OpenAtomFoundation · springrain · Nov 9, 2021 · Nov 9, 2021 · Nov 9, 2021 · Nov 10, 2021
diff --git a/bcs/network/p2pv1/server.go b/bcs/network/p2pv1/server.go
@@ -131,7 +131,7 @@ func (p *P2PServerV1) serve() {
 	)
 
 	if p.config.IsTls {
-		creds, err := p2p.NewTLS(p.config.KeyPath, p.config.ServiceName)
+		creds, err := p2p.ServerNewTLS(p.config.KeyPath, p.config.CertKeyPath, p.config.GMCertKeyPath)
 		if err != nil {
 			panic(err)
 		}

diff --git a/go.mod b/go.mod
@@ -3,19 +3,16 @@ module github.com/xuperchain/xupercore
 go 1.14
 
 require (
-	github.com/ChainSafe/go-schnorrkel v0.0.0-20200626160457-b38283118816 // indirect
 	github.com/aws/aws-sdk-go v1.32.4
 	github.com/btcsuite/btcutil v0.0.0-20190425235716-9e5f4b9a998d
 	github.com/dgraph-io/badger/v3 v3.2103.1
-	github.com/docker/go-connections v0.4.1-0.20180821093606-97c2040d34df // indirect
 	github.com/docker/go-units v0.4.0
 	github.com/emirpasic/gods v1.12.1-0.20201118132343-79df803e554c
 	github.com/fsouza/go-dockerclient v1.6.0
 	github.com/gammazero/deque v0.1.0
 	github.com/gogo/protobuf v1.3.2
 	github.com/golang/protobuf v1.4.3
 	github.com/golang/snappy v0.0.3
-	github.com/google/gofuzz v1.1.1-0.20200604201612-c04b05f3adfa // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.2.2
 	github.com/hashicorp/golang-lru v0.5.4
 	github.com/hyperledger/burrow v0.30.5
@@ -34,6 +31,7 @@ require (
 	github.com/spf13/cobra v1.0.0
 	github.com/spf13/viper v1.6.2
 	github.com/syndtr/goleveldb v1.0.1-0.20200815110645-5c35d600f0ca
+	github.com/tjfoc/gmsm v1.4.2-0.20220114090716-36b992c51540
 	github.com/xuperchain/crypto v0.0.0-20211221122406-302ac826ac90
 	github.com/xuperchain/log15 v0.0.0-20190620081506-bc88a9198230
 	github.com/xuperchain/xvm v0.0.0-20210126142521-68fd016c56d7

diff --git a/go.sum b/go.sum
@@ -7,9 +7,8 @@ github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/ChainSafe/go-schnorrkel v0.0.0-20200102211924-4bcbc698314f h1:4O1om+UVU+Hfcihr1timk8YNXHxzZWgCo7ofnrZRApw=
 github.com/ChainSafe/go-schnorrkel v0.0.0-20200102211924-4bcbc698314f/go.mod h1:URdX5+vg25ts3aCh8H5IFZybJYKWhJHYMTnf+ULtoC4=
-github.com/ChainSafe/go-schnorrkel v0.0.0-20200626160457-b38283118816 h1:X5jJ3e/jgFSnSoYOep/mf6pF1RuLZfvF1ts8NZIyzqE=
-github.com/ChainSafe/go-schnorrkel v0.0.0-20200626160457-b38283118816/go.mod h1:URdX5+vg25ts3aCh8H5IFZybJYKWhJHYMTnf+ULtoC4=
 github.com/Kubuxu/go-os-helper v0.0.1/go.mod h1:N8B+I7vPCT80IcP58r50u4+gEEcsZETFUpAzWW2ep1Y=
 github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5 h1:ygIc8M6trr62pF5DucadTWGdEB4mEyvzi0e2nbcmcyA=
 github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw=
@@ -112,9 +111,8 @@ github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BU
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v1.4.2-0.20191101170500-ac7306503d23 h1:oqgGT9O61YAYvI41EBsLePOr+LE6roB0xY4gpkZuFSE=
 github.com/docker/docker v1.4.2-0.20191101170500-ac7306503d23/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
-github.com/docker/go-connections v0.4.1-0.20180821093606-97c2040d34df h1:cGbd/ECh4QPOc6+Tbvdk5NjCcOYESiwc1RjXp0XciVg=
-github.com/docker/go-connections v0.4.1-0.20180821093606-97c2040d34df/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
 github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
@@ -207,9 +205,8 @@ github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.1.1-0.20200604201612-c04b05f3adfa h1:Q75Upo5UN4JbPFURXZ8nLKYUvF85dyFRop/vQ0Rv+64=
-github.com/google/gofuzz v1.1.1-0.20200604201612-c04b05f3adfa/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gopacket v1.1.17 h1:rMrlX2ZY2UbvT+sdz3+6J+pp2z+msCq9MxTU6ymxbBY=
 github.com/google/gopacket v1.1.17/go.mod h1:UdDNZ1OO62aGYVnPhxT1U6aI7ukYtA/kB8vaU0diBUM=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
@@ -760,6 +757,8 @@ github.com/tendermint/tendermint v0.33.1/go.mod h1:fBOKyrlXOETqQ+heL8x/TZgSdmItO
 github.com/tendermint/tm-db v0.4.0/go.mod h1:+Cwhgowrf7NBGXmsqFMbwEtbo80XmyrlY5Jsk95JubQ=
 github.com/test-go/testify v1.1.4 h1:Tf9lntrKUMHiXQ07qBScBTSA0dhYQlu83hswqelv1iE=
 github.com/test-go/testify v1.1.4/go.mod h1:rH7cfJo/47vWGdi4GPj16x3/t1xGOj2YxzmNQzk2ghU=
+github.com/tjfoc/gmsm v1.4.2-0.20220114090716-36b992c51540 h1:Q7nxhP4rDahaXbLofX2fRX1dcEoQRvlJA0Hd2hGgh9k=
+github.com/tjfoc/gmsm v1.4.2-0.20220114090716-36b992c51540/go.mod h1:j4INPkHWMrhJb38G+J6W4Tw0AbuN8Thu3PbdVYhVcTE=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmthrgd/atomics v0.0.0-20190904060638-dc7a5fcc7e0d h1:2QXSQjy/gDm0QeP9G9NaO9Hm2Cl1LAle4ZV0JeYK7XY=
 github.com/tmthrgd/atomics v0.0.0-20190904060638-dc7a5fcc7e0d/go.mod h1:J2+dTgaX/1g3PkyL6sLBglBWfaLmAp5bQbRhSfKw9XI=
@@ -853,6 +852,7 @@ golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200221231518-2aa609cf4a9d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200423211502-4bdfaf469ed5/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2 h1:It14KIkyBFYkHkwZ7k45minvA9aorojkyjGk9KJ5B/w=
 golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -894,6 +894,7 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20200813134508-3edf25e44fcc/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110 h1:qWPm9rbaAMKs8Bq/9LRpbMqxWRVUAQwMI9fVrssnTfw=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -998,6 +999,7 @@ google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
+google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.35.0 h1:TwIQcH3es+MojMVojxxfQ3l3OF2KzlRxML2xZq0kRo8=
 google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=

diff --git a/kernel/network/config/config.go b/kernel/network/config/config.go
@@ -59,6 +59,10 @@ type NetConf struct {
 	IsTls bool `yaml:"isTls,omitempty"`
 	// ServiceName
 	ServiceName string `yaml:"serviceName,omitempty"`
+	// Server  not GM cert path
+	CertKeyPath string `yaml:"certKeyPath,omitempty"`
+	// Server GM cert path
+	GMCertKeyPath string `yaml:"gmCertKeyPath,omitempty"`
 }
 
 func LoadP2PConf(cfgFile string) (*NetConf, error) {

diff --git a/kernel/network/context/context.go b/kernel/network/context/context.go
@@ -35,6 +35,8 @@ func NewNetCtx(envCfg *xconf.EnvConf) (*NetCtx, error) {
 
 	// 配置路径转为绝对路径
 	cfg.KeyPath = envCfg.GenDataAbsPath(cfg.KeyPath)
+	cfg.GMCertKeyPath = envCfg.GenDataAbsPath(cfg.GMCertKeyPath)
+	cfg.CertKeyPath = envCfg.GenDataAbsPath(cfg.CertKeyPath)
 
 	log, err := logs.NewLogger("", def.SubModName)
 	if err != nil {

diff --git a/kernel/network/p2p/util.go b/kernel/network/p2p/util.go
@@ -2,8 +2,6 @@ package p2p
 
 import (
 	"crypto/rand"
-	"crypto/tls"
-	"crypto/x509"
 	"encoding/base64"
 	"encoding/pem"
 	"io/ioutil"
@@ -12,6 +10,10 @@ import (
 	"path/filepath"
 	"time"
 
+	tls "github.com/tjfoc/gmsm/gmtls"
+	"github.com/tjfoc/gmsm/gmtls/gmcredentials"
+	"github.com/tjfoc/gmsm/x509"
+
 	iaddr "github.com/ipfs/go-ipfs-addr"
 	"github.com/libp2p/go-libp2p-core/crypto"
 	"github.com/libp2p/go-libp2p-core/peer"
@@ -21,24 +23,35 @@ import (
 )
 
 func NewTLS(path, serviceName string) (credentials.TransportCredentials, error) {
+	//读取 cacert.pem 证书
 	bs, err := ioutil.ReadFile(filepath.Join(path, "cacert.pem"))
 	if err != nil {
 		return nil, err
 	}
-
 	certPool := x509.NewCertPool()
 	ok := certPool.AppendCertsFromPEM(bs)
 	if !ok {
 		return nil, err
 	}
-
 	certificate, err := tls.LoadX509KeyPair(filepath.Join(path, "cert.pem"), filepath.Join(path, "private.key"))
 	if err != nil {
 		return nil, err
 	}
+	var tlsGMSupport *tls.GMSupport
 
-	creds := credentials.NewTLS(
+	pb, _ := pem.Decode(bs)
+	x509cert, err := x509.ParseCertificate(pb.Bytes)
+	if err != nil {
+		return nil, err
+	}
+	if x509cert.SignatureAlgorithm == x509.SM2WithSM3 { //国密
+		tlsGMSupport = tls.NewGMSupport()
+	} else {
+		tlsGMSupport = nil
+	}
+	creds := gmcredentials.NewTLS(
 		&tls.Config{
+			GMSupport:    tlsGMSupport,
 			ServerName:   serviceName,
 			Certificates: []tls.Certificate{certificate},
 			RootCAs:      certPool,
@@ -48,6 +61,73 @@ func NewTLS(path, serviceName string) (credentials.TransportCredentials, error)
 	return creds, nil
 }
 
+func ServerNewTLS(defaultCertPath string, commonCertPath string, gmCertPath string) (credentials.TransportCredentials, error) {
+	// 加载默认 netKeys 下的证书
+	certificate, err := tls.LoadX509KeyPair(filepath.Join(defaultCertPath, "cert.pem"), filepath.Join(defaultCertPath, "private.key"))
+	if err != nil {
+		return nil, err
+	}
+	defaultCaPem, err := ioutil.ReadFile(filepath.Join(defaultCertPath, "cacert.pem"))
+	if err != nil {
+		return nil, err
+	}
+
+	certPool := x509.NewCertPool()
+	certPool.AppendCertsFromPEM(defaultCaPem)
+
+	fncGetEncCertKeypair := func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		return &certificate, nil
+	}
+
+	fncGetCertificate := func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		gmFlag := false
+		// 检查支持协议中是否包含GMSSL
+		for _, v := range info.SupportedVersions {
+			if v == tls.VersionGMSSL {
+				gmFlag = true
+				break
+			}
+		}
+		if gmFlag { // GM Cert
+			gmCert, err := tls.LoadX509KeyPair(filepath.Join(gmCertPath, "cert.pem"), filepath.Join(gmCertPath, "private.key"))
+			if err != nil {
+				return &certificate, nil
+			}
+			bs, err := ioutil.ReadFile(filepath.Join(gmCertPath, "cacert.pem"))
+			if err != nil {
+				return &certificate, nil
+			}
+			certPool.AppendCertsFromPEM(bs)
+			fncGetEncCertKeypair = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+				return &gmCert, nil
+			}
+			return &gmCert, nil
+		} else { // not GM cert
+			commonCert, err := tls.LoadX509KeyPair(filepath.Join(commonCertPath, "cert.pem"), filepath.Join(commonCertPath, "private.key"))
+			if err != nil {
+				return &certificate, nil
+			}
+			bs, err := ioutil.ReadFile(filepath.Join(commonCertPath, "cacert.pem"))
+			if err != nil {
+				return &certificate, nil
+			}
+			certPool.AppendCertsFromPEM(bs)
+			return &commonCert, nil
+		}
+	}
+	creds := gmcredentials.NewTLS(&tls.Config{
+		GMSupport: &tls.GMSupport{
+			WorkMode: tls.ModeAutoSwitch,
+		},
+		RootCAs:          certPool,
+		ClientCAs:        certPool,
+		GetKECertificate: fncGetEncCertKeypair,
+		GetCertificate:   fncGetCertificate,
+		ClientAuth:       tls.RequireAndVerifyClientCert,
+	})
+	return creds, nil
+}
+
 // GenerateKeyPairWithPath generate xuper net key pair
 func GenerateKeyPairWithPath(path string) error {
 	priv, _, err := crypto.GenerateKeyPairWithReader(crypto.RSA, 2048, rand.Reader)