update engine API spec ref URLs from alpha.9 to beta.1 (#4030)

* update engine API spec ref URLs from alpha.9 to beta.1

* require exactly 256-bit JWT keys

beacon_chain/conf.nim

@@ -213,7 +213,7 @@ type
       desc: "Number of worker threads (\"0\" = use as many threads as there are CPU cores available)"
       name: "num-threads" .}: int
 
-    # https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/authentication.md#key-distribution
+    # https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/authentication.md#key-distribution
     jwtSecret* {.
       desc: "A file containing the hex-encoded 256 bit secret key to be used for verifying/generating JWT tokens"
       name: "jwt-secret" .}: Option[string]

beacon_chain/eth1/eth1_monitor.nim

@@ -1100,8 +1100,8 @@ proc detectPrimaryProviderComingOnline(m: Eth1Monitor) {.async.} =
     var tempProvider = tempProviderRes.get
 
     # Use one of the get/request-type methods from
-    # https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/specification.md#underlying-protocol
-    # which does nit take parameters and returns a small structure, to ensure
+    # https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/specification.md#underlying-protocol
+    # which doesn't take parameters and returns a small structure, to ensure
     # this works with engine API endpoints.
     let testRequest = tempProvider.web3.provider.eth_syncing()
 

beacon_chain/nimbus_beacon_node.nim

@@ -1366,7 +1366,7 @@ proc onSecond(node: BeaconNode, time: Moment) =
   updateThreadMetrics()
 
   ## This procedure will be called once per minute.
-  # https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/specification.md#engine_exchangetransitionconfigurationv1
+  # https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/specification.md#engine_exchangetransitionconfigurationv1
   if time > node.nextExchangeTransitionConfTime and not node.eth1Monitor.isNil:
     node.nextExchangeTransitionConfTime = time + chronos.minutes(1)
     traceAsyncErrors node.eth1Monitor.exchangeTransitionConfiguration()

beacon_chain/spec/datatypes/bellatrix.nim

@@ -31,10 +31,10 @@ const
   # https://github.com/ethereum/consensus-specs/blob/v1.2.0-rc.1/specs/bellatrix/beacon-chain.md#transition-settings
   TERMINAL_BLOCK_HASH_ACTIVATION_EPOCH* = FAR_FUTURE_EPOCH
 
-  # https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/specification.md#request-1
+  # https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/specification.md#request-1
   FORKCHOICEUPDATED_TIMEOUT* = 8.seconds
 
-  # https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/specification.md#request
+  # https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/specification.md#request
   NEWPAYLOAD_TIMEOUT* = 8.seconds
 
 type

beacon_chain/spec/engine_authentication.nim

@@ -25,9 +25,9 @@ proc base64urlEncode(x: auto): string =
   base64.encode(x, safe = true).replace("=", "")
 
 func getIatToken*(time: int64): JsonNode =
-  # https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/authentication.md#jwt-claims
+  # https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/authentication.md#jwt-claims
   # "Required: iat (issued-at) claim. The EL SHOULD only accept iat timestamps
-  # which are within +-5 seconds from the current time."
+  # which are within +-60 seconds from the current time."
   #
   # https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6 describes iat
   # claims.
@@ -37,7 +37,7 @@ func getIatToken*(time: int64): JsonNode =
   %* {"iat": time}
 
 proc getSignedToken*(key: openArray[byte], payload: string): string =
-  # https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/authentication.md#jwt-specifications
+  # https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/authentication.md#jwt-specifications
   # "The EL MUST support at least the following alg: HMAC + SHA256 (HS256)"
 
   # https://datatracker.ietf.org/doc/html/rfc7515#appendix-A.1.1
@@ -57,12 +57,11 @@ proc getSignedIatToken*(key: openArray[byte], time: int64): string =
 proc checkJwtSecret*(
     rng: var HmacDrbgContext, dataDir: string, jwtSecret: Option[string]):
     Result[seq[byte], cstring] =
-
   # If such a parameter is given, but the file cannot be read, or does not
-  # contain a hex-encoded key of at least 256 bits, the client should treat
-  # this as an error: either abort the startup, or show error and continue
-  # without exposing the authenticated port.
-  const MIN_SECRET_LEN = 32
+  # contain a hex-encoded key of 256 bits, the client should treat this as an
+  # error: either abort the startup, or show error and continue without
+  # exposing the authenticated port.
+  const SECRET_LEN = 32
 
   if jwtSecret.isNone:
     # If such a parameter is not given, the client SHOULD generate such a
@@ -70,11 +69,11 @@ proc checkJwtSecret*(
     # hex-encoded secret as a jwt.hex file on the filesystem. This file can
     # then be used to provision the counterpart client.
     #
-    # https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/authentication.md#key-distribution
+    # https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/authentication.md#key-distribution
     const jwtSecretFilename = "jwt.hex"
     let jwtSecretPath = dataDir / jwtSecretFilename
 
-    let newSecret = rng.generateBytes(MIN_SECRET_LEN)
+    let newSecret = rng.generateBytes(SECRET_LEN)
     try:
       writeFile(jwtSecretPath, newSecret.to0xHex())
     except IOError as exc:
@@ -92,10 +91,10 @@ proc checkJwtSecret*(
       # Secret JWT key is parsed in constant time using nimcrypto:
       # https://github.com/cheatfate/nimcrypto/pull/44
       let secret = utils.fromHex(lines[0])
-      if secret.len >= MIN_SECRET_LEN:
+      if secret.len == SECRET_LEN:
         ok(secret)
       else:
-        err("JWT secret not at least 256 bits")
+        err("JWT secret not 256 bits")
     else:
       err("no hex string found")
   except IOError:

beacon_chain/validators/validator_duties.nim

@@ -390,7 +390,7 @@ proc getExecutionPayload(
     # Minimize window for Eth1 monitor to shut down connection
     await node.consensusManager.eth1Monitor.ensureDataProvider()
 
-    # https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/specification.md#request-2
+    # https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/specification.md#request-2
     const GETPAYLOAD_TIMEOUT = 1.seconds
 
     let

scripts/test_merge_node.nim

@@ -29,11 +29,11 @@ from ../beacon_chain/spec/presets import Eth1Address, defaultRuntimeConfig
 # TODO factor this out and have a version with the result of the JWT secret
 # slurp for testing purposes
 proc readJwtSecret(jwtSecretFile: string): Result[seq[byte], cstring] =
-  # https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/authentication.md#key-distribution
+  # https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/authentication.md#key-distribution
   # If such a parameter is given, but the file cannot be read, or does not
-  # contain a hex-encoded key of at least 256 bits, the client should treat
-  # this as an error: either abort the startup, or show error and continue
-  # without exposing the authenticated port.
+  # contain a hex-encoded key of 256 bits, the client should treat this as an
+  # error: either abort the startup, or show error and continue without
+  # exposing the authenticated port.
   const MIN_SECRET_LEN = 32
 
   try:

scripts/test_merge_vectors.nim

@@ -28,11 +28,11 @@ else:
 # TODO hm, actually factor this out into a callable function
 # and have a version with the result of the JWT secret slurp for testing purposes
 proc readJwtSecret(jwtSecretFile: string): Result[seq[byte], cstring] =
-  # https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/authentication.md#key-distribution
+  # https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/authentication.md#key-distribution
   # If such a parameter is given, but the file cannot be read, or does not
-  # contain a hex-encoded key of at least 256 bits, the client should treat
-  # this as an error: either abort the startup, or show error and continue
-  # without exposing the authenticated port.
+  # contain a hex-encoded key of 256 bits, the client should treat this as an
+  # error: either abort the startup, or show error and continue without
+  # exposing the authenticated port.
   const MIN_SECRET_LEN = 32
 
   try: