Embodiment
In order to make the technical scheme and advantages of the application clearer, exemplary embodiments of the application are described in more detail below with reference to the accompanying drawings. It is clear that the described embodiments are only some of the embodiments of the application and not an exhaustive list of all of them. Where no conflict arises, the embodiments of the application and the features in those embodiments may be combined with each other.
In addition, although the terms first, second, third and so on may be used in embodiments of the present invention to describe the various digital certificates, CRLs, transmitting terminals, check results, certificate acquisition requests and certificate verification requests, these digital certificates, CRLs, transmitting terminals, check results, certificate acquisition requests and certificate verification requests should not be limited by these terms. The terms are used only to distinguish one digital certificate, CRL, transmitting terminal, check result, certificate acquisition request or certificate verification request from another.
Fig. 1 is a schematic diagram of the implementation environment of the digital certificate updating method and the digital signature verification method provided in an embodiment of the present invention. The implementation environment includes a transmitting terminal 101, a CA 102 and a receiving terminal 103. The receiving terminal 103 includes a digital authenticating device 1031 provided in an embodiment of the present invention, and the digital authenticating device 1031 includes an administrative unit 10311 and a verification unit 10312.
The administrative unit 10311 can apply the digital certificate updating method provided in an embodiment of the present invention: with a predetermined period, it verifies the validity of the stored digital certificates; if a digital certificate has failed, it obtains a valid digital certificate and updates the failed digital certificate to the valid digital certificate.
The verification unit 10312 can apply the digital signature verification method provided in an embodiment of the present invention: based on the digital certificates periodically updated by the administrative unit 10311, it verifies the digital signatures it receives.
Specifically, the verification unit 10312 obtains a digital signature; among the cached digital certificates, it determines whether there is a digital certificate corresponding to the digital signature; if there is a corresponding digital certificate, it pre-checks the digital signature according to that digital certificate to obtain a second check result; and according to the second check result, it checks the digital signature. The digital certificates cached by the verification unit 10312 are obtained in advance from the administrative unit 10311 and are the digital certificates that the administrative unit 10311 updates with the predetermined period.
With reference to the implementation environment above, the present embodiment provides a method of updating a digital certificate. Referring to Fig. 3, the method flow provided by the present embodiment is as follows:
301: The receiving terminal receives a second digital certificate sent by a second transmitting terminal, and stores the second digital certificate;
When the transmitting terminal 101 exchanges information with the receiving terminal 103, it is necessary to ensure the safety of the information in the exchange by means of digital signatures. Therefore, before the transmitting terminal 101 exchanges information with the receiving terminal 103, the transmitting terminal 101 can send its own digital certificate to the receiving terminal 103, so that the receiving terminal 103 can verify, according to that digital certificate, whether the information sent by the transmitting terminal 101 is safe.
Because the digital certificates of different transmitting terminals 101 differ, if the receiving terminal 103 has information exchange relationships with multiple transmitting terminals 101, it may receive the digital certificates sent by the multiple transmitting terminals 101.
Based on the above, the administrative unit 10311 in the receiving terminal receives the second digital certificate sent by the second transmitting terminal, and stores the second digital certificate.
Take the implementation scene shown in Fig. 2 as an example. It includes an Alipay server 201 (equivalent to the transmitting terminal 101 in Fig. 1), a CA 202 and the client 203 of user A (equivalent to the receiving terminal 103 in Fig. 1). If user A pays with Alipay in the client 203 for the first time, the client 203 does not yet hold the digital certificate of the Alipay server 201. To ensure the safety of the transaction, the Alipay server 201 sends its own digital certificate to the client 203. The client 203 receives the digital certificate sent by the Alipay server 201 and stores it.
After user A has paid with Alipay for the first time, as user A's reputation on Taobao accumulates and reaches a preset standard, user A wants to pay through Ant Flower. At this point the client 203 does not hold the digital certificate of the Ant Flower server. To ensure the safety of the transaction, the Ant Flower server sends its own digital certificate to the client 203. The client 203 receives the digital certificate sent by the Ant Flower server and stores it.
In summary, this step is performed only before the first interaction between the transmitting terminal 101 and the receiving terminal 103. After this step has been performed once, the transmitting terminal 101 may perform it again when it interacts for the first time with another receiving terminal (a receiving terminal other than the receiving terminal 103). The present embodiment does not limit the specific execution time or the number of executions of this step.
302: The receiving terminal verifies the validity of the stored first digital certificates with a predetermined period;
The first digital certificate is any stored digital certificate: the second digital certificate received in step 301, another digital certificate received in a subsequent process, an updated digital certificate that was obtained, or a digital certificate obtained through the man-machine interface. As long as a digital certificate is stored in the storage device of the managing device when this step is performed, it is treated as a first digital certificate.
Specifically, when the predetermined period is reached, the administrative unit 10311 in the receiving terminal 103 obtains all the stored first digital certificates, reads each first digital certificate in turn by polling, and verifies the validity of the first digital certificate that was read.
The validity of the first digital certificate that was read can be verified by the following three steps.
Step 1: Determine the validity period of the first digital certificate and the current date;
Step 2: Judge the relation between the validity period of the first digital certificate and the current date: if the validity period of the first digital certificate ends before the current date, determine that the first digital certificate has failed; if the validity period of the first digital certificate is not before the current date, perform step 3;
Step 3: Verify the validity of the first digital certificate according to a first CRL.
The first CRL is obtained in advance from the CA. Specifically, if the first CRL includes the first digital certificate, determine that the first digital certificate has failed; if the first CRL does not include the first digital certificate, determine that the first digital certificate is valid.
After step 302 is performed, if the first digital certificate has failed, perform step 303; if the first digital certificate is valid, select the next first digital certificate and verify its validity, until all first digital certificates have been verified.
Still taking the example shown in Fig. 2, the client 203 verifies the validity of the stored first digital certificates with the predetermined period. Suppose that when the current period is reached the client stores three digital certificates: digital certificate 1, digital certificate 2 and digital certificate 3. Digital certificate 1 is read first; its validity period is determined to be 2016-2-22 and the current date to be 2016-1-27. For digital certificate 1 the validity period ends after the current date, so if the CRL obtained in advance from the CA does not include digital certificate 1, digital certificate 1 is determined to be valid, and digital certificate 2 is read next. If the validity period of digital certificate 2 is 2016-1-27, then for digital certificate 2 the validity period is the same as the current date; now, if the CRL obtained in advance from the CA includes digital certificate 2, digital certificate 2 is determined to have failed and the subsequent step is performed. After the subsequent step is completed, digital certificate 3 is read; if the validity period of digital certificate 3 is 2016-1-22, then for digital certificate 3 the validity period ends before the current date, so digital certificate 3 is determined to have failed and the subsequent step is performed. After the subsequent step is completed, all digital certificates in the client 203 are determined to have been verified.
303: The receiving terminal obtains a valid first digital certificate, and updates the first digital certificate to the valid first digital certificate;
Specifically, the administrative unit 10311 in the receiving terminal 103 obtains a valid first digital certificate and updates the first digital certificate to the valid first digital certificate.
The method of obtaining the valid first digital certificate includes, but is not limited to: determining the first transmitting terminal of the first digital certificate and requesting the valid first digital certificate from the first transmitting terminal; or obtaining, from the man-machine interface, a valid first digital certificate uploaded by the user.
Still taking Fig. 2 as an example, if the client 203 determines in step 302 that digital certificate 2 has failed, and digital certificate 2 was stored together with corresponding attribute information that describes the transmitting terminal of digital certificate 2, then the client 203 can determine the transmitting terminal of digital certificate 2 from the content of that attribute information and request a valid digital certificate 2 from that transmitting terminal.
Besides the above, if user A obtains a valid digital certificate 2 in another way, such as by purchase, user A can upload the valid digital certificate 2 through the man-machine interface, and the client then obtains the valid digital certificate 2 from the man-machine interface.
The digital authenticating device 1031 includes the administrative unit 10311 and the verification unit 10312, and the verification unit 10312 needs to check digital signatures using the digital certificates that the administrative unit 10311 updates regularly. Therefore, after performing step 303, the administrative unit 10311 can also send the updated digital certificate to the verification unit 10312, so that the verification unit 10312 updates its digital certificate and checks digital signatures according to the updated digital certificate.
The administrative unit 10311 in the receiving terminal 103 performs steps 301 to 303 periodically, to ensure that the digital certificates stored by the administrative unit 10311 are renewed on schedule.
Moreover, the periodic execution of steps 301 to 303 by the administrative unit 10311 is triggered by the administrative unit 10311 itself and is not disturbed by triggers from other units. That is, regardless of whether other units trigger the administrative unit 10311 to update its stored digital certificates, the administrative unit 10311 performs steps 301 to 303 periodically.
Beneficial effect:
The administrative unit verifies the stored digital certificates with a predetermined period; when a digital certificate fails, it obtains a valid digital certificate and updates the digital certificate to the valid one. Thus a digital certificate is verified once per predetermined period, rather than once for every digital signature to be checked. This avoids the waste of resources caused by the verification unit verifying the certificate every time it obtains a digital signature to be checked, and also reduces the time the verification unit subsequently spends verifying a digital signature with the latest digital certificate obtained by the application.
When the verification unit 10312 of the digital authenticating device 1031 receives information carrying a digital signature, this triggers the verification unit 10312 to verify the digital signature according to the digital certificates periodically verified by the administrative unit 10311. With reference to the implementation environment above, the present embodiment provides a method, illustrated in Fig. 4, of verifying a digital signature using the updated digital certificates.
Referring to Fig. 4, the method flow provided by the present embodiment is as follows:
401: The receiving terminal obtains a digital signature and determines, among the cached sixth digital certificates, whether there is a seventh digital certificate corresponding to the digital signature; if there is a seventh digital certificate, steps 402 and 403 are performed; if there is no seventh digital certificate, step 404 is performed;
After the verification unit 10312 of the receiving terminal 103 obtains the digital signature, it determines, among all the digital certificates cached by the receiving terminal 103, whether there is a digital certificate corresponding to the digital signature.
The sixth digital certificates are obtained by the verification unit 10312 from the administrative unit 10311 in advance; the administrative unit 10311 verifies the validity of the stored digital certificates with the predetermined period and, when a digital certificate fails, obtains a valid digital certificate and updates the digital certificate to the valid one.
Taking Fig. 2 as an example, if user A pays with Alipay a second time after having paid with Alipay in the client 203 for the first time, then after the client 203 obtains the digital signature 1 sent by the Alipay server 201, it determines, among all the cached digital certificates (digital certificate 1, digital certificate 2 and digital certificate 3), whether there is a digital certificate corresponding to the digital signature 1.
402: The receiving terminal pre-checks the digital signature according to the seventh digital certificate, and obtains a second check result;
Specifically, the verification unit 10312 of the receiving terminal 103 pre-checks the digital signature according to the seventh digital certificate and obtains the second check result.
This step can use an existing digital signature verification method, which is not described in detail in the present embodiment.
Still taking Fig. 2 as an example, if, among the three digital certificates cached for user A, digital certificate 1 corresponds to the digital signature 1, then the digital signature is pre-checked according to digital certificate 1 to obtain the second check result, where the second check result is either valid or invalid.
403: The receiving terminal checks the digital signature according to the second check result.
Specifically, if the second check result is valid, the verification unit 10312 of the receiving terminal 103 determines that the digital signature is valid; if the second check result is invalid, steps 4031 to 4034 are performed.
Still taking Fig. 2 as an example, if the check result obtained by pre-checking the digital signature according to digital certificate 1 is valid, this shows that the digital signature was not tampered with in transmission and is safe and reliable, and the payment activity can continue with this digital signature. Otherwise, the check result obtained by pre-checking the digital signature according to digital certificate 1 is invalid.
It should be noted that there are two situations that can lead the verification unit 10312 of the receiving terminal 103 to conclude that the second check result is invalid:
The first situation: the digital signature was tampered with while being transmitted from the transmitting terminal 101 to the receiving terminal 103, so the digital signature is unsafe;
The second situation: the seventh digital certificate used in the receiving terminal 103 to verify the digital signature is wrong; verifying the digital signature with a wrong digital certificate fails regardless of whether the digital signature is safe.
There are two possible reasons why the seventh digital certificate in the receiving terminal 103 is wrong:
The first possibility: the seventh digital certificate stored by the administrative unit 10311 of the receiving terminal 103 is wrong; because the digital certificates used by the verification unit 10312 are obtained from the administrative unit 10311, the seventh digital certificate in the verification unit 10312 is also wrong;
The second possibility: the seventh digital certificate stored by the administrative unit 10311 of the receiving terminal 103 has been updated (that is, the seventh digital certificate stored by the administrative unit 10311 is correct), but it takes some time for the verification unit 10312 to obtain the updated seventh digital certificate from the administrative unit 10311, and the pre-check of the digital signature happens to occur within that time; the seventh digital certificate held by the verification unit 10312 is therefore the seventh digital certificate that has not yet been updated, i.e. the wrong seventh digital certificate.
In the case where the verification unit 10312 of the receiving terminal 103 obtains an invalid second check result, since there are several possible causes, steps 4031 to 4034 continue to be performed in order to determine the specific cause and to avoid treating a safe digital signature as failed merely because it was verified with a wrong seventh digital certificate. This improves the verification accuracy of the scheme provided by the present embodiment.
4031: The verification unit of the receiving terminal sends a second certificate verification request to the administrative unit;
The second certificate verification request carries the seventh digital certificate, so that the administrative unit verifies the validity of the seventh digital certificate and returns a third check result.
4032: The administrative unit of the receiving terminal receives a first certificate verification request;
The first certificate verification request is sent by a verification unit and carries a fourth digital certificate.
The digital authenticating device 1031 can include multiple verification units 10312, so the first certificate verification request received by the administrative unit 10311 can be the second certificate verification request sent by the verification unit 10312 in step 4031, or another certificate verification request sent by another verification unit in the digital authenticating device 1031. That is, the first certificate verification request in step 4032 may or may not be the same as the second certificate verification request in step 4031. If the first certificate verification request in step 4032 is the same as the second certificate verification request in step 4031, the fourth digital certificate carried by the first certificate verification request is the seventh digital certificate carried by the second certificate verification request in step 4031. If the first certificate verification request in step 4032 differs from the second certificate verification request in step 4031, the fourth digital certificate carried by the first certificate verification request is another digital certificate rather than the seventh digital certificate. Therefore the fourth digital certificate may or may not be the same as the seventh digital certificate.
4033: The administrative unit of the receiving terminal verifies the validity of the fourth digital certificate, obtains a first check result, and returns the first check result to the verification unit;
The validity of the fourth digital certificate can be verified by the following three steps.
Step 1: Determine the validity period of the fourth digital certificate and the current date;
Step 2: Judge the relation between the validity period of the fourth digital certificate and the current date: if the validity period of the fourth digital certificate ends before the current date, determine that the fourth digital certificate has failed; if the validity period of the fourth digital certificate is not before the current date, perform step 3;
Step 3: Verify the validity of the fourth digital certificate according to a second CRL.
The second CRL is obtained in advance from the CA. Specifically, if the second CRL includes the fourth digital certificate, determine that the fourth digital certificate has failed; if the second CRL does not include the fourth digital certificate, determine that the fourth digital certificate is valid.
In addition, to improve verification efficiency, after the administrative unit 10311 receives the first certificate verification request sent by the verification unit 10312 in step 4032, it can first determine, among all the first digital certificates, whether there is a digital certificate corresponding to the fourth digital certificate carried in the first certificate verification request.
If there is no digital certificate corresponding to the fourth digital certificate carried in the first certificate verification request, this shows that the fourth digital certificate was not sent by the administrative unit 10311, or that the administrative unit 10311 deleted it after sending it for some other reason; the first check result can then be determined directly to be invalid, without performing the validity verification of the fourth digital certificate in step 4033.
If there is a digital certificate corresponding to the fourth digital certificate carried in the first certificate verification request, it is determined whether the fourth digital certificate is identical to the corresponding digital certificate. If the fourth digital certificate differs from the corresponding digital certificate, this shows that an error has occurred in the fourth digital certificate, and the first check result can be determined directly to be invalid without performing the validity verification in step 4033. If the fourth digital certificate is identical to the corresponding digital certificate, the validity verification of the fourth digital certificate in step 4033 is performed to obtain the first check result.
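The three-step validity check (steps 302 and 4033) and the administrative unit's fast path described just above can be written out as follows. This is an added example, not code from the patent: the certificate record, the modelling of a CRL as a set of revoked serial numbers, and the sample data (which follow the Fig. 2 walk-through: current date 2016-1-27, expiry dates 2016-2-22, 2016-1-27 and 2016-1-22, a CRL listing digital certificate 2) are all constructed assumptions. The one edge case worth seeing in code is step 2: an expiry equal to the current date is "not before" it, so the certificate still goes to the CRL check rather than being accepted or rejected on the date alone.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    cert_id: str   # identifier the administrative unit stores the certificate under
    sender: str    # transmitting terminal it belongs to (the attribute information)
    expires: date  # end of the validity period
    serial: int    # what the CRL lists (assumption: CRL modelled as a set of serials)


def check_validity(cert: Cert, today: date, crl: set[int]) -> bool:
    """Three-step validity check used in steps 302 and 4033.

    Step 1: the validity period and the current date are the inputs.
    Step 2: a validity period ending before today means the certificate failed;
            an expiry equal to today is *not* before today, so step 3 still runs.
    Step 3: a certificate listed in the CRL obtained from the CA has failed.
    """
    if cert.expires < today:
        return False
    return cert.serial not in crl


def poll_store(store: dict[str, Cert], today: date, crl: set[int]) -> dict[str, bool]:
    """Step 302: read every stored first digital certificate in turn and record its validity."""
    return {cid: check_validity(c, today, crl) for cid, c in store.items()}


def handle_verification_request(store: dict[str, Cert], requested: Cert,
                                today: date, crl: set[int]) -> bool:
    """Administrative-unit side of step 4033, including the efficiency fast path:
    a certificate the store does not hold, or holds in a different form, is
    rejected before the date/CRL check is run."""
    stored = store.get(requested.cert_id)
    if stored is None:
        return False   # not sent by the administrative unit, or deleted since
    if stored != requested:
        return False   # the verification unit's copy diverges from the stored one
    return check_validity(stored, today, crl)


# Constructed data following the Fig. 2 walk-through: three stored certificates,
# current date 2016-1-27, and a CRL that lists digital certificate 2.
TODAY = date(2016, 1, 27)
STORE = {
    "cert1": Cert("cert1", "sender-A", date(2016, 2, 22), serial=1),
    "cert2": Cert("cert2", "sender-B", date(2016, 1, 27), serial=2),
    "cert3": Cert("cert3", "sender-C", date(2016, 1, 22), serial=3),
}
CRL = {2}


def fig2_walkthrough() -> dict[str, bool]:
    # Expected: cert1 valid; cert2 failed (revoked, on its last valid day);
    # cert3 failed (expired before today, so the CRL is never consulted).
    return poll_store(STORE, TODAY, CRL)


if __name__ == "__main__":
    print(fig2_walkthrough())
    # A divergent copy of cert1 (different expiry) is rejected on the fast path.
    stale = Cert("cert1", "sender-A", date(2016, 1, 1), serial=1)
    print(handle_verification_request(STORE, STORE["cert1"], TODAY, CRL))  # True
    print(handle_verification_request(STORE, stale, TODAY, CRL))           # False
```

The fast path in `handle_verification_request` is what makes step 4033 cheap in the common case: a certificate that the administrative unit never issued, or that no longer matches its stored copy, is reported invalid without touching the date or the CRL at all.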
It should be noted that although the administrative unit 10311 also obtains the first CRL from the certificate authorization center CA in step 302 of its own periodic certificate updating process, the CA also updates the CRL periodically. To ensure that the second CRL used in step 4033 is the newest CRL, step 4033 still obtains the second CRL from the CA in advance. If the time at which step 4033 obtains the second CRL and the time at which step 302 obtained the first CRL fall in the same period, the second CRL is identical to the first CRL; if they fall in different periods, the second CRL differs from the first CRL. The present embodiment does not limit whether the second CRL is identical to the first CRL.
In addition, if the first check result is invalid, the administrative unit 10311 needs to provide a valid digital certificate to the verification unit 10312 so that the verification unit 10312 can check the digital signature successfully. Therefore, after obtaining an invalid first check result in step 4033, the administrative unit 10311 can also obtain a valid fourth digital certificate and send the valid fourth digital certificate to the verification unit, so that the verification unit verifies the digital signature according to the valid digital certificate.
The method of obtaining the valid fourth digital certificate includes, but is not limited to: the administrative unit 10311 determines the fourth transmitting terminal of the fourth digital certificate and requests the valid fourth digital certificate from the fourth transmitting terminal; or the administrative unit 10311 obtains, from the man-machine interface, a valid fourth digital certificate uploaded by the user.
To ensure that the digital certificates in the administrative unit 10311 are upgraded in time, after obtaining the valid fourth digital certificate the administrative unit 10311 can also determine, among all the first digital certificates, whether there is a fifth digital certificate corresponding to the valid fourth digital certificate. If the managing device has the fifth digital certificate, it updates the fifth digital certificate to the valid fourth digital certificate; if the managing device does not have the fifth digital certificate, it stores the valid fourth digital certificate.
4034: The verification unit receives the third check result and checks the digital signature according to the third check result;
The third check result is sent by the administrative unit.
Specifically, if the third check result is valid, the digital signature is determined to be valid; if the third check result is invalid, the verification unit 10312 receives the valid seventh digital certificate sent by the administrative unit 10311 and checks the digital signature according to the valid seventh digital certificate.
In addition, to ensure that subsequent digital signature verification directly uses the valid seventh digital certificate, after receiving the valid seventh digital certificate sent by the managing device the verification unit 10312 can also update the seventh digital certificate to the valid seventh digital certificate.
404: The receiving terminal obtains the seventh digital certificate, pre-checks the digital signature according to the seventh digital certificate to obtain a fourth check result, and checks the digital signature according to the fourth check result.
In concrete execution, this step can be realized by the following steps 4041 to 4045.
4041: The verification unit of the receiving terminal sends a second certificate acquisition request to the administrative unit;
The second certificate acquisition request carries a second identifier of the seventh digital certificate, so that the administrative unit 10311 returns the seventh digital certificate according to the second identifier;
4042: The administrative unit receives a first certificate acquisition request;
The first certificate acquisition request is sent by a verification unit 10312 and carries a first identifier.
The digital authenticating device 1031 can include multiple verification units 10312, so the first certificate acquisition request received by the administrative unit 10311 can be the second certificate acquisition request sent by the verification unit 10312 in step 4041, or another certificate acquisition request sent by another verification unit in the digital authenticating device 1031. Therefore the first certificate acquisition request in step 4042 may or may not be the same as the second certificate acquisition request in step 4041. If the first certificate acquisition request in step 4042 is the same as the second certificate acquisition request in step 4041, the first identifier carried by the first certificate acquisition request is identical to the second identifier carried by the second certificate acquisition request. If the first certificate acquisition request in step 4042 differs from the second certificate acquisition request in step 4041, the first identifier differs from the second identifier. Therefore the first identifier may or may not be identical to the second identifier.
4043: The administrative unit returns a third digital certificate corresponding to the first identifier to the verification unit;
Specifically, the administrative unit 10311 determines, among all the first digital certificates, whether there is a third digital certificate corresponding to the first identifier. If there is a third digital certificate, it returns the third digital certificate to the verification unit 10312; if there is no third digital certificate, it obtains the third digital certificate and returns the obtained third digital certificate to the verification unit 10312.
The concrete way of obtaining the third digital certificate includes, but is not limited to: determining the third transmitting terminal of the third digital certificate according to the first identifier and requesting the third digital certificate from the third transmitting terminal; or the managing device obtains, from the man-machine interface, a third digital certificate uploaded by the user.
In addition, after obtaining the new third digital certificate in step 4043, the administrative unit 10311 can also store the obtained third digital certificate.
4044: The verification unit receives the seventh digital certificate returned by the administrative unit, and pre-checks the digital signature according to the returned seventh digital certificate to obtain the fourth check result;
After the verification unit 10312 receives the seventh digital certificate returned by the administrative unit 10311, it can also cache the seventh digital certificate so that it can be used directly in subsequent digital signature checks.
4045: The verification unit checks the digital signature according to the fourth check result.
Specifically, if the fourth check result is valid, the digital signature is determined to be valid; if the fourth check result is invalid, a third certificate verification request is sent to the administrative unit, a fifth check result returned by the administrative unit based on the third certificate verification request is obtained, and the digital signature is checked according to the fifth check result.
The third certificate verification request carries the returned seventh digital certificate, so that the administrative unit 10311 verifies the validity of the returned seventh digital certificate and returns the fifth check result.
The process by which the administrative unit 10311 receives the third certificate verification request and returns the fifth check result is the same as steps 4042 and 4043, differing only in the digital certificate carried in the certificate verification request; for the concrete implementation refer to steps 4042 and 4043, which are not repeated here.
Likewise, checking the digital signature according to the fifth check result is the same as steps 4044 and 4045, differing only in the digital certificate; for details refer to steps 4044 and 4045, which are not repeated here.
Through steps 401 to 404 above, the administrative unit 10311 interacts with the verification unit 10312 to complete the process in which the verification unit 10312 verifies a digital signature according to the digital certificates periodically verified by the administrative unit 10311.
In this process, the digital signature is first checked directly with the digital certificate cached by the verification unit 10312; when that check succeeds, no further verification of the digital certificate's validity is needed, which shortens the digital signature check time.
In addition, in the embodiment described with reference to Fig. 3, the administrative unit 10311 can send a valid digital certificate to the verification unit 10312 when it updates a digital certificate. Therefore, while performing steps 401 to 404, the verification unit 10312 in the present embodiment can also receive an eighth digital certificate sent by the administrative unit 10311. The verification unit 10312 determines, among all the cached sixth digital certificates, whether there is a ninth digital certificate corresponding to the eighth digital certificate; if the verification unit 10312 has the ninth digital certificate, it updates the ninth digital certificate to the eighth digital certificate; if the verification unit 10312 does not have the ninth digital certificate, it caches the eighth digital certificate. This keeps the digital certificates in the cache of the receiving terminal 103 synchronized with the digital certificates in the administrative unit 10311.
The above describes, using the embodiment shown in Fig. 3, the method by which the application verifies a digital signature with the updated digital certificate.
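The verification flow of steps 401 to 404 (the cached certificate first, certificate checks only when the signature fails) together with the synchronisation of the eighth and ninth digital certificates, as an added example that is not the application's own code. The names, the message layout, the use of a serial number and validity window as the certificate fields, and textbook RSA with small primes as the signature algorithm are all assumptions for illustration; the application fixes none of them, and the RSA here is a toy, not a production primitive. The scenario also makes the cost of the fast path visible: a cached certificate that has already expired keeps verifying signatures until the administrative unit's next poll or push reaches the cache.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

E = 65537

def make_keypair(p: int, q: int) -> Tuple[int, int, int]:
    """Textbook RSA from two small primes, returning (n, e, d). Toy only."""
    return p * q, E, pow(E, -1, (p - 1) * (q - 1))

def _digest(body: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def sign(body: bytes, n: int, d: int) -> int:
    return pow(_digest(body, n), d, n)

@dataclass(frozen=True)
class Certificate:
    subject: str        # the identifier that ties a signature to its certificate
    serial: int
    n: int
    e: int
    not_before: int
    not_after: int

@dataclass(frozen=True)
class SignedMessage:
    signer: str         # subject whose certificate is needed for this signature
    body: bytes
    sig: int

def signature_ok(msg: SignedMessage, cert: Certificate) -> bool:
    return pow(msg.sig, cert.e, cert.n) == _digest(msg.body, cert.n)

class ManagementUnit:
    """Administrative unit 10311: stores certificates, checks them each period,
    replaces failed ones and pushes the replacement to the verification unit."""
    def __init__(self, certs, crl, now: int, issuer: Callable[[str], Certificate]):
        self.store: Dict[str, Certificate] = {c.subject: c for c in certs}
        self.crl, self.now, self.issuer = set(crl), now, issuer  # issuer: transmitting terminal or upload
        self.pushed: List[Certificate] = []                      # eighth certificates sent on update
    def is_valid(self, cert: Certificate) -> bool:
        return cert.not_before <= self.now <= cert.not_after and cert.serial not in self.crl
    def poll(self) -> None:
        """One predetermined-period check of every stored certificate."""
        for subject, cert in list(self.store.items()):
            if not self.is_valid(cert):
                self.store[subject] = fresh = self.issuer(subject)
                self.pushed.append(fresh)
    def get_certificate(self, subject: str) -> Certificate:
        """Certificate acquisition request: a stored valid certificate, or a newly obtained one."""
        cert = self.store.get(subject)
        if cert is None or not self.is_valid(cert):
            self.store[subject] = cert = self.issuer(subject)
        return cert
    def verify_certificate(self, cert: Certificate) -> Tuple[bool, Optional[Certificate]]:
        """Certificate verification request: the check result and, on failure, a valid replacement."""
        if self.is_valid(cert):
            return True, None
        return False, self.get_certificate(cert.subject)

class VerificationUnit:
    """Verification unit 10312: the cached certificate first; certificate checks only on failure."""
    def __init__(self, mgmt: ManagementUnit, preloaded):
        self.mgmt, self.escalations = mgmt, 0
        self.cache: Dict[str, Certificate] = {c.subject: c for c in preloaded}  # obtained in advance
    def verify(self, msg: SignedMessage) -> bool:
        cert = self.cache.get(msg.signer)
        if cert is None:                                   # no fifth certificate: acquisition request
            self.cache[msg.signer] = cert = self.mgmt.get_certificate(msg.signer)
        if signature_ok(msg, cert):                        # fast path: no validity check at all
            return True
        self.escalations += 1                              # step 4045: is the certificate itself stale?
        still_valid, fresh = self.mgmt.verify_certificate(cert)
        if still_valid:
            return False                                   # certificate current, so the signature is bad
        self.cache[msg.signer] = fresh
        return signature_ok(msg, fresh)
    def receive(self, cert: Certificate) -> str:
        """Eighth certificate pushed on update: replace the ninth, or cache it if there is none."""
        action = "updated" if cert.subject in self.cache else "cached"
        self.cache[cert.subject] = cert
        return action

# Constructed scenario: svc-a's first certificate expires at t=100; its replacement carries a new key.
OLD_N, _, OLD_D = make_keypair(104729, 104723)
NEW_N, _, NEW_D = make_keypair(1000003, 999983)
OLD = Certificate("svc-a", 1, OLD_N, E, 0, 100)
NEW = Certificate("svc-a", 2, NEW_N, E, 90, 200)

def demo() -> dict:
    mgmt = ManagementUnit([OLD], crl=[], now=120, issuer=lambda subject: NEW)
    vu = VerificationUnit(mgmt, preloaded=[OLD])
    old_msg = SignedMessage("svc-a", b"order:42", sign(b"order:42", OLD_N, OLD_D))
    new_msg = SignedMessage("svc-a", b"order:43", sign(b"order:43", NEW_N, NEW_D))
    r = {"fast_path_expired_cert": vu.verify(old_msg)}   # accepted: the cache is trusted until synced
    mgmt.poll()                                          # OLD has failed: NEW is stored and pushed
    r["push_action"] = vu.receive(mgmt.pushed[0])
    r["old_key_after_push"] = vu.verify(old_msg)         # fails, and NEW is still valid: rejected
    r["new_key_after_push"] = vu.verify(new_msg)
    stale = VerificationUnit(mgmt, preloaded=[OLD])      # a unit that missed the push
    r["stale_cache_recovers"] = stale.verify(new_msg)
    r["stale_escalations"] = stale.escalations
    r["tampered"] = vu.verify(SignedMessage("svc-a", b"order:44", new_msg.sig))
    return r
```

The first result of `demo()` is the point to keep in mind when choosing the polling period: the expired certificate is accepted on the fast path because nothing on that path looks at its validity; only the poll, the push or a failed signature brings the administrative unit back in. The `tampered` case shows the other branch of step 4045, where the administrative unit confirms the certificate is current and the signature is therefore rejected as bad rather than refreshed.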
Below, with reference to the implementation environment above, the method provided by this embodiment is described again by taking the implementation scenario shown in Fig. 5 as an example. The scenario shown in Fig. 5 includes administrative unit 501 and verification unit 502. Administrative unit 501 includes certificate verification subunit 5011, CRL request subunit 5012, automatic polling subunit 5013, certificate upload subunit 5014 and certificate request subunit 5015; verification unit 502 includes signature verification subunit 5021 and certificate cache subunit 5022.
Certificate verification subunit 5011 is responsible for completing the verification of certificate validity, which specifically includes parsing the certificate into its fields and checking their validity.
CRL request subunit 5012 is a subunit that takes effect on a timer; its main task is to request the newest CRL.
Automatic polling subunit 5013 runs on a regular schedule and is responsible for triggering the operation of certificate verification subunit 5011.
Certificate upload subunit 5014 is provided for certificates from certain special channels. These channels do not transmit new certificates by message but through other media, and the certificates are then uploaded manually through the certificate upload subunit.
Certificate request subunit 5015 undertakes the communication work and requests valid certificates in the manner defined by the protocol.
Signature verification subunit 5021 verifies the validity of the signature field of a message according to the preset algorithms and signature elements.
Certificate cache subunit 5022 caches the digital certificates received by the terminal on which it resides.
Referring to Fig. 6, the operating flow of the digital authentication system is as follows.
First, the validity period of a certificate is specified at the time the certificate is issued, and this information is attached to the certificate. Certificate verification subunit 5011 can check whether the validity period of each certificate ends before the current date. If it does, the certificate has expired and a new certificate must be requested; otherwise the certificate remains valid. Further, certificate verification subunit 5011 can check whether the certificate is in the CRL. If it is, the certificate has been explicitly revoked and must likewise be set to invalid, and a valid certificate is then obtained through certificate upload subunit 5014 or certificate request subunit 5015.
CRL request subunit 5012 is a subunit that takes effect on a timer and is scheduled by certificate verification subunit 5011; its main task is to request the newest CRL. The CRL obtained is handed to certificate verification subunit 5011 for use.
Optionally, after certificate verification subunit 5011 finds that the current certificate has failed, it can first notify signature verification subunit 5021 to update its cache and stop using the failed certificate. Once the updated certificate has been obtained, it is pushed to signature verification subunit 5021 so that signature verification can continue.
The above actions of certificate verification subunit 5011 are triggered periodically by automatic polling subunit 5013 shown in Fig. 7. Certificate rotation can thus be checked at a fairly high frequency without affecting the service logic, and when a new certificate needs to be acquired, the whole system becomes aware of it as quickly as possible.
Signature verification subunit 5021 is the core of the operation of the whole digital authentication system: when a message is transmitted and its signature needs to be verified, signature verification subunit 5021 is called to perform the signature verification.
In this application, certificate verification and digital signature verification are separated. When signature verification subunit 5021 fails to verify a signature, the operation it performs first is to actively send a reverse request to certificate verification subunit 5011. Certificate verification subunit 5011 then has several possibilities. One is that it has not yet perceived that the certificate has an updated version, in which case the certificate update action described above can be repeated. Another is that it already knows a newer version exists but has not yet notified the requester, in which case it can directly issue the new certificate to signature verification subunit 5021 and notify all signature verification subunits 5021 to update the local copy of this certificate cached in their certificate cache subunit 5022.
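The Fig. 6 operating flow of the administrative side (validity period and CRL checks, the timed CRL request scheduled by the certificate verification subunit, periodic triggering by the polling subunit, acquisition through the upload or the request channel, and the reverse request from the signature verification subunit with its two cases), as an added example that is not the application's own code. The certificate fields, the simulated clock, the CRL source, both acquisition channels and the subunit names are assumptions; comparing serial numbers stands in for the cryptographic signature check so that the block shows the certificate flow and not the arithmetic. It goes beyond the text in two places a practitioner would want: a certificate whose validity period has not started yet is also treated as failed, and the staleness window of the CRL is made visible, since a certificate revoked between two CRL fetches is still accepted until the next fetch.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

@dataclass(frozen=True)
class Cert:
    subject: str
    serial: int
    not_before: int
    not_after: int

class SignatureSubunit:
    """5021 with its cache 5022. Comparing serial numbers stands in for the
    cryptographic check (assumption: this block shows the certificate flow only)."""
    def __init__(self, checker):
        self.checker, self.cache = checker, {}
    def receive(self, cert: Cert) -> None:
        self.cache[cert.subject] = cert
    def drop(self, subject: str) -> None:
        self.cache.pop(subject, None)
    def verify(self, subject: str, signed_with: int, now: int) -> bool:
        cert = self.cache.get(subject)
        if cert is not None and cert.serial == signed_with:
            return True
        fresh = self.checker.reverse_request(subject, now)   # failed: ask 5011 back first
        return fresh is not None and fresh.serial == signed_with

class CrlRequestSubunit:
    """5012: fetches the newest CRL on its own timer; the source stands in for the CA."""
    def __init__(self, source: Callable[[], Set[int]], period: int):
        self.source, self.period, self.crl, self.next_due = source, period, set(), 0
    def tick(self, now: int) -> None:
        if now >= self.next_due:
            self.crl, self.next_due = set(self.source()), now + self.period

class CertificateCheckSubunit:
    """5011: checks validity period and CRL membership and replaces failed certificates."""
    def __init__(self, certs, crl_unit, request_channel, signature_units):
        self.store: Dict[str, Cert] = {c.subject: c for c in certs}
        self.crl_unit, self.request_channel = crl_unit, request_channel  # 5015: asks over the protocol
        self.uploaded: Dict[str, Cert] = {}   # 5014: handed over out of band, not yet distributed
        self.signature_units, self.events = signature_units, []
    def upload(self, cert: Cert) -> None:
        self.uploaded[cert.subject] = cert
    def status(self, cert: Cert, now: int) -> str:
        if now < cert.not_before:
            return "not yet valid"            # the text checks only expiry; check both ends
        if now > cert.not_after:
            return "expired"
        if cert.serial in self.crl_unit.crl:
            return "revoked"                  # explicitly revoked: failed although in date
        return "valid"
    def _distribute(self, cert: Cert) -> None:
        self.store[cert.subject] = cert
        for su in self.signature_units:
            su.receive(cert)
    def refresh(self, subject: str, now: int) -> Optional[Cert]:
        """The certificate-update action for one subject."""
        cert, state = self.store[subject], self.status(self.store[subject], now)
        if state == "valid":
            return cert
        self.events.append(f"{now}:{subject}#{cert.serial} {state}")
        for su in self.signature_units:
            su.drop(subject)                  # stop using the failed certificate first
        fresh = self.uploaded.pop(subject, None) or self.request_channel(subject)
        if fresh is None or self.status(fresh, now) != "valid":
            return None
        self._distribute(fresh)
        return fresh
    def check_all(self, now: int) -> None:
        """Run by polling subunit 5013 on its schedule; 5011 in turn schedules the CRL request."""
        self.crl_unit.tick(now)
        for subject in list(self.store):
            self.refresh(subject, now)
    def reverse_request(self, subject: str, now: int) -> Optional[Cert]:
        """Newer version known but not yet notified: issue it to every signature subunit.
        Otherwise the update has not been perceived yet: repeat the update action."""
        if subject in self.uploaded:
            fresh = self.uploaded.pop(subject)
            self._distribute(fresh)
            return fresh
        return self.refresh(subject, now)

def demo() -> dict:
    """Constructed timeline: svc-a expires, svc-b rotates by manual upload, svc-c is revoked."""
    revoked: Set[int] = set()
    replacements = {"svc-a": Cert("svc-a", 2, 90, 200), "svc-c": Cert("svc-c", 21, 100, 600)}
    checker = CertificateCheckSubunit(
        [Cert("svc-a", 1, 0, 100), Cert("svc-b", 10, 0, 500), Cert("svc-c", 20, 0, 500)],
        CrlRequestSubunit(lambda: revoked, period=200), replacements.get, [])
    sig = SignatureSubunit(checker)
    checker.signature_units.append(sig)
    for cert in checker.store.values():
        sig.receive(cert)
    r = {}
    checker.check_all(0)                                # polling period 50: t = 0, 50, ...
    r["a_sig1_t50"] = sig.verify("svc-a", 1, 50)
    checker.check_all(50)
    r["a_sig2_t110"] = sig.verify("svc-a", 2, 110)      # expiry noticed on the reverse request
    revoked.add(20)                                     # t=120: the CA revokes svc-c#20
    checker.upload(Cert("svc-b", 11, 100, 600))         # t=120: svc-b#11 arrives out of band
    r["b_sig11_t130"] = sig.verify("svc-b", 11, 130)    # known but not yet notified: issued now
    checker.check_all(150)
    r["c_sig20_t150"] = sig.verify("svc-c", 20, 150)    # CRL not refetched yet: still accepted
    checker.check_all(200)
    r["c_sig20_t200"] = sig.verify("svc-c", 20, 200)
    r["c_sig21_t200"] = sig.verify("svc-c", 21, 200)
    r["events"] = list(checker.events)
    return r
```

The `c_sig20_t150` result is the CRL window: the revocation at t=120 is not seen until the CRL request subunit's next fetch at t=200, so the CRL period bounds how long a revoked certificate is still honoured, independently of the polling period. The `b_sig11_t130` result is the second reverse-request case from the text, where the uploaded certificate is already known to the certificate verification subunit and is issued to the signature subunit without waiting for the next poll.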
Beneficial effects:
After the verification unit obtains a digital signature, it determines whether, among the cached digital certificates, there is a digital certificate corresponding to the digital signature. If there is, it pre-verifies the digital signature according to the corresponding digital certificate to obtain the second check result, and then verifies the digital signature according to the second check result. Digital signature verification is thus separated from digital certificate verification: when the digital signature verification succeeds, no digital certificate verification is performed, which shortens the digital signature verification time. In addition, the cached digital certificates are obtained in advance from the administrative unit, which verifies the validity of the stored digital certificates with a predetermined period, obtains a valid digital certificate when a digital certificate fails, and updates the failed digital certificate to the valid one. This ensures that the cached digital certificates are the latest ones and avoids the waste of resources caused by the verification unit having to check the certificate every time it obtains a digital signature to be verified.
Based on the same inventive concept, this embodiment provides a digital authentication device. Since the principle by which the digital authentication device solves the problem is similar to that of the digital certificate updating method shown in Fig. 3 and the digital signature verification method shown in Fig. 4, the implementation of the digital authentication device can refer to the embodiments of the methods shown in Fig. 3 and Fig. 4; repeated parts are not described again.
Referring to Fig. 7, the digital authentication device includes:
administrative unit 701 and verification unit 702;
administrative unit 701, configured to verify, with a predetermined period, the validity of the stored first digital certificate; when the first digital certificate fails, obtain a valid first digital certificate; and update the first digital certificate to the valid first digital certificate;
verification unit 702, configured to obtain a digital signature; determine whether, among the cached fourth digital certificates, there is a fifth digital certificate corresponding to the digital signature, the fourth digital certificates having been obtained in advance from administrative unit 701; when there is a fifth digital certificate, pre-verify the digital signature according to the fifth digital certificate to obtain a second check result; and verify the digital signature according to the second check result.
Optionally, administrative unit 701 is configured to determine the transmitting terminal of the first digital certificate and request a valid first digital certificate from the transmitting terminal; or to obtain a valid first digital certificate uploaded by a user through a human-machine interface.
Optionally, administrative unit 701 is further configured to send the valid first digital certificate to verification unit 702, so that verification unit 702 verifies the digital signature according to the valid first digital certificate.
Optionally, verification unit 702 is further configured to, when there is no fifth digital certificate, send a second certificate acquisition request to administrative unit 701, the second certificate acquisition request carrying the second identifier of the fifth digital certificate; pre-verify the digital signature according to the returned fifth digital certificate to obtain a fourth check result; and verify the digital signature according to the fourth check result.
Administrative unit 701 is further configured to receive the first certificate acquisition request sent by verification unit 702, the first certificate acquisition request carrying a first identifier; determine whether, among all first digital certificates, there is a second digital certificate corresponding to the first identifier; when there is a second digital certificate, return the second digital certificate to verification unit 702; and when there is no second digital certificate, obtain the second digital certificate and return the obtained second digital certificate to verification unit 702.
Optionally, verification unit 702 is configured to determine that the digital signature is valid when the second check result is valid; and, when the second check result is failure, send a second certificate verification request to administrative unit 701, the second certificate verification request carrying the fifth digital certificate, and verify the digital signature according to the returned third check result.
Administrative unit 701 is further configured to receive the first certificate verification request sent by verification unit 702, the first certificate verification request carrying the third digital certificate; verify the validity of the third digital certificate to obtain a first check result; and return the first check result to verification unit 702.
Optionally, verification unit 702 is configured to determine that the digital signature is valid when the third check result is valid; and, when the third check result is failure, receive the valid fifth digital certificate sent by administrative unit 701 and verify the digital signature according to the valid fifth digital certificate.
Administrative unit 701 is further configured to, when the first check result is failure, obtain a valid third digital certificate and send the valid third digital certificate to verification unit 702, so that verification unit 702 verifies the digital signature according to the valid third digital certificate.
The beneficial effects are as follows:
After the verification unit obtains a digital signature, it determines whether, among the cached digital certificates, there is a digital certificate corresponding to the digital signature. If there is, it pre-verifies the digital signature according to the corresponding digital certificate to obtain the second check result, and then verifies the digital signature according to the second check result. Digital signature verification is thus separated from digital certificate verification: when the digital signature verification succeeds, no digital certificate verification is performed, which shortens the digital signature verification time. In addition, the cached digital certificates are obtained in advance from the administrative unit, which verifies the validity of the stored digital certificates with a predetermined period, obtains a valid digital certificate when a digital certificate fails, and updates the failed digital certificate to the valid one. This ensures that the cached digital certificates are the latest ones and avoids the waste of resources caused by the verification unit having to check the certificate every time it obtains a digital signature to be verified.
The above embodiments can be implemented with existing functional component modules. For example, the processing module can use an existing data processing component; at the least, the location server used in existing positioning technology already has a component that realises this function. The receiving module is a component that any device with a signal transfer function possesses. Likewise, the calculation of the A and n parameters and the adjustment of intensity performed by the processing module all use existing technical means, which those skilled in the art can realise through corresponding design and development.
For convenience of description, the parts of the apparatus described above are divided into modules or units by function and described separately. When implementing the present invention, the functions of the modules or units can of course be realised in one or more pieces of software or hardware.
Those skilled in the art should understand that the embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory and so on) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, the device (system) and the computer program product according to the embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realising the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or another programmable data processing device to work in a specific way, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realises the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or another programmable data processing device, so that a series of operation steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for realising the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.