123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372 |
- package lnd
- import (
- "bytes"
- "crypto/ecdsa"
- "crypto/elliptic"
- "crypto/rand"
- "crypto/tls"
- "crypto/x509"
- "crypto/x509/pkix"
- "encoding/pem"
- "math/big"
- "net"
- "os"
- "testing"
- "time"
- "github.com/btcsuite/btcd/btcec/v2"
- "github.com/lightningnetwork/lnd/cert"
- "github.com/lightningnetwork/lnd/keychain"
- "github.com/lightningnetwork/lnd/lnencrypt"
- "github.com/lightningnetwork/lnd/lntest/channels"
- "github.com/lightningnetwork/lnd/lntest/mock"
- "github.com/stretchr/testify/require"
- )
- const (
- testTLSCertDuration = 42 * time.Hour
- )
- var (
- privKeyBytes = channels.AlicesPrivKey
- privKey, _ = btcec.PrivKeyFromBytes(privKeyBytes)
- )
- // TestGenerateOrRenewCert creates an expired TLS certificate, to test that a
- // new TLS certificate pair is regenerated when the old pair expires. This is
- // necessary because the pair expires after a little over a year.
- func TestGenerateOrRenewCert(t *testing.T) {
- t.Parallel()
- // Write an expired certificate to disk.
- certPath, keyPath, expiredCert := writeTestCertFiles(
- t, true, false, nil,
- )
- // Now let's run the TLSManager's getConfig. If it works properly, it
- // should delete the cert and create a new one.
- cfg := &TLSManagerCfg{
- TLSCertPath: certPath,
- TLSKeyPath: keyPath,
- TLSCertDuration: testTLSCertDuration,
- }
- tlsManager := NewTLSManager(cfg)
- _, err := tlsManager.generateOrRenewCert()
- require.NoError(t, err)
- _, _, _, cleanUp, err := tlsManager.getConfig()
- require.NoError(t, err, "couldn't retrieve TLS config")
- t.Cleanup(cleanUp)
- // Grab the certificate to test that getTLSConfig did its job correctly
- // and generated a new cert.
- newCertData, err := tls.LoadX509KeyPair(certPath, keyPath)
- require.NoError(t, err, "couldn't grab new certificate")
- newCert, err := x509.ParseCertificate(newCertData.Certificate[0])
- require.NoError(t, err, "couldn't parse new certificate")
- // Check that the expired certificate was successfully deleted and
- // replaced with a new one.
- require.True(t, newCert.NotAfter.After(expiredCert.NotAfter),
- "New certificate expiration is too old")
- }
- // TestTLSManagerGenCert tests that the new TLS Manager loads correctly,
- // whether the encrypted TLS key flag is set or not.
- func TestTLSManagerGenCert(t *testing.T) {
- t.Parallel()
- _, certPath, keyPath := newTestDirectory(t)
- cfg := &TLSManagerCfg{
- TLSCertPath: certPath,
- TLSKeyPath: keyPath,
- }
- tlsManager := NewTLSManager(cfg)
- _, err := tlsManager.generateOrRenewCert()
- require.NoError(t, err, "failed to generate new certificate")
- // After this is run, a new certificate should be created and written
- // to disk. Since the TLSEncryptKey flag isn't set, we should be able
- // to read it in plaintext from disk.
- _, keyBytes, err := cert.GetCertBytesFromPath(
- cfg.TLSCertPath, cfg.TLSKeyPath,
- )
- require.NoError(t, err, "unable to load certificate")
- require.True(t, bytes.HasPrefix(keyBytes, privateKeyPrefix),
- "key is encrypted, but shouldn't be")
- // Now test that if the TLSEncryptKey flag is set, an encrypted key is
- // created and written to disk.
- _, certPath, keyPath = newTestDirectory(t)
- cfg = &TLSManagerCfg{
- TLSEncryptKey: true,
- TLSCertPath: certPath,
- TLSKeyPath: keyPath,
- TLSCertDuration: testTLSCertDuration,
- }
- tlsManager = NewTLSManager(cfg)
- keyRing := &mock.SecretKeyRing{
- RootKey: privKey,
- }
- err = tlsManager.generateCertPair(keyRing)
- require.NoError(t, err, "failed to generate new certificate")
- _, keyBytes, err = cert.GetCertBytesFromPath(
- certPath, keyPath,
- )
- require.NoError(t, err, "unable to load certificate")
- require.False(t, bytes.HasPrefix(keyBytes, privateKeyPrefix),
- "key isn't encrypted, but should be")
- }
- // TestEnsureEncryption tests that ensureEncryption does a couple of things:
- // 1) If we have cfg.TLSEncryptKey set, but the tls file saved to disk is not
- // encrypted, generateOrRenewCert encrypts the file and rewrites it to disk.
- // 2) If cfg.TLSEncryptKey is not set, but the file *is* encrypted, then we
- // need to return an error to the user.
- func TestEnsureEncryption(t *testing.T) {
- t.Parallel()
- keyRing := &mock.SecretKeyRing{
- RootKey: privKey,
- }
- // Write an unencrypted cert file to disk.
- certPath, keyPath, _ := writeTestCertFiles(
- t, false, false, keyRing,
- )
- cfg := &TLSManagerCfg{
- TLSEncryptKey: true,
- TLSCertPath: certPath,
- TLSKeyPath: keyPath,
- }
- tlsManager := NewTLSManager(cfg)
- // Check that the keyBytes are initially plaintext.
- _, newKeyBytes, err := cert.GetCertBytesFromPath(
- cfg.TLSCertPath, cfg.TLSKeyPath,
- )
- require.NoError(t, err, "unable to load certificate files")
- require.True(t, bytes.HasPrefix(newKeyBytes, privateKeyPrefix),
- "key doesn't have correct plaintext prefix")
- // ensureEncryption should detect that the TLS key is in plaintext,
- // encrypt it, and rewrite the encrypted version to disk.
- err = tlsManager.ensureEncryption(keyRing)
- require.NoError(t, err, "failed to generate new certificate")
- // Grab the file from disk to check that the key is no longer
- // plaintext.
- _, newKeyBytes, err = cert.GetCertBytesFromPath(
- cfg.TLSCertPath, cfg.TLSKeyPath,
- )
- require.NoError(t, err, "unable to load certificate")
- require.False(t, bytes.HasPrefix(newKeyBytes, privateKeyPrefix),
- "key isn't encrypted, but should be")
- // Now let's flip the cfg.TLSEncryptKey to false. Since the key on file
- // is encrypted, ensureEncryption should error out.
- tlsManager.cfg.TLSEncryptKey = false
- err = tlsManager.ensureEncryption(keyRing)
- require.Error(t, err)
- }
- // TestGenerateEphemeralCert tests that an ephemeral certificate is created and
- // stored to disk in a .tmp file and that LoadPermanentCertificate deletes
- // file and replaces it with a fresh certificate pair.
- func TestGenerateEphemeralCert(t *testing.T) {
- t.Parallel()
- _, certPath, keyPath := newTestDirectory(t)
- tmpCertPath := certPath + ".tmp"
- cfg := &TLSManagerCfg{
- TLSCertPath: certPath,
- TLSKeyPath: keyPath,
- TLSEncryptKey: true,
- TLSCertDuration: testTLSCertDuration,
- }
- tlsManager := NewTLSManager(cfg)
- keyBytes, err := tlsManager.loadEphemeralCertificate()
- require.NoError(t, err, "failed to generate new certificate")
- certBytes, err := os.ReadFile(tmpCertPath)
- require.NoError(t, err)
- tlsr, err := cert.NewTLSReloader(certBytes, keyBytes)
- require.NoError(t, err)
- tlsManager.tlsReloader = tlsr
- // Make sure .tmp file is created at the tmp cert path.
- _, err = os.ReadFile(tmpCertPath)
- require.NoError(t, err, "couldn't find temp cert file")
- // But no key should be stored.
- _, err = os.ReadFile(cfg.TLSKeyPath)
- require.Error(t, err, "shouldn't have found file")
- // And no permanent cert file should be stored.
- _, err = os.ReadFile(cfg.TLSCertPath)
- require.Error(t, err, "shouldn't have found a permanent cert file")
- // Now test that when we reload the certificate it generates the new
- // certificate properly.
- keyRing := &mock.SecretKeyRing{
- RootKey: privKey,
- }
- err = tlsManager.LoadPermanentCertificate(keyRing)
- require.NoError(t, err, "unable to reload certificate")
- // Make sure .tmp file is deleted.
- _, _, err = cert.GetCertBytesFromPath(
- tmpCertPath, cfg.TLSKeyPath,
- )
- require.Error(t, err, ".tmp file should have been deleted")
- // Make sure a certificate now exists at the permanent cert path.
- _, _, err = cert.GetCertBytesFromPath(
- cfg.TLSCertPath, cfg.TLSKeyPath,
- )
- require.NoError(t, err, "error loading permanent certificate")
- }
- // genCertPair generates a key/cert pair, with the option of generating expired
- // certificates to make sure they are being regenerated correctly.
- func genCertPair(t *testing.T, expired bool) ([]byte, []byte) {
- t.Helper()
- // Max serial number.
- serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
- // Generate a serial number that's below the serialNumberLimit.
- serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
- require.NoError(t, err, "failed to generate serial number")
- host := "lightning"
- // Create a simple ip address for the fake certificate.
- ipAddresses := []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")}
- dnsNames := []string{host, "unix", "unixpacket"}
- var notBefore, notAfter time.Time
- if expired {
- notBefore = time.Now().Add(-time.Hour * 24)
- notAfter = time.Now()
- } else {
- notBefore = time.Now()
- notAfter = time.Now().Add(time.Hour * 24)
- }
- // Construct the certificate template.
- template := x509.Certificate{
- SerialNumber: serialNumber,
- Subject: pkix.Name{
- Organization: []string{"lnd autogenerated cert"},
- CommonName: host,
- },
- NotBefore: notBefore,
- NotAfter: notAfter,
- KeyUsage: x509.KeyUsageKeyEncipherment |
- x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
- IsCA: true, // so can sign self.
- BasicConstraintsValid: true,
- DNSNames: dnsNames,
- IPAddresses: ipAddresses,
- }
- // Generate a private key for the certificate.
- priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
- if err != nil {
- t.Fatalf("failed to generate a private key")
- }
- certDerBytes, err := x509.CreateCertificate(
- rand.Reader, &template, &template, &priv.PublicKey, priv,
- )
- require.NoError(t, err, "failed to create certificate")
- keyBytes, err := x509.MarshalECPrivateKey(priv)
- require.NoError(t, err, "unable to encode privkey")
- return certDerBytes, keyBytes
- }
- // writeTestCertFiles creates test files and writes them to a temporary testing
- // directory.
- func writeTestCertFiles(t *testing.T, expiredCert, encryptTLSKey bool,
- keyRing keychain.KeyRing) (string, string, *x509.Certificate) {
- t.Helper()
- tempDir, certPath, keyPath := newTestDirectory(t)
- var certDerBytes, keyBytes []byte
- // Either create a valid certificate or an expired certificate pair,
- // depending on the test.
- if expiredCert {
- certDerBytes, keyBytes = genCertPair(t, true)
- } else {
- certDerBytes, keyBytes = genCertPair(t, false)
- }
- parsedCert, err := x509.ParseCertificate(certDerBytes)
- require.NoError(t, err, "failed to parse certificate")
- certBuf := bytes.Buffer{}
- err = pem.Encode(
- &certBuf, &pem.Block{
- Type: "CERTIFICATE",
- Bytes: certDerBytes,
- },
- )
- require.NoError(t, err, "failed to encode certificate")
- var keyBuf *bytes.Buffer
- if !encryptTLSKey {
- keyBuf = &bytes.Buffer{}
- err = pem.Encode(
- keyBuf, &pem.Block{
- Type: "EC PRIVATE KEY",
- Bytes: keyBytes,
- },
- )
- require.NoError(t, err, "failed to encode private key")
- } else {
- e, err := lnencrypt.KeyRingEncrypter(keyRing)
- require.NoError(t, err, "unable to generate key encrypter")
- err = e.EncryptPayloadToWriter(
- keyBytes, keyBuf,
- )
- require.NoError(t, err, "failed to encrypt private key")
- }
- err = os.WriteFile(tempDir+"/tls.cert", certBuf.Bytes(), 0644)
- require.NoError(t, err, "failed to write cert file")
- err = os.WriteFile(tempDir+"/tls.key", keyBuf.Bytes(), 0600)
- require.NoError(t, err, "failed to write key file")
- return certPath, keyPath, parsedCert
- }
- // newTestDirectory creates a new test directory and returns the location of
- // the test tls.cert and tls.key files.
- func newTestDirectory(t *testing.T) (string, string, string) {
- t.Helper()
- tempDir := t.TempDir()
- certPath := tempDir + "/tls.cert"
- keyPath := tempDir + "/tls.key"
- return tempDir, certPath, keyPath
- }
|