From 41ddffa472885c8a15dc9403256f0460261b8175 Mon Sep 17 00:00:00 2001 From: "lightclient@protonmail.com" Date: Thu, 25 Aug 2022 14:47:57 -0600 Subject: [PATCH 1/2] specify default jwt paths --- src/engine/authentication.md | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/src/engine/authentication.md b/src/engine/authentication.md index 4847c9e56..c5906f8a0 100644 --- a/src/engine/authentication.md +++ b/src/engine/authentication.md 
@@ -35,10 +35,24 @@ The HMAC algorithm implies that several consensus layer clients will be able to The execution layer and consensus layer clients **SHOULD** accept a configuration parameter: `jwt-secret`, which designates a file containing the hex-encoded 256 bit secret key to be used for verifying/generating JWT tokens. -If such a parameter is not given, the client **SHOULD** generate such a token, valid for the duration of the execution, and **SHOULD** store the hex-encoded secret as a `jwt.hex` file on the filesystem. This file can then be used to provision the counterpart client. - If such a parameter _is_ given, but the file cannot be read, or does not contain a hex-encoded key of `256` bits, the client **SHOULD** treat this as an error: either abort the startup, or show error and continue without exposing the authenticated port. +If such a parameter _is not_ given, the client **MUST** attempt to read the secret from the default paths defined below, in the order they are listed. If a secret is found, but the file cannot be read, does not contain a hex-encoded key of `256` bit, or is rejected by the other client, the client **MUST** continue searching until all default paths are exhausted. Clients **MAY** search other locations beyond the default locations. + +If no existing JWT is located, the client **SHOULD** generate such a token, valid for the duration of the execution, and store the hex-encoded secret on the filesystem. The exact path is dependant on the host OS, see the default paths below. If the client is unable to write the secret to an OS-specific path, it **MUST** fallback to writing to its own data directory. + +### Default JWT secret locations + +For Linux: +* `$XDG_CACHE_DIR/ethereum/engine/jwt.hex` +* `$HOME/.cache/ethereum/engine/jwt.hex` + +For Mac: +* `$HOME/Library/Caches/Ethereum/Engine/jwt.hex` + +For Windows: +* `%LocalAppData%/Ethereum/Engine/jwt.hex` + ## JWT Claims This specification utilizes the following list of JWT claims: 
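Review bot: The new "If no existing JWT is located" paragraph leaves a startup race unaddressed: both clients are told to search the same default paths and, finding nothing, both "SHOULD generate such a token ... and store the hex-encoded secret on the filesystem", so two clients started together can each generate a different secret and the second write silently overwrites the first while the first client keeps its in-memory copy. Suggest requiring the file be created atomically (create-only, fail if it exists) and that a client whose create fails re-read the winner's file instead of overwriting it, and also stating the required file mode (owner read/write only) since `$XDG_CACHE_DIR`/`$HOME/.cache` are not otherwise protected locations for a shared secret. Smaller points in the same hunk: `$XDG_CACHE_DIR` is not an XDG Base Directory variable, the defined one is `$XDG_CACHE_HOME`; "a hex-encoded key of `256` bit" should match the earlier "`256` bits"; "dependant" should read "dependent"; and "If a secret is found, but the file cannot be read" is contradictory as written, since nothing is found when the file is unreadable, so "If a file is found at a path, but it cannot be read" reads more accurately.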
From e5c4763fa97af6fde85151caf90fa4f2abbe89d8 Mon Sep 17 00:00:00 2001 From: lightclient Date: Mon, 17 Jul 2023 16:01:25 -0600 Subject: [PATCH 2/2] only CL can search --- src/engine/authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/engine/authentication.md b/src/engine/authentication.md index c5906f8a0..0e1bc721c 100644 --- a/src/engine/authentication.md +++ b/src/engine/authentication.md 
@@ -37,7 +37,7 @@ The execution layer and consensus layer clients **SHOULD** accept a configuratio If such a parameter _is_ given, but the file cannot be read, or does not contain a hex-encoded key of `256` bits, the client **SHOULD** treat this as an error: either abort the startup, or show error and continue without exposing the authenticated port. -If such a parameter _is not_ given, the client **MUST** attempt to read the secret from the default paths defined below, in the order they are listed. If a secret is found, but the file cannot be read, does not contain a hex-encoded key of `256` bit, or is rejected by the other client, the client **MUST** continue searching until all default paths are exhausted. Clients **MAY** search other locations beyond the default locations. +If such a parameter _is not_ given, the client **MUST** attempt to read the secret from the default paths defined below, in the order they are listed. If a secret is found, but the file cannot be read, does not contain a hex-encoded key of `256` bit, or is rejected by the other client, the client **MUST** continue searching until all default paths are exhausted. Consensus layer clients **MAY** search other locations, such as execution layer client data directories. If no existing JWT is located, the client **SHOULD** generate such a token, valid for the duration of the execution, and store the hex-encoded secret on the filesystem. The exact path is dependant on the host OS, see the default paths below. If the client is unable to write the secret to an OS-specific path, it **MUST** fallback to writing to its own data directory.
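Review bot: Narrowing the extra-location search to consensus layer clients ("Consensus layer clients **MAY** search other locations, such as execution layer client data directories") does not by itself resolve who is the canonical writer, because the unchanged following sentence still lets "the client", meaning either side, generate and store a secret when none is found. If the intent of "only CL can search" is that the execution layer client owns the secret and the consensus layer client discovers it, say so explicitly (the EL writes, the CL reads) so the two clients cannot end up with divergent files. Two further points worth tightening while this sentence is touched: the condition "or is rejected by the other client" cannot be evaluated during a filesystem scan, it requires an authenticated request to the counterpart, so the spec should say when and how that rejection is observed before the search resumes; and reading from an execution layer client's data directory implies the CL process must have read access to it, which operators may satisfy by loosening directory permissions, so it is worth noting that only the `jwt.hex` file, not the whole data directory, needs to be readable by the CL.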