CN107911222B - Digital signature generating method, digital signature verifying method, digital signature generating apparatus, digital signature verifying apparatus, and storage medium storing digital signature verifying program - Google Patents
Digital signature generating method, digital signature verifying method, digital signature generating apparatus, digital signature verifying apparatus, and storage medium storing digital signature verifying program Download PDFInfo
- Publication number
- CN107911222B CN107911222B CN201711178114.5A CN201711178114A CN107911222B CN 107911222 B CN107911222 B CN 107911222B CN 201711178114 A CN201711178114 A CN 201711178114A CN 107911222 B CN107911222 B CN 107911222B
- Authority
- CN
- China
- Prior art keywords
- digital
- digital signature
- digital certificate
- path
- signature
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3249—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
Abstract
The invention discloses a digital signature generation method and equipment, a digital signature verification method and equipment and a computer readable storage medium. The digital signature generation method comprises the following steps: the method comprises the steps of obtaining first target data and a path of a digital certificate corresponding to the first target data, calculating first abstract information of the first target data, generating a message abstract according to the first abstract information and the path of the digital certificate, and carrying out digital signature on the message abstract through a private key corresponding to a public key in the digital certificate. According to the technical scheme, the digital signature can be verified after the digital certificate is acquired through the added path during verification, so that the digital signature data volume can be reduced without directly adding the digital certificate in the digital signature, the verification and transmission speed of the digital signature is accelerated, and the occupied space and the power consumption during application of the digital signature are reduced.
Description
Technical Field
The present invention relates to the field of digital signature technology, and in particular, to a digital signature generation method and apparatus, a digital signature verification method and apparatus, and a computer-readable storage medium. .
Background
Digital signatures are the use of digital certificates to sign data or documents and can be used to prove the integrity of the data or documents and to prove the identity of the data signer.
The public key certificate of a signer is required to be verified for verifying the digital signature, and the application of the current digital signature standard is to embed a certificate chain of a signature certificate in the signature, so that the signature data is up to 6 kbytes, which is not a problem for the file signature in the PC era, but is a relatively large data load in the mobile internet era. The digital signature is widely applied to various applications of the mobile internet, and the traditional digital signature verification method based on the PC era not only wastes the flow of a mobile user, but also occupies the resources of a CPU (central processing unit) and a storage space of the mobile phone of the user, causes the increase of the power consumption of the mobile phone and reduces the standby time.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide a digital signature generation method, aiming at reducing the data volume of a digital signature, thereby accelerating the speed of verification and transmission of the digital signature and reducing the occupied space and the power consumption when the digital signature is applied.
In order to achieve the above object, the present invention provides a digital signature generation method, including:
acquiring first target data and a path of a digital certificate corresponding to the first target data;
calculating first summary information of the first target data;
generating a message abstract according to the first abstract information and the path of the digital certificate;
and digitally signing the message digest through a private key corresponding to the public key in the digital certificate.
Preferably, the step of generating a message digest according to the first digest information and the path of the digital certificate includes:
generating a summary attribute according to the first summary information, and generating a path attribute according to the path of the digital certificate;
constructing a signature attribute set according to the abstract attribute and the path attribute;
and generating the message abstract according to the signature attribute set.
Preferably, before the step of obtaining the first target data and the path of the digital certificate corresponding to the first target data, the method further includes:
acquiring the digital certificate and generating a path of the digital certificate;
storing the digital certificate in a path of the digital certificate.
Preferably, the step of generating the path of the digital certificate comprises:
extracting identification information of the digital certificate;
and generating a path of the digital certificate according to the identification information.
Further, to achieve the above object, the present invention provides a digital signature generation apparatus, characterized in that the digital signature generation apparatus includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and the computer program, when executed by the processor, implements the steps of the digital signature generation method according to any one of the above.
Further, to achieve the above object, the present invention provides a computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a digital signature verification program, which when executed by a processor, implements the steps of the digital signature generation method as described in any one of the above.
Further, to achieve the above object, the present invention also provides a digital signature verification method, based on a digital signature generated by the digital signature generation method as described in any one of the above, the digital signature verification method including the steps of:
acquiring the digital signature;
extracting a message abstract in the digital signature;
analyzing a path signature attribute set of a digital certificate in the message abstract in the digital signature; the signature attribute set is constructed by abstract attributes and path attributes, the abstract attributes are generated according to first abstract information obtained by calculation of first target data, and the path attributes are generated according to paths of digital certificates;
analyzing the signature attribute set to obtain a path of the digital certificate; acquiring a corresponding digital certificate according to the path of the digital certificate;
and verifying the digital signature by using the digital certificate.
Preferably, the step of resolving the path of the digital certificate in the digital signature comprises:
analyzing the signature attribute set of the digital signature;
analyzing a characteristic field of a path of the digital certificate in a data structure of the signature attribute set;
extracting a path of the digital certificate from the feature field.
Preferably, before the step of verifying the digital signature using the digital certificate, the method further includes:
obtaining second target data associated with the digital signature;
calculating second abstract information of the second target data, analyzing and extracting first abstract information in the signature attribute set;
judging whether the second abstract information is consistent with the first abstract information;
if yes, executing the step of verifying the digital signature by applying the digital certificate;
if not, outputting the result of failed verification.
Preferably, the step of obtaining the corresponding digital certificate according to the path of the digital certificate includes:
judging whether the local server has the digital certificate or not according to the path of the digital certificate;
if yes, acquiring the digital certificate from the local server;
and if the digital certificate does not exist, acquiring the digital certificate from a remote server according to the path of the digital certificate.
Further, in order to achieve the above object, the present invention provides a digital signature verification apparatus, characterized in that the digital signature verification apparatus includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and the computer program realizes the steps of the digital signature verification method according to any one of the above when executed by the processor.
Further, to achieve the above object, the present invention provides a computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a digital signature verification program, which when executed by a processor, implements the steps of the digital signature verification method as described in any one of the above.
According to the digital signature generation method provided by the embodiment of the invention, the path of the digital certificate is added in the digital signature, so that the digital signature can be verified after the digital certificate is acquired through the added path during verification, the digital certificate does not need to be directly added in the digital signature, and the reduction of the data volume of the digital signature is realized, thereby the speed of verifying and transmitting the digital signature is accelerated, and the occupied space and the power consumption during application of the digital signature are reduced.
Drawings
Fig. 1 is a schematic device structure diagram of a hardware operating environment related to a digital signature generation method scheme according to an embodiment of the present invention;
FIG. 2 is a schematic device structure diagram of a hardware operating environment related to a digital signature verification method scheme according to an embodiment of the present invention;
FIG. 3 is a first flowchart of a digital signature generation method according to an embodiment of the present invention;
FIG. 4 is a second flowchart of a digital signature generation method according to an embodiment of the present invention;
fig. 5 is a schematic diagram of a third flow of a digital signature generation method according to an embodiment of the present invention;
FIG. 6 is a first flowchart of a digital signature verification method according to an embodiment of the invention;
FIG. 7 is a second flowchart of a digital signature verification method according to an embodiment of the invention;
FIG. 8 is a third flowchart of a digital signature verification method according to an embodiment of the present invention;
fig. 9 is a fourth flowchart illustrating a digital signature verification method according to an embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The main solution of the embodiment of the invention is as follows: the method comprises the steps of obtaining first target data and a path of a digital certificate corresponding to the first target data, calculating first abstract information of the first target data, generating a message abstract according to the first abstract information and the path of the digital certificate, and carrying out digital signature on the message abstract through a private key corresponding to a public key in the digital certificate.
Because the certificate chain of the signature certificate is embedded in the signature in the prior art, the signature data volume is large, and a large data load is caused to the transmission and application of the digital signature.
The invention provides a solution, which enables a digital signature to be verified after acquiring the digital certificate through an added path when the digital signature is verified by adding the path of the digital certificate in the digital signature, and enables the digital signature to be free from directly adding the digital certificate so as to reduce the data volume of the digital signature, thereby accelerating the speed of verifying and transmitting the digital signature and reducing the occupied space and the power consumption when the digital signature is applied.
As shown in fig. 1 and fig. 2, fig. 1 is a schematic device structure diagram of a hardware operating environment related to a digital signature generation method according to an embodiment of the present invention, and fig. 2 is a schematic device structure diagram of a hardware operating environment related to a digital signature verification method according to an embodiment of the present invention.
The digital signature generation method and the digital signature verification method in the embodiment of the invention are suitable for all scenes of digital signature service, and simultaneously support PC application, mobile application and Internet of things application, such as RFC3161 timestamp service, code signature application, document signature application, equipment communication signature application and the like.
The device for operating the digital signature generation method or the digital signature verification method of the embodiment of the invention can comprise: a processor 1001 such as a CPU, a network interface 1002, a memory 1003, and a communication bus 1004. Wherein a communication bus 1004 is used to enable connective communication between these components. The network interface 1002 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1003 may be a high-speed RAM memory or a non-volatile memory (e.g., a disk memory). The memory 1003 may be a built-in storage device of the apparatus, or may be a storage device which is independent of the apparatus and connected to the apparatus. The network interface 1002 is mainly used for connecting a network and performing data communication with other servers through the network.
Those skilled in the art will appreciate that the device configurations illustrated in fig. 1 and 2 do not constitute limitations on the devices, and may include more or fewer components than those illustrated, or some components may be combined, or a different arrangement of components.
As shown in fig. 1, when the apparatus is used for digital signature generation, an operating system, a network communication module, and a digital signature generation program may be included in the memory 1003 as a kind of computer storage medium. The processor 1001 may be configured to call the digital signature generation program stored in the memory 1003, and perform the operations of the steps of the digital signature generation method in the following embodiments. Specifically, the computer-readable storage medium may be a removable storage device such as a usb disk or a removable storage hard disk, or may be a memory built in each digital signature generation device.
As shown in fig. 2, when the apparatus is used for digital signature verification, an operating system, a network communication module, and a digital signature verification program may be included in the memory 1003 as a kind of computer storage medium. The processor 1001 may be configured to call a digital signature verification program stored in the memory 1003, and perform the operations of the steps of the digital signature verification method in the following embodiments. Specifically, the computer-readable storage medium may be a removable storage device such as a usb disk or a removable storage hard disk, or may be a memory built in each digital signature generation device.
In actual use, a user may store the digital signature generation program or the digital signature verification program in a computer storage medium of the device or a computer storage medium externally disposed on and connected to the device according to actual needs, so that the device may execute the steps of the digital signature generation method or the digital signature verification method. In addition, the computer storage medium of the same device can simultaneously store the generation and verification programs of the digital signature, so that the device can simultaneously have the functions of executing the steps of the digital signature generation method or the digital signature verification method. Specifically, the digital signature generation device or the digital signature verification device may be all devices that need to perform digital signature generation or digital signature verification, such as a mobile phone, a computer, a tablet computer, a delivery terminal (e.g., a teller machine, etc.).
Referring to fig. 3, an embodiment of the present invention provides a digital signature generation method, where the digital signature generation method includes:
step S10, acquiring the first target data and the path of the digital certificate corresponding to the first target data;
before generating the digital signature, paths of the digital certificate can be created and stored, one path corresponds to a unique digital certificate for digital signature, the digital certificate comprises a public key corresponding to a private key for signing the first target data, and the corresponding digital certificate can be obtained from a network according to the path of the digital certificate. The path may be stored separately or as an attribute of the digital certificate. The path may be based on the user's needs to access the address under different protocols, and particularly may be preferably based on the URL address of the hypertext transfer protocol, such as:
http:// aia. wotrus. com/ts/77167C0042400E66C9937539CC2CV806.cer is convenient for all networked digital signature service applications to acquire the digital certificate, so that the acquisition of the digital certificate has wide applicability.
When generating the digital signature, a path of first target data to be digitally signed and a digital certificate corresponding to the first target data is acquired. When a device generates a digital signature for data of a specific user, and a unique digital certificate path is pre-stored, the path of the digital certificate corresponding to the first target data can be directly acquired. Because the same device may perform data signing on multiple types of first target data, for example, when different users use the same computer to sign files thereof, different first target data may need different digital certificates to perform signing, and the device may pre-store paths of multiple digital certificates correspondingly, when the paths of the first target data and the digital certificates are not uniquely determined and cannot be directly acquired, the device may select a path for acquiring a corresponding digital certificate according to the first target data after acquiring the first target data, so as to facilitate the device to perform digital signing on different first target data.
When the path is the attribute information of the digital certificate, the path of the digital certificate can be obtained by analyzing the attribute information of the digital certificate after the digital certificate is obtained. And after the digital certificate is acquired according to the path, the path of the digital certificate is locally stored to the attribute information of the digital certificate, so that the digital certificate can be distinguished and applied subsequently.
Step S20, calculating first summary information of the first target data;
first summary information is obtained by calculating first target data (such as pictures, files, messages and the like) needing digital signatures through a message summary algorithm, such as an MD5 algorithm or an SHA algorithm, and the obtained first summary information is specifically represented as DER codes. The first summary information characterizes the primary content of the first target data.
Step S30, generating a message abstract according to the first abstract information and the path of the digital certificate;
and generating a DER encoding result according to the digest of the first target data and the path of the digital certificate. Specifically, in addition to the digest of the first target data and the path of the digital certificate, the DER encoding result may be generated in combination with attribute information related to the first target data, such as a signature time. And calculating the DER encoding result containing the digital certificate path through a Hash algorithm to obtain the message digest of the digital signature. The message abstraction means that the one-way hash function algorithm calculates an input message with any length to obtain a fixed-bit output for checking whether the first target data is correct and complete.
And step S40, digitally signing the message digest through a private key corresponding to the public key in the digital certificate.
After the message digest including the digital certificate path is generated, the message digest is signed by using a private key corresponding to the public key of the digital certificate in the added path to ensure the reliability of the path, and specifically, an ECC or SM2 encryption algorithm with a short secret key amount can be adopted.
In the scheme of the embodiment of the invention, the message digest is generated according to the first digest information of the first target data and the path of the digital certificate, so that the digital signature can be verified after the digital certificate is remotely acquired by analyzing the path of the digital certificate in the digital signature, the digital signature can be verified without directly adding the digital certificate, the data volume of the digital signature is reduced, the verification and transmission speed of the digital signature is increased, and the occupied space and the power consumption of the digital signature in application are reduced.
Specifically, referring to fig. 4, the step of generating the first digest information of the message digest according to the first digest information and the path of the digital certificate includes:
step S31, generating abstract attribute according to the first abstract information, and generating path attribute according to the path of the digital certificate;
step S32, constructing a signature attribute set according to the abstract attribute and the path attribute;
and step S33, generating the message abstract according to the signature attribute set.
When the path of the digital certificate, the signature time and other attribute information of the digital signature are not required to be added, the message digest of the digital signature can be directly obtained by calculating the first digest information. In order to further meet the user requirements, in the process of generating the digital signature, when attribute information of the digital signature, such as a path of a digital certificate, signature time and the like, is required to be added to the main content of the first target data to generate the digital signature, a signature attribute set is constructed first, wherein the signature attribute set is a set of various attribute values representing the digital signature, such as the path, the time, the type, the content and the like of the digital signature, specifically, preset parameters in a system, and parameters can also be set for the acquired user. In the process of constructing the signature attribute set, the first summary information obtained by calculation can be used as the summary attribute in the signature attribute set, the path of the digital certificate to be added is used for generating the path extension attribute, in addition, other attribute information of the digital signature can be obtained according to the actual use requirement to generate the relevant attribute of the first target data, all the attributes of the summary attribute, the path extension attribute and the relevant attribute of the first target data are integrated together in a DER coding mode to form the signature attribute set, the message summary is generated according to the signature attribute set, and the path of the digital certificate used for verifying the digital signature can be added into the digital signature by carrying out digital signature on the message summary.
Specifically, in order to meet the communication industry standard and improve the general applicability of the digital signature generation method and the digital signature verification method of the present invention, the data structure of the signature attribute set includes key attribute values such as contentType, messageDigest, and other non-key extended attributes that need to be added, and each attribute value has ASN data defined by itself. Wherein the messageDigest value is a generated extension field calculated according to the related data structure defined by the standard and the first target data, and the contentType is an extension field (such as a timestamp, a Microsoft code, etc.) generated according to the related data structure defined by the standard and information related to the first target data type; the non-critical extended attribute can be added according to actual requirements, and the specific path attribute as the non-critical extended attribute can be preferably an AIA extended attribute. The AIA extension is a non-key extension in certificate extension items in the national communication industry standard and is used for formulating methods for obtaining other CA information.
Specifically, the step of generating the path extension attribute according to the path of the digital certificate may specifically be: the path of the digital certificate (such as:
http://aia.wotrus.com/ts/77167C0042400E66C9937539CC2CV806.cer)
the addition to the asn.1 structure of the AIA extension defined by the communications industry standards generates AIA extension fields containing digital certificate paths, such as:
access signer credential Access (1.3.6.1.4.1.50570.2.8)
Alternative Name:
URL=http://aia.wotrus.com/ts/77167C0042400E66C9937539CC2CV806.cer
After generating the AIA extension field containing the digital certificate path, the AIA extension field is added to the ASN data structure of the first digest information of the signature attribute set.
Specifically, referring to fig. 5, before the step of obtaining the first target data and the path of the digital certificate corresponding to the first target data, the method further includes:
step S01, obtaining the digital certificate and generating the path of the digital certificate;
step S02, storing the digital certificate in the path of the digital certificate.
Before digitally signing the first target data, a digital certificate for digitally signing the first target data may be acquired and a path of the digital certificate may be generated, and the digital certificate may be stored in the corresponding path. Specifically, the digital certificate may be uploaded to a server, the server generates a path accessible to the digital certificate, and stores the digital certificate in the generated path. The paths can be various according to actual conditions, and only one path is required to be corresponding to one certificate.
Specifically, the step of generating the path of the digital certificate comprises
Step S001, extracting the identification information of the digital certificate;
and step S002, generating a path of the digital certificate according to the identification information.
After the digital certificate is acquired, the digital certificate can be analyzed to obtain identification information of the digital certificate, wherein the identification information is characteristic information for distinguishing the digital certificate from other digital certificates, such as serial numbers of the certificate. When the digital certificate path is generated, the identification information is added to the path and can be used as the identification of the digital certificate. "77167C 0042400E66C9937539CC2CV 806" in the path http:// aia. wotrus. com/ts/77167C0042400E66C9937539C 2CV806.cer is the number of the digital certificate.
An embodiment of the present invention further provides a digital signature verification method, based on a digital signature generated by the digital signature generation method in the foregoing embodiment, as shown in fig. 6, the digital signature verification method includes the following steps:
step S100, acquiring the digital signature;
step S200, analyzing the path of the digital certificate in the digital signature;
step S300, acquiring a corresponding digital certificate according to the path of the digital certificate;
step S400, the digital signature is verified by using the digital certificate.
When a security file using a digital signature needs to be verified, extracting the digital signature of the file, extracting a message digest in the digital signature, analyzing the message digest to obtain various signature attributes in a signature attribute set, and identifying a path of a digital certificate in a data structure of the signature attribute set, such as: http:// aia. wotrus. com/ts/77167C0042400E66C9937539CC2CV806. cer. And acquiring the corresponding digital certificate from the local server or the remote server according to the obtained path. And after the digital certificate is obtained, verifying the digital signature by using a public key in the digital certificate, if the signature value in the digital certificate is consistent with the signature value in a signature attribute set data structure in the digital signature, the verification is passed, and if the signature value in the digital certificate is not consistent with the signature value in the signature attribute set data structure in the digital signature, the verification is not passed.
Specifically, as shown in fig. 7, the step of parsing the path of the digital certificate in the digital signature includes:
step S210, analyzing the signature attribute set of the digital signature;
step S220, analyzing the characteristic field of the path of the digital certificate in the data structure of the signature attribute set;
step S230, extracting a path of the digital certificate from the feature field.
The digital certificate path acquisition specifically comprises: analyzing the message abstract of the digital signature to obtain an ASN data structure of a signature attribute set, identifying a characteristic field of a path of the digital certificate from the data structure according to a preset protocol, wherein the preset protocol is a communication protocol agreed by a digital signature generator and a digital signature verifier, and when both parties follow a communication industry protocol, the characteristic field can be preferably an AIA extension field. The characteristic field is identified and the path of the digital certificate in the process is extracted.
In order to facilitate the user to use again, the digital signature verification method further comprises the following steps:
step S500, after the digital signature passes the verification, the digital certificate is stored in a local server.
The digital certificate is acquired from the remote server, and after the digital signature is verified by using the digital certificate acquired through the address, the acquired digital certificate can be stored in the local server, wherein the file name of the digital certificate can be named by the path of the digital certificate directly; or naming the digital certificate according to the identification information obtained by path analysis; the attribute information of the acquired digital certificate can be analyzed, and the attribute information of the digital certificate different from other certificates is used as a stored file name, so that the attribute information of the digital certificate is convenient to distinguish when a plurality of digital certificates are stored in the same equipment. Further, since there may be a case where the same device uses the same digital certificate multiple times, when the digital certificate is saved, it may be determined whether the digital certificate already exists in the local server, and specifically, a file name may be searched using the identification information of the certificate.
In the scheme of the embodiment of the invention, the digital signature verification method is provided, when the digital signature is verified, the corresponding digital certificate is obtained according to the path of the digital certificate analyzed in the training signature, and the obtained digital certificate is used for verification, so that the digital signature verification equipment obtains a small amount of digital signature data, the digital signature verification speed is accelerated, and the occupied space of the digital signature on the equipment and the power consumption during verification are reduced.
Specifically, in the security application of digital signature, after the digital signature pair is used for signature, the digital signature and the first target data together form a security file. When the security file is transmitted, if the data in the security file is modified, the first target data when the security file is generated and the second target data when the security file is verified are inconsistent. Therefore, in order to guarantee the integrity of the data, when the security document is verified, the verification of the digital signature is associated with the verification of the second target data, and therefore, referring to fig. 9, before the step of obtaining the corresponding digital certificate according to the path of the digital certificate, the method further includes:
step S600, acquiring second target data associated with the digital signature;
and extracting second target data from the file using the digital signature, wherein the second target data is the data signed by using the digital signature in the security file, and the second target data is associated with the digital signature. In addition, in actual execution, step S600 and step S100 do not have a definite sequence, and may be performed simultaneously.
Step S700, calculating second abstract information of the second target data, analyzing and extracting first abstract information in the signature attribute set;
and after the signature attribute set in the digital signature is obtained through analysis, the signature attribute set is analyzed, and the first digest information obtained during the generation of the digital signature is extracted. It should be noted that the parsing of the first digest and the parsing of the feature field of the path of the digital certificate have no explicit order.
Step S800, judging whether the second abstract information is consistent with the first abstract information; if yes, executing step S400, otherwise executing step S900;
and step S900, outputting a result of failed verification.
Comparing whether the first abstract information is consistent with the second abstract information, when the first abstract information is consistent with the second abstract information, judging that the second target data is consistent with the first target data for generating the digital signature, after the consistency of the target data is ensured, further using the method mentioned in the embodiment to verify the digital signature by using the digital certificate obtained through the path of the digital certificate, when the first abstract information is inconsistent with the second abstract information, considering that the second target data is inconsistent with the first target data for generating the digital signature, and the second target data is the data after being deleted, directly outputting a result of failed verification in digital signature verification equipment, and needing not to use the digital certificate to verify the digital signature, so as to meet the security requirement when the digital signature is used for signing the data. It should be noted that, the step of obtaining the corresponding digital certificate according to the path of the digital certificate is performed before or after the second digest information is verified, and there is no clear sequence.
By the method, the integrity of the target data acquired by the digital signature verification device can be ensured when the digital signature is used for signature application of the target data.
Further, since the digital certificate can be stored in the local server, referring to fig. 8, the step of obtaining the corresponding digital certificate according to the path of the digital certificate includes:
step S310, judging whether the local server has the digital certificate according to the path of the digital certificate;
if yes, go to step S320, if not, go to step S330,
step S320, acquiring the digital certificate from the local server;
step S330, the digital certificate is obtained from a remote server according to the path of the digital certificate.
When the digital certificate is acquired, firstly, whether the digital certificate corresponding to the path of the digital certificate exists in the local server or not can be judged, if the digital certificate exists, the digital certificate can be directly acquired from the local server for verification of the digital signature, and if the digital certificate does not exist, the digital certificate is acquired from the remote server according to the path of the digital certificate.
Specifically, the step of determining whether the local server has the digital certificate according to the path of the digital certificate includes:
step S311, analyzing the identification information of the digital certificate in the path of the digital certificate;
step S312, finding whether the local server has the digital certificate according to the identification information.
After the path of the digital certificate is obtained, the path of the digital certificate is analyzed to obtain the identification information of the digital certificate in the path, whether a file matched with the identification information exists in the local server or not is searched according to the identification information, and the matched file is the digital certificate to be obtained.
It should be noted that the digital certificate is used to identify and distinguish the characteristic information of the digital certificate when the digital certificate is stored in the local server, and the characteristic information used to determine whether the corresponding digital certificate exists in the local server after the path of the digital certificate is acquired is corresponding.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
Claims (11)
1. A digital signature generation method, characterized by comprising the steps of:
acquiring first target data and a path of a digital certificate corresponding to the first target data;
calculating first summary information of the first target data;
generating a message abstract according to the first abstract information and the path of the digital certificate;
digitally signing the message digest through a private key corresponding to a public key in the digital certificate;
the step of generating the message digest according to the first digest information and the path of the digital certificate includes:
generating a summary attribute according to the first summary information, and generating a path attribute according to the path of the digital certificate;
constructing a signature attribute set according to the abstract attribute and the path attribute;
and generating the message abstract according to the signature attribute set.
2. The method for generating a digital signature according to claim 1, wherein the step of obtaining the path of the first target data and the corresponding digital certificate further comprises:
acquiring the digital certificate and generating a path of the digital certificate;
storing the digital certificate in a path of the digital certificate.
3. The digital signature generation method of claim 2, wherein the step of generating the path of the digital certificate comprises:
extracting identification information of the digital certificate;
and generating a path of the digital certificate according to the identification information.
4. A digital signature generation device, characterized in that it comprises a memory, a processor and a computer program stored on said memory and executable on said processor, said computer program, when executed by said processor, implementing the steps of the digital signature generation method according to any one of claims 1 to 3.
5. A computer-readable storage medium, characterized in that a digital signature generation program is stored thereon, which when executed by a processor implements the steps of the digital signature generation method according to any one of claims 1 to 3.
6. A digital signature verification method based on a digital signature generated by the digital signature generation method according to any one of claims 1 to 3, characterized by comprising the steps of:
acquiring the digital signature;
extracting a message abstract in the digital signature;
analyzing a signature attribute set in the message abstract; the signature attribute set is constructed by abstract attributes and path attributes, the abstract attributes are generated according to first abstract information obtained by calculation of first target data, and the path attributes are generated according to paths of digital certificates;
analyzing the signature attribute set to obtain a path of the digital certificate;
acquiring a corresponding digital certificate according to the path of the digital certificate;
and verifying the digital signature by using the digital certificate.
7. The digital signature verification method of claim 6, wherein the step of parsing the set of signature attributes to obtain the path of the digital certificate comprises:
analyzing a characteristic field of a path of the digital certificate in a data structure of the signature attribute set;
extracting a path of the digital certificate from the feature field.
8. The digital signature verification method of claim 7, wherein the step of verifying the digital signature using the digital certificate is preceded by:
obtaining second target data associated with the digital signature;
calculating second abstract information of the second target data, analyzing and extracting first abstract information in the signature attribute set;
judging whether the second abstract information is consistent with the first abstract information;
if yes, executing the step of verifying the digital signature by applying the digital certificate;
if not, outputting the result of failed verification.
9. The digital signature verification method of claim 8, wherein the step of obtaining the corresponding digital certificate according to the path of the digital certificate comprises:
judging whether the local server has the digital certificate or not according to the path of the digital certificate;
if yes, acquiring the digital certificate from the local server;
and if the digital certificate does not exist, acquiring the digital certificate from a remote server according to the path of the digital certificate.
10. A digital signature verification device, characterized in that it comprises a memory, a processor and a computer program stored on said memory and executable on said processor, said computer program, when executed by said processor, implementing the steps of the digital signature verification method according to any one of claims 6 to 9.
11. A computer-readable storage medium, characterized in that a digital signature verification program is stored thereon, which when executed by a processor implements the steps of the digital signature verification method according to any one of claims 6 to 9.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201711178114.5A CN107911222B (en) | 2017-11-21 | 2017-11-21 | Digital signature generating method, digital signature verifying method, digital signature generating apparatus, digital signature verifying apparatus, and storage medium storing digital signature verifying program |
| PCT/CN2017/120026 WO2019100531A1 (en) | 2017-11-21 | 2017-12-29 | Digital signature generation method and device thereof, verification method and device thereof, and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201711178114.5A CN107911222B (en) | 2017-11-21 | 2017-11-21 | Digital signature generating method, digital signature verifying method, digital signature generating apparatus, digital signature verifying apparatus, and storage medium storing digital signature verifying program |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN107911222A CN107911222A (en) | 2018-04-13 |
| CN107911222B true CN107911222B (en) | 2020-08-28 |
Family
ID=61847180
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201711178114.5A Active CN107911222B (en) | 2017-11-21 | 2017-11-21 | Digital signature generating method, digital signature verifying method, digital signature generating apparatus, digital signature verifying apparatus, and storage medium storing digital signature verifying program |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN107911222B (en) |
| WO (1) | WO2019100531A1 (en) |
Families Citing this family (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108683507B (en) * | 2018-05-03 | 2021-06-29 | 湖南东方华龙信息科技有限公司 | Method for verifying integrity of cloud certificate through traceable linked list |
| CN108764867A (en) * | 2018-05-24 | 2018-11-06 | 北京比特大陆科技有限公司 | A kind of method and apparatus for realizing Transaction Information verification |
| CN108846650A (en) * | 2018-05-24 | 2018-11-20 | 北京比特大陆科技有限公司 | A kind of method and apparatus for realizing Transaction Information verifying |
| CN108764921A (en) * | 2018-05-24 | 2018-11-06 | 北京比特大陆科技有限公司 | A kind of method and apparatus for realizing Transaction Information verification |
| CN108764869A (en) * | 2018-05-28 | 2018-11-06 | 北京比特大陆科技有限公司 | A kind of encrypted method and apparatus of realization Transaction Information |
| CN110825918B (en) * | 2018-07-23 | 2023-01-13 | 中国移动通信有限公司研究院 | Method and device for acquiring and storing digital certificate |
| CN109889325B (en) * | 2019-01-21 | 2023-06-02 | Oppo广东移动通信有限公司 | Verification method, verification device, electronic equipment and medium |
| CN110009342B (en) * | 2019-02-22 | 2023-07-07 | 创新先进技术有限公司 | Data sending and receiving method and device and electronic equipment |
| CN110753257A (en) * | 2019-10-14 | 2020-02-04 | 深圳创维-Rgb电子有限公司 | Data display method, display terminal, server, display system, and storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101488169A (en) * | 2008-01-18 | 2009-07-22 | 富士施乐株式会社 | Information processing apparatus, information processing system, information processing method, computer-readable medium and computer data signal |
| CN104683306A (en) * | 2013-12-03 | 2015-06-03 | 中国人民公安大学 | Safe and controllable internet real-name certification mechanism |
| CN104901931A (en) * | 2014-03-05 | 2015-09-09 | 财团法人工业技术研究院 | certificate management method and device |
| CN106888094A (en) * | 2017-02-16 | 2017-06-23 | 中国移动通信集团公司 | A kind of endorsement method and server |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070277037A1 (en) * | 2001-09-06 | 2007-11-29 | Randy Langer | Software component authentication via encrypted embedded self-signatures |
| KR100755683B1 (en) * | 2003-05-07 | 2007-09-05 | 삼성전자주식회사 | A method for verificating the integrity of coded contents and authenticating the contents provider |
| CN104410635B (en) * | 2014-11-27 | 2017-10-31 | 中国科学院计算机网络信息中心 | A kind of NDN safety certifying methods based on DANE |
| CN106685641A (en) * | 2016-12-23 | 2017-05-17 | 光锐恒宇(北京)科技有限公司 | Installation package signature method and device |
| CN106789091B (en) * | 2017-02-24 | 2020-02-21 | 中金金融认证中心有限公司 | Method and device for realizing Open XML document digital signature and signature verification |
-
2017
- 2017-11-21 CN CN201711178114.5A patent/CN107911222B/en active Active
- 2017-12-29 WO PCT/CN2017/120026 patent/WO2019100531A1/en active Application Filing
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101488169A (en) * | 2008-01-18 | 2009-07-22 | 富士施乐株式会社 | Information processing apparatus, information processing system, information processing method, computer-readable medium and computer data signal |
| CN104683306A (en) * | 2013-12-03 | 2015-06-03 | 中国人民公安大学 | Safe and controllable internet real-name certification mechanism |
| CN104901931A (en) * | 2014-03-05 | 2015-09-09 | 财团法人工业技术研究院 | certificate management method and device |
| CN106888094A (en) * | 2017-02-16 | 2017-06-23 | 中国移动通信集团公司 | A kind of endorsement method and server |
Also Published As
| Publication number | Publication date |
|---|---|
| CN107911222A (en) | 2018-04-13 |
| WO2019100531A1 (en) | 2019-05-31 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107911222B (en) | Digital signature generating method, digital signature verifying method, digital signature generating apparatus, digital signature verifying apparatus, and storage medium storing digital signature verifying program | |
| CN109639661B (en) | Server certificate updating method, device, equipment and computer readable storage medium | |
| CN109951435B (en) | Equipment identifier providing method and device and risk control method and device | |
| CN107888656B (en) | Calling method and calling device of server-side interface | |
| CN105306534A (en) | Information verification method based on open platform and open platform | |
| CN104468531A (en) | Authorization method, device and system for sensitive data | |
| CN109347620B (en) | Sample alignment method, system and computer readable storage medium | |
| CN110888838A (en) | Object storage based request processing method, device, equipment and storage medium | |
| CN110708335A (en) | Access authentication method and device and terminal equipment | |
| CN113225324B (en) | Block chain anonymous account creation method, system, device and storage medium | |
| CN111259217A (en) | Invoice archiving method and device and computer readable storage medium | |
| CN105162604A (en) | Feature image identification based verification method and system, and verification server | |
| CN111310233A (en) | Application interface display method, device, equipment and storage medium | |
| CN108092947B (en) | Method and device for identity authentication of third-party application | |
| CN112966308A (en) | Software delivery method, processing device and storage medium | |
| CN108574658B (en) | Application login method and device | |
| CN114745681B (en) | Rich media information display method, rich media information display equipment and computer storage medium | |
| CN114422586B (en) | Event notification method, event notification device, computer equipment and storage medium | |
| CN113806815B (en) | File signing method and system | |
| CN104951715A (en) | Information processing method and electronic equipment | |
| CN115361376A (en) | Government affair file uploading method and device, electronic equipment and storage medium | |
| CN111324914B (en) | File transmission method, device, server, equipment and medium | |
| CN111104629B (en) | Verification method and device of dynamic two-dimensional code | |
| CN110650014B (en) | Signature authentication method, system, equipment and storage medium based on hessian protocol | |
| CN109005105B (en) | Method and device for generating mail with recorded sender position information and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |