CN106888094B - A kind of endorsement method and server - Google Patents

A kind of endorsement method and server Download PDF

Info

Publication number
CN106888094B
CN106888094B CN201710084356.1A CN201710084356A CN106888094B CN 106888094 B CN106888094 B CN 106888094B CN 201710084356 A CN201710084356 A CN 201710084356A CN 106888094 B CN106888094 B CN 106888094B
Authority
CN
China
Prior art keywords
signature
countersignature
data packet
information
file
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710084356.1A
Other languages
Chinese (zh)
Other versions
CN106888094A (en
Inventor
邱勤
张滨
赵刚
袁捷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN201710084356.1A priority Critical patent/CN106888094B/en
Publication of CN106888094A publication Critical patent/CN106888094A/en
Application granted granted Critical
Publication of CN106888094B publication Critical patent/CN106888094B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a kind of endorsement method and server, this method may include: the signature operation request of reception user, and according to the first data packet of signature operation request;First data packet is pre-processed, the first signature original text is obtained;When allowing to carry out countersignature operation, response signature operation request carries out countersignature operation to the first signature original text by signature tool, obtains the first countersignature information;First countersignature information is added in the first data packet, the second data packet is obtained.

Description

A kind of endorsement method and server
Technical field
The present invention relates to the information security technology of mobile Internet field more particularly to a kind of endorsement methods and server.
Background technique
As the universal of mobile terminal, mobile Internet business flourish, information security is transferred to from internet The prelude for having opened mobile Internet industry development, mobile terminal are changed in mobile Internet, the subversiveness that mobile terminal causes Strong influence the life style of user, but mobile terminal to intelligence, Opening develop while, also face more next More security threats.The Android operation system of Google is an open platform, therefore, becomes mobile terminal from malicious software master The platform to be infected, but can not developer's identity to Android mobile phone Malware carry out effectively tracing to the source and then investigating its method Responsibility is restrained, causes Malware developer's WeiZhao's Notes low, is that cause Android platform mobile terminal from malicious software to spread unchecked main One of reason.
In the prior art, ensure that application is safe by trusted code signature technology, and the identity of developer is chased after It traces back, specifically, the code signature for requiring developer to issue using third party's legitimate code signature (CA, Code Signing) mechanism Digital certificate carrys out completion code signature operation, and the identity of developer has third party CA mechanism close scrutiny and verifies, it is ensured that exploitation Person's identity is genuine and believable, if necessary, can be by reading the digital signature information in application program, to confirm application development The identity of person carries out Liability Retroact to it.
However, existing Android trusted code signature technology scheme, will lead to cannot be normally smooth after storage application signature The problem of upgrading, multi-party trusted signature can not be carried out.
Summary of the invention
In order to solve the above technical problems, can make to deposit an embodiment of the present invention is intended to provide a kind of endorsement method and server Smooth upgrade and multi-party trusted signature can be carried out after amount application signature.
The embodiment of the present invention provides a kind of endorsement method, which is characterized in that the described method includes:
The signature operation request of user is received, and according to first data packet of signature operation request;
First data packet is pre-processed, the first signature original text is obtained;
When allowing to carry out countersignature operation, the signature operation request is responded, by signature tool to described first Signature original text carries out countersignature operation, obtains the first countersignature information;
The first countersignature information is added in first data packet, the second data packet is obtained.
In the above-mentioned methods, described that first data packet is pre-processed, obtain the first signature original text, comprising:
First data packet is parsed, and obtains corresponding first application file of first data packet;
Hash calculation is carried out to first application file, obtains the first signature original text.
In the above-mentioned methods, it is described obtain the first signature original text after, before response signature operation request, institute State method further include:
First data packet is parsed, and obtains the corresponding first former signature file of first data packet;
Described first former signature file is parsed, the first primary signing messages is obtained;
By carrying out the first primary signature verification according to the first signature original text and the first primary signing messages, come It determines whether to carry out the countersignature operation;
When first primary signature verification success, characterization allows to carry out the countersignature operation;
When first primary signature verification failure, characterization does not allow to carry out the countersignature operation.
In the above-mentioned methods, it is described obtain the second data packet after, the method also includes:
The countersignature checking request of user is received, and second data are obtained according to the countersignature checking request Packet;
Second data packet is parsed, and obtains corresponding second application file of second data packet and the second original Signature file;
Hash calculation is carried out to second application file, obtains the second signature original text;
Described second former signature file is parsed, the second primary signing messages is obtained;
The second primary signature verification is carried out according to the second signature original text and the second primary signing messages;
When second primary signature verification success, the countersignature checking request is responded, extracts second number It is verified according to the second countersignature information in packet, and to the second countersignature information, generates verification result.
In the above-mentioned methods, described that the first countersignature information is added in first data packet, obtain the Two data packets, comprising:
The first countersignature information is added in the non-authentication attribute set of the described first former signature file, is generated Third original signature file comprising the first countersignature information, the non-authentication attribute set are all first countersignatures The set of information;
The third original signature file is packaged, second data packet is generated.
The embodiment of the present invention provides a kind of signature server, which is characterized in that the server includes:
Program to be signed obtains module, and the signature operation for receiving user is requested, and is requested according to the signature operation Obtain the first data packet;
Signature original text generation module obtains the first signature original text for pre-processing to first data packet;
Processing module of countersigning is led to for when allowing to carry out countersignature operation, responding the signature operation request It crosses signature tool and countersignature operation is carried out to the first signature original text, obtain the first countersignature information;
Data packet generation module is obtained for the first countersignature information to be added in first data packet Second data packet.
In above-mentioned signature server, the signature server further include: data packet handing module and signature original text calculate Module;
The data packet handing module, for parsing first data packet, and it is corresponding to obtain first data packet Application file and the first former signature file;
The signature original text computing module obtains described first for carrying out Hash calculation to the application file Signature original text.
In above-mentioned signature server, the signature server further include: encrypt grammer standard (PKCS#7) text of message Part processing module;
The PKCS#7 document processing module obtains primary signature for parsing to the described first former signature file Information;
The PKCS#7 document processing module is also used to by according to the first signature original text and the primary A.L.S. Breath carries out the first primary signature verification, to determine whether allowing to carry out countersignature operation;When the described first primary signature verification When success, characterization allows to carry out countersignature operation;When first primary signature verification failure, characterization does not allow to carry out secondary Affix one's name to signature operation.
In above-mentioned signature server, the program to be signed obtains module, and the countersignature for being also used to receive user is tested Card request, and second data packet is obtained according to the countersignature checking request;
The data packet handing module is also used to parse second data packet, and it is corresponding to obtain second data packet The second application file and the second former signature file;
The signature original text computing module is also used to carry out Hash calculation to second application file, obtains the Two signature original texts;
The PKCS#7 document processing module is also used to parse the described first former signature file, obtains the second original Raw signing messages;The second primary signature is carried out according to the second signature original text and the second primary signing messages to test Card;
The countersignature processing module is also used to countersign described in response when second primary signature verification success Signature verification request extracts the first countersignature information in second data packet, and to first countersignature Information is verified, and verification result is generated.
In above-mentioned signature server, the PKSC#7 document processing module is also used to the first countersignature letter Breath is added in the non-authentication attribute set of the described first former signature file, and it is former to generate the third comprising the first countersignature information Signature file, the non-authentication attribute set are the set of all first countersignature information;
The data packet handing module is also used to for the third original signature file of encapsulation being packaged, described in generation Second data packet.
The embodiment of the invention provides a kind of endorsement method and server, this method may include: the signature for receiving user Operation requests, and according to the first data packet of signature operation request;First data packet is pre-processed, the first signature is obtained Original text;When allowing to carry out countersignature operation, response signature operation request carries out the first signature original text by signature tool Countersignature operation, obtains the first countersignature information;First countersignature information is added in the first data packet, obtains the Two data packets.Using above-mentioned technic relization scheme, since this programme can add under the premise of not influencing primary signing messages One or more countersignature information, and the first countersignature information is stored into the non-authentication category arranged side by side to authentication property set Property in, do not influence original application program packing signature process, therefore, this programme can be smooth after capable of making storage application signature Upgrade and carries out multi-party trusted signature.
Detailed description of the invention
Fig. 1 is a kind of flow chart one of endorsement method provided in an embodiment of the present invention;
Fig. 2 is a kind of flowchart 2 of endorsement method provided in an embodiment of the present invention;
Fig. 3 is a kind of storage schematic diagram of illustrative countersignature information provided in an embodiment of the present invention;
Fig. 4 is the flow chart that one kind provided in an embodiment of the present invention is illustratively countersigned;
Fig. 5 is a kind of flow chart 3 of endorsement method provided in an embodiment of the present invention;
Fig. 6 is a kind of illustrative flow chart countersignature verifying and extracted provided in an embodiment of the present invention;
Fig. 7 is a kind of structural schematic diagram one of signature server provided in an embodiment of the present invention;
Fig. 8 is a kind of structural schematic diagram two of signature server provided in an embodiment of the present invention;
Fig. 9 is a kind of structural schematic diagram three of signature server provided in an embodiment of the present invention.
Specific embodiment
Following will be combined with the drawings in the embodiments of the present invention, and technical solution in the embodiment of the present invention carries out clear, complete Site preparation description.
Embodiment one
The embodiment of the present invention provides a kind of endorsement method, as shown in Figure 1, this method may include:
S101, the signature operation request for receiving user, and according to the first data packet of signature operation request.
A kind of endorsement method provided in an embodiment of the present invention is suitable for the application program of digital signature has been carried out again Under the secondary scene for carrying out signature operation.
In the embodiment of the present invention, when user needs to carry out signature behaviour again to the application program that digital signature has been carried out When making, user sends signature operation request to signature server, carries out countersigning label to the application program come the server that asks for an autograph Name operation, at this point, signature server requests to obtain comprising the first signature original text and the first former signature text according to the signature operation First data packet of part.
In the embodiment of the present invention, in the links of application program life cycle, include the rings such as exploitation, detection and publication Section, requires to be digitally signed, and after first link of application program has carried out primary signature operation, user's request Digital signature each time all be request countersignature.
Illustratively, when the APK application detection distributed when user is split is completed, user needs to be digitally signed to recognize Card detects the person liable of APK application, at this point, user sends signature operation request to signature server.
S102, the first data packet is pre-processed, obtains the first signature original text.
After signature server gets the first data packet to be signed, signature server is extracted from the first data packet First signature original text to be signed.
In the embodiment of the present invention, it is corresponding to obtain the first data packet for the first data packet that signature server is analyzed and acquired by Then first application file carries out Hash calculation to the first application file, obtain the first signature original text to be signed.
S103, when allow to carry out countersignature operation when, response signature operation request, by signature tool to first sign Original text carries out countersignature operation, obtains the first countersignature information.
After signature server gets the first signature original text, signature server is it is first determined whether allow to be countersigned Signature operation, when being judged as allows to carry out countersignature operation, signature server is using signature tool to the first signature original text Countersignature operation is carried out, and obtains the first countersignature information.
In the embodiment of the present invention, it is corresponding to obtain the first data packet for the first data packet that signature server is analyzed and acquired by First former signature file, and the first former signature file is parsed, the first primary signing messages is obtained, it is then primary by first Signing messages carries out the first primary signature verification with the first signature original text obtained in step S102, when the first primary signature verification When success, the first application file of characterization is not maliciously tampered, at this point, allowing to carry out countersignature operation;When the first original When raw signature verification failure, characterizes application program to be signed and carried out maliciously distorting, at this point, not allowing to be countersigned Signature operation.
In the embodiment of the present invention, when signature server judgement allows to carry out countersignature operation, signature server response The signature operation of user is requested, and carries out countersignature operation to the first signature original text using signature tool.
Optionally, the signature tool in the embodiment of the present invention can be the code signature certificate etc. that third party CA mechanism is signed and issued The signature tool that can carry out countersignature operation, is specifically selected, the embodiment of the present invention, which is not done, to be had according to the actual situation Body limits.
S104, the first countersignature information is added in the first data packet, obtains the second data packet.
After signature server obtains the first countersignature information, signature server adds the first countersignature information Into the first data packet, the second data packet comprising the first countersignature information is obtained.
In the embodiment of the present invention, the first countersignature information is added to the first former the non-of signature file by signature server recognizes Demonstrate,prove in attribute set, generate the third original signature file comprising the first countersignature information, then by the second former signature file into Row is packaged, and generates the second data packet.
In the embodiment of the present invention, user can carry out repeatedly countersignature operation to same application program to be signed, obtain Multiple countersignature information determine the number for information of countersigning the embodiment of the present invention, which is not done, to be had according to the actual situation Body limits.
It is understood that in the embodiment of the present invention in application program to be signed primary signing messages can not influenced Under the premise of, one or more countersignature information is added, multi-party trusted signature is able to carry out;And signature server is by first Countersignature information is stored into the non-authentication attribute arranged side by side with authentication property set, does not influence the packing label of original application program Name process, being capable of smooth upgrade after signed again.
Embodiment two
The embodiment of the present invention provides a kind of endorsement method, as shown in Fig. 2, this method may include:
S201, signature server receive the signature operation request of user, and according to the first data of signature operation request Packet.
A kind of endorsement method provided in an embodiment of the present invention is suitable for the application program of digital signature has been carried out again Under the secondary scene for carrying out signature operation.
In the embodiment of the present invention, when user needs to carry out signature behaviour again to the application program that digital signature has been carried out When making, user sends signature operation request to signature server, carries out countersigning label to the application program come the server that asks for an autograph Name operation is requested according to the signature operation at this point, the program to be signed of signature server obtains module to obtain comprising the first label First data packet of name original text and the first former signature file.
In the embodiment of the present invention, in the links of application program life cycle, include the rings such as exploitation, detection and publication Section, requires to be digitally signed, and after first link of application program has carried out primary signature operation, user's request Digital signature each time all be request countersignature.
Illustratively, when the APK application detection distributed when user is split is completed, user needs to be digitally signed to recognize Card detects the person liable of APK application, at this point, user sends signature operation request to signature server.
S202, signature server parse the first data packet, and obtain corresponding first application file of the first data packet.
After signature server gets the first data packet, the data packet handing module of signature server will be to first Corresponding first application file of data packet carries out countersignature and operates, specifically, data packet handing module first first leads to The first data packet of parsing is crossed to obtain the first data packet correspondence and obtain the first application file.
In the embodiment of the present invention, the data packet handing module of signature server obtains the first number by the first data packet of parsing It include the first signature original text to be signed in first application file according to corresponding first application file is wrapped.
S203, signature server carry out Hash calculation to the first application file, obtain the first signature original text.
It is answered after signature server gets the first data packet corresponding first application file it is necessary to obtain first With the first signature original text in program file.
In the embodiment of the present invention, the signature original text computing module of signature server is by carrying out the first application file Hash calculation come obtain the first application file it is corresponding first signature original text.
Further, the embodiment of the present invention does not limit must obtain the first application file correspondence using hash algorithm First signature original text, specifically selected according to the actual situation, the embodiment of the present invention is not specifically limited.
S204, signature server parse the first data packet, and obtain the corresponding first former signature file of the first data packet.
After signature server gets the first signature original text, signature server will be to the legal of the first signature original text Property judged, specifically, signature server obtains the corresponding first former signature file of the first data packet first.
In the embodiment of the present invention, grammer standard (PKCS#7) document processing module of the encryption message of signature server passes through The first data packet is parsed to obtain the corresponding first former signature file of the first data packet, includes the in the first former signature file One primary signing messages.
S205, signature server parse the first former signature file, obtain the first primary signing messages.
After signature server obtains the first former signature file, PKCS#7 document processing module is to the first former signature file It is parsed, obtains the first primary signing messages.
In the embodiment of the present invention, PKCS#7 document processing module is primary to obtain first by the former signature file of parsing first Signing messages, so that signature server judges the legitimacy of the first application file.
S206, signature server are by carrying out the first primary signature according to the first signature original text and the first primary signing messages Verifying, to determine whether allowing to carry out the countersignature operation.
Signature server is by judging the first application according to the first of acquisition the signature original text and the first primary signing messages The legitimacy of program file.
In the embodiment of the present invention, PKCS#7 document processing module is according to the first signature original text and the first primary signing messages the One primary signature verification, when the first primary signature verification success, the first application file of characterization is not maliciously tampered, this When judge that the first application file is legal;When the first primary signature verification failure, the first application file of characterization is It is maliciously tampered, judges that the first application file is illegal at this time, and situation only legal in the first application file Under, it is just meaningful that countersignature operation is carried out to the first application file.
S207, when the first primary signature verification success when, characterization signature server allow to carry out countersignature operation.
When the first primary signature verification success, characterization allows to carry out countersignature operation.
In the embodiment of the present invention, when the first application file is not maliciously tampered, characterization allows to carry out to countersign label Name operation.
S208, when allow to carry out countersignature operation when, signature server respond signature operation request, the signature server Countersignature operation is carried out to the first signature original text by signature tool, obtains the first countersignature information.
When signature server judgement allows to carry out countersignature operation, the countersignature module of signature server is to first Signature original text carries out countersignature operation, obtains the first countersignature information.
In the embodiment of the present invention, when signature server judgement allows to carry out countersignature operation, signature server response The signature operation of user is requested, and carries out countersignature operation to the first signature original text using signature tool.
Optionally, the signature tool in the embodiment of the present invention can be the code signature certificate etc. that third party CA mechanism is signed and issued The signature tool that can carry out countersignature operation, is specifically selected, the embodiment of the present invention, which is not done, to be had according to the actual situation Body limits.
First countersignature information is added to the non-authentication attribute set of the first former signature file by S209, signature server In, the third original signature file comprising the first countersignature information is generated, non-authentication attribute set is all first countersignatures The set of information.
After signature server gets the first countersignature information, the first countersignature information is added to the first former label In the non-authentication attribute set of name file.
In the embodiment of the present invention, the first countersignature information is added to by the PKCS#7 document processing module of signature server In the non-authentication attribute set of first former signature file, the third original signature file comprising the first countersignature information is generated.
Third original signature file is packaged by S210, signature server, generates the second data packet.
After signature server is to third original signature file is got, third original signature file is packed into the first data Bao Zhong generates the second data packet.
In the embodiment of the present invention, third original signature file is added to the first number by the data packet handing module of signature server According to the second data packet in packet, is obtained, at this point, completing the process countersigned to the first data packet to be signed.
In the embodiment of the present invention, user can carry out repeatedly countersignature operation to same application program to be signed, obtain Multiple countersignature information determine the number for information of countersigning the embodiment of the present invention, which is not done, to be had according to the actual situation Body limits.
S211, when the first primary signature verification failure when, characterization signature server do not allow to carry out countersignature operation.
When the first primary signature verification failure, the first application file of characterization has been maliciously tampered, at this point, not permitting Permitted to carry out countersignature operation.
Illustratively, as shown in figure 3, the signature operation carried out to application program follows PKCS#7 Standard signatures structure, one It include altogether directory information, digital certificate and these three parts of all information of signer, wherein the signing certificate of developer is stored in In digital certificate, the signing certificate of countersignature person certificate and developer in the embodiment of the present invention is stored together to digital certificate In, the signing messages of developer is stored in the signer information of all information of signer, is added under signer information non- Authentication property set, the countersignature information in the embodiment of the present invention are stored under non-authentication attribute set, thereby realize The storage mode of the countersignature relevant information of the embodiment of the present invention.
Illustratively, as shown in figure 4, the process countersigned of signature server is as follows:
1, program to be signed obtains module and receives the request countersigned to APK packet that user sends, and acquisition to The APK packet countersigned.
2, data packet handing module parses APK packet, obtains the application file in APK packet.
3, signature original text computing module carries out Hash calculation to application file, obtains signature original text.
4, PKCS#7 document processing module parses signature file, obtains primary signing messages.
5, PKCS#7 document processing module is carried out according to signature original text and primary signing messages to verify primary signing messages Legitimacy.
6, when primary signing messages is legal, the code signature issued using third party CA mechanism of countersignature processing module Certificate carries out countersignature operation to signature original text, and returns to signature value.
7, PKCS#7 document processing module is packaged signature value, generates the signature file comprising countersignature information.
8, data packet handing module is packaged signature file, forms new APK packet, completes countersignature operation.
9, when primary signing messages is illegal, PKCS#7 document processing module returns to countersignature failure information to data Packet handing module.
It is understood that in the embodiment of the present invention in application program to be signed primary signing messages can not influenced Under the premise of, one or more countersignature information is added, multi-party trusted signature is able to carry out;And signature server is by first Countersignature information is stored into the non-authentication attribute arranged side by side with authentication property set, does not influence the packing label of original application program Name process, being capable of smooth upgrade after signed again.
Further, after step S211, the embodiment of the invention also includes countersignature information verifying extracting method, As shown in figure 5, this method may include:
S212, signature server receive the countersignature checking request of user, and are obtained according to countersignature checking request Second data packet.
After signature server gets the second data packet comprising countersignature information, signature server can be carried out The verifying and extraction for information of countersigning, firstly, signature server receives the countersignature checking request of user, and according to countersigning Signature verification request obtains the second data packet.
In the embodiment of the present invention, when user needs to confirm the signer information of each link of application program, user is to label Name server sends countersignature checking request, and signature server program to be signed obtains module and receives countersigning for user's transmission After signature verification request, the second data packet is obtained.
S213, signature server parse the second data packet, and obtain corresponding second application file of the second data packet With the second former signature file.
After signature server gets the second data packet, signature server needs to judge the first application file Legitimacy, firstly, signature server obtains corresponding second application file of the second data packet and the second former signature file.
In the embodiment of the present invention, the data packet handing module of signature server obtains second by the second data packet of parsing Corresponding second application file of data packet and the second former signature file.
In the embodiment of the present invention, the second application file can be identical with the first application file, the second former signature File can be identical with the first former signature file, is specifically judged according to the actual situation, the embodiment of the present invention is not done specifically It limits.
S214, signature server carry out Hash calculation to the second application file, obtain the second signature original text.
After signature server gets the second application file, the signature original text computing module pair of signature server Second application file carries out Hash calculation, obtains the second signature original text.
Optionally, the embodiment of the present invention does not limit must obtain the second signature original text, specific root using hash algorithm It is selected according to actual conditions, the embodiment of the present invention is not specifically limited.
S215, signature server parse the second former signature file, obtain the second primary signing messages.
After signature server gets the second former signature file, the PKCS#7 document processing module pair of signature server Second former signature file is parsed, and the second primary signing messages is obtained.
S216, signature server carry out the second primary signature according to the second signature original text and the second primary signing messages and test Card.
Signature server carries out the second primary signature according to the second signature original text and the second primary signing messages that get Verifying, to judge the legitimacy of the second application file.
In the embodiment of the present invention, the PKCS#7 document processing module of signature server is former according to the second signature original text and second Raw signing messages carries out the second primary signature verification, when the second primary signature verification success, characterizes the second application file It is not maliciously tampered, at this point, verifying and extraction that PKCS#7 document processing module allows to countersign;When second primary Signature verification fail when, characterization the second application file be maliciously tampered, at this point, PKCS#7 document processing module do not allow into The verifying and extraction operation of row countersignature.
S217, when the second primary signature verification success when, signature server response countersignature checking request, Digital signature service Device extracts the second countersignature information in the second data packet, and verifies to the second countersignature information, generates verifying knot Fruit.
When the second primary signature verification success, signature server responds signature verification request, completes testing for countersignature Card and extraction operation.
In the embodiment of the present invention, the countersignature module of signature server can be extracted from the second countersignature information to be referred to Fixed countersignature information can also extract the second whole countersignature information, specifically be selected according to the actual situation, The embodiment of the present invention does not do specific restriction.
In the embodiment of the present invention, when the second primary signature verification success, the countersignature module of signature server is from the The second countersignature information is extracted in three former signature files, and the second countersignature information is verified, most rear line Return to the verification result and signer information of countersignature.
Illustratively, as shown in fig. 6, signature server carry out countersignature information verifying and extraction process it is as follows:
1, what program acquisition module reception user to be signed sent carries out countersignature verifying and signer information to APK packet The request of extraction, and obtain pending APK packet countersignature verifying and extracted.
2, data packet handing module parses APK packet, and be applied program file.
3, signature original text computing module carries out Hash calculation to application file, obtains signature original text.
4, PKCS#7 document processing module parses signature file, obtains primary signing messages.
5, PKCS#7 document processing module is by verifying primary signing messages according to signature original text and primary signing messages Legitimacy.
6, when primary signing messages is legal, countersignature processing module extracts countersignature information, and to countersignature Information is verified.
7, countersignature processing module returns to countersignature verification result and signer information to user, completes countersignature The extraction of information and verification operation.
8, when primary signing messages is illegal, PKCS#7 document processing module returns to the instruction of signature verification failure.
It is understood that demonstrate primary signing messages it is legal in the case where, to countersignature information verify And extraction, can in more accurate locking applications each link person liable.
Embodiment three
The embodiment of the present invention provides a kind of signature server 1, as shown in fig. 7, the signature server 1 may include:
Program to be signed obtains module 10, and the signature operation for receiving user is requested, and is asked according to the signature operation It asks and obtains the first data packet.
Signature original text generation module 11 obtains the first signature original text for pre-processing to first data packet.
Countersignature processing module 12, for when allowing to carry out countersignature operation, responding the signature operation request, Countersignature operation is carried out to the first signature original text by signature tool, obtains the first countersignature information.
Data packet generation module 13 is obtained for the first countersignature information to be added in first data packet To the second data packet.
Optionally, based on Fig. 7 as shown in figure 8, the signature server 1 further include: data packet handing module 14 and signature Original text computing module 15.
The data packet handing module 14, for parsing first data packet, and it is corresponding to obtain first data packet Application file and the first former signature file.
The signature original text computing module 15 obtains described for carrying out Hash calculation to the application file One signature original text.
Optionally, based on Fig. 8 as shown in figure 9, the signature server 1 further include: encrypt the grammer standard of message (PKCS#7) document processing module 16.
The PKCS#7 document processing module 16 obtains primary label for parsing to the described first former signature file Name information.
The PKCS#7 document processing module 16 is also used to by according to the first signature original text and the primary signature Information carries out the first primary signature verification, to determine whether allowing to carry out countersignature operation;When the described first primary signature is tested When demonstrate,proving successfully, characterization allows to carry out countersignature operation;When first primary signature verification failure, characterization does not allow to carry out Countersignature operation.
Optionally, the program to be signed obtains module 10, is also used to receive the countersignature checking request of user, and root Second data packet is obtained according to the countersignature checking request.
The data packet handing module 14 is also used to parse second data packet, and obtains second data packet pair The second application file answered and the second former signature file.
The signature original text computing module 15 is also used to carry out Hash calculation to second application file, obtain Second signature original text.
The PKCS#7 document processing module 16 is also used to parse the described second former signature file, obtains second Primary signing messages;The second primary signature verification is carried out according to the second signature original text and the second primary signing messages.
The countersignature processing module 12 is also used to respond the pair when second primary signature verification success Signature verification request is affixed one's name to, extracts the second countersignature information in second data packet, and believe first countersignature Breath is verified, and verification result is generated.
Optionally, the PKSC#7 document processing module 16 is also used to the first countersignature information being added to institute In the non-authentication attribute set for stating the first former signature file, the third original signature file comprising the first countersignature information is generated, The non-authentication attribute set is the set of all first countersignature information.
The data packet handing module 14 is also used to for the third original signature file being packaged, and generates described second Data packet.
It should be understood by those skilled in the art that, the embodiment of the present invention can provide as method, system or computer program Product.Therefore, the shape of hardware embodiment, software implementation or embodiment combining software and hardware aspects can be used in the present invention Formula.Moreover, the present invention, which can be used, can use storage in the computer that one or more wherein includes computer usable program code The form for the computer program product implemented on medium (including but not limited to magnetic disk storage and optical memory etc.).
The present invention be referring to according to the method for the embodiment of the present invention, the process of equipment (system) and computer program product Figure and/or block diagram describe.It should be understood that every one stream in flowchart and/or the block diagram can be realized by computer program instructions The combination of process and/or box in journey and/or box and flowchart and/or the block diagram.It can provide these computer programs Instruct the processor of general purpose computer, special purpose computer, Embedded Processor or other programmable data processing devices to produce A raw machine, so that being generated by the instruction that computer or the processor of other programmable data processing devices execute for real The device for the function of being specified in present one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions, which may also be stored in, is able to guide computer or other programmable data processing devices with spy Determine in the computer-readable memory that mode works, so that it includes referring to that instruction stored in the computer readable memory, which generates, Enable the manufacture of device, the command device realize in one box of one or more flows of the flowchart and/or block diagram or The function of being specified in multiple boxes.
These computer program instructions also can be loaded onto a computer or other programmable data processing device, so that counting Series of operation steps are executed on calculation machine or other programmable devices to generate computer implemented processing, thus in computer or The instruction executed on other programmable devices is provided for realizing in one or more flows of the flowchart and/or block diagram one The step of function of being specified in a box or multiple boxes.
The foregoing is only a preferred embodiment of the present invention, is not intended to limit the scope of the present invention.

Claims (8)

1. a kind of endorsement method, which is characterized in that the described method includes:
The signature operation request of user is received, and according to first data packet of signature operation request;
First data packet is pre-processed, the first signature original text is obtained;
When allowing to carry out countersignature operation, the signature operation request is responded, by signature tool to first signature Original text carries out countersignature operation, obtains the first countersignature information;
The first countersignature information is added in the non-authentication attribute set of the first former signature file, generating includes first The third original signature file for information of countersigning, the non-authentication attribute set are the collection of all first countersignature information It closes;
The third original signature file is packaged, the second data packet is obtained.
2. being obtained the method according to claim 1, wherein described pre-process first data packet First signature original text, comprising:
First data packet is parsed, and obtains corresponding first application file of first data packet;
Hash calculation is carried out to first application file, obtains the first signature original text.
3. according to the method described in claim 2, it is characterized in that, it is described obtain the first signature original text after, the response institute Before stating signature operation request, the method also includes:
First data packet is parsed, and obtains the corresponding first former signature file of first data packet;
Described first former signature file is parsed, the first primary signing messages is obtained;
By carrying out the first primary signature verification according to the first signature original text and the first primary signing messages, to judge Whether allow to carry out the countersignature operation;
When first primary signature verification success, characterization allows to carry out the countersignature operation;
When first primary signature verification failure, characterization does not allow to carry out the countersignature operation.
4. the method according to claim 1, wherein it is described obtain the second data packet after, the method is also wrapped It includes:
The countersignature checking request of user is received, and second data packet is obtained according to the countersignature checking request;
Second data packet is parsed, and obtains corresponding second application file of second data packet and the second former signature File;
Hash calculation is carried out to second application file, obtains the second signature original text;
Described second former signature file is parsed, the second primary signing messages is obtained;
The second primary signature verification is carried out according to the second signature original text and the second primary signing messages;
When second primary signature verification success, the countersignature checking request is responded, extracts second data packet In second countersignature information, and to it is described second countersignature information verify, generate verification result.
5. a kind of signature server, which is characterized in that the server includes:
Program to be signed obtains module, and the signature operation for receiving user is requested, and according to the signature operation request First data packet;
Signature original text generation module obtains the first signature original text for pre-processing to first data packet;
Processing module of countersigning passes through label for when allowing to carry out countersignature operation, responding the signature operation request Name tool carries out countersignature operation to the first signature original text, obtains the first countersignature information;
Data packet generation module obtains second for the first countersignature information to be added in first data packet Data packet;
The grammer standard PKCS#7 document processing module for encrypting message, for the first countersignature information to be added to first In the non-authentication attribute set of former signature file, the third original signature file comprising the first countersignature information is generated, it is described non- Authentication property set is the set of all first countersignature information;
Data packet handing module obtains second data packet for the third original signature file to be packaged.
6. a kind of signature server, which is characterized in that the signature server includes:
Program to be signed obtains module, and the signature operation for receiving user is requested, and according to the signature operation request First data packet;
Data packet handing module for parsing first data packet, and obtains the corresponding application program of first data packet File and the first former signature file;
Signature original text computing module obtains the first signature original text for carrying out Hash calculation to the application file;
Processing module of countersigning passes through label for when allowing to carry out countersignature operation, responding the signature operation request Name tool carries out countersignature operation to the first signature original text, obtains the first countersignature information;
Data packet generation module obtains second for the first countersignature information to be added in first data packet Data packet;
The grammer standard PKCS#7 document processing module for encrypting message, for the first countersignature information to be added to first In the non-authentication attribute set of former signature file, the third original signature file comprising the first countersignature information is generated, it is described non- Authentication property set is the set of all first countersignature information;
The data packet handing module is also used to for the third original signature file being packaged, obtains second data packet.
7. signature server according to claim 6, which is characterized in that
The PKCS#7 document processing module is also used to parse the described first former signature file, obtains primary A.L.S. Breath;
The PKCS#7 document processing module, be also used to by according to it is described first signature original text and the primary signing messages into The primary signature verification of row first, to determine whether allowing to carry out countersignature operation;When the described first primary signature verification success When, characterization allows to carry out countersignature operation;When first primary signature verification failure, characterization does not allow to carry out to countersign label Name operation.
8. signature server according to claim 6, which is characterized in that
The program to be signed obtains module, is also used to receive the countersignature checking request of user, and countersign label according to described Name checking request obtains second data packet;
The data packet handing module is also used to parse second data packet, and obtains second data packet corresponding Two application files and the second former signature file;
The signature original text computing module is also used to carry out Hash calculation to second application file, obtains the second label Name original text;
The PKCS#7 document processing module is also used to parse the described second former signature file, obtains the second primary label Name information;The second primary signature verification is carried out according to the second signature original text and the second primary signing messages;
The countersignature processing module is also used to respond the countersignature when second primary signature verification success Checking request is extracted the second countersignature information in second data packet, and is carried out to the first countersignature information Verifying generates verification result.
CN201710084356.1A 2017-02-16 2017-02-16 A kind of endorsement method and server Active CN106888094B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710084356.1A CN106888094B (en) 2017-02-16 2017-02-16 A kind of endorsement method and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710084356.1A CN106888094B (en) 2017-02-16 2017-02-16 A kind of endorsement method and server

Publications (2)

Publication Number Publication Date
CN106888094A CN106888094A (en) 2017-06-23
CN106888094B true CN106888094B (en) 2019-06-14

Family

ID=59178782

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710084356.1A Active CN106888094B (en) 2017-02-16 2017-02-16 A kind of endorsement method and server

Country Status (1)

Country Link
CN (1) CN106888094B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107911222B (en) * 2017-11-21 2020-08-28 沃通电子认证服务有限公司 Digital signature generating method, digital signature verifying method, digital signature generating apparatus, digital signature verifying apparatus, and storage medium storing digital signature verifying program
CN113094659B (en) * 2021-03-17 2022-10-21 青岛海尔科技有限公司 Method, device, platform equipment and system for publishing application file
CN112989435A (en) * 2021-03-26 2021-06-18 武汉深之度科技有限公司 Digital signature method and computing device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105320900A (en) * 2014-07-24 2016-02-10 方正国际软件(北京)有限公司 PDF digital signature method and system and PDF digital signature verification method and system
CN105873030A (en) * 2015-01-22 2016-08-17 卓望数码技术(深圳)有限公司 Method for performing countersigning on an application of terminal
CN106209379A (en) * 2016-07-04 2016-12-07 江苏先安科技有限公司 A kind of Android APK countersignature verification method

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105320900A (en) * 2014-07-24 2016-02-10 方正国际软件(北京)有限公司 PDF digital signature method and system and PDF digital signature verification method and system
CN105873030A (en) * 2015-01-22 2016-08-17 卓望数码技术(深圳)有限公司 Method for performing countersigning on an application of terminal
CN106209379A (en) * 2016-07-04 2016-12-07 江苏先安科技有限公司 A kind of Android APK countersignature verification method

Also Published As

Publication number Publication date
CN106888094A (en) 2017-06-23

Similar Documents

Publication Publication Date Title
CN107463806B (en) Signature and signature verification method for Android application program installation package
CN104156638B (en) A kind of implementation method of extension signature towards Android system software
CN104426658B (en) The method and device of authentication is carried out to the application on mobile terminal
CN112507328B (en) File signature method, computing device and storage medium
CN106055936B (en) Executable program data packet encrypting/decrypting method and device
US10148440B2 (en) Binary code authentication
CN109960903A (en) A kind of method, apparatus, electronic equipment and storage medium that application is reinforced
CN108259479B (en) Business data processing method, client and computer readable storage medium
CN107301343A (en) Secure data processing method, device and electronic equipment
CN108496323B (en) Certificate importing method and terminal
CN106888094B (en) A kind of endorsement method and server
CN109586920A (en) A kind of trust authentication method and device
CN109634615A (en) Dissemination method, verification method and the device of application installation package
CN110830257B (en) File signature method and device, electronic equipment and readable storage medium
CN106330817A (en) Webpage access method, device and terminal
CN104123488A (en) Method and device for verifying application program
CN106709281B (en) Patch granting and acquisition methods, device
CN105873044B (en) application program publishing method based on android platform, developer tracing method and device
CN115952560A (en) Method, system, equipment and medium for verifying authenticity of electronic archive file based on original handwriting signature
CN111045722A (en) Intelligent contract packaging method, device, system, computer equipment and storage medium
CN109670289A (en) A kind of method and system identifying background server legitimacy
CN110602051B (en) Information processing method based on consensus protocol and related device
CN111222181B (en) AI model supervision method, system, server and storage medium
Ma et al. Finding flaws from password authentication code in android apps
CN115550060B (en) Trusted certificate verification method, device, equipment and medium based on block chain

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant