CN116155515B - Type-selectable double-key certificate generation method, electronic device and storage medium - Google Patents

Type-selectable double-key certificate generation method, electronic device and storage medium Download PDF

Info

Publication number
CN116155515B
CN116155515B CN202310422727.8A CN202310422727A CN116155515B CN 116155515 B CN116155515 B CN 116155515B CN 202310422727 A CN202310422727 A CN 202310422727A CN 116155515 B CN116155515 B CN 116155515B
Authority
CN
China
Prior art keywords
certificate
key
public key
encryption
field
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310422727.8A
Other languages
Chinese (zh)
Other versions
CN116155515A (en
Inventor
赵万里
张相雨
李岩
张旺
王瑞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhongqi Zhilian Technology Co ltd
Original Assignee
Zhongqi Zhilian Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhongqi Zhilian Technology Co ltd filed Critical Zhongqi Zhilian Technology Co ltd
Priority to CN202310422727.8A priority Critical patent/CN116155515B/en
Publication of CN116155515A publication Critical patent/CN116155515A/en
Application granted granted Critical
Publication of CN116155515B publication Critical patent/CN116155515B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention relates to the field of information security, and discloses an optional type of double-key certificate generation method, electronic equipment and a storage medium, wherein the method comprises the following steps: responding to the certificate application request, analyzing the certificate application request and determining a certificate type parameter; if the certificate type parameter is of multiple types, acquiring an initial key certificate; determining a signature public key and signature public key parameters according to the certificate application request; receiving an encryption key pair and an encryption public key parameter; for each initial key certificate, determining an original primary field of the certificate and an expanded primary field of the certificate according to the certificate use of the initial key certificate, and generating a target double-key certificate by combining a signature public key, a signature public key parameter, a first key use, an encryption public key parameter, a second key use and the initial key certificate; and combining the target double-key certificates to obtain target feedback certificates so as to uniformly manage the certificates in multiple formats, and separately manage the keys with different purposes, so that the storage space is reduced, and the certificate analysis efficiency is improved.

Description

Type-selectable double-key certificate generation method, electronic device and storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to an optional type of dual key certificate generation method, an electronic device, and a storage medium.
Background
In a multi-format dual-certificate system, a user has certificates in multiple formats at the same time, and each certificate in multiple formats includes two private keys, respectively referred to as a signature private key and an encryption private key. The signature private key is locally generated and mastered by the user, and the corresponding certificate is called a signature certificate; the encryption private key is used for decryption and key exchange, and the corresponding certificate is referred to as an "encryption certificate".
However, under the multi-format double-certificate system, the user is required to have two digital certificates (a signature certificate and an encryption certificate) with multiple formats, the certificate objects of the digital certificates with multiple formats and the corresponding user are the same, the content contained in the two digital certificates corresponding to each format is different except for the serial number, public key information and key usage of the certificate, and the rest of information including the information of certificate version, signature algorithm, issuer, validity period and the like is the same. For the above reasons, waste of certificate storage resources and inconvenience in management are caused, and decrypting these digital certificates by users causes a problem of low decryption efficiency.
In view of this, the present invention has been made.
Disclosure of Invention
In order to solve the technical problems, the invention provides an optional double-key certificate generation method, electronic equipment and a storage medium, which realize the effects of uniformly managing certificates in various formats, separately managing a signature key and an encryption key, reducing the storage space and improving the subsequent analysis efficiency of the certificates.
The embodiment of the invention provides an optional type double-key certificate generation method, which comprises the following steps:
responding to a certificate application request, analyzing the certificate application request, and determining a certificate type parameter; wherein the certificate type parameter comprises a single type and multiple types;
acquiring at least two initial key certificates corresponding to the certificate application request under the condition that the certificate type parameters are of multiple types; wherein, the certificate format of the initial key certificate comprises an X.509 format and a V2X format;
determining a signature public key carried by the certificate application request and a signature public key parameter corresponding to the signature public key according to the certificate application request;
receiving an encryption key pair called out from a spare key library and an encryption public key parameter corresponding to the encryption key pair; wherein the encryption key pair comprises an encryption public key and an encryption private key;
For each initial key certificate, determining a first-level field of a certificate original and a first-level field of a certificate extension according to the certificate purpose of the initial key certificate, and generating a target double-key certificate corresponding to the initial key certificate according to the first-level field of the certificate original, the first-level field of the certificate extension, the signature public key parameter, a first key purpose corresponding to the signature public key, the encryption public key parameter, a second key purpose corresponding to the encryption public key and the initial key certificate; wherein the number of public key usage fields in the target double-key certificate is one or two, if the number of public key usage fields is one, the public key usage fields include the first key usage and the second key usage, and if the number of public key usage fields is two, the two public key usage fields include the first key usage and the second key usage, respectively;
and combining the target double-key certificates corresponding to each initial key certificate to obtain a target feedback certificate corresponding to the certificate application request.
The embodiment of the invention provides electronic equipment, which comprises:
a processor and a memory;
the processor is configured to execute the steps of the type-selective dual key certificate generation method according to any of the embodiments by calling a program or instructions stored in the memory.
Embodiments of the present invention provide a computer-readable storage medium storing a program or instructions that cause a computer to perform the steps of the type-selective double key certificate generation method of any of the embodiments.
The embodiment of the invention has the following technical effects:
by responding to the certificate application request, analyzing the certificate application request, determining the certificate type parameter, under the condition that the certificate type parameter is of multiple types, acquiring at least two initial key certificates, acquiring a signature public key and the signature public key parameter according to the certificate application request, receiving an encryption key pair called out from a standby key library and the encryption public key parameter corresponding to the encryption key pair, further, determining an original primary field and an expanded primary field of the certificate according to the certificate application of the initial key certificate, writing information corresponding to the original primary field and the expanded primary field of the certificate into the original primary field and the expanded primary field of the certificate corresponding to the initial key certificate, generating a target double-key certificate, combining each target double-key certificate to obtain a target feedback certificate, realizing unified management of certificates of multiple formats, separating and managing the signature key and the encryption key, and improving the analysis efficiency of the certificate while reducing the storage space.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of an alternative type of dual key certificate generation method provided by an embodiment of the present invention;
FIG. 2 is a flow chart of another type of alternative dual key certificate generation method provided by an embodiment of the present invention;
FIG. 3 is a flow chart of another type of alternative dual key certificate generation method provided by an embodiment of the present invention;
FIG. 4 is a flow chart of another type of alternative dual key certificate generation method provided by an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the invention, are within the scope of the invention.
The type-selectable double-key certificate generation method provided by the embodiment of the invention is mainly suitable for the situation that when a certificate application request of a user is received, certificates containing a group of signature public keys and encryption public keys in various formats are issued for the user. The type-selectable double-key certificate generation method provided by the embodiment of the invention can be executed by independent electronic equipment.
FIG. 1 is a flow chart of an alternative type of dual key certificate generation method provided by an embodiment of the present invention. Referring to fig. 1, the type of the optional dual key certificate generation method specifically includes:
s110, responding to the certificate application request, analyzing the certificate application request and determining the certificate type parameter.
The certificate application request may be a request about issuing a certificate sent by a user, that is, a certificate requester, to a certificate authority (Certification Authority, CA), and the certificate application request may carry a certificate application file. The certificate type parameter includes a single type, which means that the certificate application request corresponds to applying for a certificate of one format, such as an x.509 format or a V2X format, and multiple types, which means that the certificate application request corresponds to applying for a certificate of two formats, including an x.509 format and a V2X format.
Specifically, after receiving the certificate application request, the method can respond to the certificate application request, analyze the certificate application request, and acquire the certificate type parameter corresponding to the certificate application request so as to facilitate the subsequent generation of one or more certificates according to the certificate type parameter.
S120, under the condition that the certificate type parameters are of multiple types, at least two initial key certificates corresponding to the certificate application request are acquired.
The certificate formats of the initial key certificate include an X.509 format and a V2X format. The initial key certificate may be an initial certificate that is not written with parameters, and the certificate purpose of the initial key certificate may be signature or encryption.
Specifically, if the certificate type parameter is multiple types, an initial key certificate under each type needs to be acquired for subsequent processing. For example, in the scene of internet of vehicles and the like, certificates in an x.509 format and a V2X format need to be obtained at the same time, and at this time, the certificate type parameters carried by the certificate application request are of multiple types.
It will be appreciated that the x.509 format certificate may be one, and the V2X format certificate may be one, in which case the number of initial key certificates is two, but since the V2X certificate includes multiple types of EC, PC, AC, etc., it is generally referred to as EC certificate, but two or more types of certificates may be included, in which case the number of initial key certificates is greater than two.
S130, determining a signature public key carried by the certificate application request and a signature public key parameter corresponding to the signature public key according to the certificate application request.
It may be appreciated that a pair of asymmetric keys may be generated at the user end as a signing key pair, where a signing private key in the signing key pair may be stored locally at the user end, and further, a signing public key in the signing key pair and other certificate related information (such as a common name, a validity period, etc.) are synthesized into a certificate application file, and signed by the signing private key and then sent to the certificate authentication center through a certificate application request.
The signing key pair can be a pair of asymmetric keys, and can be generated by a certificate requester, a signing private key is used for signing data by an information sender, and a signing public key is used for signing data by an information receiver. The signature public key parameter may be parameter information corresponding to the signature public key.
Specifically, the certificate application request is analyzed, a certificate application file corresponding to the certificate application request is obtained, and a signature public key parameter corresponding to the signature public key are obtained from the certificate application file.
And S140, receiving an encryption key pair called out from the spare key library and an encryption public key parameter corresponding to the encryption key pair.
Wherein the encryption key pair includes an encryption public key and an encryption private key. The encryption key pair may be a pair of asymmetric keys generated by a key management center (Key Management Center, KMC), an encryption public key for the information sender to encrypt data, and an encryption private key for the information receiver to decrypt data. The spare keystore may be a pre-established key database in the KMC. The encryption public key parameter may be parameter information corresponding to the encryption public key.
Specifically, the certificate authentication center sends an encryption key pair request to the key management center to apply for an asymmetric key pair for encryption, and sends a pre-issued certificate serial number to the key management center. The key management center responds to the encryption key pair request, calls out an encryption key pair from the spare key library, encrypts the encryption key pair and encryption public key parameters corresponding to the encryption key pair, and safely returns the encryption key pair and the encryption public key parameters to the certificate authentication center. In this case, a subsequently used encryption key pair may be received along with encryption public key parameters.
It should be noted that, if the certificate type parameter is of multiple types, or the certificate type parameter is of a single type, specifically, a V2X format certificate, the key type can only select SM2, and if the certificate type parameter is of a single type, specifically, an x.509 format certificate, the key type can be RSA or SM2.
And S150, for each initial key certificate, determining a first-level field of the original certificate and a first-level field of the extension certificate according to the certificate purpose of the initial key certificate, and generating a target double-key certificate corresponding to the initial key certificate according to the first-level field of the original certificate, the first-level field of the extension certificate, the signature public key parameter, the first key purpose corresponding to the signature public key, the encryption public key parameter, the second key purpose corresponding to the encryption public key and the initial key certificate.
Wherein the original primary field of the certificate may be a field related to the public key that is original in the initial key certificate. The certificate extension level one field may be a field related to a public key that is extended on the basis of an initial key certificate. The certificate usage includes signing and/or encryption, wherein the certificate usage of the original key certificate in the x.509 format is signing or encryption, and the certificate usage of the V2X certificate is signing and encryption. The first key use is the use of a public key for signing, i.e. signing. The second key use is the use of an encryption public key, i.e. encryption. The target double-key certificate can be a certificate obtained by performing primary field expansion on the initial key certificate and filling information of each field.
The number of public key application fields in the target double-key certificate is one or two, if the number of public key application fields is one, the public key application fields comprise a first key application and a second key application, and if the number of public key application fields is two, the two public key application fields comprise a first key application and a second key application respectively. For example, if the number of public key usage fields is one, the field value of the public key usage field may be "signature, encryption", and if the number of public key usage fields is two, the field value of one public key usage field is "signature", and the field value of the other public key usage field is "encryption", which may correspond to the public keys, respectively.
Specifically, for each initial key certificate, a corresponding target double key certificate may be generated in the following manner. On the basis of the initial key certificate, the certificate use of the initial key certificate is determined, and further, the fields related to the public key are determined to be the original primary fields of the certificate according to the certificate use, and the primary fields related to the public key, namely, the primary fields of the certificate expansion, need to be expanded on the initial key certificate. The primary field of the initial key certificate is extended, i.e. the extended certificate extends the primary field. For the initial key certificate in the V2X format, since the initial key certificate itself has two key fields, a field related to a signature may be used as a primary field of a certificate, a field related to encryption may be used as a primary field of a certificate extension, or a field related to encryption may be used as a primary field of a certificate, and a field related to a signature may be used as a primary field of a certificate extension. Further, the signature public key parameter, the first key usage corresponding to the signature public key, the encryption public key parameter, and the second key usage corresponding to the encryption public key are respectively filled in the corresponding certificate original primary field or certificate extension primary field. And after each other necessary field of the certificate is generated, the generated certificate is used as a target double-key certificate corresponding to the initial key certificate.
The signature key and the encryption key used by each target double-key certificate generated in the mode are the same, and each certificate does not need to correspond to a group of signature key and encryption key, so that the use amount of the keys is effectively saved, the key storage amount is solved, and the difficulty of subsequent decryption is reduced.
It will be appreciated that if the initial key certificate is a certificate in x.509 format. The standard certificate structure of certificates in x.509 format is:
TBSCertificate::=SEQUENCE{
version [0] EXPLICIT Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
extensions [3] EXPLICIT Extensions OPTIONAL
}
the advantages of the extension of the primary field of each certificate, namely the extension information, through the extensions field are that the existing X.509V 3 certificate standard can be compatible, so that the target double-key certificate can be compared with the prior certificate, and the compatibility problem of various existing applications can not be caused. In addition, the problem of destruction of the original certificate structure (initial key certificate) caused by adding both encryption public key information and signature public key information to the SubjectPublicKeyinfo field can be avoided.
The original key certificate in the X.509 format needs to be subjected to field expansion, the target double-key certificate can be obtained by adding the two expanded key fields, the adding positions of the two keys are reserved in the original key certificate in the V2X format, and the target double-key certificate can be obtained by adding the two keys according to the corresponding positions.
S160, combining the target double-key certificates corresponding to each initial key certificate to obtain a target feedback certificate corresponding to the certificate application request.
The target feedback certificate may be a certificate corresponding to the certificate application request, that is, a certificate fed back to the certificate applicant.
Specifically, after the target double-key certificates corresponding to the initial key certificates are acquired, the target double-key certificates are integrated and used as target feedback certificates to be fed back to the certificate applicant corresponding to the certificate application request.
It can be understood that the encryption key and the signature key of each target double-key certificate in the target feedback certificates are identical, so that the processing time and the storage space are effectively saved.
On the basis of the above example, if the certificate type parameter is of a single type, the target feedback certificate may be obtained by:
under the condition that the certificate type parameter is of a single type, acquiring an initial key certificate corresponding to a certificate application request;
if the certificate format of the initial key certificate is X.509 format, determining a signature public key carried by the certificate application request and a signature public key parameter corresponding to the signature public key according to the certificate application request, and receiving an encryption key pair called from a spare key library and an encryption public key parameter corresponding to the encryption key pair;
If the certificate format of the initial key certificate is V2X format, determining a signature public key carried by the certificate application request and a signature public key parameter corresponding to the signature public key according to the certificate application request, and receiving an encryption key pair called from a spare key library and an encryption public key parameter corresponding to the encryption key pair; or determining a signature public key carried by the certificate application request, a signature public key parameter corresponding to the signature public key, an encryption key pair and an encryption public key parameter corresponding to the encryption key pair according to the certificate application request;
determining an original primary field of a certificate and an expanded primary field of the certificate according to the certificate application of the initial key certificate, and generating a target double-key certificate corresponding to the initial key certificate according to the original primary field of the certificate, the expanded primary field of the certificate, the signature public key parameter, the first key application corresponding to the signature public key, the encryption public key parameter, the second key application corresponding to the encryption public key and the initial key certificate;
and taking the target double-key certificate corresponding to the initial key certificate as a target feedback certificate corresponding to the certificate application request.
Specifically, if the certificate type parameter is of a single type, an initial key certificate under the single type is acquired for subsequent processing. If the certificate format of the initial key certificate is x.509 format, the signature public key parameter corresponding to the signature public key, the encryption key pair and the encryption public key parameter corresponding to the encryption key pair are acquired in the same manner that the certificate type parameter is multi-type. If the certificate format of the initial key certificate is in the V2X format, the initial key certificate can be obtained in the same mode that the certificate type parameter is of multiple types, and the signature public key, the signature public key parameter corresponding to the signature public key, the encryption key pair and the encryption public key parameter corresponding to the encryption key pair are used; if the certificate application request carries the signature public key and the encryption key pair, the signature public key parameter corresponding to the signature public key, the encryption key pair and the encryption public key parameter corresponding to the encryption key pair can be obtained from the certificate application request. Further, the target double-key certificate corresponding to each initial key certificate may be generated in the same manner as the certificate type parameter in a multi-type manner based on the signature public key, the signature public key parameter corresponding to the signature public key, the encryption key pair, and the encryption public key parameter corresponding to the encryption key pair acquired from different sources. Because the certificate type parameter at this time is of a single type, the generated one target double-key certificate can be directly used as a target feedback certificate corresponding to the certificate application request.
The embodiment has the following technical effects: by responding to the certificate application request, analyzing the certificate application request, determining the certificate type parameter, under the condition that the certificate type parameter is of multiple types, acquiring at least two initial key certificates, acquiring a signature public key and the signature public key parameter according to the certificate application request, receiving an encryption key pair called out from a standby key library and the encryption public key parameter corresponding to the encryption key pair, further, determining an original primary field and an expanded primary field of the certificate according to the certificate application of the initial key certificate, writing information corresponding to the original primary field and the expanded primary field of the certificate into the original primary field and the expanded primary field of the certificate corresponding to the initial key certificate, generating a target double-key certificate, combining each target double-key certificate to obtain a target feedback certificate, realizing unified management of certificates of multiple formats, separating and managing the signature key and the encryption key, and improving the analysis efficiency of the certificate while reducing the storage space.
On the basis of the above example, after receiving the encryption key pair transferred from the spare key store and the encryption public key parameter corresponding to the encryption key pair, the encryption private key may also be written into a digital envelope in such a manner as to be transmitted to the certificate requester in the form of a digital envelope. The specific steps can be as follows:
Generating a symmetric key to be used, and encrypting the encryption private key based on the symmetric key to be used to obtain a first encryption result; encrypting the symmetric key to be used based on the signature public key to obtain a second encryption result; and generating a first digital envelope corresponding to the target feedback certificate according to the first encryption result and the second encryption result.
The symmetric key to be used may be a symmetric key, which is used for encrypting the encryption private key. The first encryption result may be a result of encrypting the encryption private key by the symmetric key to be used, and the second encryption result may be a result of encrypting the symmetric key to be used by the signature public key. The first digital envelope may be a digital envelope including a first encryption result and a second encryption result.
Specifically, a symmetric key may be randomly generated by a symmetric algorithm as a public symmetric key to be used. Furthermore, the first encryption result is obtained by encrypting the encryption private key through the symmetric key to be used, and the second encryption result is obtained by further encrypting the symmetric key to be used through the signature public key, so that the security of the encryption private key is improved. Writing the first encryption result and the second encryption result into the digital envelope to obtain a first digital envelope. The first digital envelope may then be sent to the credential requester along with the target feedback credential.
It can be understood that after the certificate requester receives the first digital envelope, the second encryption result can be decrypted through a signature private key stored in the local of the user side in advance to obtain a symmetric key to be used, and further, the first encryption result is decrypted through the symmetric key to be used to obtain an encryption key and is stored safely.
On the basis of the above example, after receiving the encryption key pair called out from the spare key store and the encryption public key parameter corresponding to the encryption key pair, the encryption private key may also be written into the digital envelope in another relatively simple manner, which may specifically be:
encrypting the encryption private key based on the signature public key to obtain a third encryption result; and generating a second digital envelope corresponding to the target feedback certificate according to the third encryption result.
The third encryption result may be a result of encrypting the encryption private key by the signature public key. The second digital envelope may be a digital envelope including the third encryption result.
Specifically, the encryption private key is encrypted through the signature public key to obtain a third encryption result, and the third encryption result is written into the digital envelope to obtain a second digital envelope. The second digital envelope may then be sent to the credential requester along with the target feedback credential.
It can be understood that after the certificate requester receives the second digital envelope, the third encryption result can be decrypted by a signature private key stored in the local area of the user side in advance, so as to obtain an encryption key, and the encryption key is stored safely.
Fig. 2 is a flowchart of another type of optional dual key certificate generation method provided by the embodiment of the present invention, where the embodiment is based on the above embodiment, the original primary field of the certificate and the primary field of the certificate expansion are determined and the generation manner of the target dual key certificate is described in detail in this technical scheme, for the case that the initial key certificate is in the x.509 format and the certificate usage of the initial key certificate is a signature. Wherein, the explanation of the same or corresponding terms as the above embodiments is not repeated herein. Referring to fig. 2, the type of the optional dual key certificate generation method specifically includes:
s210, responding to the certificate application request, analyzing the certificate application request, and determining the certificate type parameter.
S220, under the condition that the certificate type parameters are of multiple types, at least two initial key certificates corresponding to the certificate application request are acquired.
S230, determining a signature public key carried by the certificate application request and a signature public key parameter corresponding to the signature public key according to the certificate application request.
S240, receiving an encryption key pair called out from the spare key library and an encryption public key parameter corresponding to the encryption key pair.
S250, for each initial key certificate with the format of X.509, under the condition that the certificate purpose of the initial key certificate is signature, determining that an original primary field of the certificate comprises a signature public key field, a signature public key parameter field and an original purpose field, and determining that an extended primary field of the certificate comprises an encryption public key field, an encryption public key parameter field and an extended purpose field.
Wherein the signature public key field may be a field for writing a signature public key, the signature public key parameter field may be a field for writing a signature public key parameter, and the original use field may be a use field for writing a key in the initial key certificate. The encryption public key field may be a field for writing an encryption public key, the encryption public key parameter field may be a field for writing an encryption public key parameter, and the extension use field may be a use field of a key that extends the initial key certificate.
Specifically, in the case that the certificate application of the initial key certificate is signature, each field of the signature certificate may be considered to be included in the initial key certificate, that is, each primary field related to the signature public key, that is, the signature public key field, the signature public key parameter field, and the original application field, so that the primary fields may be regarded as the original primary fields of the certificate. Since the primary field of the initial key certificate is required to be expanded subsequently, that is, the primary field related to the encrypted public key, that is, the encrypted public key field, the encrypted public key parameter field and the expansion use field are expanded, the primary field can be used as a certificate expansion primary field.
And S260, writing the signature public key, the signature public key parameter and the first key application corresponding to the signature public key into each certificate original primary field of the initial key certificate to obtain a first certificate to be expanded.
The first certificate to be expanded may be an initial key certificate in which information writing is completed.
Specifically, on the basis of the initial key certificate, writing a signature public key into a signature public key field in an original primary field of the certificate, writing a signature public key parameter into a signature public key parameter field in the original primary field of the certificate, and writing a first key application into an original application field in the original primary field of the certificate, so that information required by other initial key certificates can be written completely, and the certificate at the moment is used as a first certificate to be expanded.
S270, according to the first certificate to be expanded, expanding one-level fields of each certificate, writing the encryption public key, encryption public key parameters and the second key application corresponding to the encryption public key into one-level fields of each expansion of the first certificate to be expanded, and obtaining the target double-key certificate corresponding to the initial key certificate.
Specifically, on the basis of the first certificate to be expanded, the primary field of the first certificate to be expanded is expanded to expand the primary fields of each certificate, namely, the encryption public key field, the encryption public key parameter field and the expansion use field. Further, the encrypted public key is written into the encrypted public key field in the first-stage certificate extension field, the encrypted public key parameter is written into the encrypted public key parameter field in the first-stage certificate extension field, the second key application is written into the extension application field in the first-stage certificate extension field, and the written certificate is used as the target double-key certificate corresponding to the initial key certificate.
S280, determining an original primary field of the certificate and an expanded primary field of the certificate according to the original key certificate with the V2X format of each certificate, writing a signature public key, a signature public key parameter, a first key purpose corresponding to the signature public key, an encryption public key parameter and a second key purpose corresponding to the encryption public key into the original primary field of the certificate and the expanded primary field of the certificate, and generating a target double-key certificate corresponding to the original key certificate.
Specifically, the original key certificate in the V2X format is signed and encrypted, so that the encryption related field can be used as the original primary field of the certificate and the signature related field can be used as the primary field of the certificate extension, and the signature related field can be used as the original primary field of the certificate and the encryption related field can be used as the primary field of the certificate extension. Further, the signing public key parameter, the first key application corresponding to the signing public key, the encryption public key parameter and the second key application corresponding to the encryption public key are filled into the initial key certificate with the certificate format of V2X, specifically, the original primary field of the certificate corresponding to the application and the primary field of the certificate expansion, so that the target double-key certificate corresponding to the initial key certificate is obtained.
S290, combining the target double-key certificates corresponding to each initial key certificate to obtain a target feedback certificate corresponding to the certificate application request.
If the certificate type parameter is of a single type, that is, if the certificate format of the initial key certificate is in the x.509 format, the target double-key certificate corresponding to the initial key certificate may be generated in a similar manner to the present example, in the case where the certificate purpose of the initial key certificate is a signature.
The embodiment has the following technical effects: for each initial key certificate with the format of X.509, under the condition that the certificate usage of the initial key certificate is signature, determining that the original primary field of the certificate comprises a signature public key field, a signature public key parameter field and an original usage field, and determining that the original primary field of the certificate comprises an encryption public key field, an encryption public key parameter field and an extension usage field, further, writing the signature public key, the signature public key parameter and the first key usage into the original primary field of each certificate of the initial key certificate, expanding each certificate extension primary field, writing the encryption public key, the encryption public key parameter and the second key usage into each certificate extension primary field, so as to obtain the target double-key certificate, thereby realizing primary field expansion on the basis of the signature certificate, improving the utilization rate of the certificate, reducing the complexity of certificate creation, and realizing the effect of separation management of the signature key and the encryption key.
Fig. 3 is a flowchart of another type of optional dual key certificate generation method provided by the embodiment of the present invention, where the embodiment is based on the above embodiment, the initial key certificate is in x.509 format, and in the case where the use of the initial key certificate is encryption, the manner of determining the original primary field of the certificate and the primary field of the certificate expansion and the manner of generating the target dual key certificate can be referred to in the detailed description of the technical scheme. Wherein, the explanation of the same or corresponding terms as the above embodiments is not repeated herein. Referring to fig. 3, the type of optional dual key certificate generation method specifically includes:
s310, responding to the certificate application request, analyzing the certificate application request and determining the certificate type parameter.
S320, under the condition that the certificate type parameters are of multiple types, at least two initial key certificates corresponding to the certificate application request are acquired.
S330, according to the certificate application request, determining a signature public key carried by the certificate application request and a signature public key parameter corresponding to the signature public key.
S340, receiving an encryption key pair called out from the spare key library and an encryption public key parameter corresponding to the encryption key pair.
S350, for each initial key certificate with the format of X.509, determining that an original primary field of the certificate comprises an encryption public key field, an encryption public key parameter field and an original purpose field and determining that an extension primary field of the certificate comprises a signature public key field, a signature public key parameter field and an extension purpose field under the condition that the certificate purpose of the initial key certificate is encryption.
Specifically, in the case that the certificate usage of the initial key certificate is encryption, each field of the encrypted certificate may be considered to be included in the initial key certificate, that is, each primary field related to the encrypted public key, that is, the encrypted public key field, the encrypted public key parameter field, and the original usage field, so that the primary field may be regarded as the original primary field of the certificate. Since the primary field of the initial key certificate is required to be extended later, that is, the primary field related to the signature public key, that is, the signature public key field, the signature public key parameter field and the extension use field are extended, the primary field can be used as a certificate extension primary field.
S360, writing the encryption public key, encryption public key parameters and second key application corresponding to the encryption public key into each certificate primary field of the initial key certificate to obtain a second certificate to be expanded.
The second certificate to be expanded may be an initial key certificate in which information writing is completed.
Specifically, on the basis of the initial key certificate, an encrypted public key is written into an encrypted public key field in an original primary field of the certificate, an encrypted public key parameter is written into an encrypted public key parameter field in the original primary field of the certificate, and a second key application is written into an original application field in the original primary field of the certificate, so that information required by other initial key certificates can be written into the original primary field of the certificate, and the certificate at the moment is used as a second certificate to be expanded.
And S370, expanding the primary fields of each certificate according to the second certificate to be expanded, and writing the signature public key, the signature public key parameter and the first key application corresponding to the signature public key into the primary fields of each expansion of the second certificate to be expanded to obtain the target double-key certificate corresponding to the initial key certificate.
Specifically, on the basis of the second certificate to be expanded, the primary fields of the second certificate to be expanded are expanded, and each certificate is expanded by the primary fields, namely, the signature public key field, the signature public key parameter field and the expansion use field. Further, the signature public key is written into the signature public key field in the first-stage certificate extension field, the signature public key parameter is written into the signature public key parameter field in the first-stage certificate extension field, the first-key application is written into the extension application field in the first-stage certificate extension field, and the written certificate is used as a target double-key certificate corresponding to the initial-key certificate.
S380, determining an original primary field of the certificate and an expanded primary field of the certificate according to the initial key certificate with the V2X format of each certificate, writing a signature public key, a signature public key parameter, a first key purpose corresponding to the signature public key, an encryption public key parameter and a second key purpose corresponding to the encryption public key into the original primary field of the certificate and the expanded primary field of the certificate, and generating a target double-key certificate corresponding to the initial key certificate.
S390, combining the target double-key certificates corresponding to each initial key certificate to obtain a target feedback certificate corresponding to the certificate application request.
If the certificate type parameter is of a single type, that is, if the certificate format of the initial key certificate is in the x.509 format, the target double-key certificate corresponding to the initial key certificate may be generated in a similar manner to the present example, in the case where the certificate use of the initial key certificate is encryption.
The embodiment has the following technical effects: for each initial key certificate with the format of X.509, under the condition that the certificate usage of the initial key certificate is encryption, determining that an original primary field of the certificate comprises an encryption public key field, an encryption public key parameter field and an original usage field, and determining that an original primary field of the certificate comprises a signature public key field, a signature public key parameter field and an extension usage field, further, writing the encryption public key, the encryption public key parameter and a second key usage into original primary fields of the initial key certificate, expanding each original primary field of the certificate, writing the signature public key, the signature public key parameter and the first key usage into each original primary field of the certificate extension, and obtaining a target double-key certificate.
Based on the above example, fig. 4 is a flowchart of another type of optional two-key certificate generation method provided in an embodiment of the present invention. Referring to fig. 4, the type of the optional dual key certificate generation method specifically includes:
1. the user (certificate applicant) generates a pair of asymmetric keys locally as a signing key pair, and securely stores the signing private key of the signing key pair locally.
2. And synthesizing a certificate signing application (Certificate Signing Request, CSR) according to the public signature key in the signing key pair, the CN (Common Name) value, the validity period and other information, signing by a private signature key, and sending to the CA.
If the CA judges that the applied certificates are of multiple types, the CA needs to apply an asymmetric key pair for encryption, namely an encryption certificate key pair, to the KMC and send the serial numbers of the pre-issued certificates to the KMC.
And 4, the KMC receives the request, calls out an encryption key pair from the spare key library, encrypts and safely returns the encryption key pair and the public key parameters to the CA.
And 5, after the CA receives the encryption key pair and the public key parameter, decrypting, taking the encryption key pair and the public key parameter, adding the encryption public key into an extension field encryption key of the signature certificate in the X.509 format and the V2X format, adding the encryption public key parameter into the extension field encryption public key parameter of the signature certificate, and issuing the target feedback certificate by using the private key of the CA.
The encryption public key and encryption public key parameters in the encryption key pair may be written as two primary extensions to the signature certificate without the need to sign the encryption certificate separately.
Alternatively, the primary field of the extension may also be 3 items, including key usage, public key parameters, i.e. the added extension field "key usage" (extension usage field), the added key usage field having a value of "encryption", and the primary field "key usage" (original usage field) in the certificate having a value of "signature". If only 2 primary fields are extended, the extended key usage is considered to be a usage other than the main field "key usage".
It can be understood that if the certificate is based on the signature, the key application in the certificate displays the signature, the master key is the signature public key for verification, and the corresponding public key parameter is the signature public key parameter; an extended primary field is additionally added, the field names are "encryption public key", "encryption public key parameter", the field values are encryption public key and encryption public key parameter respectively, and the extended secret key is used for encryption. If the certificate is based on an encryption certificate as a main body, the application of a key in the certificate is displayed for encryption, the main key is an encryption public key for encryption, and the corresponding public key parameter is an encryption public key parameter; an extended primary field is additionally added, the fields are named as a signature verification public key (signature public key) and a signature verification public key parameter (signature public key parameter), the field values are respectively a signature verification public key (signature public key) and a signature verification public key parameter (signature public key parameter), and the extended secret key is used as a signature.
6. For the encryption key pair to be transmitted to the user in a digital envelope mode, a symmetrical key is generated, the encryption key pair is encrypted by the symmetrical key, the symmetrical key is encrypted by a signature public key in a signature key pair generated by the user, and the two encryption results are used for manufacturing the digital envelope. Alternatively, the KMC creates a digital envelope using the public signature key of the user generated signing key pair to the private encryption key of the KMC generated encryption key pair.
The ca returns a multi-type certificate (target feedback certificate), digital envelope, containing both the signed public key and the encrypted public key to the user.
At this time, when the certificate is returned to the user side, the encryption certificate is not required to be returned, so that the number of the digital certificates managed by the CA is halved, and the transmitted files are correspondingly reduced by 1/3.
8. The user receives and verifies the multi-type certificate containing the signature public key and the encryption public key; the decrypted digital envelope is taken to the encryption key pair and stored securely.
At this time, multiple types of certificates can be obtained through one application, and the certificates use the same key pair, so that the subsequent storage and use are convenient.
The reason for adding the primary extension field instead of adding the secondary extension field under the original primary field is that: the first-level extension field is shallower than the second-level extension field in resolution depth, so that the program can be rapidly positioned to the target field. The signature verification public key and the encryption public key can be directly analyzed by using a standard TLS (Transport Layer Security, secure transport layer protocol) protocol suite, and if a secondary extension field is used, customized development of the TLS protocol suite is required. And the second-level extension field and the original first-level field share a public key parameter field, so that the extended encrypted public key can be only generated under the specific public key parameter. Meanwhile, two primary fields of an encryption public key and an encryption public key parameter are added, so that the encryption public key parameter and the signature verification public key parameter are relatively independent, and more values of the encryption public key are determined.
The embodiment has the following technical effects: on the basis of satisfying the separation management of the signing key and the encryption key, the same signing key and encryption key are used for certificates in various formats, so that the storage space of the certificates and the keys is reduced, the use frequency of the certificates and the keys is improved, and the storage space is greatly saved especially in the scene of limited resources of equipment such as the Internet of things. In addition, the problem that the conventional SSL (Secure Socket Layer, secure socket layer protocol) channel is required to transmit the encrypted certificate and then transmit the signed certificate in the certificate use link, so that the problem of high certificate exchange frequency and exchange data volume is solved, and the certificate exchange frequency and the key exchange data volume are reduced by transmitting the certificates in multiple formats including double keys and a group of keys, so that the SSL channel is more efficient to establish. And by ensuring certificates containing double keys in various formats, the security of the certificates is improved, and the risk of program error reporting can be reduced.
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. As shown in fig. 5, the electronic device 400 includes one or more processors 401 and memory 402.
The processor 401 may be a Central Processing Unit (CPU) or other form of processing unit having data processing capabilities and/or instruction execution capabilities and may control other components in the electronic device 400 to perform desired functions.
Memory 402 may include one or more computer program products that may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. The volatile memory may include, for example, random Access Memory (RAM) and/or cache memory (cache), and the like. The non-volatile memory may include, for example, read Only Memory (ROM), hard disk, flash memory, and the like. On which one or more computer program instructions may be stored that may be executed by the processor 401 to implement the type-selective dual key certificate generation method and/or other desired functions of any of the embodiments of the present invention described above. Various content such as initial arguments, thresholds, etc. may also be stored in the computer readable storage medium.
In one example, the electronic device 400 may further include: an input device 403 and an output device 404, which are interconnected by a bus system and/or other forms of connection mechanisms (not shown). The input device 403 may include, for example, a keyboard, a mouse, and the like. The output device 404 may output various information to the outside, including early warning prompt information, braking force, etc. The output device 404 may include, for example, a display, speakers, a printer, and a communication network and remote output devices connected thereto, etc.
Of course, only some of the components of the electronic device 400 that are relevant to the present invention are shown in fig. 5 for simplicity, components such as buses, input/output interfaces, etc. are omitted. In addition, electronic device 400 may include any other suitable components depending on the particular application.
In addition to the methods and apparatus described above, embodiments of the invention may also be a computer program product comprising computer program instructions which, when executed by a processor, cause the processor to perform the steps of a type-selective double key certificate generation method provided by any of the embodiments of the invention.
The computer program product may write program code for performing operations of embodiments of the present invention in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device, partly on a remote computing device, or entirely on the remote computing device or server.
Furthermore, embodiments of the present invention may also be a computer-readable storage medium, having stored thereon computer program instructions which, when executed by a processor, cause the processor to perform the steps of the type-selective double key certificate generation method provided by any of the embodiments of the present invention.
The computer readable storage medium may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium may include, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random Access Memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the scope of the present application. As used in the specification and in the claims, the terms "a," "an," "the," and/or "the" are not specific to a singular, but may include a plurality, unless the context clearly dictates otherwise. The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method or apparatus comprising such elements.
It should also be noted that the positional or positional relationship indicated by the terms "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner", "outer", etc. are based on the positional or positional relationship shown in the drawings, are merely for convenience of describing the present invention and simplifying the description, and do not indicate or imply that the apparatus or element in question must have a specific orientation, be constructed and operated in a specific orientation, and thus should not be construed as limiting the present invention. Unless specifically stated or limited otherwise, the terms "mounted," "connected," and the like are to be construed broadly and may be, for example, fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the above terms in the present invention will be understood in specific cases by those of ordinary skill in the art.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some or all of the technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the essence of the corresponding technical solutions from the technical solutions of the embodiments of the present invention.

Claims (10)

1. A type-selective dual key certificate generation method, comprising:
responding to a certificate application request, analyzing the certificate application request, and determining a certificate type parameter; the certificate type parameters comprise single types and multiple types, wherein the single types represent that the certificate application request corresponds to the application of certificates in one format, and the multiple types represent that the certificate application request corresponds to the application of certificates in two formats;
acquiring at least two initial key certificates corresponding to the certificate application request under the condition that the certificate type parameters are of multiple types; wherein the certificate formats of the at least two initial key certificates comprise an X.509 format and a V2X format;
determining a signature public key carried by the certificate application request and a signature public key parameter corresponding to the signature public key according to the certificate application request;
receiving an encryption key pair called out from a spare key library and an encryption public key parameter corresponding to the encryption key pair; wherein the encryption key pair comprises an encryption public key and an encryption private key;
for each initial key certificate, determining a first-level field of a certificate original and a first-level field of a certificate extension according to the certificate purpose of the initial key certificate, and generating a target double-key certificate corresponding to the initial key certificate according to the first-level field of the certificate original, the first-level field of the certificate extension, the signature public key parameter, a first key purpose corresponding to the signature public key, the encryption public key parameter, a second key purpose corresponding to the encryption public key and the initial key certificate; wherein the number of public key usage fields in the target double-key certificate is one or two, if the number of public key usage fields is one, the public key usage fields include the first key usage and the second key usage, and if the number of public key usage fields is two, the two public key usage fields include the first key usage and the second key usage, respectively;
And combining the target double-key certificates corresponding to each initial key certificate to obtain a target feedback certificate corresponding to the certificate application request.
2. The method of claim 1, further comprising, after said determining said certificate type parameter:
acquiring an initial key certificate corresponding to the certificate application request under the condition that the certificate type parameter is of a single type;
if the certificate format of the initial key certificate is X.509 format, determining a signature public key carried by the certificate application request and a signature public key parameter corresponding to the signature public key according to the certificate application request, and receiving an encryption key pair called out from a standby key library and an encryption public key parameter corresponding to the encryption key pair; wherein the encryption key pair comprises an encryption public key and an encryption private key;
if the certificate format of the initial key certificate is in a V2X format, determining a signature public key carried by the certificate application request and a signature public key parameter corresponding to the signature public key according to the certificate application request, and receiving an encryption key pair called out from a standby key library and an encryption public key parameter corresponding to the encryption key pair; or determining a signature public key carried by the certificate application request, a signature public key parameter corresponding to the signature public key, an encryption key pair and an encryption public key parameter corresponding to the encryption key pair according to the certificate application request;
Determining a first-level field of a certificate original and a first-level field of a certificate extension according to the certificate application of the initial key certificate, and generating a target double-key certificate corresponding to the initial key certificate according to the first-level field of the certificate original, the first-level field of the certificate extension, the signature public key parameter, a first key application corresponding to the signature public key, the encryption public key parameter, a second key application corresponding to the encryption public key and the initial key certificate; wherein the number of public key usage fields in the target double-key certificate is one or two, if the number of public key usage fields is one, the public key usage fields include the first key usage and the second key usage, and if the number of public key usage fields is two, the two public key usage fields include the first key usage and the second key usage, respectively;
and taking the target double-key certificate corresponding to the initial key certificate as a target feedback certificate corresponding to the certificate application request.
3. The method according to claim 1 or 2, further comprising, after said receiving an encryption key pair called out from a spare key store and an encryption public key parameter corresponding to said encryption key pair:
Generating a symmetric key to be used, and encrypting the encryption private key based on the symmetric key to be used to obtain a first encryption result;
encrypting the symmetric key to be used based on the signature public key to obtain a second encryption result;
and generating a first digital envelope corresponding to the target feedback certificate according to the first encryption result and the second encryption result.
4. The method according to claim 1 or 2, further comprising, after said receiving an encryption key pair called out from a spare key store and an encryption public key parameter corresponding to said encryption key pair:
encrypting the encryption private key based on the signature public key to obtain a third encryption result;
and generating a second digital envelope corresponding to the target feedback certificate according to the third encryption result.
5. The method according to claim 1 or 2, wherein the certificate format of the initial key certificate is x.509 format, and the determining the original primary field of the certificate and the extended primary field of the certificate according to the certificate usage of the initial key certificate includes:
in the case that the certificate usage of the initial key certificate is signature, determining that the original primary field of the certificate includes a signature public key field, a signature public key parameter field and an original usage field, and determining that the original primary field of the certificate includes an encryption public key field, an encryption public key parameter field and an extension usage field.
6. The method of claim 5, wherein the generating the target double-key certificate corresponding to the initial-key certificate from the certificate original primary field, the certificate extension primary field, the signing public key parameter, a first key usage corresponding to the signing public key, the encryption public key parameter, a second key usage corresponding to the encryption public key, and the initial-key certificate, comprises:
writing the signature public key, the signature public key parameters and the first key application corresponding to the signature public key into the original primary fields of each certificate of the initial key certificate to obtain a first certificate to be expanded;
and expanding one-level fields of each certificate according to the first certificate to be expanded, and writing the encryption public key, the encryption public key parameter and the second key application corresponding to the encryption public key into each one-level field of each expansion of the first certificate to be expanded to obtain a target double-key certificate corresponding to the initial key certificate.
7. The method according to claim 1 or 2, wherein the certificate format of the initial key certificate is x.509 format, and the determining the original primary field of the certificate and the extended primary field of the certificate according to the certificate usage of the initial key certificate includes:
In the case that the certificate usage of the initial key certificate is encryption, determining that the original primary field of the certificate includes an encryption public key field, an encryption public key parameter field and an original usage field, and determining that the original primary field of the certificate includes a signature public key field, a signature public key parameter field and an extension usage field.
8. The method of claim 7, wherein the generating the target double-key certificate corresponding to the initial-key certificate from the certificate original primary field, the certificate extension primary field, the signing public key parameter, a first key usage corresponding to the signing public key, the encryption public key parameter, a second key usage corresponding to the encryption public key, and the initial-key certificate comprises:
writing the encryption public key, the encryption public key parameters and the second key application corresponding to the encryption public key into each certificate primary field of the initial key certificate to obtain a second certificate to be expanded;
and expanding one-level fields of each certificate according to the second certificate to be expanded, and writing the signature public key, the signature public key parameter and the first key application corresponding to the signature public key into the one-level fields of each expansion of the second certificate to be expanded to obtain a target double-key certificate corresponding to the initial key certificate.
9. An electronic device, the electronic device comprising:
a processor and a memory;
the processor is configured to perform the steps of the type-selective double key certificate generation method as claimed in any one of claims 1 to 8 by invoking a program or instruction stored in the memory.
10. A computer-readable storage medium storing a program or instructions that cause a computer to perform the steps of the type-selectable two-key certificate generation method as set forth in any one of claims 1 to 8.
CN202310422727.8A 2023-04-20 2023-04-20 Type-selectable double-key certificate generation method, electronic device and storage medium Active CN116155515B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310422727.8A CN116155515B (en) 2023-04-20 2023-04-20 Type-selectable double-key certificate generation method, electronic device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310422727.8A CN116155515B (en) 2023-04-20 2023-04-20 Type-selectable double-key certificate generation method, electronic device and storage medium

Publications (2)

Publication Number Publication Date
CN116155515A CN116155515A (en) 2023-05-23
CN116155515B true CN116155515B (en) 2023-07-28

Family

ID=86358561

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310422727.8A Active CN116155515B (en) 2023-04-20 2023-04-20 Type-selectable double-key certificate generation method, electronic device and storage medium

Country Status (1)

Country Link
CN (1) CN116155515B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6854056B1 (en) * 2000-09-21 2005-02-08 International Business Machines Corporation Method and system for coupling an X.509 digital certificate with a host identity

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3617789B2 (en) * 1999-05-26 2005-02-09 株式会社エヌ・ティ・ティ・データ Public key certificate issuance method, verification method, system, and recording medium
JP2002207427A (en) * 2001-01-10 2002-07-26 Sony Corp System and method for issuing public key certificate, information processor, information recording medium, and program storage medium
CN1787525A (en) * 2005-11-15 2006-06-14 上海格尔软件股份有限公司 Method for application of double certificate in SSL protocol
WO2011032261A1 (en) * 2009-09-09 2011-03-24 Research In Motion Limited System and method for providing credentials
US9660978B1 (en) * 2016-08-08 2017-05-23 ISARA Corporation Using a digital certificate with multiple cryptosystems
CN106453330B (en) * 2016-10-18 2019-11-12 深圳市金立通信设备有限公司 A kind of identity authentication method and system
CN111628860B (en) * 2019-02-28 2023-08-08 武汉信安珞珈科技有限公司 Method for generating digital certificate of double-key system and application method

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6854056B1 (en) * 2000-09-21 2005-02-08 International Business Machines Corporation Method and system for coupling an X.509 digital certificate with a host identity

Also Published As

Publication number Publication date
CN116155515A (en) 2023-05-23

Similar Documents

Publication Publication Date Title
US20210326442A1 (en) Host attestation
US20200336299A1 (en) Method and system for managing decentralized data access permissions through a blockchain
US10129034B2 (en) Signature delegation
US11134069B2 (en) Method for authorizing access and apparatus using the method
US20180183774A1 (en) Key distribution in a distributed computing environment
US9276749B2 (en) Distributed validation of digitally signed electronic documents
JP2021516495A (en) Key management methods, devices, systems, computer equipment and computer programs
US20100046749A1 (en) Content protection apparatus, and content utilization apparatus
KR20190035835A (en) Data processing method and device
US10237249B2 (en) Key revocation
JP2003503864A (en) Method and apparatus for authenticating a first instance and a second instance
US20140317401A1 (en) Server, system, and method for issuing mobile certificate
US8732481B2 (en) Object with identity based encryption
CN111355702B (en) Method and system for secure transmission of data sets, medical facility and program product
CN112887080A (en) SM 2-based key generation method and system
CN112000985B (en) Proxy re-encryption method and system with specified conditional keyword search function
CN116155515B (en) Type-selectable double-key certificate generation method, electronic device and storage medium
US20220407690A1 (en) Key ladder generating a device public key
KR20140148295A (en) Broadcast encryption method and system
CN114650181B (en) E-mail encryption and decryption method, system, equipment and computer readable storage medium
US11856091B2 (en) Data distribution system, data processing device, and program
CN112636909A (en) Key identification conversion method, system and medium
JP2010272899A (en) Key generating system, key generating method, blind server device, and program
CN117062079B (en) Digital certificate issuing method, device and storage medium
CN115664769B (en) Data transmission method, system, equipment and medium based on blockchain commitment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant