CN101136098A - Method, device and system for accessing to certificate revocation list - Google Patents

Info

Publication number
CN101136098A
Authority
CN (China)
Prior art keywords
download
crl
time
revocation list
policy
Legal status
Pending
Application number
CNA2006101277182A
Other languages
Chinese (zh)
Inventor
金伟安
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd

Abstract

The method comprises: presetting a certificate revocation list (CRL) in a real-time distributor; the certificate user end sending a CRL download request to the real-time distributor; and the real-time distributor querying its stored CRLs for the CRL corresponding to the download request and returning that CRL to the certificate user end.

Description

Method, device and system for accessing a certificate revocation list
Technical field
The present invention relates to the management of digital certificates, and in particular to a method, device and system for accessing a certificate revocation list.
Background technology
With the spread of the Internet, e-commerce activities of all kinds are developing rapidly. To guarantee the security of transactions and payments on the Internet and to guard against fraud during the transaction and payment process, a trust mechanism must be established online. This requires that both the buyer and the seller taking part in e-commerce have a legal identity, and that this identity can be verified online effectively and without error.
Certificates based on a public key infrastructure (PKI), which use an asymmetric public/private key pair, are an effective means of meeting the above requirement. Data encrypted with the private key can only be decrypted with the corresponding public key, and vice versa. As its name suggests, a public key is a key that can be given to many people; a private key, by contrast, is held exclusively by one individual. The distribution mechanism that delivers a public key to users is the certificate. Usually a certification authority (CA) signs the certificate, confirming that the public key comes from the entity that claims to have sent it. The CA is an entity trusted by both parties.
A certificate has a validity period and becomes invalid after it expires. A certificate may, however, become invalid before its expiry date, for example because the user's private key was lost or the user's identity changed. The CA must cancel such certificates promptly and let the recipients of the certificates learn of the cancellation as soon as possible; in other words, the CA must revoke the certificate. To revoke certificates, the CA maintains and distributes a list of revoked certificates, the certificate revocation list (CRL). The CRL records the serial numbers of user certificates that have not yet expired but have been declared cancelled, and the recipient of a certificate determines the certificate's validity by accessing the CRL.
In the existing technology, the CA normally issues the CRL periodically at a fixed time interval, called the CRL issue period, and the certificate user end judges the validity of a certificate by whether the certificate to be verified is included in the CRL. However, because the CRL has a validity period when issued and the CA issues CRLs at a fixed period, when a CRL has expired and been updated but the CA has not yet reached the next execution cycle in which the issue command runs, the updated CRL cannot be issued in time.
In addition, because the CA distributes the CRL to a huge number of certificate user ends at the same moment, this inevitably causes a momentary surge in data transmission on the communication network and the possibility of network congestion, so the probability that distribution fails rises greatly.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method for accessing a certificate revocation list, so as to solve the problem in the prior art that the certificate user end cannot obtain the CRL in time.
Another object of the present invention is to provide a device for accessing a certificate revocation list, so as to solve the problem that the existing certificate user end cannot obtain the CRL in time.
The present invention also provides a way of accessing a certificate revocation list,
To overcome the above problems, the invention provides a method for accessing a certificate revocation list, comprising the following steps:
presetting a CRL in a real-time distributor;
the certificate user end sends a CRL download request to the real-time distributor;
the real-time distributor queries its stored CRLs for the CRL corresponding to the download request and returns that CRL to the certificate user end.
Preferably, the method also comprises:
the real-time distributor checks whether the CRL is within its validity period, and if it has expired, sends a CRL download request to the certification authority server corresponding to that CRL;
the certification authority server obtains the corresponding CRL according to the request and returns it to the real-time distributor;
the real-time distributor uses that CRL to update the CRL stored in the real-time distributor.
Preferably, the method also comprises:
the real-time distributor judges whether an active thread downloading the CRL already exists; if so, it waits for that thread to finish before starting a new download thread, otherwise it starts a new download thread, the new thread serving to download the CRL from the certification authority server.
Preferably, the method also comprises completing the download according to a preset download policy, the download policy comprising a retry download count and retry download time intervals.
Preferably, the download policy is:
judge whether the current download thread has successfully downloaded the CRL; if so, finish the download; otherwise, resend the download request after the retry download time interval given by the download policy;
this step is repeated in a loop until the retry download count of the download policy is exhausted or the download succeeds.
Preferably, the download policy is:
after receiving the CRL returned by the certification authority server, check whether the downloaded CRL is within its validity period; if it has not expired, use it to update the CRL stored in the real-time distributor; if it has expired, resend the download request after the retry download time interval given by the download policy;
this step is repeated in a loop until the retry download count of the download policy is exhausted or the downloaded CRL is unexpired.
Preferably, the download policy is: verify whether the downloaded CRL is a legitimate CRL; if it is, use it to update the CRL stored in the real-time distributor; otherwise, resend the download request after the retry download time interval given by the download policy;
this step is repeated in a loop until the retry download count of the download policy is exhausted or the downloaded CRL is a legitimate CRL file.
The invention also discloses a device for accessing a certificate revocation list, comprising:
a storage unit, for storing certificate revocation lists;
a query unit, for querying the CRLs stored in the storage unit for the CRL corresponding to the user's download request;
a communication unit, for receiving the user's CRL download request and sending the queried CRL to the user.
Preferably, the device also comprises a file download scheduling unit, for connecting to the certification authority server and completing the CRL download process according to a preset download policy, the preset download policy comprising a retry download count and retry download time intervals, and the file download scheduling unit storing the downloaded CRL in the storage unit.
Preferably, the device also comprises a verification unit, for verifying whether the certificate revocation list has expired; if it has expired, the file download scheduling unit sends a CRL download request to the certification authority server according to the download policy.
Preferably, the download process is: the file download scheduling unit judges whether an active thread downloading the CRL exists; if so, it waits for that thread to finish before starting a new download thread; otherwise it starts a new download thread, which downloads the CRL from the certification authority server according to the download policy.
Preferably, the download policy is: the file download scheduling unit judges whether the current download thread has successfully downloaded the CRL; if so, the download finishes; otherwise the download request is resent after the download time interval given by the download policy;
this process is repeated in a loop until the retry download count of the download policy is exhausted or the download succeeds.
Preferably, the download policy is: the verification unit verifies whether the CRL downloaded by the file download scheduling unit is within its validity period; if it has not expired, that CRL is used to update the CRL stored in the real-time distributor; if it has expired, the file download scheduling unit resends the download request after the retry download time interval given by the download policy;
this process is repeated in a loop until the retry download count of the download policy is exhausted or the downloaded CRL is unexpired.
Preferably, the download policy is: the verification unit verifies whether the CRL downloaded by the file download scheduling unit is a legitimate CRL; if it is, that CRL is used to update the CRL stored in the storage unit; otherwise, the file download scheduling unit resends the download request after the retry download time interval given by the download policy;
this process is repeated in a loop until the retry download count of the download policy is exhausted or the downloaded CRL is a legitimate CRL.
The invention also discloses a system for accessing a certificate revocation list, comprising a certificate user end, a real-time distributor and a certification authority server, wherein
the certificate user end comprises:
a first communication unit, for sending CRL download requests and receiving certificate revocation lists;
the certification authority server comprises:
a server storage unit, for storing certificate revocation lists;
a maintenance unit, for updating the CRLs in the server storage unit;
the real-time distributor comprises:
a storage unit, for storing certificate revocation lists;
a query unit, for querying the CRLs stored in the storage unit for the CRL corresponding to the user's download request;
a second communication unit, for receiving the CRL downloaded from the server storage unit and storing it in the storage unit, and for receiving the CRL download request sent by the first communication unit and returning the corresponding CRL to the first communication unit.
Compared with the prior art, the present invention has the following advantages:
Generally, the CA is connected to the certificate user end through a communication network, and whether the certificate user end can successfully download the CRL when the CA issues it depends entirely on the stability of the communication network and of the data transmission at download time. The communication network, however, has inherent complexity and uncertainty, so once a problem occurs the certificate user end cannot obtain the CRL. In the present invention the certificate user end actively sends a CRL download request to the real-time distributor, and the real-time distributor returns the CRL it stores to the certificate user end. Because the certificate user end no longer downloads the CRL directly from the certification authority server, the uncertainty that the complexity of the communication network brings to the download process is avoided, so every download request from the certificate user end obtains a CRL and the normal processing of the certificate user end's business is guaranteed.
In addition, because the CA server needs to distribute the CRL to a very large number of certificate user ends, distributing to all of them simultaneously at a fixed time interval inevitably causes a momentary surge of data transmission in the network, greatly increases the possibility of network congestion, and leads to failed CRL distribution. In the present invention, the moment at which each certificate user end sends a CRL download request is triggered by its own certificate verification needs, so the sending times of the download requests differ from one another; the number of download requests the CA server receives at any one moment is therefore very limited, which effectively avoids momentary surges of network traffic and the possibility of network congestion.
Secondly, the present invention has the real-time distributor judge whether the CRL has expired in order to decide whether to send a download request to the certificate server. This avoids the problem that, when the CA server distributes the CRL at a fixed time interval, a CRL that has expired and been updated cannot be issued in time because the CA server has not yet reached the next execution cycle in which the issue command runs.
The present invention uses a file download scheduler to send CRL download requests according to the retry download count and retry download time intervals in the preset download policy, so that even if the download is interrupted or fails, retrying the download guarantees to the greatest extent that the CRL is successfully downloaded from the CA server. At the same time, during the download process the file download scheduler checks whether the downloaded CRL has expired and, if it has, downloads it again according to the download policy, which further guarantees the validity of the downloaded CRL.
Because the certificate user end is connected to the CA server through the real-time distributor, the real-time distributor can check whether the CRL is legitimate and valid after the file download scheduler has downloaded it. This avoids the problem that may arise when the CA server distributes the CRL directly to the certificate user end, namely that a third party, by attacking or tampering, sends a malicious or illegal file to the certificate user end, and so effectively protects the safety of the certificate user end.
Description of drawings
Fig. 1 is a structural diagram of the system for accessing a certificate revocation list of the present invention;
Fig. 2 is a data flowchart of the method for accessing a certificate revocation list of the present invention;
Fig. 3 is a data flowchart of the method for accessing a certificate revocation list of the present invention;
Fig. 4 is a data flowchart of the file download scheduler of the present invention downloading the CRL from the CA server;
Fig. 5 is a structural block diagram of the device for the method of accessing a certificate revocation list of the present invention.
Embodiments
Before the method, device and system of the present invention are described with reference to specific embodiments, several concepts involved in the complete certificate verification process are first introduced, and the role of each party in the verification process and the relations between them are explained with a concrete example.
In an e-commerce activity, every entity taking part in the business must clearly show its own identity; only then can mutual trust be established and the transaction proceed normally. A digital certificate is an effective means by which a participating entity shows its identity to the other party.
Asymmetric encryption algorithms are the basis on which digital certificates are realized. Such an algorithm uses a private/public key pair: data encrypted with the private key can only be decrypted with the corresponding public key, and vice versa. Usually the CA signs the certificate to confirm that the public key comes from the entity that claims to have sent it. The following concrete example explains how a CA signs a certificate:
Suppose Wang Li and Li Hua are the two communicating entities, and Wang Li now wants Li Hua to believe that the party communicating with him is Wang Li. The detailed process is as follows:
1) Wang Li sends a signed certificate request (containing her name, her public key, and possibly some other information) to the CA.
2) The CA creates a message from Wang Li's request. The CA signs the message with its private key, producing a separate signature, and returns the message and the signature to Wang Li. Together, the message and the signature constitute Wang Li's certificate.
3) Wang Li sends her certificate to Li Hua so that Li Hua can access her public key.
4) Li Hua verifies the certificate signature with the CA's public key. If the certificate signature is valid, he accepts that the public key in the certificate is Wang Li's public key.
After Li Hua has verified the digital certificate, in subsequent communication with Wang Li he encrypts data with Wang Li's public key from the certificate and sends the encrypted data to Wang Li, who decrypts it with her own private key, so that the data communication is secure and trusted.
Most general-purpose certificates are based on the X.509 certificate standard. A certificate usually contains the following information:
the user's public key value;
the user's identification information (such as name and e-mail address);
the validity period (the time during which the certificate is valid);
the certificate serial number;
the issuer's identification information;
the issuer's digital signature, which is used to prove whether the binding between the user's public key and the user's identification information is valid.
A certificate is valid only within the specified period: each certificate contains a "valid from" date and a "valid to" date, these two values bound the validity period, and the certificate becomes invalid after it expires. A certificate may, however, become invalid before expiry, for example because the user's private key was lost or the user's identity changed. The CA must cancel such certificates promptly and let the recipients of the certificates learn of the cancellation as soon as possible; in other words, the CA must revoke the certificate. To revoke certificates, the CA maintains and distributes a CRL. The CRL records the serial numbers of user certificates that have not yet expired but have been declared cancelled, and the recipient of a certificate determines the certificate's validity by accessing the CRL.
Having discussed the content of certificates and the certificate mechanism, the method, device and system for accessing a certificate revocation list of the present invention are described below with reference to specific embodiments.
Fig. 1 shows the structure of a system that uses the present invention to realize CRL access.
The system comprises a certificate user end 101, a real-time distributor 102 and a CA server 103.
When certificate user end 101 receives a digital certificate and needs to verify whether it is valid, certificate user end 101 sends a CRL download request to real-time distributor 102; real-time distributor 102 returns the CRL corresponding to the download request to certificate user end 101; real-time distributor 102 downloads the CRL from CA server 103 and updates its local CRL; and certificate user end 101 verifies whether the certificate is valid according to the downloaded CRL.
Preferably, real-time distributor 102 judges, according to the received CRL download request, whether the corresponding CRL is stored locally. If it is, it obtains that CRL and sends it to certificate user end 101, then checks whether the CRL has exceeded its validity period and, if so, sends a CRL download request to the CA server 103 to which the CRL belongs. If it is not, real-time distributor 102 obtains the information about the CA to which the CRL belongs from the CRL download request, sends a CRL download request to that CA server 103, and sends the downloaded CRL to certificate user end 101.
In another embodiment of the CRL access method of the present invention, CA configuration information, including the name of the CA and the link address at which it issues its CRL, is stored in the real-time distributor in advance. According to the CA configuration information, the real-time distributor periodically sends CRL download requests to the CA at a set time interval and updates the local copy with the downloaded CRL. On receiving a CRL download request, the real-time distributor obtains the corresponding CRL and sends it to the certificate user end.
Fig. 2 shows the data flowchart of the method for accessing a certificate revocation list according to a preferred embodiment of the present invention. One embodiment of the present invention is described in detail below with reference to Fig. 2.
Step 201: the certificate user end sends a CRL download request to the real-time distributor.
The certificate user end of the present invention can be applied to many purposes, such as Web user authentication, Web server authentication and secure e-mail verification. The certificate user end receives a certificate and, before using it, verifies whether the certificate has been revoked. As mentioned above, the certificate user end determines the validity of the certificate by accessing the CRL. In the present invention, the certificate user end obtains the corresponding CRL by sending a CRL download request to the real-time distributor.
The real-time distributor is responsible for receiving the CRL download request, obtaining the corresponding CRL according to the download request, and sending it to the certificate user end.
In actual business processing, the certificates that the certificate user end receives for different verification purposes are often issued by different CAs, so when a certificate needs to be verified, the CRL issued by the CA responsible for issuing that certificate must be used. The real-time distributor stores the CRLs issued by different CAs; when the certificate user end sends a CRL download request to the real-time distributor, the real-time distributor obtains the CRL corresponding to the download request from the stored CRLs and returns it to the certificate user end.
For example, the CRL download request that the certificate user end sends to the real-time distributor contains the CRL issuer, such as "O=Alibaba.com Corporation; OU=CA Center; CN=Alibaba.com Corporation User CA", indicating that the CRL requested was issued by the certification authority Alibaba.com Corporation; the real-time distributor obtains the CRL issued by Alibaba.com Corporation and sends it to the certificate user end.
Returning the CRL to the certificate user end through the real-time distributor avoids the CRL download failures caused by the uncertainty of network data transmission when the certificate user end downloads the CRL from the CA server over the communication network. Preferably, the present invention deploys the real-time distributor and the certificate user end in the same computer equipment, so that a reliable physical connection guarantees secure transmission of the CRL.
Step 202: the real-time distributor checks whether it stores the CRL corresponding to the download request; if so, it obtains that CRL and sends it to the certificate user end, otherwise it proceeds directly to step 204.
Step 203: the real-time distributor checks whether the CRL corresponding to the download request is within its validity period; if it has expired, step 204 is executed; otherwise, it waits to receive the next CRL download request.
In the preferred form of the present invention, the check of the CRL validity period is completed by the real-time distributor, and the certificate user end only needs to send the download request and download the CRL. In this way the real-time distributor and the certificate user end each perform their own function, which is not only simple to implement and maintain but also reduces the load on the certificate user end and guarantees the normal processing of its business.
In addition, because the certificate user end also stores the CRL downloaded from the real-time distributor, the check of the CRL validity period can also be completed by the certificate user end, which sends a CRL download request to the real-time distributor if the validity period has been exceeded. Whether the certificate user end or the real-time distributor completes the validity period check does not affect the implementation of the present invention; those skilled in the art can choose according to actual conditions, and the present invention places no limit on this.
Step 204: the real-time distributor sends a CRL download request to the CA server according to the received CRL download request.
Step 205: the real-time distributor updates the CRL stored in the real-time distributor according to the downloaded CRL.
Fig. 3 shows the data flowchart of the method for accessing a certificate revocation list according to another preferred embodiment of the present invention. Another embodiment of the present invention is described in detail below with reference to Fig. 3.
Step 301: at a preset time interval and according to the previously stored configuration information of each CA, the real-time distributor checks whether the CRL corresponding to that CA is stored locally; if so, step 302 is executed, otherwise step 303 is executed;
Because the user may use the CRLs issued by different CAs to verify different digital certificates, in this example the real-time distributor stores the configuration information of the different CAs, including the name of the CA and the link address at which its CRL is issued. The real-time distributor can download the corresponding CRL from the CA's CRL issue link address.
In practice, those skilled in the art can set the time interval at which the real-time distributor checks the CRL validity period according to their own needs, for example once every 30 seconds. Preferably, the start time of the periodic CRL check in each real-time distributor is random, and the CA configuration information in each real-time distributor also differs somewhat, so that different real-time distributors are prevented from sending download requests to the same CA server at the same moment.
Step 302: the real-time distributor checks whether the CRL corresponding to that CA is within its validity period; if it has expired, the following step is executed, otherwise step 304 is executed.
Step 303: send a CRL download request to that CA's server and store the downloaded CRL in the real-time distributor.
Step 304: repeat step 301 and step 303 until the check and CRL download have been completed for all CAs.
Step 305: according to the received CRL download request, the real-time distributor obtains the CRL corresponding to that download request from the stored CRLs and sends it to the certificate user end.
From the description of embodiment one, after receiving a download request from the certificate user end, the real-time distributor checks whether the CRL has exceeded its validity period and, if it has expired, sends a CRL download request to the CA server. From embodiment two, the real-time distributor periodically checks at a certain time interval whether the CRL has expired and, if so, sends a CRL download request to the CA server. Using the present invention, therefore, the situation in which the CA server has to respond to a large number of requests at the same moment generally does not occur, which effectively avoids the momentary surge in network data transmission, and the resulting possibility of network congestion, caused by the original CA server distributing CRLs at a fixed time interval.
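The two embodiments above (the request-driven path of Fig. 2, steps 201 to 205, and the periodic path of Fig. 3, steps 301 to 305) can be exercised together in a small model of the real-time distributor. This is an added example, not the patent's or Alibaba's code; the CRL structure, the clock, the issuer DN, the CRL link address and the serial numbers are all constructed, and the CA server is a stub that only hands back the CRL it currently holds.

```python
# Added example (not from the patent): a minimal real-time distributor that
# serves CRLs to certificate user ends by issuer name, refreshes an expired
# CRL from the CA server on request (steps 201-205) and on a timer (301-305).
# Everything below (CRL fields, issuer DN, serials, link address) is constructed.
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set


@dataclass
class CRL:
    """Constructed stand-in for an X.509 CRL: issuer DN, validity window, serials."""
    issuer: str
    this_update: int       # issue time, in seconds
    next_update: int       # the CRL counts as expired from this time on
    revoked: Set[int]      # serial numbers of revoked, not yet expired certificates

    def is_current(self, now: int) -> bool:
        return self.this_update <= now < self.next_update


class CAServer:
    """Stub CA server holding the latest CRL per issuer (the 'maintenance unit')."""

    def __init__(self) -> None:
        self.crls: Dict[str, CRL] = {}
        self.download_count = 0           # CRL download requests served so far

    def fetch_crl(self, issuer: str) -> Optional[CRL]:
        self.download_count += 1
        return self.crls.get(issuer)


class RealTimeDistributor:
    """Stores CRLs per issuer; user ends download from it, never from the CA directly."""

    def __init__(self, ca: CAServer, ca_config: Dict[str, str],
                 clock: Callable[[], int]) -> None:
        self.ca = ca
        self.ca_config = ca_config        # preset CA name -> CRL link address
        self.clock = clock                # injected so the example runs offline
        self.store: Dict[str, CRL] = {}   # the storage unit

    def _refresh(self, issuer: str) -> Optional[CRL]:
        """Steps 204/205: download from the CA; keep the copy only if unexpired."""
        crl = self.ca.fetch_crl(issuer)
        if crl is not None and crl.is_current(self.clock()):
            self.store[issuer] = crl
        return self.store.get(issuer)

    def handle_download_request(self, issuer: str) -> Optional[CRL]:
        """Steps 201-205: answer a user end's request for the CRL of `issuer`."""
        crl = self.store.get(issuer)                 # step 202: query unit
        if crl is None:                              # nothing stored: fetch now
            return self._refresh(issuer)
        if not crl.is_current(self.clock()):         # step 203: expired?
            self._refresh(issuer)                    # steps 204/205, after replying
        return crl                                   # the stored copy is what was sent

    def periodic_check(self) -> None:
        """Steps 301-304: refresh missing or expired CRLs for every configured CA."""
        for issuer in self.ca_config:
            crl = self.store.get(issuer)
            if crl is None or not crl.is_current(self.clock()):
                self._refresh(issuer)                # step 303


def certificate_is_revoked(crl: CRL, serial: int) -> bool:
    """What the certificate user end does with the CRL it downloaded."""
    return serial in crl.revoked


def demo() -> Dict[str, object]:
    """Constructed scenario: one CA, its CRL expires, a user end keeps asking."""
    now = [1000]
    ca = CAServer()
    issuer = "O=Example Corp; OU=CA Center; CN=Example User CA"   # constructed DN
    ca.crls[issuer] = CRL(issuer, 900, 1500, {1001, 1002})
    rtd = RealTimeDistributor(ca, {issuer: "http://ca.example.invalid/crl"},
                              lambda: now[0])
    rtd.handle_download_request(issuer)            # not stored yet: one CA download
    rtd.handle_download_request(issuer)            # stored and current: no CA traffic
    downloads_after_two = ca.download_count
    now[0] = 1600                                  # the stored CRL has now expired
    ca.crls[issuer] = CRL(issuer, 1500, 2100, {1001, 1002, 1003})
    stale = rtd.handle_download_request(issuer)    # stale copy sent, refresh triggered
    fresh = rtd.handle_download_request(issuer)    # refreshed copy
    rtd.periodic_check()                           # current again: nothing to download
    return {
        "downloads_after_two": downloads_after_two,
        "stale_next_update": stale.next_update,
        "fresh_next_update": fresh.next_update,
        "downloads_total": ca.download_count,
        "serial_1003_revoked": certificate_is_revoked(fresh, 1003),
        "serial_1004_revoked": certificate_is_revoked(fresh, 1004),
    }
```

Note that, as the patent describes in step 202, the request that finds an expired CRL still receives the stored copy and only triggers the refresh; a deployment that cannot tolerate serving a stale CRL would refresh before replying.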
The general method by which the present invention accesses the CRL has been described above. Preferably, to access and download the CRL more safely and effectively, the real-time distributor downloads the CRL from the CA server through a file download scheduler.
Fig. 4 shows the data flowchart of the file download scheduler of the present invention downloading the CRL from the CA server. This preferred embodiment of the present invention is described in detail below with reference to Fig. 4.
Step 401: the file download scheduler judges whether an active thread downloading the CRL exists; if so, it waits for that thread to finish before starting a new download thread, otherwise it directly starts a new download thread that sends a download request to the CA server to download the CRL.
Step 402: the file download scheduler judges whether the CRL has been downloaded successfully; if so, step 404 is executed; otherwise step 403 is executed;
Step 403: judge according to the download policy whether the CRL needs to be downloaded again; if so, resend the CRL download request, otherwise execute step 404.
Preferably, the file download scheduler sends download requests according to a preset download policy, and preferably the download policy defines a download count and download time intervals.
According to the download policy, after a CRL download request is sent, whether the CRL was downloaded successfully is judged again; if so, the following steps are executed; otherwise, whether the retry download count has been exhausted is judged, and if so the CRL download is interrupted, otherwise the CRL download request is resent after waiting for the retry download time interval. This process repeats until the retry download count is exhausted or the download succeeds.
After the file download scheduler receives a download request, it first judges whether an active CRL download thread currently exists. Concretely, a flag bit is set: when a download thread has been started, the flag is set to "active thread present"; otherwise, once all threads have finished, it is set to "no active thread". The file download scheduler judges whether an active download thread exists according to this flag. If one exists, a waiting period is set, after which the file download scheduler judges again whether an active download thread exists; otherwise it reads the retry policy and starts a new download thread accordingly.
Taking the Java language as an example: if the file download scheduler finds that the flag value is "active thread present", it executes Thread.sleep(int seconds), meaning it waits seconds seconds before judging again; otherwise it reads the retry policy and, according to that policy, executes Thread.start() to start a new download thread. The retry policy predefines the retry download count and download time intervals, embodied in a parameter configuration of the form 5,30,60,600,3600, which means a maximum of 5 retries with intervals of 5 seconds, 30 seconds, 60 seconds, 600 seconds and 3600 seconds between successive operations. In this example, a "retry count" variable is set to record the number of retry downloads; after each retry download, the "retry count" is incremented by 1. It is used not only to judge whether a retry is needed but also to obtain the time to wait before the next retry.
With this download policy, even if the first download fails because of a network communication fault or other reasons, the file download scheduler can still successfully download the CRL in a subsequent retry, which greatly improves the reliability of the download.
Step 404: the real-time distributor verifies whether the CRL downloaded by the file download scheduler is within its validity period. If it is valid, step 406 is executed; otherwise step 405 is executed.
Step 405: judge, according to the download policy, whether the CRL needs to be downloaded again. If so, resend the CRL download request; otherwise execute step 406.
According to the download policy, unless the retry download count has been exhausted or the downloaded CRL is valid, the CRL download request is resent after waiting for the retry download interval.
Usually the CA server updates the CRL after the CRL expires, but once an update is not timely, the CRL downloaded by the certificate user end will be an expired CRL, which creates a security risk in certificate verification. In practical application of the present invention, even if the above problem occurs, the method of steps 401 to 405 retries the download repeatedly even when the CRL is some time past its validity period, which raises the likelihood of downloading a valid CRL and reduces the security risk caused by failing to obtain a valid CRL.
Step 406: the real-time distributor verifies whether the downloaded CRL is a legitimate CRL. If it is legitimate, step 408 is executed; otherwise step 407 is executed.
Step 407: judge, according to the download policy, whether the CRL needs to be downloaded again. If so, resend the CRL download request; otherwise execute step 408.
The CRL file downloaded from the CA server must conform to the X.509 format standard. The real-time distributor can verify whether the CRL file conforms to the X.509 standard and, at the same time, verify whether the CRL file was issued by the specific CA. This avoids a problem that may arise when the CA server distributes the certificate revocation list directly to the certificate user end, namely that a third party, through an attack or tampering, sends a malicious or illegitimate file to the certificate user end, and thereby effectively guarantees the security of the certificate user end.
Step 408: update the local CRL with the downloaded CRL.
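The following Python is an added example that models steps 401 to 408 as one scheduler; it is not code from the patent and Alibaba's implementation is not known. The "active thread" flag is a lock that is tested without blocking and re-polled after a wait, the retry policy is parsed from the "5,30,60,600,3600" configuration form given above, and a single "number of retries" counter both decides whether another attempt is allowed and selects the wait before it. The `Crl` dataclass is a constructed stand-in for a parsed X.509 CRL (a real deployment would DER-parse the file and verify its signature with an X.509 library); `fetch`, `clock` and `sleep` are injected so the example runs offline. One deliberate choice not spelled out in the text: the local CRL is replaced only by a CRL that passed every check, so an exhausted retry sequence leaves the previously installed CRL in place rather than installing an unverified one.

```python
import threading
import time
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional

# Retry policy in the configuration form the description gives: one figure per
# retry, each the wait in seconds before that retry, so five figures = at most
# five retries after the initial attempt.
RETRY_POLICY = "5,30,60,600,3600"


def parse_retry_policy(policy: str) -> list[int]:
    """Return the retry intervals; their count is the maximum number of retries."""
    intervals = [int(x) for x in policy.split(",") if x.strip()]
    if not intervals or any(i < 0 for i in intervals):
        raise ValueError(f"bad retry policy: {policy!r}")
    return intervals


@dataclass(frozen=True)
class Crl:
    """Constructed stand-in for a parsed X.509 CRL; only the fields the
    scheduler's checks need are modelled (hypothetical, not a real parser)."""
    issuer: str
    this_update: datetime
    next_update: datetime
    signature_valid: bool  # result of checking the CRL signature with the CA key


@dataclass
class Outcome:
    ok: bool
    attempts: int                                  # initial attempt + retries made
    reasons: list[str] = field(default_factory=list)
    crl: Optional[Crl] = None


class FileDownloadScheduler:
    """Steps 401-408: serialise download threads, retry per policy, install."""

    def __init__(self, fetch: Callable[[], Optional[Crl]], expected_issuer: str,
                 policy: str = RETRY_POLICY, *,
                 sleep: Callable[[float], None] = time.sleep,
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc),
                 poll_seconds: float = 1.0):
        self._fetch = fetch                    # sends the download request to the CA
        self._expected_issuer = expected_issuer
        self._intervals = parse_retry_policy(policy)
        self._sleep, self._clock, self._poll = sleep, clock, poll_seconds
        self._active = threading.Lock()        # held == "active thread present"
        self.local_crl: Optional[Crl] = None   # the CRL the distributor serves

    def _check(self, crl: Optional[Crl]) -> Optional[str]:
        """Return None when the CRL passes every check, else why it failed."""
        if crl is None:                                       # step 402
            return "download failed"
        now = self._clock()
        if not (crl.this_update <= now < crl.next_update):    # step 404
            return "CRL outside its validity period"
        if crl.issuer != self._expected_issuer or not crl.signature_valid:  # step 406
            return "CRL not issued by the expected CA"
        return None

    def download(self) -> Outcome:
        # Step 401: while another download thread is active, wait and re-check.
        while not self._active.acquire(blocking=False):
            self._sleep(self._poll)
        try:
            retries, reasons = 0, []   # "number of retries" drives both decisions below
            while True:
                try:
                    crl = self._fetch()
                except Exception:      # a network fault counts as a failed download
                    crl = None
                reason = self._check(crl)
                if reason is None:
                    self.local_crl = crl                    # step 408
                    return Outcome(True, retries + 1, reasons, crl)
                reasons.append(reason)
                if retries >= len(self._intervals):         # retry count exhausted
                    return Outcome(False, retries + 1, reasons)
                self._sleep(self._intervals[retries])       # wait for this retry's interval
                retries += 1
        finally:
            self._active.release()                          # "no active thread"


if __name__ == "__main__":
    # Constructed sample run: an outage, then a stale CRL, then a good one.
    fixed_now = datetime(2006, 8, 30, tzinfo=timezone.utc)
    good = Crl("CN=Example CA", fixed_now, datetime(2006, 9, 6, tzinfo=timezone.utc), True)
    stale = Crl("CN=Example CA", datetime(2006, 8, 1, tzinfo=timezone.utc),
                datetime(2006, 8, 8, tzinfo=timezone.utc), True)
    responses = iter([None, stale, good])
    waits: list[float] = []
    sched = FileDownloadScheduler(lambda: next(responses), "CN=Example CA",
                                  sleep=waits.append, clock=lambda: fixed_now)
    print(sched.download(), "waited:", waits)
```

The three checks are ordered as in the flowchart (success, validity, legitimacy) so that the reason recorded for each failed attempt names the first check that rejected the file, which is what an operator needs when a CA is late publishing a new CRL or a fetched file does not verify against the expected issuer.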
The method of accessing a certificate revocation list of the present invention has been described above with reference to specific embodiments. With reference to that description, Fig. 5 is a block diagram of a device for accessing a CRL according to a preferred embodiment of the present invention. The device comprises:
Storage unit 501, used to store the CRL;
Query unit 505, used to look up, among the CRLs stored in storage unit 501, the CRL corresponding to the user's download request;
Communication unit 502, used to receive CRL download requests and to send the CRL obtained from storage unit 501 according to the CRL download request;
File download schedule unit 503, used to send CRL download requests to the CA server according to a preset download policy, the preset download policy comprising a retry download count and a retry download interval; file download schedule unit 503 stores the downloaded CRL in the storage unit;
Verification unit 504, used to check whether the CRL has expired and, if it has, to send a CRL download request through file download schedule unit 503.
After communication unit 502 receives a CRL download request, verification unit 504 queries storage unit 501 according to the download request to determine whether a corresponding CRL is stored. If one exists, the CRL is sent to the requesting end through communication unit 502 and, at the same time, it is verified whether the CRL has exceeded its validity period; if it has, a CRL download request is submitted to file download schedule unit 503. If no corresponding CRL exists in storage unit 501, a CRL download request is submitted to file download schedule unit 503.
File download schedule unit 503 judges whether the CRL was downloaded successfully. If not, it reads the download policy from storage unit 501 and sends CRL download requests at the predefined retry download interval; unless the retry download count is exhausted or the CRL downloads successfully, file download schedule unit 503 resends the CRL download request according to the download policy.
Verification unit 504 verifies whether the CRL downloaded by file download schedule unit 503 has exceeded its validity period. If it has, the download policy is read from storage unit 501 and CRL download requests are sent at the predefined retry download interval; unless the retry download count is exhausted or the CRL is valid, file download schedule unit 503 resends the CRL download request according to the download policy.
Verification unit 504 verifies whether the CRL downloaded by file download schedule unit 503 is legitimate. If it is not, the download policy is read from storage unit 501 and CRL download requests are sent at the predefined retry download interval; unless the retry download count is exhausted or the CRL is legitimate, file download schedule unit 503 resends the CRL download request according to the download policy.
Preferably, the device for accessing the CRL of the present invention and the certificate user end are deployed on the same computer equipment. Of course, as those of ordinary skill in the art will understand, the device can easily be deployed otherwise, for example on an independent server; the present invention is not limited in this respect, and those skilled in the art can choose according to actual conditions.
With reference to the above embodiment, another preferred embodiment of the device for accessing a CRL of the present invention differs from the above embodiment in that:
the storage unit also stores the configuration information of the CA in advance;
the verification unit periodically checks, at a preset time interval, whether a CRL corresponding to the CA is stored in the storage unit. If none is, it submits a CRL download request to the file download schedule unit; if a CRL corresponding to the CA exists, it checks whether that CRL has exceeded its validity period and, if it has, submits a CRL download request to the file download schedule unit.
For the other content of this embodiment, refer to the above embodiment; it is not repeated here.
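The following Python is an added example of the distributor side of the device just described; it is not code from the patent. It covers the on-request path (a stored CRL is served and its validity checked at the same time, with a download request submitted when it is missing or expired) and the periodic path of this second embodiment (every CA in the configuration is checked at a fixed interval). Download requests are handed to a `submit_download` callable so that the retry scheduler is not repeated here; `StoredCrl`, `Reply` and the CA names are constructed stand-ins, and the `stale` field in the reply is an assumption of this example: the text returns an expired CRL to the requester unchanged, and the field only lets the certificate user end see that it received one.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class StoredCrl:
    """Constructed stand-in for a CRL held in the storage unit; only the fields
    the distributor's own checks need are modelled."""
    issuer: str            # the CA the CRL belongs to
    next_update: datetime  # end of the CRL's validity period


@dataclass(frozen=True)
class Reply:
    crl: Optional[StoredCrl]  # what goes back to the certificate user end
    stale: bool               # assumption: flags a served CRL that is past nextUpdate
    refresh_requested: bool   # whether a download request went to the scheduler


class RealTimeDistributor:
    """Storage unit + query unit + verification unit of the device."""

    def __init__(self, ca_names, submit_download: Callable[[str], None], *,
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._store: dict[str, StoredCrl] = {}   # storage unit, keyed by CA
        self._ca_names = list(ca_names)          # CA configuration information
        self._submit = submit_download           # hands a request to the download scheduler
        self._clock = clock

    def install(self, crl: StoredCrl) -> None:
        """Counterpart of step 408: the scheduler stores a freshly verified CRL."""
        self._store[crl.issuer] = crl

    def _expired(self, crl: StoredCrl) -> bool:
        return self._clock() >= crl.next_update

    def handle_request(self, ca_name: str) -> Reply:
        """On-request path: serve from storage, check validity at the same time."""
        crl = self._store.get(ca_name)
        if crl is None:                 # nothing stored for this CA: ask the scheduler
            self._submit(ca_name)
            return Reply(None, False, True)
        stale = self._expired(crl)
        if stale:                       # served anyway, but a refresh is triggered
            self._submit(ca_name)
        return Reply(crl, stale, stale)

    def periodic_check(self) -> list[str]:
        """Periodic path: run at a fixed interval over every configured CA.
        Returns the CAs for which a download request was submitted."""
        requested = []
        for name in self._ca_names:
            crl = self._store.get(name)
            if crl is None or self._expired(crl):
                self._submit(name)
                requested.append(name)
        return requested


if __name__ == "__main__":
    # Constructed sample: one fresh CRL, one expired, one CA with no CRL yet.
    now = datetime(2006, 8, 30, tzinfo=timezone.utc)
    submitted: list[str] = []
    dist = RealTimeDistributor(["CN=CA One", "CN=CA Two", "CN=CA Three"],
                               submitted.append, clock=lambda: now)
    dist.install(StoredCrl("CN=CA One", datetime(2006, 9, 6, tzinfo=timezone.utc)))
    dist.install(StoredCrl("CN=CA Two", datetime(2006, 8, 8, tzinfo=timezone.utc)))
    for ca in ("CN=CA One", "CN=CA Two", "CN=CA Three"):
        print(ca, dist.handle_request(ca))
    print("periodic check requested:", dist.periodic_check(), "all submissions:", submitted)
```

Because the expired CRL is returned to the requester while the refresh runs, the relying party still has to apply its own freshness policy; the `stale` flag makes that decision possible without a second round trip.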
The invention also discloses a system for accessing a certificate revocation list, comprising a certificate user end, a real-time distributor and a certification authority server, wherein:
the certificate user end comprises a first communication unit, for sending CRL download requests and receiving certificate revocation lists;
the certification authority server comprises a server storage unit, for storing certificate revocation lists, and a maintenance unit, for updating the CRL in the server storage unit;
the real-time distributor comprises a storage unit, for storing certificate revocation lists; a query unit, for looking up, among the stored CRLs, the CRL corresponding to the user's download request; and a second communication unit, for receiving the CRL downloaded from the server storage unit and storing it in the storage unit, and for receiving the CRL download request sent by the first communication unit and returning the corresponding CRL to the first communication unit.
The method, device and system for accessing a certificate revocation list provided by the present invention have been described in detail above. Specific cases have been used to explain the principle and embodiments of the present invention; the explanation of the above embodiments is only meant to help in understanding the method of the present invention and its core idea. At the same time, those of ordinary skill in the art may, following the idea of the present invention, change the specific embodiments and the scope of application. In sum, this description should not be construed as limiting the present invention.

Claims (15)

1. A method of accessing a certificate revocation list, characterized in that it comprises the following steps:
presetting a CRL in a real-time distributor;
a certificate user end sending a CRL download request to the real-time distributor;
the real-time distributor looking up, among the CRLs it stores, the CRL corresponding to the download request and returning that CRL to the certificate user end.
2. The method of accessing a certificate revocation list according to claim 1, characterized in that it further comprises:
the real-time distributor checking whether the CRL is within its validity period and, if it has expired, sending a CRL download request to the certification authority server corresponding to the CRL;
the certification authority server obtaining the corresponding CRL according to the request and returning it to the real-time distributor;
the real-time distributor using that CRL to update the CRL stored in the real-time distributor.
3. The method of accessing a certificate revocation list according to claim 2, characterized in that it further comprises:
the real-time distributor judging whether an active thread downloading the certificate revocation list exists and, if so, waiting for that thread to finish before starting a new download thread, otherwise starting a new download thread, the new download thread being for downloading the CRL from the certification authority server.
4. The method of accessing a certificate revocation list according to claim 3, characterized in that it further comprises: completing the download according to a preset download policy, the download policy comprising a retry download count and a retry download interval.
5. The method of accessing a certificate revocation list according to claim 4, characterized in that the download policy is:
judging whether the current download thread has successfully downloaded the CRL; if so, ending the download; otherwise resending the download request according to the retry download interval of the download policy;
this step being executed in a loop until the retry download count of the download policy is exhausted or the download succeeds.
6. The method of accessing a certificate revocation list according to claim 4, characterized in that the download policy is:
after receiving the CRL returned by the certification authority server, verifying whether the downloaded CRL is within its validity period; if it has not expired, using that CRL to update the CRL stored in the real-time distributor; if it has expired, resending the download request according to the retry download interval of the download policy;
this step being executed in a loop until the retry download count of the download policy is exhausted or the downloaded CRL has not expired.
7. The method of accessing a certificate revocation list according to claim 4, characterized in that the download policy is: verifying whether the downloaded CRL is a legitimate CRL; if legitimate, using that CRL to update the CRL stored in the real-time distributor; otherwise resending the download request according to the retry download interval of the download policy;
this step being executed in a loop until the retry download count of the download policy is exhausted or the downloaded CRL is a legitimate CRL file.
8. A device for accessing a certificate revocation list, characterized in that it comprises:
a storage unit, for storing certificate revocation lists;
a query unit, for looking up, among the CRLs stored in the storage unit, the CRL corresponding to a user's download request;
a communication unit, for receiving the user's CRL download request and sending the looked-up CRL to the user.
9. The device for accessing a certificate revocation list according to claim 8, characterized in that it further comprises: a file download schedule unit, for connecting to the certification authority server and completing the download process of the CRL according to a preset download policy, the preset download policy comprising a retry download count and a retry download interval, the file download schedule unit storing the downloaded CRL in the storage unit.
10. The device for accessing a certificate revocation list according to claim 9, characterized in that it further comprises: a verification unit, for verifying whether the certificate revocation list has expired and, if it has expired, causing the file download schedule unit to send a CRL download request to the certification authority server according to the download policy.
11. The device for accessing a certificate revocation list according to claim 9 or 10, characterized in that the download process is: the file download schedule unit judging whether an active thread downloading the certificate revocation list exists; if so, waiting for that thread to finish before starting a new download thread; otherwise starting a new download thread, the new download thread being for downloading the CRL from the certification authority server according to the download policy.
12. The device for accessing a certificate revocation list according to claim 11, characterized in that the download policy is: the file download schedule unit judging whether the current download thread has successfully downloaded the CRL; if so, ending the download; otherwise resending the download request according to the download interval of the download policy;
this process being executed in a loop until the retry download count of the download policy is exhausted or the download succeeds.
13. The device for accessing a certificate revocation list according to claim 11, characterized in that the download policy is: the verification unit verifying whether the CRL downloaded by the file download schedule unit is within its validity period; if it has not expired, using that CRL to update the CRL stored in the real-time distributor; if it has expired, the file download schedule unit resending the download request according to the retry download interval of the download policy;
this process being executed in a loop until the retry download count of the download policy is exhausted or the downloaded CRL has not expired.
14. The device for accessing a certificate revocation list according to claim 11, characterized in that the download policy is: the verification unit verifying whether the CRL downloaded by the file download schedule unit is a legitimate CRL; if legitimate, using that CRL to update the CRL stored in the storage unit; otherwise the file download schedule unit resending the download request according to the retry download interval of the download policy;
this process being executed in a loop until the retry download count of the download policy is exhausted or the downloaded CRL is a legitimate CRL.
15. A system for accessing a certificate revocation list, characterized in that it comprises a certificate user end, a real-time distributor and a certification authority server, wherein:
the certificate user end comprises:
a first communication unit, for sending CRL download requests and receiving certificate revocation lists;
the certification authority server comprises:
a server storage unit, for storing certificate revocation lists;
a maintenance unit, for updating the CRL in the server storage unit;
the real-time distributor comprises:
a storage unit, for storing certificate revocation lists;
a query unit, for looking up, among the CRLs stored in the storage unit, the CRL corresponding to a user's download request;
a second communication unit, for receiving the CRL downloaded from the server storage unit and storing it in the storage unit, and for receiving the CRL download request sent by the first communication unit and returning the corresponding CRL to the first communication unit.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2006101277182A CN101136098A (en) 2006-08-30 2006-08-30 Method, device and system for accessing to certificate revocation list

Publications (1)

Publication Number Publication Date
CN101136098A true CN101136098A (en) 2008-03-05

Family

ID=39160185

Country Status (1)

Country Link
CN (1) CN101136098A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 1114444; Country of ref document: HK)
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication (Open date: 20080305)
REG Reference to a national code (Ref country code: HK; Ref legal event code: WD; Ref document number: 1114444; Country of ref document: HK)