concept ACK requested: Generate tls certificate with CA

cert/selfsigned.go

@@ -2,6 +2,7 @@ package cert
 
 import (
 	"bytes"
+	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
@@ -200,8 +201,8 @@ func IsOutdated(cert *x509.Certificate, tlsExtraIPs,
 // This function is adapted from https://github.com/btcsuite/btcd and
 // https://github.com/btcsuite/btcd/btcutil
 func GenCertPair(org string, tlsExtraIPs, tlsExtraDomains []string,
-	tlsDisableAutofill bool, certValidity time.Duration) (
-	[]byte, []byte, error) {
+	tlsDisableAutofill bool, certValidity time.Duration, caCertBytes []byte,
+	caKeyBytes []byte) ([]byte, []byte, error) {
 
 	now := time.Now()
 	validUntil := now.Add(certValidity)
@@ -232,6 +233,21 @@ func GenCertPair(org string, tlsExtraIPs, tlsExtraDomains []string,
 		return nil, nil, err
 	}
 
+	var caCert *x509.Certificate
+	isCa := true
+	var signerPriv crypto.PrivateKey = priv
+	if caKeyBytes != nil {
+		caCertData, parsedCaCert, err := LoadCertFromBytes(
+			caCertBytes, caKeyBytes,
+		)
+		if err != nil {
+			return nil, nil, err
+		}
+		isCa = false
+		signerPriv = caCertData.PrivateKey
+		caCert = parsedCaCert
+	}
+
 	// Construct the certificate template.
 	template := x509.Certificate{
 		SerialNumber: serialNumber,
@@ -248,16 +264,20 @@ func GenCertPair(org string, tlsExtraIPs, tlsExtraDomains []string,
 		ExtKeyUsage: []x509.ExtKeyUsage{
 			x509.ExtKeyUsageServerAuth,
 		},
-		IsCA:                  true, // so can sign self.
+		IsCA:                  isCa,
 		BasicConstraintsValid: true,
 
 		DNSNames:    dnsNames,
 		IPAddresses: ipAddresses,
 	}
 
+	if isCa {
+		caCert = &template
+	}
+
 	derBytes, err := x509.CreateCertificate(
 		rand.Reader, &template,
-		&template, &priv.PublicKey, priv,
+		caCert, &priv.PublicKey, signerPriv,
 	)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to create certificate: %w",

cert/selfsigned_test.go

@@ -30,7 +30,7 @@ func TestIsOutdatedCert(t *testing.T) {
 	// Generate TLS files with two extra IPs and domains.
 	certBytes, keyBytes, err := cert.GenCertPair(
 		"lnd autogenerated cert", extraIPs[:2], extraDomains[:2],
-		false, testTLSCertDuration,
+		false, testTLSCertDuration, nil, nil,
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -90,7 +90,7 @@ func TestIsOutdatedPermutation(t *testing.T) {
 	// Generate TLS files from the IPs and domains.
 	certBytes, keyBytes, err := cert.GenCertPair(
 		"lnd autogenerated cert", extraIPs[:], extraDomains[:],
-		false, testTLSCertDuration,
+		false, testTLSCertDuration, nil, nil,
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -161,7 +161,7 @@ func TestTLSDisableAutofill(t *testing.T) {
 	// Generate TLS files with two extra IPs and domains and no interface IPs.
 	certBytes, keyBytes, err := cert.GenCertPair(
 		"lnd autogenerated cert", extraIPs[:2], extraDomains[:2],
-		true, testTLSCertDuration,
+		true, testTLSCertDuration, nil, nil,
 	)
 	require.NoError(
 		t, err,
@@ -223,7 +223,7 @@ func TestTLSConfig(t *testing.T) {
 	// Generate TLS files with an extra IP and domain.
 	certBytes, keyBytes, err := cert.GenCertPair(
 		"lnd autogenerated cert", []string{extraIPs[0]},
-		[]string{extraDomains[0]}, false, testTLSCertDuration,
+		[]string{extraDomains[0]}, false, testTLSCertDuration, nil, nil,
 	)
 	require.NoError(t, err)
 

config.go

@@ -51,6 +51,8 @@ const (
 	defaultChainSubDirname    = "chain"
 	defaultGraphSubDirname    = "graph"
 	defaultTowerSubDirname    = "watchtower"
+	defaultCACertFilename     = "ca.cert"
+	defaultCAKeyFilename      = "ca.key"
 	defaultTLSCertFilename    = "tls.cert"
 	defaultTLSKeyFilename     = "tls.key"
 	defaultAdminMacFilename   = "admin.macaroon"
@@ -264,6 +266,8 @@ var (
 
 	defaultTowerDir = filepath.Join(defaultDataDir, defaultTowerSubDirname)
 
+	defaultCACertPath     = filepath.Join(DefaultLndDir, defaultCACertFilename)
+	defaultCAKeyPath      = filepath.Join(DefaultLndDir, defaultCAKeyFilename)
 	defaultTLSCertPath    = filepath.Join(DefaultLndDir, defaultTLSCertFilename)
 	defaultTLSKeyPath     = filepath.Join(DefaultLndDir, defaultTLSKeyFilename)
 	defaultLetsEncryptDir = filepath.Join(DefaultLndDir, defaultLetsEncryptDirname)
@@ -299,6 +303,8 @@ type Config struct {
 	DataDir      string `short:"b" long:"datadir" description:"The directory to store lnd's data within"`
 	SyncFreelist bool   `long:"sync-freelist" description:"Whether the databases used within lnd should sync their freelist to disk. This is disabled by default resulting in improved memory performance during operation, but with an increase in startup time."`
 
+	CACertPath         string        `long:"cacertpath" description:"Path to write the CA certificate for lnd's RPC and REST services"`
+	CAKeyPath          string        `long:"cakeypath" description:"Path to write the CA private key for lnd's RPC and REST services"`
 	TLSCertPath        string        `long:"tlscertpath" description:"Path to write the TLS certificate for lnd's RPC and REST services"`
 	TLSKeyPath         string        `long:"tlskeypath" description:"Path to write the TLS private key for lnd's RPC and REST services"`
 	TLSExtraIPs        []string      `long:"tlsextraip" description:"Adds an extra ip to the generated certificate"`
@@ -556,6 +562,8 @@ func DefaultConfig() Config {
 		ConfigFile:        DefaultConfigFile,
 		DataDir:           defaultDataDir,
 		DebugLevel:        defaultLogLevel,
+		CACertPath:        defaultCACertPath,
+		CAKeyPath:         defaultCAKeyPath,
 		TLSCertPath:       defaultTLSCertPath,
 		TLSKeyPath:        defaultTLSKeyPath,
 		TLSCertDuration:   defaultTLSCertDuration,
@@ -880,6 +888,8 @@ func ValidateConfig(cfg Config, interceptor signal.Interceptor, fileParser,
 		cfg.LetsEncryptDir = filepath.Join(
 			lndDir, defaultLetsEncryptDirname,
 		)
+		cfg.CACertPath = filepath.Join(lndDir, defaultCACertFilename)
+		cfg.CAKeyPath = filepath.Join(lndDir, defaultCAKeyFilename)
 		cfg.TLSCertPath = filepath.Join(lndDir, defaultTLSCertFilename)
 		cfg.TLSKeyPath = filepath.Join(lndDir, defaultTLSKeyFilename)
 		cfg.LogDir = filepath.Join(lndDir, defaultLogDirname)
@@ -962,6 +972,8 @@ func ValidateConfig(cfg Config, interceptor signal.Interceptor, fileParser,
 	// to directories and files are cleaned and expanded before attempting
 	// to use them later on.
 	cfg.DataDir = CleanAndExpandPath(cfg.DataDir)
+	cfg.CACertPath = CleanAndExpandPath(cfg.CACertPath)
+	cfg.CAKeyPath = CleanAndExpandPath(cfg.CAKeyPath)
 	cfg.TLSCertPath = CleanAndExpandPath(cfg.TLSCertPath)
 	cfg.TLSKeyPath = CleanAndExpandPath(cfg.TLSKeyPath)
 	cfg.LetsEncryptDir = CleanAndExpandPath(cfg.LetsEncryptDir)
@@ -1382,6 +1394,7 @@ func ValidateConfig(cfg Config, interceptor signal.Interceptor, fileParser,
 	dirs := []string{
 		lndDir, cfg.DataDir, cfg.networkDir,
 		cfg.LetsEncryptDir, towerDir, cfg.graphDatabaseDir(),
+		filepath.Dir(cfg.CACertPath), filepath.Dir(cfg.CAKeyPath),
 		filepath.Dir(cfg.TLSCertPath), filepath.Dir(cfg.TLSKeyPath),
 		filepath.Dir(cfg.AdminMacPath), filepath.Dir(cfg.ReadMacPath),
 		filepath.Dir(cfg.InvoiceMacPath),

go.mod

@@ -207,6 +207,8 @@ replace github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.2
 // allows us to specify that as an option.
 replace google.golang.org/protobuf => github.com/lightninglabs/protobuf-go-hex-display v1.30.0-hex-display
 
+replace github.com/lightningnetwork/lnd/cert => ./cert
+
 // If you change this please also update .github/pull_request_template.md,
 // docs/INSTALL.md and GO_IMAGE in lnrpc/gen_protos_docker.sh.
 go 1.22.6

lnd.go

@@ -265,6 +265,8 @@ func Main(cfg *Config, lisCfg ListenerCfg, implCfg *ImplementationCfg,
 	}
 
 	tlsManagerCfg := &TLSManagerCfg{
+		CACertPath:         cfg.CACertPath,
+		CAKeyPath:          cfg.CAKeyPath,
 		TLSCertPath:        cfg.TLSCertPath,
 		TLSKeyPath:         cfg.TLSKeyPath,
 		TLSEncryptKey:      cfg.TLSEncryptKey,