[BESU-77] - Enable TLS for JSON-RPC HTTP Service

besu/src/main/java/org/hyperledger/besu/cli/BesuCommand.java

@@ -71,6 +71,8 @@
 import org.hyperledger.besu.ethereum.api.jsonrpc.RpcApi;
 import org.hyperledger.besu.ethereum.api.jsonrpc.RpcApis;
 import org.hyperledger.besu.ethereum.api.jsonrpc.websocket.WebSocketConfiguration;
+import org.hyperledger.besu.ethereum.api.tls.TlsConfiguration;
+import org.hyperledger.besu.ethereum.api.tls.TlsConfigurationException;
 import org.hyperledger.besu.ethereum.core.Address;
 import org.hyperledger.besu.ethereum.core.Hash;
 import org.hyperledger.besu.ethereum.core.MiningParameters;
@@ -141,8 +143,10 @@
 import java.util.stream.Collectors;
 
 import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Charsets;
 import com.google.common.base.Suppliers;
 import com.google.common.collect.ImmutableMap;
+import com.google.common.io.Files;
 import com.google.common.io.Resources;
 import io.vertx.core.Vertx;
 import io.vertx.core.VertxOptions;
@@ -447,6 +451,32 @@ void setBannedNodeIds(final List<String> values) {
           "Require authentication for the JSON-RPC HTTP service (default: ${DEFAULT-VALUE})")
   private final Boolean isRpcHttpAuthenticationEnabled = false;
 
+  @Option(
+      names = {"--rpc-http-tls-enabled"},
+      description = "Enable TLS for the JSON-RPC HTTP service (default: ${DEFAULT-VALUE})")
+  private final Boolean isRpcHttpTlsEnabled = false;
+
+  @Option(
+      names = {"--rpc-http-tls-keystore-file"},
+      paramLabel = MANDATORY_FILE_FORMAT_HELP,
+      description =
+          "PKCS#12 format key store file for the JSON-RPC HTTP service. Required if TLS is enabled.")
+  private final Path rpcHttpTlsKeyStoreFile = null;
+
+  @Option(
+      names = {"--rpc-http-tls-keystore-password-file"},
+      paramLabel = MANDATORY_FILE_FORMAT_HELP,
+      description =
+          "Key store password file for the JSON-RPC HTTP service. Required if TLS is enabled.")
+  private final Path rpcHttpTlsKeyStorePasswordFile = null;
+
+  @Option(
+      names = {"--rpc-http-tls-known-clients-file"},
+      paramLabel = MANDATORY_FILE_FORMAT_HELP,
+      description =
+          "Known clients common name and fingerprints to enable TLS client authentication for the JSON-RPC HTTP service.")
+  private final Path rpcHttpTlsKnownClientsFile = null;
+
   @Option(
       names = {"--rpc-ws-enabled"},
       description = "Set to start the JSON-RPC WebSocket service (default: ${DEFAULT-VALUE})")
@@ -1154,6 +1184,15 @@ private GraphQLConfiguration graphQLConfiguration() {
   }
 
   private JsonRpcConfiguration jsonRpcConfiguration() {
+    CommandLineUtils.checkOptionDependencies(
+        logger,
+        commandLine,
+        "--rpc-http-tls-enabled",
+        !isRpcHttpTlsEnabled,
+        asList(
+            "--rpc-http-tls-keystore-file",
+            "--rpc-http-tls-keystore-password-file",
+            "--rpc-http-tls-known-clients-file"));
 
     CommandLineUtils.checkOptionDependencies(
         logger,
@@ -1168,7 +1207,11 @@ private JsonRpcConfiguration jsonRpcConfiguration() {
             "--rpc-http-port",
             "--rpc-http-authentication-enabled",
             "--rpc-http-authentication-credentials-file",
-            "--rpc-http-authentication-public-key-file"));
+            "--rpc-http-authentication-public-key-file",
+            "--rpc-http-tls-enabled",
+            "--rpc-http-tls-keystore-file",
+            "--rpc-http-tls-keystore-password-file",
+            "--rpc-http-tls-known-clients-file"));
 
     if (isRpcHttpAuthenticationEnabled
         && rpcHttpAuthenticationCredentialsFile() == null
@@ -1178,6 +1221,20 @@ && rpcHttpAuthenticationPublicKeyFile() == null) {
           "Unable to authenticate JSON-RPC HTTP endpoint without a supplied credentials file or authentication public key file");
     }
 
+    if (isRpcHttpEnabled && isRpcHttpTlsEnabled) {
+      if (rpcHttpTlsKeyStoreFile == null) {
+        throw new ParameterException(
+            commandLine,
+            "Key store file is required when TLS is enabled for JSON-RPC HTTP endpoint");
+      }
+
+      if (rpcHttpTlsKeyStorePasswordFile == null) {
+        throw new ParameterException(
+            commandLine,
+            "Key store password file is required when TLS is enabled for JSON-RPC HTTP endpoint");
+      }
+    }
+
     final JsonRpcConfiguration jsonRpcConfiguration = JsonRpcConfiguration.createDefault();
     jsonRpcConfiguration.setEnabled(isRpcHttpEnabled);
     jsonRpcConfiguration.setHost(rpcHttpHost);
@@ -1188,9 +1245,44 @@ && rpcHttpAuthenticationPublicKeyFile() == null) {
     jsonRpcConfiguration.setAuthenticationEnabled(isRpcHttpAuthenticationEnabled);
     jsonRpcConfiguration.setAuthenticationCredentialsFile(rpcHttpAuthenticationCredentialsFile());
     jsonRpcConfiguration.setAuthenticationPublicKeyFile(rpcHttpAuthenticationPublicKeyFile());
+
+    if (isRpcHttpEnabled && isRpcHttpTlsEnabled) {
+      jsonRpcConfiguration.setTlsConfiguration(getRpcHttpTlsConfiguration());
+    }
     return jsonRpcConfiguration;
   }
 
+  private TlsConfiguration getRpcHttpTlsConfiguration() {
+    final String password;
+    try {
+      password =
+          Files.asCharSource(rpcHttpTlsKeyStorePasswordFile.toFile(), Charsets.UTF_8)
+              .readFirstLine();
+      if (password == null) {
+        throw new ParameterException(
+            commandLine, "Unable to read key store password for JSON-RPC HTTP endpoint");
+      }
+    } catch (IOException e) {
+      throw new ParameterException(
+          commandLine, "Unable to read key store password file for JSON-RPC HTTP endpoint", e);
+    }
+
+    try {
+      return TlsConfiguration.TlsConfigurationBuilder.aTlsConfiguration()
+          .withKeyStorePath(rpcHttpTlsKeyStoreFile.normalize())
+          .withKeyStorePassword(password)
+          .withKnownClientsFile(rpcHttpTlsKnownClientsFile)
+          .build();
+    } catch (TlsConfigurationException e) {
+      throw new ParameterException(
+          commandLine,
+          String.format(
+              "Unable to initialize TLS configuration for JSON-RPC HTTP endpoint: %s",
+              e.getMessage()),
+          e);
+    }
+  }
+
   private WebSocketConfiguration webSocketConfiguration() {
 
     CommandLineUtils.checkOptionDependencies(

besu/src/test/resources/everything_config.toml

@@ -51,6 +51,10 @@ rpc-http-cors-origins=["none"]
 rpc-http-authentication-enabled=false
 rpc-http-authentication-credentials-file="none"
 rpc-http-authentication-jwt-public-key-file="none"
+rpc-http-tls-enabled=false
+rpc-http-tls-keystore-file="none.pfx"
+rpc-http-tls-keystore-password-file="none.passwd"
+rpc-http-tls-known-clients-file="rpc_tls_clients.txt"
 
 # GRAPHQL HTTP
 graphql-http-enabled=false

ethereum/api/build.gradle

@@ -49,6 +49,7 @@ dependencies {
   implementation 'io.vertx:vertx-unit'
   implementation 'io.vertx:vertx-web'
   implementation 'org.apache.tuweni:tuweni-bytes'
+  implementation 'org.apache.tuweni:tuweni-net'
   implementation 'org.apache.tuweni:tuweni-toml'
   implementation 'org.apache.tuweni:tuweni-units'
   implementation 'org.bouncycastle:bcprov-jdk15on'

ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcConfiguration.java

@@ -14,13 +14,16 @@
  */
 package org.hyperledger.besu.ethereum.api.jsonrpc;
 
+import org.hyperledger.besu.ethereum.api.tls.TlsConfiguration;
+
 import java.io.File;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
 import java.util.Objects;
+import java.util.Optional;
 
 import com.google.common.base.MoreObjects;
 
@@ -37,6 +40,7 @@ public class JsonRpcConfiguration {
   private boolean authenticationEnabled = false;
   private String authenticationCredentialsFile;
   private File authenticationPublicKeyFile;
+  private Optional<TlsConfiguration> tlsConfiguration = Optional.empty();
 
   public static JsonRpcConfiguration createDefault() {
     final JsonRpcConfiguration config = new JsonRpcConfiguration();
@@ -128,6 +132,14 @@ public void setAuthenticationPublicKeyFile(final File authenticationPublicKeyFil
     this.authenticationPublicKeyFile = authenticationPublicKeyFile;
   }
 
+  public Optional<TlsConfiguration> getTlsConfiguration() {
+    return tlsConfiguration;
+  }
+
+  public void setTlsConfiguration(final TlsConfiguration tlsConfiguration) {
+    this.tlsConfiguration = Optional.ofNullable(tlsConfiguration);
+  }
+
   @Override
   public String toString() {
     return MoreObjects.toStringHelper(this)

ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpService.java

@@ -32,11 +32,13 @@
 import org.hyperledger.besu.ethereum.api.jsonrpc.internal.response.JsonRpcResponse;
 import org.hyperledger.besu.ethereum.api.jsonrpc.internal.response.JsonRpcResponseType;
 import org.hyperledger.besu.ethereum.api.jsonrpc.internal.response.JsonRpcUnauthorizedResponse;
+import org.hyperledger.besu.ethereum.api.tls.TlsConfiguration;
 import org.hyperledger.besu.metrics.BesuMetricCategory;
 import org.hyperledger.besu.nat.upnp.UpnpNatManager;
 import org.hyperledger.besu.plugin.services.MetricsSystem;
 import org.hyperledger.besu.plugin.services.metrics.LabelledMetric;
 import org.hyperledger.besu.plugin.services.metrics.OperationTimer;
+import org.hyperledger.besu.util.ExceptionUtils;
 import org.hyperledger.besu.util.NetworkUtility;
 
 import java.net.InetSocketAddress;
@@ -56,6 +58,8 @@
 import io.vertx.core.Future;
 import io.vertx.core.Handler;
 import io.vertx.core.Vertx;
+import io.vertx.core.VertxException;
+import io.vertx.core.http.ClientAuth;
 import io.vertx.core.http.HttpMethod;
 import io.vertx.core.http.HttpServer;
 import io.vertx.core.http.HttpServerOptions;
@@ -165,12 +169,7 @@ public CompletableFuture<?> start() {
     LOG.info("Starting JsonRPC service on {}:{}", config.getHost(), config.getPort());
 
     // Create the HTTP server and a router object.
-    httpServer =
-        vertx.createHttpServer(
-            new HttpServerOptions()
-                .setHost(config.getHost())
-                .setPort(config.getPort())
-                .setHandle100ContinueAutomatically(true));
+    httpServer = vertx.createHttpServer(getHttpServerOptions());
 
     // Handle json rpc requests
     final Router router = Router.router(vertx);
@@ -220,41 +219,85 @@ public CompletableFuture<?> start() {
     }
 
     final CompletableFuture<?> resultFuture = new CompletableFuture<>();
-    httpServer
-        .requestHandler(router)
-        .listen(
-            res -> {
-              if (!res.failed()) {
-                resultFuture.complete(null);
-                final int actualPort = httpServer.actualPort();
-                LOG.info(
-                    "JsonRPC service started and listening on {}:{}", config.getHost(), actualPort);
-                config.setPort(actualPort);
-                // Request that a NAT port forward for our server port
-                if (natManager.isPresent()) {
-                  natManager
-                      .get()
-                      .requestPortForward(
-                          config.getPort(), UpnpNatManager.Protocol.TCP, "besu-json-rpc");
+    try {
+      httpServer
+          .requestHandler(router)
+          .listen(
+              res -> {
+                if (!res.failed()) {
+                  resultFuture.complete(null);
+                  final int actualPort = httpServer.actualPort();
+                  LOG.info(
+                      "JsonRPC service started and listening on {}:{}{}",
+                      config.getHost(),
+                      actualPort,
+                      tlsLogMessage());
+                  config.setPort(actualPort);
+                  // Request that a NAT port forward for our server port
+                  if (natManager.isPresent()) {
+                    natManager
+                        .get()
+                        .requestPortForward(
+                            config.getPort(), UpnpNatManager.Protocol.TCP, "besu-json-rpc");
+                  }
+                  return;
                 }
-                return;
-              }
-              httpServer = null;
-              final Throwable cause = res.cause();
-              if (cause instanceof SocketException) {
-                resultFuture.completeExceptionally(
-                    new JsonRpcServiceException(
-                        String.format(
-                            "Failed to bind Ethereum JSON RPC listener to %s:%s: %s",
-                            config.getHost(), config.getPort(), cause.getMessage())));
-                return;
-              }
-              resultFuture.completeExceptionally(cause);
-            });
+                httpServer = null;
+                final Throwable cause = res.cause();
+                if (cause instanceof SocketException) {
+                  resultFuture.completeExceptionally(
+                      new JsonRpcServiceException(
+                          String.format(
+                              "Failed to bind Ethereum JSON RPC listener to %s:%s: %s",
+                              config.getHost(), config.getPort(), cause.getMessage())));
+                  return;
+                }
+                resultFuture.completeExceptionally(cause);
+              });
+    } catch (VertxException e) {
+      httpServer = null;
+      resultFuture.completeExceptionally(
+          new JsonRpcServiceException(
+              String.format(
+                  "Ethereum JSON RPC listener failed to start: %s",
+                  ExceptionUtils.rootCause(e).getMessage())));
+    }
 
     return resultFuture;
   }
 
+  private HttpServerOptions getHttpServerOptions() {
+    final HttpServerOptions httpServerOptions =
+        new HttpServerOptions()
+            .setHost(config.getHost())
+            .setPort(config.getPort())
+            .setHandle100ContinueAutomatically(true);
+
+    return applyTlsConfig(httpServerOptions);
+  }
+
+  private HttpServerOptions applyTlsConfig(final HttpServerOptions origHttpServerOptions) {
+    if (config.getTlsConfiguration().isEmpty()) {
+      return origHttpServerOptions;
+    }
+
+    final HttpServerOptions httpServerOptions = new HttpServerOptions(origHttpServerOptions);
+    final TlsConfiguration tlsConfiguration = config.getTlsConfiguration().get();
+    httpServerOptions.setSsl(true).setPfxKeyCertOptions(tlsConfiguration.getPfxKeyCertOptions());
+
+    if (tlsConfiguration.getTrustOptions().isPresent()) {
+      httpServerOptions
+          .setClientAuth(ClientAuth.REQUIRED)
+          .setTrustOptions(tlsConfiguration.getTrustOptions().get());
+    }
+
+    return httpServerOptions;
+  }
+
+  private String tlsLogMessage() {
+    return config.getTlsConfiguration().isPresent() ? " with TLS enabled." : "";
+  }
+
   private Handler<RoutingContext> checkWhitelistHostHeader() {
     return event -> {
       final Optional<String> hostHeader = getAndValidateHostHeader(event);
@@ -323,7 +366,11 @@ public String url() {
     if (httpServer == null) {
       return "";
     }
-    return NetworkUtility.urlForSocketAddress("http", socketAddress());
+    return NetworkUtility.urlForSocketAddress(getScheme(), socketAddress());
+  }
+
+  private String getScheme() {
+    return config.getTlsConfiguration().isPresent() ? "https" : "http";
   }
 
   private void handleJsonRPCRequest(final RoutingContext routingContext) {