Merge pull request #3237 from orbitalturtle/auto-regenerate-cert
Unit test for autoregenerating expired cert pairs
This commit is contained in:
commit
e2a35ae089
31
lnd.go
31
lnd.go
@ -184,7 +184,11 @@ func Main() error {
|
|||||||
ctx, cancel := context.WithCancel(ctx)
|
ctx, cancel := context.WithCancel(ctx)
|
||||||
defer cancel()
|
defer cancel()
|
||||||
|
|
||||||
tlsCfg, restCreds, restProxyDest, err := getTLSConfig(cfg)
|
tlsCfg, restCreds, restProxyDest, err := getTLSConfig(
|
||||||
|
cfg.TLSCertPath,
|
||||||
|
cfg.TLSKeyPath,
|
||||||
|
cfg.RPCListeners,
|
||||||
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
err := fmt.Errorf("Unable to load TLS credentials: %v", err)
|
err := fmt.Errorf("Unable to load TLS credentials: %v", err)
|
||||||
ltndLog.Error(err)
|
ltndLog.Error(err)
|
||||||
@ -551,18 +555,19 @@ func Main() error {
|
|||||||
|
|
||||||
// getTLSConfig returns a TLS configuration for the gRPC server and credentials
|
// getTLSConfig returns a TLS configuration for the gRPC server and credentials
|
||||||
// and a proxy destination for the REST reverse proxy.
|
// and a proxy destination for the REST reverse proxy.
|
||||||
func getTLSConfig(cfg *config) (*tls.Config, *credentials.TransportCredentials,
|
func getTLSConfig(tlsCertPath string, tlsKeyPath string,
|
||||||
string, error) {
|
rpcListeners []net.Addr) (*tls.Config,
|
||||||
|
*credentials.TransportCredentials, string, error) {
|
||||||
|
|
||||||
// Ensure we create TLS key and certificate if they don't exist
|
// Ensure we create TLS key and certificate if they don't exist
|
||||||
if !fileExists(cfg.TLSCertPath) && !fileExists(cfg.TLSKeyPath) {
|
if !fileExists(tlsCertPath) && !fileExists(tlsKeyPath) {
|
||||||
err := genCertPair(cfg.TLSCertPath, cfg.TLSKeyPath)
|
err := genCertPair(tlsCertPath, tlsKeyPath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, "", err
|
return nil, nil, "", err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
certData, err := tls.LoadX509KeyPair(cfg.TLSCertPath, cfg.TLSKeyPath)
|
certData, err := tls.LoadX509KeyPair(tlsCertPath, tlsKeyPath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, "", err
|
return nil, nil, "", err
|
||||||
}
|
}
|
||||||
@ -576,17 +581,17 @@ func getTLSConfig(cfg *config) (*tls.Config, *credentials.TransportCredentials,
|
|||||||
if time.Now().After(cert.NotAfter) {
|
if time.Now().After(cert.NotAfter) {
|
||||||
ltndLog.Info("TLS certificate is expired, generating a new one")
|
ltndLog.Info("TLS certificate is expired, generating a new one")
|
||||||
|
|
||||||
err := os.Remove(cfg.TLSCertPath)
|
err := os.Remove(tlsCertPath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, "", err
|
return nil, nil, "", err
|
||||||
}
|
}
|
||||||
|
|
||||||
err = os.Remove(cfg.TLSKeyPath)
|
err = os.Remove(tlsKeyPath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, "", err
|
return nil, nil, "", err
|
||||||
}
|
}
|
||||||
|
|
||||||
err = genCertPair(cfg.TLSCertPath, cfg.TLSKeyPath)
|
err = genCertPair(tlsCertPath, tlsKeyPath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, "", err
|
return nil, nil, "", err
|
||||||
}
|
}
|
||||||
@ -599,12 +604,12 @@ func getTLSConfig(cfg *config) (*tls.Config, *credentials.TransportCredentials,
|
|||||||
MinVersion: tls.VersionTLS12,
|
MinVersion: tls.VersionTLS12,
|
||||||
}
|
}
|
||||||
|
|
||||||
restCreds, err := credentials.NewClientTLSFromFile(cfg.TLSCertPath, "")
|
restCreds, err := credentials.NewClientTLSFromFile(tlsCertPath, "")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, "", err
|
return nil, nil, "", err
|
||||||
}
|
}
|
||||||
|
|
||||||
restProxyDest := cfg.RPCListeners[0].String()
|
restProxyDest := rpcListeners[0].String()
|
||||||
switch {
|
switch {
|
||||||
case strings.Contains(restProxyDest, "0.0.0.0"):
|
case strings.Contains(restProxyDest, "0.0.0.0"):
|
||||||
restProxyDest = strings.Replace(
|
restProxyDest = strings.Replace(
|
||||||
@ -682,6 +687,7 @@ func genCertPair(certFile, keyFile string) error {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if cfg != nil {
|
||||||
// Add extra IPs to the slice.
|
// Add extra IPs to the slice.
|
||||||
for _, ip := range cfg.TLSExtraIPs {
|
for _, ip := range cfg.TLSExtraIPs {
|
||||||
ipAddr := net.ParseIP(ip)
|
ipAddr := net.ParseIP(ip)
|
||||||
@ -689,6 +695,7 @@ func genCertPair(certFile, keyFile string) error {
|
|||||||
addIP(ipAddr)
|
addIP(ipAddr)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Collect the host's names into a slice.
|
// Collect the host's names into a slice.
|
||||||
host, err := os.Hostname()
|
host, err := os.Hostname()
|
||||||
@ -702,7 +709,9 @@ func genCertPair(certFile, keyFile string) error {
|
|||||||
if host != "localhost" {
|
if host != "localhost" {
|
||||||
dnsNames = append(dnsNames, "localhost")
|
dnsNames = append(dnsNames, "localhost")
|
||||||
}
|
}
|
||||||
|
if cfg != nil {
|
||||||
dnsNames = append(dnsNames, cfg.TLSExtraDomains...)
|
dnsNames = append(dnsNames, cfg.TLSExtraDomains...)
|
||||||
|
}
|
||||||
|
|
||||||
// Also add fake hostnames for unix sockets, otherwise hostname
|
// Also add fake hostnames for unix sockets, otherwise hostname
|
||||||
// verification will fail in the client.
|
// verification will fail in the client.
|
||||||
|
@ -4,21 +4,13 @@ package itest
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"crypto/ecdsa"
|
|
||||||
"crypto/elliptic"
|
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"crypto/sha256"
|
"crypto/sha256"
|
||||||
"crypto/tls"
|
|
||||||
"crypto/x509"
|
|
||||||
"crypto/x509/pkix"
|
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
"encoding/pem"
|
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"math"
|
"math"
|
||||||
"math/big"
|
|
||||||
"net"
|
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"reflect"
|
"reflect"
|
||||||
@ -13911,133 +13903,6 @@ func testHoldInvoicePersistence(net *lntest.NetworkHarness, t *harnessTest) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// testTLSAutoRegeneration creates an expired TLS certificate, to test that a
|
|
||||||
// new TLS certificate pair is regenerated when the old pair expires. This is
|
|
||||||
// necessary because the pair expires after a little over a year.
|
|
||||||
func testTLSAutoRegeneration(lnNet *lntest.NetworkHarness, t *harnessTest) {
|
|
||||||
certPath := lnNet.Alice.TLSCertStr()
|
|
||||||
keyPath := lnNet.Alice.TLSKeyStr()
|
|
||||||
|
|
||||||
// Create an expired certificate.
|
|
||||||
expiredCert := genExpiredCertPair(
|
|
||||||
t, lnNet, certPath, keyPath,
|
|
||||||
)
|
|
||||||
|
|
||||||
// Restart the node to test that the cert is automatically regenerated.
|
|
||||||
lnNet.RestartNode(lnNet.Alice, nil, nil)
|
|
||||||
|
|
||||||
// Grab the newly generated certificate.
|
|
||||||
newCertData, err := tls.LoadX509KeyPair(certPath, keyPath)
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("couldn't grab new certificate")
|
|
||||||
}
|
|
||||||
|
|
||||||
newCert, err := x509.ParseCertificate(newCertData.Certificate[0])
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("couldn't parse new certificate")
|
|
||||||
}
|
|
||||||
|
|
||||||
// Check that the expired certificate was successfully deleted and
|
|
||||||
// replaced with a new one.
|
|
||||||
if !newCert.NotAfter.After(expiredCert.NotAfter) {
|
|
||||||
t.Fatalf("New certificate expiration is too old")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// genExpiredCertPair generates an expired key/cert pair to the paths
|
|
||||||
// provided to test that expired certificates are being regenerated correctly.
|
|
||||||
func genExpiredCertPair(t *harnessTest, lnNet *lntest.NetworkHarness, certPath,
|
|
||||||
keyPath string) *x509.Certificate {
|
|
||||||
// Max serial number.
|
|
||||||
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
|
|
||||||
|
|
||||||
// Generate a serial number that's below the serialNumberLimit.
|
|
||||||
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("failed to generate serial number: %s", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
host := "lightning"
|
|
||||||
|
|
||||||
// Create a simple ip address for the fake certificate.
|
|
||||||
ipAddresses := []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")}
|
|
||||||
|
|
||||||
dnsNames := []string{host, "unix", "unixpacket"}
|
|
||||||
|
|
||||||
// Construct the certificate template.
|
|
||||||
template := x509.Certificate{
|
|
||||||
SerialNumber: serialNumber,
|
|
||||||
Subject: pkix.Name{
|
|
||||||
Organization: []string{"lnd autogenerated cert"},
|
|
||||||
CommonName: host,
|
|
||||||
},
|
|
||||||
NotBefore: time.Now().Add(-time.Hour * 24),
|
|
||||||
NotAfter: time.Now(),
|
|
||||||
|
|
||||||
KeyUsage: x509.KeyUsageKeyEncipherment |
|
|
||||||
x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
|
|
||||||
IsCA: true, // so can sign self.
|
|
||||||
BasicConstraintsValid: true,
|
|
||||||
|
|
||||||
DNSNames: dnsNames,
|
|
||||||
IPAddresses: ipAddresses,
|
|
||||||
}
|
|
||||||
|
|
||||||
// Generate a private key for the certificate.
|
|
||||||
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("failed to generate a private key")
|
|
||||||
}
|
|
||||||
|
|
||||||
derBytes, err := x509.CreateCertificate(
|
|
||||||
rand.Reader, &template, &template, &priv.PublicKey, priv)
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("failed to create certificate: %v", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
expiredCert, err := x509.ParseCertificate(derBytes)
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("failed to parse certificate: %v", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
certBuf := bytes.Buffer{}
|
|
||||||
err = pem.Encode(
|
|
||||||
&certBuf, &pem.Block{
|
|
||||||
Type: "CERTIFICATE",
|
|
||||||
Bytes: derBytes,
|
|
||||||
},
|
|
||||||
)
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("failed to encode certificate: %v", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
keybytes, err := x509.MarshalECPrivateKey(priv)
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("unable to encode privkey: %v", err)
|
|
||||||
}
|
|
||||||
keyBuf := bytes.Buffer{}
|
|
||||||
err = pem.Encode(
|
|
||||||
&keyBuf, &pem.Block{
|
|
||||||
Type: "EC PRIVATE KEY",
|
|
||||||
Bytes: keybytes,
|
|
||||||
},
|
|
||||||
)
|
|
||||||
if err != nil {
|
|
||||||
t.Fatalf("failed to encode private key: %v", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
// Write cert and key files.
|
|
||||||
if err = ioutil.WriteFile(certPath, certBuf.Bytes(), 0644); err != nil {
|
|
||||||
t.Fatalf("failed to write cert file: %v", err)
|
|
||||||
}
|
|
||||||
if err = ioutil.WriteFile(keyPath, keyBuf.Bytes(), 0600); err != nil {
|
|
||||||
os.Remove(certPath)
|
|
||||||
t.Fatalf("failed to write key file: %v", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
return expiredCert
|
|
||||||
}
|
|
||||||
|
|
||||||
type testCase struct {
|
type testCase struct {
|
||||||
name string
|
name string
|
||||||
test func(net *lntest.NetworkHarness, t *harnessTest)
|
test func(net *lntest.NetworkHarness, t *harnessTest)
|
||||||
@ -14289,10 +14154,6 @@ var testsCases = []*testCase{
|
|||||||
name: "cpfp",
|
name: "cpfp",
|
||||||
test: testCPFP,
|
test: testCPFP,
|
||||||
},
|
},
|
||||||
{
|
|
||||||
name: "automatic certificate regeneration",
|
|
||||||
test: testTLSAutoRegeneration,
|
|
||||||
},
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// TestLightningNetworkDaemon performs a series of integration tests amongst a
|
// TestLightningNetworkDaemon performs a series of integration tests amongst a
|
||||||
|
158
server_test.go
158
server_test.go
@ -2,7 +2,22 @@
|
|||||||
|
|
||||||
package lnd
|
package lnd
|
||||||
|
|
||||||
import "testing"
|
import (
|
||||||
|
"bytes"
|
||||||
|
"crypto/ecdsa"
|
||||||
|
"crypto/elliptic"
|
||||||
|
"crypto/rand"
|
||||||
|
"crypto/tls"
|
||||||
|
"crypto/x509"
|
||||||
|
"crypto/x509/pkix"
|
||||||
|
"encoding/pem"
|
||||||
|
"io/ioutil"
|
||||||
|
"math/big"
|
||||||
|
"net"
|
||||||
|
"os"
|
||||||
|
"testing"
|
||||||
|
"time"
|
||||||
|
)
|
||||||
|
|
||||||
func TestParseHexColor(t *testing.T) {
|
func TestParseHexColor(t *testing.T) {
|
||||||
var colorTestCases = []struct {
|
var colorTestCases = []struct {
|
||||||
@ -41,3 +56,144 @@ func TestParseHexColor(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TestTLSAutoRegeneration creates an expired TLS certificate, to test that a
|
||||||
|
// new TLS certificate pair is regenerated when the old pair expires. This is
|
||||||
|
// necessary because the pair expires after a little over a year.
|
||||||
|
func TestTLSAutoRegeneration(t *testing.T) {
|
||||||
|
tempDirPath, err := ioutil.TempDir("", ".testLnd")
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("couldn't create temporary cert directory")
|
||||||
|
}
|
||||||
|
defer os.RemoveAll(tempDirPath)
|
||||||
|
|
||||||
|
certPath := tempDirPath + "/tls.cert"
|
||||||
|
keyPath := tempDirPath + "/tls.key"
|
||||||
|
|
||||||
|
certDerBytes, keyBytes := genExpiredCertPair(t, tempDirPath)
|
||||||
|
|
||||||
|
expiredCert, err := x509.ParseCertificate(certDerBytes)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("failed to parse certificate: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
certBuf := bytes.Buffer{}
|
||||||
|
err = pem.Encode(
|
||||||
|
&certBuf, &pem.Block{
|
||||||
|
Type: "CERTIFICATE",
|
||||||
|
Bytes: certDerBytes,
|
||||||
|
},
|
||||||
|
)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("failed to encode certificate: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
keyBuf := bytes.Buffer{}
|
||||||
|
err = pem.Encode(
|
||||||
|
&keyBuf, &pem.Block{
|
||||||
|
Type: "EC PRIVATE KEY",
|
||||||
|
Bytes: keyBytes,
|
||||||
|
},
|
||||||
|
)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("failed to encode private key: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Write cert and key files.
|
||||||
|
err = ioutil.WriteFile(tempDirPath+"/tls.cert", certBuf.Bytes(), 0644)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("failed to write cert file: %v", err)
|
||||||
|
}
|
||||||
|
err = ioutil.WriteFile(tempDirPath+"/tls.key", keyBuf.Bytes(), 0600)
|
||||||
|
if err != nil {
|
||||||
|
os.Remove(tempDirPath + "tls.cert")
|
||||||
|
t.Fatalf("failed to write key file: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
rpcListener := net.IPAddr{IP: net.ParseIP("127.0.0.1"), Zone: ""}
|
||||||
|
rpcListeners := make([]net.Addr, 0)
|
||||||
|
rpcListeners = append(rpcListeners, &rpcListener)
|
||||||
|
|
||||||
|
// Now let's run getTLSConfig. If it works properly, it should delete
|
||||||
|
// the cert and create a new one.
|
||||||
|
_, _, _, err = getTLSConfig(certPath, keyPath, rpcListeners)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("couldn't retrieve TLS config")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Grab the certificate to test that getTLSConfig did its job correctly
|
||||||
|
// and generated a new cert.
|
||||||
|
newCertData, err := tls.LoadX509KeyPair(certPath, keyPath)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("couldn't grab new certificate")
|
||||||
|
}
|
||||||
|
|
||||||
|
newCert, err := x509.ParseCertificate(newCertData.Certificate[0])
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("couldn't parse new certificate")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check that the expired certificate was successfully deleted and
|
||||||
|
// replaced with a new one.
|
||||||
|
if !newCert.NotAfter.After(expiredCert.NotAfter) {
|
||||||
|
t.Fatalf("New certificate expiration is too old")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// genExpiredCertPair generates an expired key/cert pair to test that expired
|
||||||
|
// certificates are being regenerated correctly.
|
||||||
|
func genExpiredCertPair(t *testing.T, certDirPath string) ([]byte, []byte) {
|
||||||
|
// Max serial number.
|
||||||
|
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
|
||||||
|
|
||||||
|
// Generate a serial number that's below the serialNumberLimit.
|
||||||
|
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("failed to generate serial number: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
host := "lightning"
|
||||||
|
|
||||||
|
// Create a simple ip address for the fake certificate.
|
||||||
|
ipAddresses := []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")}
|
||||||
|
|
||||||
|
dnsNames := []string{host, "unix", "unixpacket"}
|
||||||
|
|
||||||
|
// Construct the certificate template.
|
||||||
|
template := x509.Certificate{
|
||||||
|
SerialNumber: serialNumber,
|
||||||
|
Subject: pkix.Name{
|
||||||
|
Organization: []string{"lnd autogenerated cert"},
|
||||||
|
CommonName: host,
|
||||||
|
},
|
||||||
|
NotBefore: time.Now().Add(-time.Hour * 24),
|
||||||
|
NotAfter: time.Now(),
|
||||||
|
|
||||||
|
KeyUsage: x509.KeyUsageKeyEncipherment |
|
||||||
|
x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
|
||||||
|
IsCA: true, // so can sign self.
|
||||||
|
BasicConstraintsValid: true,
|
||||||
|
|
||||||
|
DNSNames: dnsNames,
|
||||||
|
IPAddresses: ipAddresses,
|
||||||
|
}
|
||||||
|
|
||||||
|
// Generate a private key for the certificate.
|
||||||
|
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("failed to generate a private key")
|
||||||
|
}
|
||||||
|
|
||||||
|
certDerBytes, err := x509.CreateCertificate(
|
||||||
|
rand.Reader, &template, &template, &priv.PublicKey, priv)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("failed to create certificate: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
keyBytes, err := x509.MarshalECPrivateKey(priv)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("unable to encode privkey: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
return certDerBytes, keyBytes
|
||||||
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user