Implement VC API (#1657)

## Issue Addressed NA ## Proposed Changes - Implements a HTTP API for the validator client. - Creates EIP-2335 keystores with an empty `description` field, instead of a missing `description` field. Adds option to set name. - Be more graceful with setups without any validators (yet) - Remove an error log when there are no validators. - Create the `validator` dir if it doesn't exist. - Allow building a `ValidatorDir` without a withdrawal keystore (required for the API method where we only post a voting keystore). - Add optional `description` field to `validator_definitions.yml` ## TODO - [x] Signature header, as per https://github.com/sigp/lighthouse/issues/1269#issuecomment-649879855 - [x] Return validator descriptions - [x] Return deposit data - [x] Respect the mnemonic offset - [x] Check that mnemonic can derive returned keys - [x] Be strict about non-localhost - [x] Allow graceful start without any validators (+ create validator dir) - [x] Docs final pass - [x] Swap to EIP-2335 description field. - [x] Fix Zerioze TODO in VC api types. - [x] Zeroize secp256k1 key ## Endpoints - [x] `GET /lighthouse/version` - [x] `GET /lighthouse/health` - [x] `GET /lighthouse/validators` - [x] `POST /lighthouse/validators/hd` - [x] `POST /lighthouse/validators/keystore` - [x] `PATCH /lighthouse/validators/:validator_pubkey` - [ ] ~~`POST /lighthouse/validators/:validator_pubkey/exit/:epoch`~~ Future works ## Additional Info TBC
2026-03-19 21:04:41 +00:00 · 2020-10-02 09:42:19 +00:00
parent 1d278aaa83
commit 6ea3bc5e52
43 changed files with 2882 additions and 172 deletions
--- a/book/src/api-vc-sig-header.md
+++ b/book/src/api-vc-sig-header.md
@@ -0,0 +1,108 @@
+# Validator Client API: Signature Header
+
+## Overview
+
+The validator client HTTP server adds the following header to all responses:
+
+- Name: `Signature`
+- Value: a secp256k1 signature across the SHA256 of the response body.
+
+Example `Signature` header:
+
+```
+Signature: 0x304402205b114366444112580bf455d919401e9c869f5af067cd496016ab70d428b5a99d0220067aede1eb5819eecfd5dd7a2b57c5ac2b98f25a7be214b05684b04523aef873
+```
+
+## Verifying the Signature
+
+Below is a browser-ready example of signature verification.
+
+### HTML
+
+```html
+<script src="https://rawgit.com/emn178/js-sha256/master/src/sha256.js" type="text/javascript"></script>
+<script src="https://rawgit.com/indutny/elliptic/master/dist/elliptic.min.js" type="text/javascript"></script>
+```
+
+### Javascript
+
+```javascript
+// Helper function to turn a hex-string into bytes.
+function hexStringToByte(str) {
+  if (!str) {
+    return new Uint8Array();
+  }
+
+  var a = [];
+  for (var i = 0, len = str.length; i < len; i+=2) {
+    a.push(parseInt(str.substr(i,2),16));
+  }
+
+  return new Uint8Array(a);
+}
+
+// This example uses the secp256k1 curve from the "elliptic" library:
+//
+// https://github.com/indutny/elliptic
+var ec = new elliptic.ec('secp256k1');
+
+// The public key is contained in the API token:
+//
+// Authorization: Basic api-token-0x03eace4c98e8f77477bb99efb74f9af10d800bd3318f92c33b719a4644254d4123
+var pk_bytes = hexStringToByte('03eace4c98e8f77477bb99efb74f9af10d800bd3318f92c33b719a4644254d4123');
+
+// The signature is in the `Signature` header of the response:
+//
+// Signature: 0x304402205b114366444112580bf455d919401e9c869f5af067cd496016ab70d428b5a99d0220067aede1eb5819eecfd5dd7a2b57c5ac2b98f25a7be214b05684b04523aef873
+var sig_bytes = hexStringToByte('304402205b114366444112580bf455d919401e9c869f5af067cd496016ab70d428b5a99d0220067aede1eb5819eecfd5dd7a2b57c5ac2b98f25a7be214b05684b04523aef873');
+
+// The HTTP response body.
+var response_body = "{\"data\":{\"version\":\"Lighthouse/v0.2.11-fc0654fbe+/x86_64-linux\"}}";
+
+// The HTTP response body is hashed (SHA256) to determine the 32-byte message.
+let hash = sha256.create();
+hash.update(response_body);
+let message = hash.array();
+
+// The 32-byte message hash, the signature and the public key are verified.
+if (ec.verify(message, sig_bytes, pk_bytes)) {
+  console.log("The signature is valid")
+} else {
+  console.log("The signature is invalid")
+}
+```
+
+*This example is also available as a [JSFiddle](https://jsfiddle.net/wnqd74Lz/).*
+
+## Example
+
+The previous Javascript example was written using the output from the following
+`curl` command:
+
+```bash
+curl -v localhost:5062/lighthouse/version -H "Authorization: Basic api-token-0x03eace4c98e8f77477bb99efb74f9af10d800bd3318f92c33b719a4644254d4123"
+```
+
+```
+*   Trying ::1:5062...
+* connect to ::1 port 5062 failed: Connection refused
+*   Trying 127.0.0.1:5062...
+* Connected to localhost (127.0.0.1) port 5062 (#0)
+> GET /lighthouse/version HTTP/1.1
+> Host: localhost:5062
+> User-Agent: curl/7.72.0
+> Accept: */*
+> Authorization: Basic api-token-0x03eace4c98e8f77477bb99efb74f9af10d800bd3318f92c33b719a4644254d4123
+>
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 200 OK
+< content-type: application/json
+< signature: 0x304402205b114366444112580bf455d919401e9c869f5af067cd496016ab70d428b5a99d0220067aede1eb5819eecfd5dd7a2b57c5ac2b98f25a7be214b05684b04523aef873
+< server: Lighthouse/v0.2.11-fc0654fbe+/x86_64-linux
+< access-control-allow-origin:
+< content-length: 65
+< date: Tue, 29 Sep 2020 04:23:46 GMT
+<
+* Connection #0 to host localhost left intact
+{"data":{"version":"Lighthouse/v0.2.11-fc0654fbe+/x86_64-linux"}}
+```