CN103885723B - Digital certificate store method, system and digital certificate read method and system - Google Patents

Publication number
CN103885723B
Authority
CN
China
Prior art keywords
data
digital certificate
certificate
slot
fragment
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201410077035.5A
Other languages
Chinese (zh)
Other versions
CN103885723A (en)
Inventor
张永强
王胜男
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Age Of Security Polytron Technologies Inc
Original Assignee
Age Of Security Polytron Technologies Inc

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a digital certificate storage method and system and a digital certificate reading method and system. The storage method includes: dividing a digital certificate into two or more data fragments; performing data matching on the fragments obtained by the division to obtain at least two data fragments that are identical in structure and content, and classifying these identical fragments into at least one redundant data fragment and at least one valid data fragment; and storing the fragments obtained by the division, other than the redundant data fragments, in the certificate storage space, while correspondingly recording the data position information of each stored fragment within the digital certificate, where for the valid data fragment both its own data position information and that of the redundant data fragments are recorded. The method and system save storage space while still storing the digital certificate completely, and allow the complete digital certificate to be read back quickly.

Description

Digital certificate store method, system and digital certificate read method and system
Technical field
The present invention relates to the field of digital authentication technology, and in particular to a digital certificate storage method and system and a digital certificate reading method and system.
Background
In digital authentication, the content of a digital certificate is signed by a certificate authority (Certificate Authority, CA), which strictly guarantees the integrity of its data. That integrity must also be preserved when the certificate is transmitted and stored; otherwise the certificate is treated as invalid. In the prior art, therefore, a digital certificate is generally stored in the certificate medium as a single complete data file.
Because a legitimate CA must implement a dual-certificate system, one certificate medium has to store at least two certificates, a signing certificate and an encryption certificate. Moreover, to keep SM2 certificates (SM2 is an asymmetric cryptographic algorithm specified by China's State Cryptography Administration) compatible with existing RSA certificates at the application level, a single certificate medium may need to hold the SM2 signing and encryption certificates together with the RSA signing and encryption certificates, which strains the storage space available for digital certificates.
Meanwhile, as digital certificate applications continue to spread, certificate media have rapidly expanded from the traditional USB Key (a certificate and key storage medium that uses USB) to media whose storage space is strictly limited, such as IC (Integrated Circuit) cards, SIM (Subscriber Identity Module) cards and RFID (Radio Frequency Identification) cards, which also makes it difficult to store digital certificates on such space-constrained media.
In addition, with the spread of the "one key, multiple uses" and "one card, multiple uses" concepts, even a USB Key with relatively ample storage often serves several applications at once and stores various application business data besides certificates and keys, so its storage space also becomes tight.
Summary of the invention
In view of the above, and to address the difficulty of storing digital certificates in the storage media used in digital authentication, a digital certificate storage method and system and a digital certificate reading method and system are provided.
A digital certificate storage method, comprising the following steps:
Dividing the digital certificate into two or more data fragments according to the ASN.1 encoding rules;
Performing data matching on the data fragments obtained by the division to obtain at least two data fragments that are identical in structure and content, and classifying the fragments that are identical in structure and content into at least one redundant data fragment and at least one valid data fragment;
Storing the data fragments obtained by the division, other than the redundant data fragments, in the certificate storage space, and correspondingly recording the data position information of each stored data fragment within the digital certificate, wherein for the valid data fragment both its own data position information and the data position information of the redundant data fragments are recorded.
A digital certificate storage system, including:
A division module, for dividing the digital certificate into two or more data fragments according to the ASN.1 encoding rules;
A matching module, for performing data matching on the data fragments obtained by the division to obtain at least two data fragments that are identical in structure and content, and classifying the fragments that are identical in structure and content into at least one redundant data fragment and at least one valid data fragment;
A storage module, for storing the data fragments obtained by the division, other than the redundant data fragments, in the certificate storage space, and correspondingly recording the data position information of each stored data fragment within the digital certificate, wherein for the valid data fragment both its own data position information and the data position information of the redundant data fragments are recorded.
With the above digital certificate storage method and system, the digital certificate is divided into two or more data fragments, the fragments identical in structure and content are found among them, and the fragments other than some of those identical fragments are stored in the certificate storage space, together with the data position information of each stored fragment within each digital certificate; for the valid data fragment, both its own data position information and that of the redundant data fragments are recorded. The digital certificate is thus still stored completely, while some of the fragments identical in structure and content need not be stored. This removes part of the redundant information, reduces the amount of storage the digital certificate needs, and lowers the memory requirements on the certificate storage center or certificate storage medium.
A digital certificate reading method, comprising the following steps:
Obtaining, from the certificate storage space, the data fragments corresponding to the digital certificate to be read and the data position information of those fragments within the digital certificate, wherein the data fragments include at least one valid data fragment and each valid data fragment corresponds to at least two pieces of data position information;
Combining the data fragments other than the valid data fragments according to their data position information, and restoring each valid data fragment at every data position it corresponds to, thereby reassembling the digital certificate.
A digital certificate reading system, including:
A reading module, for obtaining, from the certificate storage space, the data fragments corresponding to the digital certificate to be read and the data position information of those fragments within the digital certificate, wherein the data fragments include at least one valid data fragment and each valid data fragment corresponds to at least two pieces of data position information;
A reassembly module, for combining the data fragments other than the valid data fragments according to their data position information, and restoring each valid data fragment at every data position it corresponds to, thereby reassembling the digital certificate.
With the above digital certificate reading method and system, the data fragments corresponding to the digital certificate to be read, and their data position information within the digital certificate, are obtained from the certificate storage space; the fragments other than the valid data fragments are then combined according to their data position information, and each valid data fragment is restored at every data position it corresponds to, reassembling the digital certificate. The complete digital certificate can thus be read quickly while storage space is saved.
A digital certificate reading method, comprising the following steps:
Dividing the digital certificate into two or more data fragments according to the ASN.1 encoding rules;
Performing data matching on the data fragments obtained by the division to obtain at least two data fragments that are identical in structure and content, and classifying the fragments that are identical in structure and content into at least one redundant data fragment and at least one valid data fragment;
Storing the data fragments obtained by the division, other than the redundant data fragments, in the certificate storage space, and correspondingly recording the data position information of each stored data fragment within the digital certificate, wherein for the valid data fragment both its own data position information and the data position information of the redundant data fragments are recorded;
Obtaining, from the certificate storage space, the data fragments corresponding to the digital certificate to be read and the data position information of those fragments within the digital certificate;
Combining the data fragments other than the valid data fragments according to their data position information, and restoring each valid data fragment at every data position it corresponds to, thereby reassembling the digital certificate.
A digital certificate reading system, including:
A division module, for dividing the digital certificate into two or more data fragments according to the ASN.1 encoding rules;
A matching module, for performing data matching on the data fragments obtained by the division to obtain at least two data fragments that are identical in structure and content, and classifying the fragments that are identical in structure and content into at least one redundant data fragment and at least one valid data fragment;
A storage module, for storing the data fragments obtained by the division, other than the redundant data fragments, in the certificate storage space, and correspondingly recording the data position information of each stored data fragment within the digital certificate, wherein for the valid data fragment both its own data position information and the data position information of the redundant data fragments are recorded;
A reading module, for obtaining, from the certificate storage space, the data fragments corresponding to the digital certificate to be read and the data position information of those fragments within the digital certificate;
A reassembly module, for combining the data fragments other than the valid data fragments according to their data position information, and restoring each valid data fragment at every data position it corresponds to, thereby reassembling the digital certificate.
With the above digital certificate reading method and system, the data fragments obtained by the division, other than the redundant data fragments, are stored in the certificate storage space, and the data position information of each stored fragment within the digital certificate is recorded; the fragments and their data position information are then obtained, the fragments other than the valid data fragments are combined according to their data position information, and each valid data fragment is restored at every data position it corresponds to, reassembling the digital certificate. The complete digital certificate can thus be read quickly while storage space is saved.
Brief description of the drawings
Fig. 1 is a schematic flowchart of the first embodiment of the digital certificate storage method of the present invention;
Fig. 2 is a schematic flowchart of the second embodiment of the digital certificate storage method of the present invention;
Fig. 3 is a schematic flowchart of the third embodiment of the digital certificate storage method of the present invention;
Fig. 4 is a schematic diagram of the data set attributes in the fourth embodiment of the digital certificate storage method of the present invention;
Fig. 5 is a schematic structural diagram of the first embodiment of the digital certificate storage system of the present invention;
Fig. 6 is a schematic flowchart of the first embodiment of the digital certificate reading method of the present invention;
Fig. 7 is a schematic flowchart of the second embodiment of the digital certificate reading method of the present invention;
Fig. 8 is a schematic structural diagram of the first embodiment of the digital certificate reading system of the present invention;
Fig. 9 is a schematic flowchart of the first embodiment of another digital certificate reading method of the present invention;
Fig. 10 is a schematic structural diagram of the first embodiment of another digital certificate reading system of the present invention.
Detailed description
Referring to Fig. 1, Fig. 1 is a schematic flowchart of the first embodiment of the digital certificate storage method of the present invention.
The digital certificate storage method of this embodiment comprises the following steps:
Step 101: divide the digital certificate into two or more data fragments according to the ASN.1 encoding rules.
Step 102: perform data matching on the data fragments obtained by the division to obtain at least two data fragments that are identical in structure and content, and classify the fragments that are identical in structure and content into at least one redundant data fragment and at least one valid data fragment.
Step 103: store the data fragments obtained by the division, other than the redundant data fragments, in the certificate storage space, and correspondingly record the data position information of each stored data fragment within the digital certificate, wherein for the valid data fragment both its own data position information and the data position information of the redundant data fragments are recorded.
With the above digital certificate storage method, the digital certificate is divided into two or more data fragments, the fragments identical in structure and content are found among them, and the fragments other than some of those identical fragments are stored in the certificate storage space, together with the data position information of each stored fragment within each digital certificate; for the valid data fragment, both its own data position information and that of the redundant data fragments are recorded. The digital certificate is thus still stored completely, while some of the fragments identical in structure and content need not be stored. This removes part of the redundant information, reduces the amount of storage the digital certificate needs, and lowers the memory requirements on the certificate storage center or certificate storage medium.
For step 101, the digital certificate is signed and issued by a certificate authority (Certificate Authority, CA); preferably, it may be a root certificate, a second-level CA service certificate, a user certificate, and so on.
Further, regarding the division: when only one digital certificate is to be stored, that certificate is divided into two or more data fragments and step 102 is then performed. When two or more digital certificates are to be stored, each certificate may be divided into two or more data fragments before step 102 is performed, so that the fragments identical in structure and content are found among the fragments obtained from all of the certificates.
In one embodiment, the step of dividing the digital certificate into two or more data fragments according to the ASN.1 encoding rules comprises the following steps:
According to the certificate type of the digital certificate, determine the division boundaries corresponding to that digital certificate.
According to the division boundaries determined, divide the digital certificate into two or more data fragments.
The digital certificate storage method of this embodiment reduces the memory consumed by storing data position information, further reducing the storage space the digital certificate occupies.
In this embodiment, the basic structural unit of ASN.1 encoding is tag (Tag), length (Length), value (Value), i.e. the TLV structure. TLV structures can be nested: one TLV structure can be the Value field of another TLV structure. When data is divided according to the ASN.1 encoding rules, a division boundary may be the boundary of an individual Tag, Length or Value field, or the boundary of a composite structure made up of several individual fields. For example, when the digital certificate is a digital certificate of the OID type, the division boundaries are the boundary of the Tag field and the boundary of the composite structure formed by the Length and Value fields.
In other embodiments, the digital certificate may also be divided by other technical means commonly used by those skilled in the art.
In another embodiment, before the step of dividing the digital certificate into two or more data fragments, the method may further include the following step:
Step 1012: set the certificate storage template corresponding to the digital certificate to be stored, and the storage format of the data fragments.
In step 1012, one digital certificate may correspond to one certificate storage template, or several digital certificates may correspond to one certificate template. A composite certificate format may be defined, in which one composite certificate can contain the data of several digital certificates. On the one hand this ensures that redundant user data is saved only once; on the other hand it helps eliminate the redundancy of the ASN.1 encoding.
Further, data fragments may be stored in the composite certificate in a data-set format. The basic unit of the composite certificate is set to the data set, which holds the data fragments of digital certificates that meet certain data characteristics; these characteristics are identified by the data set's attributes (Attribute). The attributes preferably include the Tag value (label), the object type of each data unit, the storage format, and so on.
Preferably, data sets may be defined according to the data content of the digital certificates to be stored. One data set holds data fragments of the same type. For example, an OID data set may be defined to hold data fragments whose content is an object identifier, where an object identifier is a number that identifies an object class or attribute. A data set may also be defined to hold discrete data that carries no particular meaning but meets specific conditions, for example data whose length is 1 byte.
In other embodiments, the data fragments may instead be stored in partitioned storage, with the storage region of each fragment mapped to the digital certificate the fragment belonged to before storage.
For step 102, data matching may be performed once each time a digital certificate is divided, on the fragments of that certificate, to find the fragments identical in structure and content among them. Alternatively, after two or more digital certificates have been divided, data matching may be performed once over the fragments of all of them, to find the fragments identical in structure and content among the fragments obtained from those certificates.
Preferably, one of the data fragments identical in structure and content is classified as the valid data fragment, and the remaining ones are classified as redundant data fragments. If, after classification, there are two or more valid data fragments, one of them may record its own data position information together with the data position information of the redundant data fragments.
Further, a group of data fragments identical in structure and content is redundant information within one or more digital certificates. The digital certificates held in a Ukey (a small, reliable, high-speed storage device that connects directly to a computer over USB, with cryptographic authorization functions) contain a great deal of redundant information. For example, a certificate storage medium such as a Ukey generally needs to hold both the user certificate and the organization certificate of the certificate authority in order to build a complete certificate chain; the issuer of the user certificate is identical to the subject information of the certificate authority's public key certificate, which is redundant information. As another example, a certificate storage medium such as a Ukey holds a signing certificate and an encryption certificate separately, and the issuer and subject information of these two certificates are identical, which is again redundant information. As a further example, such a medium may hold user certificates of several key types, and the subject information of these user certificates is generally the same, which is also redundant information.
In addition, the ASN.1 encoding that digital certificates follow itself contains a good deal of redundancy. For example, a certificate is generally formed by nesting SEQUENCE (certificate version number) types, so the digital certificate contains many Tag bytes identifying that type. A digital certificate also contains a large amount of OID-type data, and so likewise contains multiple Tag bytes identifying that type. After the division step (step 101), the matching step (step 102) can find this redundant information; some of it becomes valid data fragments that are stored, and the rest becomes redundant data fragments that are not stored.
In one embodiment, the step of performing data matching on the data fragments obtained by the division to obtain at least two data fragments that are identical in structure and content comprises the following step:
Step 1021: compute a hash check value for each data fragment obtained by the division, and compare the fragments against each other using these values to identify the fragments that are identical in structure and content.
In other embodiments, those skilled in the art may also match the data fragments obtained by the division using other customary technical means. For example, the certificate template may be analyzed in advance and matching performed according to that prior information, so the matching need not be a fully intelligent algorithm. As another example, the certificate issuer object may be matched as a whole, while certificate subject information should be matched using a combination of several of its SET sequences.
In another embodiment, the redundant and valid data fragments may be classified according to the size of the storage space of the digital certificate's storage medium. If the storage space is small and many digital certificates must be stored, one of the fragments identical in structure and content is classified as the valid data fragment and the others as redundant data fragments (preferably, the redundant data fragments may be deleted); that is, only one copy of the fragments identical in structure and content is stored.
For step 103, when one of the data fragments identical in structure and content is stored as the valid data fragment and the others are redundant data fragments, the stored valid data fragment records its own data position information together with the data position information of the fragments classified as redundant. During reassembly, the valid fragment is used at the data positions, in each digital certificate, of the redundant fragments identical to it in structure and content. The data position information records where each data fragment sits in the digital certificate; it may be the relative positions of the fragments with respect to one another, or the absolute position of each fragment (relative to the first or last data of the digital certificate).
Preferably, a data identifier may be assigned to each data fragment. The identifier may be a numeric index or the storage location of the fragment. The data relationships between fragments can then be recorded by recording the identifiers of the fragments, and the recorded data relationships correspond one-to-one with the digital certificates.
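Added example (not code from the patent): a Python sketch of steps 101 to 103 and the matching read method, using the hash comparison of step 1021 across two certificates. The `MIN_SPLIT` boundary policy, the record layout and the two certificate-shaped DER samples are assumptions constructed for illustration; the samples are unsigned and are not real certificates.

```python
import hashlib

MIN_SPLIT = 48  # hypothetical policy: constructed TLVs with a shorter value stay whole

def tlv(tag, value):
    """Minimal DER encoder, used only to build the constructed samples below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    k = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | k]) + n.to_bytes(k, "big") + value

def read_header(buf, off):
    """Return (header_len, value_len, constructed) for the DER TLV at buf[off]."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form is not handled in this sketch")
    if first < 0x80:
        return 2, first, bool(tag & 0x20)
    k = first & 0x7F
    if k == 0 or off + 2 + k > len(buf):
        raise ValueError("indefinite or truncated length")
    return 2 + k, int.from_bytes(buf[off + 2:off + 2 + k], "big"), bool(tag & 0x20)

def segment(der, min_split=MIN_SPLIT):
    """Step 101: cut at TLV boundaries; concatenating the result gives der back."""
    out = []

    def walk(off, end):
        while off < end:
            hdr, vlen, constructed = read_header(der, off)
            stop = off + hdr + vlen
            if stop > end:
                raise ValueError("TLV overruns its parent")
            if constructed and vlen >= min_split:
                out.append(der[off:off + hdr])   # Tag+Length of a large composite
                walk(off + hdr, stop)            # its children become fragments
            else:
                out.append(der[off:stop])        # small composite or primitive, whole
            off = stop

    walk(0, len(der))
    return out

def store(certs):
    """Steps 102-103: one record per distinct fragment, with every position it fills."""
    table = {}
    for cert_id, der in certs.items():
        for pos, frag in enumerate(segment(der)):
            rec = table.setdefault(hashlib.sha256(frag).digest(),
                                   {"data": frag, "positions": []})
            if rec["data"] != frag:              # never trust the digest alone
                raise ValueError("hash collision between different fragments")
            rec["positions"].append((cert_id, pos))
    return list(table.values())

def read(records, cert_id):
    """Read method: put each stored fragment back at all of its positions."""
    placed = {pos: rec["data"] for rec in records
              for cid, pos in rec["positions"] if cid == cert_id}
    if not placed or sorted(placed) != list(range(len(placed))):
        raise ValueError("fragments missing for " + repr(cert_id))
    return b"".join(placed[i] for i in range(len(placed)))

def sample_certificate(serial, seed):
    """Constructed, unsigned, certificate-shaped DER (not a real certificate)."""
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03")
                                   + tlv(0x0C, b"Example Test Root CA"))))
    sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    key_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))
    pub = tlv(0x03, b"\x00" + bytes((seed + i) & 0xFF for i in range(64)))
    sig = tlv(0x03, b"\x00" + bytes((seed + 100 + i) & 0xFF for i in range(64)))
    tbs = tlv(0x30, tlv(0x02, bytes([serial])) + sig_alg + name + validity + name
              + tlv(0x30, key_alg + pub))
    return tlv(0x30, tbs + sig_alg + sig)

def demo():
    certs = {"signing": sample_certificate(1, 1), "encryption": sample_certificate(2, 2)}
    records = store(certs)
    restored = all(read(records, cid) == der for cid, der in certs.items())
    original = sum(len(der) for der in certs.values())
    stored = sum(len(rec["data"]) for rec in records)
    return restored, len(records), original, stored

if __name__ == "__main__":
    print(demo())
```

Both samples are rebuilt byte for byte, which is what keeps the CA signature verifiable after reassembly. The position records are not counted in the stored byte total, so the net saving depends on how compactly they are encoded.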
In one embodiment, the step of storing the data fragments obtained by the division, other than the redundant data fragments, in the certificate storage space and correspondingly recording the data position information of each stored fragment within the digital certificate further comprises the following steps:
Step 1031: store each of the data fragments obtained by the division, other than the redundant data fragments, as a data unit of a data set, where one data fragment corresponds to one data unit of a data set.
Step 1032: according to the data position within the digital certificate of each fragment obtained by the division, obtain and store the data relationships between the data units, so as to record the data position information of each stored fragment within the digital certificate.
The data relationship is preferably the positional relationship or the ordering of the data fragments within the digital certificate.
Further, the step of obtaining and storing the data relationships between the data units comprises the following steps:
Assign each data unit a unique global index, and store the assigned global indexes in a preset index data set.
Order the global indexes of the data units according to the data positions, within the digital certificate, of the fragments obtained by the division, forming an index sequence used to restore the digital certificate, so as to record the data position information of each stored fragment within the digital certificate.
Further, after the step of forming the index sequence used to restore the digital certificate, the method also includes the following step:
In the index sequence formed, find the sequence segments whose number of occurrences is higher than a frequency threshold, store each such sequence segment as a data unit of a data set, and assign a global index to the data unit storing the sequence segment, which replaces the sequence segment in the index sequence.
The frequency threshold is determined by the size of the sequence segment and the size of the storage space, and is preferably greater than or equal to 2.
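Added example (not from the patent): one way to replace frequent sequence segments in the index sequences with a new global index, and to expand them again when reading. The greedy longest-first search, the function names and the three constructed index sequences are assumptions; the patent does not specify how the segments are found.

```python
from collections import Counter

# Constructed index sequences for three certificates; indexes 2, 8-15 stand for
# per-certificate fragments (serial, key, signature), the rest are shared.
SAMPLE = {
    "cert_a": [0, 1, 2, 3, 4, 5, 4, 6, 7, 8, 3, 9],
    "cert_b": [0, 1, 10, 3, 4, 5, 4, 6, 7, 11, 3, 12],
    "cert_c": [0, 1, 13, 3, 4, 5, 4, 6, 7, 14, 3, 15],
}

def replace_segment(seq, segment, index):
    """Replace non-overlapping occurrences of segment in seq; return (new_seq, count)."""
    out, i, hits, n = [], 0, 0, len(segment)
    while i < len(seq):
        if tuple(seq[i:i + n]) == segment:
            out.append(index)
            i += n
            hits += 1
        else:
            out.append(seq[i])
            i += 1
    return out, hits

def find_frequent_segment(seqs, threshold):
    """Longest run of >= 2 indexes that can be replaced more than threshold times."""
    for length in range(max(map(len, seqs), default=0), 1, -1):
        windows = Counter(tuple(s[i:i + length])
                          for s in seqs for i in range(len(s) - length + 1))
        for segment, seen in windows.most_common():
            if seen <= threshold:
                break
            # Overlapping windows can inflate the count, so confirm by replacing.
            if sum(replace_segment(s, segment, None)[1] for s in seqs) > threshold:
                return segment
    return None

def compress(index_sequences, next_index, threshold=2):
    """Store frequent segments as data units of their own and reference them by index."""
    seqs = {cid: list(seq) for cid, seq in index_sequences.items()}
    units = {}  # global index -> the sequence segment it stands for
    while True:
        segment = find_frequent_segment(list(seqs.values()), threshold)
        if segment is None:
            return seqs, units
        units[next_index] = segment
        seqs = {cid: replace_segment(s, segment, next_index)[0]
                for cid, s in seqs.items()}
        next_index += 1

def expand(seq, units):
    """Read side: resolve segment indexes (recursively) back to fragment indexes."""
    out = []
    for idx in seq:
        out.extend(expand(units[idx], units) if idx in units else [idx])
    return out

if __name__ == "__main__":
    compressed, segment_units = compress(SAMPLE, next_index=16)
    print(compressed, segment_units)
```

With the threshold at 2, a segment shared by only two index sequences is left alone, because replacing it would not occur more often than the threshold.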
In another embodiment, the step of storing the data fragments obtained by the division, other than the redundant data fragments, in the certificate storage space and correspondingly recording the data position information of each stored fragment within the digital certificate further comprises the following steps:
Determine whether the number of data fragments in each identical-fragment group among the fragments obtained by the division exceeds a fragment threshold, where an identical-fragment group is a group of data fragments identical in structure and content.
If it does, store the valid data fragment of the identical-fragment group that exceeds the fragment threshold as an attribute of a data set.
Store each of the other fragments obtained by the division, excluding the redundant data fragments and the valid data fragment stored as the attribute of the data set, as a data unit of that data set, where one data fragment corresponds to one data unit of a data set.
According to the data position within the digital certificate of each fragment obtained by the division, obtain and store the data relationships between the attribute of the data set and the data units, so as to record the data position information of each stored fragment within the digital certificate.
The fragment threshold is determined by the size of the data fragment and the size of the storage space, and is preferably greater than or equal to 2.
Preferably, for example, when the digital certificate is a digital certificate of the OID type and the division boundaries are the boundary of the Tag field and the boundary of the composite structure formed by the Length and Value fields, in this embodiment the Tag field can be stored as the data set attribute after the above steps, and the remaining data fragments stored as data units of the data set.
Fig. 2 is referred to, Fig. 2 is the schematic flow sheet of digital certificate store method second embodiment of the present invention.
The digital certificate store method of present embodiment is with the difference of first embodiment:It is described to be compiled according to ASN.1 Code rule, comprises the following steps the step of digital certificate is divided into two or more data slots:
Step 201, obtain each digital certificate to be stored.
Step 202, convert the data content of each digital certificate to a unified encoding format, while recording the original encoding format of the converted data content and its data position information in each digital certificate.
Step 203, according to the characteristic information of each digital certificate after format conversion, look up, among the preset certificate storage templates, the certificate storage template that matches each format-converted digital certificate.
Step 204, establish the correspondence between each placeholder in the certificate storage template that was found and the data content of each format-converted digital certificate.
Step 205, according to the ASN.1 encoding rules, segment the data content corresponding to each placeholder into two or more data fragments.
The digital certificate storage method of this embodiment can further eliminate the redundant information of ASN.1 encoding and save storage space.
For step 202, converting the data content of the digital certificates to a unified encoding format can turn originally different data content into data content with identical structure and content.
In one embodiment, the step of converting the data content of each digital certificate to a unified encoding format, while recording the original encoding format of the converted data content and its data position information in each digital certificate, comprises the following step:
Convert all strings in each digital certificate to UTF8 format, while recording the original encoding format of each converted string object and its data position information in each digital certificate.
In other embodiments, the unified encoding format may also be another encoding format customary to those skilled in the art.
Refer to Fig. 3, which is a schematic flow chart of the third embodiment of the digital certificate storage method of the present invention.
The digital certificate storage method of this embodiment differs from the first embodiment in that, when the certificate storage template matched with each format-converted digital certificate is a compound certificate, the step of storing the data fragments obtained by segmentation, other than the redundant data fragments, in the certificate storage space and correspondingly recording the data position information of each stored data fragment in the digital certificate comprises the following steps:
Step 301, according to the data characteristics of the data fragments obtained by segmentation, store the data fragments other than the redundant data fragments as data units of the data sets of the compound certificate, wherein the preset storage format corresponds to the data format of each digital certificate.
Step 302, establish a global index for each data unit in each data set of the compound certificate, and store the established global indexes in a preset index data set.
Step 303, sort the global indexes of the data units according to the position of each data fragment obtained by segmentation in each digital certificate, forming an index sequence for recovering each digital certificate, so as to record the data position information of each stored data fragment in each digital certificate.
Step 304, store each index sequence as a data unit of a data set of the compound certificate, and establish a global index for the data unit that stores each index sequence.
Step 305, use the global index of the data unit that stores each index sequence as the certificate description of each digital certificate.
In the digital certificate storage method of this embodiment, multiple digital certificates correspond to one compound certificate template for the storage of data fragments. This eliminates the redundant information across multiple digital certificates; referencing data units by index makes it convenient to record the data relationship between data units and allows the corresponding data fragment to be retrieved quickly and accurately.
For step 302 and step 304, each piece of user data held inside a data set is assigned a sequence number. The sequence numbers of all data sets are uniformly coded, each sequence number corresponds to exactly one data unit, and the sequence number is called an index. Splicing a series of indexes in a particular order indicates that the user data corresponding to those indexes can be spliced in the same order, thereby building a segment of a digital certificate, or even a complete digital certificate. Such an index sequence can itself be numbered by an index; in other words, the structure of a digital certificate can be described using nested sequences.
For step 305, according to the certificate characteristics of each obtained digital certificate, the certificate name of each digital certificate can also be stored in the compound certificate as a certificate description.
Preferably, according to the certificate characteristics of each obtained digital certificate, the private key name, the index value of the key usage, the index value of the key type, and the index values of the private key file and public key file of each digital certificate can also be stored in the compound certificate as a key description.
In one embodiment, the step of storing each index sequence as a data unit of a data set of the compound certificate further comprises the following steps:
According to the index sequences formed, find the sequence fragments whose number of occurrences in one or more index sequences is higher than a frequency threshold, store each such sequence fragment as a data unit of a data set, and assign a global index to the data unit that stores the sequence fragment, so as to replace the sequence fragment in the one or more index sequences.
Store each index sequence after replacement as a data unit of a data set of the compound certificate.
In another embodiment, when data fragments, index sequences or global indexes are stored as data units of a data set, the object type and storage format of each data unit are recorded in the attribute of each data set. The object type includes at least one of an ASN.1-format object, an index-sequence object, an X509-format object, an object with a format, an object with an instantiation sequence, and an external file object; the storage format is used to convert a data unit into a data fragment.
The following is the fourth embodiment of the digital certificate storage method of the present invention.
The digital certificate storage method of this embodiment differs from the first to third embodiments in that the certificate storage space is provided with certificate containers. A certificate container may include certificate container identifiers such as identifier 1 and identifier 2, and at least one compound certificate. The specific format of the certificate container is shown in Table 1, the specific format of the compound certificate in Table 2, and the data set list of the compound certificate in Table 3:
Table 1:
Table 2:
Table 3:
The certificate storage space preferably may include 8 certificate container files. Each certificate container file may contain at least one compound certificate object, and each compound certificate object may contain at least one digital certificate.
Preferably, a global information table records the certificate container information, including ID and length. The ID occupies 1 byte: the highest bit indicates whether the container exists (1 means it exists, 0 means it does not), and the remaining 7 bits represent the certificate container identifier. The length occupies 2 bytes and represents the length of the certificate container; if the container does not exist, the length is set to 0.
Further, all internal and external data units have a unique index as identifier. The index of any data unit in all certificate container files is distinct. The index range is 0 to 0xDF, 224 values in total. 0xE0 to 0xFF are used to indicate namespaces and correspond to spaces 0 to 31 respectively.
The data units contained in certificate container files are internal data units; identifiers of external files and the like are external data units.
For Table 1, the certificate container includes certificate container identifiers such as identifier 1 and identifier 2, of which there can be only 1 instance, and each compound certificate object can be TLV-encoded.
For Table 2, a compound certificate consists of multiple certificate descriptions and multiple data sets. Each certificate description object corresponds to one digital certificate, and a compound certificate can declare that it holds multiple digital certificates by containing multiple certificate description objects. The data of these digital certificates can be stored in the multiple data sets contained in multiple compound certificates across multiple certificate containers.
The certificate description preferably may include the certificate name, the index value of the certificate key type in the O data set, the index value of the certificate file root object, the index value of the certificate serial number in the N data set, and the Hash check value of the certificate file. Each field is TLV-encoded, as shown in Table 4:
Table 4:
Type | Length (unit: bytes) | Value
1 | Variable | Certificate name
2 | 2 | Index value of the certificate file root object
3 | 2 | Index value of the certificate serial number in the N data set
4 | 8 | Hash check value of the certificate file
Further, key description is as shown in table 5:
Table 5:
In one embodiment, the storage format of data set is as shown in table 6:
Table 6:
NS | Attribute | BaseIndex | Count | Tag | Length | Value
1 | 2 | 1 | 1 | 1 | 2 | Variable length
For Table 6, NS is the data space of the data set, Attribute is the attribute of the data set, BaseIndex is the base index of the data set objects, Count is the number of objects, Tag is the identifier corresponding to the data set objects, Length is the number of bytes of the Value parameter, and Value is the Count objects concatenated in order.
Preferably, NS ranges from 0 to 31. On the one hand, this parameter indicates the namespace to which the objects contained in this data set belong; on the other hand, it also indicates the default namespace used when data units of this data set reference objects of other data sets by index. To index an object outside the default namespace, 0xE0-0xFF must be used as a lead byte.
The Attribute element indicates the relevant attributes of the data units of the current data set, as shown in Fig. 4, where the Type values are:
0 - Simple object: contains data that can be used directly for decoding (note: only simple objects determine the decoding rule according to {b4, b3}; for other objects {b4, b3} = 00).
1 - Composite object: a sequence made up of indexes.
2 - Certificate or certificate data template in X509 format: the data unit contains ASN.1 elements such as SEQUENCE, SET and lengths, and also contains placeholders represented by the letters A-Z.
3 - Composite object with a format sequence: the data unit storage format is {O, P}, i.e. each data unit consists of 2 user indexes, where the 1st index points to a composite object and the 2nd index should point to a "string format sequence" object of the X data set. A format sequence has two description modes: (1) the leading character is A, followed by several indexes that correspond to N strings respectively; (2) the leading character is I, followed by several {Index, Tag} key-value pairs that correspond to the correction descriptions of several string formats.
4 - Composite object with an instantiation sequence: the data unit storage format is {O, P}, i.e. each data unit consists of 2 user indexes, where the 1st index points to a certificate template object in the P data set and the 2nd index should point to a "placeholder instantiation sequence" object of the M data set.
5 - Identifier of an external file.
Usage/Len={ b3, b2, b1, b0 }:
0 - Reserved.
1 - Fixed-length data of 1 byte.
2 - Fixed-length data of 2 bytes.
3 - Fixed-length data of 3 bytes.
4 - Fixed-length data of 4 bytes. Longer fixed-length data should be stored using a variable-length data format.
5 - [TL]: the variable-length data unit is a TL structure.
6 - L[V]: the variable-length data unit is an LV structure, and each V datum can be used directly for decoding. A fixed-length data unit is a V structure and can be used directly or indirectly for decoding.
7 - [LV]: the data unit is an LV structure, and each LV datum can be used directly for decoding.
8 - [(T)LV]: the data unit is an LV structure, and each LV datum must be combined with the Tag element of the set before it can be used for decoding.
9 - L[FOL]: the data unit is an LV structure in which the V data holds a FOL structure (File/Offset/Length); F is the file identifier, and O/L are length data of compound ASN.1 coding rules.
10 - [TLV]: the data unit is a TLV structure, and each TLV datum can be used directly for decoding. The Tag element of this kind of data set has no practical meaning, and data is saved in the data set in TLV structure. Any TLV datum that is used only once is recommended to be saved in such a data set, which saves one lookup of the Tag data set during decoding.
11 - L[V]L[P]: the data unit is an LVLP structure, where LV represents an object and LP represents the parameters that correct LV.
12 - [OP]: the data unit is an OP structure (Object/Parameters), where O is the index pointing to an object and P is the index pointing to the correction parameters.
Data inside square brackets is used directly for decoding; data inside round brackets comes from the parameter set metadata.
Wherein, the rule of combination of Type and Usage/Len is as shown in table 7:
Table 7:
Sequence number | Type | Usage/Len
1 | Simple object | 1~10
2 | Composite object | 6
3 | X509 format | 6
4 | Composite object with a format sequence | 11, 12
5 | Composite object with an instantiation sequence | 11, 12
6 | Identifier of an external file | 2
Further, the BaseIndex element is the index value of the 1st data unit of the current data set; the index of each subsequent data unit increments in turn. The base index is decided by the compression algorithm, which adjusts the capacity of each kind of set as required, but index conflicts between the data units of any two sets must be avoided.
The Count element is the number of data units contained in this data set. The Tag element indicates the type of the data set and is consistent with the Tag of the data elements in the certificate; when elements are decomposed, the Tag is matched to determine which set an element belongs to. If Usage=8 in the Attribute element, the Tag is concatenated with each data unit when the digital certificate is reassembled, replacing the index. The Length element is the number of bytes of the Value element. The Value element is the set of multiple data units, and the storage format of each data unit is determined by the Type and Usage of the Attribute element.
The digital certificate storage system of this embodiment sets a specific storage format for the data fragments of digital certificates and designs flexible index rules: using only a 1-byte index effectively saves the storage space occupied by the index sequences themselves, while namespaces extend the number of indexes.
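The record layout of Table 6 and the index rules above, as an added Python example (not code from the patent): it parses a global information table entry and a data set record, checks the index range, and expands an index sequence that uses namespace lead bytes. Big-endian multi-byte fields, reading the Table 6 numbers as byte widths, using (namespace, index) as the uniqueness key, and all function names and sample bytes are assumptions.

```python
import struct

MAX_INDEX = 0xDF        # indexes run 0..0xDF (224 values)
NS_LEAD_BASE = 0xE0     # lead bytes 0xE0..0xFF select namespaces 0..31
# NS(1) Attribute(2) BaseIndex(1) Count(1) Tag(1) Length(2); big-endian is an assumption
DATA_SET_HEADER = struct.Struct(">BHBBBH")


def parse_container_entry(entry):
    """Global information table entry: 1-byte ID followed by a 2-byte length."""
    if len(entry) != 3:
        raise ValueError("entry must be exactly 3 bytes")
    ident, length = struct.unpack(">BH", entry)
    exists = bool(ident & 0x80)          # highest bit: container exists
    if not exists and length != 0:
        raise ValueError("a container that does not exist must have length 0")
    return {"exists": exists, "container_id": ident & 0x7F, "length": length}


def parse_data_set(buf, offset=0):
    """Parse one data set record; return (record, offset of the next record)."""
    if len(buf) - offset < DATA_SET_HEADER.size:
        raise ValueError("truncated data set header")
    ns, attr, base, count, tag, length = DATA_SET_HEADER.unpack_from(buf, offset)
    if ns > 31:
        raise ValueError("NS must be in 0..31")
    if count and base + count - 1 > MAX_INDEX:
        raise ValueError("index range runs past 0xDF")
    start = offset + DATA_SET_HEADER.size
    value = buf[start:start + length]
    if len(value) != length:
        raise ValueError("Value shorter than Length")
    record = {"ns": ns, "attribute": attr, "base_index": base,
              "count": count, "tag": tag, "value": value}
    return record, start + length


def check_index_conflicts(data_sets):
    """Reject overlapping index ranges; (namespace, index) as key is an assumption."""
    owner = {}
    for n, ds in enumerate(data_sets):
        for idx in range(ds["base_index"], ds["base_index"] + ds["count"]):
            key = (ds["ns"], idx)
            if key in owner:
                raise ValueError(f"index {idx:#x} in namespace {ds['ns']} is used twice")
            owner[key] = n
    return owner


def decode_index_sequence(seq, default_ns):
    """Expand an index sequence into (namespace, index) references."""
    refs, i = [], 0
    while i < len(seq):
        b = seq[i]
        if b >= NS_LEAD_BASE:            # lead byte: the next byte is the index
            if i + 1 >= len(seq) or seq[i + 1] > MAX_INDEX:
                raise ValueError("lead byte not followed by a valid index")
            refs.append((b - NS_LEAD_BASE, seq[i + 1]))
            i += 2
        else:                            # plain index in the default namespace
            refs.append((default_ns, b))
            i += 1
    return refs


# Constructed sample: NS=1, Attribute=0 (left undecoded), BaseIndex=0x10,
# Count=2, Tag=0x06, Length=10, followed by 10 bytes of Value.
SAMPLE_RECORD = bytes([0x01, 0x00, 0x00, 0x10, 0x02, 0x06, 0x00, 0x0A]) + bytes(range(10))

if __name__ == "__main__":
    record, _ = parse_data_set(SAMPLE_RECORD)
    print(record)
    print(decode_index_sequence(bytes([0x10, 0xE2, 0x05, 0x11]), record["ns"]))
```

The Attribute field is returned undecoded because its bit layout is defined in Fig. 4, which is not reproduced in the text.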
Refer to Fig. 5, which is a structural diagram of the first embodiment of the digital certificate storage system of the present invention.
The digital certificate storage system of this embodiment includes segmentation module 100, matching module 200 and memory module 300, wherein:
Segmentation module 100 is used to divide a digital certificate into two or more data fragments according to the ASN.1 encoding rules.
Matching module 200 is used to perform data matching on the data fragments obtained by segmentation, obtain at least two data fragments with identical structure and content, and divide the data fragments with identical structure and content into at least one redundant data fragment and at least one valid data fragment.
Memory module 300 is used to store the data fragments obtained by segmentation, other than the redundant data fragments, in the certificate storage space, and to correspondingly record the data position information of each stored data fragment in the digital certificate, wherein for the valid data fragment both its own data position information and the data position information of the redundant data fragments are recorded.
The above digital certificate storage system divides the digital certificate into two or more data fragments, obtains the data fragments with identical structure and content from them, stores the fragments other than part of those identical fragments in the certificate storage space, and records the data position information, in each digital certificate, of each data fragment stored in the certificate storage space, with the valid data fragment recording both its own data position information and that of the redundant data fragments. While guaranteeing complete storage of the digital certificate, it can leave part of the data fragments with identical structure and content unstored, which eliminates part of the redundant information, reduces the storage footprint of digital certificates, and lowers the memory requirements on the certificate storage center or certificate storage medium.
For segmentation module 100, the digital certificate is signed and issued by a certificate authority (Certificate Authority, CA); preferably, it may include a root certificate, second-level CA service certificates, user certificates and the like.
Further, when segmenting digital certificates, if there is only 1 digital certificate to be stored, that digital certificate is divided into two or more data fragments and the operation of matching module 200 is then performed. If there are more than 2 digital certificates to be stored, each digital certificate can be divided into two or more data fragments and the operation of matching module 200 is then performed, obtaining the data fragments with identical structure and content from the fragments produced by segmenting the multiple certificates.
In one embodiment, segmentation module 100 can also be used to:
Determine, according to the certificate type of the digital certificate, the partition boundaries corresponding to the digital certificate.
Divide the digital certificate into two or more data fragments according to the partition boundaries determined.
The digital certificate storage method of this embodiment can reduce the memory consumed by data position information, further reducing the storage space occupied by stored digital certificates.
In this embodiment, the basic structural unit of ASN.1 encoding is tag (Tag), length (Length), value (Value), i.e. the TLV structure. TLV structures can be nested: one TLV structure can be the Value field of another TLV structure. When data is segmented according to the ASN.1 encoding rules, a partition boundary can be the boundary of an individual Tag, Length or Value field, or the boundary of a composite structure formed by several individual fields. For example, when the digital certificate is an OID-type digital certificate, the partition boundaries are the Tag field boundary and the structure boundary of the composite structure formed by the Length field and the Value field.
In other embodiments, other technical means customary to those skilled in the art can also be used to segment the data of the digital certificate.
In another embodiment, the system further includes a setup module, used to set, before the digital certificate is divided into two or more data fragments, the certificate storage template corresponding to the digital certificate to be stored and the storage format of the data fragments.
One digital certificate may correspond to one certificate storage template, or multiple digital certificates may correspond to one certificate template. A compound certificate format can be set, and one compound certificate can contain the data of multiple digital certificates. On the one hand this ensures that only one instance of redundant user data is saved; on the other hand it helps eliminate the redundant information of ASN.1 encoding.
Further, data fragments can be stored in the compound certificate in data set format: the basic unit of the compound certificate is set to be the data set, which holds the data fragments of digital certificates that meet certain data characteristics, and these characteristics are identified by the attribute (Attribute) of the data set. The attribute preferably may include the Tag value (label), the object type of each data unit, the storage format and the like.
Preferably, data sets can be set according to the data content of the digital certificates to be stored. One data set can be used to hold data fragments of the same type. For example, an OID data set can be set to hold data fragments whose content is an object identifier, where an object identifier is the number that identifies an object class or attribute. A data set can also be set to hold discrete data that carries no particular meaning but meets specific conditions, for example data whose length is 1 byte.
In other embodiments, each data fragment can also be stored in partitioned storage, with the storage region of each data fragment mapped to the digital certificate in which the fragment resided before storage.
For matching module 200, data matching can be performed once each time a digital certificate is segmented, on the data fragments of that digital certificate, to find the data fragments with identical structure and content among the fragments obtained by segmenting that one certificate. Alternatively, after more than two digital certificates have been segmented, data matching can be performed once on the data fragments of those digital certificates, to find the data fragments with identical structure and content among the fragments obtained by segmenting all of them.
Preferably, one data fragment among the data fragments with identical structure and content can be designated the valid data fragment, and the remaining data fragments designated redundant data fragments. If, after this division, there are two or more valid data fragments, one of the valid data fragments can record both its own data position information and the data position information of the redundant data fragments.
Further, a group of data fragments with identical structure and content is redundant information within one or more digital certificates. The digital certificates held in a Ukey (a small, reliable, high-speed storage device with cryptographic authentication functions that connects directly to a computer over USB) contain a large amount of redundant information. For example, a certificate storage medium such as a Ukey usually needs to hold both the user certificate and the certificate authority's institutional certificate in order to construct a complete certificate chain, and the issuer of the user certificate is identical to the subject information of the certificate authority's public key certificate, which is redundant information. As another example, a certificate storage medium such as a Ukey holds a signing certificate and an encryption certificate separately, and the issuer and subject information of these two certificates are identical, which is redundant information. As a further example, such a certificate storage medium can hold user certificates of several key types, and the subject information of these user certificates is generally identical, which is redundant information.
In addition, the ASN.1 encoding that digital certificates follow itself contains much redundant information. For example, a certificate is generally formed by nesting SEQUENCE (certificate version number) types, so the digital certificate can contain many Tag bytes that identify this type. A digital certificate also contains a large amount of OID-type data and likewise contains multiple Tag bytes that identify that type. After the segmentation step (step 101), the matching step (step 102) can find the above redundant information; some of it becomes valid data fragments that are stored, and the rest becomes redundant data fragments that are not stored.
In one embodiment, matching module 200 can be used to:
Calculate the Hash check value of each data fragment obtained by segmentation and match the fragments against each other by check value, thereby identifying the data fragments with identical structure and content.
In other embodiments, those skilled in the art can also perform data matching on the data fragments obtained by segmentation using other customary technical means. For example, the certificate template can be analyzed in advance and matching performed according to this prior information, so matching need not be a fully intelligent algorithm. As another example, the certificate issuer object can be matched as a whole, while the certificate subject information should be matched by taking a combination of some of its SET sequences of signature.
In another embodiment, the redundant data fragments and the valid data fragments can be divided according to the size of the storage space of the storage medium that holds the digital certificates. If the storage space is small and the number of digital certificates to be stored is large, one data fragment among the data fragments with identical structure and content can be designated the valid data fragment and the other data fragments designated redundant data fragments (preferably, the redundant data fragments can be deleted), i.e. only one copy of the data fragments with identical structure and content is stored.
For memory module 300, when one data fragment among the data fragments with identical structure and content is stored as the valid data fragment and the other data fragments are redundant data fragments, the stored valid data fragment records both its own data position information and the data position information of the other data fragments designated as redundant. During reassembly it takes the place of the redundant data fragments of identical structure and content at their data positions in each digital certificate.
Preferably, a data identifier can be set for each data fragment. The data identifier can be a numeric number or the storage location of the data fragment; by recording the data identifier of each data fragment, the data relationship between data fragments can be recorded, and the recorded data relationships correspond one-to-one with the digital certificates.
In one embodiment, memory module 300 can be used to:
Store the data fragments obtained by segmentation, other than the redundant data fragments, as data units of data sets, where one data fragment corresponds to one data unit of a data set.
According to the position of each data fragment obtained by segmentation in the digital certificate, obtain and store the data relationship between the data units, so as to record the data position information of each stored data fragment in the digital certificate.
The data relationship is preferably the positional relationship or the ordering of the data fragments in the digital certificate.
Further, memory module 300 can also be used to:
Assign a unique global index to each data unit, and store the assigned global indexes in a preset index data set.
Sort the global indexes of the data units according to the position of each data fragment obtained by segmentation in the digital certificate, forming an index sequence for recovering the digital certificate, so as to record the data position information of each stored data fragment in the digital certificate.
Further, memory module 300 can also be used to find, in the index sequences formed, the sequence fragments whose number of occurrences is higher than a frequency threshold, store each such sequence fragment as a data unit of a data set, and assign a global index to the data unit that stores the sequence fragment, so as to replace the sequence fragment in the index sequence.
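The hash matching and global-index steps described for matching module 200 and memory module 300, as an added Python example (not code from the patent): DER input is split at ASN.1 TLV boundaries, identical fragments are stored once, and one index sequence per certificate allows byte-exact recovery. Splitting at constructed headers and whole primitive TLVs, SHA-256 as the check value, single-byte tags, unbounded list indexes and the constructed sample certificates are assumptions.

```python
import hashlib


def read_header(der, pos):
    """Return (header_len, value_len) of the TLV at pos; single-byte tags only."""
    first = der[pos + 1]
    if first < 0x80:                          # short-form length
        return 2, first
    n = first & 0x7F                          # long form: next n bytes hold the length
    if n == 0 or n > 4 or pos + 2 + n > len(der):
        raise ValueError("unsupported or truncated DER length")
    return 2 + n, int.from_bytes(der[pos + 2:pos + 2 + n], "big")


def split_fragments(der, pos=0, end=None):
    """Split DER into constructed Tag+Length headers and whole primitive TLVs."""
    end = len(der) if end is None else end
    out = []
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated TLV header")
        hlen, vlen = read_header(der, pos)
        if pos + hlen + vlen > end:
            raise ValueError("TLV overruns its parent")
        if der[pos] & 0x20:                   # constructed: keep header, recurse into value
            out.append(der[pos:pos + hlen])
            out.extend(split_fragments(der, pos + hlen, pos + hlen + vlen))
        else:                                 # primitive: keep the whole TLV
            out.append(der[pos:pos + hlen + vlen])
        pos += hlen + vlen
    return out


class FragmentStore:
    def __init__(self):
        self.units = []        # global index -> stored (valid) fragment
        self.by_hash = {}      # check value -> global index
        self.sequences = {}    # certificate name -> index sequence

    def add_certificate(self, name, der):
        seq = []
        for frag in split_fragments(der):
            digest = hashlib.sha256(frag).digest()
            idx = self.by_hash.get(digest)
            if idx is not None and self.units[idx] != frag:
                raise ValueError("check values match but fragments differ")
            if idx is None:                   # first occurrence: stored once
                idx = len(self.units)
                self.units.append(frag)
                self.by_hash[digest] = idx
            seq.append(idx)                   # a redundant fragment leaves only its position
        self.sequences[name] = seq
        return seq

    def recover(self, name):
        """Concatenate the stored fragments in index-sequence order."""
        return b"".join(self.units[i] for i in self.sequences[name])

    def stored_bytes(self):
        return sum(len(u) for u in self.units)


def tlv(tag, value):
    """Build a short-form TLV; used only for the constructed samples below."""
    if len(value) >= 0x80:
        raise ValueError("sample helper handles short-form lengths only")
    return bytes([tag, len(value)]) + value


def name(cn):
    """Constructed Name: SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }."""
    oid_cn = tlv(0x06, bytes([0x55, 0x04, 0x03]))
    return tlv(0x30, tlv(0x31, tlv(0x30, oid_cn + tlv(0x0C, cn.encode()))))


# Constructed toy structures (not real X.509): serial, shared issuer, subject.
ISSUER = name("Example CA")
CERT_A = tlv(0x30, tlv(0x02, b"\x01") + ISSUER + name("alice"))
CERT_B = tlv(0x30, tlv(0x02, b"\x02") + ISSUER + name("bob"))

if __name__ == "__main__":
    store = FragmentStore()
    print(store.add_certificate("a", CERT_A))
    print(store.add_certificate("b", CERT_B))
    print(len(CERT_A) + len(CERT_B), "bytes in,", store.stored_bytes(), "bytes stored")
```

The byte comparison after a check-value match matters when the check value is short, since two different fragments with the same value would otherwise be merged and the recovered certificate would no longer verify.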
In another embodiment, memory module 300 can be used to:
Determine whether the number of data fragments in each identical-fragment group, among the data fragments obtained by segmentation, exceeds a fragment threshold, where an identical-fragment group is a group of data fragments with identical structure and content.
If it does, store the valid data fragment of each identical-fragment group that exceeds the fragment threshold as the attribute of a data set.
Store the other data fragments obtained by segmentation, excluding the redundant data fragments and the valid data fragment stored as the attribute of the data set, as data units of the data set, where one data fragment corresponds to one data unit of the data set.
According to the position of each data fragment obtained by segmentation in the digital certificate, obtain and store the data relationship between the attribute of the data set and each data unit, so as to record the data position information of each stored data fragment in the digital certificate.
For example, when the digital certificate is an OID-type digital certificate, the partition boundaries are the Tag field boundary and the structure boundary of the composite structure formed by the Length field and the Value field. In this embodiment, the Tag field can be stored as the data set attribute, and the remaining data fragments are stored as data units of the data set after the above steps.
The following is the second embodiment of the digital certificate storage system of the present invention.
The digital certificate storage system of this embodiment differs from the first embodiment in that segmentation module 100 can also be used to:
Obtain each digital certificate to be stored.
Convert the data content of each digital certificate to a unified encoding format, while recording the original encoding format of the converted data content and its data position information in each digital certificate.
According to the characteristic information of each digital certificate after format conversion, look up, among the preset certificate storage templates, the certificate storage template that matches each format-converted digital certificate.
Establish the correspondence between each placeholder in the certificate storage template that was found and the data content of each format-converted digital certificate.
According to the ASN.1 encoding rules, segment the data content corresponding to each placeholder into two or more data fragments.
The digital certificate storage system of this embodiment can further eliminate the redundant information of ASN.1 encoding and save storage space.
For segmentation module 100, converting the data content of the digital certificates to a unified encoding format can turn originally different data content into data content with identical structure and content.
In one embodiment, segmentation module 100 can also be used to:
Convert all strings in each digital certificate to UTF8 format, while recording the original encoding format of each converted string object and its data position information in each digital certificate.
In other embodiments, the unified encoding format may also be another encoding format customary to those skilled in the art.
The third embodiment of the digital certificate store system of the present invention is described below.
The digital certificate store system of the present embodiment differs from the first embodiment in that, when the certificate storage template matching each digital certificate after format conversion is a compound certificate, the memory module 300 may also be used to:
According to the data characteristics of the data slots obtained by segmentation, store the data slots other than the redundant data fragments as data cells of the data sets of the compound certificate, wherein the default storage format corresponds to the data format of each digital certificate.
Set up a global index for each data cell in each data set of the compound certificate, and store the global indexes that were set up in the default index data set.
In correspondence with the data position of each data slot in each digital certificate, sort the global indexes of the data cells to form an index sequence for recovering each digital certificate, so as to record the data positional information of each stored data slot in each digital certificate.
Store each index sequence as a data cell of a data set of the compound certificate, and set up a global index for the data cell that stores each index sequence.
Use the global index of the data cell that stores each index sequence as the certificate description of each digital certificate.
In the digital certificate store system of the present embodiment, multiple digital certificates correspond to one compound certificate template for the storage of data slots, so the redundancy among multiple digital certificates can be eliminated. Referencing data cells by index makes it convenient to record the data relationships between data cells and allows the corresponding data slot to be retrieved quickly and accurately.
For the memory module 300, each item of user data stored in a data set is assigned a sequence number. The sequence numbers of all data sets are encoded uniformly, and one sequence number corresponds to only one data cell; this number is referred to as an index. Splicing a series of indexes in a particular order indicates that the user data corresponding to these indexes can be spliced in the same order, thereby building a fragment of a digital certificate or even a complete digital certificate. Such an index sequence can itself be numbered by an index; in other words, the structure of a digital certificate can be described using nested sequences.
Further, according to the obtained certificate characteristics of each digital certificate, the certificate name of each digital certificate can also be stored in the compound certificate as a certificate description.
Preferably, according to the obtained certificate characteristics of each digital certificate, the private key name, the index value of the key usage, the index value of the key type, and the index values of the private key file and the public key file of each digital certificate can also be stored in the compound certificate as a key description.
In one embodiment, the memory module 300 may also be used to:
According to the index sequences that were formed, find the sequence fragments whose number of occurrences in one or more index sequences is higher than a frequency threshold, store those sequence fragments as data cells of a data set, and assign a global index to the data cell that stores each sequence fragment, to replace that sequence fragment in the one or more index sequences.
Store each index sequence after replacement as a data cell of a data set of the compound certificate.
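One way to carry out the sequence-fragment replacement described above, together with the nested expansion a reader then has to perform, as an added Python example that is not part of the patent text. The fixed run length, the function names and the sample index sequences are assumptions of this example; the patent does not say how the repeated sequence fragments are found.

```python
from collections import Counter

# Constructed sample: index sequences of two certificates over data cells 0..14.
SEQUENCES = {
    "cert-a": [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 5, 6, 7, 8, 9, 2, 3, 4, 10],
    "cert-b": [11, 1, 2, 3, 4, 5, 6, 7, 8, 9, 12, 13, 2, 3, 4, 14],
}

def replace_run(seq, run, idx):
    """Replace each non-overlapping occurrence of `run` in `seq` by `idx`."""
    out, i, n = [], 0, len(run)
    while i < len(seq):
        if tuple(seq[i:i + n]) == run:
            out.append(idx)
            i += n
        else:
            out.append(seq[i])
            i += 1
    return out

def compress(sequences, first_free, run_len=3, threshold=1):
    """Store runs seen more than `threshold` times as composite data cells.

    Returns (rewritten sequences, {global index: run}). `first_free` is the
    first global index not yet used by any data cell.
    """
    seqs = {name: list(s) for name, s in sequences.items()}
    composites, next_idx = {}, first_free
    while True:
        counts = Counter()
        for s in seqs.values():
            for i in range(len(s) - run_len + 1):
                counts[tuple(s[i:i + run_len])] += 1
        best = counts.most_common(1)
        if not best or best[0][1] <= threshold:
            return seqs, composites
        run = best[0][0]
        composites[next_idx] = list(run)      # the run becomes one data cell
        seqs = {name: replace_run(s, run, next_idx) for name, s in seqs.items()}
        next_idx += 1

def expand(seq, composites, active=()):
    """Resolve composite indexes recursively back to plain data-cell indexes."""
    out = []
    for idx in seq:
        if idx not in composites:
            out.append(idx)
        elif idx in active:
            # A stored index sequence that refers to itself would never end.
            raise ValueError(f"index {idx} is part of a reference cycle")
        else:
            out.extend(expand(composites[idx], composites, active + (idx,)))
    return out

if __name__ == "__main__":
    packed, composites = compress(SEQUENCES, first_free=15)
    for name, seq in packed.items():
        print(name, seq, expand(seq, composites) == SEQUENCES[name])
    print(composites)
```

A composite cell may itself contain composite indexes, which is the nested sequence the description mentions, so the reader has to reject a store whose index sequences refer back to themselves.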
In another embodiment, when a data slot, an index sequence or a global index is stored as a data cell of a data set, the object type and storage format of each data cell are recorded in the attribute of each data set, wherein the object type includes at least one of an object in ASN.1 format, an object in index sequence format, an object in X509 format, a formatted object, an object with an instantiation sequence, and an external file object, and the storage format is used to convert the data cell into a data slot.
Referring to Fig. 6, Fig. 6 is a schematic flowchart of the first embodiment of the digital certificate read method of the present invention.
The digital certificate read method of the present embodiment comprises the following steps:
Step 601: obtain from the certificate memory space the data slots corresponding to the digital certificate to be read, and the data positional information corresponding to those data slots in the digital certificate, wherein the data slots include at least one valid data fragment, and the valid data fragment corresponds to at least two items of data positional information.
Step 602: combine the data slots other than the valid data fragment according to their corresponding data positional information, restore the valid data fragment to the corresponding data slot at each of its corresponding data positions, and reassemble the digital certificate.
The digital certificate read method of the present embodiment obtains from the certificate memory space the data slots corresponding to the digital certificate to be read and the data positional information corresponding to those data slots in the digital certificate, then combines the data slots other than the valid data fragment according to their corresponding data positional information, restores the valid data fragment to the corresponding data slot at each of its corresponding data positions, and reassembles the digital certificate. A complete digital certificate can thus be read quickly while memory space is saved.
For step 601, the acquired data slots are data slots stored by the digital certificate store method shown in any one of Figs. 1 to 4.
Preferably, the data slots can be found according to a preset mark (such as an index) or a data characteristic corresponding to the digital certificate to be read.
For step 602, the pre-recorded data position in each digital certificate of each data slot stored in the certificate memory space corresponds to the data position recorded in the digital certificate store method shown in any one of Figs. 1 to 4.
Referring to Fig. 7, Fig. 7 is a schematic flowchart of the second embodiment of the digital certificate read method of the present invention.
The digital certificate read method of the present embodiment differs from the first embodiment in that, when the data slots are stored in the certificate memory space as data cells of data sets and the data positional information is the index sequence for recovering the digital certificate, the step of obtaining from the certificate memory space the data slots corresponding to the digital certificate to be read and the data positional information corresponding to those data slots in the digital certificate comprises the following steps:
Step 701: obtain the index sequence of the digital certificate, scan in turn the data cell of the data set corresponding to each global index in the index sequence, and convert each global index to the scanned data cell.
Step 702: according to the attribute of the data set to which each scanned data cell belongs, perform the default recovery operation on each converted global index to revert it to the corresponding data slot.
With the digital certificate read method of the present embodiment, the digital certificate that needs to be read can be read quickly by means of the global index, saving read time.
For step 701, the global index is the global index set up in the digital certificate store method of the present invention. Preferably, when the index sequence of the digital certificate is recorded as the certificate description of the digital certificate, it is obtained by directly looking up the certificate description of the digital certificate.
In one embodiment, before the step of obtaining the root index of the digital certificate is performed, the following step is also included:
Analyze each data set in the certificate memory space, and set up a data table of one-to-one correspondence between global indexes and data cells.
Preferably, in the specific analysis, the index file can be read to obtain the list of certificate container file identifiers; each certificate container file is read and all compound certificates it contains are analyzed; each compound certificate is read and all the certificate descriptions and data sets it contains are analyzed; each data set is analyzed and the index corresponding to each data cell is extracted. It is checked whether the number of data cells matches the Count parameter, and reading of the digital certificate is terminated if they do not match; it is checked whether the indexes of all data cells conflict, and reading of the digital certificate is terminated if a conflict occurs.
In another embodiment, the step of obtaining the index sequence of the digital certificate comprises the following steps:
Obtain the certificate description of the digital certificate, scan the data cell of the data set corresponding to the global index contained in the certificate description, and obtain the index sequence of the digital certificate from that data cell.
In other embodiments, the step of scanning in turn the data cell of the data set corresponding to each obtained global index, and converting each global index to the scanned data cell, comprises the following steps:
According to the attribute of the data set in which the scanned data cell is located, obtain the object type of the data cell, wherein the object type includes at least one of an object in ASN.1 format, an object in index sequence format, a formatted object, an object with an instantiation sequence, and an external file object.
If the scanned data cell is an object in ASN.1 format (or simple object), each global index is converted to the scanned data cell.
If the scanned data cell is an object in index sequence format (or composite object), the data cell is still kept in the form of an index sequence and scanning continues according to that index sequence; when the scanned data cell is an object in ASN.1 format, each global index in the index sequence is converted to the scanned data cell.
If the scanned data cell is a formatted object (or composite object with a format sequence), scanning proceeds according to the first subindex until the corresponding data cell is reached; when the scanned data cell is an object in ASN.1 format, each global index in the index sequence is converted to the scanned data cell.
The string format is obtained according to the second subindex.
If the scanned data cell is an object with an instantiation sequence (or composite object with an instantiation sequence), the certificate storage template matching the digital certificate is read according to the first subindex.
The index sequence of the data cell corresponding to each placeholder is obtained according to the second subindex.
Scanning continues according to each index sequence; when the scanned data cell is an object in ASN.1 format, each global index in the index sequence is converted to the scanned data cell.
If the scanned data cell is an external file object (or external file mark), the data content of the corresponding external file is read.
Preferably, recovery of the original data fragment corresponding to each index is attempted through multiple scans, wherein the first scan recovers all simple objects and each subsequent scan is used to recover composite objects; when an object indexed by a composite object is found not to have had its original data recovered yet, the indexed object is processed first. After several scans, the original data corresponding to all indexes should have been recovered. For the data cell corresponding to each index, the following different modes are used to recover its original data, according to the Attribute element of the data set in which it is located.
For step 702, the default recovery operation corresponds to the specific format of the data cells stored in the data set, or to the attribute (Attribute element) of the data set to which they belong, in the fourth embodiment of the digital certificate store method of the present invention.
In one embodiment, the step of performing the default recovery operation on each converted global index according to the attribute of the data set to which each scanned data cell belongs, to revert it to the corresponding data slot, comprises the following steps:
If the scanned data cell is an object in ASN.1 format and/or an object in index sequence format, then according to the storage format recorded in the attribute of the data set to which each finally scanned data cell belongs, each converted global index is used as the data slot corresponding to the digital certificate, or each converted global index is concatenated with the Tag element of the data set and the result is used as the data slot corresponding to the digital certificate.
If the scanned data cell is an object with an instantiation sequence, the converted global indexes are filled into the certificate storage template that was read; after the index sequences of the data cells corresponding to all placeholders have been converted, the length of the corresponding data slot is calculated, to replace the data of the Length field in the certificate storage template.
In another embodiment:
The step of combining the data slots other than the valid data fragment according to their corresponding data positional information further comprises the following step:
Sort and/or nest the recovered data slots according to the index sequence.
Or, before the step of obtaining the root index of the digital certificate is performed, the following step is also included:
Analyze each data set in the certificate memory space, and set up a data table of one-to-one correspondence between global indexes and data cells.
In addition, when the original data corresponding to an index sequence has been recovered successfully, a certificate has been recovered successfully; a hash is then calculated and compared with the Hash in the certificate description to judge whether the decoded certificate is correct.
Referring to Fig. 8, Fig. 8 is a structural schematic diagram of the first embodiment of the digital certificate read system of the present invention.
The digital certificate read system of the present embodiment includes a read module 810 and a recombination module 820, wherein:
The read module 810 obtains from the certificate memory space the data slots corresponding to the digital certificate to be read, and the data positional information corresponding to those data slots in the digital certificate, wherein the data slots include at least one valid data fragment, and the valid data fragment corresponds to at least two items of data positional information.
The recombination module 820 combines the data slots other than the valid data fragment according to their corresponding data positional information, restores the valid data fragment to the corresponding data slot at each of its corresponding data positions, and reassembles the digital certificate.
The digital certificate read system of the present embodiment obtains from the certificate memory space the data slots corresponding to the digital certificate to be read and the data positional information corresponding to those data slots in the digital certificate, then combines the data slots other than the valid data fragment according to their corresponding data positional information, restores the valid data fragment to the corresponding data slot at each of its corresponding data positions, and reassembles the digital certificate. A complete digital certificate can thus be read quickly while memory space is saved.
For the read module 810, the acquired data slots are data slots stored by the digital certificate store method shown in any one of Figs. 1 to 4.
Preferably, the data slots can be found according to a preset mark (such as an index) or a data characteristic corresponding to the digital certificate to be read.
For the recombination module 820, the pre-recorded data position in each digital certificate of each data slot stored in the certificate memory space corresponds to the data position recorded in the digital certificate store method shown in any one of Figs. 1 to 4.
The second embodiment of the digital certificate read system of the present invention is described below.
The digital certificate read system of the present embodiment differs from the first embodiment in that, when the data slots are stored in the certificate memory space as data cells of data sets and the data positional information is the index sequence for recovering the digital certificate, the read module 810 may also be used to:
Obtain the index sequence of the digital certificate, scan in turn the data cell of the data set corresponding to each global index in the index sequence, and convert each global index to the scanned data cell.
According to the attribute of the data set to which each scanned data cell belongs, perform the default recovery operation on each converted global index to revert it to the corresponding data slot.
With the digital certificate read system of the present embodiment, the digital certificate that needs to be read can be read quickly by means of the global index, saving read time.
For the read module 810, the global index is the global index set up in the digital certificate store method of the present invention. Preferably, when the index sequence of the digital certificate is recorded as the certificate description of the digital certificate, it is obtained by directly looking up the certificate description of the digital certificate.
In one embodiment, before the step of obtaining the root index of the digital certificate is performed, the following step is also included:
Analyze each data set in the certificate memory space, and set up a data table of one-to-one correspondence between global indexes and data cells.
Preferably, in the specific analysis, the index file can be read to obtain the list of certificate container file identifiers; each certificate container file is read and all compound certificates it contains are analyzed; each compound certificate is read and all the certificate descriptions and data sets it contains are analyzed; each data set is analyzed and the index corresponding to each data cell is extracted. It is checked whether the number of data cells matches the Count parameter, and reading of the digital certificate is terminated if they do not match; it is checked whether the indexes of all data cells conflict, and reading of the digital certificate is terminated if a conflict occurs.
In another embodiment, the step of obtaining the index sequence of the digital certificate comprises the following steps:
Obtain the certificate description of the digital certificate, scan the data cell of the data set corresponding to the global index contained in the certificate description, and obtain the index sequence of the digital certificate from that data cell.
In other embodiments, the step of scanning in turn the data cell of the data set corresponding to each obtained global index, and converting each global index to the scanned data cell, comprises the following steps:
According to the attribute of the data set in which the scanned data cell is located, obtain the object type of the data cell, wherein the object type includes at least one of an object in ASN.1 format, an object in index sequence format, a formatted object, an object with an instantiation sequence, and an external file object.
If the scanned data cell is an object in ASN.1 format (or simple object), each global index is converted to the scanned data cell.
If the scanned data cell is an object in index sequence format (or composite object), the data cell is still kept in the form of an index sequence and scanning continues according to that index sequence; when the scanned data cell is an object in ASN.1 format, each global index in the index sequence is converted to the scanned data cell.
If the scanned data cell is a formatted object (or composite object with a format sequence), scanning proceeds according to the first subindex until the corresponding data cell is reached; when the scanned data cell is an object in ASN.1 format, each global index in the index sequence is converted to the scanned data cell.
The string format is obtained according to the second subindex.
If the scanned data cell is an object with an instantiation sequence (or composite object with an instantiation sequence), the certificate storage template matching the digital certificate is read according to the first subindex.
The index sequence of the data cell corresponding to each placeholder is obtained according to the second subindex.
Scanning continues according to each index sequence; when the scanned data cell is an object in ASN.1 format, each global index in the index sequence is converted to the scanned data cell.
If the scanned data cell is an external file object (or external file mark), the data content of the corresponding external file is read.
Preferably, recovery of the original data fragment corresponding to each index is attempted through multiple scans, wherein the first scan recovers all simple objects and each subsequent scan is used to recover composite objects; when an object indexed by a composite object is found not to have had its original data recovered yet, the indexed object is processed first. After several scans, the original data corresponding to all indexes should have been recovered. For the data cell corresponding to each index, the following different modes are used to recover its original data, according to the Attribute element of the data set in which it is located.
For the read module 810, the default recovery operation corresponds to the specific format of the data cells stored in the data set, or to the attribute (Attribute element) of the data set to which they belong, in the fourth embodiment of the digital certificate store method of the present invention.
In one embodiment, the step of performing the default recovery operation on each converted global index according to the attribute of the data set to which each scanned data cell belongs, to revert it to the corresponding data slot, comprises the following steps:
If the scanned data cell is an object in ASN.1 format and/or an object in index sequence format, then according to the storage format recorded in the attribute of the data set to which each finally scanned data cell belongs, each converted global index is used as the data slot corresponding to the digital certificate, or each converted global index is concatenated with the Tag element of the data set and the result is used as the data slot corresponding to the digital certificate.
If the scanned data cell is an object with an instantiation sequence, the converted global indexes are filled into the certificate storage template that was read; after the index sequences of the data cells corresponding to all placeholders have been converted, the length of the corresponding data slot is calculated, to replace the data of the Length field in the certificate storage template.
In another embodiment:
The step of combining the data slots other than the valid data fragment according to their corresponding data positional information further comprises the following step:
Sort and/or nest the recovered data slots according to the index sequence.
Or, before the step of obtaining the root index of the digital certificate is performed, the following step is also included:
Analyze each data set in the certificate memory space, and set up a data table of one-to-one correspondence between global indexes and data cells.
In addition, when the original data corresponding to an index sequence has been recovered successfully, a certificate has been recovered successfully; a hash is then calculated and compared with the Hash in the certificate description to judge whether the decoded certificate is correct.
Referring to Fig. 9, Fig. 9 is a schematic flowchart of the first embodiment of another digital certificate read method of the present invention.
The digital certificate read method of the present embodiment comprises the following steps:
Step 901: according to the ASN.1 coding rules, divide the digital certificate into two or more data slots.
Step 902: perform data matching on the data slots obtained by segmentation to obtain at least two data slots that are consistent in structure and content, and divide the data slots that are consistent in structure and content into at least one redundant data fragment and at least one valid data fragment.
Step 903: store the data slots obtained by segmentation, other than the redundant data fragment, in the certificate memory space, and correspondingly record the data positional information of each stored data slot in the digital certificate, wherein for the valid data fragment both its own data positional information and the data positional information of the redundant data fragment are recorded.
Step 904: obtain from the certificate memory space the data slots corresponding to the digital certificate to be read, and the data positional information corresponding to those data slots in the digital certificate.
Step 905: combine the data slots other than the valid data fragment according to their corresponding data positional information, restore the valid data fragment to the corresponding data slot at each of its corresponding data positions, and reassemble the digital certificate.
Steps 901 to 903 above correspond to the operating process of the digital certificate store method corresponding to any one of Figs. 1 to 4.
Steps 904 to 905 correspond to the operating process of the digital certificate read method described in Fig. 6 and Fig. 7.
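The store-and-read round trip of steps 901 to 905, as an added Python example that is not part of the patent text: a DER structure is split at TLV boundaries, identical fragments are stored once, and the index sequence plus a hash kept in the certificate description rebuild and check the original bytes. The names `FragmentStore`, `split`, `read_tlv` and `tlv`, the use of SHA-256, and the constructed `SAMPLE` bytes (a certificate-shaped structure, not a real certificate) are assumptions of this example.

```python
import hashlib

def read_tlv(buf, pos):
    """Parse Tag and Length of the DER TLV at pos -> (tag, header_len, value_len)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not handled in this example")
    if first < 0x80:                          # short-form length
        return tag, 2, first
    if first == 0x80:
        raise ValueError("indefinite length is not valid DER")
    n = first & 0x7F                          # long-form length
    if pos + 2 + n > len(buf):
        raise ValueError("truncated length field")
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def split(buf, pos=0, end=None):
    """Step 901: yield fragments in document order. A constructed TLV gives
    its header as one fragment, then its children; a primitive TLV is whole."""
    end = len(buf) if end is None else end
    while pos < end:
        tag, hdr, length = read_tlv(buf, pos)
        nxt = pos + hdr + length
        if nxt > end:
            raise ValueError("TLV runs past the end of its parent")
        if tag & 0x20:                        # constructed (SEQUENCE, SET, ...)
            yield buf[pos:pos + hdr]
            yield from split(buf, pos + hdr, nxt)
        else:
            yield buf[pos:nxt]
        pos = nxt

class FragmentStore:
    def __init__(self):
        self.units = []          # global index -> fragment bytes (data cells)
        self.by_hash = {}        # fragment hash -> global index
        self.descriptions = {}   # name -> (index sequence, hash of certificate)

    def put(self, name, der):
        """Steps 902 and 903: match fragments by hash, store each once."""
        seq = []
        for frag in split(der):
            h = hashlib.sha256(frag).digest()
            if h not in self.by_hash:         # first occurrence: valid fragment
                self.by_hash[h] = len(self.units)
                self.units.append(frag)
            seq.append(self.by_hash[h])       # a redundant copy adds a position only
        self.descriptions[name] = (seq, hashlib.sha256(der).hexdigest())

    def get(self, name):
        """Steps 904 and 905: rebuild from the index sequence, then verify."""
        seq, digest = self.descriptions[name]
        if any(not 0 <= i < len(self.units) for i in seq):
            raise ValueError("index sequence refers to a missing data cell")
        der = b"".join(self.units[i] for i in seq)
        if hashlib.sha256(der).hexdigest() != digest:
            raise ValueError("recovered bytes do not match the stored hash")
        return der

def tlv(tag, value):
    """DER-encode one TLV; used only to build the constructed sample."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value

# Constructed sample: the algorithm identifier and the name each occur twice,
# as they do in a self-signed certificate.
ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
NAME = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403"))
                               + tlv(0x0C, b"Example Test CA"))))
SAMPLE = tlv(0x30, tlv(0x30, ALG + NAME + NAME) + ALG
             + tlv(0x03, b"\x00" + b"\xAA" * 128))

if __name__ == "__main__":
    store = FragmentStore()
    store.put("sample", SAMPLE)
    print(len(SAMPLE), "bytes in,", sum(map(len, store.units)), "bytes stored")
    print(store.descriptions["sample"][0], store.get("sample") == SAMPLE)
```

The hash comparison in `get` is what catches a data cell that was altered or an index sequence that was reordered after storage.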
Referring to Fig. 10, Fig. 10 is a structural schematic diagram of the first embodiment of another digital certificate read system of the present invention.
The digital certificate read system of the present embodiment includes a segmentation module 100, a matching module 200, a memory module 300, a read module 810 and a recombination module 820, wherein:
The segmentation module 100 is used to divide the digital certificate into two or more data slots according to the ASN.1 coding rules.
The matching module 200 is used to perform data matching on the data slots obtained by segmentation to obtain at least two data slots that are consistent in structure and content, and to divide the data slots that are consistent in structure and content into at least one redundant data fragment and at least one valid data fragment.
The memory module 300 is used to store the data slots obtained by segmentation, other than the redundant data fragment, in the certificate memory space, and to correspondingly record the data positional information of each stored data slot in the digital certificate, wherein for the valid data fragment both its own data positional information and the data positional information of the redundant data fragment are recorded.
The read module 810 is used to obtain from the certificate memory space the data slots corresponding to the digital certificate to be read, and the data positional information corresponding to those data slots in the digital certificate.
The recombination module 820 is used to combine the data slots other than the valid data fragment according to their corresponding data positional information, restore the valid data fragment to the corresponding data slot at each of its corresponding data positions, and reassemble the digital certificate.
The embodiments described above express only several embodiments of the present invention, and their description is relatively specific and detailed, but they should not therefore be construed as limiting the scope of the patent. It should be pointed out that those of ordinary skill in the art can make various modifications and improvements without departing from the inventive concept, and these all fall within the protection scope of the present invention. Therefore, the protection scope of this patent shall be determined by the appended claims.

Claims (19)

1. A digital certificate store method, characterized in that it comprises the following steps:
dividing the digital certificate into two or more data slots according to the ASN.1 coding rules;
performing data matching on the data slots obtained by segmentation to obtain at least two data slots that are consistent in structure and content, and dividing the data slots that are consistent in structure and content into at least one redundant data fragment and at least one valid data fragment;
storing the data slots obtained by segmentation, other than the redundant data fragment, in the certificate memory space, and correspondingly recording the data positional information of each stored data slot in the digital certificate, wherein for the valid data fragment both its own data positional information and the data positional information of the redundant data fragment are recorded;
wherein the step of storing the data slots obtained by segmentation, other than the redundant data fragment, in the certificate memory space, and correspondingly recording the data positional information of each stored data slot in the digital certificate, further comprises the following steps:
storing the data slots obtained by segmentation, other than the redundant data fragment, each as a data cell of a data set, wherein one data slot corresponds to one data cell of a data set;
obtaining and storing the data relationships between the data cells according to the data position of each data slot obtained by segmentation in the digital certificate, so as to record the data positional information of each stored data slot in the digital certificate;
wherein the step of obtaining and storing the data relationships between the data cells comprises the following steps:
allocating a unique global index to each data cell, and storing the allocated global indexes in a default index data set;
sorting the global indexes of the data cells in correspondence with the data position of each data slot obtained by segmentation in the digital certificate, to form an index sequence for recovering the digital certificate, so as to record the data positional information of each stored data slot in the digital certificate.
2. The digital certificate store method according to claim 1, characterized in that the step of performing data matching on the data slots obtained by segmentation to obtain at least two data slots that are consistent in structure and content comprises the following step:
performing matching verification on each data slot by calculating the Hash check value of the data slots obtained by segmentation, and verifying which data slots are consistent in structure and content.
3. The digital certificate store method according to claim 1, characterized in that, after the step of forming the index sequence for recovering the digital certificate, the method further comprises the following step:
according to the index sequence that was formed, finding the sequence fragments whose number of occurrences in the formed index sequence is higher than a frequency threshold, storing the sequence fragments that are higher than the frequency threshold as data cells of a data set, and allocating a global index to the data cell that stores each sequence fragment, to replace that sequence fragment in the index sequence.
4. The digital certificate storage method according to claim 1, characterized in that the step of storing, in the certificate storage space, the data fragments obtained by segmentation other than the redundant data fragments, and correspondingly recording the data position information of each stored data fragment in the digital certificate, further comprises the following steps:
Judging whether the number of data fragments in each identical-fragment group among the data fragments obtained by segmentation exceeds a fragment threshold, wherein an identical-fragment group is a group of data fragments consistent in structure and content;
If so, storing the valid data fragment of the identical-fragment group exceeding the fragment threshold as an attribute of a data set;
Storing each of the other data fragments obtained by segmentation, excluding the redundant data fragments and the valid data fragments stored as attributes of the data set, as a data unit of the data set, wherein one data fragment corresponds to one data unit of one data set;
Obtaining and storing the data relationship between the attribute of the data set and the data units according to the data position of each data fragment obtained by segmentation in the digital certificate, so as to record the data position information of each stored data fragment in the digital certificate.
5. The digital certificate storage method according to claim 1, characterized in that the step of dividing the digital certificate into two or more data fragments according to the ASN.1 encoding rules comprises the following steps:
Obtaining each digital certificate to be stored;
Converting the data content of each digital certificate into a unified encoding format, while recording the original encoding format and the data position information, in each digital certificate, of the converted data content;
According to the characteristic information of each format-converted digital certificate, searching the preset certificate storage templates for the certificate storage template matching each format-converted digital certificate;
Establishing the correspondence between each placeholder in the found certificate storage template and the data content of each format-converted digital certificate;
Segmenting, according to the ASN.1 encoding rules, the data content corresponding to each placeholder into two or more data fragments.
6. The digital certificate storage method according to claim 5, characterized in that the step of converting the data content of each digital certificate into a unified encoding format, while recording the original encoding format and the data position information, in each digital certificate, of the converted data content, comprises the following steps:
Converting all character strings in each digital certificate into UTF8 format, while recording the original encoding format and the data position information, in each digital certificate, of each converted character string object.
7. The digital certificate storage method according to claim 6, characterized in that, when the certificate storage template matching each format-converted digital certificate is a compound certificate, the step of storing, in the certificate storage space, the data fragments obtained by segmentation other than the redundant data fragments, and correspondingly recording the data position information of each stored data fragment in the digital certificate, comprises the following steps:
According to the data characteristics of the data fragments obtained by segmentation and a preset storage format, storing the data fragments obtained by segmentation, other than the redundant data fragments, as data units of the data sets of the compound certificate, wherein the preset storage format corresponds to the data format of each digital certificate;
Establishing a global index for each data unit in each data set of the compound certificate, and storing the established global indexes in a preset index data set;
Sorting the global indexes of the data units in correspondence with the data position of each data fragment obtained by segmentation in each digital certificate, to form an index sequence for recovering each digital certificate, so as to record the data position information of each stored data fragment in each digital certificate;
Storing each index sequence as a data unit of a data set of the compound certificate, and establishing a global index for the data unit storing each index sequence;
Using the global index of the data unit storing each index sequence as the certificate description of each digital certificate.
8. The digital certificate storage method according to claim 7, characterized in that the step of storing each index sequence as a data unit of a data set of the compound certificate further comprises the following steps:
According to the formed index sequences, finding the sequence fragments whose number of occurrences in one or more index sequences is higher than a frequency threshold, storing each sequence fragment above the frequency threshold as a data unit of a data set, and assigning a global index to the data unit storing the sequence fragment, so as to replace the sequence fragment in the one or more index sequences;
Storing each index sequence after replacement as a data unit of a data set of the compound certificate.
9. The digital certificate storage method according to claim 3, 4, 7 or 8, characterized in that:
When a data fragment, index sequence or global index is stored as a data unit of a data set, the object type and storage format of each data unit are recorded in the attribute of each data set, wherein the object type includes at least one of an ASN.1-format object, an index-sequence-format object, an X509-format object, an object with a format, an object with an instantiation sequence, and an external file object, and the storage format is used to convert a data unit into a data fragment.
10. A digital certificate storage system, characterized by comprising:
A segmentation module, for dividing a digital certificate into two or more data fragments according to the ASN.1 encoding rules;
A matching module, for performing data matching on the data fragments obtained by segmentation to obtain at least two data fragments consistent in structure and content, and dividing the data fragments consistent in structure and content into at least one redundant data fragment and at least one valid data fragment;
A storage module, for storing, in the certificate storage space, the data fragments obtained by segmentation other than the redundant data fragments, and correspondingly recording the data position information of each stored data fragment in the digital certificate, wherein, for the valid data fragment, both its own data position information and the data position information of the redundant data fragment are recorded;
The storage module is further for storing each of the data fragments obtained by segmentation, other than the redundant data fragments, as a data unit of a data set, wherein one data fragment corresponds to one data unit of one data set; and for obtaining and storing the data relationship between the data units according to the data position of each data fragment obtained by segmentation in the digital certificate, so as to record the data position information of each stored data fragment in the digital certificate;
The storage module is further for assigning a unique global index to each data unit and storing the assigned global indexes in a preset index data set; and for sorting the global indexes of the data units in correspondence with the data position of each data fragment obtained by segmentation in the digital certificate, to form an index sequence for recovering the digital certificate, so as to record the data position information of each stored data fragment in the digital certificate.
11. A digital certificate reading method, characterized by comprising the following steps:
Obtaining, from the certificate storage space, the data fragments corresponding to the digital certificate to be read and the data position information of those data fragments in the digital certificate, wherein the data fragments include at least one valid data fragment, and the valid data fragment corresponds to at least two pieces of data position information;
Combining the data fragments other than the valid data fragment according to their corresponding data position information, and restoring the valid data fragment to the corresponding data fragment at each of its corresponding data positions, to reassemble the digital certificate;
When the data fragments are stored in the certificate storage space as data units of data sets and the data position information is an index sequence for recovering the digital certificate, the step of obtaining, from the certificate storage space, the data fragments corresponding to the digital certificate to be read and the data position information of those data fragments in the digital certificate comprises the following steps:
Obtaining the index sequence of the digital certificate, scanning in turn the data unit of the data set corresponding to each global index in the index sequence, and converting each global index into the scanned data unit;
According to the attribute of the data set to which each scanned data unit belongs, performing a preset recovery operation on each converted global index to restore it to the corresponding data fragment.
12. The digital certificate reading method according to claim 11, characterized in that the step of obtaining the index sequence of the digital certificate comprises the following steps:
Obtaining the certificate description of the digital certificate, scanning the data unit of the data set corresponding to the global index contained in the certificate description, and obtaining the index sequence of the digital certificate from that data unit.
13. The digital certificate reading method according to claim 11, characterized in that the step of obtaining the index sequence of the digital certificate, scanning in turn the data unit of the data set corresponding to each global index, and converting each global index into the scanned data unit comprises the following steps:
According to the attribute of the data set in which the scanned data unit is located, obtaining the object type of the data unit, wherein the object type includes at least one of an ASN.1-format object, an index-sequence-format object, an object with a format, an object with an instantiation sequence, and an external file object;
If the scanned data unit is an ASN.1-format object, converting each global index into the scanned data unit;
If the scanned data unit is an index-sequence-format object, keeping the data unit in index-sequence form and continuing to scan according to that index sequence until the scanned data unit is an ASN.1-format object, then converting each global index in the index sequence into the scanned data unit;
If the scanned data unit is an object with a format, scanning according to the first sub-index to the corresponding data unit and, when the scanned data unit is an ASN.1-format object, converting each global index in the index sequence into the scanned data unit;
Obtaining the character string format according to the second sub-index;
If the scanned data unit is an object with an instantiation sequence, reading the certificate storage template matching the digital certificate according to the first sub-index;
Obtaining the index sequence of the data unit corresponding to each placeholder according to the second sub-index;
Continuing to scan according to each index sequence until the scanned data unit is an ASN.1-format object, then converting each global index in the index sequence into the scanned data unit;
If the scanned data unit is an external file object, reading the data content of the corresponding external file.
14. The digital certificate reading method according to claim 13, characterized in that the step of performing, according to the attribute of the data set to which each scanned data unit belongs, a preset recovery operation on each converted global index to restore it to the corresponding data fragment comprises the following steps:
If the scanned data unit is an ASN.1-format object and/or an index-sequence-format object, then, according to the storage format recorded in the attribute of the data set to which each finally scanned data unit belongs, taking each converted global index as a data fragment corresponding to the digital certificate, or concatenating each converted global index with the Tag element of the data set and taking the result as the data fragment corresponding to the digital certificate; the Tag element indicates the type of the data set;
If the scanned data unit is an object with an instantiation sequence, filling the converted global index into the certificate storage template that was read and, after the index sequences of the data units corresponding to all placeholders have been converted, calculating the length of the corresponding data fragment to replace the data of the Length field in the certificate storage template; the Length field in the certificate storage template is the Length field of the ASN.1-encoded TLV structure contained in the certificate storage template.
15. The digital certificate reading method according to claim 11, characterized in that the step of combining the data fragments other than the valid data fragment according to their corresponding data position information further comprises the following steps:
Sorting and/or nesting the recovered data fragments according to the index sequence.
16. The digital certificate reading method according to claim 11, characterized in that, before the step of obtaining the index sequence of the digital certificate is performed, the method further comprises the following steps:
Analyzing each data set in the certificate storage space and establishing a data table of one-to-one correspondence between global indexes and data units.
17. A digital certificate reading system, characterized by comprising:
A reading module, for obtaining, from the certificate storage space, the data fragments corresponding to the digital certificate to be read and the data position information of those data fragments in the digital certificate, wherein the data fragments include at least one valid data fragment, and the valid data fragment corresponds to at least two pieces of data position information;
A recombination module, for combining the data fragments other than the valid data fragment according to their corresponding data position information, and restoring the valid data fragment to the corresponding data fragment at each of its corresponding data positions, to reassemble the digital certificate;
The reading module is further for, when the data fragments are stored in the certificate storage space as data units of data sets and the data position information is an index sequence for recovering the digital certificate, obtaining the index sequence of the digital certificate, scanning in turn the data unit of the data set corresponding to each global index in the index sequence, and converting each global index into the scanned data unit; and, according to the attribute of the data set to which each scanned data unit belongs, performing a preset recovery operation on each converted global index to restore it to the corresponding data fragment.
18. A digital certificate reading method, characterized by comprising the following steps:
Dividing a digital certificate into two or more data fragments according to the ASN.1 encoding rules;
Performing data matching on the data fragments obtained by segmentation to obtain at least two data fragments consistent in structure and content, and dividing the data fragments consistent in structure and content into at least one redundant data fragment and at least one valid data fragment;
Storing, in the certificate storage space, the data fragments obtained by segmentation other than the redundant data fragments, and correspondingly recording the data position information of each stored data fragment in the digital certificate, wherein, for the valid data fragment, both its own data position information and the data position information of the redundant data fragment are recorded;
Obtaining, from the certificate storage space, the data fragments corresponding to the digital certificate to be read and the data position information of those data fragments in the digital certificate;
Combining the data fragments other than the valid data fragment according to their corresponding data position information, and restoring the valid data fragment to the corresponding data fragment at each of its corresponding data positions, to reassemble the digital certificate;
Wherein the step of storing, in the certificate storage space, the data fragments obtained by segmentation other than the redundant data fragments, and correspondingly recording the data position information of each stored data fragment in the digital certificate, further comprises the following steps:
Storing each of the data fragments obtained by segmentation, other than the redundant data fragments, as a data unit of a data set, wherein one data fragment corresponds to one data unit of one data set;
Obtaining and storing the data relationship between the data units according to the data position of each data fragment obtained by segmentation in the digital certificate, so as to record the data position information of each stored data fragment in the digital certificate;
The step of obtaining and storing the data relationship between the data units comprises the following steps:
Assigning a unique global index to each data unit, and storing the assigned global indexes in a preset index data set;
Sorting the global indexes of the data units in correspondence with the data position of each data fragment obtained by segmentation in the digital certificate, to form an index sequence for recovering the digital certificate, so as to record the data position information of each stored data fragment in the digital certificate.
19. A digital certificate reading system, characterized by comprising:
A segmentation module, for dividing a digital certificate into two or more data fragments according to the ASN.1 encoding rules;
A matching module, for performing data matching on the data fragments obtained by segmentation to obtain at least two data fragments consistent in structure and content, and dividing the data fragments consistent in structure and content into at least one redundant data fragment and at least one valid data fragment;
A storage module, for storing, in the certificate storage space, the data fragments obtained by segmentation other than the redundant data fragments, and correspondingly recording the data position information of each stored data fragment in the digital certificate, wherein, for the valid data fragment, both its own data position information and the data position information of the redundant data fragment are recorded;
A reading module, for obtaining, from the certificate storage space, the data fragments corresponding to the digital certificate to be read and the data position information of those data fragments in the digital certificate;
A recombination module, for combining the data fragments other than the valid data fragment according to their corresponding data position information, and restoring the valid data fragment to the corresponding data fragment at each of its corresponding data positions, to reassemble the digital certificate;
Wherein the storage module is for storing each of the data fragments obtained by segmentation, other than the redundant data fragments, as a data unit of a data set, wherein one data fragment corresponds to one data unit of one data set; for obtaining and storing the data relationship between the data units according to the data position of each data fragment obtained by segmentation in the digital certificate, so as to record the data position information of each stored data fragment in the digital certificate; and for assigning a unique global index to each data unit, storing the assigned global indexes in a preset index data set, and sorting the global indexes of the data units in correspondence with the data position of each data fragment obtained by segmentation in the digital certificate, to form an index sequence for recovering the digital certificate, so as to record the data position information of each stored data fragment in the digital certificate.
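The store-and-read procedure of the claims above (ASN.1 segmentation, hash matching, one stored copy per distinct fragment, and an index sequence used to reassemble the certificate), as an added Python sketch that is not part of the patent text or the applicant's implementation. The fragment granularity (constructed-type headers and whole primitive TLVs), the use of SHA-256 as the hash check value, the whole-certificate digest check on read, and the names `split_fragments`, `CertStore`, `tlv` and `sample_cert` are assumptions of this example; the sample certificates are constructed DER structures, not valid X.509 certificates.

```python
import hashlib

def read_header(buf, pos, end):
    """Return (header_len, value_len, constructed) for the DER TLV at pos."""
    if pos + 2 > end:
        raise ValueError("truncated TLV header")
    if buf[pos] & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not handled in this sketch")
    first = buf[pos + 1]
    if first < 0x80:                          # short-form length
        hdr, length = 2, first
    else:                                     # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or pos + 2 + n > end:
            raise ValueError("indefinite or truncated length")
        hdr, length = 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    if pos + hdr + length > end:
        raise ValueError("value runs past the enclosing structure")
    return hdr, length, bool(buf[pos] & 0x20)

def split_fragments(der):
    """Segment DER into constructed headers and whole primitive TLVs.
    Concatenating the fragments in order reproduces the input byte for byte."""
    out = []
    def walk(pos, end):
        while pos < end:
            hdr, length, constructed = read_header(der, pos, end)
            if constructed:                   # keep the header, descend into the value
                out.append(der[pos:pos + hdr])
                walk(pos + hdr, pos + hdr + length)
            else:
                out.append(der[pos:pos + hdr + length])
            pos += hdr + length
    walk(0, len(der))
    return out

class CertStore:
    def __init__(self):
        self.units = []      # global index -> fragment bytes, each stored once
        self.by_hash = {}    # SHA-256 of a fragment -> its global index
        self.certs = {}      # name -> (index sequence, SHA-256 of the full DER)

    def store(self, name, der):
        seq = []
        for frag in split_fragments(der):
            digest = hashlib.sha256(frag).digest()
            idx = self.by_hash.get(digest)
            if idx is None:                   # first copy is the stored "valid" fragment
                idx = len(self.units)
                self.units.append(frag)
                self.by_hash[digest] = idx
            seq.append(idx)                   # redundant copies only add a position
        self.certs[name] = (seq, hashlib.sha256(der).digest())

    def read(self, name):
        seq, digest = self.certs[name]
        der = b"".join(self.units[i] for i in seq)
        # The CA signature covers the exact DER bytes, so refuse anything else.
        if hashlib.sha256(der).digest() != digest:
            raise ValueError("reassembled certificate differs from the stored original")
        return der

def tlv(tag, value):
    """Encode one DER TLV (used only to build the constructed sample input)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value

def sample_cert(subject_cn, serial):
    """Constructed certificate-shaped DER: serial, algorithm, issuer, subject, signature."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    def name(cn):
        atv = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, cn.encode()))
        return tlv(0x30, tlv(0x31, atv))
    tbs = tlv(0x30, tlv(0x02, bytes([serial])) + alg + name("Example Root CA") + name(subject_cn))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes([serial]) * 200))

if __name__ == "__main__":
    store = CertStore()
    for cn, serial in (("Example Root CA", 1), ("leaf.example.test", 2)):
        store.store(cn, sample_cert(cn, serial))
        print(cn, "index sequence:", store.certs[cn][0])
    print("stored bytes:", sum(len(u) for u in store.units))
```

The second certificate reuses the issuer name and algorithm identifier already stored for the first, so only its new fragments add data units.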
CN201410077035.5A 2014-03-04 2014-03-04 Digital certificate store method, system and digital certificate read method and system Active CN103885723B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410077035.5A CN103885723B (en) 2014-03-04 2014-03-04 Digital certificate store method, system and digital certificate read method and system

Publications (2)

Publication Number Publication Date
CN103885723A CN103885723A (en) 2014-06-25
CN103885723B true CN103885723B (en) 2017-06-06

Family

ID=50954643

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410077035.5A Active CN103885723B (en) 2014-03-04 2014-03-04 Digital certificate store method, system and digital certificate read method and system

Country Status (1)

Country Link
CN (1) CN103885723B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 528200 science and technology road, Nanhai Software Science Park, Nanhai Town, Nanhai District, Foshan, Guangdong

Applicant after: Age of security Polytron Technologies Inc

Address before: 528200 science and technology road, Nanhai Software Science Park, Nanhai Town, Nanhai District, Foshan, Guangdong

Applicant before: Guangdong Certificate Authority Center Co., Ltd.

COR Change of bibliographic data
GR01 Patent grant