CN110704815A - Data packet code signature and verification method, device, system and storage medium thereof - Google Patents
Data packet code signature and verification method, device, system and storage medium thereof Download PDFInfo
- Publication number
- CN110704815A CN110704815A CN201910934315.6A CN201910934315A CN110704815A CN 110704815 A CN110704815 A CN 110704815A CN 201910934315 A CN201910934315 A CN 201910934315A CN 110704815 A CN110704815 A CN 110704815A
- Authority
- CN
- China
- Prior art keywords
- code
- signature
- certificate
- data
- signing
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 61
- 238000012795 verification Methods 0.000 title claims abstract description 49
- 238000004806 packaging method and process Methods 0.000 claims abstract description 10
- 238000004590 computer program Methods 0.000 claims description 13
- 101000759879 Homo sapiens Tetraspanin-10 Proteins 0.000 claims 8
- 102100024990 Tetraspanin-10 Human genes 0.000 claims 8
- 238000004422 calculation algorithm Methods 0.000 description 45
- 230000008569 process Effects 0.000 description 10
- 238000004364 calculation method Methods 0.000 description 7
- 238000010586 diagram Methods 0.000 description 7
- 230000009471 action Effects 0.000 description 6
- 230000004044 response Effects 0.000 description 6
- 230000008520 organization Effects 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 4
- 230000007246 mechanism Effects 0.000 description 4
- 238000012545 processing Methods 0.000 description 4
- 241000700605 Viruses Species 0.000 description 2
- 230000008859 change Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000006855 networking Effects 0.000 description 2
- 230000002265 prevention Effects 0.000 description 2
- 238000006467 substitution reaction Methods 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000012856 packing Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/121—Restricting unauthorised execution of programs
- G06F21/125—Restricting unauthorised execution of programs by manipulating the program code, e.g. source code, compiled code, interpreted code, machine code
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides a data packet code signature method, a device, a system and a storage medium, wherein the method comprises the following steps: receiving a data packet code signing request of a signing user, and acquiring a data packet to be signed; code signing is carried out on the data packet based on the first secret key to obtain code signing data; acquiring a timestamp of the code signature and a code signature certificate state when the code is signed; and packaging the timestamp and the code signature certificate state into the code signature data to obtain a code signature result of the data packet. According to the method, the device, the system and the storage medium, the timestamp and the code certificate state are added during code signing, so that the safety of code signing and verification is improved, and the user experience is ensured.
Description
Technical Field
The invention relates to the technical field of information security processing, in particular to processing of data packet code signatures.
Background
Code signing is a trusted computing and software protection core technology. Through code signing, the identity of the software publisher can be determined, and the software publishing package is verified to be complete and not tampered.
In general, a key and a certificate for code signing are held by a software publisher, and a code signing operation is performed at the time of software release, and a signed software package and a signed package are provided to a recipient. Developers need to be able to properly manage their code signing keys, and if the keys are revealed or lost, the developers need to apply for reimbursement to a certificate authority in time, and the developers pretend to be the developers to issue malicious software while stealing the keys.
In this case, when signing the code, it is necessary to declare to the software receiver that its code signing certificate is not revoked by the certificate authority in the signing operation and is in a valid state. Especially in an offline state, a software receiver may not be able to obtain the valid state of the certificate in time, so that security is not guaranteed.
Therefore, the problem that the security of the code signature of the software package is not high exists in the prior art.
Disclosure of Invention
The present invention has been made in view of the above problems. The invention provides a data packet code signature and a verification method, a device, a system and a computer storage medium thereof, which aim to solve the problem of low security of the code signature.
According to a first aspect of the present invention, there is provided a data packet code signing method, including:
receiving a data packet code signing request of a signing user, and acquiring a data packet to be signed;
code signing is carried out on the data packet based on the first secret key to obtain code signing data;
acquiring a timestamp of the code signature and a code signature certificate state when the code is signed;
packaging the timestamp and the code signature certificate state into the code signature data to obtain a code signature result of the data packet;
alternatively, the first and second electrodes may be,
and acquiring a timestamp and a code signature certificate state, and performing code signature on the data packet based on the timestamp and the code signature certificate state to obtain a code signature result containing the timestamp and the code signature certificate state.
According to a second aspect of the present invention, there is provided a method for verifying a code signature of a data packet, comprising:
receiving a data packet to be verified, which is code-signed by the method according to the first aspect;
verifying the data packet to be verified based on a second key;
acquiring a timestamp and a code signature certificate state in the data packet to be verified;
verifying the timestamp to determine whether the time of the code signature is accurate and verifying whether the code signature certificate status is valid;
when the timestamp is accurate and the code signing certificate status is valid, the verification is successful.
According to a third aspect of the present invention, there is provided a packet code signing apparatus comprising:
the receiving module is used for receiving a data packet code signing request of a signing user and acquiring the data packet to be signed;
the signature module is used for carrying out code signature on the data packet based on a preset first secret key to obtain code signature data;
the information acquisition module is used for acquiring the timestamp and the state of the code signature certificate;
the packaging module is used for packaging the timestamp and the code signature certificate state into the code signature data to obtain a code signature result of the data packet; or, the code signing module is configured to perform code signing on the data packet based on the timestamp and the code signing certificate status, and obtain a code signing result including the timestamp and the code signing certificate status.
According to a fourth aspect of the present invention, there is provided a packet code signing system, comprising a memory, a processor and a computer program stored on the memory and running on the processor, wherein the steps of the method of the first aspect are implemented when the computer program is executed by the processor.
According to a fifth aspect of the present invention, there is provided a computer storage medium having a computer program stored thereon, wherein the computer program, when executed by a computer, implements the steps of the method of the first aspect.
According to the data packet code signing method, the data packet code signing device, the data packet code signing system and the computer storage medium, the timestamp and the code certificate state are added during code signing, so that the security of the code signing and the verification of the code signing is improved, and the user experience is guaranteed.
Drawings
The above and other objects, features and advantages of the present invention will become more apparent by describing in more detail embodiments of the present invention with reference to the attached drawings. The accompanying drawings are included to provide a further understanding of the embodiments of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings, like reference numbers generally represent like parts or steps.
FIG. 1 is a schematic flow chart diagram of a data package code signing method according to an embodiment of the present invention;
FIG. 2 is an example of a code signature result according to an embodiment of the present invention;
FIG. 3 is a schematic flow chart diagram of a method of verifying a code signature of a data package in accordance with an embodiment of the present invention;
FIG. 4 is an example of a packet code signing method according to an embodiment of the present invention;
FIG. 5 is a schematic block diagram of a packet code signing apparatus according to an embodiment of the present invention;
FIG. 6 is a schematic block diagram of an apparatus for verifying a code signature of a data packet according to an embodiment of the present invention;
fig. 7 is a schematic block diagram of a packet code signing system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, exemplary embodiments according to the present invention will be described in detail below with reference to the accompanying drawings. It is to be understood that the described embodiments are merely a subset of embodiments of the invention and not all embodiments of the invention, with the understanding that the invention is not limited to the example embodiments described herein. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the invention described herein without inventive step, shall fall within the scope of protection of the invention.
Next, a packet code signing method 1 according to an embodiment of the present invention will be described with reference to fig. 1. As shown in fig. 1, a data packet code signing method 1 includes:
step S1-1, receiving a data packet code signing request of a signing user, and acquiring the data packet to be signed;
step S1-2, code signing is carried out on the data packet based on the first key to obtain code signing data;
step S1-3, acquiring the timestamp of the code signature and the state of the code signature certificate when the code is signed;
and step S1-4, packaging the timestamp and the code signature certificate state into the code signature data to obtain the code signature result of the data packet.
Alternatively, the above steps S1-2 to S1-4 may further include:
acquiring a timestamp and a code signature certificate state;
and code signing is carried out on the data packet based on the timestamp and the code signing certificate state, and a code signing result containing the timestamp and the code signing certificate state is obtained.
The timestamp and the code signature certificate state can be subjected to code signature and then packaged into the code signature data, or can be subjected to code signature together with the data to be signed while carrying out code signature, and finally, a code signature result containing the timestamp and the code signature certificate state can be obtained.
According to the embodiment of the invention, in the process of code signing on a data packet such as software and the like, the signature certificate state of a signing user such as a software publisher in code signing on the data packet is increased, so that a verifier can obtain the state of a code signature certificate in original signing of the data packet when verifying the signature of the data packet, the signature verification process is simplified, and a data packet receiver does not need to obtain the certificate state information from a certificate issuing organization, so that the certificate state verification in an off-line mode can be supported, the safety of a code signature mechanism is enhanced, the link of code signature verification is simplified, and the efficiency of code signature verification is improved.
Illustratively, the data packet code signing method according to the embodiment of the present invention may be implemented in a device, apparatus or system having a memory and a processor. The data packet code signing method according to the embodiment of the invention can be deployed at a personal terminal.
Illustratively, the personal terminal includes a computer device. Such as laptop, desktop, tablet computers, and the like.
According to the data packet code signing method provided by the embodiment of the invention, the timestamp and the code certificate state are added during code signing, so that the security of code signing and verification is improved, and the user experience is ensured.
According to the embodiment of the present invention, in step S1-1, receiving the data package code signing request of the signing user includes: receiving the data packet code signing request sent in a remote mode; and/or receiving the locally generated data packet code signing request.
In one example, the packet code signing request may include the packet to be signed.
In one example, obtaining the data packet to be signed may be by receiving the data packet code signing request to obtain
In one example, the data packet to be signed may be obtained after responding to the data packet code signing request.
According to the embodiment of the present invention, in step S1-2, the first key includes a private key of the signing user.
Alternatively, the code signing of the data packet based on the first key to obtain the code signature data may be performed by using an SM2 algorithm, an RSA algorithm, or an ECC algorithm (elliptic curve algorithm).
In one example, step S1-2 may further include:
performing single hash calculation on the data packet to generate a hash;
and signing the hash by using the private key, and obtaining the code signature data based on a signature value, the data packet and a code signature certificate.
The code signing Certificate is a trusted third party, and is a digital Certificate issued by a user using a public key, wherein an Authority (CA) responsible for issuing and managing the digital Certificate is used as the trusted third party to prove that the user listed in the Certificate has the public key listed in the Certificate legally and undertakes the responsibility of legality check of the public key in a public key system. The code signing certificate may include a public key corresponding to the private key for use in verification.
According to the embodiment of the present invention, in step S1-3, acquiring the timestamp of the code signature includes: and acquiring the time stamp when the code signature is acquired based on a time stamp service, or generating the time stamp when the code signature is carried out.
The timestamp service can be obtained by a timestamp server, and the timestamp server is a timestamp authority system based on PKI (public key cryptography infrastructure) technology and provides accurate and reliable timestamp service for the outside. The method adopts an accurate time source and a high-intensity and high-standard security mechanism to confirm the existence of system processing data at a certain time and the relative time sequence of related operations, and provides basic service for time denial prevention in an information system.
In one example, obtaining the timestamp of the code signature includes: a timestamp request is sent to a timestamp server and a valid timestamp of the timestamp server response is received.
In one example, obtaining the timestamp of the code signature includes: the timestamp is generated based on a code signing system when code signing is performed.
According to the embodiment of the present invention, in step S1-3, acquiring the code signature certificate status when the code is signed includes:
and acquiring an OCSP address or a CRL issuing point based on the code signing certificate, and automatically acquiring the state of the code signing certificate, or manually inquiring the state of the code signing certificate during code signing and setting.
Wherein CRL (Certificate Revocation List) lists serial numbers of certificates that are considered to be unusable any more; OCSP (Online Certificate Status Protocol) overcomes the major drawback that CRL must be frequently downloaded at the client to ensure the update of the list, such as when a user attempts to access a server, OCSP sends a request for Certificate Status information, and the server replies with a "valid", "expired" or "unknown" response indicating the Status information of the digital Certificate.
In one example, obtaining an OCSP address or a CRL distribution point based on a code signing certificate automatically obtains the code signing certificate status, comprising:
obtaining an OCSP address or a CRL issuing point according to the code signing certificate;
if the OCSP address is the OCSP address, obtaining an OCSP response of the code signing certificate from the OCSP address through an OCSP protocol;
and if the CRL is the CRL distribution point, acquiring the CRL through the CRL distribution point.
In one example, the setting is performed after manually inquiring the code signature certificate status when the code is signed, including:
when the code signing is carried out and the networking cannot be carried out, the certificate revoking information can be obtained in other modes and manually copied into the code signing system.
In one example, obtaining the code signature certificate status when the code signature is obtained may further include:
and a self-defined certificate state format based on a code signing system, wherein the self-defined certificate state format comprises a signature of a CA center and represents that the state in the self-defined certificate state format is credible.
According to the embodiment of the present invention, in step S1-4, as shown in fig. 2, fig. 2 shows a code signature result example of the embodiment of the present invention. The code signing result comprises: a data portion and a signature portion, wherein the data portion includes the data packet and the data packet description information, and the signature portion includes a signature value, a policy for the code signature, a code signature certificate, the timestamp, and the code signature certificate status.
In one example, the data portion further comprises: packet policy information.
In one example, the code signing policy further comprises: an algorithm of the code signature.
Next, a verification method 3 of a packet code signature according to an embodiment of the present invention will be described with reference to fig. 3. As shown in fig. 3, a method 3 for verifying a code signature of a data packet includes:
step S3-1, receiving a data packet to be verified;
step S3-2, verifying the data packet to be verified based on a second key;
step S3-3, obtaining the timestamp and the code signature certificate state in the data packet to be verified;
step S3-4, verifying the time stamp to determine whether the time of the code signature is authentic, and verifying whether the state of the code signature certificate is valid;
when the timestamp is accurate and the code signing certificate status is valid, the verification is successful.
The data receiving user can determine the time of software code signature through the timestamp and the state of the certificate in front of the code in the data packet to be verified, verify whether the certificate is revoked by a certificate issuing organization when the code signature action occurs through the certificate state information, and judge that the code signature verification fails if the certificate is found not to be in a valid state according to the verification result, so that the reliability of the code signature of the safety verification is enhanced, and the information safety is further ensured.
According to an embodiment of the present invention, in step S3-2, the second key includes a public key of the signing user. Wherein the public key may be obtained through a code signing certificate.
Optionally, the verifying the data packet to be verified based on the second key may be performed by using an SM2 algorithm, an RSA algorithm, or an ECC algorithm (elliptic curve algorithm). It will be appreciated that the algorithm of the verification process corresponds to the algorithm employed for code signing, for example the SM2 algorithm is employed for code signing, and accordingly the SM2 algorithm is also employed for verification.
It should be noted that the algorithm adopted in the code signing or verifying process is only an example, and the embodiment of the present invention is not limited by the above example, and both the existing algorithm for verifying the code signature and the signature thereof and the algorithm for verifying the code signature and the signature thereof developed in the future can be used in the data packet code signing method according to the embodiment of the present invention, and the specific algorithm for verifying the code signature and the signature thereof is not limited herein.
In one example, when the verifying the data packet to be verified based on the second key employs an ECC algorithm, the verifying may further include: ECDSA (elliptic curve digital signature) algorithm or SM2 algorithm.
In one example, when the SM2 algorithm is used for the verification of the data packet to be verified based on the second key, the part 2 of the elliptic curve public key cryptography algorithm of the information security technology SM2 may be based on the national standard GB/T32918.2: digital signature algorithm.
In one example, the verifying the data packet to be verified based on the second key by using RSA algorithm includes:
acquiring a code signature certificate from a data packet to be verified;
obtaining a public key of the signature user based on the code signature certificate;
decrypting the data packet to be verified by adopting the public key to obtain a signed hash;
performing single hash calculation on an original data packet in the data packet to be verified to generate a calculation hash;
comparing the signed hash to the computed hash for verification.
If the signed hash is the same as the calculated hash, the data content is not changed and is reliable data; if the signed hash and the computed hash are different, it is indicated that the data content may change.
According to the embodiment of the present invention, in step S3-4, verifying the timestamp to determine whether the time of the code signature is authentic includes:
obtaining OCSP data or CRL data in the code signature;
comparing the time of the code signature with the verification periods of the timestamp, the OCSP data and/or the CRL data, respectively;
verifying whether the time point in the time stamp is within the valid time shown by the OCSP data or within the valid time shown by the CRL data;
and if the time stamp is within the valid time shown by the OCSP data or within the valid time shown by the CRL data, the time of the code signature is credible.
According to the embodiment of the present invention, in step S3-4, verifying whether the code signing certificate status is valid includes:
obtaining OCSP data or CRL data in the code signature;
inquiring whether the state of the code signing certificate shown by the OCSP data is valid or not, or whether the information shown by the CRL data comprises the code signing certificate or not;
and if the code signing certificate state shown by the OCSP data is valid or the code signing certificate is not included in the information shown by the CRL data, the code signing certificate state is valid.
According to the data packet code signature and the verification method thereof, the safety of the code signature and verification process is enhanced, and an attacker is prevented from issuing software carrying malicious programs, trojans and viruses in a mode of revoking a code signature certificate under the condition that a developer key is leaked or a key medium is lost. The signature packet contains the state information of the certificate when the code signing action occurs, and a data packet receiver can easily and accurately judge the source and the integrity of the software through the information without acquiring the state information of the certificate from a certificate issuing organization, so that the link of code signature verification is simplified, and the efficiency of code signature verification is improved. Meanwhile, the method has stronger applicability and is suitable for various occasions, such as the environment that a single machine is not networked.
In one embodiment, the packet code signing method implemented by the present invention is described with specific examples. Referring to fig. 4, fig. 4 shows an example of a packet code signing method according to an embodiment of the present invention. As shown in fig. 4, the code signing system is installed as software on a terminal computer of a developer, and can obtain a code signing certificate from an authoritative certificate authority using a smart key as a key medium, and the data packet code signing method specifically includes:
when the code signing system signs, receiving a data packet code signing request of a signing user, and acquiring a data packet to be signed;
performing single hash calculation on the data packet to generate a hash;
signing the hash by using the private key, and obtaining the code signature data based on the signed hash, the data packet and a code signature certificate;
the method comprises the steps that current code signing certificate state information is obtained from a certificate authority, and a timestamp is obtained from a third-party timestamp service, wherein when a terminal where a code signing system is located can access the certificate authority on line, and when a signing action occurs, certificate revocation information and the timestamp can be automatically obtained from the certificate authority; if the terminal of the code signing system does not have the network condition of online access, the information can also be acquired by other online terminals and manually copied into the code signing system;
and packaging the timestamp and the code signature certificate state into a code signature data packet to obtain a code signature result comprising a data part and a signature part, wherein the data part comprises the data packet and the data packet description information, and the signature part comprises the code signature policy, the code signature certificate, the timestamp and the code signature certificate state.
Fig. 5 shows a schematic block diagram of a packet code signing apparatus 500 according to an embodiment of the present invention. As shown in fig. 5, the packet code signing apparatus 500 according to the embodiment of the present invention includes:
a receiving module 510, configured to receive a data packet code signing request of a signing user, and obtain the data packet to be signed;
a signature module 520, configured to perform code signature on the data packet based on a preset first key to obtain code signature data;
an information obtaining module 530, configured to obtain a timestamp and a code signing certificate status;
a packing module 540, configured to pack the timestamp and the code signature certificate status into the code signature data, so as to obtain a code signature result of the data packet; alternatively, the first and second electrodes may be,
and the code signing module is used for carrying out code signing on the data packet based on the timestamp and the code signing certificate state to obtain a code signing result containing the timestamp and the code signing certificate state.
According to the embodiment of the invention, the data packet code signing device increases the state of the signature certificate of a signing user such as a software publisher when signing codes of a data packet in the process of signing codes of the data packet such as software, so that a verifier can obtain the state of the code signature certificate when the data packet is originally signed when verifying the signature of the data packet, the signature verification process is simplified, a data packet receiver can support the certificate state verification in an off-line mode without obtaining the certificate state information from a certificate issuing organization, the safety of a code signature mechanism is enhanced, the link of code signature verification is simplified, and the efficiency of verifying the code signature is improved.
According to an embodiment of the present invention, the receiving module 510 receives a data package code signing request of a signing user, including: receiving the data packet code signing request sent in a remote mode; and/or receiving the locally generated data packet code signing request.
In one example, the packet code signing request may include the packet to be signed.
In one example, obtaining the data packet to be signed may be by receiving the data packet code signing request to obtain
In one example, the data packet to be signed may be obtained after responding to the data packet code signing request.
In one example, the first key comprises a private key of a signing user.
Optionally, the signature module 520 may perform code signing on the data packet based on the first key to obtain code signature data by using an SM2 algorithm, an RSA algorithm, or an ECC algorithm (elliptic curve algorithm).
In one example, the signature module 520 may be further configured to:
performing single hash calculation on the data packet to generate a hash;
and signing the hash by using the private key, and obtaining the code signature data based on the signed hash, the data packet and the code signature certificate.
The code signing Certificate is a trusted third party, and is a digital Certificate issued by a user using a public key, wherein an Authority (CA) responsible for issuing and managing the digital Certificate is used as the trusted third party to prove that the user listed in the Certificate has the public key listed in the Certificate legally and undertakes the responsibility of legality check of the public key in a public key system. The code signing certificate may include a public key corresponding to the private key for use in verification.
According to an embodiment of the present invention, the acquiring, by the information acquiring module 530, the timestamp of the code signature includes: and acquiring the time stamp when the code signature is acquired based on a time stamp service, or generating the time stamp when the code signature is carried out.
The timestamp service can be obtained by a timestamp server, and the timestamp server is a timestamp authority system based on PKI (public key cryptography infrastructure) technology and provides accurate and reliable timestamp service for the outside. The method adopts an accurate time source and a high-intensity and high-standard security mechanism to confirm the existence of system processing data at a certain time and the relative time sequence of related operations, and provides basic service for time denial prevention in an information system.
In one example, obtaining the timestamp of the code signature includes: a timestamp request is sent to a timestamp server and a valid timestamp of the timestamp server response is received.
In one example, obtaining the timestamp of the code signature includes: the timestamp is generated based on a code signing system when code signing is performed.
According to the embodiment of the present invention, the acquiring module 530 acquires the status of the code signature certificate when the code is signed, including:
and acquiring an OCSP address or a CRL issuing point based on the code signing certificate, automatically acquiring the state of the code signing certificate, or manually inquiring the state of the code signing certificate during code signing and setting.
Wherein CRL (Certificate Revocation List) lists serial numbers of certificates that are considered to be unusable any more; OCSP (Online Certificate Status Protocol) overcomes the major drawback that CRL must be frequently downloaded at the client to ensure the update of the list, such as when a user attempts to access a server, OCSP sends a request for Certificate Status information, and the server replies with a "valid", "expired" or "unknown" response indicating the Status information of the digital Certificate.
In one example, the information obtaining module 530 obtains the OCSP address or the CRL issuing point based on the code signing certificate and automatically obtains the code signing certificate status, including:
obtaining an OCSP address or a CRL issuing point according to the code signing certificate;
if the OCSP address is the OCSP address, obtaining an OCSP response of the code signing certificate from the OCSP address through an OCSP protocol;
and if the CRL is the CRL distribution point, acquiring the CRL through the CRL distribution point.
In one example, the setting is performed after manually inquiring the code signature certificate status when the code is signed, including:
when the code signing is carried out and the networking cannot be carried out, the certificate revoking information can be obtained in other modes and manually copied into the code signing system.
In one example, obtaining the code signature certificate status when the code signature is obtained may further include:
and a self-defined certificate state format based on a code signing system, wherein the self-defined certificate state format comprises a signature of a CA center and represents that the state in the self-defined certificate state format is credible.
According to an embodiment of the present invention, the code signature result generated by the packaging module 540 includes: a data portion and a signature portion, wherein the data portion includes the data packet and the data packet description information, and the signature portion includes a policy for the code signature, a code signature certificate, the timestamp, and the code signature certificate status.
In one example, the data portion further comprises: packet policy information.
In one example, the code signing policy further comprises: an algorithm of the code signature.
Next, the verification apparatus 6 of the packet code signature according to the embodiment of the present invention will be described with reference to fig. 6. As shown in fig. 6, a verification apparatus 6 for a packet code signature includes:
a data module 610, configured to receive a data packet to be verified;
a first verification module 620, configured to verify the data packet to be verified based on a second key;
an information query module 630, configured to obtain a timestamp and a code signature certificate state in the to-be-verified data packet;
a second verification module 640, configured to verify the timestamp to determine whether the time of the code signature is authentic, and verify whether the code signature certificate status is valid;
when the timestamp is accurate and the code signing certificate status is valid, the verification is successful.
The data receiving user can determine the time of software code signature through the timestamp and the state of the certificate in front of the code in the data packet to be verified, verify whether the certificate is revoked by a certificate issuing organization when the code signature action occurs through the certificate state information, and judge that the code signature verification fails if the certificate is found not to be in a valid state according to the verification result, so that the reliability of the code signature of the safety verification is enhanced, and the information safety is further ensured.
In one example, the second key comprises a public key of the signed user. Wherein the public key may be obtained through a code signing certificate.
Optionally, the first verification module 620 may decrypt and verify or directly authenticate the data packet to be verified based on the second key by using an SM2 algorithm, an RSA algorithm, or an ECC algorithm (elliptic curve algorithm). It will be appreciated that the algorithm of the verification process corresponds to the algorithm employed for code signing, for example the SM2 algorithm is employed for code signing, and accordingly the SM2 algorithm is also employed for verification.
In one example, the first verification module 620 verifies the data packet to be verified based on the second key by using RSA algorithm, including:
acquiring a code signature certificate from a data packet to be verified;
obtaining a public key of the signature user based on the code signature certificate;
decrypting the data packet to be verified by adopting the public key to obtain a signed hash;
performing single hash calculation on an original data packet in the data packet to be verified to generate a calculation hash;
comparing the signed hash to the computed hash for verification.
If the signed hash is the same as the calculated hash, the data content is not changed and is reliable data; if the signed hash and the computed hash are different, it is indicated that the data content may change.
In one example, when the verifying the data packet to be verified based on the second key employs an ECC algorithm, the verifying may further include: ECDSA (elliptic curve digital signature) algorithm or SM2 algorithm.
In one example, when the SM2 algorithm is used for verifying the data packet to be verified based on the second key, the method may be based on a national standard: GB/T32918.2, part 2 of the SM2 elliptic curve public key cryptography algorithm: digital signature algorithm.
According to an embodiment of the present invention, the second verifying module 640 verifying the timestamp to determine whether the time of the code signature is authentic includes:
obtaining OCSP data or CRL data in the code signature;
checking whether the timestamp is within the valid time shown by the OCSP data or within the valid time shown by the CRL data;
and if the time stamp is within the valid time shown by the OCSP data or within the valid time shown by the CRL data, the time of the code signature is credible.
According to the embodiment of the present invention, the verifying whether the code signing certificate status is valid by the second verifying module 640 includes:
obtaining OCSP data or CRL data in the code signature;
inquiring whether the state of the code signing certificate shown by the OCSP data is valid or not, or whether the information shown by the CRL data comprises the code signing certificate or not;
and if the code signing certificate state shown by the OCSP data is valid or the code signing certificate is not included in the information shown by the CRL data, the code signing certificate state is valid.
Fig. 7 shows a schematic block diagram of a packet code signing system 700 according to an embodiment of the present invention. The packet code signing system 700 includes a storage device 710, and a processor 720.
The storage 710 stores program codes for implementing respective steps in a packet code signing method according to an embodiment of the present invention.
The processor 720 is configured to run the program codes stored in the storage device 710 to perform the corresponding steps of the data packet code signing method according to the embodiment of the present invention, and is configured to implement all the above-mentioned modules in the data packet code signing apparatus according to the embodiment of the present invention.
Furthermore, according to an embodiment of the present invention, there is also provided a storage medium on which program instructions are stored, which when executed by a computer or a processor are used for executing the corresponding steps of the data package code signing method according to an embodiment of the present invention, and for implementing the corresponding modules in the data package code signing apparatus according to an embodiment of the present invention. The storage medium can be any combination of one or more computer-readable storage media, such as one containing computer-readable program code for randomly generating sequences of action instructions and another containing computer-readable program code for signing data packet code.
In one embodiment, the computer program instructions may implement the functional modules of the data packet code signing apparatus according to the embodiment of the present invention when executed by a computer, and/or may perform the data packet code signing and the verification method thereof according to the embodiment of the present invention.
The modules in the data package code signing system according to the embodiment of the present invention may be implemented by a processor of an electronic device for data package code signing according to the embodiment of the present invention running computer program instructions stored in a memory, or may be implemented when computer instructions stored in a computer readable storage medium of a computer program product according to the embodiment of the present invention are run by a computer.
According to the data packet code signature and verification method, device, system and storage medium of the data packet code signature, the signature packet contains the state information of the certificate during code signature action, so that the safety of the code signature and verification process is enhanced, and an attacker is prevented from issuing software carrying malicious programs, trojans and viruses in a mode of revoking the code signature certificate under the condition that a developer key is leaked or a key medium is lost, so that the safety of the code signature and verification is improved, and the user experience is guaranteed.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer data and electronic hardware. Whether such functionality is implemented as hardware or data depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
Although the illustrative embodiments have been described herein with reference to the accompanying drawings, it is to be understood that the foregoing illustrative embodiments are merely exemplary and are not intended to limit the scope of the invention thereto. Various changes and modifications may be effected therein by one of ordinary skill in the pertinent art without departing from the scope or spirit of the present invention. All such changes and modifications are intended to be included within the scope of the present invention as set forth in the appended claims.
It will be understood by those skilled in the art that all of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where such features are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Various component embodiments of the invention may be implemented in hardware, or in data modules running on one or more processors, or in a combination thereof. It will be appreciated by those skilled in the art that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functionality of some of the modules in an item analysis apparatus according to embodiments of the present invention. The present invention may also be embodied as apparatus programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
The above description is only for the specific embodiment of the present invention or the description thereof, and the protection scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and the changes or substitutions should be covered within the protection scope of the present invention. The protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (10)
1. A method for packet code signing, the method comprising:
receiving a data packet code signing request of a signing user, and acquiring a data packet to be signed;
code signing is carried out on the data packet based on the first secret key to obtain code signing data; acquiring a timestamp of the code signature and a code signature certificate state when the code is signed; packaging the timestamp and the code signature certificate state into the code signature data to obtain a code signature result of the data packet;
alternatively, the first and second electrodes may be,
and acquiring a timestamp and a code signature certificate state, and performing code signature on the data packet based on the timestamp and the code signature certificate state to obtain a code signature result containing the timestamp and the code signature certificate state.
2. The method of claim 1, wherein obtaining the timestamp of the code signature comprises: and acquiring the time stamp when the code signature is acquired based on a time stamp service, or generating the time stamp when the code signature is carried out.
3. The method of claim 1, wherein obtaining a code signature certificate status at the time of the code signature comprises:
and acquiring an OCSP address or a CRL issuing point based on the code signing certificate, automatically acquiring the state of the code signing certificate, or manually inquiring the state of the code signing certificate during code signing and setting.
4. The method of claim 1, wherein the code signing result comprises: a data portion and a signature portion, wherein the data portion includes the data packet and the data packet description information, and the signature portion includes a policy for the code signature, a code signature certificate, the timestamp, and the code signature certificate status.
5. A method for verifying a code signature of a data packet, the method comprising:
receiving a data packet to be verified code signed by the method of any one of claims 1-4;
verifying the data packet to be verified based on a second key;
acquiring a timestamp and a code signature certificate state in the data packet to be verified;
verifying the timestamp to determine whether the time of the code signature is authentic and verifying whether the code signature certificate status is valid;
the verification is successful when the timestamp is authentic and the code signing certificate status is valid.
6. The method of claim 5, wherein verifying the timestamp to determine whether the time of the code signature is authentic comprises:
obtaining OCSP data or CRL data in the code signature;
comparing the time of the code signature with the verification periods of the timestamp, the OCSP data and/or the CRL data, respectively;
verifying whether the time point in the time stamp is within the valid time shown by the OCSP data or within the valid time shown by the CRL data;
if the timestamp is within the validity time shown by the OCSP data or within the validity time shown by the CRL data, then the time of the code signature is trusted.
7. The method of claim 5, wherein verifying that the code signing certificate status is valid comprises:
obtaining OCSP data or CRL data in the code signature;
inquiring whether the state of the code signing certificate contained in the OCSP is valid or not, or checking whether the CRL data comprises the code signing certificate or not;
and if the code signing certificate state contained in the OCSP data is valid or the code signing certificate is not contained in the CRL data information, the code signing certificate state is valid.
8. A packet code signing apparatus, said apparatus comprising:
the receiving module is used for receiving a data packet code signing request of a signing user and acquiring the data packet to be signed;
the signature module is used for carrying out code signature on the data packet based on the first secret key to obtain code signature data;
the information acquisition module is used for acquiring the timestamp and the state of the code signature certificate;
the packaging module is used for packaging the timestamp and the code signature certificate state into the code signature data to obtain a code signature result of the data packet; alternatively, the first and second electrodes may be,
and the code signing module is used for carrying out code signing on the data packet based on the timestamp and the code signing certificate state to obtain a code signing result containing the timestamp and the code signing certificate state.
9. A data packet code signing system comprising a memory, a processor and a computer program stored on said memory and running on said processor, wherein the steps of the method of any one of claims 1 to 7 are implemented when said computer program is executed by said processor.
10. A computer storage medium having a computer program stored thereon, wherein the computer program, when executed by a computer, implements the steps of the method of any of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910934315.6A CN110704815A (en) | 2019-09-29 | 2019-09-29 | Data packet code signature and verification method, device, system and storage medium thereof |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910934315.6A CN110704815A (en) | 2019-09-29 | 2019-09-29 | Data packet code signature and verification method, device, system and storage medium thereof |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN110704815A true CN110704815A (en) | 2020-01-17 |
Family
ID=69196556
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910934315.6A Pending CN110704815A (en) | 2019-09-29 | 2019-09-29 | Data packet code signature and verification method, device, system and storage medium thereof |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110704815A (en) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101479736A (en) * | 2006-06-29 | 2009-07-08 | 西姆毕恩软件有限公司 | Revoking malware in a computing device |
| CN102724042A (en) * | 2012-06-19 | 2012-10-10 | 江苏买卖网电子商务有限公司 | Third-party platform electronic contracting system based on electronic signature technology |
| CN104065484A (en) * | 2014-06-26 | 2014-09-24 | 江苏买卖网电子商务有限公司 | Electronic contract platform realizing method based on SDK message and digital signature |
| CN106209379A (en) * | 2016-07-04 | 2016-12-07 | 江苏先安科技有限公司 | A kind of Android APK countersignature verification method |
| CN106953730A (en) * | 2016-01-07 | 2017-07-14 | 上海格尔软件股份有限公司 | The safety method of the Windows code signatures containing timestamp is realized under physical isolation network environment |
| CN107294706A (en) * | 2017-06-09 | 2017-10-24 | 飞天诚信科技股份有限公司 | It is a kind of to support the endorsement method of long-term checking signature, sign server and system |
-
2019
- 2019-09-29 CN CN201910934315.6A patent/CN110704815A/en active Pending
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101479736A (en) * | 2006-06-29 | 2009-07-08 | 西姆毕恩软件有限公司 | Revoking malware in a computing device |
| CN102724042A (en) * | 2012-06-19 | 2012-10-10 | 江苏买卖网电子商务有限公司 | Third-party platform electronic contracting system based on electronic signature technology |
| CN104065484A (en) * | 2014-06-26 | 2014-09-24 | 江苏买卖网电子商务有限公司 | Electronic contract platform realizing method based on SDK message and digital signature |
| CN106953730A (en) * | 2016-01-07 | 2017-07-14 | 上海格尔软件股份有限公司 | The safety method of the Windows code signatures containing timestamp is realized under physical isolation network environment |
| CN106209379A (en) * | 2016-07-04 | 2016-12-07 | 江苏先安科技有限公司 | A kind of Android APK countersignature verification method |
| CN107294706A (en) * | 2017-06-09 | 2017-10-24 | 飞天诚信科技股份有限公司 | It is a kind of to support the endorsement method of long-term checking signature, sign server and system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102271042B (en) | Certificate authorization method, system, universal serial bus (USB) Key equipment and server | |
| CN101145906B (en) | Method and system for authenticating legality of receiving terminal in unidirectional network | |
| CN105721500B (en) | A kind of safe Enhancement Method of the Modbus/TCP agreement based on TPM | |
| EP2659373B1 (en) | System and method for secure software update | |
| EP2882156B1 (en) | Computer implemented method and a computer system to prevent security problems in the use of digital certificates in code signing and a computer program product thereof | |
| CN110401615B (en) | Identity authentication method, device, equipment, system and readable storage medium | |
| WO2009158086A2 (en) | Techniques for ensuring authentication and integrity of communications | |
| KR20080030359A (en) | Method for integrity attestation of a computing platform hiding its configuration information | |
| CN105227319A (en) | A kind of method of authentication server and device | |
| CN105635070B (en) | Anti-counterfeiting method and system for digital file | |
| WO2016019790A1 (en) | Verification method, client, server and system for installation package | |
| CN109831311B (en) | Server verification method, system, user terminal and readable storage medium | |
| CN104753881A (en) | WebService security certification access control method based on software digital certificate and timestamp | |
| CN113596046A (en) | Bidirectional authentication method and device | |
| WO2017191472A1 (en) | A verification system and method | |
| WO2008001060A1 (en) | Revoking malware in a computing device | |
| CN112887282A (en) | Identity authentication method, device and system and electronic equipment | |
| TW201539239A (en) | Server, user device, and method of interaction between user device and server | |
| CN114726536A (en) | Timestamp generation method and device, electronic equipment and storage medium | |
| CN112600831B (en) | Network client identity authentication system and method | |
| US11399020B2 (en) | System and method for authenticating server identity during connection establishment with client machine | |
| CN110034922B (en) | Request processing method, processing device, request verification method and verification device | |
| CN107241341B (en) | Access control method and device | |
| CN115242471B (en) | Information transmission method, information transmission device, electronic equipment and computer readable storage medium | |
| KR20130100032A (en) | Method for distributting smartphone application by using code-signing scheme |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB03 | Change of inventor or designer information | ||
| CB03 | Change of inventor or designer information |
Inventor after: Li Xiangfeng Inventor after: Liu Wei Inventor before: Li Xiangfeng Inventor before: Liu Wei |
|
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20200117 |