CN117892320A - Automatic encryption and decryption method, system, equipment and medium for data access - Google Patents

Publication number: CN117892320A
Application number: CN202311841057.XA
Authority: CN (China)
Prior art keywords: annotation, encryption, decryption, data, database
Legal status: Pending (as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 褚一帆, 张宇, 丁霞, 朱明�
Current assignee: Tianyi IoT Technology Co Ltd
Original assignee: Tianyi IoT Technology Co Ltd
Abstract

The invention discloses a data access automatic encryption and decryption method, a system, equipment and a medium, wherein the method comprises the steps of obtaining a database read-write request; performing encryption and decryption annotation processing on the database operation function according to the database read-write request to obtain an encryption and decryption annotation function; intercepting the database read-write request through the data access plug-in, and annotating and analyzing the encryption and decryption annotation function to obtain annotation parameters; carrying out mapping relation query processing on the cache according to the annotation parameters to obtain target data after encryption and decryption processing; and storing the target data into a designated field of the database or a return value designated field of the database read-write request according to the database read-write request. According to the method and the device, the data access plug-in is used for intercepting the database read-write request, and the corresponding target data after encryption and decryption are obtained through caching, so that the data processing efficiency is improved, and the method and the device can be widely applied to the technical field of computers.

Description

Automatic encryption and decryption method, system, equipment and medium for data access
Technical Field
The invention relates to the technical field of computers, in particular to a method, a system, equipment and a medium for automatically encrypting and decrypting data access.
Background
With the increasing popularity of internet-related technology, massive amounts of user information are collected and stored in the data storage media belonging to various application websites and application programs. Against the urgent requirement for secure data storage, the industry today commonly has the problem that, during data access, data must first be encrypted or decrypted separately before the corresponding business processing is carried out; encryption and decryption cannot be performed automatically as part of data access, so the efficiency of processing the data is low. In view of the foregoing, the technical problems in the related art need to be solved.
Disclosure of Invention
In view of this, the embodiments of the present invention provide a method, a system, an apparatus, and a medium for data access automation encryption and decryption, so as to improve the processing efficiency of data encryption and decryption.
In one aspect, the present invention provides a method for automatically encrypting and decrypting data access, the method comprising:
acquiring a database read-write request, wherein the database read-write request is used for requesting the database to store or read data to be processed;
performing encryption and decryption annotation processing on the database operation function according to the database read-write request to obtain an encryption and decryption annotation function, wherein the encryption and decryption annotation function comprises an encryption annotation function and a decryption annotation function;
intercepting the database read-write request through a data access plug-in, and performing annotation analysis processing on the encryption and decryption annotation function to obtain annotation parameters;
carrying out mapping relation query processing on a cache according to the annotation parameters to obtain target data after encryption and decryption processing, wherein the cache is used for storing the mapping relation between plaintext and ciphertext of the data to be processed;
and storing the target data into a designated field of the database or a returned value designated field of the database read-write request according to the database read-write request.
Optionally, the encrypting and decrypting annotation processing is performed on the database operation function according to the database read-write request to obtain the encrypting and decrypting annotation function, which includes:
determining and obtaining a database operation function according to the database read-write request;
and adding data encryption annotation to the database operation function, and carrying out configuration processing of an encryption field and an encryption storage field on the input parameters of the database operation function according to the data encryption annotation to obtain an encryption annotation function.
Optionally, the encrypting and decrypting annotation processing is performed on the database operation function according to the database read-write request to obtain the encrypting and decrypting annotation function, which includes:
determining and obtaining a database operation function according to the database read-write request;
and adding data decryption annotation to the database operation function, and carrying out configuration processing of a decryption field and a decryption storage field on the return value of the database operation function according to the data decryption annotation to obtain a decryption annotation function.
Optionally, the performing annotation analysis processing on the encryption and decryption annotation function to obtain annotation parameters includes:
analyzing the encryption and decryption annotation function through the data access plug-in to obtain a function signature;
and carrying out annotation parameter query processing on the cache according to the function signature to obtain annotation parameters.
Optionally, the performing annotation parameter query processing on the cache according to the function signature to obtain annotation parameters includes:
performing annotation query processing on the cache according to the function signature to obtain an annotation query result;
when the annotation query result is not empty, obtaining the annotation parameters from the cache;
and when the annotation query result is empty, carrying out annotation acquisition processing on the encryption and decryption annotation function through a reflection mechanism to obtain annotation parameters, and storing the annotation parameters into the cache.
Optionally, the mapping relation query processing is performed on the cache according to the annotation parameters to obtain target data after encryption and decryption processing, including:
performing data query processing on the cache according to the annotation parameters to obtain a data query result;
when the data query result is not empty, obtaining the target data after encryption and decryption processing from the cache according to the mapping relation between the plaintext and the ciphertext of the data to be processed;
and when the data query result is empty, encrypting and decrypting the data to be processed according to the annotation parameters by the data access plug-in to obtain target data, and storing the target data into the cache.
Optionally, the encrypting and decrypting the data to be processed according to the annotation parameter by the data access plug-in to obtain the target data includes:
identifying and obtaining data to be processed from the encryption and decryption annotation function according to the annotation parameters;
and encrypting and decrypting the data to be processed by using a pre-configured encryption and decryption algorithm to obtain target data.
On the other hand, the embodiment of the invention also provides a data access automatic encryption and decryption system, which comprises:
a first module, configured to acquire a database read-write request, wherein the database read-write request is used for requesting the database to store or read the data to be processed;
the second module is used for carrying out encryption and decryption annotation processing on the database operation function according to the database read-write request to obtain an encryption and decryption annotation function, wherein the encryption and decryption annotation function comprises an encryption annotation function and a decryption annotation function;
the third module is used for intercepting the database read-write request through the data access plug-in, and carrying out annotation analysis processing on the encryption and decryption annotation function to obtain annotation parameters;
a fourth module, configured to perform mapping relation query processing on a cache according to the annotation parameter, to obtain target data after encryption and decryption processing, where the cache is used to store a mapping relation between plaintext and ciphertext of the data to be processed;
and a fifth module, configured to store the target data to a specified field of the database or a returned value specified field of the database read-write request according to the database read-write request.
On the other hand, the embodiment of the invention also discloses electronic equipment, which comprises a processor and a memory;
The memory is used for storing programs;
the processor executes the program to implement the method as described above.
In another aspect, embodiments of the present invention also disclose a computer readable storage medium storing a program for execution by a processor to implement a method as described above.
In another aspect, embodiments of the present invention also disclose a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The computer instructions may be read from a computer-readable storage medium by a processor of a computer device, and executed by the processor, to cause the computer device to perform the foregoing method.
Compared with the prior art, the technical scheme provided by the invention has the following technical effects: according to the method, a data access plug-in intercepts a database read-write request, annotates and analyzes an encryption and decryption annotation function to obtain annotation parameters, and the data access plug-in intercepts the request to obtain corresponding annotation, so that encryption and decryption processing is carried out on a designated field; in addition, the invention carries out mapping relation query processing on the cache according to the annotation parameters to obtain the target data after encryption and decryption processing, and the data after encryption and decryption can be obtained by accessing the cache module by storing the result of encryption and decryption processing in the cache, thereby greatly reducing the number of times of invoking an encryption and decryption algorithm and improving the performance and efficiency of the encryption and decryption flow.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of an automatic encryption and decryption method for data access according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an application scenario of an automatic encryption and decryption method for data storage according to an embodiment of the present invention;
FIG. 3 is a flow chart of one implementation of step S103 in FIG. 1;
FIG. 4 is a flow chart of one implementation of step S104 in FIG. 1;
FIG. 5 is a schematic diagram of an automatic encryption and decryption framework for data access according to an embodiment of the present invention;
FIG. 6 is a flow chart of automatic encryption of data access according to an embodiment of the present invention;
FIG. 7 is a flow chart of automatic decryption of data access according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of a data access automatic encryption and decryption system according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of a computer storage medium according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present invention more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
First, several terms used in the present invention are defined:
Object Relational Mapping (ORM): a specification describing the mapping between objects and relational databases, used to implement in an application the interconversion between relational database table structures and application objects.
Spring: a development framework based on the Java language.
JdbcTemplate: a framework for database operations within the Spring framework, based on the Java language.
Annotation: a concept in the Java programming language. An annotation is not part of the program logic itself; it resembles a comment that explains or annotates the program, generally begins with @, and can be placed on packages, classes, methods and fields as auxiliary information.
Reflection: a mechanism provided by the Java language for obtaining information such as classes and methods from class names.
Least Recently Used (LRU) algorithm: a page-replacement algorithm that evicts the least recently used data when storage space is insufficient.
With the increasing popularity of internet related technology, massive user information data is collected and stored in data storage media to which various application websites and application programs (APP) belong. In this context, the security and reliability of data storage is particularly critical. Any application or website must strictly maintain and guarantee the data security of each user. Therefore, the private data encryption storage technology has been widely applied to various application systems.
In the related art, the common approach is relatively simple and crude: for example, the application system first calls an encryption algorithm to encrypt the data and then calls the database access interface to store it; after reading encrypted data from the database, the application system first decrypts it and then processes the business data. Some schemes in the industry automatically encrypt and decrypt data in a middleware layer, but most of them are modifications of a particular middleware and are somewhat lacking in generality. Existing application systems use a variety of data encryption and decryption modes and algorithms; embedding these various encryption and decryption operations in a business system greatly increases system complexity, has many negative effects on code complexity and maintainability, and more easily introduces logic problems into the business. With the continuous development of technology, application systems now use a variety of database access frameworks, often several at once across the code of different service modules, so an existing automatic data encryption and decryption method built on a single type of database access framework is extremely limited in its application scenarios.
In view of this, the embodiment of the present invention provides an automatic encryption and decryption method for data access, which can be applied to a terminal, a server, software running in a terminal or a server, and the like. The terminal may be, but is not limited to, a tablet computer, a notebook computer, a desktop computer, etc. The server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDNs, basic cloud computing services such as big data and artificial intelligent platforms.
Referring to fig. 1, an embodiment of the present invention provides an automatic encryption and decryption method for data access, including:
S101, acquiring a database read-write request, wherein the database read-write request is used for requesting the database to store or read data to be processed;
S102, performing encryption and decryption annotation processing on the database operation function according to the database read-write request to obtain an encryption and decryption annotation function, wherein the encryption and decryption annotation function comprises an encryption annotation function and a decryption annotation function;
S103, intercepting the database read-write request through a data access plug-in, and performing annotation analysis processing on the encryption and decryption annotation function to obtain annotation parameters;
S104, carrying out mapping relation query processing on a cache according to the annotation parameters to obtain target data after encryption and decryption processing, wherein the cache is used for storing the mapping relation between plaintext and ciphertext of the data to be processed;
S105, storing the target data into a designated field of the database or a return value designated field of the database read-write request according to the database read-write request.
In the embodiment of the invention, referring to fig. 2, the invention can be applied to a service scenario in which an application program performs data access to a database: the application program can store data in and read data from the database, the application program can run on a terminal such as a computer or a mobile phone, and the database can run on a server. When the application program needs to store or read the data to be processed, it sends a database read-write request to the database. The database read-write request is used by the application program to request the database to store or read the data to be processed, and it comprises a database operation function, such as an SQL statement, through which the data storage or reading operation is performed on the database. The embodiment of the invention performs encryption and decryption annotation processing on database operation functions to obtain encryption and decryption annotation functions, which comprise encryption annotation functions and decryption annotation functions. By annotating the database operation functions that need encryption and decryption, the data needing encryption and decryption can be quickly identified. Then the embodiment of the invention intercepts the database read-write request through the data access plug-in, which is responsible for intercepting the database query and write requests initiated by the application program, and analyzes the annotations of the encryption and decryption annotation function to obtain annotation parameters, which comprise all parameters passed to the SQL statement by the application program and the corresponding return value of the database query.
Then the embodiment of the invention performs mapping relation query processing on the cache according to the annotation parameters. The cache stores the mapping relation between the plaintext and the ciphertext of the data to be processed, together with the corresponding plaintext data and ciphertext data, so the corresponding target data after encryption and decryption processing can be obtained by querying the cache. Finally, according to the database read-write request, the application program stores the target data in the designated field of the database, or reads the target data from the designated field of the return value of the database read-write request, thereby completing the automatic encryption and decryption processing of the data access.
It should be noted that, in each specific embodiment of the present invention, when related processing is required to be performed according to data related to the identity or characteristics of the target object, such as information of the target object, behavior data of the target object, history data of the target object, and position information of the target object, permission or consent of the target object is obtained first, and the collection, use, processing, etc. of the data complies with related laws and regulations and standards. In addition, when the embodiment of the invention needs to acquire the sensitive information of the target object, the independent permission or independent consent of the target object is acquired through a popup window or a jump to a confirmation page or the like, and after the independent permission or independent consent of the target object is explicitly acquired, the necessary target object related data for enabling the embodiment of the invention to normally operate is acquired. Performing mapping relation query processing on the cache according to the annotation parameters,
Further as an optional implementation manner, in step S101, a database read-write request is obtained, where the database read-write request is used to request the database to store or read the data to be processed.
When the application program needs to store or read the data to be processed, it sends a database read-write request to the database, so that the data is stored in or read from the database.
Further as an optional implementation manner, in step S102, encryption and decryption annotation processing is performed on the database operation function according to the database read-write request to obtain an encryption and decryption annotation function, where the encryption and decryption annotation function includes an encryption annotation function and a decryption annotation function, and the step includes:
performing encryption annotation processing on the database operation function according to the database read-write request to obtain an encryption annotation function;
performing decryption annotation processing on the database operation function according to the database read-write request to obtain a decryption annotation function.
further as an optional implementation manner, the encrypting and decrypting annotation processing is performed on the database operation function according to the database read-write request to obtain the encrypting and decrypting annotation function, including:
determining and obtaining a database operation function according to the database read-write request;
and adding data encryption annotation to the database operation function, and carrying out configuration processing of an encryption field and an encryption storage field on the input parameters of the database operation function according to the data encryption annotation to obtain an encryption annotation function.
In the embodiment of the invention, the database operation function is determined according to the database read-write request. When the database read-write request is for storing the data to be processed into the database, the database operation function can be determined to be a data storage function, and a data encryption annotation is added to it. The annotation mainly acts on the input parameters of the database operation function and specifies which fields of the input parameters need encryption processing and in which fields the encrypted values are stored. According to the embodiment of the invention, the encryption and decryption annotation processing is carried out on the database operation function according to the database read-write request to obtain the encryption and decryption annotation function; the data needing encryption and decryption processing can be obtained by quickly reading and querying the encryption and decryption annotation function, which improves data processing efficiency.
Further as an optional implementation manner, the encrypting and decrypting annotation processing is performed on the database operation function according to the database read-write request to obtain an encrypting and decrypting annotation function, including:
determining and obtaining a database operation function according to the database read-write request;
and adding data decryption annotation to the database operation function, and carrying out configuration processing of a decryption field and a decryption storage field on the return value of the database operation function according to the data decryption annotation to obtain a decryption annotation function.
In the embodiment of the invention, the database operation function can be determined according to the database read-write request. When the database read-write request is for reading data from the database, the database operation function can be determined to be a data reading function, and a data decryption annotation is added to it. The annotation mainly acts on the return value of the database operation function and specifies which fields of the return value need decryption processing and in which fields the decrypted values are stored. According to the embodiment of the invention, the encryption and decryption annotation processing is carried out on the database operation function according to the database read-write request to obtain the encryption and decryption annotation function; the data needing encryption and decryption processing can be obtained by quickly reading and querying the encryption and decryption annotation function, which improves data processing efficiency.
Further optionally, in step S103, referring to fig. 3, the performing annotation analysis processing on the encryption and decryption annotation function to obtain annotation parameters includes:
S301, analyzing the encryption and decryption annotation function through the data access plug-in to obtain a function signature;
S302, carrying out annotation parameter query processing on the cache according to the function signature to obtain annotation parameters.
In the embodiment of the invention, the encryption and decryption annotation function is analyzed through the data access plug-in to obtain the function signature. The data access plug-in is responsible for intercepting the application program's read-write requests to the database and for analyzing each parameter of the SQL statement passed by the application program and the return value of the database query. Because database access frameworks are diverse and the code of different service modules iterates at different paces, a business system generally uses several database frameworks for reading and writing the database. The embodiment of the invention fully considers the generality and compatibility of the scheme and supports a database operation interception mechanism based on JdbcTemplate, MyBatis, MyBatis-plus and other database access frameworks. For the JdbcTemplate database access framework, the JdbcTemplate open source framework provides the NamedParameterJdbcTemplate class by default to implement database access operations; the embodiment of the invention designs a custom AEPNamedParameterJdbcTemplate class that extends the functions of NamedParameterJdbcTemplate, and the data access plug-in designed in the embodiment intercepts the functions that operate the database in the AEPNamedParameterJdbcTemplate class. If an intercepted function carries annotations related to encryption and decryption, the plug-in calls the encryption and decryption plug-in on the fields configured in the annotations to encrypt or decrypt them.
The embodiment of the invention can also provide a custom RowMapper on the basis of the JdbcTemplate database access framework. RowMapper is the conversion interface between raw database data and Java objects provided by the JdbcTemplate open source framework; the embodiment of the invention implements a custom AEPRowMapper which, after reading the raw table data from the database, calls the decryption function on the designated fields according to the decryption field information in the function annotation and assigns the decrypted values to the designated fields of the object. In addition, the embodiment of the invention can intercept database operations based on the MyBatis and MyBatis-plus database access frameworks. The plug-in designed in the embodiment of the invention extends the Interceptor of the MyBatis framework and implements two plug-ins, ParamCryptPlugin and ParamDecryptPlugin; it extends the InnerInterceptor of the MyBatis-plus framework and implements two plug-ins, ParamCryptInterceptor and ParamDecryptInterceptor. The plug-in is responsible for intercepting database operations; if the intercepted function carries annotations related to encryption and decryption, the subsequent plug-in calls the encryption and decryption plug-in on the fields configured in the annotations to encrypt or decrypt them. A caching mechanism is introduced in the process of looking up and analyzing annotations, which improves operating efficiency during data encryption and decryption. The design of the embodiment of the invention follows the open-closed principle, has good extensibility, and has the ability to adapt to interception of new database access frameworks.
The embodiment of the invention can adopt different interception methods for different database access frameworks, thereby acquiring all parameter information of the database access method functions and reflecting the generality and extensibility of the database access interception layer.
Further optionally, in step S302, performing annotation parameter query processing on the cache according to the function signature to obtain annotation parameters comprises:
performing annotation query processing on the cache according to the function signature to obtain an annotation query result;
when the annotation query result is non-empty (a cache hit), obtaining the annotation parameters from the cache;
and when the annotation query result is empty, obtaining the annotation parameters from the encryption/decryption annotated function through the reflection mechanism and storing them in the cache.
In the embodiment of the invention, the annotation parameters are queried according to the function signature obtained above: if the cache holds them, they are taken directly from the cache; otherwise they are obtained from the annotated function through the reflection mechanism and then stored in the cache. Annotation lookup on the current class uses the Java reflection API: the JDK is called with the current method's signature to enumerate all method information of the current class and read the annotations on the method, which is a comparatively expensive query. The scheme therefore establishes a cache mapping from method signature to class information: the cache key is the method signature and the cache value is the class information holding all of that class's method information. Reflection is used only when no class information is found under the cache key, and the result is put into the cache afterwards.
Further, as an optional implementation, in step S104, referring to fig. 4, performing mapping relation query processing on the cache according to the annotation parameters to obtain target data after encryption/decryption processing comprises:
s401, performing data query processing on the cache according to the annotation parameters to obtain a data query result;
s402, when the data query result is non-empty, obtaining the encrypted or decrypted target data from the cache according to the mapping relation between the plaintext and ciphertext of the data to be processed;
s403, when the data query result is empty, encrypting or decrypting the data to be processed according to the annotation parameters through the data access plug-in to obtain the target data, and storing the target data in the cache.
In the embodiment of the invention, the cache is queried with the annotation parameters obtained by parsing. If matching data is found, the target data is taken from the cache via the stored plaintext-to-ciphertext mapping of the data to be processed, i.e. the encrypted or decrypted form of the data is read from the cache according to that mapping. Otherwise the data access plug-in encrypts or decrypts the data to be processed according to the annotation parameters to obtain the target data, which is then stored in the cache. The caching mechanism introduced into the encryption/decryption process improves processing performance: because encryption and decryption are CPU-intensive and cost the whole application system performance, the embodiment provides an in-memory cache, and only when the encrypted or decrypted value cannot be found in the memory cache is the scheme's algorithm invoked and the result placed in the cache. The encryption/decryption annotation also carries the cache configuration, namely whether result caching is enabled and the maximum number of cache entries. Note that serving ciphertext from a plaintext-to-ciphertext cache means the same plaintext is written as the same ciphertext for as long as the entry lives, so ciphertext equality in the table reveals plaintext equality even when the cipher itself (for example AES-GCM with a fresh random nonce) is randomised; the cache also keeps plaintext values resident in process memory, which should be weighed when enabling it per field.
Further optionally, in step S403, encrypting or decrypting the data to be processed according to the annotation parameters through the data access plug-in to obtain the target data comprises:
identifying the data to be processed from the encryption/decryption annotated function according to the annotation parameters;
and encrypting or decrypting the data to be processed with a pre-configured encryption/decryption algorithm to obtain the target data.
In the embodiment of the invention, the data to be processed, i.e. the data to be encrypted or decrypted, is identified from the annotated function according to the annotation parameters, and the pre-configured algorithm is then applied to it to obtain the target data. The embodiment provides an encryption/decryption algorithm component that offers default algorithms and also a mechanism for plugging in any other algorithm; which algorithm is used is determined by configuration. The component provides AES and SM4 by default, and for AES it offers the ECB, GCM, CBC, CTR and CFB modes. Of these only GCM authenticates the ciphertext, and ECB in particular leaks which field values or blocks are equal, so the default GCM mode should be kept unless there is a documented reason to change it. If an algorithm or mode beyond those provided is required, a custom implementation class of the encryption/decryption interface provided by the embodiment can be written, integrating the custom algorithm.
Referring to fig. 5, an embodiment of the present invention provides an automated encryption and decryption framework for data access. The framework is composed of a hybrid data access layer plug-in, custom annotations, an encryption/decryption algorithm component, a parameter configuration centre and a cache module. The hybrid data access layer plug-in intercepts the SQL statement requests the application issues to the database. The custom annotations tell the plug-in which SQL statements in the application need to be intercepted, which parameters and fields need to be encrypted or decrypted during the database call, whether caching of encryption/decryption results is enabled, the maximum number of cache entries, and similar information. AES and SM4 are provided by default, and AES offers the ECB, GCM, CBC, CTR and CFB modes. Once the plug-in has this information it looks up the encryption/decryption result in the cache module; if found, the subsequent business flow continues, otherwise the algorithm is called to encrypt or decrypt the parameters or fields named in the annotation and the result is placed in the cache. The parameter configuration component provides the key configuration and the algorithm configuration for encryption and decryption.
Referring to fig. 6, an embodiment of the present invention provides an automated encryption method for data access, wherein:
First, configure the key and the encryption algorithm required for encryption in the application according to the parameter configuration mode provided by the encryption algorithm component. The algorithm may be left unconfigured, in which case the default is AES in GCM mode.
Second, add the annotation provided by the scheme to the database access function in the application whose data needs to be encrypted.
Third, configure in the annotation the fields that need to be encrypted. A sample use of the annotation:
@ParamEncrypt(srcKey = {"param.name", "param.description"})
int insertData(@Param("param") DataPO row);
In this example the annotation indicates that, before insertData is invoked, the name and description fields of its DataPO parameter (bound as param) must be encrypted.
The attributes of the ParamEncrypt annotation are as follows:
srcKey: which parameters or fields among the function parameters need to be encrypted;
destKey: which fields among the function parameters receive the encrypted content. It is optional; if not specified, the encrypted content is stored in the original fields.
In this step the user of the annotation chooses whether the encrypted data overwrites the plaintext; if it should not, the destKey attribute is set.
Fourth, an enableCache attribute may be configured in the annotation to indicate whether the encryption result cache is enabled, and the maximum number of entries of the encryption cache may be configured in the application's configuration file.
Fifth, when the application executes a database read/write function: if it accesses the database through the JdbcTemplate framework, the hybrid data access layer intercepts every call to the functions of the AEPNamedParameterJdbcTemplate class through the Spring dynamic proxy mechanism and obtains the signature of the method function called by the current database request together with all field information in its parameters and object parameters; if it uses the MyBatis framework, MyBatis calls the ParamCryptPlugin plug-in of the hybrid data access layer, which obtains the signature of the method function that initiated the database operation from the MyBatis statementId and then all field information in its parameters and object parameters; if it uses the MyBatis-plus framework, MyBatis-plus calls the ParamCryptInterceptor of the hybrid data access layer, which obtains the method function signature from the MyBatis-plus statementId and then all field information in its parameters and object parameters in the same way.
Sixth, after the hybrid data access layer has obtained the method function that initiated the database call, it calls the cache module to query whether annotation information and parameter field information for that function are present; if they are not, they are obtained through the Java reflection mechanism and stored in the cache module.
Seventh, if the previous step found no annotation information on the method function, the normal database read/write request proceeds. Otherwise the hybrid data access layer reads from the annotation which fields need encryption, which fields store the encrypted data, and whether caching of the encryption result is enabled.
Eighth, if the encryption result cache is enabled, the hybrid data access layer calls the cache module to look up the encryption result of the corresponding field; on a hit the cached ciphertext is used and the flow proceeds to the conventional database read/write path.
Ninth, otherwise the hybrid data access layer reads the encryption algorithm and the corresponding key from the configuration centre and calls the API of the encryption/decryption module to encrypt the field with AES or SM4. If the application uses the JdbcTemplate framework, the hybrid data access layer stores the encrypted data in the specified field of the specified parameter of the corresponding method function of the AEPNamedParameterJdbcTemplate class; if it uses MyBatis, the ParamCryptPlugin plug-in stores the encrypted data in the specified field of the specified parameter of the intercepted method function; if it uses MyBatis-plus, the ParamCryptInterceptor does the same.
Tenth, if the encryption result cache is enabled, the maximum cache entry configuration is read from the configuration centre. If the maximum is not exceeded, the hybrid data access layer calls the cache module to store the mapping between the data before and after encryption; otherwise an entry is evicted in least-recently-used (LRU) order to make room.
Referring to fig. 7, an embodiment of the present invention provides an automated decryption method for data access, comprising:
First, configure the key and the decryption algorithm required for encryption and decryption in the application according to the parameter configuration mode provided by the encryption/decryption algorithm component. The algorithm may be left unconfigured, in which case the default is AES in GCM mode.
Second, add the annotation provided by the scheme to the database access function in the application whose data needs to be decrypted.
Third, configure in the annotation the fields that need to be decrypted. A sample use of the annotation:
@ResultDecrypt(fieldConfig = {@ResultDecrypt.Config(field = "name", target = ""), @ResultDecrypt.Config(field = "description", target = "")})
DataPO selectByPrimaryKey(Long id);
In this example the annotation indicates that the name and description fields of the DataPO return value of selectByPrimaryKey must be decrypted after the function returns.
The attributes of the ResultDecrypt annotation are as follows:
field: which fields of the function return value need to be decrypted;
target: which fields of the function return value receive the decrypted content. It is optional; if not specified, the decrypted content is stored in the original fields.
In this step the user of the annotation chooses, according to the actual situation, whether the decrypted data overwrites the ciphertext; if it should not, the target attribute is set.
Fourth, an enableCache attribute may be configured in the annotation to indicate whether the decryption result cache is enabled, and the maximum number of entries of the decryption cache may be configured in the application's configuration file.
Fifth, execute the fifth step of the encryption process to obtain the annotation information and parameter information of the currently called function.
Sixth, after the hybrid data access layer has obtained the method function that initiated the database call, it calls the cache module to query whether annotation information and parameter information for that function are present; if they are not, they are obtained through the Java reflection mechanism and stored in the cache module.
Seventh, if the previous step found no annotation information on the method function, the normal database read/write request proceeds. Otherwise the hybrid data access layer reads from the annotation which fields need decryption, which fields store the decrypted data, and whether caching of the decryption result is enabled.
Eighth, if the decryption result cache is enabled, the hybrid data access layer calls the cache module to look up the decryption result of the corresponding field; on a hit the cached plaintext is used and the flow proceeds to the conventional database read/write path.
Ninth, otherwise the hybrid data access layer reads the decryption algorithm and the corresponding key from the configuration centre and calls the API of the encryption/decryption module to decrypt the field with AES or SM4. If the application uses the JdbcTemplate framework, the hybrid data access layer calls AEPRowMapper to map the data row to an object instance and stores the decrypted data in the specified field of the return value of the corresponding method function of the AEPNamedParameterJdbcTemplate class; if it uses MyBatis, the ParamDecryptPlugin plug-in stores the decrypted data in the specified field of the return value of the intercepted method function; if it uses MyBatis-plus, the ParamDecryptInterceptor does the same.
Tenth, if the decryption result cache is enabled, the maximum cache entry configuration is read from the configuration centre. If the maximum is not exceeded, the hybrid data access layer calls the cache module to store the mapping between the data before and after decryption; otherwise an entry is evicted in least-recently-used (LRU) order to make room.
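The following is an added, self-contained Java example that walks through the encryption and decryption procedures above end to end: the annotated DAO, the interception layer (a plain JDK dynamic proxy standing in for the Spring proxy and the MyBatis/MyBatis-plus interceptors of the page), the method-signature-to-annotation cache filled by reflection on the first call, the bounded LRU cache of plaintext/ciphertext mappings, and an AES-GCM algorithm component. It is not code from the patent or from Tianyi IoT; the annotation attribute sets (flat srcKey/destKey and field/target arrays rather than the nested Config shown on the page), the class names, the in-memory "table" and the sample row are all assumptions made for the example, and the key is generated at random in place of the configuration centre.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.UnaryOperator;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class AutoCryptDemo {
    // Annotations modelled on the page's @ParamEncrypt / @ResultDecrypt; flat arrays instead of nested Config is an assumption.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    public @interface ParamEncrypt { String[] srcKey(); String[] destKey() default {}; boolean enableCache() default true; }
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    public @interface ResultDecrypt { String[] field(); String[] target() default {}; boolean enableCache() default true; }
    // Persisted object; public fields keep the reflective access short.
    public static class DataPO {
        public Long id; public String name; public String description;
        DataPO copy() { DataPO c = new DataPO(); c.id = id; c.name = name; c.description = description; return c; }
    }
    // The DAO exactly as the application writes it; the plug-in never changes this code.
    public interface DataMapper {
        @ParamEncrypt(srcKey = {"name", "description"}) int insertData(DataPO row);
        @ResultDecrypt(field = {"name", "description"}) DataPO selectByPrimaryKey(Long id);
    }
    // Stand-in for the database table: stores and returns copies so the raw row can be inspected.
    static class MemoryDataMapper implements DataMapper {
        final Map<Long, DataPO> rows = new HashMap<>();
        public int insertData(DataPO row) { rows.put(row.id, row.copy()); return 1; }
        public DataPO selectByPrimaryKey(Long id) { DataPO r = rows.get(id); return r == null ? null : r.copy(); }
    }
    // Algorithm component: AES-GCM (the page's default), fresh 96-bit nonce per call, output = Base64(nonce || ciphertext || tag).
    static class AesGcm {
        private static final SecureRandom RNG = new SecureRandom();
        private final SecretKeySpec key; AesGcm(byte[] raw) { key = new SecretKeySpec(raw, "AES"); }
        String encrypt(String plain) {
            try {
                byte[] iv = new byte[12]; RNG.nextBytes(iv);
                Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
                c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
                byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
                byte[] out = Arrays.copyOf(iv, 12 + ct.length); System.arraycopy(ct, 0, out, 12, ct.length);
                return Base64.getEncoder().encodeToString(out);
            } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
        }
        String decrypt(String b64) {
            try {
                byte[] in = Base64.getDecoder().decode(b64);
                Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
                c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
                return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8); // tampered data: tag check throws
            } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
        }
    }
    // Result cache: access-ordered LinkedHashMap that evicts the least recently used entry once maxEntries is exceeded.
    static class LruCache extends LinkedHashMap<String, String> {
        private final int maxEntries; LruCache(int maxEntries) { super(16, 0.75f, true); this.maxEntries = maxEntries; }
        @Override protected boolean removeEldestEntry(Map.Entry<String, String> e) { return size() > maxEntries; }
    }
    // Data access plug-in: a JDK dynamic proxy standing in for the Spring proxy / MyBatis interceptor of the page.
    static class CryptoHandler implements InvocationHandler {
        private final Object target; private final AesGcm cipher;
        private final Map<Method, Annotation[]> annotationCache = new ConcurrentHashMap<>(); // method signature -> annotations
        private final Map<String, String> encCache, decCache;                                // plaintext <-> ciphertext mappings
        CryptoHandler(Object target, AesGcm cipher, int maxEntries) {
            this.target = target; this.cipher = cipher;
            encCache = Collections.synchronizedMap(new LruCache(maxEntries)); decCache = Collections.synchronizedMap(new LruCache(maxEntries));
        }
        public Object invoke(Object proxy, Method m, Object[] args) throws Throwable {
            // Reflection runs once per method signature; later calls are served from annotationCache.
            Annotation[] anns = annotationCache.computeIfAbsent(m, Method::getDeclaredAnnotations);
            for (Annotation a : anns)                     // before the call: encrypt configured fields of the first parameter
                if (a instanceof ParamEncrypt) { ParamEncrypt e = (ParamEncrypt) a;
                    transform(args[0], e.srcKey(), e.destKey(), e.enableCache() ? encCache : null, cipher::encrypt); }
            Object result = m.invoke(target, args);
            for (Annotation a : anns)                     // after the call: decrypt configured fields of the return value
                if (a instanceof ResultDecrypt && result != null) { ResultDecrypt d = (ResultDecrypt) a;
                    transform(result, d.field(), d.target(), d.enableCache() ? decCache : null, cipher::decrypt); }
            return result;
        }
        // Reads each source field, maps it through the cache (cipher on a miss) and writes the destination field.
        static void transform(Object obj, String[] src, String[] dst, Map<String, String> cache, UnaryOperator<String> op) throws ReflectiveOperationException {
            for (int i = 0; i < src.length; i++) {
                Field in = obj.getClass().getField(src[i]);
                Field out = obj.getClass().getField(dst.length > i ? dst[i] : src[i]); // no destination given: overwrite in place
                String value = (String) in.get(obj);
                if (value != null) out.set(obj, cache == null ? op.apply(value) : cache.computeIfAbsent(value, op));
            }
        }
    }
    public static void main(String[] argv) {
        byte[] key = new byte[16]; new SecureRandom().nextBytes(key); MemoryDataMapper db = new MemoryDataMapper(); // demo key, not from a configuration centre
        DataMapper dao = (DataMapper) Proxy.newProxyInstance(DataMapper.class.getClassLoader(), new Class<?>[] {DataMapper.class}, new CryptoHandler(db, new AesGcm(key), 1000));
        DataPO row = new DataPO(); row.id = 1L; row.name = "alice"; row.description = "card ending 4242"; // constructed sample row
        dao.insertData(row);
        System.out.println("stored in table : " + db.rows.get(1L).name);           // Base64 ciphertext
        System.out.println("read through DAO: " + dao.selectByPrimaryKey(1L).name); // alice
    }
}
```

Run it with `java AutoCryptDemo.java` (JDK 11 or later) or `javac AutoCryptDemo.java && java AutoCryptDemo`. Two behaviours of the page's scheme are visible here: with no destKey the caller's own DataPO holds ciphertext after insertData returns, so an application that keeps using that object must pass a destKey (or a target on decryption) to retain the plaintext in a separate field; and because the cached mapping is keyed by plaintext, inserting "alice" twice stores byte-identical ciphertext while the entry lives, whereas with the cache disabled each call produces a different nonce and ciphertext.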
Referring to fig. 8, the embodiment of the invention further provides a system for automatic encryption and decryption of data access, comprising:
a first module 801, configured to obtain a database read-write request, where the database read-write request is used to request a database to store or read data to be processed;
a second module 802, configured to perform encryption/decryption annotation processing on the database operation function according to the database read/write request, so as to obtain an encryption/decryption annotation function, where the encryption/decryption annotation function includes an encryption annotation function and a decryption annotation function;
a third module 803, configured to intercept the database read-write request through a data access plug-in, and perform annotation analysis processing on the encryption/decryption annotation function to obtain an annotation parameter;
a fourth module 804, configured to perform mapping relation query processing on a cache according to the annotation parameter to obtain target data after encryption and decryption processing, where the cache is used to store a mapping relation between plaintext and ciphertext of the data to be processed;
And a fifth module 805, configured to store the target data in a specified field of the database or a return value specified field of the database read-write request according to the database read-write request.
It can be understood that the content in the above method embodiment is applicable to the system embodiment, and the functions specifically implemented by the system embodiment are the same as those of the above method embodiment, and the achieved beneficial effects are the same as those of the above method embodiment.
Referring to fig. 9, an embodiment of the present invention further provides an electronic device, including a processor 901 and a memory 902; the memory is used for storing programs; the processor executes the program to implement the method as described above.
Referring to fig. 10, an embodiment of the present invention also provides a computer-readable storage medium 1001, which stores a program 1002 that is executed by a processor to implement a method as described above.
Embodiments of the present invention also disclose a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The computer instructions may be read from a computer-readable storage medium by a processor of a computer device, and executed by the processor, to cause the computer device to perform the method shown in fig. 1.
In summary, the embodiment of the invention has the following advantages. The data access plug-in can apply a different interception method to each database access framework, which improves the universality and extensibility of data processing. The plug-in also manages encryption and decryption in one place, which keeps the encryption and decryption processes uniform and orderly and improves the robustness of the application. In addition, the embodiment introduces a fast, configuration-managed caching mechanism that reduces both reflection calls and encryption/decryption calls and improves processing performance across the whole data access encryption/decryption path. The maximum number of encryption/decryption results held by the cache module can be configured globally, and cached data is evicted in least-recently-used (LRU) order, which improves the flexibility and safety of the scheme. The automatic encryption and decryption scheme for data access thus converts between plaintext and ciphertext while executing encryption and decryption, and can also retain plaintext and ciphertext side by side, without either overwriting the other, in different fields of the program object. Application developers obtain these behaviours by setting attributes in the custom annotations.
In some alternative embodiments, the functions/acts noted in the block diagrams may occur out of the order noted in the operational illustrations. For example, two blocks shown in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved. Furthermore, the embodiments presented and described in the flowcharts of the present invention are provided by way of example in order to provide a more thorough understanding of the technology. The disclosed methods are not limited to the operations and logic flows presented herein. Alternative embodiments are contemplated in which the order of various operations is changed, and in which sub-operations described as part of a larger operation are performed independently.
Furthermore, while the invention is described in the context of functional modules, it should be appreciated that, unless otherwise indicated, one or more of the described functions and/or features may be integrated in a single physical device and/or software module or one or more functions and/or features may be implemented in separate physical devices or software modules. It will also be appreciated that a detailed discussion of the actual implementation of each module is not necessary to an understanding of the present invention. Rather, the actual implementation of the various functional modules in the apparatus disclosed herein will be apparent to those skilled in the art from consideration of their attributes, functions and internal relationships. Accordingly, one of ordinary skill in the art can implement the invention as set forth in the claims without undue experimentation. It is also to be understood that the specific concepts disclosed are merely illustrative and are not intended to be limiting upon the scope of the invention, which is to be defined in the appended claims and their full scope of equivalents.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
Logic and/or steps represented in the flowcharts or otherwise described herein, e.g., a ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer readable medium may even be paper or other suitable medium on which the program is printed, as the program may be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.
It is to be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. If implemented in hardware, as in another embodiment, they may be implemented using any one or a combination of the following techniques, as is well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application-specific integrated circuits having suitable combinational logic gates, Programmable Gate Arrays (PGAs), Field Programmable Gate Arrays (FPGAs), and the like.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the present invention have been shown and described, it will be understood by those of ordinary skill in the art that: many changes, modifications, substitutions and variations may be made to the embodiments without departing from the spirit and principles of the invention, the scope of which is defined by the claims and their equivalents.
While the preferred embodiment of the present invention has been described in detail, the present invention is not limited to the embodiments described above, and those skilled in the art can make various equivalent modifications or substitutions without departing from the spirit of the present invention, and these equivalent modifications or substitutions are included in the scope of the present invention as defined in the appended claims.

Claims (10)

1. A method for automatically encrypting and decrypting data access, the method comprising:
acquiring a database read-write request, wherein the database read-write request is used for requesting the database to store or read data to be processed;
performing encryption and decryption annotation processing on the database operation function according to the database read-write request to obtain an encryption and decryption annotation function, wherein the encryption and decryption annotation function comprises an encryption annotation function and a decryption annotation function;
intercepting the database read-write request through a data access plug-in, and performing annotation analysis processing on the encryption and decryption annotation function to obtain annotation parameters;
carrying out mapping relation query processing on a cache according to the annotation parameters to obtain target data after encryption and decryption processing, wherein the cache is used for storing the mapping relation between plaintext and ciphertext of the data to be processed;
and storing the target data into a designated field of the database or a returned value designated field of the database read-write request according to the database read-write request.
2. The method of claim 1, wherein performing encryption and decryption annotation processing on the database operation function according to the database read-write request to obtain the encryption and decryption annotation function comprises:
determining the database operation function according to the database read-write request;
and adding a data encryption annotation to the database operation function, and configuring an encryption field and an encryption storage field on the input parameters of the database operation function according to the data encryption annotation to obtain an encryption annotation function.
3. The method of claim 1, wherein performing encryption and decryption annotation processing on the database operation function according to the database read-write request to obtain the encryption and decryption annotation function comprises:
determining the database operation function according to the database read-write request;
and adding a data decryption annotation to the database operation function, and configuring a decryption field and a decryption storage field on the return value of the database operation function according to the data decryption annotation to obtain a decryption annotation function.
4. The method of claim 1, wherein parsing the annotation on the encryption and decryption annotation function to obtain annotation parameters comprises:
parsing the encryption and decryption annotation function with the data access plug-in to obtain a function signature;
and querying the cache for annotation parameters according to the function signature, to obtain the annotation parameters.
5. The method of claim 4, wherein querying the cache for annotation parameters according to the function signature to obtain the annotation parameters comprises:
querying the cache for an annotation according to the function signature, to obtain an annotation query result;
when the annotation query result is a hit, obtaining the annotation parameters from the cache;
and when the annotation query result is empty, obtaining the annotation from the encryption and decryption annotation function through a reflection mechanism to obtain the annotation parameters, and storing the annotation parameters into the cache.
6. The method of claim 1, wherein querying the cache for a mapping relation according to the annotation parameters to obtain the target data after encryption or decryption comprises:
querying the cache for data according to the annotation parameters, to obtain a data query result;
when the data query result is a hit, obtaining the target data after encryption or decryption from the cache according to the mapping relation between the plaintext and the ciphertext of the data to be processed;
and when the data query result is empty, encrypting or decrypting the data to be processed with the data access plug-in according to the annotation parameters to obtain the target data, and storing the target data into the cache.
7. The method of claim 6, wherein encrypting or decrypting the data to be processed with the data access plug-in according to the annotation parameters to obtain the target data comprises:
identifying the data to be processed in the encryption and decryption annotation function according to the annotation parameters;
and encrypting or decrypting the data to be processed with a pre-configured encryption and decryption algorithm, to obtain the target data.
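Claims 1 to 7 describe one procedure: annotations placed on data-access functions (claims 2 and 3), an interceptor that parses those annotations once per function signature and caches the result, falling back to reflection on a miss (claims 4 and 5), and a plaintext/ciphertext mapping cache consulted before the configured cipher is invoked (claims 6 and 7). The following is an added example written for this page, not code from the patent or its assignee. It models the Java-style annotations as Python decorators, the reflection step as an attribute lookup on the function object, and the database as an in-memory dict; the decorator names, the `_crypto_annotation` attribute, the `DataAccessPlugin` class and the `ToyDeterministicCipher` are all assumptions, and the cipher is a placeholder that must not be used for real data.

```python
"""Added illustration (not the patent's code) of the annotation-driven
encrypt/decrypt interceptor of claims 1-7: decorators mark data-access
functions (claims 2-3), an interceptor resolves annotation parameters once per
function signature (claims 4-5), and a plaintext<->ciphertext mapping cache sits
in front of the pre-configured cipher (claims 6-7). Names are assumptions."""
import hashlib
import hmac
import inspect
from typing import Callable, Dict, Tuple

ANNOTATION_ATTR = "_crypto_annotation"  # hypothetical attribute carrying the annotation


def encrypt_param(field: str, store_field: str) -> Callable:
    """Claim 2: on a write function, encrypt input[field] into input[store_field]."""
    def wrap(fn):
        setattr(fn, ANNOTATION_ATTR, {"op": "encrypt", "field": field, "store_field": store_field})
        return fn
    return wrap


def decrypt_result(field: str, store_field: str) -> Callable:
    """Claim 3: on a read function, decrypt result[field] into result[store_field]."""
    def wrap(fn):
        setattr(fn, ANNOTATION_ATTR, {"op": "decrypt", "field": field, "store_field": store_field})
        return fn
    return wrap


class ToyDeterministicCipher:
    """Placeholder for the claim-7 'pre-configured algorithm'. Deterministic (same
    plaintext -> same ciphertext), which a plaintext<->ciphertext mapping cache
    requires, and NOT secure: the fixed keystream leaks plaintext equality and
    XOR differences. A real deployment uses a vetted library cipher instead."""

    def __init__(self, key: bytes):
        self.key = key

    def _keystream(self, n: int) -> bytes:
        out, counter = b"", 0
        while len(out) < n:
            out += hmac.new(self.key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:n]

    def encrypt(self, plaintext: str) -> str:
        data = plaintext.encode()
        return bytes(a ^ b for a, b in zip(data, self._keystream(len(data)))).hex()

    def decrypt(self, ciphertext: str) -> str:
        data = bytes.fromhex(ciphertext)
        return bytes(a ^ b for a, b in zip(data, self._keystream(len(data)))).decode()


class DataAccessPlugin:
    """The 'data access plug-in' of claim 1: intercepts a read/write call."""

    def __init__(self, cipher: ToyDeterministicCipher):
        self.cipher = cipher
        self.annotation_cache: Dict[str, dict] = {}          # signature -> params (claim 5)
        self.mapping_cache: Dict[Tuple[str, str], str] = {}  # (op, input) -> output (claim 6)
        self.stats = {"annotation_hits": 0, "annotation_misses": 0, "mapping_hits": 0, "mapping_misses": 0}

    @staticmethod
    def _signature(fn) -> str:
        # Claim 4: the function signature is the cache key for annotation parameters.
        return f"{fn.__module__}.{fn.__qualname__}{inspect.signature(fn)}"

    def _annotation_params(self, fn) -> dict:
        sig = self._signature(fn)
        params = self.annotation_cache.get(sig)
        if params is not None:
            self.stats["annotation_hits"] += 1
            return params
        self.stats["annotation_misses"] += 1
        params = getattr(fn, ANNOTATION_ATTR, None)  # claim 5: reflection only on a miss
        if params is None:
            raise ValueError(f"{sig} has no encryption/decryption annotation")
        self.annotation_cache[sig] = params
        return params

    def _transform(self, op: str, value: str) -> str:
        key = (op, value)
        if key in self.mapping_cache:                  # claim 6: mapping cache hit
            self.stats["mapping_hits"] += 1
            return self.mapping_cache[key]
        self.stats["mapping_misses"] += 1
        out = self.cipher.encrypt(value) if op == "encrypt" else self.cipher.decrypt(value)
        self.mapping_cache[key] = out                  # claim 6: populate on a miss
        return out

    def intercept(self, fn, *args, **kwargs):
        params = self._annotation_params(fn)
        if params["op"] == "encrypt":
            record = dict(args[0])                     # claim 2: act on the input parameter
            # Plaintext is popped so only the ciphertext field reaches the row (design choice).
            record[params["store_field"]] = self._transform("encrypt", record.pop(params["field"]))
            return fn(record, *args[1:], **kwargs)
        result = dict(fn(*args, **kwargs))             # claim 3: act on the return value
        result[params["store_field"]] = self._transform("decrypt", result[params["field"]])
        return result


DB: Dict[int, dict] = {}  # constructed in-memory stand-in for the database


@encrypt_param(field="phone", store_field="phone_enc")
def insert_user(record: dict) -> int:
    DB[len(DB) + 1] = record
    return len(DB)


@decrypt_result(field="phone_enc", store_field="phone")
def select_user(uid: int) -> dict:
    return DB[uid]


def demo() -> dict:
    plugin = DataAccessPlugin(ToyDeterministicCipher(b"demo-key-not-for-production"))
    uid1 = plugin.intercept(insert_user, {"name": "alice", "phone": "13800000000"})
    uid2 = plugin.intercept(insert_user, {"name": "bob", "phone": "13800000000"})
    return {"uid1": uid1, "uid2": uid2, "stored": DB[uid1], "stored_other": DB[uid2],
            "returned": plugin.intercept(select_user, uid1), "stats": dict(plugin.stats)}
```

Running `demo()` shows the two caches doing what the claims describe: the second `insert_user` call is both an annotation-cache hit and a mapping-cache hit, so neither reflection nor the cipher runs again, and `select_user` returns the plaintext in the `phone` field while the stored row carries only `phone_enc`. Two caveats follow directly from the design rather than from this toy code. A plaintext-to-ciphertext mapping can only be reused if the cipher is deterministic, so identical plaintexts (alice's and bob's phone numbers here) produce identical ciphertexts in the database, which leaks equality; with a randomized mode (fresh nonce per call) the encrypt entries would never hit. And the mapping cache itself holds plaintext in process memory, so its size, lifetime and eviction policy deserve the same scrutiny as the key.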
8. A data access automatic encryption and decryption system, the system comprising:
a first module, configured to acquire a database read-write request, wherein the database read-write request asks the database to store or read the data to be processed;
a second module, configured to perform encryption and decryption annotation processing on the database operation function according to the database read-write request, to obtain an encryption and decryption annotation function, wherein the encryption and decryption annotation function comprises an encryption annotation function and a decryption annotation function;
a third module, configured to intercept the database read-write request with a data access plug-in and parse the annotation on the encryption and decryption annotation function to obtain annotation parameters;
a fourth module, configured to query a cache for a mapping relation according to the annotation parameters, to obtain the target data after encryption or decryption, wherein the cache stores the mapping relation between the plaintext and the ciphertext of the data to be processed;
and a fifth module, configured to store the target data into a designated field of the database, or into a designated field of the return value of the database read-write request, according to the database read-write request.
9. An electronic device, comprising a memory and a processor;
the memory is configured to store a program;
and the processor, when executing the program, implements the method of any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the method of any one of claims 1 to 7.

Priority Applications (1)

Application Number   Publication        Priority Date   Filing Date   Title
CN202311841057.XA    CN117892320A (en)  2023-12-28      2023-12-28    Automatic encryption and decryption method, system, equipment and medium for data access

Publications (1)

Publication Number Publication Date
CN117892320A true CN117892320A (en) 2024-04-16

Family

ID=90649957

Country Status (1)

Country Link
CN (1) CN117892320A (en)

Similar Documents

Publication Publication Date Title
US11038867B2 (en) Flexible framework for secure search
CN107743616B (en) Endpoint management system providing application programming interface proxy services
US9081816B2 (en) Propagating user identities in a secure federated search system
US8725770B2 (en) Secure search performance improvement
US8707451B2 (en) Search hit URL modification for secure application integration
US8868540B2 (en) Method for suggesting web links and alternate terms for matching search queries
US8875249B2 (en) Minimum lifespan credentials for crawling data repositories
US10061852B1 (en) Transparent proxy tunnel caching for database access
US8352475B2 (en) Suggested content with attribute parameterization
US8027982B2 (en) Self-service sources for secure search
US8005816B2 (en) Auto generation of suggested links in a search system
KR101422859B1 (en) Permission-based document server
CN109960944A (en) A kind of data desensitization method, server, terminal and computer readable storage medium
WO2012071656A1 (en) Method and system of hierarchical metadata management and application
US10754628B2 (en) Extracting web API endpoint data from source code to identify potential security threats
EP2132649A1 (en) Techniques for a web services data access layer
US20180262510A1 (en) Categorized authorization models for graphical datasets
US10592470B2 (en) Discovery of calling application for control of file hydration behavior
US9164781B2 (en) Client bundle resource creation
CN117892320A (en) Automatic encryption and decryption method, system, equipment and medium for data access
US11861039B1 (en) Hierarchical system and method for identifying sensitive content in data
US9747381B1 (en) Querying and configuring an identity management framework
CN117472973A (en) Report query method and device based on unified management of interfaces
WO2022071946A1 (en) Data transformations based on policies

Legal Events

Code   Title
PB01   Publication
SE01   Entry into force of request for substantive examination