CN108365962B - Certificate revocation list query method and device - Google Patents

Certificate revocation list query method and device Download PDF

Info

Publication number
CN108365962B
CN108365962B CN201810003002.4A CN201810003002A CN108365962B CN 108365962 B CN108365962 B CN 108365962B CN 201810003002 A CN201810003002 A CN 201810003002A CN 108365962 B CN108365962 B CN 108365962B
Authority
CN
China
Prior art keywords
certificate
serial number
crl
queried
file
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810003002.4A
Other languages
Chinese (zh)
Other versions
CN108365962A (en
Inventor
赵剑竹
张庆勇
王翊心
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Infosec Technologies Co Ltd
Original Assignee
Beijing Infosec Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Infosec Technologies Co Ltd filed Critical Beijing Infosec Technologies Co Ltd
Priority to CN201810003002.4A priority Critical patent/CN108365962B/en
Publication of CN108365962A publication Critical patent/CN108365962A/en
Application granted granted Critical
Publication of CN108365962B publication Critical patent/CN108365962B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a method and a device for inquiring a certificate revocation list, which are used for improving the inquiring efficiency of the certificate revocation list. The certificate revocation list query method comprises the following steps: receiving a certificate revocation list query request, wherein the query request carries a serial number of a certificate to be queried; obtaining a Certificate Revocation List (CRL) file from a Lightweight Directory Access Protocol (LDAP) directory server; preprocessing each first certificate serial number contained in each acquired CRL file to obtain a corresponding second certificate serial number; recombining the second certificate serial numbers to obtain a plurality of recombined CRL files, wherein the number of the certificate serial numbers contained in each recombined CRL file is less than or equal to a first preset number; and matching the serial number of the certificate to be inquired with the recombined CRL file to obtain an inquiry result, and returning the inquiry result.

Description

Certificate revocation list query method and device
Technical Field
The invention relates to the technical field of information security and digital certificates, in particular to a certificate revocation list query method and device.
Background
CRL (Certificate Revocation List) is a structured data file in a PKI (Public Key Infrastructure) system, which contains the serial number of a Certificate that has been revoked by a CA (Certificate Authority) and its Revocation date.
At present, when inquiring whether a certificate is in a CRL to verify whether the certificate is revoked, an application program obtains a CRL file from an LDAP (Lightweight Directory Access Protocol) Directory server, and a plurality of CRL files without arrangement rules are obtained, wherein the CRL files contain serial numbers and revocation time of all certificates revoked by a current CA, and then all the CRL files are stored in a memory of the application program after being analyzed, and then the certificate is retrieved.
Therefore, how to improve the query efficiency of the certificate revocation list is one of the technical problems to be solved in the prior art.
Disclosure of Invention
The invention provides a method and a device for inquiring a certificate revocation list, which are used for improving the inquiring efficiency of the certificate revocation list.
The embodiment of the invention provides a certificate revocation list query method, which comprises the following steps:
receiving a certificate revocation list query request, wherein the query request carries a serial number of a certificate to be queried;
obtaining a Certificate Revocation List (CRL) file from a Lightweight Directory Access Protocol (LDAP) directory server;
preprocessing each first certificate serial number contained in each acquired CRL file to obtain a corresponding second certificate serial number;
recombining the second certificate serial numbers to obtain a plurality of recombined CRL files, wherein the number of the certificate serial numbers contained in each recombined CRL file is less than or equal to a first preset number;
and matching the serial number of the certificate to be inquired with the recombined CRL file to obtain an inquiry result, and returning the inquiry result.
The embodiment of the invention provides a certificate revocation list inquiry device, which comprises:
the system comprises a receiving unit, a receiving unit and a processing unit, wherein the receiving unit is used for receiving a certificate revocation list inquiry request which carries a serial number of a certificate to be inquired;
the acquisition unit is used for acquiring a Certificate Revocation List (CRL) file from a Lightweight Directory Access Protocol (LDAP) directory server;
the preprocessing unit is used for respectively preprocessing each first certificate serial number contained in each acquired CRL file to obtain a corresponding second certificate serial number;
the restructuring unit is used for restructuring each second certificate serial number to obtain a plurality of restructured CRL files, wherein the number of the certificate serial numbers contained in each restructured CRL file is less than or equal to a first preset number;
and the matching unit is used for matching the serial number of the certificate to be inquired with the recombined CRL file to obtain an inquiry result and returning the inquiry result.
The beneficial effects of the invention include:
in the method and apparatus for querying a certificate revocation list according to embodiments of the present invention, after receiving a certificate revocation list query request, a server obtains a certificate revocation list CRL file from an LDAP directory server, where the query request carries a certificate serial number to be queried, pre-processes each first certificate serial number included in each obtained CRL file to obtain a corresponding second certificate serial number, recombines each second certificate serial number to obtain a plurality of recombined CRL files, matches the certificate serial number to be queried with the recombined CRL files to obtain a query result, and returns the query result, where the number of certificate serial numbers included in each recombined CRL file is less than or equal to a first preset number, and according to the above-described procedure, after receiving the certificate revocation list query request, the server first obtains a first certificate serial number included in each CRL file without an arrangement rule from the LDAP directory server The number is preprocessed, the preprocessed second certificate serial number is recombined to obtain a new recombined CRL file, the certificate serial number to be inquired is matched with the recombined CRL file to obtain an inquiry result, and the number of the second certificate serial numbers in the recombined CRL file is not more than a certain preset number, so that the inquiry efficiency of the certificate revocation list is improved.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention and not to limit the invention. In the drawings:
fig. 1 is a schematic flow chart illustrating an implementation of a certificate revocation list query method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an implementation flow of matching a serial number of a certificate to be queried with a restructured CRL file according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a certificate revocation list query apparatus in an embodiment of the present invention.
Detailed Description
The invention provides a method and a device for inquiring a certificate revocation list, which improve the inquiring efficiency of the certificate revocation list.
The implementation principle of the certificate revocation list query method provided by the embodiment of the invention is as follows: after receiving a certificate revocation list query request, a server acquires a certificate revocation list CRL file from an LDAP directory server, wherein the query request carries a certificate serial number to be queried, preprocesses each first certificate serial number contained in each acquired CRL file to obtain a corresponding second certificate serial number, recombines each second certificate serial number to obtain a plurality of recombined CRL files, matches the certificate serial number to be queried with the recombined CRL files to obtain a query result, and returns the query result, wherein the number of the certificate serial numbers contained in each recombined CRL file is less than or equal to a first preset number, and according to the process, after receiving the certificate revocation list query request, the server preprocesses the first certificate serial number contained in each CRL file without an arrangement rule acquired from the directory server, and after the second certificate serial number is preprocessed, obtaining a new recombined CRL file, matching the certificate serial number to be inquired with the recombined CRL file to obtain an inquiry result, wherein the number of the second certificate serial numbers in the recombined CRL file is not more than a certain preset number, so that the inquiry efficiency of the certificate revocation list is improved.
The preferred embodiments of the present invention will be described below with reference to the accompanying drawings of the specification, it being understood that the preferred embodiments described herein are merely for illustrating and explaining the present invention, and are not intended to limit the present invention, and that the embodiments and features of the embodiments in the present invention may be combined with each other without conflict.
As shown in fig. 1, which is a schematic flow chart of an implementation of a certificate revocation list query method according to an embodiment of the present invention, the method may include the following steps:
s11, receiving a certificate revocation list inquiry request, wherein the inquiry request carries a serial number of a certificate to be inquired.
In specific implementation, a server receives a certificate revocation list query request sent by a user through application software, wherein the query request carries a serial number of a certificate to be queried.
S12, obtaining the certificate revocation list CRL file from the lightweight directory access protocol LDAP directory server.
In specific implementation, the server acquires a plurality of CRL files from the LDAP directory server, the CRL files store the certificate serial numbers and revocation time revoked up to now, and each CRL file contains a large number of revoked certificate serial numbers without arrangement rules and corresponding revocation time.
S13, preprocessing each first certificate serial number contained in each acquired CRL file to obtain a corresponding second certificate serial number.
In specific implementation, when it is determined that the length of the first certificate serial number is smaller than N bytes, the length of the first certificate serial number is supplemented to N bytes, and a corresponding second certificate serial number is obtained. Wherein N is the maximum length of the certificate serial number, and the maximum length of the current certificate serial number is generally 20 bytes. Specifically, the first byte of the first certificate serial number is supplemented with a hexadecimal number 0X00, and the length of the first serial number is supplemented with N bytes. The certificate serial number in the CRL file obtained from the LDAP directory server has different lengths, and the maximum length is 20 bytes, and when the length of the certificate serial number is less than N bytes (i.e. 20 bytes), the hexadecimal number 0X00 is supplemented before the first byte of the certificate serial number until the length of the certificate serial number is N bytes, i.e. 20 bytes. For example, a certificate serial number is: 2024112 b 065 f 67, which is represented by hexadecimal numbers, and contains 7 bytes, which are respectively: 20. 24, 11, 2b, 06, 5f, and 67, add 14 00 s before the first byte 20 of the certificate serial number, and complement: 00000000000000000000000000002024112 b 065 f 67, i.e., the length of the certificate serial number is supplemented by 20 bytes.
Determining the first certificate serial number as a corresponding second certificate serial number when it is determined that the length of the first certificate serial number is equal to N bytes. Specifically, if the length of the first certificate serial number is 20 bytes, the first certificate serial number is directly determined as the corresponding second certificate serial number without being processed.
S14, recombining the second certificate serial numbers to obtain a plurality of recombined CRL files, wherein the number of the certificate serial numbers contained in each recombined CRL file is less than or equal to a first preset number.
In specific implementation, for all the second certificate serial numbers obtained by preprocessing the first certificate serial number in step S13, the second certificate serial numbers with the same bytes in the second preset number are arranged in ascending order or descending order to form a new CRL file, and a plurality of recombined CRL files are obtained.
It should be noted that, in the embodiment of the present invention, the second preset number may be set according to needs, and is not limited herein.
In a preferred embodiment, the second predetermined number may be set to 19. Specifically, after the serial numbers of the second certificates with the same first 19 bytes are arranged in ascending or descending order, a new CRL file is formed, and a plurality of recombined CRL files are obtained and can be stored in a system directory for the next use. Since the range of one byte is 256, the number of the second certificate serial numbers included in each restructured CRL file is 256 at most, that is, the first preset number is 256 at this time. The first preset number depends on the setting of the second preset number.
It should be noted that the second certificate serial numbers in each restructured CRL folder are all sorted in the same arrangement manner, either in an ascending order or in a descending order.
And then, arranging the recombined CRL files according to a preset sequence.
Specifically, when it is determined that the second certificate serial numbers in the reassembled CRL file are arranged in an ascending order, the reassembled CRL file is arranged in an ascending order, that is, all the second certificate serial numbers in a subsequent CRL file in all the reassembled CRL files are greater than the largest second certificate serial number in the previous CRL folder. And when the second certificate serial numbers in the recombined CRL file are determined to be arranged in a descending order, arranging the recombined CRL file in the descending order, namely that all the second certificate serial numbers in the next CRL file in the recombined CRL file are smaller than the minimum second certificate serial number in the previous CRL folder.
S15, matching the serial number of the certificate to be inquired with the recombined CRL file to obtain an inquiry result, and returning the inquiry result.
In specific implementation, the matching between the serial number of the certificate to be queried and the reconstructed CRL file according to the flow shown in fig. 2 may be performed according to the following steps, and may include the following steps:
s201, obtaining second certificate serial numbers at the middle positions of all the recombined CRL files after the sequencing is finished, and marking the second certificate serial numbers at the middle positions as reference certificate serial numbers.
In this step, the server obtains the second certificate serial numbers at the intermediate positions of all the recombined CRL files after the completion of the sorting, and marks the second certificate serial numbers as the reference certificate serial numbers. For example, assuming that there are A, B, C, D four restructured CRL files after the sorting is completed, and the number of the second certificate serial numbers included in A, B, C, D is 100, 150, 200, and 255, respectively, the second certificate serial number at the intermediate position of A, B, C, D is the 103 th second certificate serial number in the CRL file C, and the second certificate serial number is marked as the reference certificate serial number. In implementation, if the total number of all the second certificate serial numbers included in the reassembled CRL file is an even number, any one of the two middle second certificate serial numbers may be marked as the reference certificate serial number, which is not limited in the embodiment of the present invention.
S202, comparing the serial number of the certificate to be inquired with the serial number of the reference certificate to obtain a comparison result.
S203, determining the inquiry range of the serial number of the certificate to be inquired according to the comparison result.
Specifically, when it is determined that the comparison result obtained in step S202 is that the serial number of the certificate to be queried is greater than the reference certificate serial number, the CRL file including each second certificate serial number that is greater than the serial number of the certificate to be queried and each second certificate serial number that is greater than the serial number of the certificate to be queried in the CRL file to which the serial number of the certificate to be queried belongs are determined as the query range of the serial number of the certificate to be queried. And when the comparison result is that the serial number of the certificate to be queried is smaller than the serial number of the reference certificate, determining the CRL file containing the serial number of each second certificate smaller than the serial number of the certificate to be queried and the serial number of each second certificate smaller than the serial number of the certificate to be queried in the CRL file to which the serial number of the certificate to be queried belongs as the query range of the serial number of the certificate to be queried. And when the comparison result is that the serial number of the certificate to be inquired is equal to the serial number of the reference certificate, determining that the certificate to be inquired is revoked.
Still taking the sorted and recombined CRL file A, B, C, D in step S201 as an example, the numbers of the second certificate serial numbers included in A, B, C, D are 100, 150, 200, and 255, respectively, and it is assumed that each of the second certificate serial numbers in A, B, C, D and A, B, C, D is arranged in an ascending order. Comparing the serial number of the certificate to be inquired with a reference certificate serial number, namely the 103 th second certificate serial number in the file C, if the value of the serial number to be inquired is greater than the value of the reference certificate serial number, limiting the inquiry range in all second certificate serial numbers after the 103 th second certificate serial number in the file C, namely starting from the 104 th second certificate serial number in the file C to the 200 th second certificate serial number in the file folder, and determining the file D as the inquiry range of the serial number to be inquired; if the value of the serial number to be queried is smaller than the value of the reference certificate serial number, the query range is defined in all the second certificate serial numbers before the 103 th second certificate serial number in the file C, that is, the first 102 second certificate serial numbers in the file C, plus the file A, B, is determined as the query range of the serial number to be queried.
S204, matching the serial number of the certificate to be inquired with the determined inquiry range.
In this step, the server matches the serial number of the certificate to be queried with the query range determined in step S203, searches whether the serial number of the certificate to be queried is included in the query range, determines that the certificate to be queried has been revoked if the serial number of the certificate to be queried exists, otherwise determines that the certificate to be queried has not been revoked, and returns a query result, which may be stored in an application memory, where the application is application software installed in the server.
In the method for querying a certificate revocation list provided in the embodiment of the present invention, after receiving a certificate revocation list query request, a server obtains a certificate revocation list CRL file from an LDAP directory server, where the query request carries a certificate serial number to be queried, pre-processes each first certificate serial number included in each obtained CRL file to obtain a corresponding second certificate serial number, recombines each second certificate serial number to obtain a plurality of recombined CRL files, matches the certificate serial number to be queried with the recombined CRL files to obtain a query result, and returns the query result, where the number of certificate serial numbers included in each recombined CRL file is less than or equal to a first preset number, and in the method for querying a certificate revocation list provided in the embodiment of the present invention, because the number of certificate serial numbers in the recombined CRL files is far less than the number of certificate serial numbers in original CRL files, the preprocessed certificate serial numbers are arranged according to the ascending order or the descending order, and a reference certificate serial number is selected, so that the query range is reduced by half, the query efficiency is effectively improved, and only the query result is stored in the memory of the application program, so that the risk of memory overflow is avoided, and the robustness of the application program is improved.
Based on the same inventive concept, the embodiment of the invention also provides a certificate revocation list query device, and as the principle of solving the problems of the device is similar to the certificate revocation list query method, the implementation of the device can refer to the implementation of the method, and repeated details are omitted.
As shown in fig. 3, which is a schematic structural diagram of a certificate revocation list query apparatus according to an embodiment of the present invention, the certificate revocation list query apparatus may include:
a receiving unit 31, configured to receive a certificate revocation list query request, where the query request carries a serial number of a certificate to be queried;
an obtaining unit 32, configured to obtain a certificate revocation list CRL file from a lightweight directory access protocol LDAP directory server;
a preprocessing unit 33, configured to respectively preprocess each first certificate serial number included in each acquired CRL file, to obtain a corresponding second certificate serial number;
a restructuring unit 34, configured to restructure each second certificate serial number to obtain a plurality of restructured CRL files, where the number of certificate serial numbers included in each restructured CRL file is less than or equal to a first preset number;
and the matching unit 35 is configured to match the certificate serial number to be queried with the recombined CRL file to obtain a query result, and return the query result.
Preferably, the preprocessing unit 33 is specifically configured to, when it is determined that the length of the first certificate serial number is smaller than N bytes, complement the length of the first certificate serial number to N bytes, and obtain a corresponding second certificate serial number; determining the first certificate serial number as a corresponding second certificate serial number when it is determined that the length of the first certificate serial number is equal to N bytes; wherein N is the maximum length of the certificate serial number.
Preferably, the preprocessing unit 33 is specifically configured to supplement a hexadecimal number 0X00 before a first byte of the first certificate serial number, so as to supplement the length of the first serial number to N bytes.
Preferably, the restructuring unit 34 is specifically configured to arrange the second certificate serial numbers with the same bytes in the second preset number in an ascending order or a descending order to form a new CRL file, so as to obtain a plurality of restructured CRL files.
Optionally, the apparatus may further include:
and the sequencing unit is used for arranging the recombined CRL files according to a preset sequence after obtaining the plurality of recombined CRL files and before matching the serial number of the certificate to be inquired with the recombined CRL files.
Preferably, the sorting unit is specifically configured to, when it is determined that the second certificate serial numbers in the reassembled CRL file are arranged in an ascending order, arrange the reassembled CRL file in the ascending order; and when the second certificate serial numbers in the recombined CRL file are determined to be arranged according to a descending order, arranging the recombined CRL file according to the descending order.
Preferably, the matching unit 35 is specifically configured to obtain second certificate serial numbers at intermediate positions of all the reorganized CRL files after the sorting is completed, and mark the second certificate serial numbers at the intermediate positions as reference certificate serial numbers; comparing the serial number of the certificate to be inquired with the serial number of the reference certificate to obtain a comparison result; determining the inquiry range of the serial number of the certificate to be inquired according to the comparison result; and matching the serial number of the certificate to be inquired with the determined inquiry range.
Preferably, the matching unit 35 is specifically configured to, when it is determined that the comparison result is that the serial number of the certificate to be queried is greater than the reference certificate serial number, determine, as a query range of the serial number of the certificate to be queried, a CRL file that includes each second certificate serial number that is greater than the serial number of the certificate to be queried, and each second certificate serial number that is greater than the serial number of the certificate to be queried in the CRL file to which the serial number of the certificate to be queried belongs; and when the comparison result is that the serial number of the certificate to be queried is smaller than the serial number of the reference certificate, determining the CRL file containing the serial number of each second certificate smaller than the serial number of the certificate to be queried and the serial number of each second certificate smaller than the serial number of the certificate to be queried in the CRL file to which the serial number of the certificate to be queried belongs as the query range of the serial number of the certificate to be queried.
The embodiment of the invention also provides electronic equipment which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor realizes the certificate revocation list query method when executing the program.
An embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the above method for querying a certificate revocation list.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (10)

1. A method for querying a certificate revocation list, comprising:
receiving a certificate revocation list query request, wherein the query request carries a serial number of a certificate to be queried;
obtaining a Certificate Revocation List (CRL) file from a Lightweight Directory Access Protocol (LDAP) directory server;
preprocessing each first certificate serial number contained in each acquired CRL file to obtain a corresponding second certificate serial number;
recombining the second certificate serial numbers to obtain a plurality of recombined CRL files, wherein the number of the certificate serial numbers contained in each recombined CRL file is less than or equal to a first preset number;
recombining the serial numbers of the second certificates to obtain a plurality of recombined CRL files, which specifically comprises: arranging second certificate serial numbers with the same bytes in a second preset number in an ascending or descending order to form a new CRL file, and obtaining a plurality of recombined CRL files;
arranging the recombined CRL files according to a preset sequence, which specifically comprises the following steps: when the second certificate serial numbers in the recombined CRL file are determined to be arranged according to an ascending order, arranging the recombined CRL file according to the following order: all second certificate serial numbers in the CRL file after the last recombination are larger than the largest second certificate serial number in the CRL file after the last recombination; when the second certificate serial numbers in the recombined CRL file are determined to be arranged according to a descending order, arranging the recombined CRL file according to the following order: all second certificate serial numbers in the CRL file after the last recombination are smaller than the minimum second certificate serial number in the CRL file after the last recombination;
and matching the serial number of the certificate to be inquired with the recombined CRL file to obtain an inquiry result, and returning the inquiry result.
2. The method of claim 1, wherein the first certificate serial number is preprocessed to obtain a corresponding second certificate serial number by:
when the length of the first certificate serial number is determined to be smaller than N bytes, supplementing the length of the first certificate serial number into N bytes to obtain a corresponding second certificate serial number;
determining the first certificate serial number as a corresponding second certificate serial number when it is determined that the length of the first certificate serial number is equal to N bytes;
wherein N is the maximum length of the certificate serial number.
3. The method of claim 2, wherein supplementing the length of the first certificate serial number with N bytes specifically comprises:
the first byte of the first certificate serial number is supplemented with a hexadecimal number 0X00, and the length of the first certificate serial number is supplemented with N bytes.
4. The method of claim 1, wherein the certificate serial number to be queried is matched with the restructured CRL file according to the following steps:
acquiring second certificate serial numbers at the middle positions of all the recombined CRL files after the sequencing is finished, and marking the second certificate serial numbers at the middle positions as reference certificate serial numbers;
comparing the serial number of the certificate to be inquired with the serial number of the reference certificate to obtain a comparison result;
determining the inquiry range of the serial number of the certificate to be inquired according to the comparison result;
and matching the serial number of the certificate to be inquired with the determined inquiry range.
5. The method according to claim 4, wherein determining the query range of the serial number of the certificate to be queried according to the comparison result specifically includes:
when the comparison result is that the serial number of the certificate to be queried is larger than the serial number of the reference certificate, determining the serial number of each second certificate contained in the CRL file with the serial number of the certificate to be queried larger than the serial number of the certificate to be queried and the serial number of each second certificate in the CRL file with the serial number of the certificate to be queried larger than the serial number of the certificate to be queried as a query range of the serial number of the certificate to be queried;
and when the comparison result is that the serial number of the certificate to be queried is smaller than the serial number of the reference certificate, determining the CRL file containing the serial number of each second certificate smaller than the serial number of the certificate to be queried and the serial number of each second certificate smaller than the serial number of the certificate to be queried in the CRL file to which the serial number of the certificate to be queried belongs as the query range of the serial number of the certificate to be queried.
6. A certificate revocation list query apparatus, comprising:
the system comprises a receiving unit, a receiving unit and a processing unit, wherein the receiving unit is used for receiving a certificate revocation list inquiry request which carries a serial number of a certificate to be inquired;
the acquisition unit is used for acquiring a Certificate Revocation List (CRL) file from a Lightweight Directory Access Protocol (LDAP) directory server;
the preprocessing unit is used for respectively preprocessing each first certificate serial number contained in each acquired CRL file to obtain a corresponding second certificate serial number;
the restructuring unit is used for restructuring each second certificate serial number to obtain a plurality of restructured CRL files, wherein the number of the certificate serial numbers contained in each restructured CRL file is less than or equal to a first preset number;
the restructuring unit is specifically configured to arrange second certificate serial numbers with the same bytes in a second preset number in an ascending order or a descending order to form a new CRL file, so as to obtain a plurality of restructured CRL files;
the sequencing unit is used for sequencing the recombined CRL files according to a preset sequence;
the sorting unit is specifically configured to, when it is determined that the second certificate serial numbers in the reassembled CRL file are arranged in an ascending order, arrange the reassembled CRL file in the following order: all second certificate serial numbers in the CRL file after the last recombination are larger than the largest second certificate serial number in the CRL file after the last recombination; when the second certificate serial numbers in the recombined CRL file are determined to be arranged according to a descending order, arranging the recombined CRL file according to the following order: all second certificate serial numbers in the CRL file after the last recombination are smaller than the minimum second certificate serial number in the CRL file after the last recombination;
and the matching unit is used for matching the serial number of the certificate to be inquired with the recombined CRL file to obtain an inquiry result and returning the inquiry result.
7. The apparatus of claim 6,
the preprocessing unit is specifically configured to, when it is determined that the length of the first certificate serial number is smaller than N bytes, complement the length of the first certificate serial number to N bytes, and obtain a corresponding second certificate serial number; determining the first certificate serial number as a corresponding second certificate serial number when it is determined that the length of the first certificate serial number is equal to N bytes; wherein N is the maximum length of the certificate serial number.
8. The apparatus of claim 7,
the preprocessing unit is specifically configured to supplement a hexadecimal number 0X00 before a first byte of the first certificate serial number, and supplement the length of the first certificate serial number to N bytes.
9. The apparatus of claim 6,
the matching unit is specifically configured to obtain second certificate serial numbers at intermediate positions of all the reorganized CRL files after the sorting is completed, and mark the second certificate serial numbers at the intermediate positions as reference certificate serial numbers; comparing the serial number of the certificate to be inquired with the serial number of the reference certificate to obtain a comparison result; determining the inquiry range of the serial number of the certificate to be inquired according to the comparison result; and matching the serial number of the certificate to be inquired with the determined inquiry range.
10. The apparatus of claim 9,
the matching unit is specifically configured to, when it is determined that the comparison result is that the serial number of the certificate to be queried is greater than the reference certificate serial number, determine, as a query range of the serial number of the certificate to be queried, a CRL file containing each second certificate serial number that is greater than the serial number of the certificate to be queried, and each second certificate serial number that is greater than the serial number of the certificate to be queried in the CRL file to which the serial number of the certificate to be queried belongs; and when the comparison result is that the serial number of the certificate to be queried is smaller than the serial number of the reference certificate, determining the CRL file containing the serial number of each second certificate smaller than the serial number of the certificate to be queried and the serial number of each second certificate smaller than the serial number of the certificate to be queried in the CRL file to which the serial number of the certificate to be queried belongs as the query range of the serial number of the certificate to be queried.
CN201810003002.4A 2018-01-02 2018-01-02 Certificate revocation list query method and device Active CN108365962B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810003002.4A CN108365962B (en) 2018-01-02 2018-01-02 Certificate revocation list query method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810003002.4A CN108365962B (en) 2018-01-02 2018-01-02 Certificate revocation list query method and device

Publications (2)

Publication Number Publication Date
CN108365962A CN108365962A (en) 2018-08-03
CN108365962B true CN108365962B (en) 2021-04-06

Family

ID=63011108

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810003002.4A Active CN108365962B (en) 2018-01-02 2018-01-02 Certificate revocation list query method and device

Country Status (1)

Country Link
CN (1) CN108365962B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3993339B1 (en) * 2020-10-29 2023-05-31 Siemens Aktiengesellschaft Certificate management in a technical system
CN115514500B (en) * 2022-11-23 2023-03-24 江苏荣泽信息科技股份有限公司 Rapid verification method for CA certificate revocation list

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1707999A (en) * 2004-05-03 2005-12-14 汤姆森许可公司 Distributed management of a certificate revocation list
CN102567410A (en) * 2010-12-31 2012-07-11 上海格尔软件股份有限公司 Method for on-line querying certificate state of certificate serial number on basis of step-by-step design

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7814315B2 (en) * 2006-11-30 2010-10-12 Red Hat, Inc. Propagation of certificate revocation information
US9906374B2 (en) * 2016-02-29 2018-02-27 Red Hat, Inc. Efficient certificate revocation list processing

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1707999A (en) * 2004-05-03 2005-12-14 汤姆森许可公司 Distributed management of a certificate revocation list
CN102567410A (en) * 2010-12-31 2012-07-11 上海格尔软件股份有限公司 Method for on-line querying certificate state of certificate serial number on basis of step-by-step design

Also Published As

Publication number Publication date
CN108365962A (en) 2018-08-03

Similar Documents

Publication Publication Date Title
US11663090B2 (en) Method and system for desynchronization recovery for permissioned blockchains using bloom filters
CN109034809B (en) Block chain generation method and device, block chain node and storage medium
US12073400B2 (en) Method and system for an efficient consensus mechanism for permissioned blockchains using audit guarantees
CN109586896B (en) Data integrity verification method based on Hash prefix tree
WO2018177190A1 (en) Method and device for synchronizing blockchain data
EP3072076B1 (en) A method of generating a reference index data structure and method for finding a position of a data pattern in a reference data structure
CN110737663B (en) Data storage method, device, equipment and storage medium
CN110235162B (en) Block chain system data processing method and block generation method
CN109634959B (en) Block indexing method and block indexing device
CN103077208B (en) URL(uniform resource locator) matched processing method and device
CN110634052A (en) Method and device for generating order number by distributed architecture
CN108365962B (en) Certificate revocation list query method and device
CN111694502B (en) Block chain data storage method, device, equipment and storage medium
CN111209341B (en) Data storage method, device, equipment and medium of block chain
CN113609533A (en) Integrity auditing method for smart power grid data
CN111147477B (en) Verification method and device based on block chain network
CN114970464A (en) Method, device, terminal equipment and storage medium for generating identification
CN106326310B (en) Resource encryption updating method for mobile phone client software
CN110442456B (en) Multi-channel load balancing method based on Hyperridge-fabric
CN114489737A (en) Multi-firmware OTA (over the air) upgrading method and device, server and storage medium
CN110033189B (en) Method, device and equipment for automatically generating fiber core segment
CN112732789A (en) Searchable encryption method based on block chain and electronic equipment
CN108984780B (en) Method and device for managing disk data based on data structure supporting repeated key value tree
CN112559546A (en) Database synchronization method and device, computer equipment and readable storage medium
CN113505155B (en) Transaction information retrieval method and retrieval device based on blockchain network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant