CN101674301B - Method for storing certificate - Google Patents


Info

Publication number: CN101674301B
Application number: CN200910086342A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN101674301A
Inventors: 陆舟, 于华章
Current assignee: Feitian Technologies Co Ltd (Beijing Feitian Technologies Co Ltd)
Original assignee: Feitian Technologies Co Ltd
Legal status: Active (application granted)

Abstract

The invention discloses a method for storing a certificate, belonging to the field of information security. The method comprises the following steps: a client computer sends to a security device instructions selecting an application directory file, an object directory file, a storage directory file and a storage file, and causes the certificate to be written into the storage file of the security device. Through this interaction between the client computer and the security device, the certificate is written into a specified file of the security device, so that shared storage of the certificate is achieved.

Description

A method for storing a certificate
Technical field
The present invention relates to the field of information security, and in particular to a method for storing a certificate.
Background technology
With the rapid development of the information industry, information technology has not only brought great convenience to people's lives but has fundamentally changed their way of life, behaviour and values; at the same time, the extensive use of information technology in commerce has had a huge and far-reaching effect on economic and social development. Users can employ various security devices to transmit, store or authenticate information.
Security devices (such as smart cards and USB keys) are devices with a processor and memory. They are mainly used for secure transmission and storage of information and for auditing and authenticating content transmitted over a network; they are resistant to attack and offer high security. Because of these characteristics, security devices can handle authentication information (such as digital certificates, rights, authorizations and encryption keys) and provide secure storage and computation for sensitive information in today's highly developed information society. Such sensitive information may include private keys and key fragments, counters and stored values, passwords and shared secrets, and authorizations and permissions.
However, in the prior art, these security devices used for authentication and authorization lack interoperability at various levels, and there is no industry standard for the format in which digital certificates are stored on them. This makes it very difficult to build an application that works with certificates from different vendors, and solving the problem within each application inevitably increases development and maintenance cost. Certificates are also bound to particular applications that use a particular application DLL under a particular hardware configuration, which causes considerable problems for client users. Finally, mechanisms that let multiple applications share a digital certificate effectively are not yet mature, so certificate sharing cannot be achieved in the prior art, which severely restricts application developers and users.
Summary of the invention
To enable certificate sharing and make security devices produced by different vendors interoperable, embodiments of the invention provide a method for storing a certificate. The technical scheme is as follows:
A method for storing a certificate, the method comprising:
a security device and a client computer establish a connection;
the security device receives a select-application-directory-file instruction sent by the client computer, the instruction carrying the file ID of the application directory file;
the security device selects the application directory file according to that file ID;
the security device receives a select-object-directory-file instruction sent by the client computer, the instruction carrying the file ID of the object directory file;
the security device selects the object directory file according to that file ID;
the security device receives a read-object-directory-file instruction sent by the client computer, and sends the content of the object directory file it reads to the client computer;
the client computer, according to the information type of the certificate to be written to the security device, obtains from the content of the object directory file the data storage file corresponding to that information type, and writes the certificate information into that data storage file.
The file ID of the application directory file is 0x5015.
The file ID of the object directory file is 0x5031.
The information types of the certificate comprise certificate information, and additionally private key information and/or public key information.
After the security device and the client computer have established a connection, the method further comprises:
creating in the security device, respectively, a file for storing the private key information, a file for storing the public key information and a file for storing the certificate information;
creating in the security device an object directory file whose file ID is 0x5031, and writing into that object directory file the information describing the file for storing the private key information, the file for storing the public key information and the file for storing the certificate information.
The client computer obtaining, according to the information type of the certificate to be written to the security device, the data storage file corresponding to that information type from the content of the object directory file specifically comprises:
the client computer obtains the storage directory file ID corresponding to the information type of the certificate from the received content of the object directory file;
the security device receives a select-storage-directory-file instruction sent by the client computer, the instruction carrying that storage directory file ID;
the security device selects the storage directory file according to that storage directory file ID;
the security device receives a read-storage-directory-file instruction sent by the client computer, and sends the content of the storage directory file it reads to the client computer;
the client computer obtains the data storage file ID of the certificate from the received content of the storage directory file.
When the information type of the certificate is certificate information, the client computer obtaining the storage directory file ID corresponding to that information type from the received content of the object directory file specifically comprises:
the client computer searches the content of the object directory file for the A4 data, A4 being the identifier of certificate information;
if the A4 data are present, read the value of the 1st byte after A4 as the first read value;
read the number of bytes of data given by the first read value;
judge whether the 1st byte of those data is 30;
if so, read the value of the 1st byte after 30 as the second read value; if not, end the method;
read the number of bytes of data given by the second read value;
judge whether the 1st byte of those data is 04;
if so, read the value of the 1st byte after 04 as the third read value; if not, end the method;
read the number of bytes of data given by the third read value, and take those data as the storage directory file ID of the certificate information;
if the A4 data are absent, end the method.
When the information type of the certificate is private key information, the client computer obtaining the storage directory file ID corresponding to that information type from the received content of the object directory file specifically comprises:
the client computer searches the content of the object directory file for the A0 data, A0 being the identifier of private key information;
if the A0 data are present, read the value of the 1st byte after A0 as the first read value;
read the number of bytes of data given by the first read value;
judge whether the 1st byte of those data is 30;
if so, read the value of the 1st byte after 30 as the second read value; if not, end the method;
read the number of bytes of data given by the second read value;
judge whether the 1st byte of those data is 04;
if so, read the value of the 1st byte after 04 as the third read value; if not, end the method;
read the number of bytes of data given by the third read value, and take those data as the storage directory file ID of the private key information;
if the A0 data are absent, end the method.
When the information type of the certificate is public key information, the client computer obtaining the storage directory file ID corresponding to that information type from the received content of the object directory file specifically comprises:
the client computer searches the content of the object directory file for the A1 data, A1 being the identifier of public key information;
if the A1 data are present, read the value of the 1st byte after A1 as the first read value;
read the number of bytes of data given by the first read value;
judge whether the 1st byte of those data is 30;
if so, read the value of the 1st byte after 30 as the second read value; if not, end the method;
read the number of bytes of data given by the second read value;
judge whether the 1st byte of those data is 04;
if so, read the value of the 1st byte after 04 as the third read value; if not, end the method;
read the number of bytes of data given by the third read value, and take those data as the storage directory file ID of the public key information;
if the A1 data are absent, end the method.
The client computer obtaining the data storage file ID of the certificate information from the received content of the storage directory file specifically comprises:
the client computer searches the content of the storage directory file for the A1 data;
if the A1 data are present:
read the value of the 1st byte after A1 as the first read value;
read the number of bytes of data given by the first read value;
judge whether the 1st byte of those data is 30;
if so, read the value of the 1st byte after 30 as the second read value; if not, end the method;
read the number of bytes of data given by the second read value;
judge whether the 1st byte of those data is 30;
if so, read the value of the 1st byte after 30 as the third read value; if not, end the method;
read the number of bytes of data given by the third read value;
judge whether the 1st byte of those data is 04;
if so, read the value of the 1st byte after 04 as the fourth read value; if not, end the method;
read the number of bytes of data given by the fourth read value, as the storage file ID of the certificate;
read the 1st byte after those data and judge whether it is 02;
if so, read the value of the 1st byte after 02 as the fifth read value; if not, end the method;
read the number of bytes of data given by the fifth read value, as the offset address of the certificate information within the data storage file;
read the 1st byte after those data and judge whether it is 08;
if so, read the value of the 1st byte after 08 as the sixth read value; if not, end the method;
read the number of bytes of data given by the sixth read value, as the length of the certificate;
if the A1 data are absent, end the method.
Writing the certificate information into the data storage file specifically comprises:
the security device receives a select-data-storage-file instruction sent by the client computer, the instruction carrying the data storage file ID;
the security device selects the data storage file according to that data storage file ID;
the client computer sends a write-data instruction to the security device, the instruction carrying the certificate information;
the security device writes the certificate information into the data storage file.
The technical scheme provided by the embodiments of the invention brings the following beneficial effect:
through interaction between the client computer and the security device, the certificate is written into a specified file of the security device, so that shared storage of the certificate is achieved.
Description of drawings
Fig. 1 is a flow chart of the method for storing a certificate provided in embodiment 1 of the invention;
Fig. 2 is a flow chart of the method for storing a certificate provided in embodiment 2 of the invention;
Fig. 3 is a flow chart of the method for storing a certificate provided in embodiment 3 of the invention.
Embodiments
To make the objects, technical scheme and advantages of the invention clearer, embodiments of the invention are described in further detail below with reference to the accompanying drawings.
Embodiment 1
This embodiment provides a method for storing a certificate. In embodiments of the invention, the information types of a certificate comprise at least certificate information and may further comprise one or both of private key information and public key information; a smart card is taken as the example security device, and the embodiment explains how each kind of certificate information is written to the security device.
Before explaining the method for storing a certificate, the initialization process of the smart card is described first, as follows:
Step 001: create on the smart card the files for storing private key information, public key information and certificate information, respectively;
In this embodiment, the file ID of the file storing private key information may be 0x4400, the file ID of the file storing public key information may be 0x4401, and the file ID of the file storing certificate information may be 0x4404.
Step 002: create on the smart card a file whose file ID is 0x5031, and write into that file the information about the files created in step 001.
The information about a file may include, but is not limited to, the TLV (tag length value) encoding of the file.
In this embodiment, the data written may be:
A006300404024400 (the TLV encoding for file ID 0x4400)
A106300404024401 (the TLV encoding for file ID 0x4401)
A406300404024404 (the TLV encoding for file ID 0x4404)
This completes the initialization of the smart card.
After the smart card has been initialized, with reference to Fig. 1, a method for writing the private key information of a certificate to the smart card is provided, specifically comprising:
Step 101: the smart card and the client computer establish a connection;
Step 102: the client computer sends to the smart card a SELECT FILE instruction selecting the application directory file (file ID 0x5015);
In this step, the SELECT FILE instruction for the application directory file with file ID 0x5015 may specifically be: APDU apdu (0x00,0xA4,0x00,0x00,0x02,0x5015).
Step 103: the smart card receives the SELECT FILE instruction for the application directory file with file ID 0x5015 sent by the client computer, selects the file with file ID 0x5015, and returns the execution result to the client computer;
When the smart card selects the file successfully, the execution result is the success identifier corresponding to successful selection of the application directory file 0x5015; it should be noted that there are many possible success identifiers, such as 0x9000;
When the smart card fails to select the file, the execution result is the failure identifier corresponding to failure to select the application directory file 0x5015.
Step 104: the client computer judges whether the execution result returned by the smart card is the success identifier;
If so, the client computer judges that the smart card selected the file successfully, and proceeds to step 105;
If not, the certificate storage operation ends.
Step 105: the client computer sends to the smart card a SELECT FILE instruction selecting the object directory file (file ID 0x5031);
In this step, the SELECT FILE instruction for the object directory file may specifically be: APDU apdu (0x00,0xA4,0x00,0x00,0x02,0x5031).
Step 106: the smart card receives the SELECT FILE instruction for the object directory file with file ID 0x5031 sent by the client computer, selects the file with file ID 0x5031, and returns the execution result to the client computer;
When the smart card selects the file successfully, the execution result is the success identifier corresponding to successful selection of the object directory file 0x5031; it should be noted that there are many possible success identifiers, such as 0x9000;
When the smart card fails to select the file, the execution result is the failure identifier corresponding to failure to select the object directory file 0x5031.
Step 107: the client computer judges whether the execution result returned by the smart card is the success identifier;
If so, the client computer judges that the smart card selected the file successfully, and proceeds to step 108;
If not, the certificate storage operation ends.
Step 108: the client computer sends to the smart card a READ FILE instruction reading the object directory file (file ID 0x5031);
In this step, the READ FILE instruction for the object directory file with file ID 0x5031 may specifically be: APDU apdu (0x80,0xB0,0x00,0x00,0x00,0x00).
Step 109: the smart card receives the READ FILE instruction for the object directory file with file ID 0x5031 sent by the client computer, executes it, and sends the execution result to the client computer;
When the smart card reads the file successfully, the execution result is the success identifier corresponding to successful reading of the object directory file 0x5031, together with the data content of the object directory file 0x5031; it should be noted that there are many possible success identifiers, such as 0x9000;
When the smart card fails to read the file, the execution result is the failure identifier corresponding to failure to read the object directory file 0x5031.
Step 110: the client computer judges whether the execution result returned by the smart card includes the success identifier;
If the success identifier is included, the client computer has obtained the content of the object directory file in the smart card. The client computer need not obtain this content again until the smart card is removed from the computer; therefore, when the various information types of the certificate are written to the smart card one after another, steps 101 to 109 are not repeated.
The execution result received by the client computer also includes the data content of the object directory file with file ID 0x5031, which may be as follows:
A0 06 30 04 04 02 44 00
A1 06 30 04 04 02 44 01
A4 06 30 04 04 02 44 04
The client computer selects from the received data content the storage directory file ID corresponding to the information type of the certificate to be written to the smart card.
When the information type of the certificate to be written to the smart card is private key information, the specific operation is as follows:
(1) search the data for the A0 data, A0 being the private key identifier.
(2) If the A0 data are found, read the 1 byte after A0 (06 in this embodiment) as the first read value; if A0 is not found, end the certificate storage operation;
(3) read the 6 bytes following the first read value 06 and examine the 1st byte of the data read; if the 1st byte is 30, read the 1 byte after 30 (04 in this embodiment) as the second read value; if the 1st byte is not 30, end the certificate storage operation;
(4) read the 4 bytes following the second read value 04 and examine the 1st byte of the data read; if it is 04, read the 1 byte after 04 (02 in this embodiment) as the third read value; if the 1st byte is not 04, end the certificate storage operation;
(5) read the 2 bytes following the third read value 02; the data obtained are the storage path of the data represented by A0 (4400 in this embodiment, i.e. the storage path of the private key data is the file with file ID 0x4400), and proceed to step 111.
If the success identifier is not included, end the certificate storage operation.
Step 111: the client computer sends to the smart card a SELECT FILE instruction selecting the storage directory file (file ID 0x4400);
In this step, the SELECT FILE instruction for the storage directory file with file ID 0x4400 may specifically be: APDU apdu (0x00,0xA4,0x00,0x00,0x02,0x4400).
Step 112: the smart card receives the SELECT FILE instruction for the storage directory file with file ID 0x4400, selects the file with file ID 0x4400, and returns the execution result to the client computer;
When the smart card selects the file successfully, the execution result is the success identifier corresponding to successful selection of the storage directory file 0x4400; it should be noted that there are many possible success identifiers, such as 0x9000;
When the smart card fails to select the file, the execution result is the failure identifier corresponding to failure to select file ID 0x4400.
Step 113: the client computer judges whether the execution result returned by the smart card is the success identifier;
If so, the client computer judges that the smart card selected the file successfully, and proceeds to step 114;
If not, the certificate storage operation ends.
Step 114: the client computer sends to the smart card a READ FILE instruction reading the storage directory file (file ID 0x4400);
In this step, the READ FILE instruction for the storage directory file with file ID 0x4400 may specifically be: APDU apdu (0x80,0xB0,0x00,0x00,0x00,0x00).
Step 115: the smart card receives and executes the READ FILE instruction for the storage directory file with file ID 0x4400, and returns the execution result to the client computer;
When the smart card reads the file successfully, the execution result is the success identifier corresponding to successful reading of the storage directory file 0x4400, together with the data content of the storage directory file 0x4400; it should be noted that there are many possible success identifiers, such as 0x9000;
When the smart card fails to read the file, the execution result is the failure identifier corresponding to failure to read the storage directory file 0x4400.
Step 116: the client computer judges whether the execution result returned by the smart card includes the success identifier;
If the success identifier is included, the execution result received by the client computer also includes the data content of the storage directory file with file ID 0x4400, which is as follows:
A1 13 30 11 30 0B 04 02 43 01 02 01 00 80 02 00 8D 02 02 04 00
The client computer operates on the received data content as follows:
(1) search the data for the A1 data;
if A1 is found, read the 1st byte after A1 (13 in this embodiment) as the first read value;
if A1 is not found, end the certificate storage operation.
(2) read the 0x13 bytes following the first read value 13 and examine the 1st byte of the data read; if it is 30, read the 1st byte after 30 (11 in this embodiment) as the second read value; if it is not 30, end the certificate storage operation;
(3) read the 0x11 bytes following the second read value 11 and examine the 1st byte of the data read; if it is 30, read the 1st byte after 30 (0B in this embodiment) as the third read value; if it is not 30, end the certificate storage operation;
(4) read the 0x0B bytes following the third read value 0B and examine the 1st byte of the data read; if it is 04, read the 1st byte after 04 (02 in this embodiment) as the fourth read value; if it is not 04, end the certificate storage operation;
(5) read the 0x02 bytes following the fourth read value 02; the data obtained are the storage path of the private key data (4301 in this embodiment, i.e. the storage path of the private key data is 0x4301);
(6) read the data after 4301 and examine the 1st byte; if it is 02, read the 1 byte after 02 (01 in this embodiment) as the fifth read value; if it is not 02, end the certificate storage operation;
(7) read the 0x01 bytes following the fifth read value 01; these data are the offset address of the private key data within the data storage file (00 in this embodiment, i.e. the offset address of the private key data in the data storage file is 00);
(8) read the data after 00 and examine the 1st byte; if it is 80, read the 1 byte after 80 (02 in this embodiment) as the sixth read value; if it is not 80, end the certificate storage operation;
(9) read the 0x02 bytes following the sixth read value 02; the data obtained are the length of the private key data (008D in this embodiment, i.e. the length of the private key data is 008D).
At this point, the client computer has obtained the following information: the file ID of the data storage file in which the private key data are to be stored is 0x4301; the private key data are to be stored at offset address 00 in the data storage file; and the private key data occupy 0x8D bytes of the data storage file.
If the success identifier is not included, end the certificate storage operation.
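The directory walks described in the summary and carried out in steps 110 and 116 above, as an added Python example that is not part of the patent or of Feitian's code: it encodes the object directory entries written during initialization (step 002), then parses the object directory and storage directory contents quoted in this embodiment. Function names are my own; the one-byte-tag, one-byte-length nesting is the one the patent describes, and every truncated or unexpected byte ends the operation with an error instead of reading past the buffer.

```python
"""Encode and parse the object directory / storage directory records of CN101674301B.

Added example, not the patent's or Feitian's code. Tag and length are one byte each,
as in the patent's walk; function names are assumptions of this example."""

# Object directory entry tags: A0 = private key, A1 = public key, A4 = certificate.
OBJECT_TAGS = {"private_key": 0xA0, "public_key": 0xA1, "certificate": 0xA4}


def read_tlv(data, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos.

    The patent ends the storage operation when a byte is not what it expects;
    here a truncated or overlong record raises ValueError instead."""
    if pos + 2 > len(data):
        raise ValueError("truncated TLV header at offset %d" % pos)
    tag, length = data[pos], data[pos + 1]
    end = pos + 2 + length
    if end > len(data):
        raise ValueError("length %d at offset %d overruns the record" % (length, pos))
    return tag, data[pos + 2:end], end


def expect_tlv(data, pos, tag):
    """Read the TLV at pos and require the given tag (the 'judge whether 30/04/02/80' steps)."""
    got, value, nxt = read_tlv(data, pos)
    if got != tag:
        raise ValueError("expected tag %02X at offset %d, found %02X" % (tag, pos, got))
    return value, nxt


def encode_odf_entry(object_tag, file_id):
    """Build one object directory entry as written in step 002: <tag> 06 30 04 04 02 <file ID>."""
    path = bytes([0x04, 0x02]) + file_id.to_bytes(2, "big")
    seq = bytes([0x30, len(path)]) + path
    return bytes([object_tag, len(seq)]) + seq


def find_storage_directory_id(odf, info_type):
    """Steps (1)-(5) on the object directory content: find the entry whose tag matches
    the information type, then descend 30 -> 04 to the 2-byte storage directory file ID.
    Returns None when no entry with that tag exists."""
    wanted = OBJECT_TAGS[info_type]
    pos = 0
    while pos < len(odf):
        tag, value, pos = read_tlv(odf, pos)
        if tag != wanted:
            continue  # entries for other object types are skipped, not an error
        seq, _ = expect_tlv(value, 0, 0x30)
        path, _ = expect_tlv(seq, 0, 0x04)
        if len(path) != 2:
            raise ValueError("storage directory file ID must be 2 bytes")
        return int.from_bytes(path, "big")
    return None


def parse_storage_directory_record(record):
    """Steps (1)-(9) on the storage directory content:
    A1 len  30 len  30 len  04 02 <data file ID>  02 01 <offset>  80 02 <length>  ...
    Returns (data_file_id, offset, length), or None when no A1 entry exists."""
    pos = 0
    while pos < len(record):
        tag, value, pos = read_tlv(record, pos)
        if tag != 0xA1:
            continue
        outer, _ = expect_tlv(value, 0, 0x30)
        inner, _ = expect_tlv(outer, 0, 0x30)
        path, p = expect_tlv(inner, 0, 0x04)
        offset, p = expect_tlv(inner, p, 0x02)
        length, _ = expect_tlv(inner, p, 0x80)
        return (int.from_bytes(path, "big"),
                int.from_bytes(offset, "big"),
                int.from_bytes(length, "big"))
    return None


# Sample input: the object directory and storage directory contents quoted in embodiment 1.
ODF_SAMPLE = bytes.fromhex("A0 06 30 04 04 02 44 00 A1 06 30 04 04 02 44 01 A4 06 30 04 04 02 44 04")
PRKDF_SAMPLE = bytes.fromhex("A1 13 30 11 30 0B 04 02 43 01 02 01 00 80 02 00 8D 02 02 04 00")


def locate_private_key_slot(odf=ODF_SAMPLE, storage_dir=PRKDF_SAMPLE):
    """The client's decision in steps 110 and 116: which storage directory file to select,
    then which data storage file, offset and length to write the private key into."""
    dir_id = find_storage_directory_id(odf, "private_key")
    if dir_id is None:
        return None
    return dir_id, parse_storage_directory_record(storage_dir)


if __name__ == "__main__":
    dir_id, (file_id, offset, length) = locate_private_key_slot()
    # prints: directory 4400 data file 4301 offset 0 length 141
    print("directory %04X data file %04X offset %d length %d" % (dir_id, file_id, offset, length))
```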
Step 117: the client computer sends to the smart card a SELECT FILE instruction selecting the data storage file (file ID 0x4301);
The SELECT FILE instruction for the data storage file with file ID 0x4301 may specifically be: APDU apdu (0x00,0xA4,0x00,0x00,0x02,0x4301).
Step 118: the smart card receives the SELECT FILE instruction for the data storage file with file ID 0x4301, selects the file with file ID 0x4301, and returns the execution result to the client computer;
When the smart card selects the file successfully, the execution result is the success identifier corresponding to successful selection of the data storage file 0x4301; it should be noted that there are many possible success identifiers, such as 0x9000;
When the smart card fails to select the file, the execution result is the failure identifier corresponding to failure to select file ID 0x4301.
Step 119: the client computer judges whether the execution result returned by the smart card is the success identifier;
If so, the client computer judges that the smart card selected the file successfully, and proceeds to step 120;
If not, the certificate storage operation ends.
Step 120: the client computer sends a write-data instruction to the smart card, the data to be written to the smart card being the private key information;
The write-data instruction may specifically be: APDU apdu (0x80,0xD6,0x00,0x00,0x00,0x00).
Step 121: the smart card receives and executes the write-data instruction, writes the private key information into the data storage file with file ID 0x4301, and returns the execution result to the client computer;
When the smart card writes the data successfully, the execution result is the success identifier corresponding to successful writing of the data storage file 0x4301; it should be noted that there are many possible success identifiers, such as 0x9000;
When the smart card fails to write the file, the execution result is the failure identifier corresponding to failure to write the data storage file 0x4301.
Step 122: the client computer judges whether the execution result returned by the smart card is the success identifier;
If so, the private key data have been stored successfully;
If not, the certificate storage operation ends.
Alternatively, in the above step 110, when the information type of the certificate to be written to the smart card is public key information, the specific operation is as follows:
(1) search the data for the A1 data, wherein A1 represents the public key identifier.
(2) if the A1 data is found, read the 1 byte of data following A1 (in the present embodiment the data following A1 is 06) as the first read value; if the A1 data is not found, terminate the certificate storage operation;
(3) read the 6 bytes of data following the first read value 06, and examine the 1st byte of the data read; if the 1st byte is 30, read the 1 byte of data following 30 (in the present embodiment the 1st byte following 30 is 04) as the second read value; if the 1st byte is not 30, terminate the certificate storage operation;
(4) read the 4 bytes following the second read value 04, and examine the 1st byte of the data read; if it is 04, read the 1 byte of data following 04 (in the present embodiment the byte following 04 is 02) as the third read value; if the 1st byte is not 04, terminate the certificate storage operation;
(5) read the 2 bytes following the third read value 02; the data obtained is the storage path of the data represented by A1 (4401 in the present embodiment, that is, the storage path of the public key data is the file whose file ID is 0x4401); then execute step 211.
If the success flag is not included, terminate the certificate storage operation.
Step 211: the client computer sends to the smart card a select file instruction for selecting the storage directory file (file ID 0x4401);
Wherein, in this step the select file instruction for selecting the storage directory file whose file ID is 0x4401 may specifically be: APDU apdu(0x00,0xA4,0x00,0x00,0x02,0x4401).
Step 212: the smart card receives the select file instruction for selecting the storage directory file whose file ID is 0x4401, selects the file whose file ID is 0x4401, and returns the execution result to the client computer;
When the smart card selects the file successfully, the execution result is the success flag corresponding to successful selection of the storage directory file whose file ID is 0x4401. It should be noted that the success flag may take a variety of forms, such as 0x9000;
When the smart card fails to select the file, the execution result is the failure flag corresponding to failed selection of the file whose file ID is 0x4401.
Step 213: the client computer judges whether the execution result returned by the smart card is the success flag;
If so, the client computer judges that the smart card selected the file successfully, and executes step 214;
If not, the certificate storage operation is terminated.
Step 214: the client computer sends to the smart card a read file instruction for reading the storage directory file (file ID 0x4401);
Wherein, in this step the read file instruction for reading the storage directory file whose file ID is 0x4401 may specifically be: APDU apdu(0x80,0xB0,0x00,0x00,0x00,0x00).
Step 215: the smart card receives and executes the read file instruction for reading the storage directory file whose file ID is 0x4401, and returns the execution result to the client computer;
When the smart card reads the file successfully, the execution result is the success flag corresponding to successful reading of the storage directory file whose file ID is 0x4401, together with the data content of the storage directory file whose file ID is 0x4401. It should be noted that the success flag may take a variety of forms, such as 0x9000;
When the smart card fails to read the file, the execution result is the failure flag corresponding to failed reading of the storage directory file whose file ID is 0x4401.
Step 216: the client computer judges whether the execution result returned by the smart card includes the success flag;
If the success flag is included, the execution result received by the client computer also includes the data content of the storage directory file whose file ID is 0x4401; the specific data content is as follows:
A1 13 30 11 30 0B 04 02 43 00 02 01 00 80 02 00 8D 02 02 04 00
The client computer operates on the received data content as follows:
(1) search the data for the A1 data;
If A1 is found, read the 1st byte of data after A1 (13 in the present embodiment) as the first read value;
If A1 is not found, terminate the certificate storage operation.
(2) read the 0x13 bytes of data following the first read value 13, and examine the 1st byte of the data read; if it is 30, read the 1st byte of data after 30 (11 in the present embodiment) as the second read value; if it is not 30, terminate the certificate storage operation;
(3) read the 0x11 bytes of data following the second read value 11, and examine the 1st byte of the data read; if it is 30, read the 1st byte of data after 30 (0B in the present embodiment) as the third read value; if it is not 30, terminate the certificate storage operation;
(4) read the 0x0B bytes of data following the third read value 0B, and examine the 1st byte of the data read; if it is 04, read the 1st byte of data after 04 (02 in the present embodiment) as the fourth read value; if it is not 04, terminate the certificate storage operation;
(5) read the 0x02 bytes of data following the fourth read value 02; the data obtained is the storage path of the public key data (4301 in the present embodiment, that is, the storage path of the public key data is 0x4300);
(6) read the data following 4300, and examine the 1st byte of the data read; if it is 02, read the 1 byte of data after 02 (01 in the present embodiment) as the fifth read value; if it is not 02, terminate the certificate storage operation;
(7) read the 0x01 byte of data following the fifth read value 01; said data is the offset address of the public key data within the data storage file (00 in the present embodiment, that is, the offset address of the public key data within the data storage file is 00);
(8) read the data following 00, and examine the 1st byte of the data read; if it is 80, read the 1 byte of data after 80 (02 in the present embodiment) as the sixth read value; if it is not 80, terminate the certificate storage operation;
(9) read the 0x02 bytes of data following the sixth read value 02; the data obtained is the length of the public key data (008D in the present embodiment, that is, the length of the public key data is 008D).
So far, the client computer has obtained the following information: the file ID of the data storage file into which the public key data is to be deposited is 0x4300; the offset address of the public key data to be deposited within the data storage file is 00; and the space occupied by the public key data to be deposited in the data storage file is 0x8D.
If the success flag is not included, terminate the certificate storage operation.
Step 217: the client computer sends to the smart card a select file instruction for selecting the data storage file (file ID 0x4300);
Wherein, the select file instruction for selecting the data storage file whose file ID is 0x4300 may specifically be: APDU apdu(0x00,0xA4,0x00,0x00,0x02,0x4300).
Step 218: the smart card receives the select file instruction for selecting the data storage file whose file ID is 0x4300, selects the file whose file ID is 0x4300, and then returns the execution result to the client computer;
When the smart card selects the file successfully, the execution result is the success flag corresponding to successful selection of the data storage file whose file ID is 0x4300. It should be noted that the success flag may take a variety of forms, such as 0x9000;
When the smart card fails to select the file, the execution result is the failure flag corresponding to failed selection of the file whose file ID is 0x4300.
Step 219: the client computer judges whether the execution result returned by the smart card is the success flag;
If so, the client computer judges that the smart card selected the file successfully, and executes step 220;
If not, the certificate storage operation is terminated.
Step 220: the client computer sends the write data instruction to the smart card, wherein the data to be written to the smart card is the public key information;
Wherein, the write data instruction may specifically be: APDU apdu(0x80,0xD6,0x00,0x00,0x00,0x00).
Step 221: the smart card receives and executes the write data instruction, writes the public key information into the data storage file whose file ID is 0x4300, and returns the execution result to the client computer;
When the smart card writes the data successfully, the execution result is the success flag corresponding to successful writing of the data storage file whose file ID is 0x4300. It should be noted that the success flag may take a variety of forms, such as 0x9000;
When the smart card fails to write the file, the execution result is the failure flag corresponding to failed writing of the data storage file whose file ID is 0x4300.
Step 222: the client computer judges whether the execution result returned by the smart card is the success flag;
If so, the public key data is stored successfully;
If not, the certificate storage operation is terminated.
Alternatively, in the above step 110, when the information type of the certificate to be written to the smart card is certificate information, the specific operation is as follows:
(1) search the data for the A4 data, wherein A4 represents the certificate identifier.
(2) if the A4 data is found, read the 1 byte of data following A4 (in the present embodiment the data following A4 is 06) as the first read value; if the A4 data is not found, terminate the certificate storage operation;
(3) read the 6 bytes of data following the first read value 06, and examine the 1st byte of the data read; if the 1st byte is 30, read the 1 byte of data following 30 (in the present embodiment the 1st byte following 30 is 04) as the second read value; if the 1st byte is not 30, terminate the certificate storage operation;
(4) read the 4 bytes following the second read value 04, and examine the 1st byte of the data read; if it is 04, read the 1 byte of data following 04 (in the present embodiment the byte following 04 is 02) as the third read value; if the 1st byte is not 04, terminate the certificate storage operation;
(5) read the 2 bytes following the third read value 02; the data obtained is the storage path of the data represented by A1 (4404 in the present embodiment, that is, the storage path of the certificate data is the file whose file ID is 0x4404); then execute step 211.
If the success flag is not included, terminate the certificate storage operation.
Step 311: the client computer sends to the smart card a select file instruction for selecting the storage directory file (file ID 0x4404);
Wherein, in this step the select file instruction for selecting the storage directory file whose file ID is 0x4404 may specifically be: APDU apdu(0x00,0xA4,0x00,0x00,0x02,0x4404).
Step 312: the smart card receives the select file instruction for selecting the storage directory file whose file ID is 0x4404, selects the file whose file ID is 0x4404, and returns the execution result to the client computer;
When the smart card selects the file successfully, the execution result is the success flag corresponding to successful selection of the storage directory file whose file ID is 0x4404. It should be noted that the success flag may take a variety of forms, such as 0x9000;
When the smart card fails to select the file, the execution result is the failure flag corresponding to failed selection of the file whose file ID is 0x4404.
Step 313: the client computer judges whether the execution result returned by the smart card is the success flag;
If so, the client computer judges that the smart card selected the file successfully, and executes step 314;
If not, the certificate storage operation is terminated.
Step 314: the client computer sends to the smart card a read file instruction for reading the storage directory file (file ID 0x4404);
Wherein, in this step the read file instruction for reading the storage directory file whose file ID is 0x4404 may specifically be: APDU apdu(0x80,0xB0,0x00,0x00,0x00,0x00).
Step 315: the smart card receives and executes the read file instruction for reading the storage directory file whose file ID is 0x4404, and returns the execution result to the client computer;
When the smart card reads the file successfully, the execution result is the success flag corresponding to successful reading of the storage directory file whose file ID is 0x4404, together with the data content of the storage directory file whose file ID is 0x4404. It should be noted that the success flag may take a variety of forms, such as 0x9000;
When the smart card fails to read the file, the execution result is the failure flag corresponding to failed reading of the storage directory file whose file ID is 0x4404.
Step 316: the client computer judges whether the execution result returned by the smart card includes the success flag;
If the success flag is included, the execution result received by the client computer also includes the data content of the storage directory file whose file ID is 0x4404; the specific data content is as follows:
A1 10 30 0E 30 0C 04 02 43 00 02 02 00 8D 80 02 06 5E 00
The client computer operates on the received data content as follows:
(1) search the data for the A4 data;
If A4 is found, read the 1st byte of data after A4 (10 in the present embodiment) as the first read value;
If A4 is not found, terminate the certificate storage operation.
(2) read the 0x10 bytes of data following the first read value 10, and examine the 1st byte of the data read; if it is 30, read the 1st byte of data after 30 (0E in the present embodiment) as the second read value; if it is not 30, terminate the certificate storage operation;
(3) read the 0x0E bytes of data following the second read value 0E, and examine the 1st byte of the data read; if it is 30, read the 1st byte of data after 30 (0C in the present embodiment) as the third read value; if it is not 30, terminate the certificate storage operation;
(4) read the 0x0C bytes of data following the third read value 0C, and examine the 1st byte of the data read; if it is 04, read the 1st byte of data after 04 (02 in the present embodiment) as the fourth read value; if it is not 04, terminate the certificate storage operation;
(5) read the 2 bytes of data following the fourth read value 02; the data obtained is the storage path of the certificate data (4300 in the present embodiment, that is, the storage path of the certificate data is 0x4300);
(6) read the data following 4300, and examine the 1st byte of the data read; if it is 02, read the 1 byte of data after 02 (02 in the present embodiment) as the fifth read value; if it is not 02, terminate the certificate storage operation;
(7) read the 2 bytes of data following the fifth read value 02; said data is the offset address of the certificate data within the data storage file (008D in the present embodiment, that is, the offset address of the certificate data within the data storage file is 008D);
(8) read the data following 008D, and examine the 1st byte of the data read; if it is 80, read the 1 byte of data after 80 (02 in the present embodiment) as the sixth read value; if it is not 80, terminate the certificate storage operation;
(9) read the 2 bytes of data following the sixth read value 02; the data obtained is the length of the certificate data (065E in the present embodiment, that is, the length of the certificate data is 065E).
So far, the client computer has obtained the following information: the file ID of the data storage file into which the certificate data is to be deposited is 0x4300; the offset address of the certificate data to be deposited within the data storage file is 0x8D; and the space occupied by the certificate data to be deposited in the data storage file is 0x65E.
If the success flag is not included, terminate the certificate storage operation.
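The two storage directory walks above (steps 216 and 316) and the object directory walks of steps (1)-(5) are the same tag-length-value traversal, so one parser serves all of them. The following is an added example written for this page, not code from the patent or its applicant: it walks the quoted storage directory bytes to recover the data storage file ID, offset address and length, and walks a constructed object directory (assembled from the A1 and A4 values the description lists) to recover the storage directory file ID. Both quoted storage directory strings begin with the A1 tag, as claim 10 also states, so the storage directory walk defaults to that tag. The function names, the `StorageLocation` record and the length checks against the end of the buffer are this example's own additions.

```python
"""Directory-file walk for the object directory and storage directory contents.
Added example (not the patent's own code). Sample inputs are constructed: the
two storage directory strings are the bytes quoted in steps 216 and 316; the
object directory bytes are assembled from the values the description gives."""

from dataclasses import dataclass


class DirectoryFormatError(ValueError):
    """Raised wherever the description says to terminate the storage operation."""


def read_tlv(data: bytes, pos: int):
    """Return (tag, value, next_pos) for the element at pos.

    Each element is a one-byte tag, a one-byte length and that many value bytes.
    A length that runs past the end of the buffer is rejected instead of being
    silently truncated; the description's walk does not state this check.
    """
    if pos + 2 > len(data):
        raise DirectoryFormatError("truncated tag/length at offset %d" % pos)
    tag, length = data[pos], data[pos + 1]
    end = pos + 2 + length
    if end > len(data):
        raise DirectoryFormatError("length 0x%02X at offset %d exceeds buffer" % (length, pos))
    return tag, data[pos + 2:end], end


def expect(data: bytes, tag: int, pos: int = 0):
    """Require the element at pos to carry `tag`; return (value, next_pos)."""
    got, value, nxt = read_tlv(data, pos)
    if got != tag:
        raise DirectoryFormatError("expected tag 0x%02X at offset %d, found 0x%02X" % (tag, pos, got))
    return value, nxt


def find_top_level(data: bytes, tag: int) -> bytes:
    """Steps (1)-(2): scan the top-level elements for `tag` (A0, A1 or A4)
    and return its value, i.e. the bytes following its length byte."""
    pos = 0
    while pos < len(data):
        got, value, pos = read_tlv(data, pos)
        if got == tag:
            return value
    raise DirectoryFormatError("tag 0x%02X not found" % tag)


def storage_directory_id(object_dir: bytes, type_tag: int) -> int:
    """Object directory walk (1)-(5): type tag -> 30 -> 04 -> two-byte file ID."""
    seq, _ = expect(find_top_level(object_dir, type_tag), 0x30)
    path, _ = expect(seq, 0x04)
    if len(path) != 2:
        raise DirectoryFormatError("file ID must be 2 bytes, got %d" % len(path))
    return int.from_bytes(path, "big")


@dataclass(frozen=True)
class StorageLocation:
    file_id: int   # data storage file holding the object
    offset: int    # offset address of the object inside that file
    length: int    # space the object occupies in that file


def data_storage_location(storage_dir: bytes, type_tag: int = 0xA1) -> StorageLocation:
    """Storage directory walk (1)-(9): tag -> 30 -> 30 -> 04 path, 02 offset, 80 length."""
    outer, _ = expect(find_top_level(storage_dir, type_tag), 0x30)
    inner, _ = expect(outer, 0x30)
    path, pos = expect(inner, 0x04)          # step (5): file ID of the data storage file
    offset, pos = expect(inner, 0x02, pos)   # steps (6)-(7): offset address
    length, _ = expect(inner, 0x80, pos)     # steps (8)-(9): length of the object
    if len(path) != 2:
        raise DirectoryFormatError("file ID must be 2 bytes, got %d" % len(path))
    return StorageLocation(int.from_bytes(path, "big"),
                           int.from_bytes(offset, "big"),
                           int.from_bytes(length, "big"))


# Constructed sample data (byte values follow the description of this embodiment).
OBJECT_DIR = bytes.fromhex("A4 06 30 04 04 02 44 04"    # certificate -> 0x4404
                           "A1 06 30 04 04 02 44 01")   # public key  -> 0x4401
STORAGE_DIR_PUBKEY = bytes.fromhex("A1 13 30 11 30 0B 04 02 43 00 02 01 00 80 02 00 8D 02 02 04 00")
STORAGE_DIR_CERT = bytes.fromhex("A1 10 30 0E 30 0C 04 02 43 00 02 02 00 8D 80 02 06 5E 00")

if __name__ == "__main__":
    print("certificate storage directory: 0x%04X" % storage_directory_id(OBJECT_DIR, 0xA4))
    print("public key location:", data_storage_location(STORAGE_DIR_PUBKEY))
    print("certificate location:", data_storage_location(STORAGE_DIR_CERT))
```

The trailing `02 02 04 00` inside the first string and the trailing `00` after the second sit outside the inner sequence the walk descends into, so they are skipped by the length arithmetic rather than by any special-casing; a malformed length byte, which the description's fixed "read N bytes" steps would run past, is turned into a `DirectoryFormatError` at the exact offset.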
Step 317: the client computer sends to the smart card a select file instruction for selecting the data storage file (file ID 0x4300);
Wherein, the select file instruction for selecting the data storage file whose file ID is 0x4300 may specifically be: APDU apdu(0x00,0xA4,0x00,0x00,0x02,0x4300).
Step 318: the smart card receives the select file instruction for selecting the data storage file whose file ID is 0x4300, selects the file whose file ID is 0x4300, and then returns the execution result to the client computer;
When the smart card selects the file successfully, the execution result is the success flag corresponding to successful selection of the data storage file whose file ID is 0x4300. It should be noted that the success flag may take a variety of forms, such as 0x9000;
When the smart card fails to select the file, the execution result is the failure flag corresponding to failed selection of the file whose file ID is 0x4300.
Step 319: the client computer judges whether the execution result returned by the smart card is the success flag;
If so, the client computer judges that the smart card selected the file successfully, and executes step 320;
If not, the certificate storage operation is terminated.
Step 320: the client computer sends the write data instruction to the smart card, wherein the data to be written to the smart card is the certificate information;
Wherein, the write data instruction may specifically be: APDU apdu(0x80,0xD6,0x00,0x00,0x00,0x00).
Step 321: the smart card receives and executes the write data instruction, writes the certificate information into the data storage file whose file ID is 0x4300, and returns the execution result to the client computer;
When the smart card writes the data successfully, the execution result is the success flag corresponding to successful writing of the data storage file whose file ID is 0x4300. It should be noted that the success flag may take a variety of forms, such as 0x9000;
When the smart card fails to write the file, the execution result is the failure flag corresponding to failed writing of the data storage file whose file ID is 0x4300.
Step 322: the client computer judges whether the execution result returned by the smart card is the success flag;
If so, the certificate data is stored successfully;
If not, the certificate storage operation is terminated.
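Steps 211-222 and 311-322 each consist of the same three instructions (select file, read file, write data) followed by a check of the returned success flag. The following is an added example written for this page, not code from the patent or its applicant: it encodes those three command APDUs with the byte values the description gives, splits the response into data and status word, and drives the select/read/write sequence against an in-memory stand-in for the smart card. The mock card itself, its failure status words (taken from ISO/IEC 7816-4, with 0x9000 being the only status the description names), the use of P1P2 as the write offset and Lc as the payload length (the description shows P1=P2=0x00 and does not spell out how the payload is carried) are all assumptions of this example.

```python
"""Command/response APDU handling for the select file, read file and write data
instructions, driven against a mock card. Added example, not the patent's own
code. Instruction bytes are from the description; the mock card, its failure
status words, and the P1P2-offset / Lc-length write encoding are assumed."""

SW_SUCCESS = 0x9000          # the success flag named in the description
SW_WRONG_LENGTH = 0x6700     # assumed failure flag (ISO/IEC 7816-4 value)
SW_NO_CURRENT_EF = 0x6986    # assumed: command not allowed, no file selected
SW_FILE_NOT_FOUND = 0x6A82   # assumed failure flag (ISO/IEC 7816-4 value)


class CardError(RuntimeError):
    def __init__(self, sw: int):
        super().__init__("card returned status 0x%04X" % sw)
        self.sw = sw


def select_file_apdu(file_id: int) -> bytes:
    """APDU apdu(0x00,0xA4,0x00,0x00,0x02,<file ID>) from the description."""
    return bytes([0x00, 0xA4, 0x00, 0x00, 0x02]) + file_id.to_bytes(2, "big")


def read_file_apdu() -> bytes:
    """APDU apdu(0x80,0xB0,0x00,0x00,0x00,0x00) from the description."""
    return bytes([0x80, 0xB0, 0x00, 0x00, 0x00, 0x00])


def write_data_apdu(payload: bytes, offset: int) -> bytes:
    """0x80 0xD6 write data; offset in P1P2 and Lc = len(payload) are assumed."""
    if not 0 < len(payload) <= 255:
        raise ValueError("a short APDU carries 1..255 data bytes; chaining is out of scope here")
    return bytes([0x80, 0xD6]) + offset.to_bytes(2, "big") + bytes([len(payload)]) + payload


def split_response(resp: bytes):
    """Response = data || SW1 SW2; returns (data, status word)."""
    if len(resp) < 2:
        raise CardError(0)
    return resp[:-2], int.from_bytes(resp[-2:], "big")


def check(resp: bytes) -> bytes:
    """The judgement of steps 213/216/219/222: require the 0x9000 success flag."""
    data, sw = split_response(resp)
    if sw != SW_SUCCESS:
        raise CardError(sw)
    return data


class MockCard:
    """Assumed stand-in for the smart card: binary files keyed by file ID."""

    def __init__(self, files):
        self.files = {fid: bytearray(content) for fid, content in files.items()}
        self.selected = None

    def transmit(self, apdu: bytes) -> bytes:
        cla, ins, p1, p2, lc = apdu[:5]
        body = apdu[5:5 + lc]
        if (cla, ins) == (0x00, 0xA4):                 # select file by 2-byte ID
            fid = int.from_bytes(body, "big")
            if fid not in self.files:
                return SW_FILE_NOT_FOUND.to_bytes(2, "big")
            self.selected = fid
            return SW_SUCCESS.to_bytes(2, "big")
        if self.selected is None:
            return SW_NO_CURRENT_EF.to_bytes(2, "big")
        f = self.files[self.selected]
        if (cla, ins) == (0x80, 0xB0):                 # read the whole selected file
            return bytes(f) + SW_SUCCESS.to_bytes(2, "big")
        if (cla, ins) == (0x80, 0xD6):                 # write at the P1P2 offset
            offset = (p1 << 8) | p2
            if offset + len(body) > len(f):
                return SW_WRONG_LENGTH.to_bytes(2, "big")
            f[offset:offset + len(body)] = body
            return SW_SUCCESS.to_bytes(2, "big")
        return (0x6D00).to_bytes(2, "big")             # INS not supported


def read_file(card, file_id: int) -> bytes:
    """Steps 211-216: select the file, then read its content."""
    check(card.transmit(select_file_apdu(file_id)))
    return check(card.transmit(read_file_apdu()))


def store_object(card, file_id: int, offset: int, length: int, payload: bytes) -> int:
    """Steps 217-222: select the data storage file and write the object into the
    slot the storage directory declared. The fit check is this example's addition:
    the described walk reads the length but never compares it with the payload."""
    if len(payload) > length:
        raise ValueError("payload (%d bytes) exceeds declared slot (%d bytes)" % (len(payload), length))
    check(card.transmit(select_file_apdu(file_id)))
    check(card.transmit(write_data_apdu(payload, offset)))
    return len(payload)


# Constructed mock content: storage directory 0x4401 holds the bytes quoted in
# step 216; data storage file 0x4300 is sized for both slots the walks declare.
SAMPLE_CARD_FILES = {
    0x4401: bytes.fromhex("A1 13 30 11 30 0B 04 02 43 00 02 01 00 80 02 00 8D 02 02 04 00"),
    0x4300: bytes(0x8D + 0x65E),
}
```

Two points the sequence makes visible: the certificate slot declared in step 316 (0x65E bytes) is larger than a single short APDU can carry, so a real client would need command chaining or extended-length APDUs for that write, and the public key slot (offset 0, length 0x8D) and certificate slot (offset 0x8D) are adjacent in the same file, so a write that ignores the declared length would overwrite the neighbouring object; `store_object` refuses such a payload before any APDU is sent.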
In summary, it should be noted that the certificate information must be written into the smart card, whereas the private key information and the public key information are written optionally; if two or more types of certificate information need to be written into the smart card, they are written one after another, but the present embodiment does not impose a strict restriction on the order in which they are written.
The embodiment of the invention provides a method for storing a certificate; through the interactive operation between the client computer and the security device, the certificate is written into a specified file of the security device, the process of writing the certificate into the security device is completed, and shared storage of the certificate is realized.
The above is merely a preferred embodiment of the present invention and is not intended to limit the present invention; any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present invention shall be included within the protection scope of the present invention.

Claims (11)

1. A method for storing a certificate, characterized in that said method comprises:
A security device and a client computer establish a connection;
Said security device receives a select application directory file instruction sent by said client computer, said select application directory file instruction carrying the file ID of said application directory file;
Said security device selects the application directory file according to the file ID of said application directory file;
Said security device receives a select object directory file instruction sent by said client computer, said select object directory file instruction carrying the file ID of said object directory file;
Said security device selects the object directory file according to the file ID of said object directory file;
Said security device receives a read object directory file content instruction sent by said client computer, and sends the content of said object directory file that was read to said client computer;
Said client computer, according to the information type of the certificate to be written to said security device, obtains from the content of said object directory file the data storage file corresponding to the information type of said certificate, and writes the information of said certificate into said data storage file.
2. The method for storing a certificate as claimed in claim 1, characterized in that the file ID of said application directory file is 0x5015.
3. The method for storing a certificate as claimed in claim 1, characterized in that the file ID of said object directory file is 0x5031.
4. The method for storing a certificate as claimed in claim 1, characterized in that the information type of said certificate comprises certificate information, and further comprises private key information and/or public key information.
5. The method for storing a certificate as claimed in claim 4, characterized in that, after said security device and the client computer establish a connection, said method further comprises:
Creating in said security device, respectively, a file for storing said private key information, a file for storing said public key information and a file for storing said certificate information;
Creating in said security device an object directory file whose file ID is 0x5031, and writing into said object directory file the content of said file for storing said private key information, the content of said file for storing said public key information and the content of said file for storing said certificate information.
6. The method for storing a certificate as claimed in claim 1, characterized in that said client computer, according to the information type of the certificate to be written to said security device, obtaining from the content of said object directory file the data storage file corresponding to the information type of said certificate specifically comprises:
Said client computer obtains the storage directory file ID corresponding to the information type of said certificate according to the content of said object directory file received;
Said security device receives a select storage directory file instruction sent by said client computer, said select storage directory file instruction carrying said storage directory file ID;
Said security device selects the storage directory file according to said storage directory file ID;
Said security device receives a read storage directory file instruction sent by said client computer, and sends the content of said storage directory file that was read to said client computer;
Said client computer obtains the data storage file ID of the information of said certificate according to the content of said storage directory file received.
7. The method for storing a certificate as claimed in claim 6, characterized in that, when the information type of said certificate is certificate information, said client computer obtaining the storage directory file ID corresponding to said certificate information according to the content of said object directory file received specifically comprises:
Said client computer searches the content of said object directory file for the A4 data, said A4 data being the identifier of certificate information;
If said A4 data is present, reading the value of the 1st byte of data after said A4 data as the first read value;
Reading a number of bytes of data equal to said first read value;
Judging whether the 1st byte of said first-read-value bytes of data is 30;
If so, reading the value of the 1st byte of data after said 30 data as the second read value; if not, terminating said method;
Reading a number of bytes of data equal to said second read value;
Judging whether the 1st byte of said second-read-value bytes of data is 04;
If so, reading the value of the 1st byte of data after said 04 data as the third read value; if not, terminating said method;
Reading a number of bytes of data equal to said third read value, and taking said third-read-value bytes of data as the storage directory file ID of said certificate information;
If said A4 data is not present, terminating said method.
8. The method for storing a certificate as claimed in claim 6, characterized in that, when the information type of said certificate is private key information, said client computer obtaining the storage directory file ID corresponding to said private key information according to the content of said object directory file received specifically comprises:
Said client computer searches the content of said object directory file for the A0 data, said A0 data being the identifier of private key information;
If said A0 data is present, reading the value of the 1st byte of data after said A0 data as the first read value;
Reading a number of bytes of data equal to said first read value;
Judging whether the 1st byte of said first-read-value bytes of data is 30;
If so, reading the value of the 1st byte of data after said 30 data as the second read value; if not, terminating said method;
Reading a number of bytes of data equal to said second read value;
Judging whether the 1st byte of said second-read-value bytes of data is 04;
If so, reading the value of the 1st byte of data after said 04 data as the third read value; if not, terminating said method;
Reading a number of bytes of data equal to said third read value, and taking said third-read-value bytes of data as the storage directory file ID of said private key information;
If said A0 data is not present, terminating said method.
9. The method for storing a certificate as claimed in claim 6, characterized in that, when the information type of said certificate is public key information, said client computer obtaining the storage directory file ID corresponding to said public key information according to the content of said object directory file received specifically comprises:
Said client computer searches the content of said object directory file for the A1 data, said A1 data being the identifier of public key information;
If said A1 data is present, reading the value of the 1st byte of data after said A1 data as the first read value;
Reading a number of bytes of data equal to said first read value;
Judging whether the 1st byte of said first-read-value bytes of data is 30;
If so, reading the value of the 1st byte of data after said 30 data as the second read value; if not, terminating said method;
Reading a number of bytes of data equal to said second read value;
Judging whether the 1st byte of said second-read-value bytes of data is 04;
If so, reading the value of the 1st byte of data after said 04 data as the third read value; if not, terminating said method;
Reading a number of bytes of data equal to said third read value, and taking said third-read-value bytes of data as the storage directory file ID of said public key information;
If said A1 data is not present, terminating said method.
10. The method for storing a certificate as claimed in claim 6, characterized in that said client computer obtaining the data storage file ID of the information of said certificate according to the content of said storage directory file received specifically comprises:
Said client computer searches the content of said storage directory file for the A1 data;
If said A1 data is present:
Reading the value of the 1st byte of data after said A1 data as the first read value;
Reading a number of bytes of data equal to said first read value;
Judging whether the 1st byte of said first-read-value bytes of data is 30;
If so, reading the value of the 1st byte of data after said 30 data as the second read value; if not, terminating said method;
Reading a number of bytes of data equal to said second read value;
Judging whether the 1st byte of said second-read-value bytes of data is 30;
If so, reading the value of the 1st byte of data after said 30 data as the third read value; if not, terminating said method;
Reading a number of bytes of data equal to said third read value;
Judging whether the 1st byte of said third-read-value bytes of data is 04;
If so, reading the value of the 1st byte of data after said 04 data as the fourth read value; if not, terminating said method;
Reading a number of bytes of data equal to said fourth read value, as the data storage file ID of the information of said certificate;
Reading the 1st byte of data after said fourth-read-value bytes of data, and judging whether it is 02;
If so, reading the value of the 1st byte of data after said 02 data as the fifth read value; if not, terminating said method;
Reading a number of bytes of data equal to said fifth read value, as the offset address of the information of said certificate within said data storage file;
Reading the 1st byte of data after said fifth-read-value bytes of data, and judging whether it is 80;
If so, reading the value of the 1st byte of data after said 80 data as the sixth read value; if not, terminating said method;
Reading a number of bytes of data equal to said sixth read value, as the length of the information of said certificate;
If said A1 data is not present, terminating said method.
11. The method for storing a certificate as claimed in claim 6, characterized in that said writing the information of said certificate into said data storage file specifically comprises:
Said security device receives a select data storage file instruction sent by said client computer, said select data storage file instruction carrying said data storage file ID;
Said security device selects the data storage file according to said data storage file ID;
Said client computer sends a write data instruction to said security device, said write data instruction carrying the information of said certificate;
Said security device writes the information of said certificate into said data storage file.
CN200910086342A 2009-05-31 2009-05-31 Method for storing certificate Active CN101674301B (en)


Publications (2)

Publication Number Publication Date
CN101674301A CN101674301A (en) 2010-03-17
CN101674301B true CN101674301B (en) 2012-09-05


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant