lnd.xprv/cert/selfsigned_test.go

package cert_test

import (
	"io/ioutil"
	"testing"
	"time"

	"github.com/lightningnetwork/lnd/cert"
	"github.com/stretchr/testify/require"
)

const (
	testTLSCertDuration = 42 * time.Hour
)

var (
	extraIPs     = []string{"1.1.1.1", "123.123.123.1", "199.189.12.12"}
	extraDomains = []string{"home", "and", "away"}
)

// TestIsOutdatedCert checks that we'll consider the TLS certificate outdated
// if the ip addresses or dns names don't match.
func TestIsOutdatedCert(t *testing.T) {
	tempDir, err := ioutil.TempDir("", "certtest")
	if err != nil {
		t.Fatal(err)
	}

	certPath := tempDir + "/tls.cert"
	keyPath := tempDir + "/tls.key"

	// Generate TLS files with two extra IPs and domains.
	err = cert.GenCertPair(
		"lnd autogenerated cert", certPath, keyPath, extraIPs[:2],
		extraDomains[:2], false, testTLSCertDuration,
	)
	if err != nil {
		t.Fatal(err)
	}

	// We'll attempt to check up-to-date status for all variants of 1-3
	// number of IPs and domains.
	for numIPs := 1; numIPs <= len(extraIPs); numIPs++ {
		for numDomains := 1; numDomains <= len(extraDomains); numDomains++ {
			_, parsedCert, err := cert.LoadCert(
				certPath, keyPath,
			)
			if err != nil {
				t.Fatal(err)
			}

			// Using the test case's number of IPs and domains, get
			// the outdated status of the certificate we created
			// above.
			outdated, err := cert.IsOutdated(
				parsedCert, extraIPs[:numIPs],
				extraDomains[:numDomains], false,
			)
			if err != nil {
				t.Fatal(err)
			}

			// We expect it to be considered outdated if the IPs or
			// domains don't match exactly what we created.
			expected := numIPs != 2 || numDomains != 2
			if outdated != expected {
				t.Fatalf("expected certificate to be "+
					"outdated=%v, got=%v", expected,
					outdated)
			}
		}
	}
}

// TestIsOutdatedPermutation tests that the order of listed IPs or DNS names,
// nor dulicates in the lists, matter for whether we consider the certificate
// outdated.
func TestIsOutdatedPermutation(t *testing.T) {
	tempDir, err := ioutil.TempDir("", "certtest")
	if err != nil {
		t.Fatal(err)
	}

	certPath := tempDir + "/tls.cert"
	keyPath := tempDir + "/tls.key"

	// Generate TLS files from the IPs and domains.
	err = cert.GenCertPair(
		"lnd autogenerated cert", certPath, keyPath, extraIPs[:],
		extraDomains[:], false, testTLSCertDuration,
	)
	if err != nil {
		t.Fatal(err)
	}
	_, parsedCert, err := cert.LoadCert(certPath, keyPath)
	if err != nil {
		t.Fatal(err)
	}

	// If we have duplicate IPs or DNS names listed, that shouldn't matter.
	dupIPs := make([]string, len(extraIPs)*2)
	for i := range dupIPs {
		dupIPs[i] = extraIPs[i/2]
	}

	dupDNS := make([]string, len(extraDomains)*2)
	for i := range dupDNS {
		dupDNS[i] = extraDomains[i/2]
	}

	outdated, err := cert.IsOutdated(parsedCert, dupIPs, dupDNS, false)
	if err != nil {
		t.Fatal(err)
	}

	if outdated {
		t.Fatalf("did not expect duplicate IPs or DNS names be " +
			"considered outdated")
	}

	// Similarly, the order of the lists shouldn't matter.
	revIPs := make([]string, len(extraIPs))
	for i := range revIPs {
		revIPs[i] = extraIPs[len(extraIPs)-1-i]
	}

	revDNS := make([]string, len(extraDomains))
	for i := range revDNS {
		revDNS[i] = extraDomains[len(extraDomains)-1-i]
	}

	outdated, err = cert.IsOutdated(parsedCert, revIPs, revDNS, false)
	if err != nil {
		t.Fatal(err)
	}

	if outdated {
		t.Fatalf("did not expect reversed IPs or DNS names be " +
			"considered outdated")
	}
}

// TestTLSDisableAutofill checks that setting the --tlsdisableautofill flag
// does not add interface ip addresses or hostnames to the cert.
func TestTLSDisableAutofill(t *testing.T) {
	tempDir, err := ioutil.TempDir("", "certtest")
	if err != nil {
		t.Fatal(err)
	}

	certPath := tempDir + "/tls.cert"
	keyPath := tempDir + "/tls.key"

	// Generate TLS files with two extra IPs and domains and no interface IPs.
	err = cert.GenCertPair(
		"lnd autogenerated cert", certPath, keyPath, extraIPs[:2],
		extraDomains[:2], true, testTLSCertDuration,
	)
	require.NoError(
		t, err,
		"unable to generate tls certificate pair",
	)

	_, parsedCert, err := cert.LoadCert(
		certPath, keyPath,
	)
	require.NoError(
		t, err,
		"unable to load tls certificate pair",
	)

	// Check if the TLS cert is outdated while still preventing
	// interface IPs from being used. Should not be outdated
	shouldNotBeOutdated, err := cert.IsOutdated(
		parsedCert, extraIPs[:2],
		extraDomains[:2], true,
	)
	require.NoError(t, err)

	require.Equal(
		t, false, shouldNotBeOutdated,
		"TLS Certificate was marked as outdated when it should not be",
	)

	// Check if the TLS cert is outdated while allowing for
	// interface IPs to be used. Should report as outdated.
	shouldBeOutdated, err := cert.IsOutdated(
		parsedCert, extraIPs[:2],
		extraDomains[:2], false,
	)
	require.NoError(t, err)

	require.Equal(
		t, true, shouldBeOutdated,
		"TLS Certificate was not marked as outdated when it should be",
	)
}
cert+test: IsOutdated check for TLS files if IPs or DNS changed This commit creates a new utility method IsOutdated that can be used to check whether a TLS certificate mathces the extra IPs and domains given in the lnd config. 2020-02-05 15:51:48 +03:00			`package cert_test`

			`import (`
			`"io/ioutil"`
			`"testing"`
cert: allow cert expiry to be set in config 2021-04-06 06:23:33 +03:00			`"time"`
cert+test: IsOutdated check for TLS files if IPs or DNS changed This commit creates a new utility method IsOutdated that can be used to check whether a TLS certificate mathces the extra IPs and domains given in the lnd config. 2020-02-05 15:51:48 +03:00
			`"github.com/lightningnetwork/lnd/cert"`
config+lnd+cert: add --tlsdisableautofill to prevent information leaks. This adds in a new boolean flag that when set, prevents LND from writing the system hostname and network interface IPs to the TLS certificate. This will ensure privacy for those that don't want private IP addresses to be exposed on a public facing LND node. 2020-06-26 20:53:05 +03:00			`"github.com/stretchr/testify/require"`
cert+test: IsOutdated check for TLS files if IPs or DNS changed This commit creates a new utility method IsOutdated that can be used to check whether a TLS certificate mathces the extra IPs and domains given in the lnd config. 2020-02-05 15:51:48 +03:00			`)`

cert: allow cert expiry to be set in config 2021-04-06 06:23:33 +03:00			`const (`
			`testTLSCertDuration = 42 * time.Hour`
			`)`

cert+test: IsOutdated check for TLS files if IPs or DNS changed This commit creates a new utility method IsOutdated that can be used to check whether a TLS certificate mathces the extra IPs and domains given in the lnd config. 2020-02-05 15:51:48 +03:00			`var (`
			`extraIPs = []string{"1.1.1.1", "123.123.123.1", "199.189.12.12"}`
			`extraDomains = []string{"home", "and", "away"}`
			`)`

			`// TestIsOutdatedCert checks that we'll consider the TLS certificate outdated`
			`// if the ip addresses or dns names don't match.`
			`func TestIsOutdatedCert(t *testing.T) {`
			`tempDir, err := ioutil.TempDir("", "certtest")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`certPath := tempDir + "/tls.cert"`
			`keyPath := tempDir + "/tls.key"`

			`// Generate TLS files with two extra IPs and domains.`
			`err = cert.GenCertPair(`
			`"lnd autogenerated cert", certPath, keyPath, extraIPs[:2],`
cert: allow cert expiry to be set in config 2021-04-06 06:23:33 +03:00			`extraDomains[:2], false, testTLSCertDuration,`
cert+test: IsOutdated check for TLS files if IPs or DNS changed This commit creates a new utility method IsOutdated that can be used to check whether a TLS certificate mathces the extra IPs and domains given in the lnd config. 2020-02-05 15:51:48 +03:00			`)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`// We'll attempt to check up-to-date status for all variants of 1-3`
			`// number of IPs and domains.`
			`for numIPs := 1; numIPs <= len(extraIPs); numIPs++ {`
			`for numDomains := 1; numDomains <= len(extraDomains); numDomains++ {`
			`_, parsedCert, err := cert.LoadCert(`
			`certPath, keyPath,`
			`)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`// Using the test case's number of IPs and domains, get`
			`// the outdated status of the certificate we created`
			`// above.`
			`outdated, err := cert.IsOutdated(`
			`parsedCert, extraIPs[:numIPs],`
config+lnd+cert: add --tlsdisableautofill to prevent information leaks. This adds in a new boolean flag that when set, prevents LND from writing the system hostname and network interface IPs to the TLS certificate. This will ensure privacy for those that don't want private IP addresses to be exposed on a public facing LND node. 2020-06-26 20:53:05 +03:00			`extraDomains[:numDomains], false,`
cert+test: IsOutdated check for TLS files if IPs or DNS changed This commit creates a new utility method IsOutdated that can be used to check whether a TLS certificate mathces the extra IPs and domains given in the lnd config. 2020-02-05 15:51:48 +03:00			`)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`// We expect it to be considered outdated if the IPs or`
			`// domains don't match exactly what we created.`
			`expected := numIPs != 2 \|\| numDomains != 2`
			`if outdated != expected {`
			`t.Fatalf("expected certificate to be "+`
			`"outdated=%v, got=%v", expected,`
			`outdated)`
			`}`
			`}`
			`}`
			`}`

			`// TestIsOutdatedPermutation tests that the order of listed IPs or DNS names,`
			`// nor dulicates in the lists, matter for whether we consider the certificate`
			`// outdated.`
			`func TestIsOutdatedPermutation(t *testing.T) {`
			`tempDir, err := ioutil.TempDir("", "certtest")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`certPath := tempDir + "/tls.cert"`
			`keyPath := tempDir + "/tls.key"`

			`// Generate TLS files from the IPs and domains.`
			`err = cert.GenCertPair(`
			`"lnd autogenerated cert", certPath, keyPath, extraIPs[:],`
cert: allow cert expiry to be set in config 2021-04-06 06:23:33 +03:00			`extraDomains[:], false, testTLSCertDuration,`
cert+test: IsOutdated check for TLS files if IPs or DNS changed This commit creates a new utility method IsOutdated that can be used to check whether a TLS certificate mathces the extra IPs and domains given in the lnd config. 2020-02-05 15:51:48 +03:00			`)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`
			`_, parsedCert, err := cert.LoadCert(certPath, keyPath)`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`// If we have duplicate IPs or DNS names listed, that shouldn't matter.`
			`dupIPs := make([]string, len(extraIPs)*2)`
			`for i := range dupIPs {`
			`dupIPs[i] = extraIPs[i/2]`
			`}`

			`dupDNS := make([]string, len(extraDomains)*2)`
			`for i := range dupDNS {`
			`dupDNS[i] = extraDomains[i/2]`
			`}`

config+lnd+cert: add --tlsdisableautofill to prevent information leaks. This adds in a new boolean flag that when set, prevents LND from writing the system hostname and network interface IPs to the TLS certificate. This will ensure privacy for those that don't want private IP addresses to be exposed on a public facing LND node. 2020-06-26 20:53:05 +03:00			`outdated, err := cert.IsOutdated(parsedCert, dupIPs, dupDNS, false)`
cert+test: IsOutdated check for TLS files if IPs or DNS changed This commit creates a new utility method IsOutdated that can be used to check whether a TLS certificate mathces the extra IPs and domains given in the lnd config. 2020-02-05 15:51:48 +03:00			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`if outdated {`
			`t.Fatalf("did not expect duplicate IPs or DNS names be " +`
			`"considered outdated")`
			`}`

			`// Similarly, the order of the lists shouldn't matter.`
			`revIPs := make([]string, len(extraIPs))`
			`for i := range revIPs {`
			`revIPs[i] = extraIPs[len(extraIPs)-1-i]`
			`}`

			`revDNS := make([]string, len(extraDomains))`
			`for i := range revDNS {`
			`revDNS[i] = extraDomains[len(extraDomains)-1-i]`
			`}`

config+lnd+cert: add --tlsdisableautofill to prevent information leaks. This adds in a new boolean flag that when set, prevents LND from writing the system hostname and network interface IPs to the TLS certificate. This will ensure privacy for those that don't want private IP addresses to be exposed on a public facing LND node. 2020-06-26 20:53:05 +03:00			`outdated, err = cert.IsOutdated(parsedCert, revIPs, revDNS, false)`
cert+test: IsOutdated check for TLS files if IPs or DNS changed This commit creates a new utility method IsOutdated that can be used to check whether a TLS certificate mathces the extra IPs and domains given in the lnd config. 2020-02-05 15:51:48 +03:00			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`if outdated {`
			`t.Fatalf("did not expect reversed IPs or DNS names be " +`
			`"considered outdated")`
			`}`
			`}`
config+lnd+cert: add --tlsdisableautofill to prevent information leaks. This adds in a new boolean flag that when set, prevents LND from writing the system hostname and network interface IPs to the TLS certificate. This will ensure privacy for those that don't want private IP addresses to be exposed on a public facing LND node. 2020-06-26 20:53:05 +03:00
			`// TestTLSDisableAutofill checks that setting the --tlsdisableautofill flag`
			`// does not add interface ip addresses or hostnames to the cert.`
			`func TestTLSDisableAutofill(t *testing.T) {`
			`tempDir, err := ioutil.TempDir("", "certtest")`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`certPath := tempDir + "/tls.cert"`
			`keyPath := tempDir + "/tls.key"`

			`// Generate TLS files with two extra IPs and domains and no interface IPs.`
			`err = cert.GenCertPair(`
			`"lnd autogenerated cert", certPath, keyPath, extraIPs[:2],`
cert: allow cert expiry to be set in config 2021-04-06 06:23:33 +03:00			`extraDomains[:2], true, testTLSCertDuration,`
config+lnd+cert: add --tlsdisableautofill to prevent information leaks. This adds in a new boolean flag that when set, prevents LND from writing the system hostname and network interface IPs to the TLS certificate. This will ensure privacy for those that don't want private IP addresses to be exposed on a public facing LND node. 2020-06-26 20:53:05 +03:00			`)`
			`require.NoError(`
			`t, err,`
			`"unable to generate tls certificate pair",`
			`)`

			`_, parsedCert, err := cert.LoadCert(`
			`certPath, keyPath,`
			`)`
			`require.NoError(`
			`t, err,`
			`"unable to load tls certificate pair",`
			`)`

			`// Check if the TLS cert is outdated while still preventing`
			`// interface IPs from being used. Should not be outdated`
			`shouldNotBeOutdated, err := cert.IsOutdated(`
			`parsedCert, extraIPs[:2],`
			`extraDomains[:2], true,`
			`)`
			`require.NoError(t, err)`

			`require.Equal(`
			`t, false, shouldNotBeOutdated,`
			`"TLS Certificate was marked as outdated when it should not be",`
			`)`

			`// Check if the TLS cert is outdated while allowing for`
			`// interface IPs to be used. Should report as outdated.`
			`shouldBeOutdated, err := cert.IsOutdated(`
			`parsedCert, extraIPs[:2],`
			`extraDomains[:2], false,`
			`)`
			`require.NoError(t, err)`

			`require.Equal(`
			`t, true, shouldBeOutdated,`
			`"TLS Certificate was not marked as outdated when it should be",`
			`)`
			`}`