Merge branch 'cert-auth'

go.mod

@@ -37,7 +37,7 @@ require (
 	github.com/rs/cors v1.6.0
 	github.com/spf13/cobra v0.0.5
 	github.com/stretchr/testify v1.4.0
-	github.com/tjfoc/gmsm v1.3.1
+	github.com/tjfoc/gmsm v1.3.2
 	github.com/valyala/fasthttp v1.5.0
 	github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2 // indirect
 	go.uber.org/atomic v1.4.0 // indirect

go.sum

@@ -633,6 +633,8 @@ github.com/syndtr/goleveldb v1.0.1-0.20190923125748-758128399b1d/go.mod h1:9OrXJ
 github.com/timakin/bodyclose v0.0.0-20190721030226-87058b9bfcec/go.mod h1:Qimiffbc6q9tBWlVV6x0P9sat/ao1xEkREYPPj9hphk=
 github.com/tjfoc/gmsm v1.3.1 h1:+k3IAlF81c31/TllJmIfuCYnjl8ziMdTWGWJcP9J1uo=
 github.com/tjfoc/gmsm v1.3.1/go.mod h1:HaUcFuY0auTiaHB9MHFGCPx5IaLhTUd2atbCFBQXn9w=
+github.com/tjfoc/gmsm v1.3.2 h1:7JVkAn5bvUJ7HtU08iW6UiD+UTmJTIToHCfeFzkcCxM=
+github.com/tjfoc/gmsm v1.3.2/go.mod h1:HaUcFuY0auTiaHB9MHFGCPx5IaLhTUd2atbCFBQXn9w=
 github.com/tyler-smith/go-bip39 v1.0.1-0.20181017060643-dbb3b84ba2ef h1:wHSqTBrZW24CsNJDfeh9Ex6Pm0Rcpc7qrgKBiL44vF4=
 github.com/tyler-smith/go-bip39 v1.0.1-0.20181017060643-dbb3b84ba2ef/go.mod h1:sJ5fKU0s6JVwZjjcUEX2zFOnvq0ASQ2K9Zr6cf67kNs=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=

plugin/crypto/sm2/sm2.go

@@ -2,21 +2,253 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+// Package sm2 带证书交易的签名
 package sm2
 
 import (
+	"bytes"
+	"crypto/elliptic"
+	"errors"
+	"fmt"
+	"github.com/33cn/chain33/types"
+	pkt "github.com/33cn/plugin/plugin/dapp/cert/types"
+	"math/big"
+
 	"github.com/33cn/chain33/common/crypto"
-	"github.com/33cn/chain33/system/crypto/sm2"
+	"github.com/tjfoc/gmsm/sm2"
+)
+
+//const
+const (
+	SM2PrivateKeyLength    = 32
+	SM2PublicKeyLength     = 65
+	SM2PublicKeyCompressed = 33
 )
 
-type sm2Driver struct {
-	sm2.Driver
+//Driver 驱动
+type Driver struct{}
+
+//GenKey 生成私钥
+func (d Driver) GenKey() (crypto.PrivKey, error) {
+	privKeyBytes := [SM2PrivateKeyLength]byte{}
+	copy(privKeyBytes[:], crypto.CRandBytes(SM2PrivateKeyLength))
+	priv, _ := privKeyFromBytes(sm2.P256Sm2(), privKeyBytes[:])
+	copy(privKeyBytes[:], SerializePrivateKey(priv))
+	return PrivKeySM2(privKeyBytes), nil
+}
+
+//PrivKeyFromBytes 字节转为私钥
+func (d Driver) PrivKeyFromBytes(b []byte) (privKey crypto.PrivKey, err error) {
+	if len(b) != SM2PrivateKeyLength {
+		return nil, errors.New("invalid priv key byte")
+	}
+	privKeyBytes := new([SM2PrivateKeyLength]byte)
+	copy(privKeyBytes[:], b[:SM2PrivateKeyLength])
+
+	priv, _ := privKeyFromBytes(sm2.P256Sm2(), privKeyBytes[:])
+
+	copy(privKeyBytes[:], SerializePrivateKey(priv))
+	return PrivKeySM2(*privKeyBytes), nil
+}
+
+//PubKeyFromBytes 字节转为公钥
+func (d Driver) PubKeyFromBytes(b []byte) (pubKey crypto.PubKey, err error) {
+	if len(b) != SM2PublicKeyLength && len(b) != SM2PublicKeyCompressed {
+		return nil, errors.New("invalid pub key byte")
+	}
+	pubKeyBytes := new([SM2PublicKeyLength]byte)
+	copy(pubKeyBytes[:], b[:])
+	return PubKeySM2(*pubKeyBytes), nil
+}
+
+//SignatureFromBytes 字节转为签名
+func (d Driver) SignatureFromBytes(b []byte) (sig crypto.Signature, err error) {
+	var certSignature pkt.CertSignature
+	err = types.Decode(b, &certSignature)
+	if err != nil {
+		return SignatureSM2(b), nil
+	}
+
+	return &SignatureS{
+		Signature: SignatureSM2(certSignature.Signature),
+		uid:       certSignature.Uid,
+	}, nil
+}
+
+//PrivKeySM2 私钥
+type PrivKeySM2 [SM2PrivateKeyLength]byte
+
+//Bytes 字节格式
+func (privKey PrivKeySM2) Bytes() []byte {
+	s := make([]byte, SM2PrivateKeyLength)
+	copy(s, privKey[:])
+	return s
+}
+
+//Sign 签名
+func (privKey PrivKeySM2) Sign(msg []byte) crypto.Signature {
+	priv, _ := privKeyFromBytes(sm2.P256Sm2(), privKey[:])
+	r, s, err := sm2.Sm2Sign(priv, msg, nil)
+	if err != nil {
+		return nil
+	}
+	//sm2不需要LowS转换
+	//s = ToLowS(pub, s)
+	return SignatureSM2(Serialize(r, s))
+}
+
+//PubKey 私钥生成公钥
+func (privKey PrivKeySM2) PubKey() crypto.PubKey {
+	_, pub := privKeyFromBytes(sm2.P256Sm2(), privKey[:])
+	var pubSM2 PubKeySM2
+	copy(pubSM2[:], sm2.Compress(pub))
+	return pubSM2
+}
+
+//Equals 公钥
+func (privKey PrivKeySM2) Equals(other crypto.PrivKey) bool {
+	if otherSecp, ok := other.(PrivKeySM2); ok {
+		return bytes.Equal(privKey[:], otherSecp[:])
+	}
+
+	return false
+}
+
+func (privKey PrivKeySM2) String() string {
+	return fmt.Sprintf("PrivKeySM2{*****}")
 }
 
-const name = "auth_sm2"
-const id = 258
+//PubKeySM2 公钥
+type PubKeySM2 [SM2PublicKeyLength]byte
+
+//Bytes 字节格式
+func (pubKey PubKeySM2) Bytes() []byte {
+	length := SM2PublicKeyLength
+	if pubKey.isCompressed() {
+		length = SM2PublicKeyCompressed
+	}
+	s := make([]byte, length)
+	copy(s, pubKey[0:length])
+	return s
+}
+
+func (pubKey PubKeySM2) isCompressed() bool {
+	return pubKey[0] != pubkeyUncompressed
+}
+
+//VerifyBytes 验证字节
+func (pubKey PubKeySM2) VerifyBytes(msg []byte, sig crypto.Signature) bool {
+	var uid []byte
+	if wrap, ok := sig.(*SignatureS); ok {
+		sig = wrap.Signature
+		uid = wrap.uid
+	}
+	sigSM2, ok := sig.(SignatureSM2)
+	if !ok {
+		fmt.Printf("convert failed\n")
+		return false
+	}
+	var pub *sm2.PublicKey
+	if pubKey.isCompressed() {
+		pub = sm2.Decompress(pubKey[0:SM2PublicKeyCompressed])
+	} else {
+		var err error
+		pub, err = parsePubKey(pubKey[:], sm2.P256Sm2())
+		if err != nil {
+			fmt.Printf("parse pubkey failed\n")
+			return false
+		}
+	}
+	r, s, err := Deserialize(sigSM2)
+	if err != nil {
+		fmt.Printf("unmarshal sign failed")
+		return false
+	}
+	//国密签名算法和ecdsa不一样，-s验签不通过，所以不需要LowS检查
+	//fmt.Printf("verify:%x, r:%d, s:%d\n", crypto.Sm3Hash(msg), r, s)
+	//lowS := IsLowS(s)
+	//if !lowS {
+	//	fmt.Printf("lowS check failed")
+	//	return false
+	//}
+
+	return sm2.Sm2Verify(pub, msg, uid, r, s)
+}
+
+func (pubKey PubKeySM2) String() string {
+	return fmt.Sprintf("PubKeySM2{%X}", pubKey[:])
+}
+
+//KeyString Must return the full bytes in hex.
+// Used for map keying, etc.
+func (pubKey PubKeySM2) KeyString() string {
+	return fmt.Sprintf("%X", pubKey[:])
+}
+
+//Equals 相等
+func (pubKey PubKeySM2) Equals(other crypto.PubKey) bool {
+	if otherSecp, ok := other.(PubKeySM2); ok {
+		return bytes.Equal(pubKey[:], otherSecp[:])
+	}
+	return false
+}
+
+//SignatureSM2 签名
+type SignatureSM2 []byte
+
+//SignatureS 签名
+type SignatureS struct {
+	crypto.Signature
+	uid []byte
+}
+
+//Bytes 字节格式
+func (sig SignatureSM2) Bytes() []byte {
+	s := make([]byte, len(sig))
+	copy(s, sig[:])
+	return s
+}
+
+//IsZero 是否为0
+func (sig SignatureSM2) IsZero() bool { return len(sig) == 0 }
+
+func (sig SignatureSM2) String() string {
+	fingerprint := make([]byte, len(sig[:]))
+	copy(fingerprint, sig[:])
+	return fmt.Sprintf("/%X.../", fingerprint)
+
+}
+
+//Equals 相等
+func (sig SignatureSM2) Equals(other crypto.Signature) bool {
+	if otherEd, ok := other.(SignatureSM2); ok {
+		return bytes.Equal(sig[:], otherEd[:])
+	}
+	return false
+}
+
+//const
+const (
+	Name = "auth_sm2"
+	ID   = 258
+)
 
 func init() {
-	crypto.Register(name, &sm2Driver{}, false)
-	crypto.RegisterType(name, id)
+	crypto.Register(Name, &Driver{}, false)
+	crypto.RegisterType(Name, ID)
+}
+
+func privKeyFromBytes(curve elliptic.Curve, pk []byte) (*sm2.PrivateKey, *sm2.PublicKey) {
+	x, y := curve.ScalarBaseMult(pk)
+
+	priv := &sm2.PrivateKey{
+		PublicKey: sm2.PublicKey{
+			Curve: curve,
+			X:     x,
+			Y:     y,
+		},
+		D: new(big.Int).SetBytes(pk),
+	}
+
+	return priv, &priv.PublicKey
 }

plugin/crypto/sm2/utils.go

+// Copyright Fuzamei Corp. 2018 All Rights Reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package sm2
+
+import (
+	"crypto/elliptic"
+	"errors"
+	"fmt"
+	"math/big"
+
+	"github.com/btcsuite/btcd/btcec"
+	"github.com/tjfoc/gmsm/sm2"
+)
+
+const (
+	pubkeyUncompressed byte = 0x4 // x coord + y coord
+)
+
+func canonicalizeInt(val *big.Int) []byte {
+	b := val.Bytes()
+	if len(b) == 0 {
+		b = []byte{0x00}
+	}
+	if b[0]&0x80 != 0 {
+		paddedBytes := make([]byte, len(b)+1)
+		copy(paddedBytes[1:], b)
+		b = paddedBytes
+	}
+	return b
+}
+
+//Serialize 序列化
+func Serialize(r, s *big.Int) []byte {
+	rb := canonicalizeInt(r)
+	sb := canonicalizeInt(s)
+
+	length := 6 + len(rb) + len(sb)
+	b := make([]byte, length)
+
+	b[0] = 0x30
+	b[1] = byte(length - 2)
+	b[2] = 0x02
+	b[3] = byte(len(rb))
+	offset := copy(b[4:], rb) + 4
+	b[offset] = 0x02
+	b[offset+1] = byte(len(sb))
+	copy(b[offset+2:], sb)
+
+	return b
+}
+
+//Deserialize 反序列化
+func Deserialize(sigStr []byte) (*big.Int, *big.Int, error) {
+	sig, err := btcec.ParseDERSignature(sigStr, sm2.P256Sm2())
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return sig.R, sig.S, nil
+}
+
+func parsePubKey(pubKeyStr []byte, curve elliptic.Curve) (key *sm2.PublicKey, err error) {
+	pubkey := sm2.PublicKey{}
+	pubkey.Curve = curve
+
+	if len(pubKeyStr) == 0 {
+		return nil, errors.New("pubkey string is empty")
+	}
+
+	pubkey.X = new(big.Int).SetBytes(pubKeyStr[1:33])
+	pubkey.Y = new(big.Int).SetBytes(pubKeyStr[33:])
+	if pubkey.X.Cmp(pubkey.Curve.Params().P) >= 0 {
+		return nil, fmt.Errorf("pubkey X parameter is >= to P")
+	}
+	if pubkey.Y.Cmp(pubkey.Curve.Params().P) >= 0 {
+		return nil, fmt.Errorf("pubkey Y parameter is >= to P")
+	}
+	if !pubkey.Curve.IsOnCurve(pubkey.X, pubkey.Y) {
+		return nil, fmt.Errorf("pubkey isn't on secp256k1 curve")
+	}
+	return &pubkey, nil
+}
+
+//SerializePublicKey 公钥序列化
+func SerializePublicKey(p *sm2.PublicKey, isCompress bool) []byte {
+	if isCompress {
+		return sm2.Compress(p)
+	}
+
+	b := make([]byte, 0, SM2PublicKeyLength)
+	b = append(b, pubkeyUncompressed)
+	b = paddedAppend(32, b, p.X.Bytes())
+	return paddedAppend(32, b, p.Y.Bytes())
+}
+
+//SerializePrivateKey 私钥序列化
+func SerializePrivateKey(p *sm2.PrivateKey) []byte {
+	b := make([]byte, 0, SM2PrivateKeyLength)
+	return paddedAppend(SM2PrivateKeyLength, b, p.D.Bytes())
+}
+
+func paddedAppend(size uint, dst, src []byte) []byte {
+	for i := 0; i < int(size)-len(src); i++ {
+		dst = append(dst, 0)
+	}
+	return append(dst, src...)
+}

plugin/dapp/cert/authority/authority.go

@@ -265,6 +265,11 @@ func (auth *Authority) Validate(signature *types.Signature) error {
 	return nil
 }
 
+// GetSnFromSig 解析证书序列号
+func (auth *Authority) GetSnFromByte(signature *types.Signature) ([]byte, error) {
+	return auth.validator.GetCertSnFromSignature(signature.Signature)
+
+}
 // ToHistoryCertStore 历史数据转成store可存储的历史数据
 func (certdata *HistoryCertData) ToHistoryCertStore(store *types.HistoryCertStore) {
 	if store == nil {

plugin/dapp/cert/authority/authority_test.go

@@ -59,7 +59,7 @@ var SIGNTYPE = ct.AuthSM2
 
 func signtx(tx *types.Transaction, priv crypto.PrivKey, cert []byte) {
 	tx.Sign(int32(SIGNTYPE), priv)
-	tx.Signature.Signature, _ = utils.EncodeCertToSignature(tx.Signature.Signature, cert)
+	tx.Signature.Signature = utils.EncodeCertToSignature(tx.Signature.Signature, cert, nil)
 }
 
 func signtxs(priv crypto.PrivKey, cert []byte) {

plugin/dapp/cert/authority/core/ecdsaimpl.go

@@ -162,7 +162,7 @@ func (validator *ecdsaValidator) Validate(certByte []byte, pubKey []byte) error
 		return fmt.Errorf("Could not obtain certification chain, err %s", err)
 	}
 
-	err = validator.validateCertAgainstChain(cert, validationChain)
+	err = validator.validateCertAgainstChain(cert.SerialNumber, validationChain)
 	if err != nil {
 		return fmt.Errorf("Could not validate identity against certification chain, err %s", err)
 	}
@@ -360,10 +360,10 @@ func (validator *ecdsaValidator) validateCAIdentity(cert *x509.Certificate) erro
 		return nil
 	}
 
-	return validator.validateCertAgainstChain(cert, validationChain)
+	return validator.validateCertAgainstChain(cert.SerialNumber, validationChain)
 }
 
-func (validator *ecdsaValidator) validateCertAgainstChain(cert *x509.Certificate, validationChain []*x509.Certificate) error {
+func (validator *ecdsaValidator) validateCertAgainstChain(serialNumber *big.Int, validationChain []*x509.Certificate) error {
 	SKI, err := getSubjectKeyIdentifierFromCert(validationChain[1])
 	if err != nil {
 		return fmt.Errorf("Could not obtain Subject Key Identifier for signer cert, err %s", err)
@@ -377,7 +377,7 @@ func (validator *ecdsaValidator) validateCertAgainstChain(cert *x509.Certificate
 
 		if bytes.Equal(aki, SKI) {
 			for _, rc := range crl.TBSCertList.RevokedCertificates {
-				if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
+				if rc.SerialNumber.Cmp(serialNumber) == 0 {
 					err = validationChain[1].CheckCRLSignature(crl)
 					if err != nil {
 						authLogger.Warn("Invalid signature over the identified CRL, error %s", err)
@@ -405,16 +405,31 @@ func (validator *ecdsaValidator) getValidityOptsForCert(cert *x509.Certificate)
 }
 
 func (validator *ecdsaValidator) GetCertFromSignature(signature []byte) ([]byte, error) {
-	cert, _, err := utils.DecodeCertFromSignature(signature)
+	certSign, err := utils.DecodeCertFromSignature(signature)
 	if err != nil {
 		authLogger.Error(fmt.Sprintf("unmashal certificate from signature failed. %s", err.Error()))
 		return nil, err
 	}
 
-	if len(cert) == 0 {
+	if len(certSign.Cert) == 0 {
 		authLogger.Error("cert can not be null")
 		return nil, types.ErrInvalidParam
 	}
 
-	return cert, nil
+	return certSign.Cert, nil
 }
+
+func (validator *ecdsaValidator) GetCertSnFromSignature(signature []byte) ([]byte, error) {
+	certByte, err := validator.GetCertFromSignature(signature)
+	if err != nil {
+		authLogger.Error(fmt.Sprintf("GetCertSnFromSignature from signature failed. %s", err.Error()))
+		return nil, err
+	}
+
+	cert, err := validator.getCertFromPem(certByte)
+	if err != nil {
+		return nil, fmt.Errorf("ParseCertificate failed %s", err)
+	}
+
+	return cert.SerialNumber.Bytes(), nil
+}
\ No newline at end of file

plugin/dapp/cert/authority/core/gmimpl.go

@@ -12,6 +12,7 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"math/big"
 	"reflect"
 	"time"
 
@@ -100,7 +101,7 @@ func (validator *gmValidator) Validate(certByte []byte, pubKey []byte) error {
 		return fmt.Errorf("Could not obtain certification chain, err %s", err)
 	}
 
-	err = validator.validateCertAgainstChain(cert, validationChain)
+	err = validator.validateCertAgainstChain(cert.SerialNumber, validationChain)
 	if err != nil {
 		return fmt.Errorf("Could not validate identity against certification chain, err %s", err)
 	}
@@ -292,10 +293,10 @@ func (validator *gmValidator) validateCAIdentity(cert *sm2.Certificate) error {
 		return nil
 	}
 
-	return validator.validateCertAgainstChain(cert, validationChain)
+	return validator.validateCertAgainstChain(cert.SerialNumber, validationChain)
 }
 
-func (validator *gmValidator) validateCertAgainstChain(cert *sm2.Certificate, validationChain []*sm2.Certificate) error {
+func (validator *gmValidator) validateCertAgainstChain(serialNumber *big.Int, validationChain []*sm2.Certificate) error {
 	SKI, err := getSubjectKeyIdentifierFromSm2Cert(validationChain[1])
 	if err != nil {
 		return fmt.Errorf("Could not obtain Subject Key Identifier for signer cert, err %s", err)
@@ -309,7 +310,7 @@ func (validator *gmValidator) validateCertAgainstChain(cert *sm2.Certificate, va
 
 		if bytes.Equal(aki, SKI) {
 			for _, rc := range crl.TBSCertList.RevokedCertificates {
-				if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
+				if rc.SerialNumber.Cmp(serialNumber) == 0 {
 					err = validationChain[1].CheckCRLSignature(crl)
 					if err != nil {
 						authLogger.Warn(fmt.Sprintf("Invalid signature over the identified CRL, error %s", err))
@@ -339,16 +340,31 @@ func (validator *gmValidator) getValidityOptsForCert(cert *sm2.Certificate) sm2.
 
 func (validator *gmValidator) GetCertFromSignature(signature []byte) ([]byte, error) {
 	// 从proto中解码signature
-	cert, _, err := utils.DecodeCertFromSignature(signature)
+	cert, err := utils.DecodeCertFromSignature(signature)
 	if err != nil {
 		authLogger.Error(fmt.Sprintf("unmashal certificate from signature failed. %s", err.Error()))
 		return nil, err
 	}
 
-	if len(cert) == 0 {
+	if len(cert.Cert) == 0 {
 		authLogger.Error("cert can not be null")
 		return nil, types.ErrInvalidParam
 	}
 
-	return cert, nil
+	return cert.Cert, nil
 }
+
+func (validator *gmValidator) GetCertSnFromSignature(signature []byte) ([]byte, error) {
+	certByte, err := validator.GetCertFromSignature(signature)
+	if err != nil {
+		authLogger.Error(fmt.Sprintf("GetCertSnFromSignature from signature failed. %s", err.Error()))
+		return nil, err
+	}
+
+	cert, err := validator.getCertFromPem(certByte)
+	if err != nil {
+		return nil, fmt.Errorf("ParseCertificate failed %s", err)
+	}
+
+	return cert.SerialNumber.Bytes(), nil
+}
\ No newline at end of file

plugin/dapp/cert/authority/core/noneimpl.go

@@ -23,3 +23,7 @@ func (validator *noneValidator) Validate(certByte []byte, pubKey []byte) error {
 func (validator *noneValidator) GetCertFromSignature(signature []byte) ([]byte, error) {
 	return []byte(""), nil
 }
+
+func (validator *noneValidator) GetCertSnFromSignature(signature []byte) ([]byte, error) {
+	return []byte(""), nil
+}

plugin/dapp/cert/authority/core/validator.go

@@ -11,6 +11,8 @@ type Validator interface {
 	Validate(cert []byte, pubKey []byte) error
 
 	GetCertFromSignature(signature []byte) ([]byte, error)
+
+	GetCertSnFromSignature(signature []byte) ([]byte, error)
 }
 
 // AuthConfig 校验器配置

plugin/dapp/cert/authority/test/authdir/crypto/cacerts/ca-cert.pem

 -----BEGIN CERTIFICATE-----
-MIIB6zCCAZGgAwIBAgIQVq9SxucwdINw2WUMlNFpdjAKBggqgRzPVQGDdTBHMQsw
+MIIB7DCCAZGgAwIBAgIQETH0EMzvdWOEEg3FoAe/iDAKBggqgRzPVQGDdTBHMQsw
 CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy
-YW5jaXNjbzELMAkGA1UEAxMCY2EwHhcNMjAwNjE4MDMxNDQ2WhcNMzAwNjE2MDMx
-NDQ2WjBHMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE
+YW5jaXNjbzELMAkGA1UEAxMCY2EwHhcNMjAwODE0MDkyNTIwWhcNMzAwODEyMDky
+NTIwWjBHMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE
 BxMNU2FuIEZyYW5jaXNjbzELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqgRzP
-VQGCLQNCAARACzXYM8dLleVhjAwyljePO1Vltf2YL2xGKCLAB1/YITkM4q3GVE8D
-LZxsydaG0zncKUswQA97HM6F1qarbFuvo18wXTAOBgNVHQ8BAf8EBAMCAaYwDwYD
-VR0lBAgwBgYEVR0lADAPBgNVHRMBAf8EBTADAQH/MCkGA1UdDgQiBCDpAuHxKpzW
-gxCIZxodcdzpHpzKFhlEJARmhKOPuN1yaTAKBggqgRzPVQGDdQNIADBFAiEAowXR
-RYYCWcBT0gVSbHk7k+aJzG3uRdORTbbvmLgbG2QCIF3e0/m0aNRlvF6gPxBJ+JBR
-R0sbv9eyrSEFMwx/ZyGJ
+VQGCLQNCAAQlKmH6RVHN/nBE4qR+uF7lHmlc62jQA4kpoAwtJFRiFbczZx/KNDaD
+9+USLAo9ecxcdOKR4lIcuT7jvKX6tXQ7o18wXTAOBgNVHQ8BAf8EBAMCAaYwDwYD
+VR0lBAgwBgYEVR0lADAPBgNVHRMBAf8EBTADAQH/MCkGA1UdDgQiBCC8fKlLiayf
++80blLEiRIzTyY7uYDUpP5K2RtOmfY0NKjAKBggqgRzPVQGDdQNJADBGAiEA8vh+
+3joELxPxq0n1h07XFGeEnmpxutVoIocuky2HkF4CIQDnWIavlpJOq3tU76cmn3ur
+KQeyi9GM7Uoi25S1QIxu9A==
 -----END CERTIFICATE-----

plugin/dapp/cert/authority/test/authdir/crypto/keystore/68fe61b66aa6d9cd39b7eabbe756c179c69889ce70421b8b67bb2373be84fa24_sk

------BEGIN PRIVATE KEY-----
-MIGTAgEAMBMGByqGSM49AgEGCCqBHM9VAYItBHkwdwIBAQQg86AAL0bRgFW6RhFX
-no7CVphI1U2csfrjwPuYn3FXaF2gCgYIKoEcz1UBgi2hRANCAASR8Yb//+y/GMLy
-D36FLLO80oxUPtD6AtVoh9UIuC1b0QzA4+zkUDUk3zwdZ1pMZZKGZ48vE6KtAcFB
-uqU7L784
------END PRIVATE KEY-----

plugin/dapp/cert/authority/test/authdir/crypto/keystore/c26e4e9eb45028c297c0bc925e5890b27ad017865ab6208f7bf5346919019260_sk

+-----BEGIN PRIVATE KEY-----
+MIGTAgEAMBMGByqGSM49AgEGCCqBHM9VAYItBHkwdwIBAQQg4Ork9oT6d6CRxg0f
+EbHlr5eQPUcHWniEgRhDCi2dA/GgCgYIKoEcz1UBgi2hRANCAAQqXuEWh+sW/YtP
+FlHmxiFhYi0o3Tb8He9NAaJ6uKe+OF5/eXa+VmRrKKGeE+dG8LrMiJ5+AlIj+ryd
+blX5UKZ8
+-----END PRIVATE KEY-----

plugin/dapp/cert/authority/test/authdir/crypto/signcerts/User@Chain33-cert.pem

 -----BEGIN CERTIFICATE-----
-MIIB4zCCAYmgAwIBAgIQdKBE3pdDBMaadMbZ30K7aTAKBggqgRzPVQGDdTBHMQsw
+MIIB4zCCAYmgAwIBAgIQVs0txvOG+iVu/oISaV2KyzAKBggqgRzPVQGDdTBHMQsw
 CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy
-YW5jaXNjbzELMAkGA1UEAxMCY2EwHhcNMjAwNjE4MDMxNDQ2WhcNMzAwNjE2MDMx
-NDQ2WjBRMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE
+YW5jaXNjbzELMAkGA1UEAxMCY2EwHhcNMjAwODE0MDkyNTIwWhcNMzAwODEyMDky
+NTIwWjBRMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE
 BxMNU2FuIEZyYW5jaXNjbzEVMBMGA1UEAwwMVXNlckBDaGFpbjMzMFkwEwYHKoZI
-zj0CAQYIKoEcz1UBgi0DQgAEkfGG///svxjC8g9+hSyzvNKMVD7Q+gLVaIfVCLgt
-W9EMwOPs5FA1JN88HWdaTGWShmePLxOirQHBQbqlOy+/OKNNMEswDgYDVR0PAQH/
-BAQDAgeAMAwGA1UdEwEB/wQCMAAwKwYDVR0jBCQwIoAg6QLh8Sqc1oMQiGcaHXHc
-6R6cyhYZRCQEZoSjj7jdcmkwCgYIKoEcz1UBg3UDSAAwRQIgBSqSzSkoXopLR830
-zMjWsMVlZERtUuW3+uYm+bCRjOgCIQDZf8dKxkBd155hiilDQ4RR4Xa8+ZGcPslm
-Nm+S1txiqA==
+zj0CAQYIKoEcz1UBgi0DQgAEKl7hFofrFv2LTxZR5sYhYWItKN02/B3vTQGierin
+vjhef3l2vlZkayihnhPnRvC6zIiefgJSI/q8nW5V+VCmfKNNMEswDgYDVR0PAQH/
+BAQDAgeAMAwGA1UdEwEB/wQCMAAwKwYDVR0jBCQwIoAgvHypS4msn/vNG5SxIkSM
+08mO7mA1KT+StkbTpn2NDSowCgYIKoEcz1UBg3UDSAAwRQIhAND6HO/EN/dTeokX
+mIvczQBcxPHTAq3+QIa2NHIC8bYvAiAZ5N4C4rwRJCqTw8J6As69MFO10XixWHxH
+qrTJ9LnI3g==
 -----END CERTIFICATE-----

plugin/dapp/cert/authority/utils/keys.go

@@ -11,13 +11,11 @@ import (
 	"crypto/x509"
 	"encoding/hex"
 	"encoding/pem"
+	"github.com/33cn/chain33/types"
 	"math/big"
 
-	"encoding/asn1"
-
 	"fmt"
 
-	"github.com/33cn/chain33/common/crypto"
 	sm2_util "github.com/33cn/chain33/system/crypto/sm2"
 	ecdsa_util "github.com/33cn/plugin/plugin/crypto/ecdsa"
 	ty "github.com/33cn/plugin/plugin/dapp/cert/types"
@@ -65,22 +63,23 @@ func GetPublicKeySKIFromCert(cert []byte, signType int) (string, error) {
 }
 
 // EncodeCertToSignature 证书编码进签名
-func EncodeCertToSignature(signByte []byte, cert []byte) ([]byte, error) {
-	certSign := crypto.CertSignature{}
+func EncodeCertToSignature(signByte []byte, cert []byte, uid []byte) []byte {
+	var certSign ty.CertSignature
 	certSign.Signature = append(certSign.Signature, signByte...)
 	certSign.Cert = append(certSign.Cert, cert...)
-	return asn1.Marshal(certSign)
+	certSign.Uid = append(certSign.Uid, uid...)
+	return types.Encode(&certSign)
 }
 
 // DecodeCertFromSignature 从签名中解码证书
-func DecodeCertFromSignature(signByte []byte) ([]byte, []byte, error) {
-	var certSignature crypto.CertSignature
-	_, err := asn1.Unmarshal(signByte, &certSignature)
+func DecodeCertFromSignature(signByte []byte) (*ty.CertSignature, error) {
+	var certSign ty.CertSignature
+	err := types.Decode(signByte, &certSign)
 	if err != nil {
-		return nil, nil, err
+		return nil, err
 	}
 
-	return certSignature.Cert, certSignature.Signature, nil
+	return &certSign, nil
 }
 
 // PrivKeyByteFromRaw pem结构转成byte类型私钥

plugin/dapp/cert/executor/cert.go

@@ -51,6 +51,7 @@ func newCert() drivers.Driver {
 	c := &Cert{}
 	c.SetChild(c)
 	c.SetIsFree(true)
+	c.SetExecutorType(types.LoadExecutorType(driverName))
 	return c
 }
 

plugin/dapp/cert/executor/cert_test.go

+package executor
+
+import (
+	"fmt"
+	"github.com/33cn/chain33/account"
+	"github.com/33cn/chain33/client"
+	apimock "github.com/33cn/chain33/client/mocks"
+	"github.com/33cn/chain33/common"
+	"github.com/33cn/chain33/common/address"
+	"github.com/33cn/chain33/common/crypto"
+	dbm "github.com/33cn/chain33/common/db"
+	_ "github.com/33cn/chain33/system"
+	"github.com/33cn/chain33/system/dapp"
+	pty "github.com/33cn/chain33/system/dapp/manage/types"
+	"github.com/33cn/chain33/types"
+	"github.com/33cn/chain33/util"
+	_ "github.com/33cn/plugin/plugin/crypto/init"
+	"github.com/33cn/plugin/plugin/dapp/cert/authority"
+	"github.com/33cn/plugin/plugin/dapp/cert/authority/utils"
+	ct "github.com/33cn/plugin/plugin/dapp/cert/types"
+	pkt "github.com/33cn/plugin/plugin/dapp/collateralize/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+	"testing"
+	"time"
+)
+
+type execEnv struct {
+	blockTime   int64
+	blockHeight int64
+	difficulty  uint64
+	kvdb        dbm.KVDB
+	api         client.QueueProtocolAPI
+	db          dbm.KV
+	execAddr    string
+	cfg         *types.Chain33Config
+	ldb         dbm.DB
+	user        *authority.User
+}
+
+var (
+	PrivKeyA = "0x6da92a632ab7deb67d38c0f6560bcfed28167998f6496db64c258d5e8393a81b" // 1KSBd17H7ZK8iT37aJztFB22XGwsPTdwE4
+	Nodes    = [][]byte{
+		[]byte("1KSBd17H7ZK8iT37aJztFB22XGwsPTdwE4"),
+	}
+	total      = 100 * types.Coin
+	USERNAME = "User"
+	SIGNTYPE = ct.AuthSM2
+
+	transfer1 = &ct.CertAction{Value: &ct.CertAction_Normal{Normal:&ct.CertNormal{Key: "", Value: nil}}, Ty: ct.CertActionNormal}
+	tx1      = &types.Transaction{Execer: []byte("cert"), Payload: types.Encode(transfer1), Fee: 100000000, Expire: 0, To: dapp.ExecAddress("cert")}
+
+	transfer2 = &ct.CertAction{Value: &ct.CertAction_New{New:&ct.CertNew{Key: "", Value: nil}}, Ty: ct.CertActionNew}
+	tx2      = &types.Transaction{Execer: []byte("cert"), Payload: types.Encode(transfer2), Fee: 100000000, Expire: 0, To: dapp.ExecAddress("cert")}
+
+	transfer3 = &ct.CertAction{Value: &ct.CertAction_Update{Update:&ct.CertUpdate{Key: "", Value: nil}}, Ty: ct.CertActionUpdate}
+	tx3      = &types.Transaction{Execer: []byte("cert"), Payload: types.Encode(transfer3), Fee: 100000000, Expire: 0, To: dapp.ExecAddress("cert")}
+)
+
+func manageKeySet(key string, value string, db dbm.KV) {
+	var item types.ConfigItem
+	item.Key = key
+	item.Addr = value
+	item.Ty = pty.ConfigItemArrayConfig
+	emptyValue := &types.ArrayConfig{Value: make([]string, 0)}
+	arr := types.ConfigItem_Arr{Arr: emptyValue}
+	item.Value = &arr
+	item.GetArr().Value = append(item.GetArr().Value, value)
+
+	manageKey := types.ManageKey(key)
+	valueSave := types.Encode(&item)
+	db.Set([]byte(manageKey), valueSave)
+}
+
+func initEnv() (*execEnv, error) {
+	cfg := types.NewChain33Config(types.ReadFile("./test/chain33.toml"))
+	cfg.SetTitleOnlyForTest("chain33")
+
+	sub := cfg.GetSubConfig()
+	var subcfg ct.Authority
+	if sub.Exec["cert"] != nil {
+		types.MustDecode(sub.Exec["cert"], &subcfg)
+	}
+	Init(ct.CertX, cfg, sub.Exec["cert"])
+
+	userLoader := &authority.UserLoader{}
+	err := userLoader.Init(subcfg.CryptoPath, subcfg.SignType)
+	if err != nil {
+		fmt.Printf("Init user loader falied -> %v", err)
+		return nil, err
+	}
+
+	user, err := userLoader.Get(USERNAME)
+	if err != nil {
+		fmt.Printf("Get user failed")
+		return nil, err
+	}
+
+	_, ldb, kvdb := util.CreateTestDB()
+
+	accountA := types.Account{
+		Balance: total,
+		Frozen:  0,
+		Addr:    string(Nodes[0]),
+	}
+
+	api := new(apimock.QueueProtocolAPI)
+	api.On("GetConfig", mock.Anything).Return(cfg, nil)
+
+	execAddr := dapp.ExecAddress(ct.CertX)
+	stateDB, _ := dbm.NewGoMemDB("1", "2", 100)
+
+	accA := account.NewCoinsAccount(cfg)
+	accA.SetDB(stateDB)
+	accA.SaveExecAccount(execAddr, &accountA)
+	manageKeySet(ct.AdminKey, accountA.Addr, stateDB)
+
+	return &execEnv{
+		blockTime:   time.Now().Unix(),
+		blockHeight: cfg.GetDappFork(ct.CertX, "Enable"),
+		difficulty:  1539918074,
+		kvdb:        kvdb,
+		api:         api,
+		db:          stateDB,
+		execAddr:    execAddr,
+		cfg:         cfg,
+		ldb:         ldb,
+		user:        user,
+	}, nil
+}
+
+func signCertTx(tx *types.Transaction, priv crypto.PrivKey, cert []byte) {
+	tx.Sign(int32(SIGNTYPE), priv)
+	tx.Signature.Signature = utils.EncodeCertToSignature(tx.Signature.Signature, cert, nil)
+}
+
+func signTx(tx *types.Transaction, hexPrivKey string) (*types.Transaction, error) {
+	signType := types.SECP256K1
+	c, err := crypto.New(types.GetSignName(pkt.CollateralizeX, signType))
+	if err != nil {
+		return tx, err
+	}
+
+	bytes, err := common.FromHex(hexPrivKey[:])
+	if err != nil {
+		return tx, err
+	}
+
+	privKey, err := c.PrivKeyFromBytes(bytes)
+	if err != nil {
+		return tx, err
+	}
+
+	tx.Sign(int32(signType), privKey)
+	return tx, nil
+}
+
+func TestCert(t *testing.T) {
+	env, err := initEnv()
+	if err != nil {
+		panic(err)
+	}
+
+	signCertTx(tx1, env.user.Key, env.user.Cert)
+
+	// tx1
+	exec := newCert()
+	exec.SetAPI(env.api)
+	exec.SetStateDB(env.db)
+	assert.Equal(t, exec.GetCoinsAccount().LoadExecAccount(string(Nodes[0]), env.execAddr).GetBalance(), total)
+	exec.SetLocalDB(env.kvdb)
+	exec.SetEnv(env.blockHeight, env.blockTime, env.difficulty)
+	exec.SetEnv(env.blockHeight+1, env.blockTime+1, env.difficulty)
+	receipt, err := exec.Exec(tx1, int(1))
+	assert.Nil(t, err)
+	assert.NotNil(t, receipt)
+	t.Log(receipt)
+	for _, kv := range receipt.KV {
+		env.db.Set(kv.Key, kv.Value)
+	}
+
+	receiptData := &types.ReceiptData{Ty: receipt.Ty, Logs: receipt.Logs}
+	set, err := exec.ExecLocal(tx1, receiptData, int(1))
+	assert.Nil(t, err)
+	assert.NotNil(t, set)
+	util.SaveKVList(env.ldb, set.KV)
+
+	addr := address.PubKeyToAddr(env.user.Key.PubKey().Bytes())
+	res, err := exec.Query("CertValidSNByAddr", types.Encode(&ct.ReqQueryValidCertSN{Addr: addr}))
+	assert.Nil(t, err)
+	assert.NotNil(t, res)
+
+	// tx2
+	signTx(tx2, PrivKeyA)
+	exec.SetEnv(env.blockHeight+1, env.blockTime+1, env.difficulty)
+	receipt, err = exec.Exec(tx2, int(1))
+	assert.Nil(t, err)
+	assert.NotNil(t, receipt)
+	t.Log(receipt)
+	for _, kv := range receipt.KV {
+		env.db.Set(kv.Key, kv.Value)
+	}
+
+	receiptData = &types.ReceiptData{Ty: receipt.Ty, Logs: receipt.Logs}
+	set, err = exec.ExecLocal(tx2, receiptData, int(1))
+	assert.Nil(t, err)
+	assert.NotNil(t, set)
+	util.SaveKVList(env.ldb, set.KV)
+
+	// tx3
+	signTx(tx3, PrivKeyA)
+	exec.SetEnv(env.blockHeight+1, env.blockTime+1, env.difficulty)
+	receipt, err = exec.Exec(tx3, int(1))
+	assert.Nil(t, err)
+	assert.NotNil(t, receipt)
+	t.Log(receipt)
+	for _, kv := range receipt.KV {
+		env.db.Set(kv.Key, kv.Value)
+	}
+
+	receiptData = &types.ReceiptData{Ty: receipt.Ty, Logs: receipt.Logs}
+	set, err = exec.ExecLocal(tx3, receiptData, int(1))
+	assert.Nil(t, err)
+	assert.NotNil(t, set)
+	util.SaveKVList(env.ldb, set.KV)
+}
+

plugin/dapp/cert/executor/exec.go

+package executor
+
+import (
+	dbm "github.com/33cn/chain33/common/db"
+	"github.com/33cn/chain33/types"
+	"github.com/33cn/plugin/plugin/dapp/cert/authority"
+	ct "github.com/33cn/plugin/plugin/dapp/cert/types"
+)
+
+func CertUserStoreKey(addr string) (key []byte) {
+	key = append(key, []byte("mavl-"+ct.CertX+"-"+addr)...)
+	return key
+}
+
+func isAdminAddr(addr string, db dbm.KV) bool {
+	manageKey := types.ManageKey(ct.AdminKey)
+	data, err := db.Get([]byte(manageKey))
+	if err != nil {
+		clog.Error("getSuperAddr", "error", err)
+		return false
+	}
+
+	var item types.ConfigItem
+	err = types.Decode(data, &item)
+	if err != nil {
+		clog.Error("isSuperAddr", "Decode", data)
+		return false
+	}
+
+	for _, op := range item.GetArr().Value {
+		if op == addr {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (c *Cert) Exec_New(payload *ct.CertNew, tx *types.Transaction, index int) (*types.Receipt, error) {
+	var logs []*types.ReceiptLog
+	var kv []*types.KeyValue
+	var receipt *types.Receipt
+
+	if !isAdminAddr(tx.From(), c.GetStateDB()) {
+		clog.Error("Exec_New", "error", "Exec_New need admin address")
+		return nil, ct.ErrPermissionDeny
+	}
+
+	receipt = &types.Receipt{Ty: types.ExecOk, KV: kv, Logs: logs}
+	return receipt, nil
+}
+
+func (c *Cert) Exec_Update(payload *ct.CertUpdate, tx *types.Transaction, index int) (*types.Receipt, error) {
+	var logs []*types.ReceiptLog
+	var kv []*types.KeyValue
+	var receipt *types.Receipt
+
+	if !isAdminAddr(tx.From(), c.GetStateDB()) {
+		clog.Error("Exec_Update", "error", "Exec_Update need admin address")
+		return nil, ct.ErrPermissionDeny
+	}
+
+	receipt = &types.Receipt{Ty: types.ExecOk, KV: kv, Logs: logs}
+	return receipt, nil
+}
+
+func (c *Cert) Exec_Normal(payload *ct.CertNormal, tx *types.Transaction, index int) (*types.Receipt, error) {
+	var logs []*types.ReceiptLog
+	var kv []*types.KeyValue
+	var receipt *types.Receipt
+
+	// 从proto中解码signature
+	sn, err := authority.Author.GetSnFromByte(tx.Signature)
+	if err != nil {
+		clog.Error("Exec_Normal get sn from signature failed", "error", err)
+		return nil, err
+	}
+
+	storekv := &types.KeyValue{Key: CertUserStoreKey(tx.From()), Value: sn}
+	c.GetStateDB().Set(storekv.Key, storekv.Value)
+	kv = append(kv, storekv)
+
+	receipt = &types.Receipt{Ty: types.ExecOk, KV: kv, Logs: logs}
+	return receipt, nil
+}
+
+func (c *Cert) Query_CertValidSNByAddr(req *ct.ReqQueryValidCertSN) (types.Message, error) {
+	sn, err := c.GetStateDB().Get(CertUserStoreKey(req.Addr))
+	if err != nil {
+		clog.Error("Query_CertValidSNByAddr", "error", err)
+		return nil, err
+	}
+
+	return &ct.RepQueryValidCertSN{Sn: sn}, nil
+}
\ No newline at end of file

plugin/dapp/cert/executor/test/authdir/crypto/cacerts/ca-cert.pem

+-----BEGIN CERTIFICATE-----
+MIIB7DCCAZGgAwIBAgIQETH0EMzvdWOEEg3FoAe/iDAKBggqgRzPVQGDdTBHMQsw
+CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy
+YW5jaXNjbzELMAkGA1UEAxMCY2EwHhcNMjAwODE0MDkyNTIwWhcNMzAwODEyMDky
+NTIwWjBHMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE
+BxMNU2FuIEZyYW5jaXNjbzELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqgRzP
+VQGCLQNCAAQlKmH6RVHN/nBE4qR+uF7lHmlc62jQA4kpoAwtJFRiFbczZx/KNDaD
+9+USLAo9ecxcdOKR4lIcuT7jvKX6tXQ7o18wXTAOBgNVHQ8BAf8EBAMCAaYwDwYD
+VR0lBAgwBgYEVR0lADAPBgNVHRMBAf8EBTADAQH/MCkGA1UdDgQiBCC8fKlLiayf
++80blLEiRIzTyY7uYDUpP5K2RtOmfY0NKjAKBggqgRzPVQGDdQNJADBGAiEA8vh+
+3joELxPxq0n1h07XFGeEnmpxutVoIocuky2HkF4CIQDnWIavlpJOq3tU76cmn3ur
+KQeyi9GM7Uoi25S1QIxu9A==
+-----END CERTIFICATE-----

plugin/dapp/cert/executor/test/authdir/crypto/keystore/c26e4e9eb45028c297c0bc925e5890b27ad017865ab6208f7bf5346919019260_sk

+-----BEGIN PRIVATE KEY-----
+MIGTAgEAMBMGByqGSM49AgEGCCqBHM9VAYItBHkwdwIBAQQg4Ork9oT6d6CRxg0f
+EbHlr5eQPUcHWniEgRhDCi2dA/GgCgYIKoEcz1UBgi2hRANCAAQqXuEWh+sW/YtP
+FlHmxiFhYi0o3Tb8He9NAaJ6uKe+OF5/eXa+VmRrKKGeE+dG8LrMiJ5+AlIj+ryd
+blX5UKZ8
+-----END PRIVATE KEY-----

plugin/dapp/cert/executor/test/authdir/crypto/signcerts/User@Chain33-cert.pem

+-----BEGIN CERTIFICATE-----
+MIIB4zCCAYmgAwIBAgIQVs0txvOG+iVu/oISaV2KyzAKBggqgRzPVQGDdTBHMQsw
+CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZy
+YW5jaXNjbzELMAkGA1UEAxMCY2EwHhcNMjAwODE0MDkyNTIwWhcNMzAwODEyMDky
+NTIwWjBRMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE
+BxMNU2FuIEZyYW5jaXNjbzEVMBMGA1UEAwwMVXNlckBDaGFpbjMzMFkwEwYHKoZI
+zj0CAQYIKoEcz1UBgi0DQgAEKl7hFofrFv2LTxZR5sYhYWItKN02/B3vTQGierin
+vjhef3l2vlZkayihnhPnRvC6zIiefgJSI/q8nW5V+VCmfKNNMEswDgYDVR0PAQH/
+BAQDAgeAMAwGA1UdEwEB/wQCMAAwKwYDVR0jBCQwIoAgvHypS4msn/vNG5SxIkSM
+08mO7mA1KT+StkbTpn2NDSowCgYIKoEcz1UBg3UDSAAwRQIhAND6HO/EN/dTeokX
+mIvczQBcxPHTAq3+QIa2NHIC8bYvAiAZ5N4C4rwRJCqTw8J6As69MFO10XixWHxH
+qrTJ9LnI3g==
+-----END CERTIFICATE-----

plugin/dapp/cert/executor/test/chain33.toml

+Title="chain33"
+TestNet=true
+FixTime=false
+version="6.3.0"
+
+
+[log]
+# 日志级别，支持debug(dbug)/info/warn/error(eror)/crit
+loglevel = "debug"
+logConsoleLevel = "info"
+# 日志文件名，可带目录，所有生成的日志文件都放到此目录下
+logFile = "logs/chain33.log"
+# 单个日志文件的最大值（单位：兆）
+maxFileSize = 300
+# 最多保存的历史日志文件个数
+maxBackups = 100
+# 最多保存的历史日志消息（单位：天）
+maxAge = 28
+# 日志文件名是否使用本地事件（否则使用UTC时间）
+localTime = true
+# 历史日志文件是否压缩（压缩格式为gz）
+compress = true
+# 是否打印调用源文件和行号
+callerFile = false
+# 是否打印调用方法
+callerFunction = false
+
+[blockchain]
+defCacheSize=128
+maxFetchBlockNum=128
+timeoutSeconds=5
+batchBlockNum=128
+driver="leveldb"
+dbPath="datadir"
+dbCache=64
+isStrongConsistency=false
+singleMode=true
+batchsync=false
+isRecordBlockSequence=true
+isParaChain=false
+enableTxQuickIndex=true
+enableReExecLocal=true
+
+[p2p]
+# p2p类型
+types=["dht", "gossip"]
+# 是否启动P2P服务
+enable=true
+# 使用的数据库类型
+driver="leveldb"
+# 使用的数据库类型
+dbPath="datadir/addrbook"
+# 数据库缓存大小
+dbCache=4
+# GRPC请求日志文件
+grpcLogFile="grpc33.log"
+#waitPid 等待seed导入
+waitPid=false
+
+
+[p2p.sub.gossip]
+seeds=[]
+isSeed=false
+serverStart=true
+innerSeedEnable=true
+useGithub=true
+innerBounds=300
+
+[p2p.sub.dht]
+
+[rpc]
+jrpcBindAddr="localhost:8801"
+grpcBindAddr="localhost:8802"
+whitelist=["127.0.0.1"]
+jrpcFuncWhitelist=["*"]
+grpcFuncWhitelist=["*"]
+
+
+[mempool]
+name="price"
+poolCacheSize=10240
+minTxFee=100000
+maxTxNumPerAccount=100
+maxTxFee=1000000000
+isLevelFee=true
+[mempool.sub.timeline]
+poolCacheSize=10240
+
+[mempool.sub.score]
+poolCacheSize=10240
+timeParam=1      #时间占价格比例
+priceConstant=10  #手续费相对于时间的一个的常量,排队时手续费高1e3的分数~=快1h的分数
+pricePower=1     #常量比例
+
+[mempool.sub.price]
+poolCacheSize=10240
+
+[consensus]
+name="solo"
+minerstart=true
+genesisBlockTime=1514533394
+genesis="14KEKbYtKKQm4wMthSK9J4La4nAiidGozt"
+minerExecs=["ticket", "autonomy"]
+
+[mver.consensus]
+fundKeyAddr = "1BQXS6TxaYYG5mADaWij4AxhZZUTpw95a5"
+powLimitBits="0x1f00ffff"
+maxTxNumber = 1600      #160
+
+[mver.consensus.ForkChainParamV1]
+maxTxNumber = 1500
+
+[mver.consensus.ForkTicketFundAddrV1]
+fundKeyAddr = "1Ji3W12KGScCM7C2p8bg635sNkayDM8MGY"
+
+[mver.consensus.ticket]
+coinReward = 18
+coinDevFund = 12
+ticketPrice = 10000
+retargetAdjustmentFactor = 4
+futureBlockTime = 16
+ticketFrozenTime = 5    #5s only for test
+ticketWithdrawTime = 10 #10s only for test
+ticketMinerWaitTime = 2 #2s only for test
+targetTimespan=2304
+targetTimePerBlock=16
+
+[mver.consensus.ticket.ForkChainParamV1]
+futureBlockTime = 15
+ticketFrozenTime = 43200
+ticketWithdrawTime = 172800
+ticketMinerWaitTime = 7200
+targetTimespan=2160
+targetTimePerBlock=15
+
+[mver.consensus.ticket.ForkChainParamV2]
+coinReward = 5
+coinDevFund = 3
+targetTimespan=720
+targetTimePerBlock=5
+ticketPrice = 3000
+
+
+
+[consensus.sub.ticket]
+genesisBlockTime=1514533394
+[[consensus.sub.ticket.genesis]]
+minerAddr="12qyocayNF7Lv6C9qW4avxs2E7U41fKSfv"
+returnAddr="14KEKbYtKKQm4wMthSK9J4La4nAiidGozt"
+count=10000
+
+[[consensus.sub.ticket.genesis]]
+minerAddr="1PUiGcbsccfxW3zuvHXZBJfznziph5miAo"
+returnAddr="1EbDHAXpoiewjPLX9uqoz38HsKqMXayZrF"
+count=10000
+
+[[consensus.sub.ticket.genesis]]
+minerAddr="1EDnnePAZN48aC2hiTDzhkczfF39g1pZZX"
+returnAddr="1KcCVZLSQYRUwE5EXTsAoQs9LuJW6xwfQa"
+count=10000
+
+[store]
+name="kvmvccmavl"
+driver="leveldb"
+dbPath="datadir/mavltree"
+dbCache=128
+# store数据库版本
+storedbVersion="2.0.0"
+
+[store.sub.mavl]
+enableMavlPrefix=false
+enableMVCC=false
+enableMavlPrune=false
+pruneHeight=10000
+# 是否使能mavl数据载入内存
+enableMemTree=true
+# 是否使能mavl叶子节点数据载入内存
+enableMemVal=true
+# 缓存close ticket数目，该缓存越大同步速度越快，最大设置到1500000
+tkCloseCacheLen=100000
+
+[store.sub.kvmvccmavl]
+enableMVCCIter=true
+enableMavlPrefix=false
+enableMVCC=false
+enableMavlPrune=false
+pruneMavlHeight=10000
+enableMVCCPrune=false
+pruneMVCCHeight=10000
+# 是否使能mavl数据载入内存
+enableMemTree=true
+# 是否使能mavl叶子节点数据载入内存
+enableMemVal=true
+# 缓存close ticket数目，该缓存越大同步速度越快，最大设置到1500000
+tkCloseCacheLen=100000
+# 该参数针对平行链，主链无需开启此功能
+enableEmptyBlockHandle=false
+
+[wallet]
+minFee=100000
+driver="leveldb"
+dbPath="wallet"
+dbCache=16
+signType="secp256k1"
+
+[wallet.sub.ticket]
+minerdisable=false
+minerwhitelist=["*"]
+
+[wallet.sub.multisig]
+rescanMultisigAddr=false
+
+[exec]
+isFree=false
+minExecFee=100000
+maxExecFee=1000000000
+enableStat=false
+enableMVCC=false
+alias=["token1:token","token2:token","token3:token"]
+
+[exec.sub.token]
+saveTokenTxList=true
+tokenApprs = [
+	"1Bsg9j6gW83sShoee1fZAt9TkUjcrCgA9S",
+	"1Q8hGLfoGe63efeWa8fJ4Pnukhkngt6poK",
+	"1LY8GFia5EiyoTodMLfkB5PHNNpXRqxhyB",
+	"1GCzJDS6HbgTQ2emade7mEJGGWFfA15pS9",
+	"1JYB8sxi4He5pZWHCd3Zi2nypQ4JMB6AxN",
+	"12qyocayNF7Lv6C9qW4avxs2E7U41fKSfv",
+	"16ui7XJ1VLM7YXcNhWwWsWS6CRC3ZA2sJ1",
+]
+
+[exec.sub.cert]
+# 是否启用证书验证和签名
+enable=true
+# 加密文件路径
+cryptoPath="test/authdir/crypto"
+# 带证书签名类型，支持"auth_ecdsa", "auth_sm2"
+signType="auth_sm2"
+
+[exec.sub.relay]
+genesis="12qyocayNF7Lv6C9qW4avxs2E7U41fKSfv"
+
+[exec.sub.manage]
+superManager=[
+    "1Bsg9j6gW83sShoee1fZAt9TkUjcrCgA9S", 
+    "12qyocayNF7Lv6C9qW4avxs2E7U41fKSfv", 
+    "1Q8hGLfoGe63efeWa8fJ4Pnukhkngt6poK",
+	"16ui7XJ1VLM7YXcNhWwWsWS6CRC3ZA2sJ1",
+]
+[exec.sub.paracross]
+nodeGroupFrozenCoins=0
+#平行链共识停止后主链等待的高度
+paraConsensusStopBlocks=30000
+
+[exec.sub.autonomy]
+total="16htvcBNSEA7fZhAdLJphDwQRQJaHpyHTp"
+useBalance=false
+
+#系统中所有的fork,默认用chain33的测试网络的
+#但是我们可以替换
+[fork.system]
+ForkChainParamV1= 0
+ForkCheckTxDup=0
+ForkBlockHash= 1	
+ForkMinerTime= 0
+ForkTransferExec=0
+ForkExecKey=0
+ForkTxGroup=0
+ForkResetTx0=0
+ForkWithdraw=0
+ForkExecRollback=0
+ForkCheckBlockTime=0
+ForkTxHeight=0
+ForkTxGroupPara=0
+ForkChainParamV2=0
+ForkMultiSignAddress=0
+ForkStateDBSet=0
+ForkLocalDBAccess=0
+ForkBlockCheck=0
+ForkBase58AddressCheck=0
+#平行链上使能平行链执行器如user.p.x.coins执行器的注册，缺省为0，对已有的平行链需要设置一个fork高度
+ForkEnableParaRegExec=0
+ForkCacheDriver=0
+ForkTicketFundAddrV1=-1 #fork6.3
+#主链和平行链都使用同一个fork高度
+ForkRootHash= 4500000
+
+[fork.sub.cert]
+Enable=0
+
+[metrics]
+#是否使能发送metrics数据的发送
+enableMetrics=false
+#数据保存模式
+dataEmitMode="influxdb"
+
+[metrics.sub.influxdb]
+#以纳秒为单位的发送间隔
+duration=1000000000
+url="http://influxdb:8086"
+database="chain33metrics"
+username=""
+password=""
+namespace=""
\ No newline at end of file

plugin/dapp/cert/proto/cert.proto

@@ -37,4 +37,18 @@ message Authority {
     bool   enable     = 1;
     string cryptoPath = 2;
     string signType   = 3;
+}
+
+message CertSignature {
+    bytes signature = 1;
+    bytes cert      = 2;
+    bytes uid       = 3;
+}
+
+message ReqQueryValidCertSN {
+    string addr = 1;
+}
+
+message RepQueryValidCertSN {
+    bytes sn = 1;
 }
\ No newline at end of file

plugin/dapp/cert/types/cert.pb.go

@@ -5,9 +5,8 @@ package types
 
 import (
 	fmt "fmt"
-	math "math"
-
 	proto "github.com/golang/protobuf/proto"
+	math "math"
 )
 
 // Reference imports to suppress errors if they are not otherwise used.
@@ -383,6 +382,139 @@ func (m *Authority) GetSignType() string {
 	return ""
 }
 
+type CertSignature struct {
+	Signature            []byte   `protobuf:"bytes,1,opt,name=signature,proto3" json:"signature,omitempty"`
+	Cert                 []byte   `protobuf:"bytes,2,opt,name=cert,proto3" json:"cert,omitempty"`
+	Uid                  []byte   `protobuf:"bytes,3,opt,name=uid,proto3" json:"uid,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *CertSignature) Reset()         { *m = CertSignature{} }
+func (m *CertSignature) String() string { return proto.CompactTextString(m) }
+func (*CertSignature) ProtoMessage()    {}
+func (*CertSignature) Descriptor() ([]byte, []int) {
+	return fileDescriptor_a142e29cbef9b1cf, []int{6}
+}
+
+func (m *CertSignature) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_CertSignature.Unmarshal(m, b)
+}
+func (m *CertSignature) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_CertSignature.Marshal(b, m, deterministic)
+}
+func (m *CertSignature) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CertSignature.Merge(m, src)
+}
+func (m *CertSignature) XXX_Size() int {
+	return xxx_messageInfo_CertSignature.Size(m)
+}
+func (m *CertSignature) XXX_DiscardUnknown() {
+	xxx_messageInfo_CertSignature.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_CertSignature proto.InternalMessageInfo
+
+func (m *CertSignature) GetSignature() []byte {
+	if m != nil {
+		return m.Signature
+	}
+	return nil
+}
+
+func (m *CertSignature) GetCert() []byte {
+	if m != nil {
+		return m.Cert
+	}
+	return nil
+}
+
+func (m *CertSignature) GetUid() []byte {
+	if m != nil {
+		return m.Uid
+	}
+	return nil
+}
+
+type ReqQueryValidCertSN struct {
+	Addr                 string   `protobuf:"bytes,1,opt,name=addr,proto3" json:"addr,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *ReqQueryValidCertSN) Reset()         { *m = ReqQueryValidCertSN{} }
+func (m *ReqQueryValidCertSN) String() string { return proto.CompactTextString(m) }
+func (*ReqQueryValidCertSN) ProtoMessage()    {}
+func (*ReqQueryValidCertSN) Descriptor() ([]byte, []int) {
+	return fileDescriptor_a142e29cbef9b1cf, []int{7}
+}
+
+func (m *ReqQueryValidCertSN) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_ReqQueryValidCertSN.Unmarshal(m, b)
+}
+func (m *ReqQueryValidCertSN) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_ReqQueryValidCertSN.Marshal(b, m, deterministic)
+}
+func (m *ReqQueryValidCertSN) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ReqQueryValidCertSN.Merge(m, src)
+}
+func (m *ReqQueryValidCertSN) XXX_Size() int {
+	return xxx_messageInfo_ReqQueryValidCertSN.Size(m)
+}
+func (m *ReqQueryValidCertSN) XXX_DiscardUnknown() {
+	xxx_messageInfo_ReqQueryValidCertSN.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ReqQueryValidCertSN proto.InternalMessageInfo
+
+func (m *ReqQueryValidCertSN) GetAddr() string {
+	if m != nil {
+		return m.Addr
+	}
+	return ""
+}
+
+type RepQueryValidCertSN struct {
+	Sn                   []byte   `protobuf:"bytes,1,opt,name=sn,proto3" json:"sn,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *RepQueryValidCertSN) Reset()         { *m = RepQueryValidCertSN{} }
+func (m *RepQueryValidCertSN) String() string { return proto.CompactTextString(m) }
+func (*RepQueryValidCertSN) ProtoMessage()    {}
+func (*RepQueryValidCertSN) Descriptor() ([]byte, []int) {
+	return fileDescriptor_a142e29cbef9b1cf, []int{8}
+}
+
+func (m *RepQueryValidCertSN) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_RepQueryValidCertSN.Unmarshal(m, b)
+}
+func (m *RepQueryValidCertSN) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_RepQueryValidCertSN.Marshal(b, m, deterministic)
+}
+func (m *RepQueryValidCertSN) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_RepQueryValidCertSN.Merge(m, src)
+}
+func (m *RepQueryValidCertSN) XXX_Size() int {
+	return xxx_messageInfo_RepQueryValidCertSN.Size(m)
+}
+func (m *RepQueryValidCertSN) XXX_DiscardUnknown() {
+	xxx_messageInfo_RepQueryValidCertSN.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_RepQueryValidCertSN proto.InternalMessageInfo
+
+func (m *RepQueryValidCertSN) GetSn() []byte {
+	if m != nil {
+		return m.Sn
+	}
+	return nil
+}
+
 func init() {
 	proto.RegisterType((*Cert)(nil), "types.Cert")
 	proto.RegisterType((*CertAction)(nil), "types.CertAction")
@@ -390,31 +522,37 @@ func init() {
 	proto.RegisterType((*CertUpdate)(nil), "types.CertUpdate")
 	proto.RegisterType((*CertNormal)(nil), "types.CertNormal")
 	proto.RegisterType((*Authority)(nil), "types.Authority")
+	proto.RegisterType((*CertSignature)(nil), "types.CertSignature")
+	proto.RegisterType((*ReqQueryValidCertSN)(nil), "types.ReqQueryValidCertSN")
+	proto.RegisterType((*RepQueryValidCertSN)(nil), "types.RepQueryValidCertSN")
 }
 
-func init() {
-	proto.RegisterFile("cert.proto", fileDescriptor_a142e29cbef9b1cf)
-}
+func init() { proto.RegisterFile("cert.proto", fileDescriptor_a142e29cbef9b1cf) }
 
 var fileDescriptor_a142e29cbef9b1cf = []byte{
-	// 300 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x52, 0xcd, 0x4a, 0xf3, 0x40,
-	0x14, 0xed, 0x24, 0xfd, 0xbd, 0xfd, 0x28, 0x9f, 0x83, 0x48, 0x70, 0x21, 0x25, 0xab, 0x82, 0x10,
-	0xb0, 0xfa, 0x02, 0xd5, 0x4d, 0xdd, 0x14, 0x19, 0xea, 0x5a, 0xa6, 0xe9, 0xd5, 0x06, 0xd3, 0x4c,
-	0x98, 0xde, 0x58, 0xe6, 0x79, 0x7c, 0x51, 0x99, 0x1f, 0x25, 0x82, 0x0b, 0xdd, 0xe5, 0xdc, 0x73,
-	0x4e, 0xee, 0x39, 0xdc, 0x01, 0xc8, 0x51, 0x53, 0x56, 0x6b, 0x45, 0x8a, 0xf7, 0xc8, 0xd4, 0x78,
-	0x48, 0x9f, 0xa1, 0x7b, 0x87, 0x9a, 0xf8, 0x19, 0xf4, 0x2d, 0x79, 0xbf, 0x4d, 0xd8, 0x94, 0xcd,
-	0xfe, 0x89, 0x80, 0xf8, 0x05, 0x40, 0xae, 0x51, 0x12, 0xae, 0x8b, 0x3d, 0x26, 0xd1, 0x94, 0xcd,
-	0x62, 0xd1, 0x9a, 0xf0, 0xff, 0x10, 0xbf, 0xa2, 0x49, 0xe2, 0x29, 0x9b, 0x8d, 0x84, 0xfd, 0xe4,
-	0xa7, 0xd0, 0x7b, 0x93, 0x65, 0x83, 0x49, 0xd7, 0xfd, 0xc8, 0x83, 0xf4, 0x9d, 0x01, 0xd8, 0x45,
-	0x8b, 0x9c, 0x0a, 0x55, 0xf1, 0x14, 0xe2, 0x0a, 0x8f, 0x6e, 0xd7, 0x78, 0x3e, 0xc9, 0x5c, 0x96,
-	0xcc, 0xf2, 0x2b, 0x3c, 0x2e, 0x3b, 0xc2, 0x92, 0xfc, 0x12, 0xfa, 0x4d, 0xbd, 0x95, 0xe4, 0xd7,
-	0x8e, 0xe7, 0x27, 0x2d, 0xd9, 0xa3, 0x23, 0x96, 0x1d, 0x11, 0x24, 0x56, 0x5c, 0x29, 0xbd, 0x97,
-	0xa5, 0x8b, 0xf2, 0x5d, 0xbc, 0x72, 0x84, 0x15, 0x7b, 0x09, 0x9f, 0x40, 0x44, 0xc6, 0xe5, 0xeb,
-	0x89, 0x88, 0xcc, 0xed, 0x20, 0x44, 0x4e, 0xaf, 0x60, 0x10, 0x42, 0x7c, 0x16, 0x63, 0x3f, 0x14,
-	0x8b, 0xda, 0xc5, 0x6e, 0x7c, 0x2f, 0x1f, 0xe8, 0xaf, 0x2e, 0x9f, 0xec, 0xd7, 0xae, 0x27, 0x18,
-	0x2d, 0x1a, 0xda, 0x29, 0x5d, 0x90, 0xb1, 0x17, 0xc3, 0x4a, 0x6e, 0x4a, 0x74, 0xbe, 0xa1, 0x08,
-	0xc8, 0x5f, 0xcc, 0xd4, 0xa4, 0x1e, 0x24, 0xed, 0x9c, 0x7f, 0x24, 0x5a, 0x13, 0x7e, 0x0e, 0xc3,
-	0x43, 0xf1, 0x52, 0xad, 0x4d, 0x8d, 0xe1, 0x6c, 0x5f, 0x78, 0xd3, 0x77, 0x6f, 0xe3, 0xfa, 0x23,
-	0x00, 0x00, 0xff, 0xff, 0x1d, 0xbc, 0xa5, 0x33, 0x29, 0x02, 0x00, 0x00,
+	// 380 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x52, 0x5d, 0x4b, 0xeb, 0x40,
+	0x10, 0x6d, 0x92, 0x7e, 0x65, 0xda, 0x5b, 0xee, 0xdd, 0x2b, 0x12, 0x44, 0xa4, 0x04, 0x84, 0x8a,
+	0x50, 0xb0, 0xfa, 0x07, 0xaa, 0x2f, 0xf5, 0xa5, 0xe8, 0xb6, 0xfa, 0x2a, 0xdb, 0x66, 0x6c, 0x83,
+	0xe9, 0x26, 0x6e, 0x36, 0x96, 0xfd, 0x3d, 0xfe, 0x51, 0xd9, 0xcd, 0x56, 0x23, 0xfa, 0xa0, 0x6f,
+	0x33, 0x3b, 0xe7, 0xec, 0x39, 0x87, 0x19, 0x80, 0x25, 0x0a, 0x39, 0xcc, 0x44, 0x2a, 0x53, 0xd2,
+	0x90, 0x2a, 0xc3, 0x3c, 0x7c, 0x84, 0xfa, 0x15, 0x0a, 0x49, 0xf6, 0xa1, 0xa9, 0x87, 0xd7, 0x51,
+	0xe0, 0xf4, 0x9d, 0x41, 0x97, 0xda, 0x8e, 0x1c, 0x01, 0x2c, 0x05, 0x32, 0x89, 0xf3, 0x78, 0x83,
+	0x81, 0xdb, 0x77, 0x06, 0x1e, 0xad, 0xbc, 0x90, 0xbf, 0xe0, 0x3d, 0xa1, 0x0a, 0xbc, 0xbe, 0x33,
+	0xf0, 0xa9, 0x2e, 0xc9, 0x1e, 0x34, 0x5e, 0x58, 0x52, 0x60, 0x50, 0x37, 0x1f, 0x95, 0x4d, 0xf8,
+	0xea, 0x00, 0x68, 0xa1, 0xf1, 0x52, 0xc6, 0x29, 0x27, 0x21, 0x78, 0x1c, 0xb7, 0x46, 0xab, 0x33,
+	0xea, 0x0d, 0x8d, 0x97, 0xa1, 0x9e, 0x4f, 0x71, 0x3b, 0xa9, 0x51, 0x3d, 0x24, 0xa7, 0xd0, 0x2c,
+	0xb2, 0x88, 0xc9, 0x52, 0xb6, 0x33, 0xfa, 0x57, 0x81, 0xdd, 0x99, 0xc1, 0xa4, 0x46, 0x2d, 0x44,
+	0x83, 0x79, 0x2a, 0x36, 0x2c, 0x31, 0x56, 0x3e, 0x83, 0xa7, 0x66, 0xa0, 0xc1, 0x25, 0x84, 0xf4,
+	0xc0, 0x95, 0xca, 0xf8, 0x6b, 0x50, 0x57, 0xaa, 0xcb, 0x96, 0xb5, 0x1c, 0x9e, 0x41, 0xcb, 0x9a,
+	0xd8, 0x05, 0x73, 0xbe, 0x09, 0xe6, 0x56, 0x83, 0x5d, 0x94, 0xb9, 0x4a, 0x43, 0xbf, 0x65, 0x95,
+	0xce, 0x7e, 0xcc, 0x7a, 0x00, 0x7f, 0x5c, 0xc8, 0x75, 0x2a, 0x62, 0xa9, 0xf4, 0xc6, 0x90, 0xb3,
+	0x45, 0x82, 0x86, 0xd7, 0xa6, 0xb6, 0x2b, 0x37, 0xa6, 0x32, 0x99, 0xde, 0x30, 0xb9, 0x36, 0x7c,
+	0x9f, 0x56, 0x5e, 0xc8, 0x01, 0xb4, 0xf3, 0x78, 0xc5, 0xe7, 0x2a, 0x43, 0xbb, 0xb6, 0xf7, 0x3e,
+	0x9c, 0xc1, 0x1f, 0x6d, 0x6b, 0x16, 0xaf, 0x38, 0x93, 0x85, 0x40, 0x72, 0x08, 0x7e, 0xbe, 0x6b,
+	0xec, 0x65, 0x7c, 0x3c, 0x10, 0x02, 0x75, 0x7d, 0x26, 0xd6, 0xa4, 0xa9, 0x75, 0x96, 0x22, 0x8e,
+	0xcc, 0xcf, 0x5d, 0xaa, 0xcb, 0xf0, 0x04, 0xfe, 0x53, 0x7c, 0xbe, 0x2d, 0x50, 0xa8, 0x7b, 0x96,
+	0xc4, 0x91, 0x51, 0x98, 0x6a, 0x32, 0x8b, 0x22, 0x61, 0x53, 0x9b, 0x3a, 0x3c, 0xd6, 0xd0, 0xec,
+	0x0b, 0xb4, 0x07, 0x6e, 0xce, 0xad, 0xbc, 0x9b, 0xf3, 0x45, 0xd3, 0x9c, 0xf0, 0xf9, 0x5b, 0x00,
+	0x00, 0x00, 0xff, 0xff, 0x7e, 0x07, 0x28, 0x2a, 0xd0, 0x02, 0x00, 0x00,
 }

plugin/dapp/cert/types/const.go

@@ -14,4 +14,6 @@ var (
 		"Update": CertActionUpdate,
 		"Normal": CertActionNormal,
 	}
+
+	AdminKey = "Auth-cert-admin"
 )

plugin/dapp/cert/types/errors.go

@@ -15,4 +15,6 @@ var (
 	ErrUnknowAuthSignType = errors.New("ErrUnknowAuthSignType")
 	// ErrInitializeAuthority 初始化校验器失败
 	ErrInitializeAuthority = errors.New("ErrInitializeAuthority")
+	// ErrPermissionDeny 权限校验失败
+	ErrPermissionDeny = errors.New("ErrPermissionDeny")
 )