You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
205 lines
5.3 KiB
205 lines
5.3 KiB
// +build !rpctest |
|
|
|
package lnd |
|
|
|
import ( |
|
"bytes" |
|
"crypto/ecdsa" |
|
"crypto/elliptic" |
|
"crypto/rand" |
|
"crypto/tls" |
|
"crypto/x509" |
|
"crypto/x509/pkix" |
|
"encoding/pem" |
|
"io/ioutil" |
|
"math/big" |
|
"net" |
|
"os" |
|
"testing" |
|
"time" |
|
) |
|
|
|
func TestParseHexColor(t *testing.T) { |
|
var colorTestCases = []struct { |
|
test string |
|
valid bool // If valid format |
|
R byte |
|
G byte |
|
B byte |
|
}{ |
|
{"#123", false, 0, 0, 0}, |
|
{"#1234567", false, 0, 0, 0}, |
|
{"$123456", false, 0, 0, 0}, |
|
{"#12345+", false, 0, 0, 0}, |
|
{"#fFGG00", false, 0, 0, 0}, |
|
{"", false, 0, 0, 0}, |
|
{"#123456", true, 0x12, 0x34, 0x56}, |
|
{"#C0FfeE", true, 0xc0, 0xff, 0xee}, |
|
} |
|
|
|
// Perform the table driven tests. |
|
for _, ct := range colorTestCases { |
|
|
|
color, err := parseHexColor(ct.test) |
|
if !ct.valid && err == nil { |
|
t.Fatalf("Invalid color string: %s, should return "+ |
|
"error, but did not", ct.test) |
|
} |
|
|
|
if ct.valid && err != nil { |
|
t.Fatalf("Color %s valid to parse: %s", ct.test, err) |
|
} |
|
|
|
// Ensure that the string to hex decoding is working properly. |
|
if color.R != ct.R || color.G != ct.G || color.B != ct.B { |
|
t.Fatalf("Color %s incorrectly parsed as %v", ct.test, color) |
|
} |
|
} |
|
} |
|
|
|
// TestTLSAutoRegeneration creates an expired TLS certificate, to test that a |
|
// new TLS certificate pair is regenerated when the old pair expires. This is |
|
// necessary because the pair expires after a little over a year. |
|
func TestTLSAutoRegeneration(t *testing.T) { |
|
tempDirPath, err := ioutil.TempDir("", ".testLnd") |
|
if err != nil { |
|
t.Fatalf("couldn't create temporary cert directory") |
|
} |
|
defer os.RemoveAll(tempDirPath) |
|
|
|
certPath := tempDirPath + "/tls.cert" |
|
keyPath := tempDirPath + "/tls.key" |
|
|
|
certDerBytes, keyBytes := genExpiredCertPair(t, tempDirPath) |
|
expiredCert, err := x509.ParseCertificate(certDerBytes) |
|
if err != nil { |
|
t.Fatalf("failed to parse certificate: %v", err) |
|
} |
|
|
|
certBuf := bytes.Buffer{} |
|
err = pem.Encode( |
|
&certBuf, &pem.Block{ |
|
Type: "CERTIFICATE", |
|
Bytes: certDerBytes, |
|
}, |
|
) |
|
if err != nil { |
|
t.Fatalf("failed to encode certificate: %v", err) |
|
} |
|
|
|
keyBuf := bytes.Buffer{} |
|
err = pem.Encode( |
|
&keyBuf, &pem.Block{ |
|
Type: "EC PRIVATE KEY", |
|
Bytes: keyBytes, |
|
}, |
|
) |
|
if err != nil { |
|
t.Fatalf("failed to encode private key: %v", err) |
|
} |
|
|
|
// Write cert and key files. |
|
err = ioutil.WriteFile(tempDirPath+"/tls.cert", certBuf.Bytes(), 0644) |
|
if err != nil { |
|
t.Fatalf("failed to write cert file: %v", err) |
|
} |
|
err = ioutil.WriteFile(tempDirPath+"/tls.key", keyBuf.Bytes(), 0600) |
|
if err != nil { |
|
t.Fatalf("failed to write key file: %v", err) |
|
} |
|
|
|
rpcListener := net.IPAddr{IP: net.ParseIP("127.0.0.1"), Zone: ""} |
|
rpcListeners := make([]net.Addr, 0) |
|
rpcListeners = append(rpcListeners, &rpcListener) |
|
|
|
// Now let's run getTLSConfig. If it works properly, it should delete |
|
// the cert and create a new one. |
|
cfg := &Config{ |
|
TLSCertPath: certPath, |
|
TLSKeyPath: keyPath, |
|
TLSCertDuration: 42 * time.Hour, |
|
RPCListeners: rpcListeners, |
|
} |
|
_, _, _, cleanUp, err := getTLSConfig(cfg) |
|
if err != nil { |
|
t.Fatalf("couldn't retrieve TLS config") |
|
} |
|
defer cleanUp() |
|
|
|
// Grab the certificate to test that getTLSConfig did its job correctly |
|
// and generated a new cert. |
|
newCertData, err := tls.LoadX509KeyPair(certPath, keyPath) |
|
if err != nil { |
|
t.Fatalf("couldn't grab new certificate") |
|
} |
|
|
|
newCert, err := x509.ParseCertificate(newCertData.Certificate[0]) |
|
if err != nil { |
|
t.Fatalf("couldn't parse new certificate") |
|
} |
|
|
|
// Check that the expired certificate was successfully deleted and |
|
// replaced with a new one. |
|
if !newCert.NotAfter.After(expiredCert.NotAfter) { |
|
t.Fatalf("New certificate expiration is too old") |
|
} |
|
} |
|
|
|
// genExpiredCertPair generates an expired key/cert pair to test that expired |
|
// certificates are being regenerated correctly. |
|
func genExpiredCertPair(t *testing.T, certDirPath string) ([]byte, []byte) { |
|
// Max serial number. |
|
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) |
|
|
|
// Generate a serial number that's below the serialNumberLimit. |
|
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) |
|
if err != nil { |
|
t.Fatalf("failed to generate serial number: %s", err) |
|
} |
|
|
|
host := "lightning" |
|
|
|
// Create a simple ip address for the fake certificate. |
|
ipAddresses := []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")} |
|
|
|
dnsNames := []string{host, "unix", "unixpacket"} |
|
|
|
// Construct the certificate template. |
|
template := x509.Certificate{ |
|
SerialNumber: serialNumber, |
|
Subject: pkix.Name{ |
|
Organization: []string{"lnd autogenerated cert"}, |
|
CommonName: host, |
|
}, |
|
NotBefore: time.Now().Add(-time.Hour * 24), |
|
NotAfter: time.Now(), |
|
|
|
KeyUsage: x509.KeyUsageKeyEncipherment | |
|
x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, |
|
IsCA: true, // so can sign self. |
|
BasicConstraintsValid: true, |
|
|
|
DNSNames: dnsNames, |
|
IPAddresses: ipAddresses, |
|
} |
|
|
|
// Generate a private key for the certificate. |
|
priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) |
|
if err != nil { |
|
t.Fatalf("failed to generate a private key") |
|
} |
|
|
|
certDerBytes, err := x509.CreateCertificate( |
|
rand.Reader, &template, &template, &priv.PublicKey, priv, |
|
) |
|
if err != nil { |
|
t.Fatalf("failed to create certificate: %v", err) |
|
} |
|
|
|
keyBytes, err := x509.MarshalECPrivateKey(priv) |
|
if err != nil { |
|
t.Fatalf("unable to encode privkey: %v", err) |
|
} |
|
|
|
return certDerBytes, keyBytes |
|
}
|
|
|