Commit boost API - Generate Proxy Key, Signing Request

CHANGELOG.md

@@ -7,6 +7,7 @@
 ### Features Added
 - Java 21 for build and runtime. [#995](https://github.com/Consensys/web3signer/pull/995)
 - Electra fork support. [#1020](https://github.com/Consensys/web3signer/pull/1020) and [#1023](https://github.com/Consensys/web3signer/pull/1023)
+- Commit boost API - Get Public Keys. [#1031](https://github.com/Consensys/web3signer/pull/1031)
 
 ### Bugs fixed
 - Override protobuf-java to 3.25.5 which is a transitive dependency from google-cloud-secretmanager. It fixes CVE-2024-7254.

commandline/src/main/java/tech/pegasys/web3signer/commandline/config/PicoCommitBoostApiParameters.java

@@ -0,0 +1,88 @@
+/*
+ * Copyright 2022 ConsenSys AG.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package tech.pegasys.web3signer.commandline.config;
+
+import static tech.pegasys.web3signer.commandline.DefaultCommandValues.PATH_FORMAT_HELP;
+
+import tech.pegasys.web3signer.signing.config.KeystoresParameters;
+
+import java.nio.file.Path;
+
+import picocli.CommandLine;
+import picocli.CommandLine.Model.CommandSpec;
+import picocli.CommandLine.Option;
+import picocli.CommandLine.ParameterException;
+import picocli.CommandLine.Spec;
+
+public class PicoCommitBoostApiParameters implements KeystoresParameters {
+  @Spec private CommandSpec commandSpec; // injected by picocli
+
+  @CommandLine.Option(
+      names = {"--commit-boost-api-enabled"},
+      paramLabel = "<BOOL>",
+      description = "Enable the commit boost API (default: ${DEFAULT-VALUE}).",
+      arity = "1")
+  private boolean isCommitBoostApiEnabled = false;
+
+  @Option(
+      names = {"--proxy-keystores-path"},
+      description =
+          "The path to a writeable directory to store v3 and v4 proxy keystores for commit boost API.",
+      paramLabel = PATH_FORMAT_HELP)
+  private Path keystoresPath;
+
+  @Option(
+      names = {"--proxy-keystores-password-file"},
+      description =
+          "The path to the password file used to encrypt/decrypt proxy keystores for commit boost API.",
+      paramLabel = PATH_FORMAT_HELP)
+  private Path keystoresPasswordFile;
+
+  @Override
+  public Path getKeystoresPath() {
+    return keystoresPath;
+  }
+
+  @Override
+  public Path getKeystoresPasswordsPath() {
+    return null;
+  }
+
+  @Override
+  public Path getKeystoresPasswordFile() {
+    return keystoresPasswordFile;
+  }
+
+  @Override
+  public boolean isEnabled() {
+    return isCommitBoostApiEnabled;
+  }
+
+  public void validateParameters() throws ParameterException {
+    if (!isCommitBoostApiEnabled) {
+      return;
+    }
+
+    if (keystoresPath == null) {
+      throw new ParameterException(
+          commandSpec.commandLine(),
+          "Commit boost API is enabled, but --proxy-keystores-path not set");
+    }
+
+    if (keystoresPasswordFile == null) {
+      throw new ParameterException(
+          commandSpec.commandLine(),
+          "Commit boost API is enabled, but --proxy-keystores-password-file not set");
+    }
+  }
+}

commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth2SubCommand.java

@@ -24,18 +24,22 @@
 import tech.pegasys.teku.networks.Eth2NetworkConfiguration;
 import tech.pegasys.teku.spec.ForkSchedule;
 import tech.pegasys.teku.spec.SpecMilestone;
+import tech.pegasys.teku.spec.datastructures.state.beaconstate.BeaconState;
+import tech.pegasys.teku.spec.datastructures.util.ChainDataLoader;
 import tech.pegasys.teku.spec.networks.Eth2Network;
 import tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters;
 import tech.pegasys.web3signer.commandline.PicoCliEth2AzureKeyVaultParameters;
 import tech.pegasys.web3signer.commandline.PicoCliGcpSecretManagerParameters;
 import tech.pegasys.web3signer.commandline.PicoCliSlashingProtectionParameters;
+import tech.pegasys.web3signer.commandline.config.PicoCommitBoostApiParameters;
 import tech.pegasys.web3signer.commandline.config.PicoKeystoresParameters;
 import tech.pegasys.web3signer.common.config.AwsAuthenticationMode;
 import tech.pegasys.web3signer.core.Eth2Runner;
 import tech.pegasys.web3signer.core.Runner;
 import tech.pegasys.web3signer.signing.config.KeystoresParameters;
 import tech.pegasys.web3signer.slashingprotection.SlashingProtectionParameters;
 
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
@@ -44,8 +48,10 @@
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.Lists;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.apache.tuweni.bytes.Bytes32;
 import picocli.CommandLine;
 import picocli.CommandLine.Command;
 import picocli.CommandLine.HelpCommand;
@@ -90,6 +96,15 @@ private static class NetworkCliCompletionCandidates extends ArrayList<String> {
       arity = "1")
   private String network;
 
+  @CommandLine.Option(
+      names = {"--genesis-state"},
+      paramLabel = "<STRING>",
+      description =
+          "The genesis state. This value should be a file or URL pointing to an SSZ-encoded finalized checkpoint "
+              + "state.",
+      arity = "1")
+  private String genesisState;
+
   @CommandLine.Option(
       names = {"--Xnetwork-altair-fork-epoch"},
       hidden = true,
@@ -164,7 +179,9 @@ private static class NetworkCliCompletionCandidates extends ArrayList<String> {
   @Mixin private PicoKeystoresParameters keystoreParameters;
   @Mixin private PicoCliAwsSecretsManagerParameters awsSecretsManagerParameters;
   @Mixin private PicoCliGcpSecretManagerParameters gcpSecretManagerParameters;
+  @Mixin private PicoCommitBoostApiParameters commitBoostApiParameters;
   private tech.pegasys.teku.spec.Spec eth2Spec;
+  private Bytes32 genesisValidatorRoot;
 
   public Eth2SubCommand() {
     network = "mainnet";
@@ -182,8 +199,10 @@ public Runner createRunner() {
         awsSecretsManagerParameters,
         gcpSecretManagerParameters,
         eth2Spec,
+        genesisValidatorRoot,
         isKeyManagerApiEnabled,
-        signingExtEnabled);
+        signingExtEnabled,
+        commitBoostApiParameters);
   }
 
   private void logNetworkSpecInformation() {
@@ -230,20 +249,15 @@ private Eth2NetworkConfiguration createEth2NetworkConfig() {
     if (trustedSetup != null) {
       builder.trustedSetup(trustedSetup);
     }
+    if (StringUtils.isNotBlank(genesisState)) {
+      builder.customGenesisState(genesisState);
+    }
     return builder.build();
   }
 
   @Override
   protected void validateArgs() {
-    try {
-      Eth2NetworkConfiguration eth2NetworkConfig = createEth2NetworkConfig();
-      eth2Spec = eth2NetworkConfig.getSpec();
-    } catch (final IllegalArgumentException e) {
-      throw new ParameterException(
-          commandSpec.commandLine(),
-          "Failed to load network " + network + " due to " + e.getMessage(),
-          e);
-    }
+    validateAndInitGenesisValidatorRoot(validateAndInitSpec());
 
     if (slashingProtectionParameters.isEnabled()
         && slashingProtectionParameters.getDbUrl() == null) {
@@ -261,6 +275,49 @@ protected void validateArgs() {
     validateKeystoreParameters(keystoreParameters);
     validateAwsSecretsManageParameters();
     validateGcpSecretManagerParameters();
+    commitBoostApiParameters.validateParameters();
+  }
+
+  private void validateAndInitGenesisValidatorRoot(
+      final Eth2NetworkConfiguration eth2NetworkConfig) {
+    final String genesisState =
+        eth2NetworkConfig
+            .getNetworkBoostrapConfig()
+            .getGenesisState()
+            .orElseThrow(
+                () ->
+                    new ParameterException(
+                        commandSpec.commandLine(),
+                        "Unable to load genesis state for network "
+                            + network
+                            + ". Please provide a valid genesis state resource."));
+    try {
+      final BeaconState beaconState = ChainDataLoader.loadState(eth2Spec, genesisState);
+      this.genesisValidatorRoot = beaconState.getGenesisValidatorsRoot();
+    } catch (final IOException | NullPointerException e) {
+      throw new ParameterException(
+          commandSpec.commandLine(),
+          "Unable to load genesis state for network "
+              + network
+              + " from "
+              + genesisState
+              + ": "
+              + e.getMessage());
+    }
+  }
+
+  private Eth2NetworkConfiguration validateAndInitSpec() {
+    final Eth2NetworkConfiguration eth2NetworkConfig;
+    try {
+      eth2NetworkConfig = createEth2NetworkConfig();
+      eth2Spec = eth2NetworkConfig.getSpec();
+    } catch (final IllegalArgumentException e) {
+      throw new ParameterException(
+          commandSpec.commandLine(),
+          "Failed to load network " + network + " due to " + e.getMessage(),
+          e);
+    }
+    return eth2NetworkConfig;
   }
 
   private void validateGcpSecretManagerParameters() {

commandline/src/test/java/tech/pegasys/web3signer/commandline/CommandlineParserTest.java

@@ -37,6 +37,7 @@
 import java.net.InetAddress;
 import java.util.Collections;
 import java.util.List;
+import java.util.Optional;
 import java.util.function.Supplier;
 
 import io.vertx.core.Vertx;
@@ -612,6 +613,47 @@ void vertxWorkerPoolSizeParsesSuccessfully() {
     assertThat(mockEth2SubCommand.getConfig().getVertxWorkerPoolSize()).isEqualTo(40);
   }
 
+  @Test
+  void commitBoostApiEnabledWithoutKeystorePathFailsToParse() {
+    String cmdline = validBaseCommandOptions();
+    cmdline += "eth2 --slashing-protection-enabled=false --commit-boost-api-enabled=true";
+
+    parser.registerSubCommands(new MockEth2SubCommand());
+    final int result = parser.parseCommandLine(cmdline.split(" "));
+
+    assertThat(result).isNotZero();
+    assertThat(commandError.toString())
+        .contains(
+            "Error parsing parameters: Commit boost API is enabled, but --proxy-keystores-path not set");
+  }
+
+  @Test
+  void commitBoostApiEnabledWithoutKeystorePasswordFileFailsToParse() {
+    String cmdline = validBaseCommandOptions();
+    cmdline +=
+        "eth2 --slashing-protection-enabled=false --commit-boost-api-enabled=true --proxy-keystores-path=./keystore";
+
+    parser.registerSubCommands(new MockEth2SubCommand());
+    final int result = parser.parseCommandLine(cmdline.split(" "));
+
+    assertThat(result).isNotZero();
+    assertThat(commandError.toString())
+        .contains(
+            "Error parsing parameters: Commit boost API is enabled, but --proxy-keystores-password-file not set");
+  }
+
+  @Test
+  void commitBoostApiEnabledWithKeystorePathAndKeystorePasswordFileParsesSuccessfully() {
+    String cmdline = validBaseCommandOptions();
+    cmdline +=
+        "eth2 --slashing-protection-enabled=false --commit-boost-api-enabled=true --proxy-keystores-path=./keystore --proxy-keystores-password-file=./password";
+
+    parser.registerSubCommands(new MockEth2SubCommand());
+    final int result = parser.parseCommandLine(cmdline.split(" "));
+
+    assertThat(result).isZero();
+  }
+
   private <T> void missingOptionalParameterIsValidAndMeetsDefault(
       final String paramToRemove, final Supplier<T> actualValueGetter, final T expectedValue) {
 
@@ -646,7 +688,7 @@ public void run() {}
     @Override
     protected List<ArtifactSignerProvider> createArtifactSignerProvider(
         final Vertx vertx, final MetricsSystem metricsSystem) {
-      return List.of(new DefaultArtifactSignerProvider(Collections::emptyList));
+      return List.of(new DefaultArtifactSignerProvider(Collections::emptyList, Optional.empty()));
     }
 
     @Override

core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java

@@ -50,6 +50,7 @@
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
+import java.util.Optional;
 
 import io.vertx.core.Vertx;
 import io.vertx.core.json.JsonObject;
@@ -114,7 +115,8 @@ protected List<ArtifactSignerProvider> createArtifactSignerProvider(
                           awsKmsSignerFactory)
                       .getValues());
               return signers;
-            });
+            },
+            Optional.empty());
 
     // uses eth1 address as identifier
     final ArtifactSignerProvider secpArtifactSignerProvider =

core/src/main/java/tech/pegasys/web3signer/core/Eth2Runner.java

@@ -25,6 +25,8 @@
 import tech.pegasys.web3signer.core.config.BaseConfig;
 import tech.pegasys.web3signer.core.routes.PublicKeysListRoute;
 import tech.pegasys.web3signer.core.routes.ReloadRoute;
+import tech.pegasys.web3signer.core.routes.eth2.CommitBoostGenerateProxyKeyRoute;
+import tech.pegasys.web3signer.core.routes.eth2.CommitBoostPublicKeysRoute;
 import tech.pegasys.web3signer.core.routes.eth2.Eth2SignExtensionRoute;
 import tech.pegasys.web3signer.core.routes.eth2.Eth2SignRoute;
 import tech.pegasys.web3signer.core.routes.eth2.HighWatermarkRoute;
@@ -86,8 +88,10 @@ public class Eth2Runner extends Runner {
   private final boolean pruningEnabled;
   private final KeystoresParameters keystoresParameters;
   private final Spec eth2Spec;
+  private final Bytes32 genesisValidatorsRoot;
   private final boolean isKeyManagerApiEnabled;
   private final boolean signingExtEnabled;
+  private final KeystoresParameters commitBoostApiParameters;
 
   public Eth2Runner(
       final BaseConfig baseConfig,
@@ -97,19 +101,23 @@ public Eth2Runner(
       final AwsVaultParameters awsVaultParameters,
       final GcpSecretManagerParameters gcpSecretManagerParameters,
       final Spec eth2Spec,
+      final Bytes32 genesisValidatorsRoot,
       final boolean isKeyManagerApiEnabled,
-      final boolean signingExtEnabled) {
+      final boolean signingExtEnabled,
+      final KeystoresParameters commitBoostApiParameters) {
     super(baseConfig);
     this.slashingProtectionContext = createSlashingProtection(slashingProtectionParameters);
     this.azureKeyVaultParameters = azureKeyVaultParameters;
     this.slashingProtectionParameters = slashingProtectionParameters;
     this.pruningEnabled = slashingProtectionParameters.isPruningEnabled();
     this.keystoresParameters = keystoresParameters;
     this.eth2Spec = eth2Spec;
+    this.genesisValidatorsRoot = genesisValidatorsRoot;
     this.isKeyManagerApiEnabled = isKeyManagerApiEnabled;
     this.awsVaultParameters = awsVaultParameters;
     this.gcpSecretManagerParameters = gcpSecretManagerParameters;
     this.signingExtEnabled = signingExtEnabled;
+    this.commitBoostApiParameters = commitBoostApiParameters;
   }
 
   private Optional<SlashingProtectionContext> createSlashingProtection(
@@ -137,6 +145,12 @@ public void populateRouter(final Context context) {
     if (isKeyManagerApiEnabled) {
       new KeyManagerApiRoute(context, baseConfig, slashingProtectionContext).register();
     }
+    if (commitBoostApiParameters.isEnabled()) {
+      new CommitBoostPublicKeysRoute(context).register();
+      new CommitBoostGenerateProxyKeyRoute(
+              context, commitBoostApiParameters, eth2Spec, genesisValidatorsRoot)
+          .register();
+    }
   }
 
   @Override
@@ -166,7 +180,8 @@ protected List<ArtifactSignerProvider> createArtifactSignerProvider(
 
                 return signers;
               }
-            }));
+            },
+            Optional.of(commitBoostApiParameters)));
   }
 
   private MappedResults<ArtifactSigner> loadSignersFromKeyConfigFiles(