Merge branch 'hyperledger:main' into fix-#7810

CHANGELOG.md

@@ -10,6 +10,7 @@
 
 ### Additions and Improvements
 - Fine tune already seen txs tracker when a tx is removed from the pool [#7755](https://github.com/hyperledger/besu/pull/7755)
+- Support for enabling and configuring TLS/mTLS in WebSocket service. [#7854](https://github.com/hyperledger/besu/pull/7854)
 - Create and publish Besu BOM (Bill of Materials) [#7615](https://github.com/hyperledger/besu/pull/7615) 
 - Update Java dependencies [#7786](https://github.com/hyperledger/besu/pull/7786)
 - Add a method to get all the transaction in the pool, to the `TransactionPoolService`, to easily access the transaction pool content from plugins [#7813](https://github.com/hyperledger/besu/pull/7813)

acceptance-tests/test-plugins/src/main/java/org/hyperledger/besu/tests/acceptance/plugins/TestMetricsPlugin.java

@@ -51,7 +51,7 @@ public void start() {
         .createGauge(
             TestMetricCategory.TEST_METRIC_CATEGORY,
             "test_metric",
-            "Returns 1 on succes",
+            "Returns 1 on success",
             () -> 1.0);
   }
 

besu/src/main/java/org/hyperledger/besu/cli/options/RpcWebsocketOptions.java

@@ -120,6 +120,71 @@ public class RpcWebsocketOptions {
       arity = "1")
   private final File rpcWsAuthenticationPublicKeyFile = null;
 
+  @CommandLine.Option(
+      names = {"--rpc-ws-ssl-enabled"},
+      description = "Enable SSL/TLS for the WebSocket RPC service")
+  private final Boolean isRpcWsSslEnabled = false;
+
+  @CommandLine.Option(
+      names = {"--rpc-ws-ssl-keystore-file"},
+      paramLabel = DefaultCommandValues.MANDATORY_FILE_FORMAT_HELP,
+      description = "Path to the keystore file for the WebSocket RPC service")
+  private String rpcWsKeyStoreFile = null;
+
+  @CommandLine.Option(
+      names = {"--rpc-ws-ssl-keystore-password"},
+      paramLabel = "<PASSWORD>",
+      description = "Password for the WebSocket RPC keystore file")
+  private String rpcWsKeyStorePassword = null;
+
+  @CommandLine.Option(
+      names = {"--rpc-ws-ssl-key-file"},
+      paramLabel = DefaultCommandValues.MANDATORY_FILE_FORMAT_HELP,
+      description = "Path to the PEM key file for the WebSocket RPC service")
+  private String rpcWsKeyFile = null;
+
+  @CommandLine.Option(
+      names = {"--rpc-ws-ssl-cert-file"},
+      paramLabel = DefaultCommandValues.MANDATORY_FILE_FORMAT_HELP,
+      description = "Path to the PEM cert file for the WebSocket RPC service")
+  private String rpcWsCertFile = null;
+
+  @CommandLine.Option(
+      names = {"--rpc-ws-ssl-keystore-type"},
+      paramLabel = "<TYPE>",
+      description = "Type of the WebSocket RPC keystore (JKS, PKCS12, PEM)")
+  private String rpcWsKeyStoreType = null;
+
+  // For client authentication (mTLS)
+  @CommandLine.Option(
+      names = {"--rpc-ws-ssl-client-auth-enabled"},
+      description = "Enable client authentication for the WebSocket RPC service")
+  private final Boolean isRpcWsClientAuthEnabled = false;
+
+  @CommandLine.Option(
+      names = {"--rpc-ws-ssl-truststore-file"},
+      paramLabel = DefaultCommandValues.MANDATORY_FILE_FORMAT_HELP,
+      description = "Path to the truststore file for the WebSocket RPC service")
+  private String rpcWsTrustStoreFile = null;
+
+  @CommandLine.Option(
+      names = {"--rpc-ws-ssl-truststore-password"},
+      paramLabel = "<PASSWORD>",
+      description = "Password for the WebSocket RPC truststore file")
+  private String rpcWsTrustStorePassword = null;
+
+  @CommandLine.Option(
+      names = {"--rpc-ws-ssl-trustcert-file"},
+      paramLabel = DefaultCommandValues.MANDATORY_FILE_FORMAT_HELP,
+      description = "Path to the PEM trustcert file for the WebSocket RPC service")
+  private String rpcWsTrustCertFile = null;
+
+  @CommandLine.Option(
+      names = {"--rpc-ws-ssl-truststore-type"},
+      paramLabel = "<TYPE>",
+      description = "Type of the truststore (JKS, PKCS12, PEM)")
+  private String rpcWsTrustStoreType = null;
+
   /** Default Constructor. */
   public RpcWebsocketOptions() {}
 
@@ -184,7 +249,61 @@ private void checkOptionDependencies(final Logger logger, final CommandLine comm
             "--rpc-ws-authentication-enabled",
             "--rpc-ws-authentication-credentials-file",
             "--rpc-ws-authentication-public-key-file",
-            "--rpc-ws-authentication-jwt-algorithm"));
+            "--rpc-ws-authentication-jwt-algorithm",
+            "--rpc-ws-ssl-enabled"));
+
+    CommandLineUtils.checkOptionDependencies(
+        logger,
+        commandLine,
+        "--rpc-ws-ssl-enabled",
+        !isRpcWsSslEnabled,
+        List.of(
+            "--rpc-ws-ssl-keystore-file",
+            "--rpc-ws-ssl-keystore-type",
+            "--rpc-ws-ssl-client-auth-enabled"));
+
+    CommandLineUtils.checkOptionDependencies(
+        logger,
+        commandLine,
+        "--rpc-ws-ssl-client-auth-enabled",
+        !isRpcWsClientAuthEnabled,
+        List.of(
+            "--rpc-ws-ssl-truststore-file",
+            "--rpc-ws-ssl-truststore-type",
+            "--rpc-ws-ssl-trustcert-file"));
+
+    if (isRpcWsSslEnabled) {
+      if ("PEM".equalsIgnoreCase(rpcWsKeyStoreType)) {
+        CommandLineUtils.checkOptionDependencies(
+            logger,
+            commandLine,
+            "--rpc-ws-ssl-key-file",
+            rpcWsKeyFile == null,
+            List.of("--rpc-ws-ssl-cert-file"));
+        CommandLineUtils.checkOptionDependencies(
+            logger,
+            commandLine,
+            "--rpc-ws-ssl-cert-file",
+            rpcWsCertFile == null,
+            List.of("--rpc-ws-ssl-key-file"));
+      } else {
+        CommandLineUtils.checkOptionDependencies(
+            logger,
+            commandLine,
+            "--rpc-ws-ssl-keystore-file",
+            rpcWsKeyStoreFile == null,
+            List.of("--rpc-ws-ssl-keystore-password"));
+      }
+    }
+
+    if (isRpcWsClientAuthEnabled && !"PEM".equalsIgnoreCase(rpcWsTrustStoreType)) {
+      CommandLineUtils.checkOptionDependencies(
+          logger,
+          commandLine,
+          "--rpc-ws-ssl-truststore-file",
+          rpcWsTrustStoreFile == null,
+          List.of("--rpc-ws-ssl-truststore-password"));
+    }
 
     if (isRpcWsAuthenticationEnabled) {
       CommandLineUtils.checkOptionDependencies(
@@ -222,6 +341,18 @@ public WebSocketConfiguration webSocketConfiguration(
     webSocketConfiguration.setAuthenticationPublicKeyFile(rpcWsAuthenticationPublicKeyFile);
     webSocketConfiguration.setAuthenticationAlgorithm(rpcWebsocketsAuthenticationAlgorithm);
     webSocketConfiguration.setTimeoutSec(wsTimoutSec);
+    webSocketConfiguration.setSslEnabled(isRpcWsSslEnabled);
+    webSocketConfiguration.setKeyStorePath(rpcWsKeyStoreFile);
+    webSocketConfiguration.setKeyStorePassword(rpcWsKeyStorePassword);
+    webSocketConfiguration.setKeyStoreType(rpcWsKeyStoreType);
+    webSocketConfiguration.setClientAuthEnabled(isRpcWsClientAuthEnabled);
+    webSocketConfiguration.setTrustStorePath(rpcWsTrustStoreFile);
+    webSocketConfiguration.setTrustStorePassword(rpcWsTrustStorePassword);
+    webSocketConfiguration.setTrustStoreType(rpcWsTrustStoreType);
+    webSocketConfiguration.setKeyPath(rpcWsKeyFile);
+    webSocketConfiguration.setCertPath(rpcWsCertFile);
+    webSocketConfiguration.setTrustCertPath(rpcWsTrustCertFile);
+
     return webSocketConfiguration;
   }
 

besu/src/main/java/org/hyperledger/besu/controller/BesuControllerBuilder.java

@@ -45,6 +45,7 @@
 import org.hyperledger.besu.ethereum.core.Difficulty;
 import org.hyperledger.besu.ethereum.core.MiningConfiguration;
 import org.hyperledger.besu.ethereum.core.PrivacyParameters;
+import org.hyperledger.besu.ethereum.core.Synchronizer;
 import org.hyperledger.besu.ethereum.eth.EthProtocol;
 import org.hyperledger.besu.ethereum.eth.EthProtocolConfiguration;
 import org.hyperledger.besu.ethereum.eth.SnapProtocol;
@@ -93,6 +94,7 @@
 import org.hyperledger.besu.ethereum.worldstate.DataStorageConfiguration;
 import org.hyperledger.besu.ethereum.worldstate.DiffBasedSubStorageConfiguration;
 import org.hyperledger.besu.ethereum.worldstate.WorldStateArchive;
+import org.hyperledger.besu.ethereum.worldstate.WorldStateArchive.WorldStateHealer;
 import org.hyperledger.besu.ethereum.worldstate.WorldStateKeyValueStorage;
 import org.hyperledger.besu.ethereum.worldstate.WorldStatePreimageStorage;
 import org.hyperledger.besu.ethereum.worldstate.WorldStateStorageCoordinator;
@@ -113,6 +115,7 @@
 import java.util.Map;
 import java.util.Optional;
 import java.util.OptionalLong;
+import java.util.concurrent.atomic.AtomicReference;
 import java.util.function.Supplier;
 
 import org.slf4j.Logger;
@@ -589,9 +592,14 @@ public BesuController build() {
             .map(BesuComponent::getCachedMerkleTrieLoader)
             .orElseGet(() -> new BonsaiCachedMerkleTrieLoader(metricsSystem));
 
+    final var worldStateHealerSupplier = new AtomicReference<WorldStateHealer>();
+
     final WorldStateArchive worldStateArchive =
         createWorldStateArchive(
-            worldStateStorageCoordinator, blockchain, bonsaiCachedMerkleTrieLoader);
+            worldStateStorageCoordinator,
+            blockchain,
+            bonsaiCachedMerkleTrieLoader,
+            worldStateHealerSupplier::get);
 
     if (maybeStoredGenesisBlockHash.isEmpty()) {
       genesisState.writeStateTo(worldStateArchive.getMutable());
@@ -713,6 +721,8 @@ public BesuController build() {
             ethProtocolManager,
             pivotBlockSelector);
 
+    worldStateHealerSupplier.set(synchronizer::healWorldState);
+
     ethPeers.setTrailingPeerRequirementsSupplier(synchronizer::calculateTrailingPeerRequirements);
 
     if (syncConfig.getSyncMode() == SyncMode.SNAP
@@ -723,11 +733,9 @@ public BesuController build() {
       ethPeers.snapServerPeersNeeded(false);
     }
 
-    protocolContext.setSynchronizer(synchronizer);
-
     final Optional<SnapProtocolManager> maybeSnapProtocolManager =
         createSnapProtocolManager(
-            protocolContext, worldStateStorageCoordinator, ethPeers, snapMessages);
+            protocolContext, worldStateStorageCoordinator, ethPeers, snapMessages, synchronizer);
 
     final MiningCoordinator miningCoordinator =
         createMiningCoordinator(
@@ -1079,20 +1087,23 @@ private Optional<SnapProtocolManager> createSnapProtocolManager(
       final ProtocolContext protocolContext,
       final WorldStateStorageCoordinator worldStateStorageCoordinator,
       final EthPeers ethPeers,
-      final EthMessages snapMessages) {
+      final EthMessages snapMessages,
+      final Synchronizer synchronizer) {
     return Optional.of(
         new SnapProtocolManager(
             worldStateStorageCoordinator,
             syncConfig.getSnapSyncConfiguration(),
             ethPeers,
             snapMessages,
-            protocolContext));
+            protocolContext,
+            synchronizer));
   }
 
   WorldStateArchive createWorldStateArchive(
       final WorldStateStorageCoordinator worldStateStorageCoordinator,
       final Blockchain blockchain,
-      final BonsaiCachedMerkleTrieLoader bonsaiCachedMerkleTrieLoader) {
+      final BonsaiCachedMerkleTrieLoader bonsaiCachedMerkleTrieLoader,
+      final Supplier<WorldStateHealer> worldStateHealerSupplier) {
     return switch (dataStorageConfiguration.getDataStorageFormat()) {
       case BONSAI -> {
         final BonsaiWorldStateKeyValueStorage worldStateKeyValueStorage =
@@ -1107,7 +1118,8 @@ yield new BonsaiWorldStateProvider(
                     .getMaxLayersToLoad()),
             bonsaiCachedMerkleTrieLoader,
             besuComponent.map(BesuComponent::getBesuPluginContext).orElse(null),
-            evmConfiguration);
+            evmConfiguration,
+            worldStateHealerSupplier);
       }
       case FOREST -> {
         final WorldStatePreimageStorage preimageStorage =

besu/src/test/resources/everything_config.toml

@@ -120,6 +120,19 @@ rpc-ws-max-frame-size=65535
 rpc-ws-authentication-enabled=false
 rpc-ws-authentication-credentials-file="none"
 rpc-ws-authentication-jwt-public-key-file="none"
+rpc-ws-ssl-enabled=false
+rpc-ws-ssl-keystore-file="none.pfx"
+rpc-ws-ssl-keystore-password="none.passwd"
+rpc-ws-ssl-keystore-type="none"
+rpc-ws-ssl-client-auth-enabled=false
+rpc-ws-ssl-truststore-file="none.pfx"
+rpc-ws-ssl-truststore-password="none.passwd"
+rpc-ws-ssl-truststore-type="none"
+rpc-ws-ssl-key-file="none.pfx"
+rpc-ws-ssl-cert-file="none.pfx"
+rpc-ws-ssl-trustcert-file="none.pfx"
+
+
 
 # API
 api-gas-price-blocks=100

consensus/merge/src/test/java/org/hyperledger/besu/consensus/merge/blockcreation/MergeCoordinatorTest.java

@@ -59,7 +59,6 @@
 import org.hyperledger.besu.ethereum.core.ImmutableMiningConfiguration.MutableInitValues;
 import org.hyperledger.besu.ethereum.core.ImmutableMiningConfiguration.Unstable;
 import org.hyperledger.besu.ethereum.core.MiningConfiguration;
-import org.hyperledger.besu.ethereum.core.Synchronizer;
 import org.hyperledger.besu.ethereum.core.TransactionTestFixture;
 import org.hyperledger.besu.ethereum.eth.manager.EthContext;
 import org.hyperledger.besu.ethereum.eth.manager.EthScheduler;
@@ -190,7 +189,6 @@ public void setUp() {
 
     protocolContext =
         new ProtocolContext(blockchain, worldStateArchive, mergeContext, badBlockManager);
-    protocolContext.setSynchronizer(mock(Synchronizer.class));
     var mutable = worldStateArchive.getMutable();
     genesisState.writeStateTo(mutable);
     mutable.persist(null);

docs/trace_rpc_apis.md

@@ -16,7 +16,7 @@ implementations of Besu might track gas refunds separately.
 
 ### Returned Memory from Calls
 
-In the `vmTrace` `ope.ex.mem` fields Besu only reports actual data returned
+In the `vmTrace` `op.ex.mem` fields Besu only reports actual data returned
 from a `RETURN` opcode.  Other implementations return the contents of the 
 reserved output space for the call operations.  Note two major differences: