CN113242130B - Equipment digital certificate revocation method, electronic equipment and computer readable storage medium - Google Patents


Publication number: CN113242130B
Authority: CN (China)
Legal status: Active
Application number: CN202110355189.6A
Other languages: Chinese (zh)
Other versions: CN113242130A
Inventors: 吴宇杰, 余小龙, 常林, 徐林玉, 李新国, 宫俊, 徐培秋
Current assignee: Shenzhen National Real Testing Technology Co ltd
Original assignee: Shenzhen National Real Testing Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Abstract

The invention discloses a device digital certificate revocation method, an electronic device and a computer-readable storage medium. The method comprises: obtaining the digital certificate of a target device to be verified; obtaining a preset revocation list in which a revocation scheme is preset; obtaining target parameters from the digital certificate; judging, based on the revocation scheme and the target parameters, whether the digital certificate is revoked; and, if it is revoked, determining that the target device is an illegitimate device. The invention saves terminal device resources and allows a quick determination from the certificate revocation list of whether a device digital certificate has been revoked.

Description

Equipment digital certificate revoking method, electronic equipment and computer readable storage medium
Technical Field
The present invention relates to the field of information security and digital certificate technologies, and in particular, to a device digital certificate revocation method, an electronic device, and a computer-readable storage medium.
Background
Under X.509, an organization obtains a signed certificate by initiating a Certificate Signing Request (CSR). First a key pair is generated; the CSR is then signed with the private key of that pair, and the private key is stored securely. The CSR also contains identity information of the requester, the public key used to authenticate the request, and the proper name for which the certificate is requested. The CSR may carry other identification-related information required by the CA (Certificate Authority). The CA then issues a certificate for this proper name, binding the public key to it, and the organization can distribute the trusted root certificate to all members.
The CRL (Certificate Revocation List) is issued by a CA and lists the serial numbers of certificates that are considered no longer usable. A complete CRL lists all revoked but unexpired certificate serial numbers issued by the CA; by querying the CRL, a verifier can exclude the entity corresponding to a revoked certificate from the system and thereby maintain the integrity of the system.
In the field of the Internet of Things, the entity corresponding to a digital certificate is usually a device, and the certificates revoked by a CRL are likewise device certificates. Because the number of IoT devices is huge, a traditional CRL that lists certificate serial numbers becomes very large and is unsuitable for direct application. For this reason DTCP defines a proprietary compact format; however, that extension does not conform to the X.509 standard and still requires extensive modification of existing PKI.
In the traditional PKI (Public Key Infrastructure) application field, certificate serial numbers are added to the certificate revocation list one by one, which is unsuitable for direct application to the Internet of Things; the improved DTCP revocation mechanism does not conform to the X.509 standard, is incompatible with the CA (Certificate Authority) mechanism and is costly to integrate and modify; and querying the certificate revocation list for a digital certificate is inefficient. These are the technical problems that the prior art urgently needs to solve.
Word interpretation:
CA: Certificate Authority.
CRL: Certificate Revocation List.
PKI: Public Key Infrastructure, a technology and specification that follows a standard and uses public key cryptography to provide a secure foundation platform for the development of electronic commerce.
ASN.1: Abstract Syntax Notation One, an ISO/ITU-T standard describing a data format for representing, encoding, transmitting and decoding data.
X.509: the format standard for public key certificates in cryptography.
DTCP: Digital Transmission Content Protection protocol.
ISO: International Organization for Standardization.
IEC: International Electrotechnical Commission.
ITU-T: ITU Telecommunication Standardization Sector (the telecommunication standards office of the International Telecommunication Union).
ANSI: American National Standards Institute.
Disclosure of Invention
The present invention is directed to solving at least one of the problems of the prior art. Therefore, the invention provides a device digital certificate revocation method, an electronic device and a computer storage medium, which can quickly judge from a certificate revocation list whether a device digital certificate is revoked and can save terminal resources.
The application also provides an electronic device implementing the device digital certificate revocation method.
The application also provides a computer-readable storage medium implementing the device digital certificate revocation method.
According to the equipment digital certificate revoking method of the embodiment of the first aspect of the application, the method comprises the following steps:
acquiring a digital certificate of target equipment to be verified, and acquiring a preset revoking list, wherein a revoking scheme is preset in the revoking list;
acquiring target parameters in the digital certificate;
judging whether the digital certificate is revoked based on the revocation scheme and the target parameter;
and if the digital certificate is revoked, determining that the target equipment is illegal equipment.
According to the equipment digital certificate revoking method provided by the embodiment of the application, the following beneficial effects are at least achieved:
the method comprises the steps of obtaining a digital certificate of target equipment and a revoke list with various revoke schemes, obtaining target parameters in the digital certificate, judging whether the digital certificate is revoked according to the target parameters and the revoke schemes, and determining the target equipment to be detected as illegal equipment if the digital certificate is revoked.
The application provides a certificate revocation method covering several kinds of device, so as to meet the requirements of terminal devices in multiple scenarios; because it uses a privately defined extension permitted by the X.509 standard, the certificate revocation list is smaller, terminal device resources are saved, and whether a device's digital certificate has been revoked can be quickly judged from the certificate revocation list.
According to some embodiments of the present application, the digital certificate is issued to the target device by:
writing a plurality of target parameters into a digital certificate to be issued;
signing a digital certificate with a plurality of target parameters;
and issuing the digital certificate to the target equipment.
According to some embodiments of the application, the preset revoke list is generated by:
adding a private extension item to the initial revocation list to obtain an extensible revocation list;
and presetting a plurality of revocation schemes based on the extensible revocation list to obtain the preset revocation list.
According to some embodiments of the present application,
the target parameters include a device sub-certificate identifier, and the revocation scheme comprises a first scheme;
correspondingly, judging whether the digital certificate is revoked based on the revocation scheme and the target parameters comprises the following steps:
acquiring the device revoked sub-certificate parameter of the first scheme;
judging whether the device revoked sub-certificate parameter is the same as the device sub-certificate identifier;
and if the device revoked sub-certificate parameter is the same as the device sub-certificate identifier, judging that the digital certificate is revoked.
According to some embodiments of the present application,
the target parameters include a device organization identifier, and the revocation scheme comprises a second scheme;
correspondingly, judging whether the digital certificate is revoked based on the revocation scheme and the target parameters comprises the following steps:
if the device revoked sub-certificate parameter differs from the device sub-certificate identifier, acquiring the device revoked organization parameter of the second scheme;
judging whether the device revoked organization parameter is the same as the device organization identifier;
and if the device revoked organization parameter is the same as the device organization identifier, judging that the digital certificate is revoked.
According to some embodiments of the present application,
the target parameters include a device identifier, and the revocation scheme comprises a third scheme;
correspondingly, judging whether the digital certificate is revoked based on the revocation scheme and the target parameters comprises the following steps:
if the device revoked organization parameter differs from the device organization identifier, acquiring the device revocation parameter interval of the third scheme;
judging whether the device revocation parameter interval contains the device identifier;
and if the device revocation parameter interval contains the device identifier, judging that the digital certificate is revoked.
According to some embodiments of the present application,
the target parameters include a device identifier, and the revocation scheme comprises a fourth scheme;
correspondingly, judging whether the digital certificate is revoked based on the revocation scheme and the target parameters comprises the following steps:
if the device revocation parameter interval does not contain the device identifier, acquiring the device revocation parameter of the fourth scheme;
judging whether the device revocation parameter is the same as the device identifier;
and if the device revocation parameter is the same as the device identifier, judging that the digital certificate is revoked.
According to some embodiments of the present application,
if the device revocation parameter differs from the device identifier, judging that the digital certificate is not revoked;
and if the digital certificate is not revoked, determining that the target device is a legitimate device.
An electronic device for device digital certificate revocation according to an embodiment of the second aspect of the present application comprises:
a processor;
a memory for storing an executable program;
wherein, when the executable program is executed by the processor, the electronic device implements the device digital certificate revocation method according to the first aspect of the present application.
According to an embodiment of the third aspect of the present application, a computer-readable storage medium for device digital certificate revocation has stored thereon executable instructions which, when executed by a computer, cause the computer to perform the device digital certificate revocation method according to the first aspect of the present application.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
The invention is further described with reference to the following figures and examples, in which:
FIG. 1 is a schematic flow chart of a device digital certificate revocation method according to the present invention;
FIG. 2 is a first detailed flowchart of step S100 in the device digital certificate revocation method according to the present invention;
FIG. 3 is a second detailed flowchart of step S100 in the device digital certificate revocation method according to the present invention;
FIG. 4 is a schematic flowchart of step S300 in the device digital certificate revocation method according to the present invention.
Detailed Description
Reference will now be made in detail to embodiments of the present invention, examples of which are illustrated in the accompanying drawings. The embodiments described below with reference to the accompanying drawings are illustrative only for the purpose of explaining the present invention and are not to be construed as limiting the present invention.
In the description of the present invention, "a plurality" means two or more; "greater than", "less than", "exceeding" and the like are understood to exclude the stated number, while "above", "below" and the like are understood to include it. Where "first" and "second" are used, they serve only to distinguish technical features and are not to be understood as indicating or implying relative importance, the number of the features indicated, or their order of precedence.
In the description of the present invention, reference to the description of "one embodiment", "some embodiments", "illustrative embodiments", "examples", "specific examples", or "some examples", etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
The invention provides a method, equipment and a storage medium for revoking a digital certificate of equipment, which save terminal equipment resources and can improve the query efficiency of a certificate revocation list.
The preferred embodiments of the present invention will be described in conjunction with the accompanying drawings, it being understood that the preferred embodiments described herein are for purposes of illustration and explanation only and are not intended to limit the present invention, and that the embodiments and features of the embodiments may be combined without conflict.
A Certificate Revocation List (CRL) is issued by a Certificate Authority (CA) and lists the serial numbers of certificates that are considered no longer usable; a complete CRL lists all revoked but unexpired certificate serial numbers issued by the CA, and a verifier can maintain the integrity of the system by querying the CRL and excluding the entities corresponding to revoked certificates from the system.
CRL extensions and CRL entry extensions are defined by ISO/IEC, ITU-T and ANSI X9. The standard X.509 v2 CRL format allows both generic and private extensions to be defined for CRL extensions and CRL entry extensions to carry additional information, with the provision that if CRL extensions are used, the authority key identifier and CRL number extensions must be included in all published CRLs, while the extensions defined under CRL entry extensions are optional.
As shown in fig. 1, which is a schematic diagram of an implementation flow of an apparatus digital certificate revoking method according to an embodiment of the present invention, the method may include the following steps:
S100, acquiring the digital certificate of the target device to be verified, and acquiring a preset revocation list in which a revocation scheme is preset.
Acquiring a digital certificate is in practice based on the X.509 standard, by initiating a Certificate Signing Request (CSR).
The preset revocation list is used to identify the signature information of the relevant signed certificates and the related information of the signed certificates that need to be revoked. A plurality of revocation schemes are preset in the list; a revocation scheme is a method of revoking according to the signature information, contained in the preset revocation list, that relates to the signed certificate to be revoked. In practical application the preset revocation list contains the CRL version number, signature algorithm, issuer identifier, issue date, revocation type and revoked certificate item. The issuer identifier is the subject of the CA certificate that issued the revoked certificate, the revoked certificate item selects which revocation scheme to use, and the revocation type comprises the crlEntryExtensions extension and the various revocation schemes. Different revocation schemes represent different types of revocation action on signed certificates according to the related signature information, such as revoking a specific single signed certificate; revoking the signed certificates belonging to the same manufacturer; revoking all certificates in a preset revocation interval; or revoking all certificates belonging to a device sub-certificate.
In some embodiments, referring to FIG. 2, generation of the preset revocation list comprises the following steps:
S111, adding a private extension item to the initial revocation list to obtain an extensible revocation list.
It should be noted that the initial revocation list is the current common revocation list, which cannot be adjusted and does not yet have the revocation schemes required by the present application; adding a private extension item turns it into an adjustable, i.e. extensible, revocation list. The private extension item adds an adjustable extension protocol to the initial revocation list: specifically, the required revocation schemes are added to the initial list, each revocation scheme having its own revocation-type field value in the list, so that the different schemes are set by setting the corresponding revocation-type field.
The added private extension item may be used as a carrier. For example, in this application a revocation-type field parameter is added to the initial revocation list, where the revocation-type field belongs to the crlEntryExtensions extension and takes different enumeration values, which record the parameters of four revocation schemes in the revocation list respectively: revokedSingle has the value 1 and records the DeviceID of the revoked certificate; revokedRange has the value 2 and records a DeviceID range of revoked certificates; revokedOrganization has the value 3 and records the ID of the certificate of the manufacturer to which the revoked device belongs; revokedSubCA has the value 4 and records the ID of the certificate of the revoked SubCA; and unspecified has the value 0. These field parameters are written into the private extension item in a not-activated state so as to reserve the fields, and the private extension item with the not-activated parameter fields is added to the initial revocation list to obtain the extensible revocation list.
The extensible revocation list is thus the initial revocation list with the private extension item added; it contains the field parameters of the various selectable revocation schemes, which are in the inactive state.
In general, the standard X.509 v2 CRL format allows both generic and private extensions to be defined for CRL extensions and CRL entry extensions to carry extra information, and the extensions under CRL entry extensions are optional. Adding a private entry extension to the initial revocation list therefore allows some non-essential information in the certificate revocation list, such as revocation reasons, invalidity dates and certificate issuers, to be omitted, which greatly saves system resources when a device queries the list and makes judgments against the certificate revocation list more efficient; the result is the extensible revocation list.
S112, presetting a plurality of revocation schemes based on the extensible revocation list to obtain the preset revocation list.
Further, a plurality of revocation schemes are preset according to the extensible revocation list so as to obtain a revocation list comprising the plurality of revocation schemes. Specifically, presetting the schemes means activating the field parameters of the private extension item that was added to the extensible revocation list, so that the implementable schemes can be selected in the preset revocation list.
In some embodiments, referring to FIG. 3, the digital certificate is issued to the target device through the following steps:
S121, writing the target parameters into the digital certificate to be issued.
In a specific implementation, when the certificate issuing center of a certificate authority issues certificates, a plurality of target device parameters are defined and written into the different digital certificates to be issued. For example, the target parameters include the sub-CA identifier (SubCAID), the device organization identifier (organization ID) and the device identifier (DeviceID); the DeviceID and organization ID are written into the subject name of the device certificate, and the SubCAID is written into the subject name of the device sub-certificate-authority certificate.
S122, signing the digital certificate carrying the target parameters.
Generally, a certificate authority issues a plurality of digital certificates into which the target parameters have been written, and signs them.
S123, issuing the digital certificate to the target device.
Further, the issued digital certificates containing the target parameters are delivered to the corresponding target devices to be checked.
In a specific implementation, in the Internet of Things the entity corresponding to a digital certificate is generally a device, and the revoked certificates handled by a certificate revocation list are generally device certificates as well, so this description takes IoT device entities as its main embodiment. The certificate issuer issues a specific set of digital certificates for each device, and the digital certificate of the target device is obtained from the target device to be verified. A signed certificate revocation list designates a set of certificates that the certificate issuer considers invalid; it is issued by the certificate authority and lists the serial numbers of certificates considered unusable. The certificate revocation list issued by the certificate authority is obtained, and the obtained revocation list comprises a plurality of revocation schemes.
S200, acquiring target parameters in the digital certificate.
The target parameters are the information that identifies the digital certificate, and different target parameters have different identifying functions, for example the device sub-certificate identifier (SubCAID), the device organization identifier (organization ID) and the device identifier (DeviceID).
In a specific implementation, when the certificate issuing authority issues a digital certificate, a uniformly assigned DeviceID (device ID), organization ID and SubCAID (sub-certificate-issuing-authority ID) are defined, and the three parameters are written into the corresponding X.509 certificates: the DeviceID and organization ID into the device certificate subject name, and the SubCAID into the subject name of the device sub-certificate-issuing-authority certificate. The verifier then obtains the plurality of target parameters from the different digital certificates in the certificate chain.
S300, judging whether the digital certificate is revoked based on the revocation scheme and the target parameters.
Further, the plurality of parameters in the digital certificate of the target device to be verified are judged against the plurality of revocation schemes in the obtained revocation list, so that whether the digital certificate of the target device is revoked can be determined.
In a specific implementation, after receiving the certificate issued by the certificate issuing authority, the verifier extracts the target parameters from the certificate of the target device to be checked, namely the DeviceID and organization ID in the device certificate subject name and the SubCAID in the device sub-CA certificate subject name, and judges them against the plurality of revocation schemes in the following sequence to obtain a judgment result.
A revocation scheme extracts a plurality of revocation scheme parameters and compares them with the target parameters so as to determine whether the digital certificate is revoked. For example, the following four revocation schemes may be included: revokedSingle records the DeviceID of a revoked certificate and acts on the identifier of a single revoked certificate; revokedRange records a DeviceID range of revoked certificates and acts on a range of revoked certificate identifiers; revokedOrganization records the ID of the certificate of the manufacturer of the revoked device and acts on all certificate identifiers belonging to that manufacturer; revokedSubCA records the ID of the certificate of the revoked sub-CA and acts on the certificate identifiers belonging to that revoked sub-certificate.
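The ordered check described in the disclosure and in the steps above (sub-CA first, then organization, then DeviceID range, then single DeviceID), written out as an added example rather than the patent's own code. The enumeration values and check order come from the description; the subject attribute names DeviceID, OrganizationID and SubCAID, the data structures and the sample CRL entries are this example's assumptions.

```python
"""Added example (not the patent's code): the ordered revocation check the
description gives, over a CRL whose entries carry a private revocation-type
field.  The enumeration values (unspecified=0 ... revokedSubCA=4) and the
check order are from the description; the subject attribute names, data
structures and sample data are this example's own assumptions."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Tuple, Union


class RevocationType(IntEnum):
    UNSPECIFIED = 0           # reserved: field present but not activated
    REVOKED_SINGLE = 1        # value: DeviceID of one revoked certificate
    REVOKED_RANGE = 2         # value: inclusive (low, high) DeviceID range
    REVOKED_ORGANIZATION = 3  # value: organization ID of the manufacturer
    REVOKED_SUB_CA = 4        # value: SubCAID of the issuing sub-CA


@dataclass(frozen=True)
class RevocationEntry:
    rtype: RevocationType
    value: Union[int, Tuple[int, int], str, None]


@dataclass(frozen=True)
class TargetParameters:
    device_id: int        # from the device certificate subject name
    organization_id: str  # from the device certificate subject name
    sub_ca_id: str        # from the sub-CA certificate subject name


def _parse_subject(subject: str) -> Dict[str, str]:
    """Split a simple RFC 4514-style subject (no escaped commas) into attr -> value."""
    out: Dict[str, str] = {}
    for part in subject.split(","):
        key, sep, val = part.strip().partition("=")
        if not sep or not key:
            raise ValueError(f"malformed subject component: {part!r}")
        out[key] = val
    return out


def extract_target_parameters(device_subject: str, sub_ca_subject: str) -> TargetParameters:
    """Pull the three target parameters from where the description places them:
    DeviceID and OrganizationID in the device certificate subject, SubCAID in
    the sub-CA certificate subject.  The attribute names are assumed here."""
    dev, sub = _parse_subject(device_subject), _parse_subject(sub_ca_subject)
    try:
        return TargetParameters(int(dev["DeviceID"]), dev["OrganizationID"], sub["SubCAID"])
    except KeyError as missing:
        raise ValueError(f"certificate chain lacks target parameter {missing}") from None


def _matches(e: RevocationEntry, t: TargetParameters) -> bool:
    if e.rtype == RevocationType.REVOKED_SUB_CA:
        return e.value == t.sub_ca_id
    if e.rtype == RevocationType.REVOKED_ORGANIZATION:
        return e.value == t.organization_id
    if e.rtype == RevocationType.REVOKED_RANGE:
        low, high = e.value
        return low <= t.device_id <= high
    if e.rtype == RevocationType.REVOKED_SINGLE:
        return e.value == t.device_id
    return False  # UNSPECIFIED is a reserved field and never revokes


# Order from the description: sub-CA, organization, range, then single ID.
SCHEME_ORDER = (RevocationType.REVOKED_SUB_CA, RevocationType.REVOKED_ORGANIZATION,
                RevocationType.REVOKED_RANGE, RevocationType.REVOKED_SINGLE)


def check_revocation(target: TargetParameters,
                     crl: List[RevocationEntry]) -> Optional[RevocationType]:
    """Return the first scheme, in SCHEME_ORDER, that revokes the target's
    certificate; None means the device is treated as legitimate."""
    for scheme in SCHEME_ORDER:
        for entry in crl:
            if entry.rtype == scheme and _matches(entry, target):
                return scheme
    return None


# Constructed sample CRL: one active entry per scheme plus a reserved one.
SAMPLE_CRL = [
    RevocationEntry(RevocationType.REVOKED_SUB_CA, "SUBCA-02"),
    RevocationEntry(RevocationType.REVOKED_ORGANIZATION, "ORG-B"),
    RevocationEntry(RevocationType.REVOKED_RANGE, (1000, 1999)),
    RevocationEntry(RevocationType.REVOKED_SINGLE, 42),
    RevocationEntry(RevocationType.UNSPECIFIED, None),
]

if __name__ == "__main__":
    target = extract_target_parameters(
        "CN=sensor-0042,OrganizationID=ORG-A,DeviceID=42", "CN=Sub CA 1,SubCAID=SUBCA-01")
    print(target, "->", check_revocation(target, SAMPLE_CRL))
```

Because the coarser schemes are tried first, a device whose sub-CA or manufacturer is revoked is rejected without any DeviceID comparison, and the reserved unspecified entry can never revoke anything.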
In some embodiments, referring to fig. 4, step S300 further includes the following steps:
by executing step S200, target parameters in the digital certificate are obtained, where the target parameters include: a device sub-certificate identifier;
the revoking scheme comprises a first scheme, and correspondingly, whether the digital certificate is revoked is judged based on the revoking scheme and the target parameter, and the method comprises the following steps:
S311, acquiring the device revoked-sub-certificate parameter in the first scheme;
s312, judging whether the equipment revoke sub-certificate parameter is the same as the equipment sub-certificate identifier.
If the parameter of the device revoke certificate is the same as the identifier of the device sub-certificate, step S400 is executed to determine that the digital certificate has been revoked.
If the equipment revoke certificate parameter is not the same as the equipment sub-certificate identifier, step S321 is executed to obtain the equipment revoke organization parameter in the second scheme.
Specifically, the device sub-certificate identifier among the target parameters, i.e. the SubCAID, is extracted from the digital certificate chain obtained from the target device to be verified; it is compared with the device revoked-sub-certificate parameter in the revocation scheme in order to determine whether the digital certificate has been revoked.
The first scheme in the revocation schemes is to judge whether the extracted device sub-certificate identifier is the same as any value in the device revoked-sub-certificate parameter list.
The device revoked-sub-certificate parameter identifies a revoked sub-certificate and is compared with the device sub-certificate identifier in the target parameters to judge whether the digital certificate is revoked. It may be defined as the revokedSubCA parameter, which is extracted from the revocation scheme in the preset revocation list.
In specific implementation, after receiving the digital certificate of the target device, the verifier parses the preset certificate revocation list to obtain the revokedSubCA (device revoked-sub-certificate parameter) list value, and then extracts the SubCAID (device sub-certificate identifier) from the target parameters. The revocation schemes preset in the certificate revocation list include a first scheme: judging whether the extracted device sub-certificate identifier is the same as a value in the device revoked-sub-certificate parameter list.
Further specifically: the extracted SubCAID is matched one by one against the revokedSubCA list, i.e. it is queried whether the same SubCAID exists in revokedSubCA (device revoked-sub-certificate parameter). If the SubCAID exists in the revokedSubCA list, the certificate belongs to a revoked sub-CA, which indicates that the digital certificate has been revoked and the certificate chain is invalid.
In some embodiments, referring to fig. 4, step S300 further includes the following steps:
by executing step S200, target parameters in the digital certificate are obtained, where the target parameters include: a device organization identifier;
the revoking scheme comprises a second scheme, correspondingly, whether the digital certificate is revoked is judged based on the revoking scheme and the target parameters, and the method comprises the following steps:
s321, if the equipment revoke certificate parameter is different from the equipment sub-certificate identifier, acquiring an equipment revoke organization parameter in the second scheme;
S322, judging whether the device revoked-organization parameter is the same as the device organization identifier.
If the device revoked-organization parameter is the same as the device organization identifier, step S400 is executed to determine that the digital certificate is revoked.
If the device revoked-organization parameter is not the same as the device organization identifier, step S331 is executed to obtain the device revocation parameter interval in the third scheme.
Further, the device organization identifier among the target parameters, i.e. the OrganizationID, is extracted from the digital certificate obtained from the target device to be verified; it is compared with the device revoked-organization parameter in the revocation scheme in order to determine whether the digital certificate has been revoked.
The second scheme in the revocation schemes is as follows: if the device revoked-sub-certificate parameter in the first scheme is different from the device sub-certificate identifier, the OrganizationID (device organization identifier) is extracted from the target parameters, and it is judged whether the extracted device organization identifier is the same as any value in the device revoked-organization parameter list.
The device revoked-organization parameter identifies the certificates belonging to a revoked device manufacturer and is compared with the device organization identifier in the target parameters to judge whether the digital certificate is revoked. It may be defined as the revokedOrganization parameter, which is extracted from the revocation scheme in the preset revocation list.
In specific implementation, after receiving the digital certificate of the target device, the verifier parses the preset certificate revocation list to obtain the revokedOrganization (device revoked-organization parameter) list value. The revocation schemes preset in the certificate revocation list include a second scheme: if the device revoked-sub-certificate parameter in the first scheme is different from the device sub-certificate identifier, the OrganizationID (device organization identifier) is extracted from the target parameters, and it is judged whether the extracted device organization identifier is the same as a value in the device revoked-organization parameter list.
Further specifically: the extracted OrganizationID is matched one by one against the revokedOrganization list, i.e. it is queried whether the same OrganizationID exists in the revokedOrganization list. If the OrganizationID exists in the revokedOrganization list, the certificate belongs to a device manufacturer that has already been revoked, which indicates that the digital certificate has been revoked and the device certificate is invalid.
In some embodiments, referring to fig. 4, step S300 further includes the following steps:
by executing step S200, target parameters in the digital certificate are obtained, where the target parameters include: a device identification;
the revoking scheme comprises a third scheme, correspondingly, whether the digital certificate is revoked is judged based on the revoking scheme and the target parameter, and the method comprises the following steps:
S331, if the device revoked-organization parameter is different from the device organization identifier, acquiring the device revocation parameter interval in the third scheme;
S332, judging whether the device revocation parameter interval includes the device identifier.
If the equipment revoke parameter interval includes the equipment identifier, step S400 is executed to determine that the digital certificate has been revoked.
If the device revocation parameter interval does not include the device identifier, step S341 is executed to obtain the device revocation parameter in the fourth scheme.
Further, the device identifier among the target parameters, i.e. the DeviceID, is extracted from the digital certificate obtained from the target device to be verified; it is compared with the device revocation parameter interval in the revocation scheme in order to determine whether the digital certificate has been revoked.
The third scheme in the revocation schemes is as follows: if the device organization identifier in the second scheme is different from every value in the device revoked-organization parameter list, the DeviceID (device identifier) is extracted from the target parameters, and it is judged whether any device revocation interval includes the device identifier.
The device revocation interval records a range of revoked certificate identifiers and is compared with the device identifier in the target parameters to judge whether the digital certificate is revoked. It may be defined as the revokedRange parameter, which is extracted from the revocation scheme in the preset revocation list.
In specific implementation, after receiving the digital certificate of the target device, the verifier parses the preset certificate revocation list to obtain the revokedRange (device revocation interval) list value. The revocation schemes preset in the certificate revocation list include a third scheme: if the device revoked-organization parameter in the second scheme is different from the device organization identifier, the DeviceID (device identifier) is extracted from the target parameters, and it is judged whether a device revocation interval includes the device identifier.
Further specifically: the extracted DeviceID is matched one by one against the revokedRange list values. For any entry of revokedRange, the first 40 bits are read as the starting certificate ID1 and the last 40 bits as the ending certificate ID2 (all certificates between the starting certificate ID1 and the ending certificate ID2 are revoked), and it is queried whether the DeviceID lies between ID1 and ID2. If a revokedRange entry includes the DeviceID, the certificate belongs to a revoked device certificate, which indicates that the digital certificate has been revoked and the device certificate is invalid.
In some embodiments, referring to fig. 4, step S300 further includes the following steps:
by executing step S200, target parameters in the digital certificate are obtained, where the target parameters include: a device identification;
the revoking scheme comprises a fourth scheme, correspondingly, whether the digital certificate is revoked is judged based on the revoking scheme and the target parameters, and the method comprises the following steps:
S341, if the device revocation parameter interval does not include the device identifier, acquiring the device revocation parameter in the fourth scheme;
S342, judging whether the device revocation parameter is the same as the device identifier.
If the equipment revoke parameter is the same as the equipment identifier, step S400 is executed to determine that the digital certificate has been revoked, and determine that the target equipment is illegal.
If the equipment revoking parameter is different from the equipment identifier, step S500 is executed to determine that the digital certificate is not revoked, and determine that the target equipment is legal equipment.
Further, the device identifier among the target parameters is extracted from the digital certificate obtained from the target device to be verified; it is compared with the device revocation parameter in the revocation scheme in order to determine whether the digital certificate has been revoked.
The fourth scheme in the revocation schemes is as follows: if the device revocation interval in the third scheme does not include the device identifier, the DeviceID (device identifier) is extracted from the target parameters, and it is judged whether any extracted device revocation parameter is the same as the device identifier.
The device revocation parameter records the identifier of a single revoked certificate and is compared with the device identifier in the target parameters to judge whether the digital certificate is revoked. It may be defined as the RevokedSingle parameter, which is extracted from the revocation scheme in the preset revocation list.
In specific implementation, after receiving the digital certificate of the target device, the verifier parses the preset certificate revocation list to obtain the RevokedSingle (device revocation parameter) list value. The revocation schemes preset in the certificate revocation list include a fourth scheme: if the device revocation parameter interval in the third scheme does not include the device identifier, the DeviceID (device identifier) is extracted from the target parameters, and it is judged whether an extracted device revocation parameter is the same as the device identifier.
Further specifically explained is: and performing one-to-one matching judgment on the extracted DeviceID and the RevokedSingle list value, inquiring whether the same DeviceID exists in RevokedSingle, and if the RevokedSingle list value comprises the DeviceID, indicating that the certificate belongs to the revoked device certificate, indicating that the digital certificate is revoked, and indicating that the device certificate is illegal.
If the equipment revoke parameter is not the same as the equipment identification, the digital certificate is not revoked, and the equipment certificate is legal.
S400, if the digital certificate is revoked, the target device is determined to be illegal.
And if the digital certificate of the target equipment is revoked, the target equipment to be detected can be determined to be illegal equipment.
In some embodiments, referring to fig. 4, the embodiments of the present application specifically further include:
step S500, if the equipment revoke parameter is different from the equipment identification, the digital certificate is judged not to be revoked, and the target equipment is determined to be legal equipment.
And if the equipment revoking parameter is different from the equipment identifier, judging that the digital certificate is not revoked, so that the target equipment to be detected can be determined to be legal equipment.
Generally, in the fourth one of the revocation approaches described above, when the apparatus revocation parameter is different from the apparatus identification, it is determined that the digital certificate is not revoked.
Further, in the above-mentioned multiple revoking schemes, when the digital certificate is not revoked, it is determined that the target device to be detected is a legal device.
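The following Python block is an added example written for this page, not code from the patent or its assignee. It implements the verifier side of the four schemes above in the prescribed order (S311 through S342, with S400 on any match and S500 on none), including the 40-bit split of a revokedRange entry and a malformed-entry check. Everything beyond what the page states is an assumption: which subject attributes carry the identifiers (serialNumber and O on the device certificate, CN on the sub-CA certificate), the encoding of a revokedRange entry as 10 bytes with ID1 in the first 40 bits and ID2 in the last 40, and all sample identifiers and list values, which are constructed.

```python
"""Verifier-side check for the four revocation schemes (revokedSubCA,
revokedOrganization, revokedRange, revokedSingle), applied in the order the
patent prescribes (S311 -> S321 -> S331 -> S341).  Example code written for
this page; not the patent applicant's implementation."""
from __future__ import annotations

from dataclasses import dataclass, field

DEVICE_ID_BITS = 40                        # the page reads 40-bit start/end IDs from a range entry
RANGE_ENTRY_LEN = 2 * DEVICE_ID_BITS // 8  # 10 bytes: first 40 bits = ID1, last 40 bits = ID2


@dataclass
class TargetParams:
    """The three target parameters extracted from the certificate chain."""
    device_id: int          # DeviceID, from the device certificate subject
    organization_id: str    # OrganizationID, from the device certificate subject
    sub_ca_id: str          # SubCAID, from the device sub-CA certificate subject


@dataclass
class RevocationList:
    """The preset revocation list with its four scheme parameters."""
    revoked_sub_ca: set[str] = field(default_factory=set)
    revoked_organization: set[str] = field(default_factory=set)
    revoked_range: list[bytes] = field(default_factory=list)   # 10-byte entries (assumption)
    revoked_single: set[int] = field(default_factory=set)


def extract_target_params(chain: list[dict]) -> TargetParams:
    """DeviceID/OrganizationID come from the device certificate subject, SubCAID from
    the sub-CA certificate subject.  Which attribute (serialNumber, O, CN) holds which
    ID is an assumption of this example; the page only names the certificate."""
    device = next(c for c in chain if c["role"] == "device")
    sub_ca = next(c for c in chain if c["role"] == "subca")
    return TargetParams(
        device_id=int(device["subject"]["serialNumber"], 16),
        organization_id=device["subject"]["O"],
        sub_ca_id=sub_ca["subject"]["CN"],
    )


def make_range(start_id: int, end_id: int) -> bytes:
    """Encode a revokedRange entry: ID1 in the first 40 bits, ID2 in the last 40."""
    if not 0 <= start_id <= end_id < (1 << DEVICE_ID_BITS):
        raise ValueError("range must satisfy 0 <= ID1 <= ID2 < 2**40")
    return start_id.to_bytes(5, "big") + end_id.to_bytes(5, "big")


def split_range(entry: bytes) -> tuple[int, int]:
    """Decode a revokedRange entry, rejecting malformed ones instead of silently
    treating them as an empty or unbounded interval."""
    if len(entry) != RANGE_ENTRY_LEN:
        raise ValueError(f"range entry must be {RANGE_ENTRY_LEN} bytes")
    start_id = int.from_bytes(entry[:5], "big")
    end_id = int.from_bytes(entry[5:], "big")
    if start_id > end_id:
        raise ValueError("malformed range entry: ID1 > ID2")
    return start_id, end_id


def check_revocation(params: TargetParams, crl: RevocationList) -> tuple[bool, str]:
    """Return (revoked, matched_scheme).  A hit in any scheme is S400 (revoked);
    no hit in all four is S500 (not revoked, device legal)."""
    # First scheme (S311/S312): SubCAID against revokedSubCA.
    if params.sub_ca_id in crl.revoked_sub_ca:
        return True, "revokedSubCA"
    # Second scheme (S321/S322): OrganizationID against revokedOrganization.
    if params.organization_id in crl.revoked_organization:
        return True, "revokedOrganization"
    # Third scheme (S331/S332): DeviceID inside any [ID1, ID2] interval.
    for entry in crl.revoked_range:
        start_id, end_id = split_range(entry)
        if start_id <= params.device_id <= end_id:
            return True, "revokedRange"
    # Fourth scheme (S341/S342): DeviceID against revokedSingle.
    if params.device_id in crl.revoked_single:
        return True, "revokedSingle"
    return False, "none"


# Constructed sample revocation list (not real identifiers).
SAMPLE_CRL = RevocationList(
    revoked_sub_ca={"SubCA-0007"},
    revoked_organization={"ORG-0042"},
    revoked_range=[make_range(0x1000, 0x1FFF)],
    revoked_single={0x2A00},
)


def sample_chain(device_id: int, org_id: str, sub_ca_id: str) -> list[dict]:
    """A two-certificate chain modelled as subject attribute maps (constructed)."""
    return [
        {"role": "subca", "subject": {"CN": sub_ca_id, "O": "Root-Issuer"}},
        {"role": "device", "subject": {"serialNumber": f"{device_id:010X}", "O": org_id}},
    ]


def verify_chain(chain: list[dict], crl: RevocationList = SAMPLE_CRL) -> tuple[bool, str]:
    """Extract the target parameters from the chain, then run the four-scheme check."""
    return check_revocation(extract_target_params(chain), crl)


if __name__ == "__main__":
    for dev, org, sub in [(0x3000, "ORG-0001", "SubCA-0007"), (0x1ABC, "ORG-0001", "SubCA-0001"),
                          (0x3000, "ORG-0001", "SubCA-0001")]:
        print(hex(dev), org, sub, "->", verify_chain(sample_chain(dev, org, sub)))
```

The scheme order only decides which scheme is reported for a certificate matched by more than one; the verdict is the same whichever order is used. In deployment the check belongs after the chain signatures and the signature on the revocation list itself have been verified, since an unauthenticated list lets an attacker either un-revoke a device or revoke a legitimate fleet by supplying one 10-byte range entry.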
In some embodiments, a device digital certificate revocation electronic device, comprising: a processor and a memory, wherein the memory is for storing an executable program which when executed performs the method as described above.
In some embodiments, the computer-readable storage medium stores executable instructions that are executable by a computer.
The memory is used for storing information, and storing programs and data necessary for the operation of the computer. It includes an internal memory and an external memory.
This section describes in detail specific embodiments of the present invention, and the drawings are for the purpose of graphically presenting an intuitive and visual understanding of each feature and every technical solution of the present invention, and are not to be construed as limiting the scope of the present invention.
While the present invention has been described with reference to the preferred embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but is intended to cover various modifications, additions, substitutions and equivalents which may be made by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (9)

1. A device digital certificate revocation method, characterized by comprising the following steps:
acquiring a digital certificate of a target device to be verified, and acquiring a preset revocation list, wherein a revocation scheme is preset in the revocation list;
acquiring target parameters in the digital certificate, the target parameters including a device sub-certificate identifier, and the revocation scheme comprising a first scheme;
determining whether the digital certificate has been revoked based on the revocation scheme and the target parameters, which comprises: acquiring the device revoked-sub-certificate parameter in the first scheme; and judging whether the device revoked-sub-certificate parameter is the same as the device sub-certificate identifier;
and if the device revoked-sub-certificate parameter is the same as the device sub-certificate identifier, judging that the digital certificate has been revoked, and determining that the target device is an illegal device.
2. The device digital certificate revoking method according to claim 1, wherein the digital certificate is issued to the target device by the steps of:
writing a plurality of target parameters into a digital certificate to be issued;
signing the digital certificate with the plurality of target parameters;
and issuing the digital certificate to the target equipment.
3. The device digital certificate revocation method of claim 1, wherein the preset revocation list is generated by:
adding a private extension item to an initial revocation list to obtain an extensible revocation list;
and presetting a plurality of revocation schemes based on the extensible revocation list to obtain the preset revocation list.
4. The device digital certificate revocation method according to claim 3,
the target parameters include: a device organization identifier, the revocation scheme comprising a second scheme;
correspondingly, the determining whether the digital certificate has been revoked based on the revocation scheme and the target parameter includes:
if the equipment revoke certificate parameter is different from the equipment sub-certificate identifier, acquiring an equipment revoke organization parameter in the second scheme;
judging whether the device revoked-organization parameter is the same as the device organization identifier;
and if the equipment revoke organization parameters are the same as the equipment organization identifiers, judging that the digital certificate is revoked.
5. The device digital certificate revocation method of claim 4,
the target parameters include: a device identifier, the revocation scheme comprising a third scheme;
correspondingly, the judging whether the digital certificate is revoked based on the revocation scheme and the target parameter comprises the following steps:
if the device revoked-organization parameter is different from the device organization identifier, acquiring the device revocation parameter interval in the third scheme;
judging whether the device revocation parameter interval includes the device identifier;
and if the equipment revoking parameter interval comprises the equipment identification, judging that the digital certificate is revoked.
6. The apparatus digital certificate revocation method of claim 5,
the target parameters include: a device identifier, the revocation scheme comprising a fourth scheme;
correspondingly, the determining whether the digital certificate has been revoked based on the revocation scheme and the target parameter includes:
if the device revocation parameter interval does not include the device identifier, acquiring the device revocation parameter in the fourth scheme;
judging whether the device revocation parameter is the same as the device identifier;
and if the equipment revoking parameters are the same as the equipment identification, judging that the digital certificate is revoked.
7. The apparatus digital certificate revoking method according to claim 6, further comprising:
if the equipment revoke parameter is different from the equipment identifier, judging that the digital certificate is not revoked;
and if the digital certificate is not revoked, determining that the target equipment is legal equipment.
8. A device digital certificate revocation electronic device, characterized by comprising:
a processor;
a memory for storing an executable program;
wherein, when the executable program is executed by the processor, the electronic device implements the device digital certificate revocation method according to any one of claims 1 to 6.
9. A computer-readable storage medium having stored thereon executable instructions that are executable by a computer to cause the computer to perform the apparatus digital certificate revocation method according to any one of claims 1 to 6.
CN202110355189.6A 2021-04-01 2021-04-01 Equipment digital certificate revocation method, electronic equipment and computer readable storage medium Active CN113242130B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110355189.6A CN113242130B (en) 2021-04-01 2021-04-01 Equipment digital certificate revocation method, electronic equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN113242130A CN113242130A (en) 2021-08-10
CN113242130B true CN113242130B (en) 2022-07-22

Family

ID=77130903

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110355189.6A Active CN113242130B (en) 2021-04-01 2021-04-01 Equipment digital certificate revocation method, electronic equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN113242130B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7117360B1 (en) * 2001-07-09 2006-10-03 Sun Microsystems, Inc. CRL last changed extension or attribute
CN106330449A (en) * 2015-07-02 2017-01-11 西安西电捷通无线网络通信股份有限公司 Method for verifying validity of digital certificate and authentication server
CN110858804A (en) * 2018-08-25 2020-03-03 华为技术有限公司 Method for determining certificate status

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020073310A1 (en) * 2000-12-11 2002-06-13 Ibm Corporation Method and system for a secure binding of a revoked X.509 certificate to its corresponding certificate revocation list
CN1477565A (en) * 2003-07-18 2004-02-25 新 李 Improvement on digital certificale revoking mode
US8280020B2 (en) * 2007-02-06 2012-10-02 Alcatel Lucent Transparent caller name authentication for authorized third party callers

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant