• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

lightningnetwork / lnd / 16911773184

12 Aug 2025 02:21PM UTC coverage: 57.471% (-9.4%) from 66.9%
16911773184

Pull #10103

github

web-flow
Merge d64a1234d into f3e1f2f35
Pull Request #10103: Rate limit outgoing gossip bandwidth by peer

57 of 77 new or added lines in 5 files covered. (74.03%)

28294 existing lines in 457 files now uncovered.

99110 of 172451 relevant lines covered (57.47%)

1.78 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

35.28
/tls_manager.go
1
package lnd
2

3
import (
4
        "bytes"
5
        "context"
6
        "crypto/tls"
7
        "crypto/x509"
8
        "errors"
9
        "fmt"
10
        "net"
11
        "net/http"
12
        "os"
13
        "time"
14

15
        "github.com/lightningnetwork/lnd/cert"
16
        "github.com/lightningnetwork/lnd/keychain"
17
        "github.com/lightningnetwork/lnd/lncfg"
18
        "github.com/lightningnetwork/lnd/lnencrypt"
19
        "github.com/lightningnetwork/lnd/lnrpc"
20
        "golang.org/x/crypto/acme/autocert"
21
        "google.golang.org/grpc"
22
        "google.golang.org/grpc/credentials"
23
)
24

25
const (
26
        // modifyFilePermissons is the file permission used for writing
27
        // encrypted tls files.
28
        modifyFilePermissions = 0600
29

30
        // validityHours is the number of hours the ephemeral tls certificate
31
        // will be valid, if encrypting tls certificates is turned on.
32
        validityHours = 24
33
)
34

35
var (
36
        // privateKeyPrefix is the prefix to a plaintext TLS key.
37
        // It should match these two key formats:
38
        // - `-----BEGIN PRIVATE KEY-----`    (PKCS8).
39
        // - `-----BEGIN EC PRIVATE KEY-----` (SEC1/rfc5915, the legacy format).
40
        privateKeyPrefix = []byte("-----BEGIN ")
41
)
42

43
// TLSManagerCfg houses a set of values and methods that is passed to the
44
// TLSManager for it to properly manage LND's TLS options.
45
type TLSManagerCfg struct {
46
        TLSCertPath        string
47
        TLSKeyPath         string
48
        TLSEncryptKey      bool
49
        TLSExtraIPs        []string
50
        TLSExtraDomains    []string
51
        TLSAutoRefresh     bool
52
        TLSDisableAutofill bool
53
        TLSCertDuration    time.Duration
54

55
        LetsEncryptDir    string
56
        LetsEncryptDomain string
57
        LetsEncryptListen string
58

59
        DisableRestTLS bool
60

61
        HTTPHeaderTimeout time.Duration
62
}
63

64
// TLSManager generates/renews a TLS cert/key pair when needed. When required,
65
// it encrypts the TLS key. It also returns the certificate configuration
66
// options needed for gRPC and REST.
67
type TLSManager struct {
68
        cfg *TLSManagerCfg
69

70
        // tlsReloader is able to reload the certificate with the
71
        // GetCertificate function. In getConfig, tlsCfg.GetCertificate is
72
        // pointed towards t.tlsReloader.GetCertificateFunc(). When
73
        // TLSReloader's AttemptReload is called, the cert that tlsReloader
74
        // holds is changed, in turn changing the cert data
75
        // tlsCfg.GetCertificate will return.
76
        tlsReloader *cert.TLSReloader
77

78
        // These options are only used if we're currently using an ephemeral
79
        // TLS certificate, used when we're encrypting the TLS key.
80
        ephemeralKey      []byte
81
        ephemeralCert     []byte
82
        ephemeralCertPath string
83
}
84

85
// NewTLSManager returns a reference to a new TLSManager.
86
func NewTLSManager(cfg *TLSManagerCfg) *TLSManager {
3✔
87
        return &TLSManager{
3✔
88
                cfg: cfg,
3✔
89
        }
3✔
90
}
3✔
91

92
// getConfig returns a TLS configuration for the gRPC server and credentials
93
// and a proxy destination for the REST reverse proxy.
94
func (t *TLSManager) getConfig() ([]grpc.ServerOption, []grpc.DialOption,
95
        func(net.Addr) (net.Listener, error), func(), error) {
3✔
96

3✔
97
        var (
3✔
98
                keyBytes, certBytes []byte
3✔
99
                err                 error
3✔
100
        )
3✔
101
        if t.ephemeralKey != nil {
3✔
102
                keyBytes = t.ephemeralKey
×
103
                certBytes = t.ephemeralCert
×
104
        } else {
3✔
105
                certBytes, keyBytes, err = cert.GetCertBytesFromPath(
3✔
106
                        t.cfg.TLSCertPath, t.cfg.TLSKeyPath,
3✔
107
                )
3✔
108
                if err != nil {
3✔
109
                        return nil, nil, nil, nil, err
×
110
                }
×
111
        }
112

113
        certData, _, err := cert.LoadCertFromBytes(certBytes, keyBytes)
3✔
114
        if err != nil {
3✔
115
                return nil, nil, nil, nil, err
×
116
        }
×
117

118
        if t.tlsReloader == nil {
6✔
119
                tlsr, err := cert.NewTLSReloader(certBytes, keyBytes)
3✔
120
                if err != nil {
3✔
121
                        return nil, nil, nil, nil, err
×
122
                }
×
123
                t.tlsReloader = tlsr
3✔
124
        }
125

126
        tlsCfg := cert.TLSConfFromCert(certData)
3✔
127
        tlsCfg.GetCertificate = t.tlsReloader.GetCertificateFunc()
3✔
128

3✔
129
        // If Let's Encrypt is enabled, we need to set up the autocert manager
3✔
130
        // and override the TLS config's GetCertificate function.
3✔
131
        cleanUp := t.setUpLetsEncrypt(&certData, tlsCfg)
3✔
132

3✔
133
        // Now that we know that we have a certificate, let's generate the
3✔
134
        // required config options.
3✔
135
        serverCreds := credentials.NewTLS(tlsCfg)
3✔
136
        serverOpts := []grpc.ServerOption{grpc.Creds(serverCreds)}
3✔
137

3✔
138
        // For our REST dial options, we skip TLS verification, and we also
3✔
139
        // increase the max message size that we'll decode to allow clients to
3✔
140
        // hit endpoints which return more data such as the DescribeGraph call.
3✔
141
        // We set this to 200MiB atm. Should be the same value as maxMsgRecvSize
3✔
142
        // in cmd/lncli/main.go.
3✔
143
        restDialOpts := []grpc.DialOption{
3✔
144
                // We are forwarding the requests directly to the address of our
3✔
145
                // own local listener. To not need to mess with the TLS
3✔
146
                // certificate (which might be tricky if we're using Let's
3✔
147
                // Encrypt or if the ephemeral tls cert is being used), we just
3✔
148
                // skip the certificate verification. Injecting a malicious
3✔
149
                // hostname into the listener address will result in an error
3✔
150
                // on startup so this should be quite safe.
3✔
151
                grpc.WithTransportCredentials(credentials.NewTLS(
3✔
152
                        &tls.Config{InsecureSkipVerify: true},
3✔
153
                )),
3✔
154
                grpc.WithDefaultCallOptions(
3✔
155
                        grpc.MaxCallRecvMsgSize(lnrpc.MaxGrpcMsgSize),
3✔
156
                ),
3✔
157
        }
3✔
158

3✔
159
        // Return a function closure that can be used to listen on a given
3✔
160
        // address with the current TLS config.
3✔
161
        restListen := func(addr net.Addr) (net.Listener, error) {
6✔
162
                // For restListen we will call ListenOnAddress if TLS is
3✔
163
                // disabled.
3✔
164
                if t.cfg.DisableRestTLS {
3✔
165
                        return lncfg.ListenOnAddress(addr)
×
166
                }
×
167

168
                return lncfg.TLSListenOnAddress(addr, tlsCfg)
3✔
169
        }
170

171
        return serverOpts, restDialOpts, restListen, cleanUp, nil
3✔
172
}
173

174
// generateOrRenewCert generates a new TLS certificate if we're not using one
175
// yet or renews it if it's outdated.
176
func (t *TLSManager) generateOrRenewCert() (*tls.Config, error) {
3✔
177
        // Generete a TLS pair if we don't have one yet.
3✔
178
        var emptyKeyRing keychain.SecretKeyRing
3✔
179
        err := t.generateCertPair(emptyKeyRing)
3✔
180
        if err != nil {
3✔
181
                return nil, err
×
182
        }
×
183

184
        certData, parsedCert, err := cert.LoadCert(
3✔
185
                t.cfg.TLSCertPath, t.cfg.TLSKeyPath,
3✔
186
        )
3✔
187
        if err != nil {
3✔
188
                return nil, err
×
189
        }
×
190

191
        // Check to see if the certificate needs to be renewed. If it does, we
192
        // return the newly generated certificate data instead.
193
        reloadedCertData, err := t.maintainCert(parsedCert)
3✔
194
        if err != nil {
3✔
195
                return nil, err
×
196
        }
×
197
        if reloadedCertData != nil {
3✔
UNCOV
198
                certData = *reloadedCertData
×
UNCOV
199
        }
×
200

201
        tlsCfg := cert.TLSConfFromCert(certData)
3✔
202

3✔
203
        return tlsCfg, nil
3✔
204
}
205

206
// generateCertPair creates and writes a TLS pair to disk if the pair
207
// doesn't exist yet. If the TLSEncryptKey setting is on, and a plaintext key
208
// is already written to disk, this function overwrites the plaintext key with
209
// the encrypted form.
210
func (t *TLSManager) generateCertPair(keyRing keychain.SecretKeyRing) error {
3✔
211
        // Ensure we create TLS key and certificate if they don't exist.
3✔
212
        if lnrpc.FileExists(t.cfg.TLSCertPath) ||
3✔
213
                lnrpc.FileExists(t.cfg.TLSKeyPath) {
6✔
214

3✔
215
                // Handle discrepencies related to the TLSEncryptKey setting.
3✔
216
                return t.ensureEncryption(keyRing)
3✔
217
        }
3✔
218

219
        rpcsLog.Infof("Generating TLS certificates...")
3✔
220
        certBytes, keyBytes, err := cert.GenCertPair(
3✔
221
                "lnd autogenerated cert", t.cfg.TLSExtraIPs,
3✔
222
                t.cfg.TLSExtraDomains, t.cfg.TLSDisableAutofill,
3✔
223
                t.cfg.TLSCertDuration,
3✔
224
        )
3✔
225
        if err != nil {
3✔
226
                return err
×
227
        }
×
228

229
        if t.cfg.TLSEncryptKey {
3✔
UNCOV
230
                var b bytes.Buffer
×
UNCOV
231
                e, err := lnencrypt.KeyRingEncrypter(keyRing)
×
UNCOV
232
                if err != nil {
×
233
                        return fmt.Errorf("unable to create "+
×
234
                                "encrypt key %v", err)
×
235
                }
×
236

UNCOV
237
                err = e.EncryptPayloadToWriter(
×
UNCOV
238
                        keyBytes, &b,
×
UNCOV
239
                )
×
UNCOV
240
                if err != nil {
×
241
                        return err
×
242
                }
×
243

UNCOV
244
                keyBytes = b.Bytes()
×
245
        }
246

247
        err = cert.WriteCertPair(
3✔
248
                t.cfg.TLSCertPath, t.cfg.TLSKeyPath, certBytes, keyBytes,
3✔
249
        )
3✔
250

3✔
251
        rpcsLog.Infof("Done generating TLS certificates")
3✔
252

3✔
253
        return err
3✔
254
}
255

256
// ensureEncryption takes a look at a couple of things:
257
// 1) If the TLS key is in plaintext, but TLSEncryptKey is set, we need to
258
// encrypt the file and rewrite it to disk.
259
// 2) On the flip side, if TLSEncryptKey is not set, but the key on disk
260
// is encrypted, we need to error out and warn the user.
261
func (t *TLSManager) ensureEncryption(keyRing keychain.SecretKeyRing) error {
3✔
262
        _, keyBytes, err := cert.GetCertBytesFromPath(
3✔
263
                t.cfg.TLSCertPath, t.cfg.TLSKeyPath,
3✔
264
        )
3✔
265
        if err != nil {
3✔
266
                return err
×
267
        }
×
268

269
        if t.cfg.TLSEncryptKey && bytes.HasPrefix(keyBytes, privateKeyPrefix) {
3✔
UNCOV
270
                var b bytes.Buffer
×
UNCOV
271
                e, err := lnencrypt.KeyRingEncrypter(keyRing)
×
UNCOV
272
                if err != nil {
×
273
                        return fmt.Errorf("unable to generate encrypt key %w",
×
274
                                err)
×
275
                }
×
276

UNCOV
277
                err = e.EncryptPayloadToWriter(keyBytes, &b)
×
UNCOV
278
                if err != nil {
×
279
                        return err
×
280
                }
×
UNCOV
281
                err = os.WriteFile(
×
UNCOV
282
                        t.cfg.TLSKeyPath, b.Bytes(), modifyFilePermissions,
×
UNCOV
283
                )
×
UNCOV
284
                if err != nil {
×
285
                        return err
×
286
                }
×
287
        }
288

289
        // If the private key is encrypted but the user didn't pass
290
        // --tlsencryptkey we error out. This is because the wallet is not
291
        // unlocked yet and we don't have access to the keys yet for decryption.
292
        if !t.cfg.TLSEncryptKey && !bytes.HasPrefix(keyBytes,
3✔
293
                privateKeyPrefix) {
3✔
UNCOV
294

×
UNCOV
295
                ltndLog.Errorf("The TLS private key is encrypted on disk.")
×
UNCOV
296

×
UNCOV
297
                return errors.New("the TLS key is encrypted but the " +
×
UNCOV
298
                        "--tlsencryptkey flag is not passed. Please either " +
×
UNCOV
299
                        "restart lnd with the --tlsencryptkey flag or delete " +
×
UNCOV
300
                        "the TLS files for regeneration")
×
UNCOV
301
        }
×
302

303
        return nil
3✔
304
}
305

306
// decryptTLSKeyBytes decrypts the TLS key.
307
func decryptTLSKeyBytes(keyRing keychain.SecretKeyRing,
308
        encryptedData []byte) ([]byte, error) {
×
309

×
310
        reader := bytes.NewReader(encryptedData)
×
311
        encrypter, err := lnencrypt.KeyRingEncrypter(keyRing)
×
312
        if err != nil {
×
313
                return nil, err
×
314
        }
×
315

316
        plaintext, err := encrypter.DecryptPayloadFromReader(
×
317
                reader,
×
318
        )
×
319
        if err != nil {
×
320
                return nil, err
×
321
        }
×
322

323
        return plaintext, nil
×
324
}
325

326
// maintainCert checks if the certificate IP and domains matches the config,
327
// and renews the certificate if either this data is outdated or the
328
// certificate is expired.
329
func (t *TLSManager) maintainCert(
330
        parsedCert *x509.Certificate) (*tls.Certificate, error) {
3✔
331

3✔
332
        // We check whether the certificate we have on disk match the IPs and
3✔
333
        // domains specified by the config. If the extra IPs or domains have
3✔
334
        // changed from when the certificate was created, we will refresh the
3✔
335
        // certificate if auto refresh is active.
3✔
336
        refresh := false
3✔
337
        var err error
3✔
338
        if t.cfg.TLSAutoRefresh {
3✔
339
                refresh, err = cert.IsOutdated(
×
340
                        parsedCert, t.cfg.TLSExtraIPs,
×
341
                        t.cfg.TLSExtraDomains, t.cfg.TLSDisableAutofill,
×
342
                )
×
343
                if err != nil {
×
344
                        return nil, err
×
345
                }
×
346
        }
347

348
        // If the certificate expired or it was outdated, delete it and the TLS
349
        // key and generate a new pair.
350
        if !time.Now().After(parsedCert.NotAfter) && !refresh {
6✔
351
                return nil, nil
3✔
352
        }
3✔
353

UNCOV
354
        ltndLog.Info("TLS certificate is expired or outdated, " +
×
UNCOV
355
                "generating a new one")
×
UNCOV
356

×
UNCOV
357
        err = os.Remove(t.cfg.TLSCertPath)
×
UNCOV
358
        if err != nil {
×
359
                return nil, err
×
360
        }
×
361

UNCOV
362
        err = os.Remove(t.cfg.TLSKeyPath)
×
UNCOV
363
        if err != nil {
×
364
                return nil, err
×
365
        }
×
366

UNCOV
367
        rpcsLog.Infof("Renewing TLS certificates...")
×
UNCOV
368
        certBytes, keyBytes, err := cert.GenCertPair(
×
UNCOV
369
                "lnd autogenerated cert", t.cfg.TLSExtraIPs,
×
UNCOV
370
                t.cfg.TLSExtraDomains, t.cfg.TLSDisableAutofill,
×
UNCOV
371
                t.cfg.TLSCertDuration,
×
UNCOV
372
        )
×
UNCOV
373
        if err != nil {
×
374
                return nil, err
×
375
        }
×
376

UNCOV
377
        err = cert.WriteCertPair(
×
UNCOV
378
                t.cfg.TLSCertPath, t.cfg.TLSKeyPath, certBytes, keyBytes,
×
UNCOV
379
        )
×
UNCOV
380
        if err != nil {
×
381
                return nil, err
×
382
        }
×
383

UNCOV
384
        rpcsLog.Infof("Done renewing TLS certificates")
×
UNCOV
385

×
UNCOV
386
        // Reload the certificate data.
×
UNCOV
387
        reloadedCertData, _, err := cert.LoadCert(
×
UNCOV
388
                t.cfg.TLSCertPath, t.cfg.TLSKeyPath,
×
UNCOV
389
        )
×
UNCOV
390

×
UNCOV
391
        return &reloadedCertData, err
×
392
}
393

394
// setUpLetsEncrypt automatically generates a Let's Encrypt certificate if the
395
// option is set.
396
func (t *TLSManager) setUpLetsEncrypt(certData *tls.Certificate,
397
        tlsCfg *tls.Config) func() {
3✔
398

3✔
399
        // If Let's Encrypt is enabled, instantiate autocert to request/renew
3✔
400
        // the certificates.
3✔
401
        cleanUp := func() {}
6✔
402
        if t.cfg.LetsEncryptDomain == "" {
6✔
403
                return cleanUp
3✔
404
        }
3✔
405

406
        ltndLog.Infof("Using Let's Encrypt certificate for domain %v",
×
407
                t.cfg.LetsEncryptDomain)
×
408

×
409
        manager := autocert.Manager{
×
410
                Cache:  autocert.DirCache(t.cfg.LetsEncryptDir),
×
411
                Prompt: autocert.AcceptTOS,
×
412
                HostPolicy: autocert.HostWhitelist(
×
413
                        t.cfg.LetsEncryptDomain,
×
414
                ),
×
415
        }
×
416

×
417
        srv := &http.Server{
×
418
                Addr:              t.cfg.LetsEncryptListen,
×
419
                Handler:           manager.HTTPHandler(nil),
×
420
                ReadHeaderTimeout: t.cfg.HTTPHeaderTimeout,
×
421
        }
×
422
        shutdownCompleted := make(chan struct{})
×
423
        cleanUp = func() {
×
424
                err := srv.Shutdown(context.Background())
×
425
                if err != nil {
×
426
                        ltndLog.Errorf("Autocert listener shutdown "+
×
427
                                " error: %v", err)
×
428

×
429
                        return
×
430
                }
×
431
                <-shutdownCompleted
×
432
                ltndLog.Infof("Autocert challenge listener stopped")
×
433
        }
434

435
        go func() {
×
436
                ltndLog.Infof("Autocert challenge listener started "+
×
437
                        "at %v", t.cfg.LetsEncryptListen)
×
438

×
439
                err := srv.ListenAndServe()
×
440
                if err != http.ErrServerClosed {
×
441
                        ltndLog.Errorf("autocert http: %v", err)
×
442
                }
×
443
                close(shutdownCompleted)
×
444
        }()
445

446
        getCertificate := func(h *tls.ClientHelloInfo) (
×
447
                *tls.Certificate, error) {
×
448

×
449
                lecert, err := manager.GetCertificate(h)
×
450
                if err != nil {
×
451
                        ltndLog.Errorf("GetCertificate: %v", err)
×
452
                        return certData, nil
×
453
                }
×
454

455
                return lecert, err
×
456
        }
457

458
        // The self-signed tls.cert remains available as fallback.
459
        tlsCfg.GetCertificate = getCertificate
×
460

×
461
        return cleanUp
×
462
}
463

464
// SetCertificateBeforeUnlock takes care of loading the certificate before
465
// the wallet is unlocked. If the TLSEncryptKey setting is on, we need to
466
// generate an ephemeral certificate we're able to use until the wallet is
467
// unlocked and a new TLS pair can be encrypted to disk. Otherwise we can
468
// process the certificate normally.
469
func (t *TLSManager) SetCertificateBeforeUnlock() ([]grpc.ServerOption,
470
        []grpc.DialOption, func(net.Addr) (net.Listener, error), func(),
471
        error) {
3✔
472

3✔
473
        if t.cfg.TLSEncryptKey {
3✔
474
                _, err := t.loadEphemeralCertificate()
×
475
                if err != nil {
×
476
                        return nil, nil, nil, nil, fmt.Errorf("unable to load "+
×
477
                                "ephemeral certificate: %v", err)
×
478
                }
×
479
        } else {
3✔
480
                _, err := t.generateOrRenewCert()
3✔
481
                if err != nil {
3✔
482
                        return nil, nil, nil, nil, fmt.Errorf("unable to "+
×
483
                                "generate or renew TLS certificate: %v", err)
×
484
                }
×
485
        }
486

487
        serverOpts, restDialOpts, restListen, cleanUp, err := t.getConfig()
3✔
488
        if err != nil {
3✔
489
                return nil, nil, nil, nil, fmt.Errorf("unable to load TLS "+
×
490
                        "credentials: %v", err)
×
491
        }
×
492

493
        return serverOpts, restDialOpts, restListen, cleanUp, nil
3✔
494
}
495

496
// loadEphemeralCertificate creates and loads the ephemeral certificate which
497
// is used temporarily for secure communications before the wallet is unlocked.
UNCOV
498
func (t *TLSManager) loadEphemeralCertificate() ([]byte, error) {
×
UNCOV
499
        rpcsLog.Infof("Generating ephemeral TLS certificates...")
×
UNCOV
500

×
UNCOV
501
        tmpValidity := validityHours * time.Hour
×
UNCOV
502
        // Append .tmp to the end of the cert for differentiation.
×
UNCOV
503
        tmpCertPath := t.cfg.TLSCertPath + ".tmp"
×
UNCOV
504

×
UNCOV
505
        // Pass in a blank string for the key path so the
×
UNCOV
506
        // function doesn't write them to disk.
×
UNCOV
507
        certBytes, keyBytes, err := cert.GenCertPair(
×
UNCOV
508
                "lnd ephemeral autogenerated cert", t.cfg.TLSExtraIPs,
×
UNCOV
509
                t.cfg.TLSExtraDomains, t.cfg.TLSDisableAutofill, tmpValidity,
×
UNCOV
510
        )
×
UNCOV
511
        if err != nil {
×
512
                return nil, err
×
513
        }
×
UNCOV
514
        t.setEphemeralSettings(keyBytes, certBytes)
×
UNCOV
515

×
UNCOV
516
        err = cert.WriteCertPair(tmpCertPath, "", certBytes, keyBytes)
×
UNCOV
517
        if err != nil {
×
518
                return nil, err
×
519
        }
×
520

UNCOV
521
        rpcsLog.Infof("Done generating ephemeral TLS certificates")
×
UNCOV
522

×
UNCOV
523
        return keyBytes, nil
×
524
}
525

526
// LoadPermanentCertificate deletes the ephemeral certificate file and
527
// generates a new one with the real keyring.
528
func (t *TLSManager) LoadPermanentCertificate(
529
        keyRing keychain.SecretKeyRing) error {
3✔
530

3✔
531
        if !t.cfg.TLSEncryptKey {
6✔
532
                return nil
3✔
533
        }
3✔
534

UNCOV
535
        tmpCertPath := t.cfg.TLSCertPath + ".tmp"
×
UNCOV
536
        err := os.Remove(tmpCertPath)
×
UNCOV
537
        if err != nil {
×
538
                ltndLog.Warn("Unable to delete temp cert at %v",
×
539
                        tmpCertPath)
×
540
        }
×
541

UNCOV
542
        err = t.generateCertPair(keyRing)
×
UNCOV
543
        if err != nil {
×
544
                return err
×
545
        }
×
546

UNCOV
547
        certBytes, encryptedKeyBytes, err := cert.GetCertBytesFromPath(
×
UNCOV
548
                t.cfg.TLSCertPath, t.cfg.TLSKeyPath,
×
UNCOV
549
        )
×
UNCOV
550
        if err != nil {
×
551
                return err
×
552
        }
×
553

UNCOV
554
        reader := bytes.NewReader(encryptedKeyBytes)
×
UNCOV
555
        e, err := lnencrypt.KeyRingEncrypter(keyRing)
×
UNCOV
556
        if err != nil {
×
557
                return fmt.Errorf("unable to generate encrypt key %w",
×
558
                        err)
×
559
        }
×
560

UNCOV
561
        keyBytes, err := e.DecryptPayloadFromReader(reader)
×
UNCOV
562
        if err != nil {
×
563
                return err
×
564
        }
×
565

566
        // Switch the server's TLS certificate to the persistent one. By
567
        // changing the cert data the TLSReloader points to,
UNCOV
568
        err = t.tlsReloader.AttemptReload(certBytes, keyBytes)
×
UNCOV
569
        if err != nil {
×
570
                return err
×
571
        }
×
572

UNCOV
573
        t.deleteEphemeralSettings()
×
UNCOV
574

×
UNCOV
575
        return nil
×
576
}
577

578
// setEphemeralSettings sets the TLSManager settings needed when an ephemeral
579
// certificate is created.
UNCOV
580
func (t *TLSManager) setEphemeralSettings(keyBytes, certBytes []byte) {
×
UNCOV
581
        t.ephemeralKey = keyBytes
×
UNCOV
582
        t.ephemeralCert = certBytes
×
UNCOV
583
        t.ephemeralCertPath = t.cfg.TLSCertPath + ".tmp"
×
UNCOV
584
}
×
585

586
// deleteEphemeralSettings deletes the TLSManager ephemeral settings that are
587
// no longer needed when the ephemeral certificate is deleted so the Manager
588
// knows we're no longer using it.
UNCOV
589
func (t *TLSManager) deleteEphemeralSettings() {
×
UNCOV
590
        t.ephemeralKey = nil
×
UNCOV
591
        t.ephemeralCert = nil
×
UNCOV
592
        t.ephemeralCertPath = ""
×
UNCOV
593
}
×
594

595
// IsCertExpired checks if the current TLS certificate is expired.
596
func (t *TLSManager) IsCertExpired(keyRing keychain.SecretKeyRing) (bool,
597
        time.Time, error) {
×
598

×
599
        certBytes, keyBytes, err := cert.GetCertBytesFromPath(
×
600
                t.cfg.TLSCertPath, t.cfg.TLSKeyPath,
×
601
        )
×
602
        if err != nil {
×
603
                return false, time.Time{}, err
×
604
        }
×
605

606
        // If TLSEncryptKey is set, there are two states the
607
        // certificate can be in: ephemeral or permanent.
608
        // Retrieve the key depending on which state it is in.
609
        if t.ephemeralKey != nil {
×
610
                keyBytes = t.ephemeralKey
×
611
        } else if t.cfg.TLSEncryptKey {
×
612
                keyBytes, err = decryptTLSKeyBytes(keyRing, keyBytes)
×
613
                if err != nil {
×
614
                        return false, time.Time{}, err
×
615
                }
×
616
        }
617

618
        _, parsedCert, err := cert.LoadCertFromBytes(
×
619
                certBytes, keyBytes,
×
620
        )
×
621
        if err != nil {
×
622
                return false, time.Time{}, err
×
623
        }
×
624

625
        // If the current time is passed the certificate's
626
        // expiry time, then it is considered expired
627
        if time.Now().After(parsedCert.NotAfter) {
×
628
                return true, parsedCert.NotAfter, nil
×
629
        }
×
630

631
        return false, parsedCert.NotAfter, nil
×
632
}
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2025 Coveralls, Inc