CN117579325A - Digital certificate verification method and related device - Google Patents

Publication number
CN117579325A
Authority
CN
China
Prior art keywords
certificate
verification
digital certificate
verified
digital
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311512370.9A
Other languages
Chinese (zh)
Inventor
万超波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jidu Technology Co Ltd
Original Assignee
Beijing Jidu Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Beijing Jidu Technology Co Ltd filed Critical Beijing Jidu Technology Co Ltd
Priority to CN202311512370.9A priority Critical patent/CN117579325A/en
Publication of CN117579325A publication Critical patent/CN117579325A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Abstract

The application discloses a digital certificate verification method and a related device, and relates to the technical field of information security. In the method, a server acquires a digital certificate to be verified in response to a data access request of a target object, and performs attribute information verification on the trust chain corresponding to the digital certificate to be verified, based on the certificate type associated with that certificate; when the attribute information verification of the trust chain passes, signature verification is performed in sequence on all the digital certificates in the trust chain; when the signature verification of all the digital certificates passes, identity validity verification is performed on the target object, and when the identity validity verification passes, the digital certificate to be verified is confirmed to have passed verification. In this way, by associating the digital certificate to be verified with its corresponding certificate type, the verification of the trust chain to which it belongs is completed step by step, so that digital certificates in various formats can be verified, which improves the universality of digital certificates of different formats in embedded systems.

Description

Digital certificate verification method and related device
Technical Field
The present disclosure relates to the field of information security technologies, and in particular, to a digital certificate verification method and a related device.
Background
The Internet of Vehicles refers to technologies and application modes that use modern communication and information technology to connect vehicles, roads, traffic facilities and other transportation tools, equipment and users, and to exchange information among them. Its development makes driving more convenient, vehicles more intelligent, and communication between vehicles and intelligent traffic systems more efficient, but it also raises more security problems.
For example, the Internet of Vehicles contains many sensors and processors, and the data they collect, including vehicle status, driving mode and traffic information, needs to be stored or transmitted. If this information is leaked or comes under network attack, it may threaten the privacy and property of the user.
In order to solve the data security problem, the latest ISO-14229 standard, the automotive industry's diagnostic communication protocol, defines a digital certificate authentication mechanism: a secure transmission protocol is adopted, a digital certificate security verification mechanism is added, and the access rights of the network end are limited.
However, due to the limitations of embedded systems, external requesters that request access to the data of an electronic control unit (Electronic Control Unit, ECU), such as original equipment manufacturers (Original Equipment Manufacturer, OEM), vehicle parts suppliers and vehicle repair shops, must all provide digital certificates in the same format when accessing the ECU data of the same vehicle so that the ECU can perform authentication. Each external requester therefore cannot define digital certificates in different formats for different usage scenarios, which limits the range of use of digital certificates and the implementation of digital certificate application technologies.
Disclosure of Invention
The application provides a digital certificate verification method and a related device, which are used for improving the universality of digital certificates with different formats in an embedded system.
In a first aspect, an embodiment of the present application provides a digital certificate verification method, where the method includes:
responding to a data access request of a target object, and acquiring a digital certificate to be verified, wherein the digital certificate to be verified and at least one superior certificate form a trust chain, and the superior certificate adjacent to the digital certificate to be verified is a publisher certificate of the digital certificate to be verified;
based on the certificate type associated with the digital certificate to be verified, verifying attribute information aiming at a trust chain corresponding to the digital certificate to be verified;
when the attribute information of the trust chain passes the verification, signature verification is sequentially carried out on all the digital certificates in the trust chain;
when the signature verification of all the digital certificates passes, the identity validity verification is carried out on the target object, and when the identity validity verification passes, the digital certificate to be verified is confirmed to pass.
In a second aspect, embodiments of the present application further provide a digital certificate verification apparatus, where the apparatus includes:
the acquisition module is used for responding to a data access request of a target object to acquire a digital certificate to be verified, wherein the digital certificate to be verified and at least one superior certificate form a trust chain, and the superior certificate adjacent to the digital certificate to be verified is a publisher certificate of the digital certificate to be verified;
The first verification module is used for verifying attribute information aiming at a trust chain corresponding to the digital certificate to be verified based on the certificate type associated with the digital certificate to be verified;
the second verification module is used for sequentially carrying out signature verification on all the digital certificates in the trust chain when the attribute information verification of the trust chain passes;
and the processing module is used for carrying out identity validity verification on the target object when the signature verification of all the digital certificates passes, and confirming that the digital certificates to be verified pass the verification when the identity validity verification passes.
Optionally, when verifying attribute information for the trust chain based on the certificate type associated with the digital certificate to be verified, the first verification module is configured to:
starting from the digital certificate to be verified, taking each digital certificate in the trust chain as a target digital certificate, and performing attribute information verification on the target digital certificate until the current target digital certificate is a root certificate, wherein in one attribute information verification process, the following operations are performed:
extracting an attribute information set of the target digital certificate based on the certificate type of the target digital certificate;
acquiring a publisher certificate of the target digital certificate based on the publisher information recorded in the target digital certificate, and determining a necessary attribute set corresponding to the digital certificate to be verified based on the publisher certificate;
and performing an integrity check on the attribute information set based on the necessary attribute set.
Optionally, when the integrity check is performed on the attribute information set based on the necessary attribute set, the first verification module is configured to:
if any one of the necessary attributes in the necessary attribute set is absent in the attribute information set, determining that the integrity check is not passed;
if the attribute information set contains all necessary attributes in the necessary attribute set, and each piece of attribute information in the attribute information set accords with a preset consistency rule with the corresponding necessary attribute, determining that the integrity check passes.
Optionally, when signature verification is performed on all digital certificates in the trust chain in sequence, the second verification module is configured to:
and carrying out signature verification on the root certificate, and when the signature verification passes, sequentially carrying out signature verification on the subordinate certificates of the root certificate until the digital certificate to be verified is verified.
Optionally, when verifying the identity validity of the target object, the processing module is configured to:
sending an initial verification value to a target object, and receiving an encrypted verification value returned after the target object encrypts the initial verification value by using a target private key;
and decrypting the encrypted verification value by adopting a target public key corresponding to the target private key, and if the decryption result is the same as the initial verification value, determining that the identity validity verification is passed.
Optionally, the processing module is further configured to:
if the attribute information of any one digital certificate in the trust chain fails to pass the integrity check, or if any one digital certificate in the trust chain fails to pass the signature verification, or if the identity validity verification fails, determining that the digital certificate to be verified fails to pass the verification.
Optionally, the processing module is further configured to:
responding to a certificate replacement request of a target object, acquiring a new digital certificate to be verified and a corresponding authority certificate, and verifying the authority certificate, wherein the authority certificate is a special certificate for acquiring a certificate replacement authority;
if the authority certificate passes the verification, verifying the new digital certificate to be verified, and when the verification passes, storing at least one superior certificate corresponding to the new digital certificate to be verified.
In a third aspect, embodiments of the present application provide an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method according to any one of the first aspects when executing the computer program.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method according to any of the first aspects.
In a fifth aspect, embodiments of the present application provide a computer program product which, when invoked by a computer, causes the computer to perform the method according to the first aspect.
In the embodiment of the application, a server responds to a data access request of a target object, acquires a digital certificate to be verified, and performs attribute information verification on a trust chain corresponding to the digital certificate to be verified based on a certificate type associated with the digital certificate to be verified; when the attribute information of the trust chain passes the verification, signature verification is sequentially carried out on all the digital certificates in the trust chain; when the signature verification of all the digital certificates passes, the identity validity verification is carried out on the target object, and when the identity validity verification passes, the digital certificate to be verified is confirmed to pass.
In this way, by associating the digital certificate to be verified with its corresponding certificate type and determining the attribute information of the digital certificate to be verified based on that certificate type, the verification of the trust chain to which the certificate belongs can be completed step by step, so that the digital certificate to be verified can be verified without any restriction on the specific content of the certificate. Data security is ensured, and at the same time each requesting party can define certificates in different formats for different usage scenarios, which improves the universality of digital certificates of different formats in embedded systems.
Drawings
Fig. 1 is a schematic diagram of a possible application scenario in an embodiment of the present application;
FIG. 2 is a flowchart of a digital certificate verification method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a trust chain according to an embodiment of the present application;
FIG. 4 is a schematic diagram of another trust chain in an embodiment of the present application;
FIG. 5 is a flowchart of a method for verifying attribute information according to an embodiment of the present application;
FIG. 6 is a flowchart of a digital certificate replacement method according to an embodiment of the present application;
FIG. 7 is a schematic diagram of a digital certificate verification method according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a digital certificate verification device in an embodiment of the present application;
fig. 9 is a schematic structural diagram of an electronic device in an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the technical solutions of the present application, but not all embodiments. All other embodiments, which can be made by a person of ordinary skill in the art without any inventive effort, based on the embodiments described in the present application are intended to be within the scope of the technical solutions of the present application.
The terms first, second and the like in the description and in the claims of the present application and in the above-described figures, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be capable of operation in sequences other than those illustrated or otherwise described.
Some of the terms in the embodiments of the present application are explained below to facilitate understanding by those skilled in the art.
(1) Electronic control unit (Electronic Control Unit, ECU): the ECU is composed of a microprocessor, memory, I/O interfaces, an A/D converter, and large-scale integrated circuits for shaping and driving.
(2) Original equipment manufacturer (Original Equipment Manufacturer, OEM): refers to one manufacturer producing products and product accessories according to the requirements of another manufacturer; also called badge (private-label) production or authorized badge production.
(3) Root certificate: the certificate obtained by the root certificate authority digitally signing its own public key is called the root certificate and is the origin of the trust chain.
(4) Intermediate certificate: the certificate obtained by the root certificate authority digitally signing the public key of an intermediate certificate authority is called an intermediate certificate. The intermediate certificate is proved to be reliable by the root certificate, and one trust chain may have no intermediate certificate or a plurality of intermediate certificates.
(5) User certificate, also known as a leaf certificate: a certificate issued to a user by the issuing authority of the last-level intermediate certificate, which proves it trustworthy.
The following briefly describes the design concept of the embodiment of the present application:
In the development of automotive electronic software, the management of data access authority is in a semi-open state: conventionally, the security algorithm and key related to the data are disclosed only to automobile parts suppliers or development and test personnel, the algorithm and key are updated on the production line, and the update record is permanently recorded in the ECU. As a result, the algorithm and key are easy to crack, and the identity legitimacy of the holder of the algorithm and key cannot be verified.
With the development of the automobile networking technology, the conventional security mechanism cannot meet the security requirement, so in the ISO-14229 standard, a mechanism for authenticating a digital certificate is defined. The digital certificate can effectively solve the safety requirements of identity authentication, message safety transmission, code safety and the like in the intelligent network-connected automobile communication process.
However, due to the limitations of embedded systems, the ECU is provided only with a component that processes digital certificates in one specific format. External requesters that request access to ECU data, such as OEMs, vehicle parts suppliers and vehicle repair shops, must all provide digital certificates in the same format when accessing the ECU data of the same vehicle, so that the ECU can verify them according to a specific rule. Each external requester therefore cannot define digital certificates in different formats for different usage scenarios, which limits the range of application of digital certificates and the implementation of digital certificate application technologies.
In view of this, in the embodiments of the present application, a digital certificate verification method and related apparatus are provided.
In the embodiment of the application, a server responds to a data access request of a target object to acquire a digital certificate to be verified, and performs attribute information verification on a trust chain corresponding to the digital certificate to be verified based on a certificate type associated with the digital certificate to be verified; when the attribute information of the trust chain passes the verification, signature verification is sequentially carried out on all the digital certificates in the trust chain; when the signature verification of all the digital certificates passes, the identity validity verification is carried out on the target object, and when the identity validity verification passes, the digital certificate to be verified is confirmed to pass.
In this way, by associating the digital certificate to be verified with its corresponding certificate type and determining the attribute information of the digital certificate to be verified based on that certificate type, the verification of the trust chain to which the certificate belongs can be completed step by step, so that the digital certificate to be verified can be verified without any restriction on the specific content of the certificate. Data security is ensured, and at the same time each requesting party can define certificates in different formats for different usage scenarios, which improves the universality of digital certificates of different formats in embedded systems.
The preferred embodiments of the present application will be described below with reference to the accompanying drawings of the specification, it being understood that the preferred embodiments described herein are for illustration and explanation only, and are not intended to limit the present application, and embodiments and features of embodiments of the present application may be combined with each other without conflict.
Fig. 1 is a schematic diagram of a possible application scenario in the embodiment of the present application.
The application scenario includes terminal devices 110 (including terminal device 1101, terminal device 1102, …, terminal device 110n) and a server 120, where the terminal devices 110 and the server 120 may communicate through a communication network.
In an alternative embodiment, the communication network may be a wired network or a wireless network. Accordingly, the terminal device 110 and the server 120 may be directly or indirectly connected through wired or wireless communication. For example, the terminal device 110 may be indirectly connected to the server 120 through a wireless access point, or the terminal device 110 may be directly connected to the server 120 through the internet, which is not limited herein.
In the embodiment of the present application, the terminal device 110 includes, but is not limited to, a mobile phone, a tablet computer, a notebook computer, a desktop computer, an electronic book reader, an intelligent voice interaction device, an intelligent home appliance, a vehicle-mounted terminal, and the like; the terminal device can be provided with various clients, and the clients can be application programs (such as a browser, game software and the like) supporting functions of video preview, video playing and the like, web pages, applets and the like;
the server 120 is a backend server corresponding to a client installed in the terminal apparatus 110. The server 120 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or may be a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, a content delivery network (Content Delivery Network, CDN), basic cloud computing services such as big data and an artificial intelligence platform.
It should be noted that, the digital certificate verification method in the embodiment of the present application may be performed by an electronic device, which may be the server 120 or the terminal device 110, that is, the method may be performed by the server 120 or the terminal device 110 alone, or may be performed by both the server 120 and the terminal device 110 together.
In the following, execution by the server alone is mainly used as an example, but the application is not limited thereto.
It should be noted that the numbers of terminal devices 110 and servers 120 shown in fig. 1 are for illustration only; in practice the numbers are not limited, and they are not specifically limited in the embodiments of the present application.
In the embodiment, when the number of servers 120 is plural, plural servers 120 may be configured as a blockchain, and the servers 120 are nodes on the blockchain.
Referring to fig. 2, which is a flowchart of a digital certificate verification method in an embodiment of the present application, the method is applied to a vehicle ECU, and the steps executed are described in detail below in conjunction with fig. 2:
Step S201: In response to the data access request of the target object, acquire the digital certificate to be verified.
The digital certificate to be verified and at least one superior certificate form a trust chain, and the superior certificate adjacent to the digital certificate to be verified is a publisher certificate of the digital certificate to be verified.
Specifically, in the embodiment of the present application, the target object may be a third party responsibility entity such as an OEM, an automobile parts provider, an automobile repair shop, or an individual user, which is not limited in this application.
When the target object wants to access the data stored in the ECU, it must provide its user certificate for the ECU to verify, after which the data access authority is activated.
For example, referring to fig. 3, which is a schematic diagram of a trust chain in an embodiment of the present application, a plurality of intermediate certificates are included between the user certificate and the root certificate, and throughout the trust chain the digital certificates of each level are connected in series one by one.
For another example, referring to fig. 4, which is a schematic diagram of another trust chain in an embodiment of the present application, one root certificate corresponds to a plurality of intermediate certificates and each intermediate certificate corresponds to a user certificate. Each path from the root certificate to a user certificate is a trust chain, and when a user certificate is verified, only the trust chain to which that user certificate belongs needs to be verified.
In addition, one trust chain may consist of a root certificate and a user certificate. The root certificate is a certificate issued to the user by a trusted certificate issuing authority and is the starting point of the trust chain; whether a root certificate is trusted is determined mainly by searching the trusted list of the browser's root certificate library for that root certificate.
Step S202: Verify attribute information for the trust chain corresponding to the digital certificate to be verified, based on the certificate type associated with the digital certificate to be verified.
In this embodiment of the present application, before sending the digital certificate to be verified to the ECU, the target object has already grouped all user certificates into certificate sets according to certificate type and associated each user certificate with its corresponding certificate type for the ECU to identify. It can be understood that, once the user certificates are classified by certificate type, the trust chains corresponding to those user certificates also logically form a certificate group.
The root certificate and the intermediate certificate are generally installed in the software of the ECU in advance and stored in the DFflash or EEPROM, so that support is provided for subsequent certificate updating and replacement.
After the ECU receives the digital certificate to be verified provided by the target object, a verification process for that certificate is triggered, and the server first verifies the attribute information of the trust chain corresponding to the digital certificate to be verified.
Specifically, the server starts from the digital certificate to be verified, sequentially takes each digital certificate in the trust chain as a target digital certificate, and verifies attribute information of the target digital certificate until the current target digital certificate is a root certificate.
For example, assume that the trust chain to which the digital certificate to be verified belongs includes a root certificate, an intermediate certificate and a user certificate, wherein the user certificate is the digital certificate to be verified, the server first uses the user certificate as a target digital certificate and performs attribute information verification on the user certificate, and when the attribute information verification on the user certificate passes, uses the intermediate certificate as the target digital certificate and performs attribute information verification on the intermediate certificate, and then uses the root certificate as the target digital certificate, thereby completing the attribute information verification process on the trust chain.
Referring to fig. 5, which is a flowchart of an attribute information verification method in an embodiment of the present application, with reference to fig. 5, the following details of steps specifically executed in a primary attribute information verification process are described:
step S501: and extracting the attribute information set of the target digital certificate based on the certificate type of the target digital certificate.
Specifically, in the embodiment of the present application, based on the certificate type of the target digital certificate, the server may obtain the element IDs defined in advance by the target digital certificate, and extract the elements corresponding to each ID one by one, where the element includes the data type, the data length, the numerical value, and the like of the element in the certificate, so as to obtain the attribute information set of the target digital certificate.
It should be noted that, in the embodiment of the present application, the digital certificates of the same type specifically have the same element ID, that is, the digital certificate result is obtained based on the element ID in each digital certificate.
After the attribute information set of the target digital certificate is acquired, whether the attribute information is legal or not can be checked according to a specific check rule, for example, whether the certificate is out of date or not can be judged according to the current real time aiming at the validity period attribute of the certificate.
Step S502: Based on the publisher information recorded in the target digital certificate, obtain the publisher certificate of the target digital certificate, and based on the publisher certificate, determine a necessary attribute set corresponding to the digital certificate to be verified.
Further, based on the publisher information recorded in the target digital certificate, the server acquires the issuer certificate of the target digital certificate, also called its upper-level certificate. Because the target digital certificate is issued by its upper-level certificate, the code of the issuer certificate is recorded in the target digital certificate, and the corresponding issuer certificate can be retrieved from the stored certificate store using that code.
The issuer certificate defines the necessary attribute set of the target digital certificate, and based on this necessary attribute set, the validity of the attribute information set of the target digital certificate can be preliminarily judged.
Step S503: Perform an integrity check on the attribute information set based on the necessary attribute set.
Specifically, in the embodiment of the present application, when the server performs the integrity check on the attribute information set based on the necessary attribute set, if any one of the necessary attributes in the necessary attribute set is absent from the attribute information set, it determines that the integrity check is not passed.
For example, if the necessary attribute set specified in the issuer certificate includes a certificate serial number, and the attribute information set of the target digital certificate lacks a certificate serial number, it is determined that the integrity check of the attribute information set of the target digital certificate is not passed.
If the attribute information set contains all necessary attributes in the necessary attribute set, and each piece of attribute information in the attribute information set satisfies a preset consistency rule with respect to the corresponding necessary attribute, it is determined that the integrity check passes.
For example, where the attribute information set contains all the necessary attributes in the necessary attribute set, if the subject name in the attribute information set differs from the subject name recorded in the necessary attribute set, it is determined that the integrity check is not passed.
For another example, if the validity period item in the attribute information set is the same as the validity period in the necessary attribute set, but the current time exceeds the specified period, it is determined that the integrity check is not passed.
In some alternative embodiments, content in the attribute information set that is not identical to the content specified by the necessary attribute set but is within a reasonable range can be regarded as passing the verification; that is, the consistency rule in the application can be defined according to actual needs.
Step S203: When the attribute information verification of the trust chain passes, perform signature verification on all the digital certificates in the trust chain in sequence.
Further, after the server, starting from the user certificate, has verified the attribute information of all the digital certificates in the trust chain except the root certificate, it goes on to perform signature verification on all the digital certificates in the trust chain in sequence, starting from the root certificate.
Specifically, the server starts from the root certificate and performs signature verification on it; when that verification passes, it performs signature verification on the certificates below the root certificate in turn, until the digital certificate to be verified has been verified.
A digital certificate is considered valid only if its signature verification passes, and the user certificate is considered trusted only if all digital certificates on the entire certificate trust chain are valid.
It should be noted that verifying the root certificate generally means determining whether the root certificate exists in the trusted list of the root certificate repository, so the step of signature verification of the root certificate may be replaced by a lookup in the browser's trusted root certificate list.
Step S204: When the signature verification of all the digital certificates passes, perform identity validity verification on the target object, and when the identity validity verification passes, confirm that the digital certificate to be verified passes verification.
When the signature verification of all the digital certificates passes, this indicates that the digital certificate to be verified is valid. To further guarantee data security, the server can verify the identity legitimacy of the target object that provided the digital certificate to be verified, thereby avoiding the risk of data leakage caused by a stolen digital certificate.
Specifically, the server sends an initial verification value to the target object and receives the encrypted verification value that the target object returns after encrypting the initial verification value with a target private key. The server then decrypts the encrypted verification value with the target public key corresponding to the target private key, and if the decryption result is the same as the initial verification value, it determines that the identity validity verification passes. This completes the verification flow, and the digital certificate to be verified is confirmed to pass verification.
For example, the server selects a random number as challenge data and sends it to the target object. After receiving the challenge data, the target object encrypts it with its private key and returns it to the server. The server decrypts the encrypted data with the public key corresponding to the private key and compares the decryption result with the initial challenge data; if they are the same, it determines that the identity validity verification for the target object passes.
At this time, the server may activate the access right for the target data in the digital certificate to be verified, send response data to the target object, and grant the target object access to the target data.
In another alternative embodiment, if the attribute information of any one of the digital certificates in the trust chain fails the integrity check, or if any one of the digital certificates in the trust chain fails the signature verification, or if the identity validity verification fails, it is determined that the digital certificate to be verified fails the verification.
At this time, the server sends response data to the target object and denies the target object access to the target data.
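The challenge exchange of step S204, as an added Go example (not code from the patent). It assumes an Ed25519 signature in place of the private-key encryption the text describes, a 32-byte challenge and a hypothetical context label; `Verifier`, `Respond` and `Demo` are illustrative names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// challengeContext is a hypothetical domain-separation label: the target object never
// signs a bare server-chosen value, so its key is not a general signing oracle.
const challengeContext = "ecu-access-challenge-v1:"

var (
	ErrChallenge = errors.New("challenge unknown, expired or already used")
	ErrResponse  = errors.New("response does not verify under the certificate's public key")
)

// Verifier is the ECU/server side. It is not safe for concurrent use.
type Verifier struct {
	ttl     time.Duration
	pending map[string]time.Time // outstanding challenge -> expiry
}

func NewVerifier(ttl time.Duration) *Verifier {
	return &Verifier{ttl: ttl, pending: map[string]time.Time{}}
}

// Challenge returns a fresh random "initial verification value" and remembers it.
func (v *Verifier) Challenge(now time.Time) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, fmt.Errorf("no randomness available: %w", err)
	}
	v.pending[string(nonce)] = now.Add(v.ttl)
	return nonce, nil
}

// Check consumes the challenge and verifies the response with the public key taken
// from the certificate that has already passed chain verification.
func (v *Verifier) Check(certKey ed25519.PublicKey, nonce, resp []byte, now time.Time) error {
	expiry, ok := v.pending[string(nonce)]
	delete(v.pending, string(nonce)) // single use, whatever the outcome
	if !ok || now.After(expiry) {
		return ErrChallenge
	}
	msg := append([]byte(challengeContext), nonce...)
	if len(certKey) != ed25519.PublicKeySize || !ed25519.Verify(certKey, msg, resp) {
		return ErrResponse
	}
	return nil
}

// Respond is the target object's side: it proves possession of the private key.
func Respond(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, append([]byte(challengeContext), nonce...))
}

// Demo runs three constructed cases: the legitimate holder, a replay of the same
// response, and a party that presents the certificate but holds a different key.
func Demo() (holder, replay, thief error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // key pair bound to the certificate
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	v, now := NewVerifier(5*time.Second), time.Now()

	n1, _ := v.Challenge(now)
	r1 := Respond(priv, n1)
	holder = v.Check(pub, n1, r1, now)
	replay = v.Check(pub, n1, r1, now) // same challenge presented a second time

	n2, _ := v.Challenge(now)
	thief = v.Check(pub, n2, Respond(otherPriv, n2), now)
	return holder, replay, thief
}

func main() {
	fmt.Println(Demo())
}
```

The stolen-certificate case fails because possession of the certificate alone does not yield a valid response, which is the risk this step is meant to close.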
In addition, building on the digital certificate verification method provided by the embodiment of the application, the embodiment of the application also provides a digital certificate replacement method.
Specifically, fig. 6 is a flowchart of a digital certificate replacement method in an embodiment of the present application, which includes:
Step S601: In response to a certificate replacement request of the target object, acquire a new digital certificate to be verified and a corresponding authority certificate, and verify the authority certificate.
The authority certificate is a special certificate for acquiring certificate replacement authority.
For example, when a user certificate or an intermediate certificate in a trust chain expires or is compromised, the expired or compromised certificate needs to be replaced in order to ensure data security and preserve the user's access rights to the data.
In this embodiment of the present application, when the target object wants to replace a certificate, it needs to provide a new user certificate for the ECU to verify. Before the replacement with the new user certificate, the authority certificate must be presented, and only after the ECU has verified the authority certificate using the digital certificate verification method described above does the target object obtain certificate replacement authority.
Step S602: If the authority certificate passes verification, verify the new digital certificate to be verified, and when that verification passes, store at least one superior certificate corresponding to the new digital certificate to be verified.
Further, after the target object obtains the certificate replacement authority, the server verifies the new user certificate using the method described above. When the verification passes, the server determines that the new user certificate is valid and reliable, and stores the intermediate certificate in the trust chain to which the new user certificate belongs.
It should be noted that the root certificate in a trust chain is generally a digital certificate in the certificate whitelist, and it expires or is compromised less often than an intermediate certificate or a user certificate. The root certificate is therefore less likely to be replaced, and usually only the intermediate certificate and the user certificate are replaced during certificate replacement.
The above embodiments are described in further detail below through a specific application scenario.
Fig. 7 is a logic flow diagram of a digital certificate verification method according to an embodiment of the present application, wherein:
Step S701: Acquire the digital certificate to be verified.
Step S702: Acquire the attribute information set of the current target digital certificate.
Step S703: Determine the necessary attribute set for the current target digital certificate.
Step S704: Determine whether the integrity check of the attribute information set passes; if so, execute step S705, otherwise execute step S715.
Step S705: Update the current target digital certificate based on the superior certificate.
Step S706: Determine whether the current target digital certificate is the root certificate; if so, execute step S708, otherwise execute step S707.
Step S707: Read the superior certificate, then return to step S704.
Step S708: Read the lower-level certificate.
Step S709: Perform signature verification.
Step S710: Determine whether the signature verification passes; if so, execute step S711, otherwise execute step S715.
Step S711: Determine whether the current digital certificate is the digital certificate to be verified; if so, execute step S712, otherwise return to step S708.
Step S712: Verify the identity legitimacy of the target object.
Step S713: Determine whether the identity validity verification passes; if so, execute step S714, otherwise execute step S715.
Step S714: Activate the data access rights.
Step S715: Deny data access.
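Steps S702 to S711 of this flow, as an added Go example (not code from the patent): the attribute pass runs from the user certificate upwards, the signature pass from the root downwards. The `Cert` record, the Ed25519 signatures, the expiry check as the only consistency rule, and all names and sample values are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Cert is a simplified certificate record constructed for this example.
type Cert struct {
	Type, Subject, Issuer string            // Issuer is the code used to look up the issuer certificate
	Attrs                 map[string]string // attribute information set: element ID -> value
	Required              []string          // necessary attribute set imposed on certificates it issues
	NotAfter              time.Time
	PubKey                ed25519.PublicKey
	Sig                   []byte // issuer's signature over tbs()
}

// Store models the root and intermediate certificates pre-installed on the ECU, keyed by subject.
type Store map[string]*Cert

var ErrDenied = errors.New("data access denied") // S715; every failure path wraps it
const maxDepth = 8                               // bounds the upward walk so a cyclic store cannot loop forever

// tbs is the byte string the issuer signs; fmt prints map keys sorted, so it is deterministic.
func (c *Cert) tbs() []byte {
	return []byte(fmt.Sprintf("%q|%q|%q|%d|%x|%q|%q", c.Type, c.Subject, c.Issuer, c.NotAfter.Unix(), c.PubKey, c.Required, c.Attrs))
}

// checkAttributes is the first pass (S702-S707): from the leaf upwards until the root is reached.
func checkAttributes(leaf *Cert, store Store, now time.Time) ([]*Cert, error) {
	chain := []*Cert{leaf}
	for cur := leaf; cur.Issuer != cur.Subject; {
		issuer, ok := store[cur.Issuer]
		if !ok || len(chain) >= maxDepth {
			return nil, fmt.Errorf("%w: no usable issuer for %q", ErrDenied, cur.Subject)
		}
		for _, id := range issuer.Required { // every necessary attribute must be present
			if _, ok := cur.Attrs[id]; !ok {
				return nil, fmt.Errorf("%w: %q lacks attribute %q", ErrDenied, cur.Subject, id)
			}
		}
		if now.After(cur.NotAfter) { // consistency rule used here: validity period
			return nil, fmt.Errorf("%w: %q has expired", ErrDenied, cur.Subject)
		}
		chain = append(chain, issuer)
		cur = issuer
	}
	return chain, nil
}

// verifySignatures is the second pass (S708-S711): from the root downwards to the leaf.
func verifySignatures(chain []*Cert, store Store) error {
	root := chain[len(chain)-1]
	if store[root.Subject] != root { // the anchor must be the pre-installed root itself
		return fmt.Errorf("%w: root %q is not a trusted anchor", ErrDenied, root.Subject)
	}
	for i := len(chain) - 2; i >= 0; i-- {
		if !ed25519.Verify(chain[i+1].PubKey, chain[i].tbs(), chain[i].Sig) {
			return fmt.Errorf("%w: bad signature on %q", ErrDenied, chain[i].Subject)
		}
	}
	return nil
}

// VerifyChain runs both passes; nil means the flow may continue to identity verification (S712).
func VerifyChain(leaf *Cert, store Store, now time.Time) error {
	chain, err := checkAttributes(leaf, store, now)
	if err == nil {
		err = verifySignatures(chain, store)
	}
	return err
}

// newCert makes a key pair and a certificate signed by signer (nil means self-signed).
func newCert(subject, issuer string, attrs map[string]string, required []string, signer ed25519.PrivateKey) (*Cert, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo keys only
	c := &Cert{Type: "diag", Subject: subject, Issuer: issuer, Attrs: attrs, Required: required, NotAfter: time.Now().Add(24 * time.Hour), PubKey: pub}
	if signer == nil {
		signer = priv
	}
	c.Sig = ed25519.Sign(signer, c.tbs())
	return c, priv
}

// DemoPKI builds a constructed root -> intermediate -> user chain.
func DemoPKI() (Store, *Cert) {
	root, rootKey := newCert("root", "root", nil, []string{"serial"}, nil)
	mid, midKey := newCert("mid", "root", map[string]string{"serial": "02"}, []string{"serial", "vin"}, rootKey)
	user, _ := newCert("tester", "mid", map[string]string{"serial": "03", "vin": "DEMO-VIN"}, nil, midKey)
	return Store{"root": root, "mid": mid}, user
}

func main() {
	store, user := DemoPKI()
	fmt.Println("chain verification error:", VerifyChain(user, store, time.Now()))
}
```

A self-signed certificate that is not the stored root passes the attribute pass trivially (it has no issuer to impose attributes) and is stopped only by the anchor check in the second pass, so neither pass can be skipped.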
In summary, in the embodiment of the present application, the target object groups digital certificates of the same certificate type at the design stage and associates the corresponding certificate type with them. When the ECU server verifies the digital certificate to be verified, the attribute information of the digital certificate to be verified can be determined based on the certificate type, so that verification of the trust chain is completed step by step.
Furthermore, although the operations of the methods of the present application are depicted in the drawings in a particular order, this does not require or imply that the operations must be performed in that particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps may be combined into one step, and/or one step may be split into multiple steps.
Based on the same technical concept, referring to fig. 8, an embodiment of the present application further provides a digital certificate verification apparatus, where the apparatus includes:
an obtaining module 801, configured to obtain a digital certificate to be verified in response to a data access request of a target object, where the digital certificate to be verified and at least one superior certificate form a trust chain, and the superior certificate adjacent to the digital certificate to be verified is the publisher certificate of the digital certificate to be verified;
a first verification module 802, configured to verify attribute information for the trust chain corresponding to the digital certificate to be verified, based on the certificate type associated with the digital certificate to be verified;
a second verification module 803, configured to sequentially perform signature verification on all digital certificates in the trust chain when the attribute information verification of the trust chain passes;
a processing module 804, configured to perform identity validity verification on the target object when all the digital certificates pass signature verification, and to confirm that the digital certificate to be verified passes verification when the identity validity verification passes.
Optionally, when verifying attribute information for a trust chain based on a certificate type associated with a digital certificate to be verified, the first verification module 802 is configured to:
starting from the digital certificate to be verified, take each digital certificate in the trust chain in turn as a target digital certificate and perform attribute information verification on the target digital certificate until the current target digital certificate is the root certificate, wherein in one attribute information verification process the following operations are performed:
extracting an attribute information set of the target digital certificate based on the certificate type of the target digital certificate;
acquiring a publisher certificate of the target digital certificate based on the publisher information recorded in the target digital certificate, and determining a necessary attribute set corresponding to the digital certificate to be verified based on the publisher certificate;
performing an integrity check on the attribute information set based on the necessary attribute set.
Optionally, when the integrity check is performed on the attribute information set based on the necessary attribute set, the first verification module 802 is configured to:
if any one of the necessary attributes in the necessary attribute set is absent from the attribute information set, determine that the integrity check is not passed;
if the attribute information set contains all necessary attributes in the necessary attribute set, and each piece of attribute information in the attribute information set satisfies a preset consistency rule with respect to the corresponding necessary attribute, determine that the integrity check passes.
Optionally, when signature verification is performed on all digital certificates in the trust chain in sequence, the second verification module 803 is configured to:
perform signature verification on the root certificate, and when that signature verification passes, sequentially perform signature verification on the certificates below the root certificate until the digital certificate to be verified has been verified.
Optionally, when verifying the identity validity of the target object, the processing module 804 is configured to:
send an initial verification value to the target object, and receive the encrypted verification value returned after the target object encrypts the initial verification value with a target private key;
decrypt the encrypted verification value with the target public key corresponding to the target private key, and if the decryption result is the same as the initial verification value, determine that the identity validity verification passes.
Optionally, the processing module 804 is further configured to:
if the attribute information of any one digital certificate in the trust chain fails the integrity check, or if any one digital certificate in the trust chain fails the signature verification, or if the identity validity verification fails, determine that the digital certificate to be verified fails verification.
Optionally, the processing module 804 is further configured to:
in response to a certificate replacement request of the target object, acquire a new digital certificate to be verified and a corresponding authority certificate, and verify the authority certificate, wherein the authority certificate is a special certificate for acquiring certificate replacement authority;
if the authority certificate passes verification, verify the new digital certificate to be verified, and when that verification passes, store at least one superior certificate corresponding to the new digital certificate to be verified.
Based on the same technical concept, the embodiment of the application also provides electronic equipment, and the electronic equipment can realize the method flow of digital certificate verification provided by the embodiment of the application.
In one embodiment, the electronic device may be a server, a terminal device, or other electronic device.
Referring to fig. 9, the electronic device may include:
at least one processor 901, and a memory 902 connected to the at least one processor 901. The specific connection medium between the processor 901 and the memory 902 is not limited in the embodiment of the present application; in fig. 9, the processor 901 and the memory 902 are connected by a bus 900 as an example. The bus 900 is shown as a bold line in fig. 9, and the manner in which other components are connected is illustrated schematically and not by way of limitation. The bus 900 may be divided into an address bus, a data bus, a control bus, etc.; it is represented by only one thick line in fig. 9 for convenience, but this does not mean that there is only one bus or one type of bus. The processor 901 may also be referred to as a controller; the name is not limited.
In the embodiment of the present application, the memory 902 stores instructions executable by the at least one processor 901, and the at least one processor 901 may perform a digital certificate verification method as previously discussed by executing the instructions stored in the memory 902. The processor 901 may implement the functions of the respective modules in the apparatus shown in fig. 8.
The processor 901 is the control center of the apparatus. It may connect the various parts of the entire control device using various interfaces and lines, and it performs the various functions of the apparatus and processes data by running or executing instructions stored in the memory 902 and invoking data stored in the memory 902, thereby monitoring the apparatus as a whole.
In one possible design, processor 901 may include one or more processing units, and processor 901 may integrate an application processor that primarily processes operating systems, user interfaces, application programs, and the like, and a modem processor that primarily processes wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 901. In some embodiments, processor 901 and memory 902 may be implemented on the same chip, and in some embodiments they may be implemented separately on separate chips.
The processor 901 may be a general purpose processor such as a CPU, a digital signal processor, an application specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, and may implement or perform the methods, steps and logic blocks disclosed in embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the digital certificate verification method disclosed in connection with the embodiments of the present application may be performed directly by a hardware processor, or by a combination of hardware and software modules in the processor.
The memory 902, as a non-volatile computer-readable storage medium, can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. The memory 902 may include at least one type of storage medium, for example flash memory, hard disk, multimedia card, card memory, random access memory (RAM), static random access memory (SRAM), programmable read-only memory (PROM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), magnetic memory, magnetic disk, optical disk, and the like. The memory 902 may be, but is not limited to, any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 902 of the present embodiment may also be circuitry or any other device capable of implementing a memory function, for storing program instructions and/or data.
By programming the processor 901, the code corresponding to the digital certificate verification method described in the foregoing embodiments may be burned into the chip, so that the chip can execute the steps of the digital certificate verification method of the embodiment shown in fig. 2 at runtime. How to design and program the processor 901 is a technology well known to those skilled in the art, and will not be described in detail herein.
Based on the same inventive concept, the embodiments of the present application also provide a storage medium storing computer instructions that, when executed on a computer, cause the computer to perform a digital certificate verification method as previously discussed.
In some possible embodiments, aspects of a digital certificate verification method may also be implemented in the form of a program product comprising program code for causing a control apparatus to carry out the steps of a digital certificate verification method according to the various exemplary embodiments of the application as described herein above when the program product is run on a device.
It should be noted that although several units or sub-units of the apparatus are mentioned in the above detailed description, such a division is merely exemplary and not mandatory. Indeed, the features and functions of two or more of the elements described above may be embodied in one element in accordance with embodiments of the present application. Conversely, the features and functions of one unit described above may be further divided into a plurality of units to be embodied.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.

Claims (11)

1. A digital certificate verification method, comprising:
acquiring a digital certificate to be verified in response to a data access request of a target object, wherein the digital certificate to be verified and at least one superior certificate form a trust chain, and the superior certificate adjacent to the digital certificate to be verified is a publisher certificate of the digital certificate to be verified;
verifying attribute information for the trust chain corresponding to the digital certificate to be verified, based on the certificate type associated with the digital certificate to be verified;
when the attribute information verification of the trust chain passes, sequentially performing signature verification on all digital certificates in the trust chain;
and when the signature verification of all the digital certificates passes, performing identity validity verification on the target object, and when the identity validity verification passes, confirming that the digital certificate to be verified passes verification.
2. The method of claim 1, wherein the verifying attribute information for the trust chain based on the certificate type associated with the digital certificate to be verified comprises:
starting from the digital certificate to be verified, taking each digital certificate in the trust chain in turn as a target digital certificate, and performing attribute information verification on the target digital certificate until the current target digital certificate is a root certificate, wherein in one attribute information verification process, the following operations are performed:
extracting an attribute information set of the target digital certificate based on the certificate type of the target digital certificate;
acquiring a publisher certificate of the target digital certificate based on the publisher information recorded in the target digital certificate, and determining a necessary attribute set corresponding to the digital certificate to be verified based on the publisher certificate;
and performing an integrity check on the attribute information set based on the necessary attribute set.
3. The method of claim 2, wherein the integrity checking the set of attribute information based on the set of necessary attributes comprises:
if any one of the necessary attributes in the necessary attribute set is absent in the attribute information set, determining that the integrity check is not passed;
and if the attribute information set contains all necessary attributes in the necessary attribute set and each piece of attribute information in the attribute information set satisfies a preset consistency rule with respect to the corresponding necessary attribute, determining that the integrity check passes.
4. The method of claim 2, wherein the sequentially performing signature verification on all digital certificates in the trust chain comprises:
performing signature verification on the root certificate, and when that signature verification passes, sequentially performing signature verification on the certificates below the root certificate until the digital certificate to be verified has been verified.
5. The method of claim 1, wherein the verifying the identity legitimacy of the target object comprises:
sending an initial verification value to the target object, and receiving an encrypted verification value returned after the target object encrypts the initial verification value with a target private key;
and decrypting the encrypted verification value with the target public key corresponding to the target private key, and if the decryption result is the same as the initial verification value, determining that the identity validity verification passes.
6. The method of any one of claims 1-5, further comprising:
if the attribute information of any one digital certificate in the trust chain fails the integrity check, or if any one digital certificate in the trust chain fails the signature verification, or if the identity validity verification fails, determining that the digital certificate to be verified fails verification.
7. The method of any one of claims 1-5, further comprising:
responding to a certificate replacement request of the target object, acquiring a new digital certificate to be verified and a corresponding authority certificate, and verifying the authority certificate, wherein the authority certificate is a special certificate for acquiring a certificate replacement authority;
and if the authority certificate passes the verification, verifying the new digital certificate to be verified, and storing at least one superior certificate corresponding to the new digital certificate to be verified when the verification passes.
8. A digital certificate verification apparatus, comprising:
the acquisition module is used for responding to a data access request of a target object to acquire a digital certificate to be verified, wherein the digital certificate to be verified and at least one superior certificate form a trust chain, and the superior certificate adjacent to the digital certificate to be verified is a publisher certificate of the digital certificate to be verified;
the first verification module is used for performing attribute information verification on the trust chain corresponding to the digital certificate to be verified, based on the certificate type associated with the digital certificate to be verified;
the second verification module is used for sequentially carrying out signature verification on all the digital certificates in the trust chain when the attribute information verification of the trust chain passes;
and the processing module is used for carrying out identity validity verification on the target object when the signature verification of all the digital certificates is passed, and confirming that the digital certificates to be verified pass the verification when the identity validity verification is passed.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any of claims 1-7 when executing the computer program.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method according to any of claims 1-7.
11. A computer program product, characterized in that the computer program product, when called by a computer, causes the computer to perform the method according to any of claims 1-7.
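The attribute integrity check of claim 3, applied to every certificate in the trust chain with the reject-on-any-failure outcome of claim 6, as an added example that is not part of the patent or the applicant's code. The certificate types, attribute names, consistency rules and sample chain are assumptions constructed for illustration; signature verification and the challenge-response step are not shown.

```python
from datetime import datetime, timezone

NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed clock so the run is reproducible

def nonempty(v):
    return isinstance(v, str) and v.strip() != ""

def unexpired(v):
    return isinstance(v, datetime) and v > NOW

# Assumed necessary-attribute sets per certificate type; each necessary
# attribute maps to its consistency rule (a predicate over the value).
NECESSARY = {
    "root": {"subject": nonempty, "not_after": unexpired, "is_ca": lambda v: v is True},
    "device": {"subject": nonempty, "issuer": nonempty, "not_after": unexpired,
               "key_usage": lambda v: "digitalSignature" in v},
}

def check_integrity(cert_type, attrs):
    """Claim 3 for one certificate: returns (passed, reason)."""
    required = NECESSARY.get(cert_type)
    if required is None:
        return False, f"unknown certificate type {cert_type!r}"  # fail closed
    for name, rule in required.items():
        if name not in attrs:
            return False, f"missing necessary attribute {name!r}"
        try:
            consistent = bool(rule(attrs[name]))
        except Exception:  # a malformed value must not crash the verifier
            consistent = False
        if not consistent:
            return False, f"attribute {name!r} violates its consistency rule"
    return True, "ok"

def check_chain(chain):
    """chain: list of (cert_type, attrs), root first. Any failure rejects the chain."""
    if not chain:
        return False, "empty trust chain"
    for index, (cert_type, attrs) in enumerate(chain):
        passed, reason = check_integrity(cert_type, attrs)
        if not passed:
            return False, f"certificate {index}: {reason}"
    for (_, upper), (_, lower) in zip(chain, chain[1:]):
        if lower.get("issuer") != upper["subject"]:  # adjacent superior must be the issuer
            return False, "issuer does not match superior certificate subject"
    return True, "ok"

# Constructed sample chain (not taken from the patent).
ROOT = {"subject": "Example Root CA", "not_after": datetime(2030, 1, 1, tzinfo=timezone.utc), "is_ca": True}
LEAF = {"subject": "vehicle-0001", "issuer": "Example Root CA",
        "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc), "key_usage": ["digitalSignature"]}
```

An unknown certificate type and a value that makes its rule raise are both treated as failures, so the check never passes by default.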
CN202311512370.9A 2023-11-14 2023-11-14 Digital certificate verification method and related device Pending CN117579325A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311512370.9A CN117579325A (en) 2023-11-14 2023-11-14 Digital certificate verification method and related device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311512370.9A CN117579325A (en) 2023-11-14 2023-11-14 Digital certificate verification method and related device

Publications (1)

Publication Number Publication Date
CN117579325A true CN117579325A (en) 2024-02-20

Family

ID=89885391

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311512370.9A Pending CN117579325A (en) 2023-11-14 2023-11-14 Digital certificate verification method and related device

Country Status (1)

Country Link
CN (1) CN117579325A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination