{"id":13766192,"url":"https://github.com/ConsenSys/tessera","last_synced_at":"2025-05-10T21:33:15.399Z","repository":{"id":37742459,"uuid":"134236467","full_name":"Consensys/tessera","owner":"Consensys","description":"Tessera - Enterprise Implementation of Quorum's transaction manager","archived":false,"fork":false,"pushed_at":"2025-03-24T23:53:20.000Z","size":1628819,"stargazers_count":184,"open_issues_count":65,"forks_count":109,"subscribers_count":36,"default_branch":"master","last_synced_at":"2025-04-14T20:58:11.965Z","etag":null,"topics":["blockchain","encryption","java","peer-to-peer","privacy","quorum"],"latest_commit_sha":null,"homepage":"https://docs.tessera.consensys.net/","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Consensys.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"security/build.gradle","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2018-05-21T07:50:46.000Z","updated_at":"2025-04-04T03:04:47.000Z","dependencies_parsed_at":"2024-11-17T02:33:14.639Z","dependency_job_id":"eb7e9a7b-811c-46ac-904c-9ff028253e04","html_url":"https://github.com/Consensys/tessera","commit_stats":null,"previous_names":["jpmorganchase/tessera"],"tags_count":58,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Consensys%2Ftessera","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Consensys%2Ftessera/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Consensys%2Ftessera/releases","manifests_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Consensys%2Ftessera/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Consensys","download_url":"https://codeload.github.com/Consensys/tessera/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253486249,"owners_count":21916134,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blockchain","encryption","java","peer-to-peer","privacy","quorum"],"created_at":"2024-08-03T16:00:52.495Z","updated_at":"2025-05-10T21:33:12.278Z","avatar_url":"https://github.com/Consensys.png","language":"Java","readme":"![Build Status](https://github.com/consensys/tessera/actions/workflows/gradle.yml/badge.svg)\n[![codecov](https://codecov.io/gh/ConsenSys/tessera/branch/master/graph/badge.svg?token=XMRVPC5FLQ)](https://codecov.io/gh/ConsenSys/tessera)\n![Docker Pulls](https://img.shields.io/docker/pulls/quorumengineering/tessera)\n\n# \u003cimg src=\"https://raw.githubusercontent.com/consensys/tessera/master/tessera-logo.png\" width=\"150\" height=\"36\"/\u003e\n\n\u003e __Important: Breaking change__ \u003cbr/\u003eUsers running on [21.10.0](https://github.com/ConsenSys/tessera/releases/tag/tessera-21.10.0) and previous versions will need to perform a database upgrade to work with the latest version of Tessera.\u003cli\u003e For non-H2 users, existing database schema will need to be updated. 
Execute the appropriate [alter script](ddls/add-codec) provided.\u003c/li\u003e \u003cli\u003e For H2 users, a complete database migration is required before running the [alter script](ddls/add-codec). This is due to the considerable number of changes between version 1.4.200 and version 2.0.202 onwards. See more details from [H2 release](https://github.com/h2database/h2database/releases/tag/version-2.0.202) and their recommended [upgrade process](https://h2database.com/html/tutorial.html#upgrade_backup_restore). Example migration scripts can be found [here](ddls/scripts/h2-upgrade.sh)\n\n\u003e __Important: If using version 21.4.1 and earlier__ \u003cbr/\u003eTessera is now released as a zipped distribution instead of an uber jar.  If using version 21.4.1 and earlier, see the [previous README](https://github.com/ConsenSys/tessera/tree/tessera-21.4.1).\n\nTessera is a stateless Java system that is used to enable the encryption, decryption, and distribution of private transactions for [Quorum](https://github.com/consensys/quorum/) and/or [Besu](http://github.com/hyperledger/besu)\n\nEach Tessera node:\n\n* Generates and maintains a number of private/public key pairs\n\n* Self manages and discovers all nodes in the network (i.e. 
their public keys) by connecting to as few as one other node\n\n* Provides Private and Public API interfaces for communication:\n    * Private API - This is used for communication with Quorum\n    * Public API - This is used for communication between Tessera peer nodes\n\n* Provides two way SSL using TLS certificates and various trust models like Trust On First Use (TOFU), whitelist,\n    certificate authority, etc.\n\n* Supports IP whitelist\n\n* Connects to any SQL DB which supports the JDBC client\n\n## Documentation\n[Docs](https://docs.tessera.consensys.net/en/stable/)\n\n## Artefacts\n\n### Runnable distributions\n\n#### Tessera\n- [Tessera distribution](https://github.com/consensys/tessera/releases): Start a Tessera node\n\n#### Remote Enclave Server\n- [Remote Enclave Server distribution](enclave/enclave-jaxrs): Start a remote enclave\n\n### Optional Artefacts\n\nThe following artefacts can be [added to a distribution](#supplementing-the-distribution) to provide additional functionality.\n\n#### Key Vaults\n- [Azure](key-vault/azure-key-vault): Add support for key pairs stored in Azure Key Vault \n- [AWS](key-vault/aws-key-vault): Add support for key pairs stored in AWS Secret Store\n- [Hashicorp](key-vault/hashicorp-key-vault): Add support for key pairs stored in Hashicorp Vault\n\n#### Encryptors\n- [jnacl](encryption/encryption-jnacl): (already included in Tessera and Remote Enclave Server distributions) Add support for NaCl key pairs using [jnacl](https://github.com/neilalexander/jnacl) library\n- [Elliptical Curve](encryption/encryption-ec): Add support for elliptic curve key pairs\n- [kalium](encryption/encryption-kalium): Add support for NaCl key pairs using [kalium](https://github.com/abstractj/kalium) library\n\n## Prerequisites\n- [Java](https://www.oracle.com/technetwork/java/javase/downloads/index.html)\n    - Java 17+\n\n- [Optional: Gradle](https://gradle.org/install/)\u003cbr/\u003e\n    - If you want to use a locally installed Gradle rather 
than the included wrapper. Note: wrapper currently uses Gradle 7.0.2.\n\n## Building Tessera from source\nTo build and install Tessera:\n1. Clone this repo\n1. Build using the included Gradle Wrapper file\n    ```\n    ./gradlew build   \n    ```\n\n## Installing Tessera\nDownload and unpack distribution:\n```\n$ tar xvf tessera-[version].tar\n$ tree tessera-[version]\ntessera-[version]\n├── bin\n│   ├── tessera\n│   └── tessera.bat\n└── lib\n    ├── HikariCP-3.2.0.jar\n    ...\n```\nRun Tessera (use correct `/bin` script for your system): \n```\n./tessera-[version]/bin/tessera help\n```\n\n## Supplementing the distribution\n\nAdditional functionality can be added to a distribution by adding `.jar` files to the `/lib` directory.\n\n### Adding Tessera artefacts\n\nDownload and unpack the artefact:\n```\n$ tar xvf aws-key-vault-[version].tar\n$ tree aws-key-vault-[version]\naws-key-vault-[version].tar\n└── lib\n    ├── annotations-2.10.25.jar\n    ...\n```\n\nCopy the contents of the artefact's `/lib` into the distribution `/lib` (make sure to resolve any version conflicts/duplicated `.jar` files introduced during the copy):\n\n```\n cp -a aws-key-vault-[version]/lib/. tessera-[version]/lib/\n```\n\n### Supporting alternate databases\n\nBy default, Tessera uses an H2 database.  To use an alternative database, add the necessary drivers to the `lib/` dir:\n\nFor example, to use Oracle database:\n```\ncp ojdbc7.jar tessera-[version]/lib/\n```\n\n[DDLs](ddls/create-table) have been provided to help with defining these databases.\n\nSince Tessera 0.7 a timestamp is recorded with each encrypted transaction stored in the Tessera DB.  
To update an existing DB to work with Tessera 0.7+, execute one of the provided [alter scripts](ddls/add-timestamp).\n\n## Docker images\n\n* See [quorumengineering/tessera](https://hub.docker.com/repository/docker/quorumengineering/tessera) Docker repository for available images\n    * See [docker/README.md](docker) for details on the various images available \n\n* To build images from source see [docker/README.md](docker)\n\n## Configuration\n\n### Config File\n\nA configuration file detailing database, server and network peer information must be provided using the `-configfile`\ncommand line property.\n\nAn in-depth look at configuring Tessera can be found in the [Tessera Documentation](https://docs.tessera.consensys.net/en/latest/HowTo/Configure/Tessera) and includes details on all aspects of configuration including:\n* Cryptographic key config:\n    * Using existing private/public key pairs with Tessera\n    * How to use Tessera to generate new key pairs\n* TLS config\n    * How to enable TLS\n    * Choosing a trust mode\n\n#### Obfuscate database password in config file\n\nCertain entries in the Tessera config file must be obfuscated to prevent attackers from gaining access to critical parts of the application (i.e. the database). 
For the time being, Tessera users can enable encryption of the database password so that it is not exposed as plain text in the configuration file.\n\nTessera uses the [jasypt](http://www.jasypt.org) library together with its JAXB integration to encrypt/decrypt config values.\n\nTo enable this feature, replace your plain-text database password with its encrypted value and wrap it inside an `ENC()` function.\n\n```json\n    \"jdbc\": {\n        \"username\": \"sa\",\n        \"password\": \"ENC(ujMeokIQ9UFHSuBYetfRjQTpZASgaua3)\",\n        \"url\": \"jdbc:h2:/qdata/c1/db1\",\n        \"autoCreateTables\": true\n    }\n```\n\nBeing a password-based encryptor, jasypt requires a secret key (password) and a configured algorithm to encrypt/decrypt this config entry. This password can be loaded into Tessera either from the file system or from user input. For file system input, the location of the secret file must be set in the environment variable `TESSERA_CONFIG_SECRET`.\n\nIf the database password is not wrapped inside the `ENC()` function, Tessera treats it as a plain-text password; this approach is not recommended for production environments.\n\n* Please note that at the moment jasypt encryption is only enabled on the `jdbc.password` field.\n\n##### Encrypt database password\n\nDownload and unzip the [jasypt](http://www.jasypt.org) package. 
Change to the `bin` directory, where the following command can be used to encrypt a string:\n\n```bash\nbash-3.2$ ./encrypt.sh input=dbpassword password=quorum\n\n----ENVIRONMENT-----------------\n\nRuntime: Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 25.171-b11\n\n\n\n----ARGUMENTS-------------------\n\ninput: dbpassword\npassword: quorum\n\n\n\n----OUTPUT----------------------\n\nrJ70hNidkrpkTwHoVn2sGSp3h3uBWxjb\n\n```\n\nTake this output and wrap it inside the `ENC()` function, which gives `ENC(rJ70hNidkrpkTwHoVn2sGSp3h3uBWxjb)` in the config JSON file.\n\n## Further reading\n* The [Tessera Documentation](https://docs.tessera.consensys.net/en/latest/) provides additional information on how Tessera works, migrating from Constellation to Tessera, configuration details, and more.\n* [Quorum](https://github.com/consensys/quorum/) is an Ethereum-based distributed ledger protocol that uses Tessera to provide transaction privacy.\n* Follow the [Quorum Examples](https://github.com/consensys/quorum-examples) to see Tessera in action in a demo Quorum network.\n\n## Reporting Security Bugs\nSecurity is part of our commitment to our users. At Quorum we have a close relationship with the security community, we understand the realm, and encourage security researchers to become part of our mission of building secure reliable software. This section explains how to submit security bugs, and what to expect in return.\n\nAll security bugs in Quorum and its ecosystem (Tessera, Constellation, Cakeshop, etc.) should be reported by email to security-quorum@consensys.net. Please use the prefix [security] in your subject. This email is delivered to the Quorum security team. Your email will be acknowledged, and you'll receive a more detailed response to your email as soon as possible indicating the next steps in handling your report. 
After the initial reply to your report, the security team will endeavor to keep you informed of the progress being made towards a fix and full announcement.\n\nIf you have not received a reply to your email or you have not heard from the security team please contact any team member through [Discord](https://discord.com/channels/697535391594446898/905421497416433704). *Please note* that Discord channels are a public discussion forum. When escalating to this medium, please do not disclose the details of the issue. Simply state that you're trying to reach a member of the security team.\n\n## Responsible Disclosure Process\nThe Quorum project uses the following responsible disclosure process:\n\n1. Once the security report is received it is assigned a primary handler. This person coordinates the fix and release process.\n1. The issue is confirmed and a list of affected software is determined.\n1. Code is audited to find any potential similar problems.\n1. If it is determined, in consultation with the submitter, that a CVE-ID is required, the primary handler will trigger the process.\n1. Fixes are applied to the public repository and a new release is issued.\n1. On the date that the fixes are applied, announcements are sent to Quorum-announce.\n1. At this point you are able to publicly disclose your finding.\n\n*Note:* This process can take some time. Every effort will be made to handle the security bug in as timely a manner as possible, however it's important that we follow the process described above to ensure that disclosures are handled consistently.\n\n## Receiving Security Updates\nThe best way to receive security announcements is to subscribe to the Quorum-announce mailing list/channel. 
Any messages pertaining to a security issue will be prefixed with [security].\n\n## Comments on This Policy\nIf you have any suggestions to improve this policy, please send an email to info@goquorum.com for discussion.\n\n## Contributing\nTessera is built open source and we welcome external contributions on features and enhancements. Upon review you will be required to complete a Contributor License Agreement (CLA) before we are able to merge. If you have any questions about the contribution process, please feel free to send an email to [info@goquorum.com](mailto:info@goquorum.com). Please see the [Contributors guide](.github/CONTRIBUTING.md) for more information about the process.\n\n# Getting Help\nStuck at some step? Please join our \u003ca href=\"https://discord.com/channels/697535391594446898/905421497416433704\" target=\"_blank\" rel=\"noopener\"\u003ecommunity\u003c/a\u003e for support.\n","funding_links":[],"categories":["Software components"],"sub_categories":["Private Transaction Manager"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FConsenSys%2Ftessera","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FConsenSys%2Ftessera","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FConsenSys%2Ftessera/lists"}