CN103117862B - Method for verifying a Java certificate with an OpenSSL X.509 digital certificate - Google Patents


Info

Publication number: CN103117862B (application CN201310052771.0A; earlier publication CN103117862A)
Authority: CN (China)
Prior art keywords: certificate, java, public key, digital certificate, openssl
Legal status: Expired - Fee Related
Original language: Chinese (zh)
Inventors: 陈海雷, 范健, 潘琪锋, 尤建华
Original assignee: WUXI CYNOVO TECH Co Ltd
Current assignee: Nanjing ningsano Intelligent Technology Co., Ltd.
Priority date and filing date: 2013-02-18
Publication date: 2013-05-22 (CN103117862A), granted 2015-11-25 (CN103117862B)
Landscapes: Storage Device Security (AREA)

Abstract

The invention provides a method for verifying a Java certificate with an OpenSSL X.509 digital certificate. It removes the difficulty of verifying certificates across a language boundary and simplifies security customization of the Android system. The public key held in an OpenSSL X.509 digital certificate structure is converted step by step into a Java SubjectPublicKeyInfo object; that is, the public key of the OpenSSL X.509 certificate is carried over into the Java environment, and the certificate in question is then verified with the ordinary certificate verification steps of the Java environment. This allows a CA certificate kept in a security module to be used to verify third-party Android installation packages, and installation to be blocked when the package's signature does not match the CA's authorization. The same method can be used when the Android system authenticates a server's identity. Its advantages are high implementation efficiency and low cost: the conversion functions used are ordinary functions that already exist in the function libraries of the Android system, so nothing needs to be modified or added.

Description

Method for verifying a Java certificate with an OpenSSL X.509 digital certificate
Technical field
The present invention relates to the field of digital certificate technology, specifically to a method for verifying a Java certificate with an OpenSSL X.509 digital certificate.
Background
In the Android system, a Java certificate is verified with a CA certificate stored in a hardware module. In security applications the CA certificate is usually not kept in a system path with a low level of protection but in a hardware module that has security properties. The read/write driver of such a hardware module is normally written in C, and when the CA certificate is read from the driver it is generally in OpenSSL's X.509 form. The certificate to be verified, on the other hand, lives in the Android Java layer and is in Java certificate form. This verification of a certificate across a language boundary requires a specific method.
At present the Android system only offers digital certificate verification within a single programming language environment. If the CA certificate were placed in some system path, a single language environment could be guaranteed, but the level of protection there is usually low and the certificate is easily tampered with. Once the CA certificate is stored in security hardware, the verification crosses language environments: the driver that accesses the hardware is generally written in C rather than Java, while the certificate at the Android application layer is necessarily a Java certificate.
Summary of the invention
The object of the invention is to remove this difficulty of cross-language certificate verification and to simplify security customization of the Android system by providing a method for verifying a Java certificate with an OpenSSL X.509 digital certificate. Its application background is this: a CA certificate kept in a security module is used to verify a third-party Android installation package, and installation is blocked when the package's signature does not match the CA's authorization. The same method can be used when the Android system authenticates a server's identity: the server certificate sent by the server is verified with a CA certificate kept in the security module, and if the server certificate is not authorized by that CA, the client drops its connection to the server.
According to the technical scheme provided by the invention, the method for verifying a Java certificate with an OpenSSL X.509 digital certificate comprises the following steps:
(1) read the CA certificate stored in hardware through the driver interface and obtain an OpenSSL X.509 digital certificate structure;
(2) take from the X.509 digital certificate structure the public key's ASN.1 encoding, the public key algorithm and the parameters;
(3) convert the public key algorithm and the parameters to the C character array type (char*) with OpenSSL's ASN.1 conversion functions;
(4) convert the three C character arrays (public key ASN.1 encoding, public key algorithm and parameters) to the Java byte array type (byte[]) according to the JNI rules;
(5) further convert the converted public key algorithm byte array to the Java String type;
(6) construct a Java AlgorithmIdentifier object from the converted public key algorithm and parameters;
(7) construct a Java SubjectPublicKeyInfo object from the AlgorithmIdentifier object and the byte array holding the public key's ASN.1 encoding;
(8) obtain the Java public key object from the SubjectPublicKeyInfo object through its member function; this Java public key object is the CA certificate's public key in the Java environment, i.e. the public key of the OpenSSL X.509 digital certificate has now been carried over into the Java environment;
(9) verify whether the digital certificate is authorized, following the ordinary certificate verification steps of the Java environment:
A. obtain the Java certificate object to be verified;
B. call the verify member function of that certificate object, passing the Java public key object as the argument;
C. catch exceptions: if no exception is thrown, verification passed and the certificate is authorized; if an exception is thrown, verification failed; if the exception type is a signature exception, the certificate is not authorized.
The advantages of the invention are high implementation efficiency and low cost: the conversion functions used are ordinary functions that already exist in the function libraries of the Android system, so nothing needs to be modified or added.
Brief description of the drawing
Fig. 1 is a flow chart of the implementation of the invention.
Embodiment
The invention is further described below with reference to the drawing and the embodiment.
First, the principle of verifying a digital certificate with a CA certificate is introduced.
In general, a digital certificate carries the signature of the authorizing party (the issuer). The signature is produced by the issuer with its own private key over a section of data extracted from the certificate; in X.509 this is the to-be-signed part of the certificate, which is hashed first and the hash then signed. Only the issuer's public key can check this signature, and that public key is contained in the issuer's CA certificate. The verification principle is therefore: take the public key out of the CA certificate and use it to check the signature against the data extracted from the certificate (for RSA this means recovering the signed, padded hash from the signature with the public key and comparing it with a freshly computed hash); if they match, the digital certificate was authorized by the CA certificate, otherwise it was not.
When the CA certificate is read from the driver it is generally in OpenSSL's X.509 form. This is an X509 structure that holds all the information of the CA certificate. To verify a Java certificate, the key point is obtaining the public key in the Java environment. The invention extracts the public key's ASN.1 encoding, the public key algorithm and the parameters from the OpenSSL X.509 digital certificate, converts them in the Android JNI layer, constructs a Java AlgorithmIdentifier object from the public key algorithm and parameters, and constructs a Java SubjectPublicKeyInfo object from the public key's ASN.1 encoding and the AlgorithmIdentifier object. That object yields the Java public key object through its member function, and this Java public key object is the CA certificate's public key in the Java environment. It then only remains to verify, with the ordinary certificate verification steps of the Java environment, whether the digital certificate is authorized.
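The decomposition and reconstruction described above (steps (2) to (7) of the summary and steps 2 to 7 of the flow below) can be modelled end to end without JNI. The following is an added example, not code from the patent: a standard-library-only Python model of both sides of the boundary. The C side is `build_rsa_spki` (the bytes i2d_X509_PUBKEY would produce), `split_spki` plays the role of OBJ_obj2txt plus the parameter and key extraction, and `join_spki` plays the role of the Java AlgorithmIdentifier and SubjectPublicKeyInfo constructors. The toy RSA key (n = 3233, e = 17) and all helper names are constructed for the example; the DER layout is the real SubjectPublicKeyInfo layout of RFC 5280 and RFC 3279.

```python
"""Decompose a DER SubjectPublicKeyInfo into the three items the patent carries
across JNI (algorithm OID as text, parameters, public-key bits) and rebuild it.
Added example, not the patent's code; stdlib only. The toy RSA key (n = 3233,
e = 17) is constructed; the layout is the real one from RFC 5280 / RFC 3279."""

SEQUENCE, INTEGER, BIT_STRING, NULL, OID = 0x30, 0x02, 0x03, 0x05, 0x06


def der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(n):
    # One extra byte when the top bit is set, so the value stays positive.
    return tlv(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on all but the last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(OID, bytes(out))


def read_tlv(buf, pos=0):
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def oid_to_text(content):
    """OID content bytes to dotted text, as OBJ_obj2txt(..., no_name=1) does."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(x) for x in (*head, *arcs[1:]))


def build_rsa_spki(n, e):
    """C side: the bytes i2d_X509_PUBKEY emits for an RSA key."""
    rsa_public_key = tlv(SEQUENCE, der_integer(n) + der_integer(e))
    alg_id = tlv(SEQUENCE, der_oid("1.2.840.113549.1.1.1") + tlv(NULL, b""))
    return tlv(SEQUENCE, alg_id + tlv(BIT_STRING, b"\x00" + rsa_public_key))


def split_spki(spki):
    """Steps 2-3: (algorithm OID text, parameter DER, public-key bits).
    The parameter is returned as complete DER (what i2d_ASN1_TYPE gives), which
    handles NULL (RSA) and named-curve OID (EC) parameters, not only OCTET STRING."""
    tag, body, _ = read_tlv(spki)
    assert tag == SEQUENCE, "not a SubjectPublicKeyInfo"
    tag, alg_body, pos = read_tlv(body)
    assert tag == SEQUENCE, "AlgorithmIdentifier missing"
    tag, bits, _ = read_tlv(body, pos)
    assert tag == BIT_STRING and bits[0] == 0, "key bits must be byte aligned"
    tag, oid_content, after_oid = read_tlv(alg_body)
    assert tag == OID, "algorithm OID missing"
    return oid_to_text(oid_content), alg_body[after_oid:], bits[1:]


def join_spki(oid_text, params, key_bits):
    """Steps 6-7 on the Java side: AlgorithmIdentifier(oid, params), then
    SubjectPublicKeyInfo(algId, keyBits); byte-identical to the C-side DER."""
    alg_id = tlv(SEQUENCE, der_oid(oid_text) + params)
    return tlv(SEQUENCE, alg_id + tlv(BIT_STRING, b"\x00" + key_bits))


def rsa_numbers(key_bits):
    """(n, e) from the RSAPublicKey SEQUENCE inside the BIT STRING."""
    _, seq, _ = read_tlv(key_bits)
    _, n_bytes, pos = read_tlv(seq)
    _, e_bytes, _ = read_tlv(seq, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def roundtrip_demo(n=3233, e=17):
    """What crosses the JNI boundary for the toy key, and whether the rebuild matches."""
    spki = build_rsa_spki(n, e)
    oid_text, params, key_bits = split_spki(spki)
    return oid_text, params, rsa_numbers(key_bits), join_spki(oid_text, params, key_bits) == spki
```

`roundtrip_demo()` returns the dotted OID `1.2.840.113549.1.1.1` (rsaEncryption), the parameter DER `05 00` (ASN.1 NULL, which is why ASN1_TYPE_get_octetstring is the wrong accessor for RSA parameters), the decoded (n, e) pair, and `True` because the rebuilt SubjectPublicKeyInfo is byte-identical to the input. The same split and join work unchanged for a real-size modulus, since the parser handles long-form DER lengths.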
As shown in Fig. 1, the flow of the method of the invention for verifying a Java certificate with an OpenSSL X.509 digital certificate is as follows:
1. Read the CA certificate through the driver interface and obtain an OpenSSL X.509 digital certificate structure.
2. Take out of it the public key's ASN.1 encoding, the public key algorithm and the parameters.
The public key's ASN.1 encoding is a pointer to a character array that holds the ASN.1 (DER) encoding of the public key (the pointer is of character array type, so accessing it is equivalent to accessing the array it points to). Because the encoding follows the ASN.1 standard, the content of this character array stays the same on every platform.
The public key algorithm is a pointer to the ASN1_OBJECT that holds the public key algorithm information, i.e. its object identifier.
The parameters are a pointer to the ASN1_TYPE that holds the public key algorithm's parameter information. ASN1_OBJECT and ASN1_TYPE are types defined by OpenSSL; their content can be converted into character arrays with OpenSSL's ASN.1 conversion functions. (These three items are the members of the certificate's X509_PUBKEY structure; in OpenSSL 1.1.0 and later they are obtained with X509_get_X509_PUBKEY and X509_PUBKEY_get0_param.)
3. Convert the public key algorithm and the parameters to the C character array type (char*) with OpenSSL's ASN.1 conversion functions. Specifically, the public key algorithm is converted to a C character array with OBJ_obj2txt (with no_name set to 1 it yields the dotted numeric OID, for example 1.2.840.113549.1.1.1 for rsaEncryption, which is the form an AlgorithmIdentifier constructor expects), and the parameters are converted to a C character array with ASN1_TYPE_get_octetstring. Note that ASN1_TYPE_get_octetstring only succeeds when the ASN1_TYPE holds an OCTET STRING; for rsaEncryption the parameters field is ASN.1 NULL and for ecPublicKey it is the named-curve OID, so an implementation that must handle those keys should instead copy the parameter's complete DER encoding (i2d_ASN1_TYPE) and hand that to the Java side.
4. Convert the three C character arrays (public key ASN.1 encoding, public key algorithm and parameters) to the Java byte array type (byte[]) according to the JNI rules, so that the content of all three is now held in Java byte arrays. This is the ordinary JNI conversion (NewByteArray followed by SetByteArrayRegion).
5. The public key algorithm is further converted to the Java String type, using the String constructor that builds a string from a Java byte array.
6. The converted public key algorithm and parameters are used to construct a Java AlgorithmIdentifier object, using that object's constructor.
7. The AlgorithmIdentifier object and the byte array holding the public key's ASN.1 encoding are used to construct a Java SubjectPublicKeyInfo object, using that object's constructor.
8. The Java public key object is obtained from the SubjectPublicKeyInfo object through its member function. (AlgorithmIdentifier and SubjectPublicKeyInfo are not part of the public Java SE API; the names match the Bouncy Castle ASN.1 classes bundled in the Android platform. With the standard API alone, steps 6 to 8 collapse into KeyFactory.getInstance(algorithm).generatePublic(new X509EncodedKeySpec(spkiDer)), which takes the complete SubjectPublicKeyInfo DER as produced on the C side by i2d_X509_PUBKEY; the three separate pieces are only needed when those constructors are used directly.)
9. The Java public key object obtained above is the CA certificate's public key in the Java environment. Since the key to verifying the digital certificate is obtaining the CA's Java public key, and at this step the public key of the OpenSSL X.509 digital certificate has been successfully carried over into the Java environment, it only remains to verify, with the ordinary certificate verification steps of the Java environment, whether the digital certificate is authorized. The steps are as follows:
1. Obtain the Java certificate object to be verified.
2. Call the verify member function of that certificate object, passing the Java public key object as the argument.
3. Catch exceptions. If no exception is thrown, verification passed and the certificate is authorized; if an exception is thrown, verification failed; if the exception type is a signature exception (SignatureException), the certificate is not authorized, i.e. its signature was not made with the private key matching this CA's public key. Other exception types thrown by verify (InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, CertificateException) indicate a processing error rather than a verdict on the certificate. Note also that verify checks the signature only: it does not check the validity period, that the certificate's issuer name matches the CA certificate's subject, basic constraints and key usage, or revocation; where those are required they must be checked separately, as a full chain validation would.
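What the verify call of step 2 actually decides, and what it leaves open, is shown by the following added example (not code from the patent): a standard-library-only Python model of X509Certificate.verify(PublicKey) for an RSA/SHA-256 signature. The CA key is a constructed toy built from the Mersenne primes 2^521-1 and 2^607-1, which is weak and trivially factorable and is used only because they are known primes long enough to hold a PKCS#1 v1.5 padded SHA-256 digest. The certificate is a constructed stand-in made of to-be-signed bytes plus a signature, and the names SignatureException, make_leaf, ca_sign, verify, rejected and demo are assumptions of the example.

```python
"""Model of X509Certificate.verify(caPublicKey) for an RSA/SHA-256 signature,
showing what the signature check decides and what it leaves unchecked.
Added example, not the patent's code; stdlib only. The CA key is a constructed
toy built from the Mersenne primes 2^521-1 and 2^607-1: trivially factorable,
chosen only because they are known primes long enough to hold a padded SHA-256
digest. Never build a real key this way."""
import hashlib


class SignatureException(Exception):
    """Stands in for java.security.SignatureException: 'not authorized'."""


def modinv(a, m):
    """Modular inverse by extended Euclid (avoids pow(a, -1, m), Python 3.8+)."""
    r0, r1, t0, t1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
    assert r0 == 1, "not invertible"
    return t0 % m


P, Q = (1 << 521) - 1, (1 << 607) - 1   # toy CA private factors (constructed)
N, E = P * Q, 65537                      # toy CA public key
D = modinv(E, (P - 1) * (Q - 1))         # toy CA private exponent
K = (N.bit_length() + 7) // 8            # modulus size in bytes (141)

# DigestInfo prefix for SHA-256, RFC 8017 section 9.2 note 1
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(tbs):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo, K bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(tbs).digest()
    if K < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def ca_sign(tbs):
    """Issuer side: RSA signature over the to-be-signed bytes."""
    return pow(int.from_bytes(emsa_pkcs1_v15(tbs), "big"), D, N).to_bytes(K, "big")


def verify(tbs, signature, n=N, e=E):
    """Equivalent of cert.verify(caPublicKey): the signature check and nothing else.
    Raises SignatureException on mismatch; returns True on success."""
    if len(signature) != K:
        raise SignatureException("signature length does not match the modulus")
    recovered = pow(int.from_bytes(signature, "big"), e, n).to_bytes(K, "big")
    # Compare the whole encoding, not just the trailing hash: accepting loose
    # padding is the classic e=3 forgery bug (Bleichenbacher, 2006).
    if recovered != emsa_pkcs1_v15(tbs):
        raise SignatureException("signature does not verify under this CA key")
    return True


def make_leaf(subject, not_after):
    """Constructed stand-in for a certificate: (to-be-signed bytes, signature)."""
    tbs = f"subject={subject};issuer=Toy CA;notAfter={not_after}".encode()
    return tbs, ca_sign(tbs)


def rejected(tbs, signature, **key):
    """True when verify() raises SignatureException for this input."""
    try:
        verify(tbs, signature, **key)
    except SignatureException:
        return True
    return False


def demo():
    """(authorized verifies, tampered rejected, other CA rejected, expired still verifies)."""
    tbs, sig = make_leaf("app.example", "2099-01-01")
    authorized = verify(tbs, sig)
    tampered = rejected(tbs.replace(b"app.example", b"evil.example"), sig)
    other_ca = rejected(tbs, sig, e=3)           # same modulus, different public key
    # verify() is silent about dates, issuer name, key usage and revocation:
    # an expired certificate with a good CA signature still passes.
    old_tbs, old_sig = make_leaf("app.example", "2000-01-01")
    expired = verify(old_tbs, old_sig)
    return authorized, tampered, other_ca, expired
```

`demo()` returns four booleans: a correctly signed certificate verifies, a tampered one raises SignatureException (the "not authorized" outcome of step 3), the same signature checked under a different CA key is rejected, and an expired certificate with a good signature still verifies. The last case is the reason the date, issuer-name, key-usage and revocation checks of a full chain validation have to be performed in addition to the verify call.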
In the software implementation, the method is divided by function into three modules: module one, the driver module for the security hardware; module two, the cross-language format conversion module in the Android JNI layer; module three, the digital certificate verification module in the Android Java layer.
The three modules execute in sequence. Module one runs first, and only if it succeeds does module two run; if module two also succeeds, module three runs, and the software succeeds when module three completes normally. If any module fails, the software fails.
The functions of the three modules are as follows. Module one reads the CA certificate through the driver interface and returns an OpenSSL X.509 digital certificate structure. Module two extracts the public key, the public key algorithm and the parameters from the X509 structure and converts them, by the JNI rules, into types usable from Java. Module three performs the ordinary digital certificate verification of the Java environment and reports the result: certificate authorized, certificate not authorized, or another error.
Below is an explanation of some terms used in the invention.
CA (Certificate Authority): the authority responsible for issuing certificates, authenticating certificates and managing the certificates it has issued.
CA certificate: a certificate issued by a CA; it can be used to verify certificates authorized by the owner of the CA certificate.
Digital certificate: a file containing the principal certificate information and a public key, digitally signed by a CA or by the owner of a CA certificate.
X.509 digital certificate: a kind of digital certificate. X.509 is a general certificate format; a certificate whose format follows the ITU-T X.509 international standard is called an X.509 digital certificate. A standard X.509 digital certificate contains the following:
the certificate version; the certificate serial number; the signature algorithm used by the certificate; the name of the certificate issuer; the validity period of the certificate; the name of the certificate owner; the public key of the certificate owner; the issuer's signature over the certificate.
OpenSSL: a well-known cryptographic library of that name, written in C, which contains the X.509 digital certificate structure and the certificate operation interfaces.
Java certificate: an object of the Java class that represents a certificate (java.security.cert.X509Certificate).
ASN.1: a set of ITU-T rules that specify how data is encoded so that any other platform or third-party tool can interpret its content. Its effect is that the same data has a uniform encoding on different platforms.
JNI (Java Native Interface): the software layer through which Java and C/C++ call each other and convert types in the Android system.

Claims (3)

1. A method for verifying a Java certificate with an X.509 digital certificate of OpenSSL (Open Secure Sockets Layer), characterized by comprising the following steps:
(1) reading the CA certificate stored in hardware through the driver interface and obtaining an OpenSSL X.509 digital certificate structure;
(2) taking from the X.509 digital certificate structure the public key's ASN.1 encoding, the public key algorithm and the parameters, the parameters being a pointer to the ASN1_TYPE holding the public key algorithm's parameter information;
(3) converting the public key algorithm to the C character array type with the OBJ_obj2txt function, and the parameters to the C character array type with the ASN1_TYPE_get_octetstring function;
(4) converting the three C character arrays (public key ASN.1 encoding, public key algorithm and parameters) to the Java byte array type (byte[]) according to the Java Native Interface rules;
(5) further converting the converted public key algorithm byte array to the Java String type;
(6) constructing a Java AlgorithmIdentifier object from the converted public key algorithm and parameters;
(7) constructing a Java SubjectPublicKeyInfo object from the AlgorithmIdentifier object and the byte array holding the public key's ASN.1 encoding;
(8) obtaining the Java public key object from the SubjectPublicKeyInfo object through its member function, this Java public key object being the CA certificate's public key in the Java environment, i.e. the public key of the OpenSSL X.509 digital certificate carried over into the Java environment;
(9) verifying whether the digital certificate is authorized, following the ordinary certificate verification steps of the Java environment.
2. The method for verifying a Java certificate with an OpenSSL X.509 digital certificate according to claim 1, characterized in that the method of verifying in step (9) whether the digital certificate is authorized is:
A. obtaining the Java certificate object to be verified;
B. calling the verify member function of that certificate object, passing the Java public key object as the argument;
C. catching exceptions: if no exception is thrown, verification passed and the certificate is authorized; if an exception is thrown, verification failed.
3. The method for verifying a Java certificate with an OpenSSL X.509 digital certificate according to claim 2, characterized in that in step C, if the exception type is a signature exception, the certificate is not authorized.

Priority Applications (1)

Application number CN201310052771.0A, priority date 2013-02-18, filing date 2013-02-18: Method for verifying a Java certificate with an OpenSSL X.509 digital certificate (CN103117862B, en)

Publications (2)

Publication number  Publication date
CN103117862A (en)   2013-05-22
CN103117862B (en)   2015-11-25 (granted patent)

Family

ID=48416143

Families Citing this family (7)

* Cited by examiner, † Cited by third party
CN103971034A *  priority 2014-04-24, published 2014-08-06, 福建联迪商用设备有限公司: Method and device for protecting Java software
CN105721154B *  priority 2014-12-05, published 2020-02-18, 航天信息股份有限公司: Encryption protection method based on Android platform communication interface
CN104680061A *  priority 2015-02-28, published 2015-06-03, 国鼎网络空间安全技术有限公司: Method and system for verifying code signing during startup of application in Android environment
CN106936789B *  priority 2015-12-30, published 2021-04-13, 格尔软件股份有限公司: Application method for authentication by using double certificates
CN105721162B *  priority 2016-01-30, published 2019-03-05, 飞天诚信科技股份有限公司: Method and device for automatically importing a digital certificate into an application program
CN108134676A *  priority 2017-12-19, published 2018-06-08, 上海闻泰电子科技有限公司: Android system secure boot method and readable storage medium
CN111884813B *  priority 2020-08-05, published 2022-03-25, 哈尔滨工业大学(威海): Malicious certificate detection method

Citations (2)

* Cited by examiner, † Cited by third party
CN1956372A *  priority 2005-10-21, published 2007-05-02, 惠普开发有限公司: A digital certificate that indicates a parameter of an associated cryptographic token
CN102055759A *  priority 2010-06-30, published 2011-05-11, 北京飞天诚信科技有限公司: Hardware engine realization method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
US20020120840A1 *  priority 2000-12-15, published 2002-08-29, International Business Machines Corporation: Configurable PKI architecture

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile; D. Cooper et al.; Network Working Group, RFC 5280; 2008-05-31; pp. 26-51 *
Java implementation of obtaining security authentication through a CA certificate; Tang Xuelian; Computer Development & Applications; 2002-07-30; vol. 15, no. 7; pp. 34-36 *

Legal Events

Code        Event
C06 / PB01  Publication
C10 / SE01  Entry into substantive examination
C14 / GR01  Grant of patent (granted publication date: 2015-11-25)
C41 / TR01  Transfer of patent right, registered 2016-02-23: from Wuxi Cynovo Tech Co., Ltd. (4th floor, Building B, Sagittarius, Wuxi National Software Park, 18 Zhenze Road, Wuxi New District, Jiangsu 214135) to Fenghua capital machinery Casting Co., Ltd. (19 Hengfeng Road, square Bridge Development Zone, Fenghua, Zhejiang 315500)
C41 / TR01  Transfer of patent right, registered 2016-06-20: from Fenghua capital machinery Casting Co., Ltd. back to Wuxi Cynovo Tech Co., Ltd. (same addresses as above)
TR01        Transfer of patent right, registered 2019-04-22: from Wuxi Cynovo Tech Co., Ltd. to Nanjing ningsano Intelligent Technology Co., Ltd. (Room 616-1, Building 2, Changfeng Building, 14 Xinghuo Road, Jiangbei New District, Nanjing, Jiangsu 210000)
CF01        Termination of patent right due to non-payment of the annual fee; termination date 2021-02-18