CN113300848B - Method and device for determining certificate state - Google Patents

Info

Publication number
CN113300848B
Authority
CN
China
Prior art keywords
certificate
response message
verified
cache
storage area
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110442910.5A
Other languages
Chinese (zh)
Other versions
CN113300848A (en)
Inventor
王鹏程
胡海鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Netease Hangzhou Network Co Ltd
Original Assignee
Netease Hangzhou Network Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Netease Hangzhou Network Co Ltd filed Critical Netease Hangzhou Network Co Ltd
Priority to CN202110442910.5A priority Critical patent/CN113300848B/en
Publication of CN113300848A publication Critical patent/CN113300848A/en
Application granted granted Critical
Publication of CN113300848B publication Critical patent/CN113300848B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Abstract

The invention discloses a method and a device for determining certificate status. The method comprises: receiving a request message sent by a client, wherein the information carried in the request message at least comprises a certificate to be verified; determining a cache key associated with the certificate to be verified; and, when a response message corresponding to the cache key is detected in a preset storage area, sending the response message to the client so that the client can determine from it whether the certificate to be verified is in an invalid state. The invention solves the technical problem in the prior art that network resource consumption is high when determining the certificate verification state because the certificate and the response message are directly associated.

Description

Method and device for determining certificate state
Technical Field
The present invention relates to the field of network communications, and in particular, to a method and an apparatus for determining a certificate status.
Background
On the internet, digital certificates can be used to identify the communicating parties. When a digital certificate is transmitted and stored, the integrity of its data must be guaranteed; otherwise the digital certificate is considered invalid.
In the prior art, OCSP (Online Certificate Status Protocol) may be used to verify the validity of a digital certificate. When a client needs to verify whether an X.509 certificate is valid at the current time, it sends a request to the OCSP server. The OCSP server returns an OCSP response containing a timestamp and signs the response using the key of the certificate issuer. After obtaining the OCSP response, the client performs the verification using the public key of the certificate issuer and thereby determines whether the certificate is valid at the current time.
In the above process, the reliability of the OCSP response is determined by the signature of the certificate issuer, regardless of the method by which the client obtains the OCSP response. The client can confirm the validity of the digital certificate as long as the client can obtain the OCSP response with the correct signature, so the OCSP server can be any server, and the client is not required to directly access the server controlled by the certificate issuer.
In practice, when a client initiates a connection request to an OCSP server, a TLS (Transport Layer Security) server may substitute for the OCSP server: an OCSP response obtained in advance is placed in the TLS handshake and sent to the client along with it, which saves the client the overhead of requesting the OCSP server itself and speeds up the client's connection. The TLS server also caches the OCSP response for reuse when the next client connects, avoiding repeated requests to the OCSP server. This process is OCSP stapling (also rendered as OCSP binding).
The entry point of a TLS deployment, such as a load balancing server, typically supports OCSP stapling to optimize client connection speed. Typical load balancing server software generally handles OCSP responses in one of the following two ways:
The first method: the user must specify a separate OCSP response file for each digital certificate, providing the OCSP response in the form of a file. During operation the TLS server does not update the OCSP response, and there is no caching mechanism.
The second method: when a user enables the OCSP response function for a certificate, the TLS server sends a request to the corresponding OCSP server to acquire an OCSP response, caches it in the TLS server's memory, and requests an update before the validity period of the OCSP response expires.
Both methods can be implemented by setting an OpenSSL (Open Secure Sockets Layer) callback function and creating an associated OCSP context structure for each certificate. When OpenSSL needs to send an OCSP response, it executes the callback function, which reads the OCSP response from the structure associated with the certificate and passes it to OpenSSL for processing. Specifically, the TLS server loads the X.509 certificate to generate a certificate structure S1, creates an associated OCSP response structure S2 for S1, and associates S1 with S2. When a client requests the X.509 certificate in S1, the TLS server reads the OCSP response in S2 according to the association and sends it to the client.
However, in conventional OCSP stapling, OCSP responses are usually associated with X.509 certificates one-to-one. When there are many X.509 certificates and some are duplicates (for example, a load balancing server serves a large number of domain names on a single server, and the certificates used by these domain names may contain duplicates), the cached OCSP responses are duplicated as well, which wastes storage resources and increases the number of requests to the OCSP server. In addition, when X.509 certificates change frequently, for example when the certificate used for a TLS connection must be selected dynamically according to the client's request, the cached OCSP response is deleted along with the X.509 certificate. The next time the same certificate is used, the OCSP response must be obtained again, so the cache hit frequency of OCSP stapling falls and the frequency of client requests to the OCSP server rises.
When OCSP stapling misses the cache, the TLS server generally continues the handshake without an OCSP response, and the client must then request the OCSP response from the OCSP server itself, which slows down the connection between the client and the TLS server. More requests to the OCSP server waste the TLS server's own network resources and also put pressure on the OCSP server. A large server cluster may contain many TLS servers, which further increases the consumption of network resources.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
Embodiments of the present invention provide a method and an apparatus for determining a certificate status, so as to at least solve the technical problem in the prior art that network resource consumption is large when determining a certificate verification status due to direct association between a certificate and a response message.
According to an aspect of an embodiment of the present invention, a method for determining a certificate status is provided, including: receiving a request message sent by a client, wherein the information carried in the request message at least comprises certificate information of a certificate to be verified; calculating a cache key corresponding to the certificate to be verified according to the certificate information; and, when a response message corresponding to the cache key is detected in the preset storage area, sending the response message to the client so that the client determines from it whether the certificate to be verified is in an invalid state.
Further, the method for determining the certificate status further comprises: acquiring an issuer key identifier and a subject key identifier corresponding to the certificate to be verified; and determining a cache key associated with the certificate to be verified based on the issuer key identifier and the subject key identifier.
Further, the method for determining the certificate status further comprises: acquiring an issuer name corresponding to the certificate to be verified and a certificate serial number corresponding to the certificate to be verified; and determining a cache key associated with the certificate to be verified based on the issuer name and the certificate serial number.
Further, the method for determining the certificate status further comprises: acquiring certificate content corresponding to the certificate to be verified; and calculating the hash value of the certificate content to obtain a cache key associated with the certificate to be verified.
Further, the method for determining the certificate status further comprises: when no response message corresponding to the cache key is detected in the preset storage area, creating the preset storage area; acquiring a response message corresponding to the certificate to be verified from a preset server; and storing the cache key and the response message in the preset storage area so as to associate the cache key with the response message.
Further, the method for determining the certificate status further comprises: after the cache key and the response message are stored in the preset storage area, creating a timer corresponding to the response message, wherein the timer records the effective remaining duration of the response message.
Further, the method for determining the certificate status further comprises: detecting the effective remaining duration corresponding to the response message; and sending the response message to the client when the effective remaining duration is greater than the first preset duration.
Further, the method for determining the certificate status further comprises: updating the response message cached in the preset storage area when the effective remaining duration is less than or equal to the first preset duration.
Further, the method for determining the certificate status further comprises: acquiring the response message from the preset server, and resetting the timer corresponding to the response message.
Further, the method for determining the certificate status further comprises: detecting whether the certificate to be verified is in a destruction state; when the certificate to be verified is in a destruction state, releasing the memory occupied by the certificate to be verified, and detecting a first duration for which the response message has been in an idle state; and, when the first duration is longer than the second preset duration and the effective remaining duration is shorter than the third preset duration, deleting the timer corresponding to the response message and deleting the response message from the preset storage area.
According to another aspect of the embodiments of the present invention, there is also provided an apparatus for determining a certificate status, including: a receiving module, configured to receive a request message sent by a client, where the information carried in the request message at least includes certificate information of a certificate to be verified; a computing module, configured to calculate a cache key corresponding to the certificate to be verified according to the certificate information; and a determining module, configured to send a response message to the client when a response message corresponding to the cache key is detected in the preset storage area, so that the client determines from the response message whether the certificate to be verified is in an invalid state.
According to another aspect of the embodiments of the present invention, there is also provided a non-volatile storage medium having a computer program stored therein, wherein the computer program is configured to execute the above-mentioned method for determining the status of the certificate when running.
According to another aspect of the embodiments of the present invention, there is also provided a processor for executing a program, where the program is configured to execute the above-mentioned method for determining the status of the certificate when running.
In the embodiment of the invention, the certificate to be verified is associated with the response message through a cache key. After a request message containing the certificate information of the certificate to be verified is received from a client, the cache key corresponding to the certificate to be verified is calculated from the certificate information, and when a response message corresponding to the cache key is detected in the preset storage area, the response message is sent to the client, so that the client determines from it whether the certificate to be verified is in an invalid state.
In this process, the certificate to be verified and the response message are decoupled: they are not directly associated, but are associated through the cache key as an intermediary. When the response message is needed, the cache key is used to query the preset storage area for it, which improves the cache hit rate, reduces the frequency of requests sent by the client to the server, and reduces the load on the server.
Therefore, the scheme provided by the application achieves the purpose of caching the response message corresponding to the certificate, so that the technical effect of reducing network resource consumption is achieved, and the technical problem that in the prior art, the network resource consumption is large when the certificate state is determined due to the fact that the certificate and the response message are directly associated is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention and do not constitute a limitation of the invention. In the drawings:
FIG. 1 is a flow diagram of a method for determining certificate status according to an embodiment of the invention;
FIG. 2 is a schematic diagram of an alternative request response message in accordance with an embodiment of the present invention;
FIG. 3 is a schematic diagram of the creation of an alternative storage area according to an embodiment of the invention;
FIG. 4 is a diagram illustrating an alternative deletion of a certificate to be authenticated according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a certificate status determination apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
In accordance with an embodiment of the present invention, an embodiment of a method for certificate status determination is provided. It should be noted that the steps illustrated in the flowchart of the accompanying drawings may be performed in a computer system, such as one executing a set of computer-executable instructions, and that although a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in a different order.
It should be noted that a proxy server, for example, a TLS (Transport Layer Security) server, may be used as the execution subject of the method provided in this embodiment.
Fig. 1 is a flowchart of a method for determining a certificate status according to an embodiment of the present invention, and as shown in fig. 1, the method includes the following steps:
Step S102: receiving a request message sent by a client, wherein the information carried in the request message at least comprises certificate information of the certificate to be verified.
In step S102, the client may be, but is not limited to, a TLS (Transport Layer Security) client, and the certificate to be verified may be a digital certificate, for example an X.509 certificate. The certificate information of the certificate to be verified includes, but is not limited to, an issuer key identifier, a subject key identifier, an issuer name, a serial number of the certificate to be verified, certificate contents, and the like.
Optionally, FIG. 2 shows a schematic diagram of an optional request for a response message. In FIG. 2, the TLS client sends the TLS server a request message requesting the response message. After receiving the request message, the TLS server parses it to determine the certificate that the user wants verified; in FIG. 2, for example, the user needs to verify the X.509 certificate.
Step S104: calculating a cache key corresponding to the certificate to be verified according to the certificate information.
In step S104, the cache key is an identifier that uniquely determines the certificate to be verified; that is, for the same digital certificate, the corresponding cache key is unique.
Optionally, after acquiring the certificate to be verified, the TLS server parses it to obtain its certificate information and then calculates the cache key of the certificate to be verified from that certificate information.
Step S106: when a response message corresponding to the cache key is detected in the preset storage area, sending the response message to the client so that the client can determine from it whether the certificate to be verified is in an invalid state.
In step S106, the preset storage area is set in a proxy server (e.g., TLS server), for example, an OCSP cache structure in fig. 2. As can be seen from fig. 2, the predetermined storage area stores a plurality of response messages (e.g., OCSP responses in fig. 2), wherein the OCSP responses include, but are not limited to, protocol versions, certificate issuer identifications, response generation times, hash values of issuer identifications, hash values of issuer keys, certificate serial numbers, certificate statuses (e.g., valid status, revocation status), response update times, signature algorithms, signature values, and the like.
In addition, the cache key is stored in a sub-storage area of the preset storage area together with the response message, for example, in fig. 2, each OCSP response corresponds to one sub-storage area of the preset storage area. It is easy to note that since the cache key and the response message are stored in the same sub-storage area, an association relationship between the cache key and the response message is established, and the TLS server can determine the response message corresponding to the certificate to be verified through the cache key corresponding to the certificate to be verified.
In an alternative embodiment, as shown in FIG. 2, after obtaining the cache key associated with the certificate to be verified, the TLS server queries the preset storage area for the OCSP response corresponding to the cache key. If a response message corresponding to the cache key exists in the preset storage area, the TLS server sends the OCSP response to the TLS client and at the same time sends the public part of the X.509 certificate to the TLS client. After receiving the OCSP response, the TLS client verifies the OCSP response using the public key of the issuer included in the X.509 certificate, thereby determining whether the X.509 certificate is valid at the current time.
It should be noted that, in this embodiment, when the TLS server loads the certificate to be verified, it does not directly create the preset storage area but uses the cache key to query the preset storage area for the corresponding response message. This avoids the drop in OCSP stapling cache hits that results when the TLS server obtains the response message directly from the OCSP server, and reduces the number of requests to the OCSP server.
Based on the scheme defined in steps S102 to S106, the embodiment of the present invention associates the certificate to be verified with the response message through a cache key. After a request message containing the certificate information of the certificate to be verified is received from the client, the cache key corresponding to the certificate to be verified is calculated from the certificate information, and when a response message corresponding to the cache key is detected in the preset storage area, the response message is sent to the client, so that the client determines from it whether the certificate to be verified is in an invalid state.
It is easy to note that, in the above process, the certificate to be verified and the response message are decoupled: they are not directly associated but are associated through the cache key as an intermediary. When the response message is needed, the cache key is used to query the preset storage area for it, which improves the cache hit rate, reduces the number and frequency of requests sent from the client to the server, and reduces the load on the server.
Therefore, the scheme provided by the application achieves the purpose of caching the response message corresponding to the certificate, thereby achieving the technical effect of reducing the consumption of network resources, and further solving the technical problem of high consumption of network resources in the prior art when the certificate state is determined due to the direct association between the certificate and the response message.
In an alternative embodiment, the TLS server may calculate the cache key corresponding to the certificate to be verified in any one of three ways:
The first method: acquire the issuer key identifier and the subject key identifier corresponding to the certificate to be verified, and determine the cache key associated with the certificate to be verified based on them. That is, the TLS server calculates the cache key corresponding to the X.509 certificate from the AKID (Authority Key Identifier) and the SKID (Subject Key Identifier) of the certificate to be verified.
The second method: acquire the issuer name corresponding to the certificate to be verified and the certificate serial number corresponding to the certificate to be verified, and determine the cache key associated with the certificate to be verified based on the issuer name and the certificate serial number.
The third method: acquire the certificate content corresponding to the certificate to be verified, and calculate the hash value of the certificate content to obtain the cache key associated with the certificate to be verified. That is, the cache key is determined by the hash value of the certificate content of the certificate to be verified.
In an optional embodiment, after determining a cache key corresponding to a certificate to be verified, the TLS server detects whether a response message corresponding to the cache key exists in a preset storage area, wherein when it is detected that the response message corresponding to the cache key does not exist in the preset storage area, the TLS server creates the preset storage area, acquires the response message corresponding to the certificate to be verified from the preset server, and then stores the cache key and the response message into the preset storage area so as to associate the cache key with the response message.
Optionally, in the creating schematic diagram of the storage area shown in fig. 3, when the response message corresponding to the cache key does not exist in the preset storage area, the TLS server creates the preset storage area (i.e., an OCSP cache structure), and stores the cache key into the preset storage area. Meanwhile, the TLS server acquires an OCSP response corresponding to the certificate to be verified from the OCSP server according to the certificate information contained in the certificate to be verified, and stores the OCSP response into a preset storage area.
It should be noted that, as can be seen from the above, when the TLS server loads the X.509 certificate, it does not directly create the OCSP storage structure but uses a cache key to query the OCSP cache structure. If a matching OCSP response already exists in the OCSP cache structure, the TLS server uses it directly and sends it to the client, so that the client verifies the validity of the certificate to be verified; this reduces the overhead of creating the OCSP storage and updating the OCSP response. If no matching OCSP response exists in the OCSP cache structure, the TLS server sends a request to the OCSP server to obtain the OCSP response corresponding to the certificate to be verified and stores the obtained OCSP response in the cache structure.
In an optional embodiment, after storing the cache key and the response message into the preset storage area, the TLS server further creates a timer corresponding to the response message, where the timer is used to record the remaining effective duration of the response message.
It should be noted that the timer is also stored in the preset storage area, and different response messages correspond to different timers; that is, response messages and timers are in one-to-one correspondence, so each response message has an independent effective duration.
In an alternative embodiment, upon detecting that a response message corresponding to the cache key exists in the preset storage area, the TLS server sends the response message to the client. Specifically, the TLS server detects an effective remaining duration corresponding to the response message, and sends the response message to the client when the effective remaining duration is greater than a first preset duration; and under the condition that the effective residual time is less than or equal to the first preset time, the TLS server updates the response message cached in the preset storage area.
It should be noted that, each time the TLS server reads the response message from the preset storage area, the TLS server also detects the valid remaining time corresponding to the response message. The valid remaining time length corresponding to the response message represents the valid time length that the response message can be used. If the valid remaining time is less than or equal to a first preset time (e.g., 30 minutes), an update procedure of the response message is started to request a new response message from the OCSP server.
Specifically, the TLS server obtains a response message from the preset server, and resets a timer corresponding to the response message. The preset server is an OCSP server.
It should be noted that, if a plurality of certificates to be verified correspond to the same response message, the update process for the response message is started only once, thereby reducing the overhead of the update process for the system. In addition, if multiple certificates to be verified correspond to the same response message, that is, multiple certificates to be verified have the same cache key, the TLS server may store only one response message.
In addition, it should be noted that by uniformly updating the response messages, it is avoided that the response messages corresponding to a plurality of certificates to be verified are respectively updated, thereby reducing resource consumption of the TLS server.
In an optional embodiment, the TLS server further detects whether the certificate to be verified is in a destroyed state. When the certificate to be verified is in the destroyed state, the TLS server releases the memory occupied by the certificate to be verified and detects a first duration for which the response message has been in an idle state. When the first duration is longer than a second preset duration and the remaining valid duration is shorter than a third preset duration, the TLS server deletes the timer corresponding to the response message and deletes the response message from the preset storage area.
Optionally, in the schematic diagram of deleting the certificate to be verified shown in Fig. 4, after deleting the X.509 certificate, the TLS server releases the memory occupied by the X.509 certificate; at this point the TLS server does not process the OCSP response corresponding to the X.509 certificate. If the OCSP response is not used afterwards, that is, the OCSP response remains in an idle state for a long time, then when the valid remaining duration of the OCSP response runs out (that is, the valid remaining duration is less than a third preset duration), the timer corresponding to the OCSP response is deleted, and the OCSP response is deleted from the preset cache region. In other words, when the X.509 certificate is destroyed, the OCSP response corresponding to the certificate is not destroyed but remains in the preset cache region, and if no other X.509 certificate uses the OCSP response before its remaining validity duration is over, the TLS server deletes the OCSP response from the preset cache region.
It should be noted that keeping the OCSP response after the X.509 certificate is destroyed increases the cache hit rate when X.509 certificates are dynamically added and deleted and improves the connection speed of the client; at the same time, it prevents the TLS server from repeatedly creating and acquiring the OCSP response and reduces server overhead.
As can be seen from the above, in the solution provided in this embodiment, the OCSP response is stored in a dedicated preset cache region, so that the reuse rate and the cache hit rate of the OCSP response are improved, the probability that a client connection request obtains the OCSP response is increased, the speed at which the client completes the TLS connection is improved, and the resources consumed by the TLS server for storing, acquiring, and updating the OCSP response are reduced. In addition, in the present application, when the TLS server loads the X.509 certificate, caching reduces the storage overhead of the OCSP response and the number of queries to the OCSP server. In addition, by updating OCSP responses uniformly, the scheme provided by the application avoids updating the OCSP responses corresponding to multiple X.509 certificates separately, thereby reducing the resource consumption of the TLS server. Finally, by keeping the OCSP response after the X.509 certificate is destroyed, the scheme provided by the application improves the cache hit rate when X.509 certificates are dynamically added and deleted, improves the connection speed of the client, prevents the TLS server from repeatedly creating and obtaining the OCSP response, and reduces server overhead.
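The cache lifecycle of Embodiment 1 (shared cache key, per-response timer, refresh at the first preset duration, eviction only when both the idle and remaining-validity conditions hold) can be exercised with the following added example, which is not code from the patent. The class and function names, the SHA-256 key derivation, the second and third threshold values, and the stand-in `fetch` callable (in place of a real OCSP query) are all assumptions; the 30-minute refresh threshold is the example value given in the text.

```python
import hashlib
from dataclasses import dataclass

REFRESH_THRESHOLD = 30 * 60   # first preset duration (30 min, the text's example)
IDLE_THRESHOLD = 60 * 60      # second preset duration (assumed value)
EVICT_REMAINING = 5 * 60      # third preset duration (assumed value)


def cache_key(issuer_name: bytes, serial: int) -> str:
    """Cache key from issuer name + serial number (one of the three options described)."""
    h = hashlib.sha256()
    h.update(len(issuer_name).to_bytes(4, "big"))  # length prefix keeps the encoding unambiguous
    h.update(issuer_name)
    h.update(serial.to_bytes((serial.bit_length() + 7) // 8 or 1, "big"))
    return h.hexdigest()


@dataclass
class Entry:
    response: bytes
    expires_at: float   # the per-response "timer": when the response stops being valid
    last_used: float    # used to measure how long the response has been idle


class OcspCache:
    def __init__(self, fetch, clock):
        self._fetch = fetch      # stand-in for the OCSP query: key -> (response, validity_seconds)
        self._clock = clock      # injected so the example can simulate time
        self._entries = {}
        self.fetch_count = 0

    def _load(self, key):
        response, validity = self._fetch(key)
        self.fetch_count += 1
        now = self._clock()
        self._entries[key] = Entry(response, now + validity, now)  # (re)set the timer
        return self._entries[key]

    def get(self, key):
        """Return the response to staple; fetch on a miss, refresh when close to expiry."""
        now = self._clock()
        entry = self._entries.get(key)
        if entry is None or entry.expires_at - now <= REFRESH_THRESHOLD:
            entry = self._load(key)  # one fetch serves every certificate sharing this key
        entry.last_used = now
        return entry.response

    def sweep(self):
        """Evict responses that are idle too long AND nearly expired; return evicted keys."""
        now = self._clock()
        evicted = [k for k, e in self._entries.items()
                   if now - e.last_used > IDLE_THRESHOLD
                   and e.expires_at - now < EVICT_REMAINING]
        for k in evicted:
            del self._entries[k]
        return evicted


def demo():
    now = [0.0]
    # Constructed responder: every response is valid for 4 hours.
    cache = OcspCache(fetch=lambda key: (b"constructed-response:" + key[:8].encode(), 4 * 3600),
                      clock=lambda: now[0])
    k1 = cache_key(b"CN=Example Issuing CA", 0x1001)
    k2 = cache_key(b"CN=Example Issuing CA", 0x1001)  # second load of the same certificate
    cache.get(k1)
    cache.get(k2)
    shared = cache.fetch_count                  # the second load was a cache hit
    now[0] = 3 * 3600 + 31 * 60                 # 29 minutes of validity left
    cache.get(k1)
    refreshed = cache.fetch_count               # refresh triggered, timer reset to 4 h
    now[0] += 30 * 60                           # certificate destroyed; response left in place
    early = cache.sweep()                       # idle only 30 min: kept
    now[0] = (3 * 3600 + 31 * 60) + 4 * 3600 - 4 * 60   # 4 min of validity left, idle ~4 h
    late = cache.sweep()
    return {"same_key": k1 == k2, "shared": shared, "refreshed": refreshed,
            "early": early, "late": late, "key": k1}
```

In a real server the validity period would come from the parsed OCSP response rather than from the fetch stub.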
Example 2
According to an embodiment of the present invention, an embodiment of a device for determining a status of a certificate is further provided. Fig. 5 is a schematic diagram of the device for determining a status of a certificate according to the embodiment of the present invention; as shown in Fig. 5, the device includes: a receiving module 501, a calculating module 503 and a determining module 505.
The receiving module 501 is configured to receive a request message sent by a client, where information carried in the request message at least includes: certificate information of a certificate to be verified; the calculating module 503 is configured to calculate, according to the certificate information, a cache key corresponding to the certificate to be verified; the determining module 505 is configured to send a response message to the client when detecting that a response message corresponding to the cache key exists in the preset storage area, so that the client determines whether the certificate to be verified is in an invalid state according to the response message.
It should be noted that the receiving module 501, the calculating module 503 and the determining module 505 correspond to steps S102 to S106 in the above embodiment, and the three modules are the same as the corresponding steps in the implementation example and application scenario, but are not limited to the disclosure in the above embodiment 1.
Optionally, the calculation module includes a first obtaining module and a third determining module. The first obtaining module is configured to obtain an issuer key identifier and a subject key identifier corresponding to the certificate to be verified; the third determining module is configured to determine a cache key associated with the certificate to be verified based on the issuer key identifier and the subject key identifier.
Optionally, the calculation module includes a second obtaining module and a fourth determining module. The second obtaining module is configured to obtain an issuer name corresponding to the certificate to be verified and a certificate serial number corresponding to the certificate to be verified; the fourth determining module is configured to determine the cache key associated with the certificate to be verified based on the issuer name and the certificate serial number.
Optionally, the calculation module includes a third obtaining module and a first calculation module. The third obtaining module is configured to obtain certificate content corresponding to the certificate to be verified; the first calculation module is configured to calculate the hash value of the certificate content to obtain the cache key associated with the certificate to be verified.
Optionally, the apparatus for determining the certificate status further includes a first creating module, a fourth obtaining module and a storage module. The first creating module is configured to create the preset storage area when detecting that no response message corresponding to the cache key exists in the preset storage area; the fourth obtaining module is configured to obtain a response message corresponding to the certificate to be verified from the preset server; the storage module is configured to store the cache key and the response message into the preset storage area so as to associate the cache key with the response message.
Optionally, the apparatus for determining the certificate status further includes a second creating module, configured to create a timer corresponding to the response message after the cache key and the response message are stored in the preset storage area, where the timer is used to record the effective remaining duration of the response message.
Optionally, the second determining module includes a first detection module and a sending module. The first detection module is configured to detect the effective remaining duration corresponding to the response message; the sending module is configured to send the response message to the client when the effective remaining duration is greater than the first preset duration.
Optionally, the apparatus for determining the certificate status further includes a first updating module, configured to update the response message cached in the preset storage area when the effective remaining duration is less than or equal to the first preset duration.
Optionally, the first updating module includes a resetting module, configured to obtain the response message from the preset server and reset the timer corresponding to the response message.
Optionally, the apparatus for determining the certificate status further includes a second detection module, a third detection module and a processing module. The second detection module is configured to detect whether the certificate to be verified is in a destroyed state; the third detection module is configured to release the memory occupied by the certificate to be verified when the certificate to be verified is in the destroyed state, and to detect the first duration for which the response message is in an idle state; the processing module is configured to delete the timer corresponding to the response message and delete the response message from the preset storage area when the first duration is longer than the second preset duration and the effective remaining duration is shorter than the third preset duration.
Example 3
According to another aspect of the embodiments of the present invention, there is also provided a nonvolatile storage medium having a computer program stored therein, wherein the computer program is configured to execute the method for determining the status of the certificate in embodiment 1 described above when running.
Example 4
According to another aspect of the embodiments of the present invention, there is also provided a processor for executing a program, wherein the program is configured to execute the method for determining the certificate status in embodiment 1 when running.
The serial numbers of the above embodiments of the present invention are for description only and do not indicate the relative merits of the embodiments.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technical content can be implemented in other manners. The above-described apparatus embodiments are merely illustrative, and for example, the division of the units may be a logical division, and in actual implementation, there may be another division, for example, multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or may not be executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on a plurality of units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit may be implemented in the form of hardware, or may also be implemented in the form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention in essence, or the part of it that contributes over the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, an optical disk, and other media capable of storing program code.
The foregoing is only a preferred embodiment of the present invention. It should be noted that those skilled in the art can make various improvements and refinements without departing from the principle of the present invention, and these improvements and refinements should also be regarded as falling within the protection scope of the present invention.

Claims (11)

1. A method for determining a status of a certificate, comprising:
receiving a request message sent by a client, wherein the information carried in the request message at least comprises: certificate information of a certificate to be verified;
calculating a cache keyword corresponding to the certificate to be verified according to the certificate information;
when detecting that a response message corresponding to the cache keyword exists in a preset storage area, sending the response message to the client, so that the client determines whether the certificate to be verified is in an invalid state according to the response message;
the method further comprises the following steps: detecting whether the certificate to be verified is in a destruction state; when the certificate to be verified is in the destruction state, releasing the memory occupied by the certificate to be verified, and detecting a first duration of the response message in the idle state; and when the first time length is longer than a second preset time length and the effective remaining time length of the response message is shorter than a third preset time length, deleting the timer corresponding to the response message and deleting the response message from the preset storage area.
2. The method according to claim 1, wherein calculating a cache key corresponding to the certificate to be verified according to the certificate information comprises:
acquiring an issuer key identifier and a subject key identifier corresponding to the certificate to be verified;
determining a cache key associated with the certificate to be verified based on the issuer key identifier and the subject key identifier.
3. The method according to claim 1, wherein calculating a cache key corresponding to the certificate to be verified according to the certificate information comprises:
acquiring an issuer name corresponding to the certificate to be verified and a certificate serial number corresponding to the certificate to be verified;
determining a cache key associated with the certificate to be verified based on the issuer name and the certificate serial number.
4. The method according to claim 1, wherein calculating a cache key corresponding to the certificate to be verified according to the certificate information comprises:
acquiring certificate content corresponding to the certificate to be verified;
and calculating the hash value of the certificate content to obtain a cache keyword associated with the certificate to be verified.
5. The method of claim 1, further comprising:
when detecting that no response message corresponding to the cache keyword exists in the preset storage area, creating the preset storage area;
acquiring a response message corresponding to the certificate to be verified from a preset server;
and storing the cache key and the response message into the preset storage area so as to associate the cache key with the response message.
6. The method of claim 5, wherein after storing the cache key and the response message in the predetermined storage area, the method further comprises:
and creating a timer corresponding to the response message, wherein the timer is used for recording the effective remaining duration of the response message.
7. The method of claim 6, wherein sending the response message to the client when detecting that the response message corresponding to the cache key exists in the preset storage area comprises:
detecting the effective remaining duration corresponding to the response message;
and sending the response message to the client under the condition that the effective remaining time length is greater than a first preset time length.
8. The method of claim 7, further comprising:
and updating the response message cached in the preset storage area under the condition that the effective residual time is less than or equal to the first preset time.
9. The method according to claim 8, wherein updating the response message cached in the preset storage area comprises:
and acquiring the response message from the preset server, and resetting a timer corresponding to the response message.
10. An apparatus for determining a status of a certificate, comprising:
a receiving module, configured to receive a request message sent by a client, where information carried in the request message at least includes: certificate information of a certificate to be verified;
the calculation module is used for calculating cache keywords corresponding to the certificate to be verified according to the certificate information;
the determining module is used for sending a response message corresponding to the cache keyword to the client when detecting that the response message exists in a preset storage area, so that the client determines whether the certificate to be verified is in an invalid state according to the response message;
the device further comprises: the second detection module is used for detecting whether the certificate to be verified is in a destruction state; the third detection module is used for releasing the memory occupied by the certificate to be verified when the certificate to be verified is in the destruction state and detecting the first duration of the response message in the idle state; and the processing module is used for deleting the timer corresponding to the response message and deleting the response message from the preset storage area when the first time length is longer than a second preset time length and the effective remaining time length of the response message is shorter than a third preset time length.
11. A non-volatile storage medium, in which a computer program is stored, wherein the computer program is arranged to execute the method for determining a status of a certificate as claimed in any one of claims 1 to 9 when running.
CN202110442910.5A 2021-04-23 2021-04-23 Method and device for determining certificate state Active CN113300848B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110442910.5A CN113300848B (en) 2021-04-23 2021-04-23 Method and device for determining certificate state

Publications (2)

Publication Number Publication Date
CN113300848A CN113300848A (en) 2021-08-24
CN113300848B true CN113300848B (en) 2022-12-23

Family

ID=77321683

Country Status (1)

Country Link
CN (1) CN113300848B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114143010A (en) * 2021-11-25 2022-03-04 上海派拉软件股份有限公司 Digital certificate acquisition method, device, terminal, system and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101133410A (en) * 2005-03-22 2008-02-27 Lg电子株式会社 Contents rights protecting method
CN103229479A (en) * 2012-12-28 2013-07-31 华为技术有限公司 Website identification method and device and network system
CN103475485A (en) * 2013-09-16 2013-12-25 浙江汇信科技有限公司 Identity authentication supporting platform and authentication method based on digital certificate interconnection and interworking
CN108255859A (en) * 2016-12-29 2018-07-06 航天信息股份有限公司 A kind of method and system for being used to establish index for mass digital certificate
CN108259406A (en) * 2016-12-28 2018-07-06 中国电信股份有限公司 Examine the method and system of SSL certificate

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170317837A1 (en) * 2016-04-29 2017-11-02 Arwa Alrawais Systems and methodologies for certificate validation
US11057368B2 (en) * 2018-07-19 2021-07-06 Fortanix, Inc. Issuing a certificate based on an identification of an application

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant