From b9b76f60812a8d0adc1706b6f1f08db22efb0aaa Mon Sep 17 00:00:00 2001
From: springrain <chunanyong@163.com>
Date: Tue, 9 Nov 2021 11:41:37 +0800
Subject: [PATCH 1/9] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E5=9B=BD=E5=AF=86?=
 =?UTF-8?q?=E6=94=AF=E6=8C=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 go.mod                     |  6 ++--
 kernel/network/p2p/util.go | 71 +++++++++++++++++++++++++++++---------
 2 files changed, 56 insertions(+), 21 deletions(-)

diff --git a/go.mod b/go.mod
index 082a4805..35998020 100644
--- a/go.mod
+++ b/go.mod
@@ -3,11 +3,9 @@ module github.com/xuperchain/xupercore
 go 1.14
 
 require (
-	github.com/ChainSafe/go-schnorrkel v0.0.0-20200626160457-b38283118816 // indirect
 	github.com/aws/aws-sdk-go v1.32.4
 	github.com/btcsuite/btcutil v0.0.0-20190425235716-9e5f4b9a998d
 	github.com/dgraph-io/badger/v3 v3.2103.1
-	github.com/docker/go-connections v0.4.1-0.20180821093606-97c2040d34df // indirect
 	github.com/docker/go-units v0.4.0
 	github.com/emirpasic/gods v1.12.1-0.20201118132343-79df803e554c
 	github.com/fsouza/go-dockerclient v1.6.0
@@ -15,7 +13,6 @@ require (
 	github.com/gogo/protobuf v1.3.2
 	github.com/golang/protobuf v1.4.3
 	github.com/golang/snappy v0.0.3
-	github.com/google/gofuzz v1.1.1-0.20200604201612-c04b05f3adfa // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.2.2
 	github.com/hashicorp/golang-lru v0.5.4
 	github.com/hyperledger/burrow v0.30.5
@@ -33,10 +30,11 @@ require (
 	github.com/spf13/cobra v1.0.0
 	github.com/spf13/viper v1.6.2
 	github.com/syndtr/goleveldb v1.0.1-0.20200815110645-5c35d600f0ca
+	github.com/tjfoc/gmsm v1.4.1
 	github.com/xuperchain/crypto v0.0.0-20201028025054-4d560674bcd6
 	github.com/xuperchain/log15 v0.0.0-20190620081506-bc88a9198230
 	github.com/xuperchain/xvm v0.0.0-20210126142521-68fd016c56d7
-	golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de
+	golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee
 	golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9
 	google.golang.org/grpc v1.35.0
 )
diff --git a/kernel/network/p2p/util.go b/kernel/network/p2p/util.go
index 22222168..849f1b7d 100644
--- a/kernel/network/p2p/util.go
+++ b/kernel/network/p2p/util.go
@@ -2,16 +2,21 @@ package p2p
 
 import (
 	"crypto/rand"
-	"crypto/tls"
-	"crypto/x509"
+	defaulttls "crypto/tls"
+	defaultx509 "crypto/x509"
 	"encoding/base64"
 	"encoding/pem"
 	"io/ioutil"
 	math_rand "math/rand"
 	"os"
 	"path/filepath"
+	"strings"
 	"time"
 
+	tls "github.com/tjfoc/gmsm/gmtls"
+	"github.com/tjfoc/gmsm/gmtls/gmcredentials"
+	"github.com/tjfoc/gmsm/x509"
+
 	iaddr "github.com/ipfs/go-ipfs-addr"
 	"github.com/libp2p/go-libp2p-core/crypto"
 	"github.com/libp2p/go-libp2p-core/peer"
@@ -25,27 +30,59 @@ func NewTLS(path, serviceName string) (credentials.TransportCredentials, error)
 	if err != nil {
 		return nil, err
 	}
-
-	certPool := x509.NewCertPool()
-	ok := certPool.AppendCertsFromPEM(bs)
-	if !ok {
+	cacert, err := ioutil.ReadFile(filepath.Join(path, "cacert.pem"))
+	if err != nil {
 		return nil, err
 	}
-
-	certificate, err := tls.LoadX509KeyPair(filepath.Join(path, "cert.pem"), filepath.Join(path, "private.key"))
+	pb, _ := pem.Decode(cacert)
+	x509cert, err := x509.ParseCertificate(pb.Bytes)
 	if err != nil {
 		return nil, err
 	}
+	if strings.Contains(strings.ToLower(x509cert.SignatureAlgorithm.String()), "sm") {
+		certPool := x509.NewCertPool()
+		ok := certPool.AppendCertsFromPEM(bs)
+		if !ok {
+			return nil, err
+		}
+		certificate, err := tls.LoadX509KeyPair(filepath.Join(path, "cert.pem"), filepath.Join(path, "private.key"))
+		if err != nil {
+			return nil, err
+		}
+		creds := gmcredentials.NewTLS(
+			&tls.Config{
+				GMSupport:    &tls.GMSupport{},
+				ServerName:   serviceName,
+				Certificates: []tls.Certificate{certificate, certificate},
+				RootCAs:      certPool,
+				ClientCAs:    certPool,
+				ClientAuth:   tls.RequireAndVerifyClientCert,
+			})
+		return creds, nil
+	} else {
+
+		certPool := defaultx509.NewCertPool()
+		ok := certPool.AppendCertsFromPEM(bs)
+		if !ok {
+			return nil, err
+		}
+
+		certificate, err := defaulttls.LoadX509KeyPair(filepath.Join(path, "cert.pem"), filepath.Join(path, "private.key"))
+		if err != nil {
+			return nil, err
+		}
+
+		creds := credentials.NewTLS(
+			&defaulttls.Config{
+				ServerName:   serviceName,
+				Certificates: []defaulttls.Certificate{certificate},
+				RootCAs:      certPool,
+				ClientCAs:    certPool,
+				ClientAuth:   defaulttls.RequireAndVerifyClientCert,
+			})
+		return creds, nil
+	}
 
-	creds := credentials.NewTLS(
-		&tls.Config{
-			ServerName:   serviceName,
-			Certificates: []tls.Certificate{certificate},
-			RootCAs:      certPool,
-			ClientCAs:    certPool,
-			ClientAuth:   tls.RequireAndVerifyClientCert,
-		})
-	return creds, nil
 }
 
 // GenerateKeyPairWithPath generate xuper net key pair
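Review bot: `pb, _ := pem.Decode(cacert)` is dereferenced on the next line without a nil check, so a cacert.pem that contains no PEM block panics in `x509.ParseCertificate(pb.Bytes)` instead of returning an error; add `if pb == nil { return nil, errors.New("cacert.pem: no PEM block found") }` (needs the `errors` import). Both branches also keep `if !ok { return nil, err }` after `AppendCertsFromPEM`, where `err` is nil, so a CA file with no usable certificate makes NewTLS return `(nil, nil)` and the caller continues as if mutual-TLS credentials had been built. The same two lines reappear in patch 9's rewrite of NewTLS. NewTLS begins above this hunk.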

From ac1d616429ffb7f1ca9fe2818f39e49c5d03effe Mon Sep 17 00:00:00 2001
From: springrain <chunanyong@163.com>
Date: Tue, 9 Nov 2021 14:04:38 +0800
Subject: [PATCH 2/9] =?UTF-8?q?xpoaConfig.Version=E5=AD=97=E6=AE=B5?=
 =?UTF-8?q?=E5=85=BC=E5=AE=B9=E8=80=81=E7=89=88=E6=9C=AC=E9=85=8D=E7=BD=AE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 bcs/consensus/xpoa/xpoa.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/bcs/consensus/xpoa/xpoa.go b/bcs/consensus/xpoa/xpoa.go
index dae38209..82eb2207 100644
--- a/bcs/consensus/xpoa/xpoa.go
+++ b/bcs/consensus/xpoa/xpoa.go
@@ -66,6 +66,10 @@ func NewXpoaConsensus(cCtx cctx.ConsensusCtx, cCfg def.ConsensusConfig) base.Con
 		cCtx.XLog.Error("consensus:xpoa:NewXpoaConsensus: xpoa struct unmarshal error", "error", err)
 		return nil
 	}
+	//兼容老的配置文件
+	if len(xconfig.Version) < 1 {
+		xconfig.Version = "2"
+	}
 	version, err := strconv.ParseInt(xconfig.Version, 10, 64)
 	if err != nil {
 		cCtx.XLog.Error("consensus:xpoa:NewXpoaConsensus: version error", "error", err)
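Review bot: The fallback at `if len(xconfig.Version) < 1` picks a consensus version silently, so an operator running an old config file gets no indication of which version the node chose. The literal also changes from "2" here to "0" in patch 3, which suggests it deserves a name and an explanation. A named constant with an English comment such as `// defaultXpoaVersion is used when the config file predates the version field.`, together with `if xconfig.Version == "" {`, would make the intent readable. NewXpoaConsensus starts and ends outside the hunk.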

From da89cbed0e56e1e78565f026092054a258cb44ae Mon Sep 17 00:00:00 2001
From: springrain <chunanyong@163.com>
Date: Tue, 9 Nov 2021 15:04:22 +0800
Subject: [PATCH 3/9] =?UTF-8?q?=E5=85=BC=E5=AE=B9=E8=80=81=E7=89=88?=
 =?UTF-8?q?=E6=9C=AC=E9=85=8D=E7=BD=AE=E6=96=87=E4=BB=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 bcs/consensus/xpoa/xpoa.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bcs/consensus/xpoa/xpoa.go b/bcs/consensus/xpoa/xpoa.go
index 82eb2207..88948095 100644
--- a/bcs/consensus/xpoa/xpoa.go
+++ b/bcs/consensus/xpoa/xpoa.go
@@ -66,9 +66,9 @@ func NewXpoaConsensus(cCtx cctx.ConsensusCtx, cCfg def.ConsensusConfig) base.Con
 		cCtx.XLog.Error("consensus:xpoa:NewXpoaConsensus: xpoa struct unmarshal error", "error", err)
 		return nil
 	}
-	//兼容老的配置文件
+	//兼容老版本配置文件
 	if len(xconfig.Version) < 1 {
-		xconfig.Version = "2"
+		xconfig.Version = "0"
 	}
 	version, err := strconv.ParseInt(xconfig.Version, 10, 64)
 	if err != nil {

From a1550e81c7cfa97b467fa6b5c1648a50ca1464dc Mon Sep 17 00:00:00 2001
From: springrain <chunanyong@163.com>
Date: Wed, 10 Nov 2021 14:31:44 +0800
Subject: [PATCH 4/9] =?UTF-8?q?serverName=20=20=E4=B8=BAkey,=E7=BC=93?=
 =?UTF-8?q?=E5=AD=98=20creds?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 kernel/network/p2p/util.go | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/kernel/network/p2p/util.go b/kernel/network/p2p/util.go
index 849f1b7d..84523485 100644
--- a/kernel/network/p2p/util.go
+++ b/kernel/network/p2p/util.go
@@ -6,6 +6,7 @@ import (
 	defaultx509 "crypto/x509"
 	"encoding/base64"
 	"encoding/pem"
+	"errors"
 	"io/ioutil"
 	math_rand "math/rand"
 	"os"
@@ -25,7 +26,20 @@ import (
 	"github.com/xuperchain/xupercore/kernel/network/config"
 )
 
+// serverName  为key,缓存 creds
+var serverNameMap = make(map[string]credentials.TransportCredentials)
+
 func NewTLS(path, serviceName string) (credentials.TransportCredentials, error) {
+
+	if len(serviceName) < 1 {
+		return nil, errors.New("serviceName is empty")
+	}
+
+	//如果缓存中有值
+	if creds, ok := serverNameMap[serviceName]; ok {
+		return creds, nil
+	}
+
 	bs, err := ioutil.ReadFile(filepath.Join(path, "cacert.pem"))
 	if err != nil {
 		return nil, err
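Review bot: The cache added here is keyed by `serviceName` alone, so a second NewTLS call with the same service name but a different `path` returns credentials built from the first directory's cacert.pem, cert.pem and private.key, and a certificate rotated on disk is never picked up for the life of the process. `serverNameMap` is also a plain map that is read here and written in the two later hunks of this patch (`serverNameMap[serviceName] = creds`) with no synchronization, which is a data race if NewTLS is called from more than one goroutine. Keying on both inputs, e.g. `key := path + "\x00" + serviceName`, and guarding every access with one shared mutex would address both. NewTLS continues past the end of this hunk.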
@@ -39,7 +53,8 @@ func NewTLS(path, serviceName string) (credentials.TransportCredentials, error)
 	if err != nil {
 		return nil, err
 	}
-	if strings.Contains(strings.ToLower(x509cert.SignatureAlgorithm.String()), "sm") {
+
+	if strings.Contains(strings.ToLower(x509cert.SignatureAlgorithm.String()), "sm") { //国密
 		certPool := x509.NewCertPool()
 		ok := certPool.AppendCertsFromPEM(bs)
 		if !ok {
@@ -51,16 +66,16 @@ func NewTLS(path, serviceName string) (credentials.TransportCredentials, error)
 		}
 		creds := gmcredentials.NewTLS(
 			&tls.Config{
-				GMSupport:    &tls.GMSupport{},
+				GMSupport:    tls.NewGMSupport(),
 				ServerName:   serviceName,
 				Certificates: []tls.Certificate{certificate, certificate},
 				RootCAs:      certPool,
 				ClientCAs:    certPool,
 				ClientAuth:   tls.RequireAndVerifyClientCert,
 			})
+		serverNameMap[serviceName] = creds
 		return creds, nil
-	} else {
-
+	} else { //非国密
 		certPool := defaultx509.NewCertPool()
 		ok := certPool.AppendCertsFromPEM(bs)
 		if !ok {
@@ -80,6 +95,7 @@ func NewTLS(path, serviceName string) (credentials.TransportCredentials, error)
 				ClientCAs:    certPool,
 				ClientAuth:   defaulttls.RequireAndVerifyClientCert,
 			})
+		serverNameMap[serviceName] = creds
 		return creds, nil
 	}
 

From e69054b268148eacf8ca23051ac83152fd2b3a93 Mon Sep 17 00:00:00 2001
From: springrain <chunanyong@163.com>
Date: Mon, 29 Nov 2021 10:36:53 +0800
Subject: [PATCH 5/9] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E5=85=A8=E5=B1=80?=
 =?UTF-8?q?=E5=8F=98=E9=87=8F=20serverNameMap=20=E5=8A=A0=E9=94=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 kernel/network/p2p/util.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/kernel/network/p2p/util.go b/kernel/network/p2p/util.go
index 84523485..073c7a2a 100644
--- a/kernel/network/p2p/util.go
+++ b/kernel/network/p2p/util.go
@@ -12,6 +12,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"sync"
 	"time"
 
 	tls "github.com/tjfoc/gmsm/gmtls"
@@ -39,7 +40,11 @@ func NewTLS(path, serviceName string) (credentials.TransportCredentials, error)
 	if creds, ok := serverNameMap[serviceName]; ok {
 		return creds, nil
 	}
-
+	//修改全局变量 serverNameMap 加锁
+	mu := &sync.Mutex{}
+	mu.Lock()
+	defer mu.Unlock()
+	//读取 cacert.pem 证书
 	bs, err := ioutil.ReadFile(filepath.Join(path, "cacert.pem"))
 	if err != nil {
 		return nil, err
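Review bot: `mu := &sync.Mutex{}` allocates a new mutex on every call, so no two goroutines ever contend on the same lock and the writes to `serverNameMap` remain unprotected. The lock has to be shared by all callers, declared once at package level next to the map as `var mu sync.Mutex`. NewTLS starts and ends outside the hunk.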

From 19aad142d037e22d5073be4f750176871c010490 Mon Sep 17 00:00:00 2001
From: springrain <chunanyong@163.com>
Date: Mon, 29 Nov 2021 18:23:06 +0800
Subject: [PATCH 6/9] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E5=85=A8=E5=B1=80?=
 =?UTF-8?q?=E5=8F=98=E9=87=8F=20serverNameMap=20=E5=8A=A0=E9=94=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 kernel/network/p2p/util.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/kernel/network/p2p/util.go b/kernel/network/p2p/util.go
index 073c7a2a..818d1757 100644
--- a/kernel/network/p2p/util.go
+++ b/kernel/network/p2p/util.go
@@ -30,6 +30,9 @@ import (
 // serverName  为key,缓存 creds
 var serverNameMap = make(map[string]credentials.TransportCredentials)
 
+//修改全局变量 serverNameMap 加锁
+var mu = &sync.Mutex{}
+
 func NewTLS(path, serviceName string) (credentials.TransportCredentials, error) {
 
 	if len(serviceName) < 1 {
@@ -40,8 +43,7 @@ func NewTLS(path, serviceName string) (credentials.TransportCredentials, error)
 	if creds, ok := serverNameMap[serviceName]; ok {
 		return creds, nil
 	}
-	//修改全局变量 serverNameMap 加锁
-	mu := &sync.Mutex{}
+
 	mu.Lock()
 	defer mu.Unlock()
 	//读取 cacert.pem 证书
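Review bot: The lookup `if creds, ok := serverNameMap[serviceName]; ok` still runs before `mu.Lock()`, so one goroutine can read the map while another is inside the locked section writing to it; the Go runtime can abort the process on a concurrent map read and write. Moving `mu.Lock()` and `defer mu.Unlock()` above the lookup puts the read, the build and the store under one lock, and also stops two callers from building the same credentials twice. NewTLS continues outside the hunk.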

From f62c59aa2504bafc2b9bb02c79dd2981a5e87807 Mon Sep 17 00:00:00 2001
From: springrain <chunanyong@163.com>
Date: Tue, 30 Nov 2021 10:17:21 +0800
Subject: [PATCH 7/9] =?UTF-8?q?=E4=BF=AE=E6=94=B9Mutex=E5=A3=B0=E6=98=8E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 kernel/network/p2p/util.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/network/p2p/util.go b/kernel/network/p2p/util.go
index 818d1757..87ecf723 100644
--- a/kernel/network/p2p/util.go
+++ b/kernel/network/p2p/util.go
@@ -31,7 +31,7 @@ import (
 var serverNameMap = make(map[string]credentials.TransportCredentials)
 
 //修改全局变量 serverNameMap 加锁
-var mu = &sync.Mutex{}
+var mu sync.Mutex
 
 func NewTLS(path, serviceName string) (credentials.TransportCredentials, error) {
 

From 6eb724ed5b09e250122563857afe4355abb6bc9a Mon Sep 17 00:00:00 2001
From: springrain <chunanyong@163.com>
Date: Wed, 29 Dec 2021 16:54:35 +0800
Subject: [PATCH 8/9] =?UTF-8?q?=E5=8E=BB=E6=8E=89=E6=97=A0=E7=94=A8?=
 =?UTF-8?q?=E7=9A=84=E9=80=BB=E8=BE=91=E5=88=A4=E6=96=AD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 kernel/network/p2p/util.go | 29 +++--------------------------
 1 file changed, 3 insertions(+), 26 deletions(-)

diff --git a/kernel/network/p2p/util.go b/kernel/network/p2p/util.go
index 87ecf723..0f90f1f0 100644
--- a/kernel/network/p2p/util.go
+++ b/kernel/network/p2p/util.go
@@ -6,13 +6,11 @@ import (
 	defaultx509 "crypto/x509"
 	"encoding/base64"
 	"encoding/pem"
-	"errors"
 	"io/ioutil"
 	math_rand "math/rand"
 	"os"
 	"path/filepath"
 	"strings"
-	"sync"
 	"time"
 
 	tls "github.com/tjfoc/gmsm/gmtls"
@@ -27,35 +25,15 @@ import (
 	"github.com/xuperchain/xupercore/kernel/network/config"
 )
 
-// serverName  为key,缓存 creds
-var serverNameMap = make(map[string]credentials.TransportCredentials)
-
-//修改全局变量 serverNameMap 加锁
-var mu sync.Mutex
-
 func NewTLS(path, serviceName string) (credentials.TransportCredentials, error) {
 
-	if len(serviceName) < 1 {
-		return nil, errors.New("serviceName is empty")
-	}
-
-	//如果缓存中有值
-	if creds, ok := serverNameMap[serviceName]; ok {
-		return creds, nil
-	}
-
-	mu.Lock()
-	defer mu.Unlock()
 	//读取 cacert.pem 证书
 	bs, err := ioutil.ReadFile(filepath.Join(path, "cacert.pem"))
 	if err != nil {
 		return nil, err
 	}
-	cacert, err := ioutil.ReadFile(filepath.Join(path, "cacert.pem"))
-	if err != nil {
-		return nil, err
-	}
-	pb, _ := pem.Decode(cacert)
+
+	pb, _ := pem.Decode(bs)
 	x509cert, err := x509.ParseCertificate(pb.Bytes)
 	if err != nil {
 		return nil, err
@@ -80,7 +58,7 @@ func NewTLS(path, serviceName string) (credentials.TransportCredentials, error)
 				ClientCAs:    certPool,
 				ClientAuth:   tls.RequireAndVerifyClientCert,
 			})
-		serverNameMap[serviceName] = creds
+
 		return creds, nil
 	} else { //非国密
 		certPool := defaultx509.NewCertPool()
@@ -102,7 +80,6 @@ func NewTLS(path, serviceName string) (credentials.TransportCredentials, error)
 				ClientCAs:    certPool,
 				ClientAuth:   defaulttls.RequireAndVerifyClientCert,
 			})
-		serverNameMap[serviceName] = creds
 		return creds, nil
 	}
 

From 1713c7c08b02b9fa48afc0ab1b1c23fd16f902ad Mon Sep 17 00:00:00 2001
From: chimengnan <948695387@qq.com>
Date: Thu, 10 Feb 2022 18:06:42 +0800
Subject: [PATCH 9/9] Modify:TLS Server Cert Crypto AtuoSwitch

---
 bcs/network/p2pv1/server.go       |   2 +-
 go.mod                            |   3 +-
 go.sum                            |  14 ++--
 kernel/network/config/config.go   |   4 +
 kernel/network/context/context.go |   2 +
 kernel/network/p2p/util.go        | 131 ++++++++++++++++++++----------
 6 files changed, 103 insertions(+), 53 deletions(-)

diff --git a/bcs/network/p2pv1/server.go b/bcs/network/p2pv1/server.go
index cbbaa689..55b5be27 100644
--- a/bcs/network/p2pv1/server.go
+++ b/bcs/network/p2pv1/server.go
@@ -131,7 +131,7 @@ func (p *P2PServerV1) serve() {
 	)
 
 	if p.config.IsTls {
-		creds, err := p2p.NewTLS(p.config.KeyPath, p.config.ServiceName)
+		creds, err := p2p.ServerNewTLS(p.config.KeyPath, p.config.CertKeyPath, p.config.GMCertKeyPath)
 		if err != nil {
 			panic(err)
 		}
diff --git a/go.mod b/go.mod
index 168876d5..ffecd41f 100644
--- a/go.mod
+++ b/go.mod
@@ -31,14 +31,13 @@ require (
 	github.com/spf13/cobra v1.0.0
 	github.com/spf13/viper v1.6.2
 	github.com/syndtr/goleveldb v1.0.1-0.20200815110645-5c35d600f0ca
+	github.com/tjfoc/gmsm v1.4.2-0.20220114090716-36b992c51540
 	github.com/xuperchain/crypto v0.0.0-20211221122406-302ac826ac90
 	github.com/xuperchain/log15 v0.0.0-20190620081506-bc88a9198230
 	github.com/xuperchain/xvm v0.0.0-20210126142521-68fd016c56d7
 	golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2
 	golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9
 	google.golang.org/grpc v1.35.0
-
-	github.com/tjfoc/gmsm v1.4.1
 )
 
 replace github.com/hyperledger/burrow => github.com/xuperchain/burrow v0.30.6-0.20211229032028-fbee6a05ab0f
diff --git a/go.sum b/go.sum
index 614e9a17..ef5957ee 100644
--- a/go.sum
+++ b/go.sum
@@ -7,9 +7,8 @@ github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/ChainSafe/go-schnorrkel v0.0.0-20200102211924-4bcbc698314f h1:4O1om+UVU+Hfcihr1timk8YNXHxzZWgCo7ofnrZRApw=
 github.com/ChainSafe/go-schnorrkel v0.0.0-20200102211924-4bcbc698314f/go.mod h1:URdX5+vg25ts3aCh8H5IFZybJYKWhJHYMTnf+ULtoC4=
-github.com/ChainSafe/go-schnorrkel v0.0.0-20200626160457-b38283118816 h1:X5jJ3e/jgFSnSoYOep/mf6pF1RuLZfvF1ts8NZIyzqE=
-github.com/ChainSafe/go-schnorrkel v0.0.0-20200626160457-b38283118816/go.mod h1:URdX5+vg25ts3aCh8H5IFZybJYKWhJHYMTnf+ULtoC4=
 github.com/Kubuxu/go-os-helper v0.0.1/go.mod h1:N8B+I7vPCT80IcP58r50u4+gEEcsZETFUpAzWW2ep1Y=
 github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5 h1:ygIc8M6trr62pF5DucadTWGdEB4mEyvzi0e2nbcmcyA=
 github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw=
@@ -112,9 +111,8 @@ github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BU
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v1.4.2-0.20191101170500-ac7306503d23 h1:oqgGT9O61YAYvI41EBsLePOr+LE6roB0xY4gpkZuFSE=
 github.com/docker/docker v1.4.2-0.20191101170500-ac7306503d23/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
-github.com/docker/go-connections v0.4.1-0.20180821093606-97c2040d34df h1:cGbd/ECh4QPOc6+Tbvdk5NjCcOYESiwc1RjXp0XciVg=
-github.com/docker/go-connections v0.4.1-0.20180821093606-97c2040d34df/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
@@ -207,9 +205,8 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.1.1-0.20200604201612-c04b05f3adfa h1:Q75Upo5UN4JbPFURXZ8nLKYUvF85dyFRop/vQ0Rv+64=
-github.com/google/gofuzz v1.1.1-0.20200604201612-c04b05f3adfa/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gopacket v1.1.17 h1:rMrlX2ZY2UbvT+sdz3+6J+pp2z+msCq9MxTU6ymxbBY=
 github.com/google/gopacket v1.1.17/go.mod h1:UdDNZ1OO62aGYVnPhxT1U6aI7ukYtA/kB8vaU0diBUM=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
@@ -760,6 +757,8 @@ github.com/tendermint/tendermint v0.33.1/go.mod h1:fBOKyrlXOETqQ+heL8x/TZgSdmItO
 github.com/tendermint/tm-db v0.4.0/go.mod h1:+Cwhgowrf7NBGXmsqFMbwEtbo80XmyrlY5Jsk95JubQ=
 github.com/test-go/testify v1.1.4 h1:Tf9lntrKUMHiXQ07qBScBTSA0dhYQlu83hswqelv1iE=
 github.com/test-go/testify v1.1.4/go.mod h1:rH7cfJo/47vWGdi4GPj16x3/t1xGOj2YxzmNQzk2ghU=
+github.com/tjfoc/gmsm v1.4.2-0.20220114090716-36b992c51540 h1:Q7nxhP4rDahaXbLofX2fRX1dcEoQRvlJA0Hd2hGgh9k=
+github.com/tjfoc/gmsm v1.4.2-0.20220114090716-36b992c51540/go.mod h1:j4INPkHWMrhJb38G+J6W4Tw0AbuN8Thu3PbdVYhVcTE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmthrgd/atomics v0.0.0-20190904060638-dc7a5fcc7e0d h1:2QXSQjy/gDm0QeP9G9NaO9Hm2Cl1LAle4ZV0JeYK7XY=
 github.com/tmthrgd/atomics v0.0.0-20190904060638-dc7a5fcc7e0d/go.mod h1:J2+dTgaX/1g3PkyL6sLBglBWfaLmAp5bQbRhSfKw9XI=
@@ -853,6 +852,7 @@ golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200221231518-2aa609cf4a9d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200423211502-4bdfaf469ed5/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 h1:It14KIkyBFYkHkwZ7k45minvA9aorojkyjGk9KJ5B/w=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -894,6 +894,7 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200813134508-3edf25e44fcc/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 h1:qWPm9rbaAMKs8Bq/9LRpbMqxWRVUAQwMI9fVrssnTfw=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -998,6 +999,7 @@ google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
+google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.35.0 h1:TwIQcH3es+MojMVojxxfQ3l3OF2KzlRxML2xZq0kRo8=
 google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
diff --git a/kernel/network/config/config.go b/kernel/network/config/config.go
index 9141be74..66b316ce 100644
--- a/kernel/network/config/config.go
+++ b/kernel/network/config/config.go
@@ -59,6 +59,10 @@ type NetConf struct {
 	IsTls bool `yaml:"isTls,omitempty"`
 	// ServiceName
 	ServiceName string `yaml:"serviceName,omitempty"`
+	// Server  not GM cert path
+	CertKeyPath string `yaml:"certKeyPath,omitempty"`
+	// Server GM cert path
+	GMCertKeyPath string `yaml:"gmCertKeyPath,omitempty"`
 }
 
 func LoadP2PConf(cfgFile string) (*NetConf, error) {
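Review bot: The comments on `CertKeyPath` and `GMCertKeyPath` do not say that each is a directory or what it must contain. From ServerNewTLS later in this patch, each directory is read for `cert.pem`, `private.key` and `cacert.pem`, and a load failure falls back to the certificate under `KeyPath`. The field comments should state that, e.g. `// CertKeyPath is the directory with the server's non-GM cert.pem, private.key and cacert.pem; if loading fails the KeyPath certificate is served.`, with a matching line for `GMCertKeyPath`.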
diff --git a/kernel/network/context/context.go b/kernel/network/context/context.go
index 029398b8..5ea9f620 100644
--- a/kernel/network/context/context.go
+++ b/kernel/network/context/context.go
@@ -35,6 +35,8 @@ func NewNetCtx(envCfg *xconf.EnvConf) (*NetCtx, error) {
 
 	// 配置路径转为绝对路径
 	cfg.KeyPath = envCfg.GenDataAbsPath(cfg.KeyPath)
+	cfg.GMCertKeyPath = envCfg.GenDataAbsPath(cfg.GMCertKeyPath)
+	cfg.CertKeyPath = envCfg.GenDataAbsPath(cfg.CertKeyPath)
 
 	log, err := logs.NewLogger("", def.SubModName)
 	if err != nil {
diff --git a/kernel/network/p2p/util.go b/kernel/network/p2p/util.go
index 0f90f1f0..b6388973 100644
--- a/kernel/network/p2p/util.go
+++ b/kernel/network/p2p/util.go
@@ -2,15 +2,12 @@ package p2p
 
 import (
 	"crypto/rand"
-	defaulttls "crypto/tls"
-	defaultx509 "crypto/x509"
 	"encoding/base64"
 	"encoding/pem"
 	"io/ioutil"
 	math_rand "math/rand"
 	"os"
 	"path/filepath"
-	"strings"
 	"time"
 
 	tls "github.com/tjfoc/gmsm/gmtls"
@@ -26,63 +23,109 @@ import (
 )
 
 func NewTLS(path, serviceName string) (credentials.TransportCredentials, error) {
-
 	//读取 cacert.pem 证书
 	bs, err := ioutil.ReadFile(filepath.Join(path, "cacert.pem"))
 	if err != nil {
 		return nil, err
 	}
+	certPool := x509.NewCertPool()
+	ok := certPool.AppendCertsFromPEM(bs)
+	if !ok {
+		return nil, err
+	}
+	certificate, err := tls.LoadX509KeyPair(filepath.Join(path, "cert.pem"), filepath.Join(path, "private.key"))
+	if err != nil {
+		return nil, err
+	}
+	var tlsGMSupport *tls.GMSupport
 
 	pb, _ := pem.Decode(bs)
 	x509cert, err := x509.ParseCertificate(pb.Bytes)
 	if err != nil {
 		return nil, err
 	}
+	if x509cert.SignatureAlgorithm == x509.SM2WithSM3 { //国密
+		tlsGMSupport = tls.NewGMSupport()
+	} else {
+		tlsGMSupport = nil
+	}
+	creds := gmcredentials.NewTLS(
+		&tls.Config{
+			GMSupport:    tlsGMSupport,
+			ServerName:   serviceName,
+			Certificates: []tls.Certificate{certificate},
+			RootCAs:      certPool,
+			ClientCAs:    certPool,
+			ClientAuth:   tls.RequireAndVerifyClientCert,
+		})
+	return creds, nil
+}
 
-	if strings.Contains(strings.ToLower(x509cert.SignatureAlgorithm.String()), "sm") { //国密
-		certPool := x509.NewCertPool()
-		ok := certPool.AppendCertsFromPEM(bs)
-		if !ok {
-			return nil, err
-		}
-		certificate, err := tls.LoadX509KeyPair(filepath.Join(path, "cert.pem"), filepath.Join(path, "private.key"))
-		if err != nil {
-			return nil, err
-		}
-		creds := gmcredentials.NewTLS(
-			&tls.Config{
-				GMSupport:    tls.NewGMSupport(),
-				ServerName:   serviceName,
-				Certificates: []tls.Certificate{certificate, certificate},
-				RootCAs:      certPool,
-				ClientCAs:    certPool,
-				ClientAuth:   tls.RequireAndVerifyClientCert,
-			})
-
-		return creds, nil
-	} else { //非国密
-		certPool := defaultx509.NewCertPool()
-		ok := certPool.AppendCertsFromPEM(bs)
-		if !ok {
-			return nil, err
-		}
+func ServerNewTLS(defaultCertPath string, commonCertPath string, gmCertPath string) (credentials.TransportCredentials, error) {
+	// 加载默认 netKeys 下的证书
+	certificate, err := tls.LoadX509KeyPair(filepath.Join(defaultCertPath, "cert.pem"), filepath.Join(defaultCertPath, "private.key"))
+	if err != nil {
+		return nil, err
+	}
+	defaultCaPem, err := ioutil.ReadFile(filepath.Join(defaultCertPath, "cacert.pem"))
+	if err != nil {
+		return nil, err
+	}
 
-		certificate, err := defaulttls.LoadX509KeyPair(filepath.Join(path, "cert.pem"), filepath.Join(path, "private.key"))
-		if err != nil {
-			return nil, err
-		}
+	certPool := x509.NewCertPool()
+	certPool.AppendCertsFromPEM(defaultCaPem)
 
-		creds := credentials.NewTLS(
-			&defaulttls.Config{
-				ServerName:   serviceName,
-				Certificates: []defaulttls.Certificate{certificate},
-				RootCAs:      certPool,
-				ClientCAs:    certPool,
-				ClientAuth:   defaulttls.RequireAndVerifyClientCert,
-			})
-		return creds, nil
+	fncGetEncCertKeypair := func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		return &certificate, nil
 	}
 
+	fncGetCertificate := func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		gmFlag := false
+		// 检查支持协议中是否包含GMSSL
+		for _, v := range info.SupportedVersions {
+			if v == tls.VersionGMSSL {
+				gmFlag = true
+				break
+			}
+		}
+		if gmFlag { // GM Cert
+			gmCert, err := tls.LoadX509KeyPair(filepath.Join(gmCertPath, "cert.pem"), filepath.Join(gmCertPath, "private.key"))
+			if err != nil {
+				return &certificate, nil
+			}
+			bs, err := ioutil.ReadFile(filepath.Join(gmCertPath, "cacert.pem"))
+			if err != nil {
+				return &certificate, nil
+			}
+			certPool.AppendCertsFromPEM(bs)
+			fncGetEncCertKeypair = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+				return &gmCert, nil
+			}
+			return &gmCert, nil
+		} else { // not GM cert
+			commonCert, err := tls.LoadX509KeyPair(filepath.Join(commonCertPath, "cert.pem"), filepath.Join(commonCertPath, "private.key"))
+			if err != nil {
+				return &certificate, nil
+			}
+			bs, err := ioutil.ReadFile(filepath.Join(commonCertPath, "cacert.pem"))
+			if err != nil {
+				return &certificate, nil
+			}
+			certPool.AppendCertsFromPEM(bs)
+			return &commonCert, nil
+		}
+	}
+	creds := gmcredentials.NewTLS(&tls.Config{
+		GMSupport: &tls.GMSupport{
+			WorkMode: tls.ModeAutoSwitch,
+		},
+		RootCAs:          certPool,
+		ClientCAs:        certPool,
+		GetKECertificate: fncGetEncCertKeypair,
+		GetCertificate:   fncGetCertificate,
+		ClientAuth:       tls.RequireAndVerifyClientCert,
+	})
+	return creds, nil
 }
 
 // GenerateKeyPairWithPath generate xuper net key pair
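Review bot: In ServerNewTLS, the assignment `fncGetEncCertKeypair = func(...)` inside `fncGetCertificate` never reaches the TLS config, because `GetKECertificate: fncGetEncCertKeypair` copies the function value when the config is built; GM handshakes therefore keep receiving the default certificate as the key-exchange certificate. The same callback reads key material from disk and calls `certPool.AppendCertsFromPEM(bs)` on the shared pool during every handshake, so concurrent connections mutate `ClientCAs` without synchronization and the set of trusted client CAs depends on which hellos have arrived so far. Load failures are swallowed with `return &certificate, nil`, which hides a misconfigured `gmCertPath` or `commonCertPath` until a peer is served the wrong certificate. Loading the key pairs and CA files once before the config is built, and letting the callbacks only select, removes all three problems; a sketch follows.

```go
func ServerNewTLS(defaultCertPath string, commonCertPath string, gmCertPath string) (credentials.TransportCredentials, error) {
	// … unchanged: load the default cert.pem/private.key and cacert.pem, build certPool …

	// Load the optional key pairs and their CAs once, before the config is
	// built, so handshake callbacks never touch the disk or mutate certPool.
	loadOptional := func(dir string) *tls.Certificate {
		pair, err := tls.LoadX509KeyPair(filepath.Join(dir, "cert.pem"), filepath.Join(dir, "private.key"))
		if err != nil {
			// Falls back to the default pair; surface err to the caller's log here.
			return &certificate
		}
		ca, err := ioutil.ReadFile(filepath.Join(dir, "cacert.pem"))
		if err != nil || !certPool.AppendCertsFromPEM(ca) {
			return &certificate
		}
		return &pair
	}
	gmCert := loadOptional(gmCertPath)
	commonCert := loadOptional(commonCertPath)

	fncGetEncCertKeypair := func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
		return gmCert, nil
	}
	fncGetCertificate := func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
		for _, v := range info.SupportedVersions {
			if v == tls.VersionGMSSL {
				return gmCert, nil
			}
		}
		return commonCert, nil
	}
	// … unchanged: gmcredentials.NewTLS(&tls.Config{…}) and return …
```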