Added the utils for generating keys and certificates

go.mod

@@ -8,18 +8,12 @@ require (
 	github.com/aristanetworks/goarista v0.0.0-20210107181124-fad53805024e // indirect
 	github.com/btcsuite/btcd v0.21.0-beta // indirect
 	github.com/ethereum/go-ethereum v1.9.16
-	github.com/go-ole/go-ole v1.2.5 // indirect
-	github.com/golang/snappy v0.0.3-0.20201103224600-674baa8c7fc3 // indirect
-	github.com/google/uuid v1.1.1
-	github.com/holiman/uint256 v1.1.1 // indirect
-	github.com/shirou/gopsutil v3.20.12+incompatible // indirect
-	github.com/sirupsen/logrus v1.8.1
-	github.com/spf13/cobra v1.0.0
-	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/spf13/viper v1.6.2
-	github.com/syndtr/goleveldb v1.0.1-0.20200815110645-5c35d600f0ca // indirect
-	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519
-	golang.org/x/net v0.2.0 // indirect
-	golang.org/x/sync v0.1.0 // indirect
+	github.com/google/uuid v1.3.0
+	github.com/liuxinfeng96/bc-crypto v0.2.12
+	github.com/sirupsen/logrus v1.9.0
+	github.com/spf13/cobra v1.5.0
+	github.com/spf13/viper v1.8.1
+	github.com/stretchr/testify v1.7.0
+	golang.org/x/crypto v0.12.0
 	gopkg.in/urfave/cli.v1 v1.20.0
 )

utils/certificate.go

@@ -0,0 +1,210 @@
+package utils
+
+import (
+	"crypto/rand"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"time"
+
+	bcx509 "github.com/liuxinfeng96/bc-crypto/x509"
+)
+
+const DefaultFiscoBcosCertOrganization = "fisco-bcos"
+
+const (
+	DefaultCertificateCountry  = "CN"
+	DefaultCertificateProvince = "GuangDong"
+	DefaultCertificateLocality = "ShenZhen"
+)
+
+// GenerateCertificateSigningRequest
+// create the CSR with X.509
+// return the CSR byte array with PEM
+func GenerateCertificateSigningRequest(privateKeyBytes []byte,
+	role, certName string) ([]byte, error) {
+
+	sk, err := bcx509.ParsePrivateKey(privateKeyBytes)
+	if err != nil {
+		return nil, err
+	}
+
+	signatureAlgorithm, err := bcx509.GetSignatureAlgorithm(sk)
+	if err != nil {
+		return nil, err
+	}
+
+	templateX509 := &bcx509.CertificateRequest{
+		SignatureAlgorithm: signatureAlgorithm,
+		Subject: pkix.Name{
+			Country:            []string{DefaultCertificateCountry},
+			Locality:           []string{DefaultCertificateLocality},
+			Province:           []string{DefaultCertificateProvince},
+			OrganizationalUnit: []string{role},
+			Organization:       []string{DefaultFiscoBcosCertOrganization},
+			CommonName:         certName,
+		},
+	}
+
+	data, err := bcx509.CreateCertificateRequest(rand.Reader, templateX509, sk)
+	if err != nil {
+		return nil, err
+	}
+
+	pemCSR := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: data})
+
+	return pemCSR, nil
+}
+
+// GenerateCertificateSelf
+// create a self-signed digital certificate with X.509
+// return the certificate byte array with PEM
+func GenerateCertificateSelf(privateKeyBytes, csrBytes []byte,
+	days int) ([]byte, error) {
+
+	csr, err := bcx509.ParseCertificateRequestFromPEM(csrBytes)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = csr.CheckSignature(); err != nil {
+		return nil, err
+	}
+
+	keyUsage, extKeyUsage := bcx509.GetKeyUsageAndExtKeyUsage(true)
+
+	notBefore := time.Now().UTC()
+
+	sn, err := rand.Int(rand.Reader, big.NewInt(1<<62))
+	if err != nil {
+		return nil, err
+	}
+
+	caKey, err := bcx509.ParsePrivateKey(privateKeyBytes)
+	if err != nil {
+		return nil, err
+	}
+
+	signatureAlgorithm, err := bcx509.GetSignatureAlgorithm(caKey)
+	if err != nil {
+		return nil, err
+	}
+
+	template := &bcx509.Certificate{
+		SerialNumber:          sn,
+		NotBefore:             notBefore,
+		NotAfter:              notBefore.Add(time.Hour * 24 * time.Duration(days)).UTC(),
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+		KeyUsage:              keyUsage,
+		ExtKeyUsage:           extKeyUsage,
+		DNSNames:              csr.DNSNames,
+		Subject:               csr.Subject,
+		Extensions:            csr.Extensions,
+		ExtraExtensions:       csr.ExtraExtensions,
+		SignatureAlgorithm:    signatureAlgorithm,
+		PublicKeyAlgorithm:    csr.PublicKeyAlgorithm,
+		PublicKey:             csr.PublicKey,
+	}
+
+	template.SubjectKeyId, err = bcx509.ComputeSKI(csr.PublicKey)
+	if err != nil {
+		return nil, err
+	}
+
+	templateOfIssuer := new(bcx509.Certificate)
+	templateOfIssuer = template
+
+	certDER, err := bcx509.CreateCertificate(rand.Reader, template, templateOfIssuer,
+		csr.PublicKey, caKey)
+	if err != nil {
+		return nil, err
+	}
+
+	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
+
+	return certPEM, nil
+
+}
+
+// GenerateCertificate
+// create a certificate with X.509
+// return the certificate byte array with PEM
+func GenerateCertificate(caCertBytes, caKeyBytes, csrBytes []byte, isCa bool,
+	days int) ([]byte, error) {
+	csr, err := bcx509.ParseCertificateRequestFromPEM(csrBytes)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = csr.CheckSignature(); err != nil {
+		return nil, err
+	}
+
+	keyUsage, extKeyUsage := bcx509.GetKeyUsageAndExtKeyUsage(isCa)
+
+	notBefore := time.Now().UTC()
+
+	sn, err := rand.Int(rand.Reader, big.NewInt(1<<62))
+	if err != nil {
+		return nil, err
+	}
+
+	caKey, err := bcx509.ParsePrivateKey(caKeyBytes)
+	if err != nil {
+		return nil, err
+	}
+
+	signatureAlgorithm, err := bcx509.GetSignatureAlgorithm(caKey)
+	if err != nil {
+		return nil, err
+	}
+
+	template := &bcx509.Certificate{
+		SerialNumber:          sn,
+		NotBefore:             notBefore,
+		NotAfter:              notBefore.Add(time.Hour * 24 * time.Duration(days)).UTC(),
+		BasicConstraintsValid: true,
+		IsCA:                  isCa,
+		KeyUsage:              keyUsage,
+		ExtKeyUsage:           extKeyUsage,
+		DNSNames:              csr.DNSNames,
+		Subject:               csr.Subject,
+		Extensions:            csr.Extensions,
+		ExtraExtensions:       csr.ExtraExtensions,
+		SignatureAlgorithm:    signatureAlgorithm,
+		PublicKeyAlgorithm:    csr.PublicKeyAlgorithm,
+		PublicKey:             csr.PublicKey,
+	}
+
+	template.SubjectKeyId, err = bcx509.ComputeSKI(csr.PublicKey)
+	if err != nil {
+		return nil, err
+	}
+
+	certOfIssuer, err := bcx509.ParseCertificateFromPEM(caCertBytes)
+	if err != nil {
+		return nil, err
+	}
+
+	template.Issuer = certOfIssuer.Subject
+
+	if certOfIssuer.SubjectKeyId != nil {
+		template.AuthorityKeyId = certOfIssuer.SubjectKeyId
+	} else {
+		template.AuthorityKeyId, err = bcx509.ComputeSKI(certOfIssuer.PublicKey)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	certDER, err := bcx509.CreateCertificate(rand.Reader, template, certOfIssuer,
+		csr.PublicKey, caKey)
+	if err != nil {
+		return nil, err
+	}
+
+	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
+
+	return certPEM, nil
+}

utils/certificate_test.go

@@ -0,0 +1,78 @@
+package utils
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestCreateCertificateSigningRequest(t *testing.T) {
+	sk, err := GenerateSecp256k1Key()
+	require.Nil(t, err)
+
+	// sk, err := GenerateSm2Key()
+	// require.Nil(t, err)
+
+	// sk, err := GenerateRSA2048Key()
+	// require.Nil(t, err)
+
+	csrBytes, err := GenerateCertificateSigningRequest(sk, "node", "node1")
+	require.Nil(t, err)
+
+	fmt.Println(string(csrBytes))
+}
+
+func TestCreateCertificateSelf(t *testing.T) {
+	sk, err := GenerateSecp256k1Key()
+	require.Nil(t, err)
+
+	// sk, err := GenerateSm2Key()
+	// require.Nil(t, err)
+
+	// sk, err := GenerateRSA2048Key()
+	// require.Nil(t, err)
+
+	csrBytes, err := GenerateCertificateSigningRequest(sk, "group-ca", "ca1")
+	require.Nil(t, err)
+
+	caBytes, err := GenerateCertificateSelf(sk, csrBytes, 365)
+	require.Nil(t, err)
+
+	fmt.Println(string(caBytes))
+
+}
+
+func TestCreateCertificate(t *testing.T) {
+	// caSk, err := GenerateSecp256k1Key()
+	// require.Nil(t, err)
+
+	caSk, err := GenerateSm2Key()
+	require.Nil(t, err)
+
+	// caSk, err := GenerateRSA2048Key()
+	// require.Nil(t, err)
+
+	caCsrBytes, err := GenerateCertificateSigningRequest(caSk, "group-ca", "ca1")
+	require.Nil(t, err)
+
+	caBytes, err := GenerateCertificateSelf(caSk, caCsrBytes, 365)
+	require.Nil(t, err)
+
+	// sk, err := GenerateSecp256k1Key()
+	// require.Nil(t, err)
+
+	// sk, err := GenerateSm2Key()
+	// require.Nil(t, err)
+
+	sk, err := GenerateRSA2048Key()
+	require.Nil(t, err)
+
+	csrBytes, err := GenerateCertificateSigningRequest(sk, "node", "node1")
+	require.Nil(t, err)
+
+	certBytes, err := GenerateCertificate(caBytes, caSk, csrBytes, false, 365*10)
+	require.Nil(t, err)
+
+	fmt.Println(string(certBytes))
+}