diff --git a/bcs/network/p2pv1/server.go b/bcs/network/p2pv1/server.go
index cbbaa689..55b5be27 100644
--- a/bcs/network/p2pv1/server.go
+++ b/bcs/network/p2pv1/server.go
@@ -131,7 +131,7 @@ func (p *P2PServerV1) serve() {
 	)
 
 	if p.config.IsTls {
-		creds, err := p2p.NewTLS(p.config.KeyPath, p.config.ServiceName)
+		creds, err := p2p.ServerNewTLS(p.config.KeyPath, p.config.CertKeyPath, p.config.GMCertKeyPath)
 		if err != nil {
 			panic(err)
 		}
diff --git a/go.mod b/go.mod
index d92f7749..ffecd41f 100644
--- a/go.mod
+++ b/go.mod
@@ -3,11 +3,9 @@ module github.com/xuperchain/xupercore
 go 1.14
 
 require (
-	github.com/ChainSafe/go-schnorrkel v0.0.0-20200626160457-b38283118816 // indirect
 	github.com/aws/aws-sdk-go v1.32.4
 	github.com/btcsuite/btcutil v0.0.0-20190425235716-9e5f4b9a998d
 	github.com/dgraph-io/badger/v3 v3.2103.1
-	github.com/docker/go-connections v0.4.1-0.20180821093606-97c2040d34df // indirect
 	github.com/docker/go-units v0.4.0
 	github.com/emirpasic/gods v1.12.1-0.20201118132343-79df803e554c
 	github.com/fsouza/go-dockerclient v1.6.0
@@ -15,7 +13,6 @@ require (
 	github.com/gogo/protobuf v1.3.2
 	github.com/golang/protobuf v1.4.3
 	github.com/golang/snappy v0.0.3
-	github.com/google/gofuzz v1.1.1-0.20200604201612-c04b05f3adfa // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.2.2
 	github.com/hashicorp/golang-lru v0.5.4
 	github.com/hyperledger/burrow v0.30.5
@@ -34,6 +31,7 @@ require (
 	github.com/spf13/cobra v1.0.0
 	github.com/spf13/viper v1.6.2
 	github.com/syndtr/goleveldb v1.0.1-0.20200815110645-5c35d600f0ca
+	github.com/tjfoc/gmsm v1.4.2-0.20220114090716-36b992c51540
 	github.com/xuperchain/crypto v0.0.0-20211221122406-302ac826ac90
 	github.com/xuperchain/log15 v0.0.0-20190620081506-bc88a9198230
 	github.com/xuperchain/xvm v0.0.0-20210126142521-68fd016c56d7
diff --git a/go.sum b/go.sum
index 614e9a17..ef5957ee 100644
--- a/go.sum
+++ b/go.sum
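Review bot: The credentials returned by the new `ServerNewTLS` call set `ClientAuth: tls.RequireAndVerifyClientCert` (see the util.go hunk), so from this line on every peer must present a certificate chaining to one of the loaded `cacert.pem` bundles; the replaced `NewTLS` config shows no `ClientAuth` field in the visible part of its hunk, so this looks like a switch from server-only to mutual TLS and deserves a comment at the call site, e.g. `// ServerNewTLS requires and verifies client certificates; peers without a cert signed by a loaded CA are rejected`. The `panic(err)` is pre-existing, but with three certificate directories now involved the error that reaches it should name which path failed, which is best done inside `ServerNewTLS` by wrapping with `fmt.Errorf`. `serve()` continues outside the hunk.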
@@ -7,9 +7,8 @@ github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/ChainSafe/go-schnorrkel v0.0.0-20200102211924-4bcbc698314f h1:4O1om+UVU+Hfcihr1timk8YNXHxzZWgCo7ofnrZRApw=
 github.com/ChainSafe/go-schnorrkel v0.0.0-20200102211924-4bcbc698314f/go.mod h1:URdX5+vg25ts3aCh8H5IFZybJYKWhJHYMTnf+ULtoC4=
-github.com/ChainSafe/go-schnorrkel v0.0.0-20200626160457-b38283118816 h1:X5jJ3e/jgFSnSoYOep/mf6pF1RuLZfvF1ts8NZIyzqE=
-github.com/ChainSafe/go-schnorrkel v0.0.0-20200626160457-b38283118816/go.mod h1:URdX5+vg25ts3aCh8H5IFZybJYKWhJHYMTnf+ULtoC4=
 github.com/Kubuxu/go-os-helper v0.0.1/go.mod h1:N8B+I7vPCT80IcP58r50u4+gEEcsZETFUpAzWW2ep1Y=
 github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5 h1:ygIc8M6trr62pF5DucadTWGdEB4mEyvzi0e2nbcmcyA=
 github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw=
@@ -112,9 +111,8 @@ github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BU
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v1.4.2-0.20191101170500-ac7306503d23 h1:oqgGT9O61YAYvI41EBsLePOr+LE6roB0xY4gpkZuFSE=
 github.com/docker/docker v1.4.2-0.20191101170500-ac7306503d23/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
-github.com/docker/go-connections v0.4.1-0.20180821093606-97c2040d34df h1:cGbd/ECh4QPOc6+Tbvdk5NjCcOYESiwc1RjXp0XciVg=
-github.com/docker/go-connections v0.4.1-0.20180821093606-97c2040d34df/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
@@ -207,9 +205,8 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.1.1-0.20200604201612-c04b05f3adfa h1:Q75Upo5UN4JbPFURXZ8nLKYUvF85dyFRop/vQ0Rv+64=
-github.com/google/gofuzz v1.1.1-0.20200604201612-c04b05f3adfa/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gopacket v1.1.17 h1:rMrlX2ZY2UbvT+sdz3+6J+pp2z+msCq9MxTU6ymxbBY=
 github.com/google/gopacket v1.1.17/go.mod h1:UdDNZ1OO62aGYVnPhxT1U6aI7ukYtA/kB8vaU0diBUM=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
@@ -760,6 +757,8 @@ github.com/tendermint/tendermint v0.33.1/go.mod h1:fBOKyrlXOETqQ+heL8x/TZgSdmItO
 github.com/tendermint/tm-db v0.4.0/go.mod h1:+Cwhgowrf7NBGXmsqFMbwEtbo80XmyrlY5Jsk95JubQ=
 github.com/test-go/testify v1.1.4 h1:Tf9lntrKUMHiXQ07qBScBTSA0dhYQlu83hswqelv1iE=
 github.com/test-go/testify v1.1.4/go.mod h1:rH7cfJo/47vWGdi4GPj16x3/t1xGOj2YxzmNQzk2ghU=
+github.com/tjfoc/gmsm v1.4.2-0.20220114090716-36b992c51540 h1:Q7nxhP4rDahaXbLofX2fRX1dcEoQRvlJA0Hd2hGgh9k=
+github.com/tjfoc/gmsm v1.4.2-0.20220114090716-36b992c51540/go.mod h1:j4INPkHWMrhJb38G+J6W4Tw0AbuN8Thu3PbdVYhVcTE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmthrgd/atomics v0.0.0-20190904060638-dc7a5fcc7e0d h1:2QXSQjy/gDm0QeP9G9NaO9Hm2Cl1LAle4ZV0JeYK7XY=
 github.com/tmthrgd/atomics v0.0.0-20190904060638-dc7a5fcc7e0d/go.mod h1:J2+dTgaX/1g3PkyL6sLBglBWfaLmAp5bQbRhSfKw9XI=
@@ -853,6 +852,7 @@ golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200221231518-2aa609cf4a9d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200423211502-4bdfaf469ed5/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 h1:It14KIkyBFYkHkwZ7k45minvA9aorojkyjGk9KJ5B/w=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -894,6 +894,7 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200813134508-3edf25e44fcc/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 h1:qWPm9rbaAMKs8Bq/9LRpbMqxWRVUAQwMI9fVrssnTfw=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -998,6 +999,7 @@ google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
+google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.35.0 h1:TwIQcH3es+MojMVojxxfQ3l3OF2KzlRxML2xZq0kRo8=
 google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
diff --git a/kernel/network/config/config.go b/kernel/network/config/config.go
index 9141be74..66b316ce 100644
--- a/kernel/network/config/config.go
+++ b/kernel/network/config/config.go
@@ -59,6 +59,10 @@ type NetConf struct {
 	IsTls bool `yaml:"isTls,omitempty"`
 	// ServiceName
 	ServiceName string `yaml:"serviceName,omitempty"`
+	// Server not GM cert path
+	CertKeyPath string `yaml:"certKeyPath,omitempty"`
+	// Server GM cert path
+	GMCertKeyPath string `yaml:"gmCertKeyPath,omitempty"`
 }
 
 func LoadP2PConf(cfgFile string) (*NetConf, error) {
diff --git a/kernel/network/context/context.go b/kernel/network/context/context.go
index 029398b8..5ea9f620 100644
--- a/kernel/network/context/context.go
+++ b/kernel/network/context/context.go
@@ -35,6 +35,8 @@ func NewNetCtx(envCfg *xconf.EnvConf) (*NetCtx, error) {
 
 	// 配置路径转为绝对路径
 	cfg.KeyPath = envCfg.GenDataAbsPath(cfg.KeyPath)
+	cfg.GMCertKeyPath = envCfg.GenDataAbsPath(cfg.GMCertKeyPath)
+	cfg.CertKeyPath = envCfg.GenDataAbsPath(cfg.CertKeyPath)
 
 	log, err := logs.NewLogger("", def.SubModName)
 	if err != nil {
diff --git a/kernel/network/p2p/util.go b/kernel/network/p2p/util.go
index 22222168..b6388973 100644
--- a/kernel/network/p2p/util.go
+++ b/kernel/network/p2p/util.go
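Review bot: The comments on the two new `NetConf` fields are fragments that do not say what the values are; from the util.go hunk each is a directory expected to contain `cert.pem`, `private.key` and `cacert.pem`, and both keys are optional (`omitempty`). Suggested: `// CertKeyPath is the directory holding the standard (non-GM) server cert.pem, private.key and cacert.pem; optional` and `// GMCertKeyPath is the directory holding the GM server cert.pem, private.key and cacert.pem, served to clients that offer GMSSL; optional`.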
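Review bot: Both new assignments call `GenDataAbsPath` unconditionally, but the two YAML keys are `omitempty` and so are empty whenever an operator has not configured them; what `GenDataAbsPath("")` returns is not visible here, and if it resolves to the data directory itself `ServerNewTLS` will look for `cert.pem` there instead of seeing an unset path. Guarding each line, `if cfg.CertKeyPath != "" { cfg.CertKeyPath = envCfg.GenDataAbsPath(cfg.CertKeyPath) }` and the same for `GMCertKeyPath`, keeps an unset path empty so the callee's fallback to the default certificate is the deliberate outcome rather than a side effect of a failed file read. `NewNetCtx` continues outside the hunk.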
@@ -2,8 +2,6 @@ package p2p
 
 import (
 	"crypto/rand"
-	"crypto/tls"
-	"crypto/x509"
 	"encoding/base64"
 	"encoding/pem"
 	"io/ioutil"
@@ -12,6 +10,10 @@ import (
 	"path/filepath"
 	"time"
 
+	tls "github.com/tjfoc/gmsm/gmtls"
+	"github.com/tjfoc/gmsm/gmtls/gmcredentials"
+	"github.com/tjfoc/gmsm/x509"
+
 	iaddr "github.com/ipfs/go-ipfs-addr"
 	"github.com/libp2p/go-libp2p-core/crypto"
 	"github.com/libp2p/go-libp2p-core/peer"
@@ -21,24 +23,35 @@ import (
 )
 
 func NewTLS(path, serviceName string) (credentials.TransportCredentials, error) {
+	//读取 cacert.pem 证书
 	bs, err := ioutil.ReadFile(filepath.Join(path, "cacert.pem"))
 	if err != nil {
 		return nil, err
 	}
-
 	certPool := x509.NewCertPool()
 	ok := certPool.AppendCertsFromPEM(bs)
 	if !ok {
 		return nil, err
 	}
-
 	certificate, err := tls.LoadX509KeyPair(filepath.Join(path, "cert.pem"), filepath.Join(path, "private.key"))
 	if err != nil {
 		return nil, err
 	}
+	var tlsGMSupport *tls.GMSupport
 
-	creds := credentials.NewTLS(
+	pb, _ := pem.Decode(bs)
+	x509cert, err := x509.ParseCertificate(pb.Bytes)
+	if err != nil {
+		return nil, err
+	}
+	if x509cert.SignatureAlgorithm == x509.SM2WithSM3 { //国密
+		tlsGMSupport = tls.NewGMSupport()
+	} else {
+		tlsGMSupport = nil
+	}
+	creds := gmcredentials.NewTLS(
 		&tls.Config{
+			GMSupport: tlsGMSupport,
 			ServerName: serviceName,
 			Certificates: []tls.Certificate{certificate},
 			RootCAs: certPool,
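Review bot: Importing `github.com/tjfoc/gmsm/gmtls` under the alias `tls`, and its `x509` fork under the stdlib package name, means every `tls.Config`, `tls.Certificate` and `x509.CertPool` in this file now resolves to the third-party fork while reading exactly like `crypto/tls`; a one-line comment on the import group, `// gmtls and gmsm/x509 are GM-capable forks of crypto/tls and crypto/x509; all tls./x509. references in this file resolve to them`, saves the next reader from checking. The module is pinned in go.mod to a pseudo-version of a commit rather than a tagged release, so the reason that commit was chosen (and what it is expected to be upgraded to) belongs in the commit message.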
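Review bot: `pb, _ := pem.Decode(bs)` never checks `pb` for nil, so a `cacert.pem` with no PEM block panics on `pb.Bytes` on the next line in a function that otherwise reports errors; add `if pb == nil { return nil, fmt.Errorf("%s: no PEM block in cacert.pem", path) }` before the parse (importing `fmt` if the file does not already). The GM decision is then taken from the signature algorithm of the first certificate in `cacert.pem`, i.e. the CA, rather than from the client's own `certificate`; presumably deployments pair an SM2 leaf with an SM2 CA, but that assumption should be confirmed and stated in the `//国密` comment. The `else { tlsGMSupport = nil }` branch is redundant, since `var tlsGMSupport *tls.GMSupport` already holds nil. The pre-existing `if !ok { return nil, err }` a few lines above still returns a nil error when the pool rejects the bundle; not part of this change, but worth fixing while the function is being touched.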
@@ -48,6 +61,73 @@ func NewTLS(path, serviceName string) (credentials.TransportCredentials, error)
 	return creds, nil
 }
 
+func ServerNewTLS(defaultCertPath string, commonCertPath string, gmCertPath string) (credentials.TransportCredentials, error) {
+	// 加载默认 netKeys 下的证书
+	certificate, err := tls.LoadX509KeyPair(filepath.Join(defaultCertPath, "cert.pem"), filepath.Join(defaultCertPath, "private.key"))
+	if err != nil {
+		return nil, err
+	}
+	defaultCaPem, err := ioutil.ReadFile(filepath.Join(defaultCertPath, "cacert.pem"))
+	if err != nil {
+		return nil, err
+	}
+
+	certPool := x509.NewCertPool()
+	certPool.AppendCertsFromPEM(defaultCaPem)
+
+	fncGetEncCertKeypair := func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		return &certificate, nil
+	}
+
+	fncGetCertificate := func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		gmFlag := false
+		// 检查支持协议中是否包含GMSSL
+		for _, v := range info.SupportedVersions {
+			if v == tls.VersionGMSSL {
+				gmFlag = true
+				break
+			}
+		}
+		if gmFlag { // GM Cert
+			gmCert, err := tls.LoadX509KeyPair(filepath.Join(gmCertPath, "cert.pem"), filepath.Join(gmCertPath, "private.key"))
+			if err != nil {
+				return &certificate, nil
+			}
+			bs, err := ioutil.ReadFile(filepath.Join(gmCertPath, "cacert.pem"))
+			if err != nil {
+				return &certificate, nil
+			}
+			certPool.AppendCertsFromPEM(bs)
+			fncGetEncCertKeypair = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+				return &gmCert, nil
+			}
+			return &gmCert, nil
+		} else { // not GM cert
+			commonCert, err := tls.LoadX509KeyPair(filepath.Join(commonCertPath, "cert.pem"), filepath.Join(commonCertPath, "private.key"))
+			if err != nil {
+				return &certificate, nil
+			}
+			bs, err := ioutil.ReadFile(filepath.Join(commonCertPath, "cacert.pem"))
+			if err != nil {
+				return &certificate, nil
+			}
+			certPool.AppendCertsFromPEM(bs)
+			return &commonCert, nil
+		}
+	}
+	creds := gmcredentials.NewTLS(&tls.Config{
+		GMSupport: &tls.GMSupport{
+			WorkMode: tls.ModeAutoSwitch,
+		},
+		RootCAs: certPool,
+		ClientCAs: certPool,
+		GetKECertificate: fncGetEncCertKeypair,
+		GetCertificate: fncGetCertificate,
+		ClientAuth: tls.RequireAndVerifyClientCert,
+	})
+	return creds, nil
+}
+
 // GenerateKeyPairWithPath generate xuper net key pair
 func GenerateKeyPairWithPath(path string) error {
 	priv, _, err := crypto.GenerateKeyPairWithReader(crypto.RSA, 2048, rand.Reader)
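Review bot: `fncGetCertificate` mutates state shared across handshakes from inside the callback — it appends to `certPool`, which the Config already holds as `RootCAs` and `ClientCAs`, and it reassigns the captured `fncGetEncCertKeypair` — and since the TLS library presumably runs the callback once per ClientHello on concurrent connections, that is a data race on the pool and on the closure variable, and the key-exchange certificate handed to later handshakes depends on which client connected first. It also re-reads both key pairs and `cacert.pem` from disk on every handshake and silently falls back to the default certificate when that fails, with the `AppendCertsFromPEM` result ignored at all three call sites. Loading the common and GM material once at construction (falling back to the default certificate exactly as the callbacks do now) and letting the callbacks only choose between preloaded certificates removes the race and the per-handshake I/O; the rewrite below keeps those fallback semantics. Whether the GM profile expects the same key pair from both `GetCertificate` and `GetKECertificate`, as the code returns today, should be confirmed against gmtls and recorded in a comment. The exported function also needs a doc comment, e.g. `// ServerNewTLS builds server credentials that present the certificate under commonCertPath to TLS clients and the one under gmCertPath to GMSSL clients, falling back to defaultCertPath when either is unreadable; client certificates are required and verified against the combined cacert.pem bundles.`
```go
func ServerNewTLS(defaultCertPath string, commonCertPath string, gmCertPath string) (credentials.TransportCredentials, error) {
	// … unchanged: load the default cert.pem/private.key into certificate and cacert.pem into defaultCaPem …

	certPool := x509.NewCertPool()
	if !certPool.AppendCertsFromPEM(defaultCaPem) {
		return nil, fmt.Errorf("%s: no certificates found in cacert.pem", defaultCertPath)
	}

	// loadOptional reads a cert/key pair and its CA bundle once, at construction time.
	// A missing or unreadable directory falls back to the default certificate, as the
	// per-handshake callbacks did before, but the decision is now made exactly once.
	loadOptional := func(dir string) *tls.Certificate {
		if dir == "" {
			return &certificate
		}
		cert, err := tls.LoadX509KeyPair(filepath.Join(dir, "cert.pem"), filepath.Join(dir, "private.key"))
		if err != nil {
			return &certificate
		}
		caPem, err := ioutil.ReadFile(filepath.Join(dir, "cacert.pem"))
		if err != nil || !certPool.AppendCertsFromPEM(caPem) {
			return &certificate
		}
		return &cert
	}
	commonCert := loadOptional(commonCertPath)
	gmCert := loadOptional(gmCertPath)

	// offersGMSSL reports whether the ClientHello lists the GMSSL protocol version.
	offersGMSSL := func(info *tls.ClientHelloInfo) bool {
		for _, v := range info.SupportedVersions {
			if v == tls.VersionGMSSL {
				return true
			}
		}
		return false
	}

	// The callbacks only select between certificates loaded above; they no longer
	// touch certPool or reassign each other, so concurrent handshakes share read-only state.
	fncGetCertificate := func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if offersGMSSL(info) {
			return gmCert, nil
		}
		return commonCert, nil
	}
	fncGetEncCertKeypair := func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if offersGMSSL(info) {
			return gmCert, nil
		}
		return &certificate, nil
	}

	// … unchanged: gmcredentials.NewTLS(&tls.Config{...}) and return creds, nil …
}
```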