Merge branch 'develop' into million-dollars-tool-felix-pays

Author: Nicolás Tallar

README.md

@@ -130,6 +130,42 @@ projectRoot $ docker build -f ./docker/monitoring-client.Dockerfile -t mantis-mo
 projectRoot $ docker run --network=host mantis-monitoring-client
 ```
 
+### TLS setup
+
+Both the JSON RPC (on the node and faucet) can be additionally protected using TLS.
+On the development environment it's already properly configured with a development certificate.
+
+#### Generating a new certificate
+
+If a new certificate is required, create a new keystore with a certificate by running `./tls/gen-cert.sh`
+
+#### Configuring the node
+
+1. Configure the certificate and password file to be used at `mantis.network.rpc.http.certificate` key on the `application.conf` file:
+
+    keystore-path: path to the keystore storing the certificates (if generated through our script they are by default located in "./tls/mantisCA.p12")
+    keystore-type: type of certificate keystore being used (if generated through our script use "pkcs12")
+    password-file: path to the file with the password used for accessing the certificate keystore (if generated through our script they are by default located in "./tls/password")
+2. Enable TLS in specific config:
+    - For JSON RPC: `mantis.network.rpc.http.mode=https`
+
+#### Configuring the faucet
+
+1. Configure the certificate and password file to be used at `mantis.network.rpc.http.certificate` key on the `faucet.conf` file:
+
+    keystore-path: path to the keystore storing the certificates (if generated through our script they are by default located in "./tls/mantisCA.p12")
+    keystore-type: type of certificate keystore being used (if generated through our script use "pkcs12")
+    password-file: path to the file with the password used for accessing the certificate keystore (if generated through our script they are by default located in "./tls/password")
+2. Enable TLS in specific config:
+    - For JSON RPC: `mantis.network.rpc.http.mode=https`
+3. Configure the certificate used from RpcClient to connect with the node. Necessary if the node uses http secure. 
+   This certificate and password file to be used at `faucet.rpc-client.certificate` key on the `faucet.conf` file:
+
+    keystore-path: path to the keystore storing the certificates
+    keystore-type: type of certificate keystore being used (if generated through our script use "pkcs12")
+    password-file: path to the file with the password used for accessing the certificate keystore
+
+
 ### Feedback
 
 Feedback gratefully received through the Ethereum Classic Forum (http://forum.ethereumclassic.org/)

src/evmTest/scala/io/iohk/ethereum/vm/PrecompiledContractsSpecEvm.scala

@@ -4,7 +4,7 @@ import akka.util.ByteString
 import io.iohk.ethereum.crypto
 import io.iohk.ethereum.crypto._
 import io.iohk.ethereum.domain.SignedTransaction.{FirstByteOfAddress, LastByteOfAddress}
-import io.iohk.ethereum.nodebuilder.SecureRandomBuilder
+import io.iohk.ethereum.security.SecureRandomBuilder
 import io.iohk.ethereum.vm.utils.EvmTestEnv
 import org.bouncycastle.crypto.params.ECPublicKeyParameters
 import org.scalatest.funsuite.AnyFunSuite

src/it/scala/io/iohk/ethereum/sync/util/CommonFakePeer.scala

@@ -15,6 +15,7 @@ import io.iohk.ethereum.db.dataSource.{RocksDbConfig, RocksDbDataSource}
 import io.iohk.ethereum.db.storage.pruning.{ArchivePruning, PruningMode}
 import io.iohk.ethereum.db.storage.{AppStateStorage, Namespaces}
 import io.iohk.ethereum.domain.{Block, Blockchain, BlockchainImpl, ChainWeight}
+import io.iohk.ethereum.security.SecureRandomBuilder
 import io.iohk.ethereum.ledger.InMemoryWorldStateProxy
 import io.iohk.ethereum.mpt.MerklePatriciaTrie
 import io.iohk.ethereum.network.EtcPeerManagerActor.PeerInfo
@@ -33,7 +34,7 @@ import io.iohk.ethereum.network.{
   PeerManagerActor,
   ServerActor
 }
-import io.iohk.ethereum.nodebuilder.{PruningConfigBuilder, SecureRandomBuilder}
+import io.iohk.ethereum.nodebuilder.PruningConfigBuilder
 import io.iohk.ethereum.sync.util.SyncCommonItSpec._
 import io.iohk.ethereum.sync.util.SyncCommonItSpecUtils._
 import io.iohk.ethereum.utils.ServerStatus.Listening

src/it/scala/io/iohk/ethereum/txExecTest/util/DumpChainApp.scala

@@ -23,7 +23,8 @@ import io.iohk.ethereum.network.handshaker.{EtcHandshaker, EtcHandshakerConfigur
 import io.iohk.ethereum.network.p2p.EthereumMessageDecoder
 import io.iohk.ethereum.network.rlpx.RLPxConnectionHandler.RLPxConfiguration
 import io.iohk.ethereum.network.{ForkResolver, PeerEventBusActor, PeerManagerActor}
-import io.iohk.ethereum.nodebuilder.{AuthHandshakerBuilder, NodeKeyBuilder, SecureRandomBuilder}
+import io.iohk.ethereum.nodebuilder.{AuthHandshakerBuilder, NodeKeyBuilder}
+import io.iohk.ethereum.security.SecureRandomBuilder
 import io.iohk.ethereum.utils.{Config, NodeStatus, ServerStatus}
 import monix.reactive.Observable
 import org.bouncycastle.util.encoders.Hex

src/main/resources/application.conf

@@ -183,17 +183,20 @@ mantis {
         # Listening port of JSON-RPC HTTP(S) endpoint
         port = 8546
 
+        certificate = null
+        #certificate {
         # Path to the keystore storing the certificates (used only for https)
         # null value indicates HTTPS is not being used
-        certificate-keystore-path = null
+        #  keystore-path = "tls/mantisCA.p12"
 
         # Type of certificate keystore being used
         # null value indicates HTTPS is not being used
-        certificate-keystore-type = null
+        #  keystore-type = "pkcs12"
 
         # File with the password used for accessing the certificate keystore (used only for https)
         # null value indicates HTTPS is not being used
-        certificate-password-file = null
+        #  password-file = "tls/password"
+        #}
 
         # Domains allowed to query RPC endpoint. Use "*" to enable requests from
         # any domain.