support clientcert to dcrd

dajohi · dajohi · commit 9b7ffcac544a · 2025-11-20T20:41:35.000Z
diff --git a/chainreg/chainregistry.go b/chainreg/chainregistry.go
@@ -300,19 +300,23 @@ func NewPartialChainControl(cfg *Config) (*PartialChainControl, func(), error) {
 				cfg.ActiveNetParams.RPCPort)
 		}
 
-		dcrdUser := dcrdMode.RPCUser
-		dcrdPass := dcrdMode.RPCPass
 		cc.RPCConfig = &rpcclient.ConnConfig{
 			Host:                 dcrdHost,
 			Endpoint:             "ws",
-			User:                 dcrdUser,
-			Pass:                 dcrdPass,
 			Certificates:         rpcCert,
 			DisableTLS:           false,
 			DisableConnectOnNew:  true,
 			DisableAutoReconnect: false,
 		}
-
+		if dcrdMode.RPCClientCert != "" {
+			cc.RPCConfig.AuthType = rpcclient.AuthTypeClientCert
+			cc.RPCConfig.ClientCert = dcrdMode.RPCClientCert
+			cc.RPCConfig.ClientKey = dcrdMode.RPCClientKey
+		} else {
+			cc.RPCConfig.AuthType = rpcclient.AuthTypeBasic
+			cc.RPCConfig.User = dcrdMode.RPCUser
+			cc.RPCConfig.Pass = dcrdMode.RPCPass
+		}
 		// Verify that the provided dcrd instance exists, is reachable,
 		// it's on the correct network and has the features required
 		// for dcrlnd to perform its work.
diff --git a/config.go b/config.go
@@ -5,6 +5,7 @@
 package dcrlnd
 
 import (
+	"crypto/tls"
 	"fmt"
 	"io/ioutil"
 	"net"
@@ -1468,6 +1469,19 @@ func parseRPCParams(cConfig *lncfg.Chain, nodeConfig interface{},
 	var daemonName, confDir, confFile string
 	switch conf := nodeConfig.(type) {
 	case *lncfg.DcrdConfig:
+		// If either RPCClientCert or RPCClientKey are set, assume
+		// clientcert auth is wanted.
+		if conf.RPCClientCert != "" || conf.RPCClientKey != "" {
+			if conf.RPCUser != "" || conf.RPCPass != "" {
+				return fmt.Errorf("rpc user and pass may not be used with clientcert")
+			}
+			if _, err := tls.LoadX509KeyPair(conf.RPCClientCert,
+				conf.RPCClientKey); err != nil {
+				return fmt.Errorf("failed to load dcrd client keypair: %w", err)
+			}
+			return nil
+		}
+
 		// If both RPCUser and RPCPass are set, we assume those
 		// credentials are good to use.
 		if conf.RPCUser != "" && conf.RPCPass != "" {
diff --git a/go.mod b/go.mod
@@ -25,7 +25,7 @@ require (
 	github.com/decred/dcrd/gcs/v4 v4.1.0
 	github.com/decred/dcrd/hdkeychain/v3 v3.1.2
 	github.com/decred/dcrd/rpc/jsonrpc/types/v4 v4.3.0
-	github.com/decred/dcrd/rpcclient/v8 v8.0.1
+	github.com/decred/dcrd/rpcclient/v8 v8.0.2-0.20251120183434-709b0d251ee0
 	github.com/decred/dcrd/txscript/v4 v4.1.1
 	github.com/decred/dcrd/wire v1.7.0
 	github.com/decred/dcrtest/dcrdtest v1.0.1-0.20240514160637-ade8c37ad1db
diff --git a/go.sum b/go.sum
@@ -180,8 +180,8 @@ github.com/decred/dcrd/peer/v3 v3.0.2 h1:akcB/L5tZcV/LV5LsiAAeShzvus8mjwvkLI20b1
 github.com/decred/dcrd/peer/v3 v3.0.2/go.mod h1:J3Wwi3biKzsIoQS61LnpFyjDgP7oigdoptf2r6yNMBQ=
 github.com/decred/dcrd/rpc/jsonrpc/types/v4 v4.3.0 h1:l0DnCcILTNrpy8APF3FLN312ChpkQaAuW30aC/RgBaw=
 github.com/decred/dcrd/rpc/jsonrpc/types/v4 v4.3.0/go.mod h1:j+kkRPXPJB5S9VFOsx8SQLcU7PTFkPKRc1aCHN4ENzA=
-github.com/decred/dcrd/rpcclient/v8 v8.0.1 h1:hd81e4w1KSqvPcozJlnz6XJfWKDNuahgooH/N5E8vOU=
-github.com/decred/dcrd/rpcclient/v8 v8.0.1/go.mod h1:97XD5P/XrZzedePPFPJzc8el2o00q2Kr+Epi4AvRL3o=
+github.com/decred/dcrd/rpcclient/v8 v8.0.2-0.20251120183434-709b0d251ee0 h1:baVG2rzOiP1i+oQMD5UH1REYpD/8FA4EpgY65GjAfsI=
+github.com/decred/dcrd/rpcclient/v8 v8.0.2-0.20251120183434-709b0d251ee0/go.mod h1:LsWk+nvhFZ1Xb6+TVjPfQObQzLQ16rEp8QoUkToT3rM=
 github.com/decred/dcrd/txscript/v4 v4.0.0/go.mod h1:OJtxNc5RqwQyfrRnG2gG8uMeNPo8IAJp+TD1UKXkqk8=
 github.com/decred/dcrd/txscript/v4 v4.1.1 h1:R4M2+jMujgQA91899SkL0cW66d6DC76Gx+1W1oEHjc0=
 github.com/decred/dcrd/txscript/v4 v4.1.1/go.mod h1:7ybmJoI+b6dxvQ+0aXdZpkyrj0PbnylJCzFxD1g8+/A=
diff --git a/lncfg/dcrd.go b/lncfg/dcrd.go
@@ -1,9 +1,11 @@
 package lncfg
 
 type DcrdConfig struct {
-	RPCHost    string `long:"rpchost" description:"The daemon's rpc listening address. If a port is omitted, then the default port for the selected chain parameters will be used."`
-	RPCUser    string `long:"rpcuser" description:"Username for RPC connections"`
-	RPCPass    string `long:"rpcpass" default-mask:"-" description:"Password for RPC connections"`
-	RPCCert    string `long:"rpccert" description:"File containing the daemon's certificate file"`
-	RawRPCCert string `long:"rawrpccert" description:"The raw bytes of the daemon's PEM-encoded certificate chain which will be used to authenticate the RPC connection."`
+	RPCHost       string `long:"rpchost" description:"The daemon's rpc listening address. If a port is omitted, then the default port for the selected chain parameters will be used."`
+	RPCUser       string `long:"rpcuser" description:"Username for RPC connections"`
+	RPCPass       string `long:"rpcpass" default-mask:"-" description:"Password for RPC connections"`
+	RPCCert       string `long:"rpccert" description:"File containing the daemon's certificate file"`
+	RawRPCCert    string `long:"rawrpccert" description:"The raw bytes of the daemon's PEM-encoded certificate chain which will be used to authenticate the RPC connection."`
+	RPCClientCert string `long:"rpcclientcert" description:"TLS client certificate to present to authenticate RPC connections to dcrd"`
+	RPCClientKey  string `long:"rpcclientkey" description:"Key for dcrd RPC client certificate"`
 }
diff --git a/lnwallet/dcrwallet/rpcsync.go b/lnwallet/dcrwallet/rpcsync.go
@@ -2,14 +2,14 @@ package dcrwallet
 
 import (
 	"context"
+	"os"
 	"sync"
 	"time"
 
-	"github.com/decred/dcrd/chaincfg/v3"
-	"github.com/decred/dcrd/rpcclient/v8"
-
 	"decred.org/dcrwallet/v4/chain"
 	"decred.org/dcrwallet/v4/errors"
+	"github.com/decred/dcrd/chaincfg/v3"
+	"github.com/decred/dcrd/rpcclient/v8"
 )
 
 // RPCSyncer implements the required methods for synchronizing a DcrWallet
@@ -38,12 +38,28 @@ func NewRPCSyncer(rpcConfig rpcclient.ConnConfig, net *chaincfg.Params) (*RPCSyn
 
 // start the syncer backend and begin synchronizing the given wallet.
 func (s *RPCSyncer) start(w *DcrWallet) error {
+	var clientCert, clientKey []byte
+	var err error
 
+	if s.rpcConfig.ClientCert != "" {
+		clientCert, err = os.ReadFile(s.rpcConfig.ClientCert)
+		if err != nil && !os.IsNotExist(err) {
+			return err
+		}
+	}
+	if s.rpcConfig.ClientKey != "" {
+		clientKey, err = os.ReadFile(s.rpcConfig.ClientKey)
+		if err != nil && !os.IsNotExist(err) {
+			return err
+		}
+	}
 	chainRpcOpts := chain.RPCOptions{
-		Address: s.rpcConfig.Host,
-		User:    s.rpcConfig.User,
-		Pass:    s.rpcConfig.Pass,
-		CA:      s.rpcConfig.Certificates,
+		Address:    s.rpcConfig.Host,
+		User:       s.rpcConfig.User,
+		Pass:       s.rpcConfig.Pass,
+		CA:         s.rpcConfig.Certificates,
+		ClientCert: clientCert,
+		ClientKey:  clientKey,
 	}
 
 	disableDiscoverAccts, err := w.cfg.DB.AccountDiscoveryDisabled()
