Merge pull request #57 from FISCO-BCOS/dev

Dev
FISCO-BCOS · Jul 16, 2018 · 2be9b52 · 2be9b52
2 parents de5d255 + 73b3c47
commit 2be9b52
Showing 1 changed file with 39 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -145,9 +145,45 @@ $ gradle build
 
 ### 3.2.2 生成客户端证书
 
-<br>
+web3sdk客户端证书ca.crt, client.keystore生成方法请参考[FISCO-BCOS区块链操作手册的生成sdk证书](https://github.com/FISCO-BCOS/FISCO-BCOS/tree/master/doc/manual#24-生成sdk证书)一节。<br>
+具体步骤可以参考[sdk.sh](https://github.com/FISCO-BCOS/FISCO-BCOS/blob/master/cert/sdk.sh),详细解释如下：<br>
+(1)将链的根ca证书ca.crt和次级的机构ca证书agency.crt合成证书链ca证书ca.crt。此证书用来验证sdk连接节点的节点证书的合法性。具体步骤为：<br>
+
+```shell
+cp ca.crt ca-agency.crt
+more agency.crt | cat >>ca-agency.crt
+mv ca-agency.crt ca.crt
+```
+
+(2)生成client.keystore。其中的client证书有三种用途：1、用作和节点连接是sdk的身份证书，由节点的ca.crt和agency.crt来验证合法性。2、用作和其他sdk（前置）连接的身份证书，由其他sdk的ca.crt来验证合法性。3、用作sdk发交易的私钥证书。<br>
+先用openssl生成一张secp256k1的证书sdk.crt。<br>
+
+```shell
+    openssl ecparam -out sdk.param -name secp256k1
+    openssl ecparam -out sdk.param -name secp256k1
+    openssl genpkey -paramfile sdk.param -out sdk.key
+    openssl pkey -in sdk.key -pubout -out sdk.pubkey
+    openssl req -new -key sdk.key -config cert.cnf  -out sdk.csr
+    openssl x509 -req -days 3650 -in sdk.csr -CAkey agency.key -CA agency.crt -force_pubkey sdk.pubkey -out sdk.crt -CAcreateserial -extensions v3_req -extfile cert.cnf
+```
 
-> web3sdk客户端证书ca.crt, client.keystore生成方法请参考[FISCO-BCOS区块链操作手册的生成sdk证书](https://github.com/FISCO-BCOS/FISCO-BCOS/tree/master/doc/manual#24-生成sdk证书)一节
+再将生成的sdk证书导入到client.keystore中。下面步骤中的第一步是中间步骤，用于生成导入keystore的p12文件。<br>
+
+```shell
+    openssl pkcs12 -export -name client -in sdk.crt -inkey sdk.key -out keystore.p12
+    keytool -importkeystore -destkeystore client.keystore -srckeystore keystore.p12 -srcstoretype pkcs12 -alias client
+```
+
+(3)加载client.keystore中私钥作为交易私钥的示例代码<br>
+
+```
+   KeyStore ks = KeyStore.getInstance("JKS");
+   ksInputStream =  Ethereum.class.getClassLoader().getResourceAsStream(keyStoreFileName);
+   ks.load(ksInputStream, keyStorePassword.toCharArray());
+   Key key = ks.getKey("client", keyPassword.toCharArray());
+   ECKeyPair keyPair = ECKeyPair.create(((ECPrivateKey) key).getS());
+   Credentials credentials = Credentials.create(keyPair);
+```
 
 <br>
 
@@ -965,4 +1001,4 @@ web3sdk部署合约的代码如下：
 
 [返回目录](#目录)
 
-<br>
+<br>