Commit boost API - Generate Proxy Key

CHANGELOG.md

@@ -7,6 +7,7 @@
 ### Features Added
 - Java 21 for build and runtime. [#995](https://github.com/Consensys/web3signer/pull/995)
 - Electra fork support. [#1020](https://github.com/Consensys/web3signer/pull/1020) and [#1023](https://github.com/Consensys/web3signer/pull/1023)
+- Commit boost API - Get Public Keys. [#1031](https://github.com/Consensys/web3signer/pull/1031)
 
 ### Bugs fixed
 - Override protobuf-java to 3.25.5 which is a transitive dependency from google-cloud-secretmanager. It fixes CVE-2024-7254.

commandline/src/main/java/tech/pegasys/web3signer/commandline/config/PicoCommitBoostApiParameters.java

@@ -0,0 +1,88 @@
+/*
+ * Copyright 2022 ConsenSys AG.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package tech.pegasys.web3signer.commandline.config;
+
+import static tech.pegasys.web3signer.commandline.DefaultCommandValues.PATH_FORMAT_HELP;
+
+import tech.pegasys.web3signer.signing.config.KeystoresParameters;
+
+import java.nio.file.Path;
+
+import picocli.CommandLine;
+import picocli.CommandLine.Model.CommandSpec;
+import picocli.CommandLine.Option;
+import picocli.CommandLine.ParameterException;
+import picocli.CommandLine.Spec;
+
+public class PicoCommitBoostApiParameters implements KeystoresParameters {
+  @Spec private CommandSpec commandSpec; // injected by picocli
+
+  @CommandLine.Option(
+      names = {"--commit-boost-api-enabled"},
+      paramLabel = "<BOOL>",
+      description = "Enable the commit boost API (default: ${DEFAULT-VALUE}).",
+      arity = "1")
+  private boolean isCommitBoostApiEnabled = false;
+
+  @Option(
+      names = {"--proxy-keystores-path"},
+      description =
+          "The path to a writeable directory to store v3 and v4 proxy keystores for commit boost API.",
+      paramLabel = PATH_FORMAT_HELP)
+  private Path keystoresPath;
+
+  @Option(
+      names = {"--proxy-keystores-password-file"},
+      description =
+          "The path to the password file used to encrypt/decrypt proxy keystores for commit boost API.",
+      paramLabel = PATH_FORMAT_HELP)
+  private Path keystoresPasswordFile;
+
+  @Override
+  public Path getKeystoresPath() {
+    return keystoresPath;
+  }
+
+  @Override
+  public Path getKeystoresPasswordsPath() {
+    return null;
+  }
+
+  @Override
+  public Path getKeystoresPasswordFile() {
+    return keystoresPasswordFile;
+  }
+
+  @Override
+  public boolean isEnabled() {
+    return isCommitBoostApiEnabled;
+  }
+
+  public void validateParameters() throws ParameterException {
+    if (!isCommitBoostApiEnabled) {
+      return;
+    }
+
+    if (keystoresPath == null) {
+      throw new ParameterException(
+          commandSpec.commandLine(),
+          "Commit boost API is enabled, but --proxy-keystores-path not set");
+    }
+
+    if (keystoresPasswordFile == null) {
+      throw new ParameterException(
+          commandSpec.commandLine(),
+          "Commit boost API is enabled, but --proxy-keystores-password-file not set");
+    }
+  }
+}

commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth2SubCommand.java

@@ -29,6 +29,7 @@
 import tech.pegasys.web3signer.commandline.PicoCliEth2AzureKeyVaultParameters;
 import tech.pegasys.web3signer.commandline.PicoCliGcpSecretManagerParameters;
 import tech.pegasys.web3signer.commandline.PicoCliSlashingProtectionParameters;
+import tech.pegasys.web3signer.commandline.config.PicoCommitBoostApiParameters;
 import tech.pegasys.web3signer.commandline.config.PicoKeystoresParameters;
 import tech.pegasys.web3signer.common.config.AwsAuthenticationMode;
 import tech.pegasys.web3signer.core.Eth2Runner;
@@ -164,6 +165,7 @@ private static class NetworkCliCompletionCandidates extends ArrayList<String> {
   @Mixin private PicoKeystoresParameters keystoreParameters;
   @Mixin private PicoCliAwsSecretsManagerParameters awsSecretsManagerParameters;
   @Mixin private PicoCliGcpSecretManagerParameters gcpSecretManagerParameters;
+  @Mixin private PicoCommitBoostApiParameters commitBoostApiParameters;
   private tech.pegasys.teku.spec.Spec eth2Spec;
 
   public Eth2SubCommand() {
@@ -183,7 +185,8 @@ public Runner createRunner() {
         gcpSecretManagerParameters,
         eth2Spec,
         isKeyManagerApiEnabled,
-        signingExtEnabled);
+        signingExtEnabled,
+        commitBoostApiParameters);
   }
 
   private void logNetworkSpecInformation() {
@@ -261,6 +264,7 @@ protected void validateArgs() {
     validateKeystoreParameters(keystoreParameters);
     validateAwsSecretsManageParameters();
     validateGcpSecretManagerParameters();
+    commitBoostApiParameters.validateParameters();
   }
 
   private void validateGcpSecretManagerParameters() {

commandline/src/test/java/tech/pegasys/web3signer/commandline/CommandlineParserTest.java

@@ -37,6 +37,7 @@
 import java.net.InetAddress;
 import java.util.Collections;
 import java.util.List;
+import java.util.Optional;
 import java.util.function.Supplier;
 
 import io.vertx.core.Vertx;
@@ -612,6 +613,47 @@ void vertxWorkerPoolSizeParsesSuccessfully() {
     assertThat(mockEth2SubCommand.getConfig().getVertxWorkerPoolSize()).isEqualTo(40);
   }
 
+  @Test
+  void commitBoostApiEnabledWithoutKeystorePathFailsToParse() {
+    String cmdline = validBaseCommandOptions();
+    cmdline += "eth2 --slashing-protection-enabled=false --commit-boost-api-enabled=true";
+
+    parser.registerSubCommands(new MockEth2SubCommand());
+    final int result = parser.parseCommandLine(cmdline.split(" "));
+
+    assertThat(result).isNotZero();
+    assertThat(commandError.toString())
+        .contains(
+            "Error parsing parameters: Commit boost API is enabled, but --proxy-keystores-path not set");
+  }
+
+  @Test
+  void commitBoostApiEnabledWithoutKeystorePasswordFileFailsToParse() {
+    String cmdline = validBaseCommandOptions();
+    cmdline +=
+        "eth2 --slashing-protection-enabled=false --commit-boost-api-enabled=true --proxy-keystores-path=./keystore";
+
+    parser.registerSubCommands(new MockEth2SubCommand());
+    final int result = parser.parseCommandLine(cmdline.split(" "));
+
+    assertThat(result).isNotZero();
+    assertThat(commandError.toString())
+        .contains(
+            "Error parsing parameters: Commit boost API is enabled, but --proxy-keystores-password-file not set");
+  }
+
+  @Test
+  void commitBoostApiEnabledWithKeystorePathAndKeystorePasswordFileParsesSuccessfully() {
+    String cmdline = validBaseCommandOptions();
+    cmdline +=
+        "eth2 --slashing-protection-enabled=false --commit-boost-api-enabled=true --proxy-keystores-path=./keystore --proxy-keystores-password-file=./password";
+
+    parser.registerSubCommands(new MockEth2SubCommand());
+    final int result = parser.parseCommandLine(cmdline.split(" "));
+
+    assertThat(result).isZero();
+  }
+
   private <T> void missingOptionalParameterIsValidAndMeetsDefault(
       final String paramToRemove, final Supplier<T> actualValueGetter, final T expectedValue) {
 
@@ -646,7 +688,7 @@ public void run() {}
     @Override
     protected List<ArtifactSignerProvider> createArtifactSignerProvider(
         final Vertx vertx, final MetricsSystem metricsSystem) {
-      return List.of(new DefaultArtifactSignerProvider(Collections::emptyList));
+      return List.of(new DefaultArtifactSignerProvider(Collections::emptyList, Optional.empty()));
     }
 
     @Override

core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java

@@ -50,6 +50,7 @@
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
+import java.util.Optional;
 
 import io.vertx.core.Vertx;
 import io.vertx.core.json.JsonObject;
@@ -114,7 +115,8 @@ protected List<ArtifactSignerProvider> createArtifactSignerProvider(
                           awsKmsSignerFactory)
                       .getValues());
               return signers;
-            });
+            },
+            Optional.empty());
 
     // uses eth1 address as identifier
     final ArtifactSignerProvider secpArtifactSignerProvider =

core/src/main/java/tech/pegasys/web3signer/core/Eth2Runner.java

@@ -25,6 +25,8 @@
 import tech.pegasys.web3signer.core.config.BaseConfig;
 import tech.pegasys.web3signer.core.routes.PublicKeysListRoute;
 import tech.pegasys.web3signer.core.routes.ReloadRoute;
+import tech.pegasys.web3signer.core.routes.eth2.CommitBoostGenerateProxyKeyRoute;
+import tech.pegasys.web3signer.core.routes.eth2.CommitBoostPublicKeysRoute;
 import tech.pegasys.web3signer.core.routes.eth2.Eth2SignExtensionRoute;
 import tech.pegasys.web3signer.core.routes.eth2.Eth2SignRoute;
 import tech.pegasys.web3signer.core.routes.eth2.HighWatermarkRoute;
@@ -88,6 +90,7 @@ public class Eth2Runner extends Runner {
   private final Spec eth2Spec;
   private final boolean isKeyManagerApiEnabled;
   private final boolean signingExtEnabled;
+  private final KeystoresParameters commitBoostApiParameters;
 
   public Eth2Runner(
       final BaseConfig baseConfig,
@@ -98,7 +101,8 @@ public Eth2Runner(
       final GcpSecretManagerParameters gcpSecretManagerParameters,
       final Spec eth2Spec,
       final boolean isKeyManagerApiEnabled,
-      final boolean signingExtEnabled) {
+      final boolean signingExtEnabled,
+      final KeystoresParameters commitBoostApiParameters) {
     super(baseConfig);
     this.slashingProtectionContext = createSlashingProtection(slashingProtectionParameters);
     this.azureKeyVaultParameters = azureKeyVaultParameters;
@@ -110,6 +114,7 @@ public Eth2Runner(
     this.awsVaultParameters = awsVaultParameters;
     this.gcpSecretManagerParameters = gcpSecretManagerParameters;
     this.signingExtEnabled = signingExtEnabled;
+    this.commitBoostApiParameters = commitBoostApiParameters;
   }
 
   private Optional<SlashingProtectionContext> createSlashingProtection(
@@ -137,6 +142,10 @@ public void populateRouter(final Context context) {
     if (isKeyManagerApiEnabled) {
       new KeyManagerApiRoute(context, baseConfig, slashingProtectionContext).register();
     }
+    if (commitBoostApiParameters.isEnabled()) {
+      new CommitBoostPublicKeysRoute(context).register();
+      new CommitBoostGenerateProxyKeyRoute(context, commitBoostApiParameters).register();
+    }
   }
 
   @Override
@@ -166,7 +175,8 @@ protected List<ArtifactSignerProvider> createArtifactSignerProvider(
 
                 return signers;
               }
-            }));
+            },
+            Optional.of(commitBoostApiParameters)));
   }
 
   private MappedResults<ArtifactSigner> loadSignersFromKeyConfigFiles(

core/src/main/java/tech/pegasys/web3signer/core/routes/eth2/CommitBoostGenerateProxyKeyRoute.java

@@ -0,0 +1,92 @@
+/*
+ * Copyright 2024 ConsenSys AG.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package tech.pegasys.web3signer.core.routes.eth2;
+
+import static tech.pegasys.web3signer.signing.KeyType.BLS;
+
+import tech.pegasys.web3signer.core.Context;
+import tech.pegasys.web3signer.core.routes.Web3SignerRoute;
+import tech.pegasys.web3signer.core.service.http.handlers.commitboost.CommitBoostGenerateProxyKeyHandler;
+import tech.pegasys.web3signer.core.service.http.handlers.signing.SignerForIdentifier;
+import tech.pegasys.web3signer.signing.ArtifactSignerProvider;
+import tech.pegasys.web3signer.signing.BlsArtifactSignature;
+import tech.pegasys.web3signer.signing.config.DefaultArtifactSignerProvider;
+import tech.pegasys.web3signer.signing.config.KeystoresParameters;
+
+import io.vertx.core.http.HttpMethod;
+import io.vertx.core.json.JsonObject;
+
+public class CommitBoostGenerateProxyKeyRoute implements Web3SignerRoute {
+  private static final String PATH = "/signer/v1/generate_proxy_key";
+  private final Context context;
+  private final SignerForIdentifier<BlsArtifactSignature> blsSigner;
+  private final KeystoresParameters commitBoostApiParameters;
+
+  public CommitBoostGenerateProxyKeyRoute(
+      final Context context, final KeystoresParameters commitBoostApiParameters) {
+    this.context = context;
+    this.commitBoostApiParameters = commitBoostApiParameters;
+
+    // there should be only one DefaultArtifactSignerProvider in eth2 mode
+    final ArtifactSignerProvider artifactSignerProvider =
+        context.getArtifactSignerProviders().stream()
+            .filter(p -> p instanceof DefaultArtifactSignerProvider)
+            .findFirst()
+            .orElseThrow();
+
+    blsSigner =
+        new SignerForIdentifier<>(
+            artifactSignerProvider, sig -> sig.getSignatureData().toString(), BLS);
+  }
+
+  @Override
+  public void register() {
+    context
+        .getRouter()
+        .route(HttpMethod.POST, PATH)
+        .blockingHandler(
+            new CommitBoostGenerateProxyKeyHandler(blsSigner, commitBoostApiParameters), false)
+        .failureHandler(context.getErrorHandler())
+        .failureHandler(
+            ctx -> {
+              final int statusCode = ctx.statusCode();
+              if (statusCode == 400) {
+                ctx.response()
+                    .setStatusCode(statusCode)
+                    .end(
+                        new JsonObject()
+                            .put("code", statusCode)
+                            .put("message", "Bad Request")
+                            .encode());
+              } else if (statusCode == 404) {
+                ctx.response()
+                    .setStatusCode(statusCode)
+                    .end(
+                        new JsonObject()
+                            .put("code", statusCode)
+                            .put("message", "Identifier not found.")
+                            .encode());
+              } else if (statusCode == 500) {
+                ctx.response()
+                    .setStatusCode(statusCode)
+                    .end(
+                        new JsonObject()
+                            .put("code", statusCode)
+                            .put("message", "Internal Server Error")
+                            .encode());
+              } else {
+                ctx.next(); // go to global failure handler
+              }
+            });
+  }
+}