diff --git a/.github/workflows/e2e-polybft-test.yml b/.github/workflows/e2e-polybft-test.yml index e7b591724e..b5f284c85a 100644 --- a/.github/workflows/e2e-polybft-test.yml +++ b/.github/workflows/e2e-polybft-test.yml @@ -26,19 +26,19 @@ jobs: go-version: 1.21.x check-latest: true - name: Generate OpenSSL certificate - run: openssl req -x509 -out jsontls.crt -keyout jsontls.key -newkey rsa:2048 -nodes -sha256 -subj '/CN=localhost' -extensions EXT -config <(printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth") + run: openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:2048 -nodes -sha256 -subj '/CN=localhost' -extensions EXT -config <(printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth") - name: Copy certificate key - run: sudo cp jsontls.key /etc/ssl/private/jsontls.key + run: sudo cp localhost.key /etc/ssl/private/localhost.key - name: Copy certificate itself - run: sudo cp jsontls.crt /usr/local/share/ca-certificates/jsontls.crt + run: sudo cp localhost.crt /usr/local/share/ca-certificates/localhost.crt - name: Add certificate to trusted list run: sudo update-ca-certificates - name: Update certificate key folder permissions run: sudo chmod -R 755 /etc/ssl/private - name: Update certificate key file permissions - run: sudo chmod 644 /etc/ssl/private/jsontls.key + run: sudo chmod 644 /etc/ssl/private/localhost.key - name: Check certificate key permissions - run: ls -l /etc/ssl/private/jsontls.key + run: ls -l /etc/ssl/private/localhost.key - name: Run tests run: make test-e2e-polybft - name: Run tests failed diff --git a/command/secrets/init/params.go b/command/secrets/init/params.go index 21e3c7649e..fd5da82d89 100644 --- a/command/secrets/init/params.go +++ b/command/secrets/init/params.go @@ -18,6 +18,7 @@ const ( privateKeyFlag = "private" insecureLocalStoreFlag = "insecure" networkFlag = "network" + jsonTLSCertFlag = "json-tls-cert" numFlag = "num" outputFlag = "output" @@ -29,8 +30,9 @@ type initParams struct { accountDir string accountConfig string - generatesAccount bool - generatesNetwork bool + generatesAccount bool + generatesNetwork bool + generatesJSONTLSCert bool printPrivateKey bool @@ -96,6 +98,13 @@ func (ip *initParams) setFlags(cmd *cobra.Command) { "the flag indicating whether new Network key is created", ) + cmd.Flags().BoolVar( + &ip.generatesJSONTLSCert, + jsonTLSCertFlag, + true, + "the flag indicating whether a new self signed TLS certificate is created for JSON RPC", + ) + cmd.Flags().BoolVar( &ip.printPrivateKey, privateKeyFlag, @@ -171,6 +180,12 @@ func (ip *initParams) initKeys(secretsManager secrets.SecretsManager) ([]string, } } + if ip.generatesJSONTLSCert { + if err := ip.generateJSONTLSCert(secretsManager, &generated); err != nil { + return generated, err + } + } + return generated, nil } @@ -207,6 +222,20 @@ func (ip *initParams) generateAccount(secretsManager secrets.SecretsManager, gen return nil } +func (ip *initParams) generateJSONTLSCert(secretsManager secrets.SecretsManager, generated *[]string) error { + if secretsManager.HasSecret(secrets.JSONTLSCert) && secretsManager.HasSecret(secrets.JSONTLSKey) { + return nil + } + + if err := helper.InitJSONTLSCert(secretsManager); err != nil { + return fmt.Errorf("error initializing json tls certificate: %w", err) + } + + *generated = append(*generated, secrets.JSONTLSCert, secrets.JSONTLSKey) + + return nil +} + // getResult gets keys from secret manager and return result to display func (ip *initParams) getResult( secretsManager secrets.SecretsManager, diff --git a/command/secrets/init/params_test.go b/command/secrets/init/params_test.go index a27671d73f..8d2aa38e01 100644 --- a/command/secrets/init/params_test.go +++ b/command/secrets/init/params_test.go @@ -28,8 +28,9 @@ func Test_initKeys(t *testing.T) { require.NoError(t, err) ip := &initParams{ - generatesAccount: false, - generatesNetwork: false, + generatesAccount: false, + generatesNetwork: false, + generatesJSONTLSCert: false, } _, err = ip.initKeys(sm) @@ -38,6 +39,8 @@ func Test_initKeys(t *testing.T) { assert.False(t, fileExists(path.Join(dir, "consensus/validator.key"))) assert.False(t, fileExists(path.Join(dir, "consensus/validator-bls.key"))) assert.False(t, fileExists(path.Join(dir, "libp2p/libp2p.key"))) + assert.False(t, fileExists(path.Join(dir, "jsontls/jsontls.pem"))) + assert.False(t, fileExists(path.Join(dir, "jsontls/jsontls.key"))) ip.generatesAccount = true res, err := ip.initKeys(sm) @@ -47,6 +50,8 @@ func Test_initKeys(t *testing.T) { assert.True(t, fileExists(path.Join(dir, "consensus/validator.key"))) assert.True(t, fileExists(path.Join(dir, "consensus/validator-bls.key"))) assert.False(t, fileExists(path.Join(dir, "libp2p/libp2p.key"))) + assert.False(t, fileExists(path.Join(dir, "jsontls/jsontls.pem"))) + assert.False(t, fileExists(path.Join(dir, "jsontls/jsontls.key"))) ip.generatesNetwork = true res, err = ip.initKeys(sm) @@ -54,6 +59,16 @@ func Test_initKeys(t *testing.T) { assert.Len(t, res, 1) assert.True(t, fileExists(path.Join(dir, "libp2p/libp2p.key"))) + assert.False(t, fileExists(path.Join(dir, "jsontls/jsontls.pem"))) + assert.False(t, fileExists(path.Join(dir, "jsontls/jsontls.key"))) + + ip.generatesJSONTLSCert = true + res, err = ip.initKeys(sm) + require.NoError(t, err) + assert.Len(t, res, 2) + + assert.True(t, fileExists(path.Join(dir, "jsontls/jsontls.pem"))) + assert.True(t, fileExists(path.Join(dir, "jsontls/jsontls.key"))) } func fileExists(filename string) bool { @@ -78,9 +93,10 @@ func Test_getResult(t *testing.T) { require.NoError(t, err) ip := &initParams{ - generatesAccount: true, - generatesNetwork: true, - printPrivateKey: true, + generatesAccount: true, + generatesNetwork: true, + generatesJSONTLSCert: true, + printPrivateKey: true, } _, err = ip.initKeys(sm) diff --git a/command/secrets/output/params.go b/command/secrets/output/params.go index 55b8c189a1..5954880be7 100644 --- a/command/secrets/output/params.go +++ b/command/secrets/output/params.go @@ -115,13 +115,14 @@ func (op *outputParams) parseConfig() error { func (op *outputParams) initLocalSecretsManager() error { validatorPathPrefix := filepath.Join(op.dataDir, secrets.ConsensusFolderLocal) networkPathPrefix := filepath.Join(op.dataDir, secrets.NetworkFolderLocal) + jsonTLSPathPrefix := filepath.Join(op.dataDir, secrets.JSONTLSFolderLocal) dataDirAbs, _ := filepath.Abs(op.dataDir) if !common.DirectoryExists(op.dataDir) { return fmt.Errorf("the data directory provided does not exist: %s", dataDirAbs) } - errs := make([]string, 0, 2) + errs := make([]string, 0, 3) if !common.DirectoryExists(validatorPathPrefix) { errs = append(errs, fmt.Sprintf("no validator keys found in the data directory provided: %s", dataDirAbs)) } @@ -130,6 +131,10 @@ func (op *outputParams) initLocalSecretsManager() error { errs = append(errs, fmt.Sprintf("no network key found in the data directory provided: %s", dataDirAbs)) } + if !common.DirectoryExists(jsonTLSPathPrefix) { + errs = append(errs, fmt.Sprintf("no json tls certificate found in the data directory provided: %s", dataDirAbs)) + } + if len(errs) > 0 { return fmt.Errorf(strings.Join(errs, "\n")) } diff --git a/command/server/config/config.go b/command/server/config/config.go index 5f70afc062..ad5c7fb464 100644 --- a/command/server/config/config.go +++ b/command/server/config/config.go @@ -33,6 +33,8 @@ type Config struct { JSONLogFormat bool `json:"json_log_format" yaml:"json_log_format"` CorsAllowedOrigins []string `json:"cors_allowed_origins" yaml:"cors_allowed_origins"` UseTLS bool `json:"use_tls" yaml:"use_tls"` + TLSCertFile string `json:"tls_cert_file" yaml:"tls_cert_file"` + TLSKeyFile string `json:"tls_key_file" yaml:"tls_key_file"` Relayer bool `json:"relayer" yaml:"relayer"` @@ -146,6 +148,8 @@ func DefaultConfig() *Config { }, LogFilePath: "", UseTLS: false, + TLSCertFile: "", + TLSKeyFile: "", JSONRPCBatchRequestLimit: DefaultJSONRPCBatchRequestLimit, JSONRPCBlockRangeLimit: DefaultJSONRPCBlockRangeLimit, Relayer: false, diff --git a/command/server/params.go b/command/server/params.go index 7a4a74022d..358eba8e31 100644 --- a/command/server/params.go +++ b/command/server/params.go @@ -38,6 +38,8 @@ const ( corsOriginFlag = "access-control-allow-origins" logFileLocationFlag = "log-to" useTLSFlag = "use-tls" + tlsCertFileLocationFlag = "tls-cert-file" + tlsKeyFileLocationFlag = "tls-key-file" relayerFlag = "relayer" @@ -185,6 +187,8 @@ func (p *serverParams) generateConfig() *server.Config { JSONLogFormat: p.rawConfig.JSONLogFormat, LogFilePath: p.logFileLocation, UseTLS: p.rawConfig.UseTLS, + TLSCertFile: p.rawConfig.TLSCertFile, + TLSKeyFile: p.rawConfig.TLSKeyFile, Relayer: p.relayer, MetricsInterval: p.rawConfig.MetricsInterval, diff --git a/command/server/server.go b/command/server/server.go index ef9b87af82..0d3d986426 100644 --- a/command/server/server.go +++ b/command/server/server.go @@ -221,6 +221,20 @@ func setFlags(cmd *cobra.Command) { "start json rpc endpoint with tls enabled", ) + cmd.Flags().StringVar( + ¶ms.rawConfig.TLSCertFile, + tlsCertFileLocationFlag, + defaultConfig.TLSCertFile, + "path to TLS cert file, if no file is provided then cert file is loaded from secrets manager", + ) + + cmd.Flags().StringVar( + ¶ms.rawConfig.TLSKeyFile, + tlsKeyFileLocationFlag, + defaultConfig.TLSKeyFile, + "path to TLS key file, if no file is provided then key file is loaded from secrets manager", + ) + cmd.Flags().BoolVar( ¶ms.rawConfig.Relayer, relayerFlag, diff --git a/e2e-polybft/e2e/jsonrpc_test.go b/e2e-polybft/e2e/jsonrpc_test.go index c5700ed81b..83682d9ba7 100644 --- a/e2e-polybft/e2e/jsonrpc_test.go +++ b/e2e-polybft/e2e/jsonrpc_test.go @@ -1,7 +1,9 @@ package e2e import ( + "crypto/tls" "math/big" + "net/http" "testing" "time" @@ -32,6 +34,7 @@ func TestE2E_JsonRPC(t *testing.T) { framework.WithPremine(preminedAcct.Address()), framework.WithBurnContract(&polybft.BurnContractInfo{BlockNumber: 0, Address: types.ZeroAddress}), framework.WithHTTPS(), + framework.WithTLSCertificate("/etc/ssl/certs/localhost.pem", "/etc/ssl/private/localhost.key"), ) defer cluster.Stop() @@ -310,3 +313,27 @@ func TestE2E_JsonRPC(t *testing.T) { require.Equal(t, txReceipt.BlockHash, ethgo.Hash(header.Hash)) }) } + +func TestE2E_JsonRPCSelfSignedTLS(t *testing.T) { + cluster := framework.NewTestCluster(t, 4, + framework.WithHTTPS(), + ) + defer cluster.Stop() + + // Wait for endpoint to start, can't use cluster.WaitForReady because server certificate is not trusted by client + time.Sleep(1 * time.Second) + + addr := cluster.Servers[0].JSONRPCAddr() + tr := &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + } + client := &http.Client{Transport: tr} + _, err := client.Get(addr) + require.NoError(t, err) + + // This will fail with certificate signed by unknown authority error + client = &http.Client{} + _, err = client.Get(addr) + require.Error(t, err) + require.ErrorContains(t, err, "x509: certificate signed by unknown authority") +} diff --git a/e2e-polybft/framework/test-cluster.go b/e2e-polybft/framework/test-cluster.go index 03ed2aa834..2b554ebf6b 100644 --- a/e2e-polybft/framework/test-cluster.go +++ b/e2e-polybft/framework/test-cluster.go @@ -147,7 +147,9 @@ type TestClusterConfig struct { logsDirOnce sync.Once - UseTLS bool + UseTLS bool + TLSCertFile string + TLSKeyFile string } func (c *TestClusterConfig) Dir(name string) string { @@ -469,6 +471,13 @@ func WithHTTPS() ClusterOption { } } +func WithTLSCertificate(certFile string, keyFile string) ClusterOption { + return func(h *TestClusterConfig) { + h.TLSCertFile = certFile + h.TLSKeyFile = keyFile + } +} + func isTrueEnv(e string) bool { return strings.ToLower(os.Getenv(e)) == "true" } @@ -812,6 +821,8 @@ func (c *TestCluster) InitTestServer(t *testing.T, config.NumBlockConfirmations = c.Config.NumBlockConfirmations config.BridgeJSONRPC = bridgeJSONRPC config.UseTLS = c.Config.UseTLS + config.TLSCertFile = c.Config.TLSCertFile + config.TLSKeyFile = c.Config.TLSKeyFile }) // watch the server for stop signals. It is important to fix the specific diff --git a/e2e-polybft/framework/test-server.go b/e2e-polybft/framework/test-server.go index c281c6bc0c..96fe506a8a 100644 --- a/e2e-polybft/framework/test-server.go +++ b/e2e-polybft/framework/test-server.go @@ -40,6 +40,8 @@ type TestServerConfig struct { NumBlockConfirmations uint64 BridgeJSONRPC string UseTLS bool + TLSCertFile string + TLSKeyFile string } type TestServerConfigCallback func(*TestServerConfig) @@ -170,6 +172,10 @@ func (t *TestServer) Start() { "--jsonrpc", fmt.Sprintf(":%d", config.JSONRPCPort), // minimal number of child blocks required for the parent block to be considered final "--num-block-confirmations", strconv.FormatUint(config.NumBlockConfirmations, 10), + // TLS certificate file + "--tls-cert-file", config.TLSCertFile, + // TLS key file + "--tls-key-file", config.TLSKeyFile, } if len(config.LogLevel) > 0 { diff --git a/jsonrpc/jsonrpc.go b/jsonrpc/jsonrpc.go index 7199b8620d..c018ecad40 100644 --- a/jsonrpc/jsonrpc.go +++ b/jsonrpc/jsonrpc.go @@ -53,6 +53,8 @@ type Config struct { ConcurrentRequestsDebug uint64 WebSocketReadLimit uint64 UseTLS bool + TLSCertFile string + TLSKeyFile string SecretsManager secrets.SecretsManager } @@ -116,23 +118,36 @@ func (j *JSONRPC) setupHTTP() error { if j.config.UseTLS { j.logger.Info("configuring http server with tls...") - cert, err := loadTLSCertificate(j.config.SecretsManager) - if err != nil { - j.logger.Error("loading tls certificate", "err", err) + if j.config.TLSCertFile != "" && j.config.TLSKeyFile != "" { + j.logger.Info("TLS", "cert file", j.config.TLSCertFile) + j.logger.Info("TLS", "key file", j.config.TLSKeyFile) - return err - } + go func() { + if err := srv.ServeTLS(lis, j.config.TLSCertFile, j.config.TLSKeyFile); err != nil { + j.logger.Error("closed https connection", "err", err) + } + }() + } else { + j.logger.Info("loading tls certificate from secrets manager...") - srv.TLSConfig = &tls.Config{ - Certificates: []tls.Certificate{*cert}, - MinVersion: tls.VersionTLS12, - } + cert, err := loadTLSCertificate(j.config.SecretsManager) + if err != nil { + j.logger.Error("loading tls certificate", "err", err) - go func() { - if err := srv.ServeTLS(lis, "", ""); err != nil { - j.logger.Error("closed https connection", "err", err) + return err } - }() + + srv.TLSConfig = &tls.Config{ + Certificates: []tls.Certificate{*cert}, + MinVersion: tls.VersionTLS12, + } + + go func() { + if err := srv.ServeTLS(lis, "", ""); err != nil { + j.logger.Error("closed https connection", "err", err) + } + }() + } } else { go func() { if err := srv.Serve(lis); err != nil { diff --git a/secrets/helper/helper.go b/secrets/helper/helper.go index 2dab3d362e..677a50ef7e 100644 --- a/secrets/helper/helper.go +++ b/secrets/helper/helper.go @@ -1,8 +1,16 @@ package helper import ( + "crypto/rand" + "crypto/rsa" + "crypto/x509" + "crypto/x509/pkix" + "encoding/asn1" + "encoding/pem" "errors" "fmt" + "math/big" + "time" "github.com/hashicorp/go-hclog" libp2pCrypto "github.com/libp2p/go-libp2p/core/crypto" @@ -115,6 +123,77 @@ func InitNetworkingPrivateKey(secretsManager secrets.SecretsManager) (libp2pCryp return libp2pKey, keyErr } +func genX509KeyPair() ([]byte, []byte, error) { + rawValues := []asn1.RawValue{} + rawValues = append(rawValues, asn1.RawValue{ + Bytes: []byte("localhost"), + Class: asn1.ClassContextSpecific, + Tag: 2, // DNS name + }) + + asn, err := asn1.Marshal(rawValues) + if err != nil { + return nil, nil, err + } + + now := time.Now().UTC() + template := &x509.Certificate{ + SerialNumber: big.NewInt(now.Unix()), + Subject: pkix.Name{ + CommonName: "localhost", + }, + ExtraExtensions: []pkix.Extension{ + { + Id: asn1.ObjectIdentifier{2, 5, 29, 17}, + Value: asn, + }, + }, + NotBefore: now, + NotAfter: now.AddDate(10, 0, 0), // Valid for 10 years + SubjectKeyId: []byte{113, 117, 105, 99, 107, 115, 101, 114, 118, 101}, + ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, + KeyUsage: x509.KeyUsageKeyEncipherment | + x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, + } + + priv, err := rsa.GenerateKey(rand.Reader, 2048) + if err != nil { + return nil, nil, err + } + + cert, err := x509.CreateCertificate(rand.Reader, template, template, + priv.Public(), priv) + if err != nil { + return nil, nil, err + } + + key := x509.MarshalPKCS1PrivateKey(priv) + certBlock := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert}) + keyBlock := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: key}) + + return certBlock, keyBlock, nil +} + +func InitJSONTLSCert(secretsManager secrets.SecretsManager) error { + // Generate certificate files + cert, key, err := genX509KeyPair() + if err != nil { + return err + } + + // Write the certificate file to the secrets manager storage + if err = secretsManager.SetSecret(secrets.JSONTLSCert, cert); err != nil { + return err + } + + // Write the certificate key to the secrets manager storage + if err = secretsManager.SetSecret(secrets.JSONTLSKey, key); err != nil { + return err + } + + return nil +} + // LoadValidatorAddress loads ECDSA key by SecretsManager and returns validator address func LoadValidatorAddress(secretsManager secrets.SecretsManager) (types.Address, error) { if !secretsManager.HasSecret(secrets.ValidatorKey) { diff --git a/secrets/local/local.go b/secrets/local/local.go index ac675d2c7c..c17cf3b505 100644 --- a/secrets/local/local.go +++ b/secrets/local/local.go @@ -63,7 +63,7 @@ func (l *LocalSecretsManager) Setup() error { l.secretPathMapLock.Lock() defer l.secretPathMapLock.Unlock() - subDirectories := []string{secrets.ConsensusFolderLocal, secrets.NetworkFolderLocal} + subDirectories := []string{secrets.ConsensusFolderLocal, secrets.NetworkFolderLocal, secrets.JSONTLSFolderLocal} // Set up the local directories if err := common.SetupDataDir(l.path, subDirectories, 0770); err != nil { @@ -91,14 +91,16 @@ func (l *LocalSecretsManager) Setup() error { secrets.NetworkKeyLocal, ) - // /etc/ssl/certs/jsonrpc.pem + // baseDir/jsontls/jsontls.pem l.secretPathMap[secrets.JSONTLSCert] = filepath.Join( + l.path, secrets.JSONTLSFolderLocal, secrets.JSONTLSCertLocal, ) - // /etc/ssl/private/jsonrpc.key + // baseDir/jsontls/jsontls.key l.secretPathMap[secrets.JSONTLSKey] = filepath.Join( + l.path, secrets.JSONTLSFolderLocal, secrets.JSONTLSKeyLocal, ) diff --git a/secrets/local/local_test.go b/secrets/local/local_test.go index 21d57def50..435a440c6c 100644 --- a/secrets/local/local_test.go +++ b/secrets/local/local_test.go @@ -77,7 +77,7 @@ func getLocalSecretsManager(t *testing.T) secrets.SecretsManager { t.Fatalf("Unable to instantiate local secrets manager directories, %v", tempErr) } - setupErr := common.SetupDataDir(workingDirectory, []string{secrets.ConsensusFolderLocal, secrets.NetworkFolderLocal}, 0770) + setupErr := common.SetupDataDir(workingDirectory, []string{secrets.ConsensusFolderLocal, secrets.NetworkFolderLocal, secrets.JSONTLSFolderLocal}, 0770) if setupErr != nil { t.Fatalf("Unable to instantiate local secrets manager directories, %v", setupErr) } diff --git a/secrets/secrets.go b/secrets/secrets.go index 5690359b2a..aad1998fcc 100644 --- a/secrets/secrets.go +++ b/secrets/secrets.go @@ -44,15 +44,15 @@ const ( ValidatorKeyLocal = "validator.key" ValidatorBLSKeyLocal = "validator-bls.key" NetworkKeyLocal = "libp2p.key" - JSONTLSKeyLocal = "/private/jsontls.key" - JSONTLSCertLocal = "/certs/jsontls.pem" + JSONTLSKeyLocal = "jsontls.key" + JSONTLSCertLocal = "jsontls.pem" ) // Define constant folder names for the local StorageManager const ( ConsensusFolderLocal = "consensus" NetworkFolderLocal = "libp2p" - JSONTLSFolderLocal = "/etc/ssl" + JSONTLSFolderLocal = "jsontls" ) var ( diff --git a/server/config.go b/server/config.go index e08292a749..5639726af9 100644 --- a/server/config.go +++ b/server/config.go @@ -44,6 +44,10 @@ type Config struct { UseTLS bool + TLSCertFile string + + TLSKeyFile string + Relayer bool MetricsInterval time.Duration diff --git a/server/server.go b/server/server.go index f6862a2f3b..a02e81d549 100644 --- a/server/server.go +++ b/server/server.go @@ -876,6 +876,8 @@ func (s *Server) setupJSONRPC() error { ConcurrentRequestsDebug: s.config.JSONRPC.ConcurrentRequestsDebug, WebSocketReadLimit: s.config.JSONRPC.WebSocketReadLimit, UseTLS: s.config.UseTLS, + TLSCertFile: s.config.TLSCertFile, + TLSKeyFile: s.config.TLSKeyFile, SecretsManager: s.secretsManager, }