github.com/decred/dcrlnd@v0.7.6/cert/selfsigned_test.go (about) 1 package cert_test 2 3 import ( 4 "io/ioutil" 5 "testing" 6 "time" 7 8 "github.com/decred/dcrlnd/cert" 9 "github.com/stretchr/testify/require" 10 ) 11 12 const ( 13 testTLSCertDuration = 42 * time.Hour 14 ) 15 16 var ( 17 extraIPs = []string{"1.1.1.1", "123.123.123.1", "199.189.12.12"} 18 extraDomains = []string{"home", "and", "away"} 19 ) 20 21 // TestIsOutdatedCert checks that we'll consider the TLS certificate outdated 22 // if the ip addresses or dns names don't match. 23 func TestIsOutdatedCert(t *testing.T) { 24 tempDir, err := ioutil.TempDir("", "certtest") 25 if err != nil { 26 t.Fatal(err) 27 } 28 29 certPath := tempDir + "/tls.cert" 30 keyPath := tempDir + "/tls.key" 31 32 // Generate TLS files with two extra IPs and domains. 33 err = cert.GenCertPair( 34 "lnd autogenerated cert", certPath, keyPath, extraIPs[:2], 35 extraDomains[:2], false, testTLSCertDuration, 36 ) 37 if err != nil { 38 t.Fatal(err) 39 } 40 41 // We'll attempt to check up-to-date status for all variants of 1-3 42 // number of IPs and domains. 43 for numIPs := 1; numIPs <= len(extraIPs); numIPs++ { 44 for numDomains := 1; numDomains <= len(extraDomains); numDomains++ { 45 _, parsedCert, err := cert.LoadCert( 46 certPath, keyPath, 47 ) 48 if err != nil { 49 t.Fatal(err) 50 } 51 52 // Using the test case's number of IPs and domains, get 53 // the outdated status of the certificate we created 54 // above. 55 outdated, err := cert.IsOutdated( 56 parsedCert, extraIPs[:numIPs], 57 extraDomains[:numDomains], false, 58 ) 59 if err != nil { 60 t.Fatal(err) 61 } 62 63 // We expect it to be considered outdated if the IPs or 64 // domains don't match exactly what we created. 65 expected := numIPs != 2 || numDomains != 2 66 if outdated != expected { 67 t.Fatalf("expected certificate to be "+ 68 "outdated=%v, got=%v", expected, 69 outdated) 70 } 71 } 72 } 73 } 74 75 // TestIsOutdatedPermutation tests that the order of listed IPs or DNS names, 76 // nor dulicates in the lists, matter for whether we consider the certificate 77 // outdated. 78 func TestIsOutdatedPermutation(t *testing.T) { 79 tempDir, err := ioutil.TempDir("", "certtest") 80 if err != nil { 81 t.Fatal(err) 82 } 83 84 certPath := tempDir + "/tls.cert" 85 keyPath := tempDir + "/tls.key" 86 87 // Generate TLS files from the IPs and domains. 88 err = cert.GenCertPair( 89 "lnd autogenerated cert", certPath, keyPath, extraIPs[:], 90 extraDomains[:], false, testTLSCertDuration, 91 ) 92 if err != nil { 93 t.Fatal(err) 94 } 95 _, parsedCert, err := cert.LoadCert(certPath, keyPath) 96 if err != nil { 97 t.Fatal(err) 98 } 99 100 // If we have duplicate IPs or DNS names listed, that shouldn't matter. 101 dupIPs := make([]string, len(extraIPs)*2) 102 for i := range dupIPs { 103 dupIPs[i] = extraIPs[i/2] 104 } 105 106 dupDNS := make([]string, len(extraDomains)*2) 107 for i := range dupDNS { 108 dupDNS[i] = extraDomains[i/2] 109 } 110 111 outdated, err := cert.IsOutdated(parsedCert, dupIPs, dupDNS, false) 112 if err != nil { 113 t.Fatal(err) 114 } 115 116 if outdated { 117 t.Fatalf("did not expect duplicate IPs or DNS names be " + 118 "considered outdated") 119 } 120 121 // Similarly, the order of the lists shouldn't matter. 122 revIPs := make([]string, len(extraIPs)) 123 for i := range revIPs { 124 revIPs[i] = extraIPs[len(extraIPs)-1-i] 125 } 126 127 revDNS := make([]string, len(extraDomains)) 128 for i := range revDNS { 129 revDNS[i] = extraDomains[len(extraDomains)-1-i] 130 } 131 132 outdated, err = cert.IsOutdated(parsedCert, revIPs, revDNS, false) 133 if err != nil { 134 t.Fatal(err) 135 } 136 137 if outdated { 138 t.Fatalf("did not expect reversed IPs or DNS names be " + 139 "considered outdated") 140 } 141 } 142 143 // TestTLSDisableAutofill checks that setting the --tlsdisableautofill flag 144 // does not add interface ip addresses or hostnames to the cert. 145 func TestTLSDisableAutofill(t *testing.T) { 146 tempDir, err := ioutil.TempDir("", "certtest") 147 if err != nil { 148 t.Fatal(err) 149 } 150 151 certPath := tempDir + "/tls.cert" 152 keyPath := tempDir + "/tls.key" 153 154 // Generate TLS files with two extra IPs and domains and no interface IPs. 155 err = cert.GenCertPair( 156 "lnd autogenerated cert", certPath, keyPath, extraIPs[:2], 157 extraDomains[:2], true, testTLSCertDuration, 158 ) 159 require.NoError( 160 t, err, 161 "unable to generate tls certificate pair", 162 ) 163 164 _, parsedCert, err := cert.LoadCert( 165 certPath, keyPath, 166 ) 167 require.NoError( 168 t, err, 169 "unable to load tls certificate pair", 170 ) 171 172 // Check if the TLS cert is outdated while still preventing 173 // interface IPs from being used. Should not be outdated 174 shouldNotBeOutdated, err := cert.IsOutdated( 175 parsedCert, extraIPs[:2], 176 extraDomains[:2], true, 177 ) 178 require.NoError(t, err) 179 180 require.Equal( 181 t, false, shouldNotBeOutdated, 182 "TLS Certificate was marked as outdated when it should not be", 183 ) 184 185 // Check if the TLS cert is outdated while allowing for 186 // interface IPs to be used. Should report as outdated. 187 shouldBeOutdated, err := cert.IsOutdated( 188 parsedCert, extraIPs[:2], 189 extraDomains[:2], false, 190 ) 191 require.NoError(t, err) 192 193 require.Equal( 194 t, true, shouldBeOutdated, 195 "TLS Certificate was not marked as outdated when it should be", 196 ) 197 }