytes,
|
|
|
|
},
|
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("failed to encode private key: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Write cert and key files.
|
|
|
|
err = ioutil.WriteFile(tempDirPath+"/tls.cert", certBuf.Bytes(), 0644)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("failed to write cert file: %v", err)
|
|
|
|
}
|
|
|
|
err = ioutil.WriteFile(tempDirPath+"/tls.key", keyBuf.Bytes(), 0600)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("failed to write key file: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
rpcListener := net.IPAddr{IP: net.ParseIP("127.0.0.1"), Zone: ""}
|
|
|
|
rpcListeners := make([]net.Addr, 0)
|
|
|
|
rpcListeners = append(rpcListeners, &rpcListener)
|
|
|
|
|
|
|
|
// Now let's run getTLSConfig. If it works properly, it should delete
|
|
|
|
// the cert and create a new one.
|
2020-05-14 15:35:11 +03:00
|
|
|
cfg := &Config{
|
|
|
|
TLSCertPath: certPath,
|
|
|
|
TLSKeyPath: keyPath,
|
|
|
|
RPCListeners: rpcListeners,
|
|
|
|
}
|
|
|
|
_, _, _, err = getTLSConfig(cfg)
|
2019-06-23 07:07:10 +03:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("couldn't retrieve TLS config")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Grab the certificate to test that getTLSConfig did its job correctly
|
|
|
|
// and generated a new cert.
|
|
|
|
newCertData, err := tls.LoadX509KeyPair(certPath, keyPath)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("couldn't grab new certificate")
|
|
|
|
}
|
|
|
|
|
|
|
|
newCert, err := x509.ParseCertificate(newCertData.Certificate[0])
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("couldn't parse new certificate")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check that the expired certificate was successfully deleted and
|
|
|
|
// replaced with a new one.
|
|
|
|
if !newCert.NotAfter.After(expiredCert.NotAfter) {
|
|
|
|
t.Fatalf("New certificate expiration is too old")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// genExpiredCertPair generates an expired key/cert pair to test that expired
|
|
|
|
// certificates are being regenerated correctly.
|
|
|
|
func genExpiredCertPair(t *testing.T, certDirPath string) ([]byte, []byte) {
|
|
|
|
// Max serial number.
|
|
|
|
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
|
|
|
|
|
|
|
|
// Generate a serial number that's below the serialNumberLimit.
|
|
|
|
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("failed to generate serial number: %s", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
host := "lightning"
|
|
|
|
|
|
|
|
// Create a simple ip address for the fake certificate.
|
|
|
|
ipAddresses := []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")}
|
|
|
|
|
|
|
|
dnsNames := []string{host, "unix", "unixpacket"}
|
|
|
|
|
|
|
|
// Construct the certificate template.
|
|
|
|
template := x509.Certificate{
|
|
|
|
SerialNumber: serialNumber,
|
|
|
|
Subject: pkix.Name{
|
|
|
|
Organization: []string{"lnd autogenerated cert"},
|
|
|
|
CommonName: host,
|
|
|
|
},
|
|
|
|
NotBefore: time.Now().Add(-time.Hour * 24),
|
|
|
|
NotAfter: time.Now(),
|
|
|
|
|
|
|
|
KeyUsage: x509.KeyUsageKeyEncipherment |
|
|
|
|
x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
|
|
|
|
IsCA: true, // so can sign self.
|
|
|
|
BasicConstraintsValid: true,
|
|
|
|
|
|
|
|
DNSNames: dnsNames,
|
|
|
|
IPAddresses: ipAddresses,
|
|
|
|
}
|
|
|
|
|
|
|
|
// Generate a private key for the certificate.
|
|
|
|
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("failed to generate a private key")
|
|
|
|
}
|
|
|
|
|
|
|
|
certDerBytes, err := x509.CreateCertificate(
|
2019-07-22 10:26:25 +03:00
|
|
|
rand.Reader, &template, &template, &priv.PublicKey, priv,
|
|
|
|
)
|
2019-06-23 07:07:10 +03:00
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("failed to create certificate: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
keyBytes, err := x509.MarshalECPrivateKey(priv)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("unable to encode privkey: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
return certDerBytes, keyBytes
|
|
|
|
}
|