Tessera 0.10.0 - Documentation update (#801)

Tessera 0.10.0 Release updates
2019-08-13 23:29:02 +01:00 · 2019-08-13 23:29:02 +01:00 · 6a3a6900bc
parent 7e87e40340
commit 6a3a6900bc
5 changed files with 166 additions and 5 deletions
--- a/Started/api.md
+++ b/Started/api.md
@ -70,13 +70,14 @@ __Important:__ Please note that before calling this API, a `storeraw` api need t
    - `privateFor`: `List<String>`  - When sending a private transaction, an array of the recipients' base64-encoded public keys.
 3. `Function` - (optional) If you pass a callback the HTTP request is made asynchronous. See [this note](#using-callbacks) for details.

- ##### Returns
+##### Returns
 `String` - The 32 Bytes transaction hash as HEX string.
 If the transaction was a contract creation use [web3.eth.getTransactionReceipt()](#web3ethgettransactionreceipt) to get the contract address, after the transaction was mined.
 
 
- ##### Example
-  ```js
+##### Example
+
+```js
 var Tx = require('ethereumjs-tx');
 var privateKey = new Buffer('e331b6d69882b4cb4ea581d88e0b604039a3de5967688d3dcffdd2270c0fd109', 'hex')
  var rawTx = {
@ -97,7 +98,7 @@ __Important:__ Please note that before calling this API, a `storeraw` api need t
   if (!err)
     console.log(hash); // "0x7f9fade1c0d57a7af66ab4ead79fade1c0d57a7af66ab4ead7c2c2eb7b11a91385"
 });
- ```
+```
 
 

--- a/docs/Privacy/Tessera/Configuration/Configuration
+++ b/docs/Privacy/Tessera/Configuration/Configuration
@ -181,3 +181,17 @@ It is possible to configure a node that will be sent a copy of every transaction

 ---

+### Remote-Key-Validation
+Tessera provides an API `/partyinfo` on Tessera P2P server to discover all the peers in the network. In order to prevent attackers trying to inject malicious addresses against public keys, where they will try to assign the address to direct private transactions to them instead of the real owner of the key, we have added a feature to enable node level validation on the remote key that checks the remote node does in fact own the keys that were advertised. Only after the keys are validated with the remote node to ensure they own them, the keys are added to the local network info (partyinfo) store.
+
+Default configuration for this is `false` as this is BREAKABLE change to lower versions to Tessera 0.10.0. To enable this, simple set below parameter to true in the configuration:
+
+```
+ "features": {
+    "enableRemoteKeyValidation": true
+  }
+```
+
+---
+
+
--- a/docs/Privacy/Tessera/Configuration/Sample
+++ b/docs/Privacy/Tessera/Configuration/Sample
@ -4,6 +4,8 @@ Tessera configuration varies by version as new features are added or changed. Be

 | Version       |
 | ------------- |
-| [0.9 - latest release](../Tessera%20v0.9%20sample%20settings) |
+| [0.10 - latest release](../Tessera%20v0.10.0%20sample%20settings) |
+| [0.9](../Tessera%20v0.9%20sample%20settings) |
 | [0.8](../Tessera%20v0.8%20sample%20settings)      |
 | [0.7.3](../Tessera%20v0.7.3%20sample%20settings)      |
+
--- a/docs/Privacy/Tessera/Configuration/Tessera
+++ b/docs/Privacy/Tessera/Configuration/Tessera
@ -0,0 +1,139 @@
+**Changes:**
+- Added configuration for remote key validation.Default is set to false
+
+e.g.
+```json
+ "unixSocketFile": "Path",
+  "features": {
+    "enableRemoteKeyValidation": false
+  }
+```
+
+**Sample:**
+
+```json
+{
+  "useWhiteList": "boolean",
+  "jdbc": {
+    "url": "String",
+    "username": "String",
+    "password": "String"
+  },
+  "serverConfigs": [
+    {
+      "app": "ENCLAVE",
+      // Defines us using a remote enclave, leave out if using built-in enclave
+      "enabled": true,
+      "serverAddress": "http://localhost:9081",
+      //Where to find the remote enclave
+      "communicationType": "REST"
+    },
+    {
+      "app": "ThirdParty",
+      "enabled": true,
+      "serverAddress": "http://localhost:9081",
+      "bindingAddress": "String - url with port e.g. http://127.0.0.1:9081",
+      "communicationType": "REST"
+    },
+    {
+      "app": "Q2T",
+      "enabled": true,
+      "serverAddress": "unix:/tmp/tm.ipc",
+      "communicationType": "REST"
+    },
+    {
+      "app": "P2P",
+      "enabled": true,
+      "serverAddress": "http://localhost:9001",
+      "bindingAddress": "String - url with port e.g. http://127.0.0.1:9001",
+      "sslConfig": {
+        "tls": "enum STRICT,OFF",
+        "generateKeyStoreIfNotExisted": "boolean",
+        "serverKeyStore": "Path",
+        "serverTlsKeyPath": "Path",
+        "serverTlsCertificatePath": "Path",
+        "serverKeyStorePassword": "String",
+        "serverTrustStore": "Path",
+        "serverTrustCertificates": [
+          "Path..."
+        ],
+        "serverTrustStorePassword": "String",
+        "serverTrustMode": "Enumeration: CA, TOFU, WHITELIST, CA_OR_TOFU, NONE",
+        "clientKeyStore": "Path",
+        "clientTlsKeyPath": "Path",
+        "clientTlsCertificatePath": "Path",
+        "clientKeyStorePassword": "String",
+        "clientTrustStore": "Path",
+        "clientTrustCertificates": [
+          "Path..."
+        ],
+        "clientTrustStorePassword": "String",
+        "clientTrustMode": "Enumeration: CA, TOFU, WHITELIST, CA_OR_TOFU, NONE",
+        "knownClientsFile": "Path",
+        "knownServersFile": "Path"
+      },
+      "communicationType": "REST"
+    }
+  ],
+  "peer": [
+    {
+      "url": "url e.g. http://127.0.0.1:9000/"
+    }
+  ],
+  "keys": {
+    "passwords": [
+      "String..."
+    ],
+    "passwordFile": "Path",
+    "azureKeyVaultConfig": {
+      "url": "Azure Key Vault url"
+    },
+    "hashicorpKeyVaultConfig": {
+      "url": "Hashicorp Vault url",
+      "approlePath": "String (defaults to 'approle' if not set)",
+      "tlsKeyStorePath": "Path to jks key store",
+      "tlsTrustStorePath": "Path to jks trust store"
+    },
+    "keyData": [
+      {
+        "config": {
+          "data": {
+            "aopts": {
+              "variant": "Enum : id,d or i",
+              "memory": "int",
+              "iterations": "int",
+              "parallelism": "int"
+            },
+            "bytes": "String",
+            "snonce": "String",
+            "asalt": "String",
+            "sbox": "String",
+            "password": "String"
+          },
+          "type": "Enum: argon2sbox or unlocked. If unlocked is defined then config data is required. "
+        },
+        "privateKey": "String",
+        "privateKeyPath": "Path",
+        "azureVaultPrivateKeyId": "String",
+        "azureVaultPrivateKeyVersion": "String",
+        "publicKey": "String",
+        "publicKeyPath": "Path",
+        "azureVaultPublicKeyId": "String",
+        "azureVaultPublicKeyVersion": "String",
+        "hashicorpVaultSecretEngineName": "String",
+        "hashicorpVaultSecretName": "String",
+        "hashicorpVaultSecretVersion": "Integer (defaults to 0 (latest) if not set)",
+        "hashicorpVaultPrivateKeyId": "String",
+        "hashicorpVaultPublicKeyId": "String"
+      }
+    ]
+  },
+  "alwaysSendTo": [
+    "String..."
+  ],
+  "unixSocketFile": "Path",
+  "features": {
+    "enableRemoteKeyValidation": false
+  }
+}
+```
--- a/docs/Privacy/Tessera/Usage/Interface
+++ b/docs/Privacy/Tessera/Usage/Interface
@ -28,6 +28,7 @@ The following endpoints are advertised on this interface:
 * `/push`
 * `/resend`
 * `/partyinfo`
+* `/partyinfo/validate`

 ### Third Party - Public API 

@ -89,6 +90,10 @@ The following endpoints are advertised on this API:
 - GET: Request public keys/url of all known peer nodes.
 - POST: accepts a stream that contains the caller node's network information, and returns a merged copy with the callee node's network information

+**`partyinfo/validate`** - _Validates a node possesses a key_ 
+
+- Will request a node to decrypt a transaction in order to prove that it has access to the private part of its advertised public key.
+
 **`sendraw`** - _Send transaction bytestring_

 - Send transaction payload bytestring from Quorum to Tessera node. Tessera sends the transaction hash in the response back.