update cert dapp

plugin/dapp/cert/authority/authority.go

@@ -11,6 +11,8 @@ import (
 	"runtime"
 	"sync"
 
+	"bytes"
+
 	"github.com/33cn/chain33/common/crypto"
 	log "github.com/33cn/chain33/common/log/log15"
 	"github.com/33cn/chain33/types"
@@ -43,6 +45,8 @@ type Authority struct {
 	validator core.Validator
 	// 签名类型
 	signType int
+	// 有效证书缓存
+	validCertCache [][]byte
 	// 历史证书缓存
 	HistoryCertCache *HistoryCertData
 }
@@ -87,6 +91,7 @@ func (auth *Authority) Init(conf *ty.Authority) error {
 	}
 	auth.validator = vldt
 
+	auth.validCertCache = make([][]byte, 0)
 	auth.HistoryCertCache = &HistoryCertData{authConfig, -1, -1}
 
 	IsAuthEnable = true
@@ -134,6 +139,9 @@ func (auth *Authority) ReloadCert(store *types.HistoryCertStore) error {
 		auth.validator = vldt
 	}
 
+	// 清空有效证书缓存
+	auth.validCertCache = auth.validCertCache[:0]
+
 	// 更新最新历史数据
 	auth.HistoryCertCache = &HistoryCertData{auth.authConfig, store.CurHeigth, store.NxtHeight}
 
@@ -160,6 +168,9 @@ func (auth *Authority) ReloadCertByHeght(currentHeight int64) error {
 	}
 	auth.validator = vldt
 
+	// 清空有效证书缓存
+	auth.validCertCache = auth.validCertCache[:0]
+
 	// 更新最新历史数据
 	auth.HistoryCertCache = &HistoryCertData{auth.authConfig, currentHeight, -1}
 
@@ -237,11 +248,11 @@ func (auth *Authority) Validate(signature *types.Signature) error {
 	}
 
 	// 是否在有效证书缓存中
-	//for _, v := range auth.validCertCache {
-	//	if bytes.Equal(v, cert) {
-	//		return nil
-	//	}
-	//}
+	for _, v := range auth.validCertCache {
+		if bytes.Equal(v, cert) {
+			return nil
+		}
+	}
 
 	// 校验
 	err = auth.validator.Validate(cert, signature.GetPubkey())
@@ -249,10 +260,16 @@ func (auth *Authority) Validate(signature *types.Signature) error {
 		alog.Error(fmt.Sprintf("validate cert failed. %s", err.Error()))
 		return fmt.Errorf("validate cert failed. error:%s", err.Error())
 	}
+	auth.validCertCache = append(auth.validCertCache, cert)
 
 	return nil
 }
 
+// GetSnFromSig 解析证书序列号
+func (auth *Authority) GetSnFromByte(signature *types.Signature) ([]byte, error) {
+	return auth.validator.GetCertSnFromSignature(signature.Signature)
+
+}
 // ToHistoryCertStore 历史数据转成store可存储的历史数据
 func (certdata *HistoryCertData) ToHistoryCertStore(store *types.HistoryCertStore) {
 	if store == nil {

plugin/dapp/cert/authority/core/ecdsaimpl.go

@@ -162,7 +162,7 @@ func (validator *ecdsaValidator) Validate(certByte []byte, pubKey []byte) error
 		return fmt.Errorf("Could not obtain certification chain, err %s", err)
 	}
 
-	err = validator.validateCertAgainstChain(cert, validationChain)
+	err = validator.validateCertAgainstChain(cert.SerialNumber, validationChain)
 	if err != nil {
 		return fmt.Errorf("Could not validate identity against certification chain, err %s", err)
 	}
@@ -360,10 +360,10 @@ func (validator *ecdsaValidator) validateCAIdentity(cert *x509.Certificate) erro
 		return nil
 	}
 
-	return validator.validateCertAgainstChain(cert, validationChain)
+	return validator.validateCertAgainstChain(cert.SerialNumber, validationChain)
 }
 
-func (validator *ecdsaValidator) validateCertAgainstChain(cert *x509.Certificate, validationChain []*x509.Certificate) error {
+func (validator *ecdsaValidator) validateCertAgainstChain(serialNumber *big.Int, validationChain []*x509.Certificate) error {
 	SKI, err := getSubjectKeyIdentifierFromCert(validationChain[1])
 	if err != nil {
 		return fmt.Errorf("Could not obtain Subject Key Identifier for signer cert, err %s", err)
@@ -377,7 +377,7 @@ func (validator *ecdsaValidator) validateCertAgainstChain(cert *x509.Certificate
 
 		if bytes.Equal(aki, SKI) {
 			for _, rc := range crl.TBSCertList.RevokedCertificates {
-				if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
+				if rc.SerialNumber.Cmp(serialNumber) == 0 {
 					err = validationChain[1].CheckCRLSignature(crl)
 					if err != nil {
 						authLogger.Warn("Invalid signature over the identified CRL, error %s", err)
@@ -418,3 +418,18 @@ func (validator *ecdsaValidator) GetCertFromSignature(signature []byte) ([]byte,
 
 	return certSign.Cert, nil
 }
+
+func (validator *ecdsaValidator) GetCertSnFromSignature(signature []byte) ([]byte, error) {
+	certByte, err := validator.GetCertFromSignature(signature)
+	if err != nil {
+		authLogger.Error(fmt.Sprintf("GetCertSnFromSignature from signature failed. %s", err.Error()))
+		return nil, err
+	}
+
+	cert, err := validator.getCertFromPem(certByte)
+	if err != nil {
+		return nil, fmt.Errorf("ParseCertificate failed %s", err)
+	}
+
+	return cert.SerialNumber.Bytes(), nil
+}
\ No newline at end of file

plugin/dapp/cert/authority/core/gmimpl.go

@@ -12,6 +12,7 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"math/big"
 	"reflect"
 	"time"
 
@@ -100,7 +101,7 @@ func (validator *gmValidator) Validate(certByte []byte, pubKey []byte) error {
 		return fmt.Errorf("Could not obtain certification chain, err %s", err)
 	}
 
-	err = validator.validateCertAgainstChain(cert, validationChain)
+	err = validator.validateCertAgainstChain(cert.SerialNumber, validationChain)
 	if err != nil {
 		return fmt.Errorf("Could not validate identity against certification chain, err %s", err)
 	}
@@ -292,10 +293,10 @@ func (validator *gmValidator) validateCAIdentity(cert *sm2.Certificate) error {
 		return nil
 	}
 
-	return validator.validateCertAgainstChain(cert, validationChain)
+	return validator.validateCertAgainstChain(cert.SerialNumber, validationChain)
 }
 
-func (validator *gmValidator) validateCertAgainstChain(cert *sm2.Certificate, validationChain []*sm2.Certificate) error {
+func (validator *gmValidator) validateCertAgainstChain(serialNumber *big.Int, validationChain []*sm2.Certificate) error {
 	SKI, err := getSubjectKeyIdentifierFromSm2Cert(validationChain[1])
 	if err != nil {
 		return fmt.Errorf("Could not obtain Subject Key Identifier for signer cert, err %s", err)
@@ -309,7 +310,7 @@ func (validator *gmValidator) validateCertAgainstChain(cert *sm2.Certificate, va
 
 		if bytes.Equal(aki, SKI) {
 			for _, rc := range crl.TBSCertList.RevokedCertificates {
-				if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
+				if rc.SerialNumber.Cmp(serialNumber) == 0 {
 					err = validationChain[1].CheckCRLSignature(crl)
 					if err != nil {
 						authLogger.Warn(fmt.Sprintf("Invalid signature over the identified CRL, error %s", err))
@@ -352,3 +353,18 @@ func (validator *gmValidator) GetCertFromSignature(signature []byte) ([]byte, er
 
 	return cert.Cert, nil
 }
+
+func (validator *gmValidator) GetCertSnFromSignature(signature []byte) ([]byte, error) {
+	certByte, err := validator.GetCertFromSignature(signature)
+	if err != nil {
+		authLogger.Error(fmt.Sprintf("GetCertSnFromSignature from signature failed. %s", err.Error()))
+		return nil, err
+	}
+
+	cert, err := validator.getCertFromPem(certByte)
+	if err != nil {
+		return nil, fmt.Errorf("ParseCertificate failed %s", err)
+	}
+
+	return cert.SerialNumber.Bytes(), nil
+}
\ No newline at end of file

plugin/dapp/cert/authority/core/noneimpl.go

@@ -23,3 +23,7 @@ func (validator *noneValidator) Validate(certByte []byte, pubKey []byte) error {
 func (validator *noneValidator) GetCertFromSignature(signature []byte) ([]byte, error) {
 	return []byte(""), nil
 }
+
+func (validator *noneValidator) GetCertSnFromSignature(signature []byte) ([]byte, error) {
+	return []byte(""), nil
+}

plugin/dapp/cert/authority/core/validator.go

@@ -11,6 +11,8 @@ type Validator interface {
 	Validate(cert []byte, pubKey []byte) error
 
 	GetCertFromSignature(signature []byte) ([]byte, error)
+
+	GetCertSnFromSignature(signature []byte) ([]byte, error)
 }
 
 // AuthConfig 校验器配置

plugin/dapp/cert/executor/cert.go

@@ -51,6 +51,7 @@ func newCert() drivers.Driver {
 	c := &Cert{}
 	c.SetChild(c)
 	c.SetIsFree(true)
+	c.SetExecutorType(types.LoadExecutorType(driverName))
 	return c
 }
 

plugin/dapp/cert/executor/cert_test.go

+package executor
+
+import (
+	"fmt"
+	"github.com/33cn/chain33/account"
+	"github.com/33cn/chain33/client"
+	apimock "github.com/33cn/chain33/client/mocks"
+	"github.com/33cn/chain33/common"
+	"github.com/33cn/chain33/common/address"
+	"github.com/33cn/chain33/common/crypto"
+	dbm "github.com/33cn/chain33/common/db"
+	_ "github.com/33cn/chain33/system"
+	"github.com/33cn/chain33/system/dapp"
+	pty "github.com/33cn/chain33/system/dapp/manage/types"
+	"github.com/33cn/chain33/types"
+	"github.com/33cn/chain33/util"
+	_ "github.com/33cn/plugin/plugin/crypto/init"
+	"github.com/33cn/plugin/plugin/dapp/cert/authority"
+	"github.com/33cn/plugin/plugin/dapp/cert/authority/utils"
+	ct "github.com/33cn/plugin/plugin/dapp/cert/types"
+	pkt "github.com/33cn/plugin/plugin/dapp/collateralize/types"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+	"testing"
+	"time"
+)
+
+type execEnv struct {
+	blockTime   int64
+	blockHeight int64
+	difficulty  uint64
+	kvdb        dbm.KVDB
+	api         client.QueueProtocolAPI
+	db          dbm.KV
+	execAddr    string
+	cfg         *types.Chain33Config
+	ldb         dbm.DB
+	user        *authority.User
+}
+
+var (
+	PrivKeyA = "0x6da92a632ab7deb67d38c0f6560bcfed28167998f6496db64c258d5e8393a81b" // 1KSBd17H7ZK8iT37aJztFB22XGwsPTdwE4
+	Nodes    = [][]byte{
+		[]byte("1KSBd17H7ZK8iT37aJztFB22XGwsPTdwE4"),
+	}
+	total      = 100 * types.Coin
+	USERNAME = "User"
+	SIGNTYPE = ct.AuthSM2
+
+	transfer1 = &ct.CertAction{Value: &ct.CertAction_Normal{Normal:&ct.CertNormal{Key: "", Value: nil}}, Ty: ct.CertActionNormal}
+	tx1      = &types.Transaction{Execer: []byte("cert"), Payload: types.Encode(transfer1), Fee: 100000000, Expire: 0, To: dapp.ExecAddress("cert")}
+
+	transfer2 = &ct.CertAction{Value: &ct.CertAction_New{New:&ct.CertNew{Key: "", Value: nil}}, Ty: ct.CertActionNew}
+	tx2      = &types.Transaction{Execer: []byte("cert"), Payload: types.Encode(transfer2), Fee: 100000000, Expire: 0, To: dapp.ExecAddress("cert")}
+
+	transfer3 = &ct.CertAction{Value: &ct.CertAction_Update{Update:&ct.CertUpdate{Key: "", Value: nil}}, Ty: ct.CertActionUpdate}
+	tx3      = &types.Transaction{Execer: []byte("cert"), Payload: types.Encode(transfer3), Fee: 100000000, Expire: 0, To: dapp.ExecAddress("cert")}
+)
+
+func manageKeySet(key string, value string, db dbm.KV) {
+	var item types.ConfigItem
+	item.Key = key
+	item.Addr = value
+	item.Ty = pty.ConfigItemArrayConfig
+	emptyValue := &types.ArrayConfig{Value: make([]string, 0)}
+	arr := types.ConfigItem_Arr{Arr: emptyValue}
+	item.Value = &arr
+	item.GetArr().Value = append(item.GetArr().Value, value)
+
+	manageKey := types.ManageKey(key)
+	valueSave := types.Encode(&item)
+	db.Set([]byte(manageKey), valueSave)
+}
+
+func initEnv() (*execEnv, error) {
+	cfg := types.NewChain33Config(types.ReadFile("./test/chain33.toml"))
+	cfg.SetTitleOnlyForTest("chain33")
+
+	sub := cfg.GetSubConfig()
+	var subcfg ct.Authority
+	if sub.Exec["cert"] != nil {
+		types.MustDecode(sub.Exec["cert"], &subcfg)
+	}
+	Init(ct.CertX, cfg, sub.Exec["cert"])
+
+	userLoader := &authority.UserLoader{}
+	err := userLoader.Init(subcfg.CryptoPath, subcfg.SignType)
+	if err != nil {
+		fmt.Printf("Init user loader falied -> %v", err)
+		return nil, err
+	}
+
+	user, err := userLoader.Get(USERNAME)
+	if err != nil {
+		fmt.Printf("Get user failed")
+		return nil, err
+	}
+
+	_, ldb, kvdb := util.CreateTestDB()
+
+	accountA := types.Account{
+		Balance: total,
+		Frozen:  0,
+		Addr:    string(Nodes[0]),
+	}
+
+	api := new(apimock.QueueProtocolAPI)
+	api.On("GetConfig", mock.Anything).Return(cfg, nil)
+
+	execAddr := dapp.ExecAddress(ct.CertX)
+	stateDB, _ := dbm.NewGoMemDB("1", "2", 100)
+
+	accA := account.NewCoinsAccount(cfg)
+	accA.SetDB(stateDB)
+	accA.SaveExecAccount(execAddr, &accountA)
+	manageKeySet(ct.AdminKey, accountA.Addr, stateDB)
+
+	return &execEnv{
+		blockTime:   time.Now().Unix(),
+		blockHeight: cfg.GetDappFork(ct.CertX, "Enable"),
+		difficulty:  1539918074,
+		kvdb:        kvdb,
+		api:         api,
+		db:          stateDB,
+		execAddr:    execAddr,
+		cfg:         cfg,
+		ldb:         ldb,
+		user:        user,
+	}, nil
+}
+
+func signCertTx(tx *types.Transaction, priv crypto.PrivKey, cert []byte) {
+	tx.Sign(int32(SIGNTYPE), priv)
+	tx.Signature.Signature = utils.EncodeCertToSignature(tx.Signature.Signature, cert, nil)
+}
+
+func signTx(tx *types.Transaction, hexPrivKey string) (*types.Transaction, error) {
+	signType := types.SECP256K1
+	c, err := crypto.New(types.GetSignName(pkt.CollateralizeX, signType))
+	if err != nil {
+		return tx, err
+	}
+
+	bytes, err := common.FromHex(hexPrivKey[:])
+	if err != nil {
+		return tx, err
+	}
+
+	privKey, err := c.PrivKeyFromBytes(bytes)
+	if err != nil {
+		return tx, err
+	}
+
+	tx.Sign(int32(signType), privKey)
+	return tx, nil
+}
+
+func TestCert(t *testing.T) {
+	env, err := initEnv()
+	if err != nil {
+		panic(err)
+	}
+
+	signCertTx(tx1, env.user.Key, env.user.Cert)
+
+	// tx1
+	exec := newCert()
+	exec.SetAPI(env.api)
+	exec.SetStateDB(env.db)
+	assert.Equal(t, exec.GetCoinsAccount().LoadExecAccount(string(Nodes[0]), env.execAddr).GetBalance(), total)
+	exec.SetLocalDB(env.kvdb)
+	exec.SetEnv(env.blockHeight, env.blockTime, env.difficulty)
+	exec.SetEnv(env.blockHeight+1, env.blockTime+1, env.difficulty)
+	receipt, err := exec.Exec(tx1, int(1))
+	assert.Nil(t, err)
+	assert.NotNil(t, receipt)
+	t.Log(receipt)
+	for _, kv := range receipt.KV {
+		env.db.Set(kv.Key, kv.Value)
+	}
+
+	receiptData := &types.ReceiptData{Ty: receipt.Ty, Logs: receipt.Logs}
+	set, err := exec.ExecLocal(tx1, receiptData, int(1))
+	assert.Nil(t, err)
+	assert.NotNil(t, set)
+	util.SaveKVList(env.ldb, set.KV)
+
+	addr := address.PubKeyToAddr(env.user.Key.PubKey().Bytes())
+	res, err := exec.Query("CertValidSNByAddr", types.Encode(&ct.ReqQueryValidCertSN{Addr: addr}))
+	assert.Nil(t, err)
+	assert.NotNil(t, res)
+
+	// tx2
+	signTx(tx2, PrivKeyA)
+	exec.SetEnv(env.blockHeight+1, env.blockTime+1, env.difficulty)
+	receipt, err = exec.Exec(tx2, int(1))
+	assert.Nil(t, err)
+	assert.NotNil(t, receipt)
+	t.Log(receipt)
+	for _, kv := range receipt.KV {
+		env.db.Set(kv.Key, kv.Value)
+	}
+
+	receiptData = &types.ReceiptData{Ty: receipt.Ty, Logs: receipt.Logs}
+	set, err = exec.ExecLocal(tx2, receiptData, int(1))
+	assert.Nil(t, err)
+	assert.NotNil(t, set)
+	util.SaveKVList(env.ldb, set.KV)
+
+	// tx3
+	signTx(tx3, PrivKeyA)
+	exec.SetEnv(env.blockHeight+1, env.blockTime+1, env.difficulty)
+	receipt, err = exec.Exec(tx3, int(1))
+	assert.Nil(t, err)
+	assert.NotNil(t, receipt)
+	t.Log(receipt)
+	for _, kv := range receipt.KV {
+		env.db.Set(kv.Key, kv.Value)
+	}
+
+	receiptData = &types.ReceiptData{Ty: receipt.Ty, Logs: receipt.Logs}
+	set, err = exec.ExecLocal(tx3, receiptData, int(1))
+	assert.Nil(t, err)
+	assert.NotNil(t, set)
+	util.SaveKVList(env.ldb, set.KV)
+}
+

plugin/dapp/cert/executor/exec.go

+package executor
+
+import (
+	dbm "github.com/33cn/chain33/common/db"
+	"github.com/33cn/chain33/types"
+	"github.com/33cn/plugin/plugin/dapp/cert/authority"
+	ct "github.com/33cn/plugin/plugin/dapp/cert/types"
+)
+
+func CertUserStoreKey(addr string) (key []byte) {
+	key = append(key, []byte("mavl-"+ct.CertX+"-"+addr)...)
+	return key
+}
+
+func isAdminAddr(addr string, db dbm.KV) bool {
+	manageKey := types.ManageKey(ct.AdminKey)
+	data, err := db.Get([]byte(manageKey))
+	if err != nil {
+		clog.Error("getSuperAddr", "error", err)
+		return false
+	}
+
+	var item types.ConfigItem
+	err = types.Decode(data, &item)
+	if err != nil {
+		clog.Error("isSuperAddr", "Decode", data)
+		return false
+	}
+
+	for _, op := range item.GetArr().Value {
+		if op == addr {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (c *Cert) Exec_New(payload *ct.CertNew, tx *types.Transaction, index int) (*types.Receipt, error) {
+	var logs []*types.ReceiptLog
+	var kv []*types.KeyValue
+	var receipt *types.Receipt
+
+	if !isAdminAddr(tx.From(), c.GetStateDB()) {
+		clog.Error("Exec_New", "error", "Exec_New need admin address")
+		return nil, ct.ErrPermissionDeny
+	}
+
+	receipt = &types.Receipt{Ty: types.ExecOk, KV: kv, Logs: logs}
+	return receipt, nil
+}
+
+func (c *Cert) Exec_Update(payload *ct.CertUpdate, tx *types.Transaction, index int) (*types.Receipt, error) {
+	var logs []*types.ReceiptLog
+	var kv []*types.KeyValue
+	var receipt *types.Receipt
+
+	if !isAdminAddr(tx.From(), c.GetStateDB()) {
+		clog.Error("Exec_Update", "error", "Exec_Update need admin address")
+		return nil, ct.ErrPermissionDeny
+	}
+
+	receipt = &types.Receipt{Ty: types.ExecOk, KV: kv, Logs: logs}
+	return receipt, nil
+}
+
+func (c *Cert) Exec_Normal(payload *ct.CertNormal, tx *types.Transaction, index int) (*types.Receipt, error) {
+	var logs []*types.ReceiptLog
+	var kv []*types.KeyValue
+	var receipt *types.Receipt
+
+	// 从proto中解码signature
+	sn, err := authority.Author.GetSnFromByte(tx.Signature)
+	if err != nil {
+		clog.Error("Exec_Normal get sn from signature failed", "error", err)
+		return nil, err
+	}
+
+	storekv := &types.KeyValue{Key: CertUserStoreKey(tx.From()), Value: sn}
+	c.GetStateDB().Set(storekv.Key, storekv.Value)
+	kv = append(kv, storekv)
+
+	receipt = &types.Receipt{Ty: types.ExecOk, KV: kv, Logs: logs}
+	return receipt, nil
+}
+
+func (c *Cert) Query_CertValidSNByAddr(req *ct.ReqQueryValidCertSN) (types.Message, error) {
+	sn, err := c.GetStateDB().Get(CertUserStoreKey(req.Addr))
+	if err != nil {
+		clog.Error("Query_CertValidSNByAddr", "error", err)
+		return nil, err
+	}
+
+	return &ct.RepQueryValidCertSN{Sn: sn}, nil
+}
\ No newline at end of file

plugin/dapp/cert/proto/cert.proto

@@ -43,4 +43,12 @@ message CertSignature {
     bytes signature = 1;
     bytes cert      = 2;
     bytes uid       = 3;
+}
+
+message ReqQueryValidCertSN {
+    string addr = 1;
+}
+
+message RepQueryValidCertSN {
+    bytes sn = 1;
 }
\ No newline at end of file

plugin/dapp/cert/types/cert.pb.go

@@ -437,6 +437,84 @@ func (m *CertSignature) GetUid() []byte {
 	return nil
 }
 
+type ReqQueryValidCertSN struct {
+	Addr                 string   `protobuf:"bytes,1,opt,name=addr,proto3" json:"addr,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *ReqQueryValidCertSN) Reset()         { *m = ReqQueryValidCertSN{} }
+func (m *ReqQueryValidCertSN) String() string { return proto.CompactTextString(m) }
+func (*ReqQueryValidCertSN) ProtoMessage()    {}
+func (*ReqQueryValidCertSN) Descriptor() ([]byte, []int) {
+	return fileDescriptor_a142e29cbef9b1cf, []int{7}
+}
+
+func (m *ReqQueryValidCertSN) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_ReqQueryValidCertSN.Unmarshal(m, b)
+}
+func (m *ReqQueryValidCertSN) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_ReqQueryValidCertSN.Marshal(b, m, deterministic)
+}
+func (m *ReqQueryValidCertSN) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_ReqQueryValidCertSN.Merge(m, src)
+}
+func (m *ReqQueryValidCertSN) XXX_Size() int {
+	return xxx_messageInfo_ReqQueryValidCertSN.Size(m)
+}
+func (m *ReqQueryValidCertSN) XXX_DiscardUnknown() {
+	xxx_messageInfo_ReqQueryValidCertSN.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_ReqQueryValidCertSN proto.InternalMessageInfo
+
+func (m *ReqQueryValidCertSN) GetAddr() string {
+	if m != nil {
+		return m.Addr
+	}
+	return ""
+}
+
+type RepQueryValidCertSN struct {
+	Sn                   []byte   `protobuf:"bytes,1,opt,name=sn,proto3" json:"sn,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *RepQueryValidCertSN) Reset()         { *m = RepQueryValidCertSN{} }
+func (m *RepQueryValidCertSN) String() string { return proto.CompactTextString(m) }
+func (*RepQueryValidCertSN) ProtoMessage()    {}
+func (*RepQueryValidCertSN) Descriptor() ([]byte, []int) {
+	return fileDescriptor_a142e29cbef9b1cf, []int{8}
+}
+
+func (m *RepQueryValidCertSN) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_RepQueryValidCertSN.Unmarshal(m, b)
+}
+func (m *RepQueryValidCertSN) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_RepQueryValidCertSN.Marshal(b, m, deterministic)
+}
+func (m *RepQueryValidCertSN) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_RepQueryValidCertSN.Merge(m, src)
+}
+func (m *RepQueryValidCertSN) XXX_Size() int {
+	return xxx_messageInfo_RepQueryValidCertSN.Size(m)
+}
+func (m *RepQueryValidCertSN) XXX_DiscardUnknown() {
+	xxx_messageInfo_RepQueryValidCertSN.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_RepQueryValidCertSN proto.InternalMessageInfo
+
+func (m *RepQueryValidCertSN) GetSn() []byte {
+	if m != nil {
+		return m.Sn
+	}
+	return nil
+}
+
 func init() {
 	proto.RegisterType((*Cert)(nil), "types.Cert")
 	proto.RegisterType((*CertAction)(nil), "types.CertAction")
@@ -445,32 +523,36 @@ func init() {
 	proto.RegisterType((*CertNormal)(nil), "types.CertNormal")
 	proto.RegisterType((*Authority)(nil), "types.Authority")
 	proto.RegisterType((*CertSignature)(nil), "types.CertSignature")
+	proto.RegisterType((*ReqQueryValidCertSN)(nil), "types.ReqQueryValidCertSN")
+	proto.RegisterType((*RepQueryValidCertSN)(nil), "types.RepQueryValidCertSN")
 }
 
 func init() { proto.RegisterFile("cert.proto", fileDescriptor_a142e29cbef9b1cf) }
 
 var fileDescriptor_a142e29cbef9b1cf = []byte{
-	// 340 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x52, 0xdd, 0x4a, 0xf3, 0x40,
-	0x10, 0x6d, 0x92, 0xfe, 0x65, 0xda, 0xaf, 0x7c, 0x2e, 0x22, 0x41, 0x44, 0x4a, 0xae, 0x0a, 0x42,
-	0xc1, 0xea, 0x0b, 0x54, 0x6f, 0xea, 0x4d, 0x91, 0x6d, 0xbd, 0x96, 0x6d, 0x3b, 0xb6, 0xc1, 0x36,
-	0x1b, 0xb6, 0x13, 0xcb, 0x3e, 0x8f, 0x2f, 0x2a, 0xfb, 0x53, 0x8d, 0xe0, 0x85, 0xde, 0xed, 0x99,
-	0x73, 0x66, 0xe7, 0x1c, 0x66, 0x00, 0x96, 0xa8, 0x68, 0x58, 0x28, 0x49, 0x92, 0x35, 0x48, 0x17,
-	0xb8, 0x4f, 0x5f, 0xa0, 0x7e, 0x8f, 0x8a, 0xd8, 0x19, 0x34, 0x0d, 0xf9, 0xb0, 0x4a, 0x82, 0x7e,
-	0x30, 0xe8, 0x72, 0x8f, 0xd8, 0x25, 0xc0, 0x52, 0xa1, 0x20, 0x9c, 0x67, 0x3b, 0x4c, 0xc2, 0x7e,
-	0x30, 0x88, 0x78, 0xa5, 0xc2, 0xfe, 0x43, 0xf4, 0x8a, 0x3a, 0x89, 0xfa, 0xc1, 0x20, 0xe6, 0xe6,
-	0xc9, 0x4e, 0xa1, 0xf1, 0x26, 0xb6, 0x25, 0x26, 0x75, 0xfb, 0x91, 0x03, 0xe9, 0x7b, 0x00, 0x60,
-	0x06, 0x8d, 0x97, 0x94, 0xc9, 0x9c, 0xa5, 0x10, 0xe5, 0x78, 0xb0, 0xb3, 0x3a, 0xa3, 0xde, 0xd0,
-	0x7a, 0x19, 0x1a, 0x7e, 0x8a, 0x87, 0x49, 0x8d, 0x1b, 0x92, 0x5d, 0x41, 0xb3, 0x2c, 0x56, 0x82,
-	0xdc, 0xd8, 0xce, 0xe8, 0xa4, 0x22, 0x7b, 0xb2, 0xc4, 0xa4, 0xc6, 0xbd, 0xc4, 0x88, 0x73, 0xa9,
-	0x76, 0x62, 0x6b, 0xad, 0x7c, 0x17, 0x4f, 0x2d, 0x61, 0xc4, 0x4e, 0xc2, 0x7a, 0x10, 0x92, 0xb6,
-	0xfe, 0x1a, 0x3c, 0x24, 0x7d, 0xd7, 0xf2, 0x96, 0xd3, 0x6b, 0x68, 0x79, 0x13, 0xc7, 0x60, 0xc1,
-	0x0f, 0xc1, 0xc2, 0x6a, 0xb0, 0x5b, 0x97, 0xcb, 0x19, 0xfa, 0x6b, 0x97, 0x73, 0xf6, 0xeb, 0xae,
-	0x67, 0x88, 0xc7, 0x25, 0x6d, 0xa4, 0xca, 0x48, 0x9b, 0x8d, 0x61, 0x2e, 0x16, 0x5b, 0xb4, 0x7d,
-	0x6d, 0xee, 0x91, 0xdb, 0x98, 0x2e, 0x48, 0x3e, 0x0a, 0xda, 0xd8, 0xfe, 0x98, 0x57, 0x2a, 0xec,
-	0x1c, 0xda, 0xfb, 0x6c, 0x9d, 0xcf, 0x75, 0x81, 0x7e, 0x6d, 0x9f, 0x38, 0x9d, 0xc1, 0x3f, 0x63,
-	0x6b, 0x96, 0xad, 0x73, 0x41, 0xa5, 0x42, 0x76, 0x01, 0xf1, 0xfe, 0x08, 0xfc, 0x65, 0x7c, 0x15,
-	0x18, 0x83, 0xba, 0x39, 0x13, 0x6f, 0xd2, 0xbe, 0x4d, 0x96, 0x32, 0x5b, 0xd9, 0x9f, 0xbb, 0xdc,
-	0x3c, 0x17, 0x4d, 0x7b, 0x70, 0x37, 0x1f, 0x01, 0x00, 0x00, 0xff, 0xff, 0x97, 0xaa, 0x8b, 0x1d,
-	0x7e, 0x02, 0x00, 0x00,
+	// 380 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x52, 0x5d, 0x4b, 0xeb, 0x40,
+	0x10, 0x6d, 0x92, 0x7e, 0x65, 0xda, 0x5b, 0xee, 0xdd, 0x2b, 0x12, 0x44, 0xa4, 0x04, 0x84, 0x8a,
+	0x50, 0xb0, 0xfa, 0x07, 0xaa, 0x2f, 0xf5, 0xa5, 0xe8, 0xb6, 0xfa, 0x2a, 0xdb, 0x66, 0x6c, 0x83,
+	0xe9, 0x26, 0x6e, 0x36, 0x96, 0xfd, 0x3d, 0xfe, 0x51, 0xd9, 0xcd, 0x56, 0x23, 0xfa, 0xa0, 0x6f,
+	0x33, 0x3b, 0xe7, 0xec, 0x39, 0x87, 0x19, 0x80, 0x25, 0x0a, 0x39, 0xcc, 0x44, 0x2a, 0x53, 0xd2,
+	0x90, 0x2a, 0xc3, 0x3c, 0x7c, 0x84, 0xfa, 0x15, 0x0a, 0x49, 0xf6, 0xa1, 0xa9, 0x87, 0xd7, 0x51,
+	0xe0, 0xf4, 0x9d, 0x41, 0x97, 0xda, 0x8e, 0x1c, 0x01, 0x2c, 0x05, 0x32, 0x89, 0xf3, 0x78, 0x83,
+	0x81, 0xdb, 0x77, 0x06, 0x1e, 0xad, 0xbc, 0x90, 0xbf, 0xe0, 0x3d, 0xa1, 0x0a, 0xbc, 0xbe, 0x33,
+	0xf0, 0xa9, 0x2e, 0xc9, 0x1e, 0x34, 0x5e, 0x58, 0x52, 0x60, 0x50, 0x37, 0x1f, 0x95, 0x4d, 0xf8,
+	0xea, 0x00, 0x68, 0xa1, 0xf1, 0x52, 0xc6, 0x29, 0x27, 0x21, 0x78, 0x1c, 0xb7, 0x46, 0xab, 0x33,
+	0xea, 0x0d, 0x8d, 0x97, 0xa1, 0x9e, 0x4f, 0x71, 0x3b, 0xa9, 0x51, 0x3d, 0x24, 0xa7, 0xd0, 0x2c,
+	0xb2, 0x88, 0xc9, 0x52, 0xb6, 0x33, 0xfa, 0x57, 0x81, 0xdd, 0x99, 0xc1, 0xa4, 0x46, 0x2d, 0x44,
+	0x83, 0x79, 0x2a, 0x36, 0x2c, 0x31, 0x56, 0x3e, 0x83, 0xa7, 0x66, 0xa0, 0xc1, 0x25, 0x84, 0xf4,
+	0xc0, 0x95, 0xca, 0xf8, 0x6b, 0x50, 0x57, 0xaa, 0xcb, 0x96, 0xb5, 0x1c, 0x9e, 0x41, 0xcb, 0x9a,
+	0xd8, 0x05, 0x73, 0xbe, 0x09, 0xe6, 0x56, 0x83, 0x5d, 0x94, 0xb9, 0x4a, 0x43, 0xbf, 0x65, 0x95,
+	0xce, 0x7e, 0xcc, 0x7a, 0x00, 0x7f, 0x5c, 0xc8, 0x75, 0x2a, 0x62, 0xa9, 0xf4, 0xc6, 0x90, 0xb3,
+	0x45, 0x82, 0x86, 0xd7, 0xa6, 0xb6, 0x2b, 0x37, 0xa6, 0x32, 0x99, 0xde, 0x30, 0xb9, 0x36, 0x7c,
+	0x9f, 0x56, 0x5e, 0xc8, 0x01, 0xb4, 0xf3, 0x78, 0xc5, 0xe7, 0x2a, 0x43, 0xbb, 0xb6, 0xf7, 0x3e,
+	0x9c, 0xc1, 0x1f, 0x6d, 0x6b, 0x16, 0xaf, 0x38, 0x93, 0x85, 0x40, 0x72, 0x08, 0x7e, 0xbe, 0x6b,
+	0xec, 0x65, 0x7c, 0x3c, 0x10, 0x02, 0x75, 0x7d, 0x26, 0xd6, 0xa4, 0xa9, 0x75, 0x96, 0x22, 0x8e,
+	0xcc, 0xcf, 0x5d, 0xaa, 0xcb, 0xf0, 0x04, 0xfe, 0x53, 0x7c, 0xbe, 0x2d, 0x50, 0xa8, 0x7b, 0x96,
+	0xc4, 0x91, 0x51, 0x98, 0x6a, 0x32, 0x8b, 0x22, 0x61, 0x53, 0x9b, 0x3a, 0x3c, 0xd6, 0xd0, 0xec,
+	0x0b, 0xb4, 0x07, 0x6e, 0xce, 0xad, 0xbc, 0x9b, 0xf3, 0x45, 0xd3, 0x9c, 0xf0, 0xf9, 0x5b, 0x00,
+	0x00, 0x00, 0xff, 0xff, 0x7e, 0x07, 0x28, 0x2a, 0xd0, 0x02, 0x00, 0x00,
 }

plugin/dapp/cert/types/const.go

@@ -14,4 +14,6 @@ var (
 		"Update": CertActionUpdate,
 		"Normal": CertActionNormal,
 	}
+
+	AdminKey = "Auth-cert-admin"
 )

plugin/dapp/cert/types/errors.go

@@ -15,4 +15,6 @@ var (
 	ErrUnknowAuthSignType = errors.New("ErrUnknowAuthSignType")
 	// ErrInitializeAuthority 初始化校验器失败
 	ErrInitializeAuthority = errors.New("ErrInitializeAuthority")
+	// ErrPermissionDeny 权限校验失败
+	ErrPermissionDeny = errors.New("ErrPermissionDeny")
 )