FISCO-BCOS · sagexueqi · Dec 15, 2022 · Dec 15, 2022 · Dec 15, 2022 · Dec 15, 2022
diff --git a/generator b/generator
@@ -99,6 +99,13 @@ def usage():
                              help='get sdk file')
     tools_group.add_argument('--console_version', nargs=1,
                              help='specify the downloaded console version')
+    tools_group.add_argument('--generate_agency_certificate_key_csr', nargs=2, metavar=('agency_dir',
+                                                                                        'agency_name'),
+                             help='generate agency certificate key and csr file')
+    tools_group.add_argument('--sign_agency_certificate', nargs=2, metavar=('chain_dir',
+                                                                            'agency_path'),
+                             help='sign agency certificate')
+
     args = parser.parse_args()
     if args.use_guomi:
         CONSOLER.info('======= BUILD_GM ============= ON =======')
@@ -197,6 +204,18 @@ def usage():
         build.build_console(args.download_console[0])
     elif args.get_sdk_file:
         build.get_sdk(args.get_sdk_file[0])
+    elif args.generate_agency_certificate_key_csr:
+        CONSOLER.info(' Agency cert key&csr begin.')
+        agency_dir = args.generate_agency_certificate_key_csr[0]
+        agency_name = args.generate_agency_certificate_key_csr[1]
+        ca.generator_agent_key_csr(agency_dir, agency_name)
+        CONSOLER.info(' Agency cert key&csr end.')
+    elif args.sign_agency_certificate:
+        CONSOLER.info(' Sign agency cert begin.')
+        chain_dir = args.sign_agency_certificate[0]
+        agency_path = args.sign_agency_certificate[1]
+        ca.sign_agent_cert(chain_dir, agency_path)
+        CONSOLER.info(' Sign agency cert end.')
     else:
         console_error(
             ' Invalid operation,  \"generator -h\" can be used to show detailed usage. ')

diff --git a/pys/tool/ca.py b/pys/tool/ca.py
@@ -199,3 +199,83 @@ def generator_sdk_ca(_dir, agent):
                 '{}/sdk/sdk.crt'.format(sdk_dir))
         shutil.copyfile('{}/sdk/node.key'.format(sdk_dir),
                 '{}/sdk/sdk.key'.format(sdk_dir))
+
+
+def generator_agent_key_csr(_dir, agent):
+    """[generate agency cert]
+    Arguments:
+        dir {[path]} -- [agency cert path]
+        agent {[string]} -- [agency name]
+    """
+    try:
+        agency_dir = os.path.abspath(_dir)
+        if utils.Status.gm_option:
+            os.chdir('{}/scripts/gm/'.format(path.get_path()))
+            (status, result) = utils.getstatusoutput('./cts.sh'
+                                                     ' gen_agency_key_csr {}/{}'
+                                                     .format(agency_dir, agent))
+            os.chdir('{}'.format(path.get_path()))
+        else:
+            os.chdir('{}/scripts'.format(path.get_path()))
+            (status, result) = utils.getstatusoutput('./cts.sh'
+                                                     ' gen_agency_key_csr {}/{}'
+                                                     .format(agency_dir, agent))
+            os.chdir('{}'.format(path.get_path()))
+        if not bool(status):
+            LOGGER.info(' Generate %s key&csr successful! dir is %s/%s.',
+                        agent, agency_dir, agent)
+        else:
+            # console_error(
+            #     '  Generate cert failed! Please check your network,'
+            #     ' and try to check your opennssl version.')
+            LOGGER.error('  Generate %s key&csr failed! Result is %s',
+                         agent, result)
+            raise MCError(' Generate %s key&csr failed! Result is %s' %
+                          (agent, result))
+    except MCError as cert_exp:
+        console_error('  %s ' % cert_exp)
+    except Exception as gen_cert_exp:
+        console_error(
+            '  Generate agency key&csr failed! excepion is %s.' % gen_cert_exp)
+        LOGGER.error('  Generate agency key&csr failed! Result is %s', result)
+        raise MCError(
+            'Generate agency key&csr failed! Result is %s' % gen_cert_exp)
+
+
+def sign_agent_cert(_dir, agent_path):
+    """[generate agency cert]
+    Arguments:
+        dir {[path]} -- [ca cert path]
+        agent_path {[string]} -- [agency cert output path]
+    """
+    try:
+        ca_dir = os.path.abspath(_dir)
+        if utils.Status.gm_option:
+            os.chdir('{}/scripts/gm/'.format(path.get_path()))
+            (status, result) = utils.getstatusoutput('./cts.sh'
+                                                     ' sign_agency_cert {} {}'
+                                                     .format(ca_dir, agent_path))
+            os.chdir('{}'.format(path.get_path()))
+        else:
+            os.chdir('{}/scripts'.format(path.get_path()))
+            (status, result) = utils.getstatusoutput('./cts.sh'
+                                                     ' sign_agency_cert {} {}'
+                                                     .format(ca_dir, agent_path))
+            os.chdir('{}'.format(path.get_path()))
+        if bool(status):
+            LOGGER.error(
+                ' cts.sh failed! status is %d, output is %s, dir is %s.', status, result, ca_dir)
+            raise MCError('cts.sh failed! status is %d, output is %s, dir is %s.' % (
+                status, result, ca_dir))
+        LOGGER.info(
+            ' cts.sh success! status is %d, output is %s, dir is %s.', status, result, ca_dir)
+        LOGGER.info(' Sign agency cert success, dir is %s', ca_dir)
+        CONSOLER.info(' Sign agency cert success, dir is %s', ca_dir)
+    except MCError as cert_exp:
+        console_error('  %s ' % cert_exp)
+    except Exception as gen_cert_exp:
+        console_error(
+            '  Sign agency cert failed! excepion is %s.' % gen_cert_exp)
+        LOGGER.error('  Sign agency cert failed! Result is %s', result)
+        raise MCError(
+            'Sign agency cert failed! Result is %s' % gen_cert_exp)
diff --git a/scripts/cts.sh b/scripts/cts.sh
@@ -84,6 +84,45 @@ gen_chain_cert() {
     fi
 }
 
+# 生成机构证书key,csr文件
+gen_agency_key_csr() {
+    agencypath="$1"
+    name=$(getname "$agencypath")
+
+    check_name agency "$name"
+    agencydir=$agencypath
+    dir_must_not_exists "$agencydir"
+    mkdir -p $agencydir
+
+    openssl ecparam -out "$agencydir/secp256k1.param" -name secp256k1 2> /dev/null
+    openssl genpkey -paramfile "$agencydir/secp256k1.param" -out "$agencydir/agency.key" 2> /dev/null
+    openssl req -new -sha256 -subj "/CN=$name/O=fisco-bcos/OU=agency" -key "$agencydir/agency.key" -config "${SHELL_FOLDER}/cert.cnf" -out "$agencydir/agency.csr" 2> /dev/null
+
+    rm -f "$agencydir/secp256k1.param"
+
+    echo "build $name agency cert key&csr successful!"
+}
+
+# 签发agency证书
+sign_agency_cert() {
+    chain="$1"
+    agencypath="$2"
+    name=$(getname "$agencypath")
+
+    dir_must_exists "$chain"
+    file_must_exists "$chain/ca.key"
+    check_name agency "$name"
+    agencydir=$agencypath
+    dir_must_exists "$agencydir"
+
+    openssl x509 -req -days 3650 -sha256 -CA "$chain/ca.crt" -CAkey "$chain/ca.key" -CAcreateserial\
+            -in "$agencydir/agency.csr" -out "$agencydir/agency.crt"  -extensions v4_req -extfile "${SHELL_FOLDER}/cert.cnf" 2> /dev/null
+    cp $chain/ca.crt $agencydir/
+    rm -f "$agencydir/agency.csr"
+
+    echo "sign $name agency cert successful!"
+}
+
 gen_agency_cert() {
     chain="$1"
     agencypath="$2"
@@ -195,12 +234,15 @@ gen_chain_cert)
 gen_agency_cert)
     gen_agency_cert "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9"
     ;;
-sign_agency_cert)
-    sign_agency_cert "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9"
-    ;;
 gen_node_cert)
     gen_node_cert "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9"
     ;;
+gen_agency_key_csr)
+  gen_agency_key_csr "$2"
+  ;;
+sign_agency_cert)
+    sign_agency_cert "$2" "$3"
+    ;;
 help)
     usage
     ;;

diff --git a/scripts/gm/cts.sh b/scripts/gm/cts.sh
@@ -121,6 +121,41 @@ gen_chain_cert() {
     echo "build chain ca succussful!"
 }
 
+# 生成机构证书key,csr文件
+gen_agency_key_csr() {
+    agencypath="$1"
+    name=$(getname "$agencypath")
+
+    check_name agency "$name"
+    agencydir=$agencypath
+    dir_must_not_exists "$agencydir"
+    mkdir -p $agencydir
+
+    $TASSL_CMD genpkey -paramfile ${SHELL_FOLDER}/gmsm2.param -out $agencydir/gmagency.key
+    $TASSL_CMD req -new -subj "/CN=$name/O=fisco-bcos/OU=agency" -key $agencydir/gmagency.key -config ${SHELL_FOLDER}/gmcert.cnf -out $agencydir/gmagency.csr
+
+    echo "build $name agency cert key&csr successful!"
+}
+
+# 签发agency证书
+sign_agency_cert() {
+    chain="$1"
+    agencypath="$2"
+    name=$(getname "$agencypath")
+
+    dir_must_exists "$chain"
+    file_must_exists "$chain/gmca.key"
+    check_name agency "$name"
+    agencydir=$agencypath
+    dir_must_exists "$agencydir"
+
+    $TASSL_CMD x509 -req -CA $chain/gmca.crt -CAkey $chain/gmca.key -days 3650 -CAcreateserial -in $agencydir/gmagency.csr -out $agencydir/gmagency.crt -extfile ${SHELL_FOLDER}/gmcert.cnf -extensions v3_agency_root
+    cp $chain/gmca.crt $agencydir/
+    rm -f $agencydir/gmagency.csr
+
+    echo "sign $name agency cert successful!"
+}
+
 gen_agency_cert() {
     chain="$2"
     agencypath="$3"
@@ -219,6 +254,12 @@ gen_agency_cert)
 gen_node_cert)
     gen_node_cert "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9"
     ;;
+gen_agency_key_csr)
+  gen_agency_key_csr "$2"
+  ;;
+sign_agency_cert)
+  sign_agency_cert "$2" "$3"
+  ;;
 download_tassl)
     check_and_install_tassl
     ;;