-
Notifications
You must be signed in to change notification settings - Fork 257
CA工具使用说明
linj edited this page Nov 23, 2022
·
1 revision
chain33-ca-tool是chain33联盟链自带的CA证书生成工具,可根据配置文件生成证书文件,包含根证书,中间证书和用户证书。
wget https://bty33.oss-cn-shanghai.aliyuncs.com/chain33-ca-tool.tar.gz下载后解压到任意指定目录
tar -xzvf chain33-ca-tool.tar.gz
cd chain33-ca-tool软件包包含
chain33-ca-tool -- 工具可执行文件
chain33.cryptogen.yaml -- 配置文件
根据实际场景修改chain33.cryptogen.yaml
#签名方式,默认auth_sm2,支持auth_ecdsa
SignType: auth_sm2
#根证书配置
Root:
#证书名
Name: ca
#签发证书配置
CA:
CommonName: Chain33CA
Country: China
Province: Zhejiang
Locality: Hangzhou
Expire: 100
#用户名
User:
- Name: org1
- Name: org2
#中间证书配置
Organizations:
#企业org1证书配置
- Name: org1
CA:
CommonName: org1CA
Country: China
Province: Zhejiang
Locality: Hangzhou
Expire: 100
User:
- Name: user1
- Name: user2
#企业org2证书配置
- Name: org2
CA:
CommonName: org2CA
Country: China
Province: Zhejiang
Locality: Hangzhou
Expire: 100
User:
- Name: user1
- Name: user2
./chain33-ca-tool [-f configfile] [-o output directory]
配置文件默认chain33.cryptogen.yaml,输出路径默认./authdir/crypto
eg.
./chain33-ca-tool -f chain33.cryptogen.yaml├── cacerts //根证书目录
│ ├── ca-cert.pem //根证书文件
│ └── d9443c03c7c272a8a96c35cd9d76203780e84707e4174ada0b82a74f3a9be5df_sk //根证书私钥
├── org1 //企业1目录
│ ├── cacerts //企业根证书
│ │ └── ca-cert.pem
│ ├── intermediatecerts //中间证书
│ │ └── org1-cert.pem
│ ├── keystore //企业证书私钥
│ │ └── 434d7b55dec2534008449bc60a8d8b4c9d334b4b4e85e3269030a27206438070_sk
│ ├── signcerts //企业签名证书
│ │ └── [email protected]
│ ├── user1 //企业用户目录
│ │ ├── cacerts //用户根证书
│ │ │ └── org1-cert.pem
│ │ ├── keystore //用户私钥
│ │ │ └── b01568b358e336f28d86baaa27df2a07dd01b6991f82f9bc680896ce4ceeaf77_sk
│ │ └── signcerts //用户签名证书
│ │ └── [email protected]
│ └── user2 //与user1类似
│ ...
└── org2 //与org1类似
...
chain33.toml配置文件打开证书校验开关
[exec.sub.cert]
# 是否启用证书验证和签名
enable=true
# 加密文件路径
cryptoPath="."
# 带证书签名类型,支持"auth_ecdsa", "auth_sm2"
signType="auth_sm2"
将生成的org1目录下的cacerts和intermediatecerts目录拷贝到配置文件cryptoPath配置的目录,启动节点
将企业用户org1/user1目录下的keystore和signcerts拷贝到./test目录下
- Java
// chain33节点
static RpcClient chain33client = new RpcClient("http://127.0.0.1:8801");
// 从文件加载账户
Account account = new Account();
AccountInfo accountInfo = account.loadGMAccountLocal("test", "", "./test/keystore/b01568b358e336f28d86baaa27df2a07dd01b6991f82f9bc680896ce4ceeaf77_sk");
// 加载用户证书
byte[] certBytes = CertUtils.getCertFromFile("./test/signcerts/[email protected]");
// 构造交易
CertService.CertNormal.Builder normal = CertService.CertNormal.newBuilder();
normal.setValue(ByteString.copyFrom("value123".getBytes()));
normal.setKey("key123");
CertService.CertNormal normalAction = normal.build();
CertService.CertAction.Builder builder = CertService.CertAction.newBuilder();
builder.setTy(CertUtils.CertActionNormal);
builder.setNormal(normalAction);
byte[] reqBytes = builder.build().toByteArray();
String transactionHash = TransactionUtil.createTxWithCert(accountInfo.getPrivateKey(), "cert", reqBytes, SignType.SM2, certBytes, "ca test".getBytes());
// 发送交易
String hash = chain33client.submitTransaction(transactionHash);- Go
var (
keyFilePath = "./test/keystore/5c3682a5719cf5bc1bd6280938670c3acfcb67cc15744a7b9b348066795a4e62_sk"
certFilePath = "./test/signcerts/[email protected]"
)
// chain33节点
jsonclient, err := client.NewJSONClient("", "http://127.0.0.1:8801")
// 从文件加载账户
account,err := sdk.NewAccountFromLocal(crypto.SM2, keyFilePath)
// 加载用户证书
certByte,err := types.ReadFile(certFilePath)
// 构造交易
tx, err := CreateCertNormalTx("", account.PrivateKey, certByte, []byte("cert test"), "key1", []byte("value1"))
// 发送交易
signTx := types.ToHexPrefix(types.Encode(tx))
reply, err := jsonclient.SendTransaction(signTx)
// 查询交易
txhash := types.ToHexPrefix(sdk.Hash(tx))
time.Sleep(2 * time.Second)
detail, err := jsonclient.QueryTransaction(txhash)- 主链 将工具生成的cacerts目录和所有企业下的intermediatecerts目录拷贝到配置文件cryptoPath配置的目录,启动节点
├── cacerts
│ ├── ca-cert.pem
├── intermediatecerts
│ │── org1-cert.pem
│ │── org2-cert.pem
│ ...
主链校验所有平行链的用户身份,只要是所有平行链下的用户,都可以校验通过
- 平行链 在配置文件cryptoPath配置的目录下创建cacerts目录,将工具生成的对应本平行链的企业目录下的intermediatecerts目录下的证书拷贝到cacerts目录下,启动节点
├── cacerts
│ └── org1-cert.pem //工具生成的企业org1的intermediatecerts目录
平行链校验本企业的用户,其他平行链用户校验不通过
hello world