CN110855445A - Block chain-based certificate management method and device and storage equipment - Google Patents


Info

Publication number: CN110855445A
Application number: CN201911088180.2A
Authority: CN (China)
Prior art keywords: certificate, target, certificate information, information, target certificate
Prior art date:
Legal status: Granted (as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN110855445B (en)
Inventor: 刘攀
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Priority date:
Filing date:
Publication date:
Events: application filed by Tencent Technology Shenzhen Co Ltd; priority to CN201911088180.2A; publication of CN110855445A; application granted; publication of CN110855445B; legal status active; anticipated expiration

Classifications

    • H: Electricity
      • H04: Electric communication technique
        • H04L: Transmission of digital information, e.g. telegraphic communication
          • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
            • H04L 9/32: including means for verifying the identity or authority of a user of the system or for message authentication (authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials)
              • H04L 9/3247: involving digital signatures
              • H04L 9/3263: involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
                • H04L 9/3268: using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
          • H04L 67/00: Network arrangements or protocols for supporting network services or applications
            • H04L 67/01: Protocols
              • H04L 67/10: Protocols in which an application is distributed across nodes in the network
                • H04L 67/1097: for distributed storage of data in networks, e.g. network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Abstract

The embodiments of the invention provide a blockchain-based certificate management method, a certificate management apparatus and a storage device. The method comprises: receiving target certificate information from a certificate issuing device, where the target certificate information is the certificate information issued by the certificate issuing device for a certificate applying device; if the target certificate information satisfies the storage condition, recording it and carrying out a first consensus in the blockchain network; if the blockchain network reaches the first consensus, updating the blockchain certificate-storage contract according to the target certificate information to obtain a first blockchain certificate-storage contract, in which the state corresponding to the target certificate information is active and available; and adding the first blockchain certificate-storage contract to the blockchain ledger of the blockchain network. With the embodiments of the invention, a certificate can be effectively prevented from being lost or tampered with, so the security of the certificate is improved.

Description

Block chain-based certificate management method and device and storage equipment
Technical Field
The present invention relates to the field of information processing technologies, and in particular to a blockchain-based certificate management method and apparatus and a storage device.
Background
An academic certificate is a diploma issued by a school or other institution implementing academic education within the education system to a person who has completed the learning tasks of a given stage of that system. An academic certificate may include information such as the academic level (for example, junior college or undergraduate), the graduate, the certificate number, and so on.
Currently, schools and other educational institutions issue paper academic certificates to prove a person's educational history. However, a paper certificate is easily lost or tampered with, and once that happens the holder has great difficulty proving their educational history when required to do so.
Disclosure of Invention
Embodiments of the present invention provide a blockchain-based certificate management method, apparatus and storage device that can effectively prevent a certificate from being lost or tampered with, thereby improving the security of the certificate.
In a first aspect, an embodiment of the present invention provides a blockchain-based certificate management method, which includes:
receiving target certificate information from a certificate issuing device, the target certificate information being certificate information issued by the certificate issuing device for a certificate applying device;
if the target certificate information satisfies the storage condition, recording the target certificate information and carrying out a first consensus in the blockchain network;
if the blockchain network reaches the first consensus, updating the blockchain certificate-storage contract according to the target certificate information to obtain a first blockchain certificate-storage contract, in which the state corresponding to the target certificate information is active and available; and
adding the first blockchain certificate-storage contract to the blockchain ledger of the blockchain network.
In one embodiment, the target certificate information includes a certificate identifier and the identity identifier of the certificate issuing device. If no certificate with that certificate identifier has been stored and the identity identifier of the certificate issuing device is legal, the target certificate information is determined to satisfy the storage condition. Checking that the certificate identifier is not already stored prevents duplicate storage; checking the identity identifier confirms that the issuer is an authorized certificate issuing device. For security the second check is the one that matters: a node must verify the issuer's identity against an authoritative list held by the network rather than trust an identifier supplied by the sender, since the identifier by itself is not proof of identity.
In one embodiment, a revocation request is received from a revoking device. The revocation request includes the certificate identifier of the target certificate information and is used to request revocation of the target certificate information corresponding to that identifier. If the revocation request satisfies the revocation condition, the target certificate information is revoked and a second consensus is carried out in the blockchain network; if the blockchain network reaches the second consensus, the first blockchain certificate-storage contract is updated to obtain a second blockchain certificate-storage contract, in which the state corresponding to the target certificate information is revoked.
In one embodiment, the revocation request further includes the identity identifier of the revoking device. If target certificate information corresponding to the certificate identifier exists, its state is active and available, and the identity identifier of the revoking device is determined to be legal according to the identity identifier list, the revocation request is determined to satisfy the revocation condition.
In one embodiment, a status query request for the target certificate information is received from the certificate issuing device, carrying the certificate identifier of the target certificate information; the state corresponding to the target certificate information is looked up by the certificate identifier; and a status query response is sent to the certificate issuing device indicating that the state corresponding to the target certificate information is active and available, revoked, or not stored.
In one embodiment, the target certificate information includes a signature of the certificate issuing device and a public key identifier of the certificate issuing device. When a legality query request for the target certificate information is received from a querying device, whether the signature is legal is verified according to the public key identifier, and a legality query response is sent to the querying device according to the verification result. The response indicates one of three outcomes: the signature is legal; the signature is not legal; or the signature is legal but the public key of the certificate issuing device is in the revoked state.
Specifically, the public key value and the current state of the public key (active and available, or revoked) are obtained from the public key identifier. In one possible mode, the first digest, that is, the digest of the certificate content over which the certificate issuing device generated the signature with its private key, is obtained; the signature is decrypted with the public key value to obtain a second digest; if the first digest equals the second digest, the signature of the certificate issuing device is legal, otherwise it is not. In another possible mode, the public key issued to the certificate issuing device by the certificate authority (CA) is obtained from the CA and used to decrypt the signature, yielding a first digest; the signature is then decrypted with the public key value corresponding to the on-chain public key identifier, yielding a second digest; if the two digests are equal the signature is legal, otherwise it is not. Two caveats for implementers: "decrypting a signature with the public key to recover a digest" describes textbook RSA; for schemes such as ECDSA or Ed25519 there is no recoverable digest, and the equivalent step is running the scheme's verify operation over the signed content with the public key. And comparing two recoveries of the same signature, as in the second mode, establishes only that the on-chain key agrees with the CA-issued key; to establish that the signature covers this certificate's content, the recovered digest must still be compared with a digest computed from the content, as in the first mode.
In one implementation, a revocation query request is received from a querying device, carrying the certificate identifier of the target certificate information; the target certificate information is looked up by the certificate identifier; and if it is found and its state is revoked, a revocation query response is sent to the querying device indicating that the target certificate information has been revoked.
In a second aspect, an embodiment of the present invention provides a certificate management apparatus, which includes a transceiving unit and a processing unit.
The transceiving unit is configured to receive target certificate information from the certificate issuing device, the target certificate information being certificate information issued by the certificate issuing device for the certificate applying device.
The processing unit is configured to: if the target certificate information satisfies the storage condition, record the target certificate information and carry out a first consensus in the blockchain network; if the blockchain network reaches the first consensus, update the blockchain certificate-storage contract according to the target certificate information to obtain a first blockchain certificate-storage contract, in which the state corresponding to the target certificate information is active and available; and add the first blockchain certificate-storage contract to the blockchain ledger of the blockchain network.
In a third aspect, an embodiment of the present invention provides a certificate management apparatus comprising a processor and a memory coupled to each other. The memory is configured to store a computer program comprising program instructions, and the processor is configured to call those program instructions to perform the operations of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a storage device, which may include a computer-readable storage medium storing a computer program comprising program instructions that, when executed by a processor, cause the processor to execute the method of the first aspect.
According to the embodiments of the invention, the certificate is stored on the blockchain through the blockchain certificate-storage contract, so the certificate can be effectively prevented from being lost or tampered with and its security is improved. Even if a person's paper certificate is lost, the certificate can be retrieved or proven through the blockchain, which is convenient for the holder. An enterprise (such as a recruiting company) or an educational institution can verify a certificate presented by someone else through the blockchain, which makes verification convenient for them.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1A is a schematic diagram of a data sharing system;
FIG. 1B is a schematic diagram of a blockchain;
FIG. 2 is a diagram showing an example of the structure of a Merkle tree;
FIG. 3 is a diagram of a network architecture to which embodiments of the present invention are applied;
fig. 4 is a flowchart illustrating a certificate management method according to an embodiment of the present invention;
fig. 5 is a flowchart illustrating another certificate management method according to an embodiment of the present invention;
fig. 6 is a flowchart illustrating another certificate management method according to an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a certificate management apparatus according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of another certificate management apparatus according to an embodiment of the present invention.
Detailed Description
Before describing embodiments of the present invention, names or terms related to the embodiments of the present invention will be described.
(1) Data sharing system and block chain
Referring to the data sharing system shown in fig. 1A, the data sharing system 100 refers to a system for performing data sharing between nodes, the data sharing system may include a plurality of nodes 101, and the plurality of nodes 101 may refer to respective clients in the data sharing system. Each node 101 may receive input information while operating normally and maintain shared data within the data sharing system based on the received input information. In order to ensure information intercommunication in the data sharing system, information connection can exist between each node in the data sharing system, and information transmission can be carried out between the nodes through the information connection. For example, when an arbitrary node in the data sharing system receives input information, other nodes in the data sharing system acquire the input information according to a consensus algorithm, and store the input information as data in shared data, so that the data stored on all the nodes in the data sharing system are consistent.
Each node in the data sharing system has a corresponding node identifier, and each node may store the node identifiers of the other nodes in the system, so that a generated block can later be broadcast to those nodes according to their identifiers. Each node may maintain a node identifier list such as Table 1, storing node names together with node identifiers. The node identifier may be an Internet Protocol (IP) address or any other information that can identify the node; Table 1 uses IP addresses as the example. The values are illustrative only (119.123.789.258 is not a valid IPv4 address, since each octet is at most 255).
Table 1
Node name   Node identifier
Node 1      117.114.151.174
Node 2      117.116.189.145
Node N      119.123.789.258
The data sharing system may also be called a blockchain network, and its nodes blockchain nodes. Every blockchain node in the network stores an identical copy of the blockchain. Referring to fig. 1B, the blockchain consists of a sequence of blocks. The starting (genesis) block contains a block header and a block body: the header stores the hash of the input information (its characteristic value), a version number, a timestamp and a difficulty value, and the body stores the input information itself. The next block takes the starting block as its parent; it too has a header and a body, and its header stores the hash of its own input information, the hash of the parent's block header, a version number, a timestamp, a difficulty value, and so on. In this way the block data in each block is bound to the data in its parent block: any modification of an earlier block changes the header hash that every later block commits to, which is what makes the input information in the chain tamper-evident. Rewriting history therefore requires redoing the proof of work described below for the altered block and every block after it, which makes tampering expensive rather than merely detectable.
When a block is generated, the node holding the blockchain verifies input information as it is received, stores it in a memory pool after verification, and updates the hash tree that records the input information; it then sets the timestamp to the time the input information was received and tries different random numbers, computing the characteristic value repeatedly until it satisfies the following inequality:
SHA256(SHA256(version+prev_hash+merkle_root+ntime+nbits+x))<TARGET
where SHA256 is the hash function used to compute the characteristic value; version is the version of the block protocol in the blockchain; prev_hash is the block header hash of the parent of the current block; merkle_root is the hash (Merkle root) of the input information; ntime is the updated timestamp; nbits is the current difficulty, which is fixed for a period of time and re-determined once that period elapses; x is the random number (nonce); and TARGET is the threshold, which is derived from nbits.
Once a random number satisfying the inequality is found, the node stores the information and generates the block header and block body to obtain the current block. The node then sends the newly generated block to the other blockchain nodes in the network according to their node identifiers; each of those nodes verifies the block and, after verification succeeds, appends it to its own copy of the blockchain.
A blockchain is a novel application of computer technologies such as distributed data storage, peer-to-peer transmission, consensus mechanisms and cryptographic algorithms. Essentially a decentralized database, it is a chain of data blocks linked by cryptographic methods; each block contains a batch of network transactions and is used to verify the validity of that information (resisting forgery) and to generate the next block.
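The inequality above worked through in code. This is an added example, not code from the patent: it assumes the Bitcoin-style header serialization (little-endian 4-byte integers, 32-byte hashes in reversed byte order, nbits in the compact exponent/mantissa encoding), which the page does not specify. The known-answer constant GENESIS is the public Bitcoin genesis block header, included because that chain uses exactly this rule and so it checks the serialization; demo() then mines one block on top of it with a constructed body and a deliberately easy difficulty so the search finishes in well under a second.

```python
import hashlib
import struct


def target_from_nbits(nbits):
    """Expand the compact nbits difficulty (1-byte exponent, 3-byte mantissa) into TARGET."""
    exponent, mantissa = nbits >> 24, nbits & 0x007FFFFF
    return mantissa << (8 * (exponent - 3)) if exponent > 3 else mantissa >> (8 * (3 - exponent))


def header_hash(version, prev_hash, merkle_root, ntime, nbits, nonce):
    """SHA256(SHA256(version+prev_hash+merkle_root+ntime+nbits+x)) as an integer.
    Assumed serialization: little-endian 4-byte ints, 32-byte hashes in reversed byte order."""
    header = (struct.pack("<I", version) + prev_hash[::-1] + merkle_root[::-1]
              + struct.pack("<III", ntime, nbits, nonce))
    return int.from_bytes(hashlib.sha256(hashlib.sha256(header).digest()).digest()[::-1], "big")


def verify_header(version, prev_hash, merkle_root, ntime, nbits, nonce):
    """The check every other node performs on a received block before appending it."""
    return header_hash(version, prev_hash, merkle_root, ntime, nbits, nonce) < target_from_nbits(nbits)


def mine(version, prev_hash, merkle_root, ntime, nbits, max_nonce=1 << 32):
    """Try successive random numbers x until the characteristic value falls below TARGET."""
    target = target_from_nbits(nbits)
    for x in range(max_nonce):
        value = header_hash(version, prev_hash, merkle_root, ntime, nbits, x)
        if value < target:
            return x, value
    raise RuntimeError("nonce space exhausted: update ntime and retry")


# Known answer: the public Bitcoin genesis block header, which follows exactly this rule.
GENESIS = dict(version=1, prev_hash=bytes(32),
               merkle_root=bytes.fromhex("4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b"),
               ntime=1231006505, nbits=0x1D00FFFF, nonce=2083236893)
GENESIS_HASH = 0x000000000019D6689C085AE165831E934FF763AE46A2A6C172B3F1B60A8CE26F


def demo():
    """Mine one block on top of the genesis hash: constructed body, easy nbits (about 2^16 tries)."""
    merkle_root = hashlib.sha256(b"constructed batch of certificate records").digest()
    prev_hash, ntime, nbits = GENESIS_HASH.to_bytes(32, "big"), 1573000000, 0x1F00FFFF
    nonce, value = mine(2, prev_hash, merkle_root, ntime, nbits)
    return {"nonce": nonce, "value": value, "target": target_from_nbits(nbits),
            "accepted": verify_header(2, prev_hash, merkle_root, ntime, nbits, nonce),
            "genesis_ok": header_hash(**GENESIS) == GENESIS_HASH}
```

verify_header is the cheap side of the asymmetry: one double hash and a comparison, versus the search in mine. Changing any header field after the fact (the Merkle root, say, to swap a stored certificate) changes the value and, with overwhelming probability, puts it above TARGET, so the nonce has to be found again for that block and every block built on it.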
(2) Merkel tree
A Merkle tree (Merkle Tree) is a binary or multi-way tree built from hash values: the value at each leaf is typically the hash of a data block, the value at each intermediate node is the hash of the concatenation of its two adjacent child nodes, and the value at the root is the hash of the concatenation of the root's children.
For example, in the Merkle tree of fig. 2, D0 to D3 are four data blocks; leaf N0 holds the hash of D0, N1 the hash of D1, N2 the hash of D2 and N3 the hash of D3; intermediate node N4 holds the hash of N0 and N1 combined, and N5 the hash of N2 and N3 combined; and the root holds the hash of N4 and N5 combined.
Merkle trees are generally used for integrity verification, where they greatly reduce the amount of data that must be transmitted and the computation required: proving that one block belongs to the tree needs only the sibling hashes along the path from that leaf to the root (log2 of the number of leaves), not the whole data set. The root hash is typically stored in the block header, while the leaf and intermediate hashes are stored in the block body.
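The tree of fig. 2 together with the inclusion proof the paragraph above refers to, as an added example that is not part of the patent. SHA-256 as the hash, left-to-right concatenation of children, and duplicating the last node of an odd-sized level are all assumptions the page does not state; the data blocks are constructed. The example goes beyond fig. 2 in handling any number of leaves, which is what a verifier receiving a proof for a block body of arbitrary size needs.

```python
import hashlib


def _h(data):
    return hashlib.sha256(data).digest()


def _pad(level):
    """Odd-sized level: duplicate the last node so every node has a sibling (assumption)."""
    return level + [level[-1]] if len(level) % 2 else level


def build_levels(blocks):
    """All levels, leaves first: [[N0, N1, N2, N3], [N4, N5], [root]] for the tree of fig. 2."""
    level = [_h(d) for d in blocks]
    levels = [level]
    while len(level) > 1:
        level = _pad(level)
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(blocks):
    return build_levels(blocks)[-1][0]


def inclusion_proof(blocks, index):
    """Sibling hashes from the leaf up to the root: all a verifier needs besides the root."""
    path = []
    for level in build_levels(blocks)[:-1]:
        level = _pad(level)
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))      # (hash, sibling_is_left)
        index //= 2
    return path


def verify_inclusion(block, path, root):
    """Recompute the path to the root from the block alone; True iff it lands on the root."""
    node = _h(block)
    for sibling, sibling_is_left in path:
        node = _h(sibling + node) if sibling_is_left else _h(node + sibling)
    return node == root


def demo():
    blocks = [b"D0: cert-0001", b"D1: cert-0002", b"D2: cert-0003", b"D3: cert-0004"]  # constructed
    root = merkle_root(blocks)
    # the root of fig. 2 written out by hand: hash(hash(N0+N1) + hash(N2+N3))
    by_hand = _h(_h(_h(blocks[0]) + _h(blocks[1])) + _h(_h(blocks[2]) + _h(blocks[3])))
    proof = inclusion_proof(blocks, 2)                      # proves D2 with two sibling hashes
    return {"matches_figure": root == by_hand, "proof_len": len(proof),
            "genuine": verify_inclusion(blocks[2], proof, root),
            "tampered": verify_inclusion(b"D2: cert-9999", proof, root)}
```

A querying device that holds only the trusted root (from the block header) can check one certificate record from the block body by fetching that record plus the proof, two hashes here instead of the other three records; the altered record fails because its leaf hash, and so every hash above it, changes.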
(3) Blockchain certificate-storage contract
In the embodiments of the invention, the blockchain certificate-storage contract is a smart contract used for storing certificates. A smart contract (Smart Contract) is a set of commitments defined, propagated, verified or executed in digital form, including the protocol by which the contract participants carry out those commitments. Smart contracts allow trusted transactions to be conducted without third parties; such transactions are traceable and irreversible.
In view of the disadvantages of paper certificates, embodiments of the present invention provide a blockchain-based certificate management method and apparatus and a storage device that can effectively prevent a certificate from being lost or tampered with, thereby improving the security of the certificate.
The certificates may include, but are not limited to, academic certificates issued by educational institutions (for example, junior college or undergraduate academic certificates), degree certificates (for example, a bachelor's degree certificate), and professional qualification or skill certificates (for example, psychological counsellor or human resources manager certificates). The certificate may also be an academic trusted declaration certificate, a degree trusted declaration certificate, a skill trusted declaration certificate, a qualification trusted declaration certificate, and the like. An academic trusted declaration certificate is a certificate declaring that an academic record is trustworthy, and the other trusted declaration certificates are analogous. The embodiments of the invention are described using the academic trusted declaration certificate as the example.
Referring to fig. 3, which shows the network architecture to which an embodiment of the present invention applies, the network architecture 200 includes a certificate applying device 201, a certificate issuing device 202, a blockchain network 204 and, optionally, a querying device 203. The number and form of the devices in fig. 3 are examples only and do not limit the embodiments; for instance, two certificate applying devices (201a and 201b) are shown.
The certificate applying device 201, certificate issuing device 202 and querying device 203 may be mobile phones (smartphones), tablet computers, personal computers, notebooks, laptops, Mobile Internet Devices (MIDs), and the like.
The certificate applying device 201 applies for a certificate and may belong to the educated person or graduate. The certificate issuing device 202 issues certificates and may belong to an educational institution, a school or an education authority. The querying device 203 queries whether a certificate is legitimate and may belong to a recruiting enterprise or recruiter, or to a graduate.
Taking the academic trusted declaration certificate as an example, in one possible implementation the certificate issuing device 202 sends a request message to the certificate applying device 201 asking it to return the information relevant to the trusted declaration (for example academic level, graduation time, graduating institution). On receiving the request, the certificate applying device 201 takes the declaration-related information entered by the graduate and sends a response message containing it to the certificate issuing device 202. On receiving the response, the certificate issuing device 202 generates an academic trusted declaration certificate from it. The certificate includes a certificate identifier (ID), certificate content, certificate metadata and a signature.
The certificate identifier uniquely identifies the academic trusted declaration certificate. The certificate content may include the academic level, graduation time, graduate and similar information. The certificate metadata may include the creation time (the time the certificate was issued), the identifier of the certificate issuing device, the graduate ID, the expiration time (the time at which the trusted declaration certificate expires), the revocation mechanism, and so on. The signature comprises the signature of the certificate issuing device (that is, of the education authority) together with the public key identifier of the certificate issuing device. The asymmetric key pair of the certificate issuing device may be issued to it by a Certificate Authority (CA). The graduate ID may be assigned by the certificate issuing device or may be the graduate ID printed in the academic certificate. Since the signature is what the legality query later checks, it should cover the certificate identifier, content and metadata together; signing only part of the certificate would leave the rest open to modification without detection.
In another possible implementation, the certificate applying device 201 sends an application message to the certificate issuing device 202 containing the declaration-related information entered by the graduate, and the certificate issuing device 202 generates the academic trusted declaration certificate from the application message.
In yet another implementation, the certificate issuing device 202 generates the academic trusted declaration certificate from academic records it already holds. For example, if the certificate issuing device 202 belongs to an education authority, the authority may generate a certificate for each graduate when that graduate's academic information is entered into the device.
After generating the academic trusted declaration certificate, the certificate issuing device 202 may send it to the blockchain network 204, which saves it in the blockchain certificate-storage contract and marks its state as active and available. A querying device 203 can then send a legality query request to the blockchain network 204 to check whether a graduate's academic trusted declaration certificate was issued by a legitimate educational institution, which prevents others from forging academic records.
The certificate issuing device 202 may also send the academic trusted declaration certificate to the certificate applying device 201, using a secure transmission method. For example, it may encrypt the certificate with the public key of the certificate applying device 201 and send the ciphertext, which the certificate applying device 201 decrypts with its private key. The certificate issuing device 202 may obtain that public key from a CA or directly from the certificate applying device 201; the applying device's key pair may be issued by the CA, or generated by the device itself and certified by the CA. If the public key is taken directly from the applying device rather than through the CA, the issuer has no assurance of whose key it is, so only the CA route gives confidentiality to the intended graduate.
Optionally, the network architecture of fig. 3 may further include a revoking device 205, which requests the blockchain network 204 to revoke an academic trusted declaration certificate. The revoking device may be the certificate issuing device 202 itself, that is, the issuer may apply to revoke a certificate it issued, or it may be another device authorized to request revocation.
The certificate management device provided by the embodiment of the present invention may be a blockchain link point in a blockchain network, for example, an accounting node or a miner node, and the certificate management device may also be a part of the blockchain node.
Based on the network architecture shown in fig. 3, the certificate management method provided by the embodiment of the present invention will be described in detail below with reference to fig. 4 to 6. In the introduction, the certificate is exemplified by a learned trusted declaration certificate, and the certificate management apparatus is exemplified by a blockchain node (which may be any blockchain node in a blockchain network).
Referring to fig. 4, a flowchart of a certificate management method according to an embodiment of the present invention includes, but is not limited to, the following steps:
301, the certificate issuing device 202 sends target certificate information to a blockchain node in the blockchain network 204. Assume that the certificate issuing device 202 sends the target certificate information to blockchain node 2044 in the blockchain network 204. Accordingly, blockchain node 2044 receives the target certificate information from the certificate issuing device 202.
The target certificate information may be any academic trusted declaration certificate, that is, the academic trusted declaration certificate of any graduate. Each academic trusted declaration certificate can be processed according to the certificate management method provided by the embodiment of the present invention. The certificate issuing device 202 may also send a plurality of academic trusted declaration certificates to blockchain node 2044, and blockchain node 2044 may process each of them separately according to the certificate management method provided in the embodiment of the present invention. The academic trusted declaration certificate is issued by the certificate issuing device 202 for the certificate application device 201; issuing may also be understood as granting, configuring, distributing, or the like.
The target certificate information may include a certificate ID, certificate content, certificate metadata, and a signature, as follows:
The certificate ID is an identifier assigned to the academic trusted declaration certificate by the certificate issuing device 202 and is used to uniquely identify it; that is, the certificate issuing device 202 issues different academic trusted declaration certificates for different graduates.
The certificate content may include information such as the academic record, graduation time, graduating institution and graduate photo. This information may be filled in by the graduate on the certificate application device 201, entered autonomously by the certificate issuing device 202, obtained by the certificate issuing device 202 by other means, and so on.
The certificate metadata may include the time at which the certificate issuing device 202 created the academic trusted declaration certificate (i.e., the time the certificate was issued), the validity time (i.e., the period within which the certificate is valid) or expiration time (i.e., the time after which the certificate is invalid), the identity of the certificate issuing device 202 (used to distinguish different certificate issuing devices), the graduate ID, the revocation mechanism, and so on. The identity of the certificate issuing device 202 may be an identity issued or configured by an education authority, a device identity, or the like. The graduate ID may be assigned to the graduate by the certificate issuing device 202, or may be the graduate ID already contained in the academic certificate. The revocation mechanism indicates under what circumstances the certificate may be revoked, e.g., if the validity time is exceeded, or if a revocation request is received and satisfies the revocation condition.
The signature refers to the signature of the certificate issuing device 202 and may also include the public key identifier of the certificate issuing device 202. The asymmetric key pair of the certificate issuing device 202 may be issued to it by the CA, or may be configured autonomously by the certificate issuing device 202 and notarized by the CA. The asymmetric key pair includes a public key and a private key; the certificate issuing device 202 generates the signature with the private key. The signature and the public key identifier of the certificate issuing device 202 are sent to the blockchain network 204 so that the blockchain network 204 can check the legitimacy of the certificate issuing device 202.
The certificate ID and the identity of the certificate issuing device 202 may be used to determine whether the certificate storing condition is satisfied. The signature of the certificate issuing device 202 may be used to verify whether another device has impersonated the certificate issuing device 202 to issue an academic trusted declaration certificate, i.e., to verify the legitimacy of the certificate issuing device 202.
After issuing the academic trusted declaration certificate for the certificate application device 201, the certificate issuing device 202 sends it to the blockchain network 204, for example through a certificate storing request that carries the academic trusted declaration certificate. The certificate storing request is used to request the blockchain network 204 to save the academic trusted declaration certificate in the blockchain certification contract. In fig. 4, the blockchain network 204 includes 5 blockchain nodes (2041 to 2045), and the target certificate information received by blockchain node 2044 is taken as an example.
302, blockchain node 2044 determines whether the target certificate information satisfies the certificate storing condition.
Upon receiving the target certificate information, blockchain node 2044 determines whether it satisfies the certificate storing condition. Specifically, blockchain node 2044 determines whether the certificate ID included in the target certificate information has already been stored, and determines whether the identity of the certificate issuing device 202 included in the target certificate information is legitimate.
Judging whether the certificate ID has been stored means judging whether the academic trusted declaration certificate identified by that certificate ID is already stored in the blockchain certification contract, i.e., whether it is already stored in the blockchain network 204. For example, blockchain node 2044 keeps a list of certificate IDs that have been stored; if the certificate ID is not in the list, it is determined that the certificate ID has not been stored, otherwise it has been stored. As another example, blockchain node 2044 searches the blockchain certification contract for the academic trusted declaration certificate matching the certificate ID; if none is found, it is determined that the certificate ID has not been stored, otherwise it has been stored.
Judging whether the identity of the certificate issuing device 202 is legitimate means judging whether the education institution corresponding to the certificate issuing device 202 is legitimate. For example, blockchain node 2044 keeps a list of identities of legitimate certificate issuing devices; if the identity of the certificate issuing device 202 is in the list, it is determined to be legitimate, otherwise it is not.
When the certificate ID has not been stored and the identity of the certificate issuing device 202 is legitimate, it is determined that the target certificate information satisfies the certificate storing condition, i.e., blockchain node 2044 may record the target certificate information in the blockchain certification contract.
303, if the determination result in step 302 is yes, blockchain node 2044 performs a first consensus in the blockchain network 204 on recording the target certificate information.
If the determination result in step 302 is yes, i.e., the target certificate information satisfies the certificate storing condition, blockchain node 2044 performs the first consensus in the blockchain network 204 on recording the target certificate information, i.e., on the operation of recording the target certificate information in the blockchain network 204. If the determination result in step 302 is no, blockchain node 2044 sends a certificate storing response to the certificate issuing device 202 indicating that the target certificate information does not satisfy the certificate storing condition.
Specifically, when the determination result in step 302 is yes, blockchain node 2044 may send the operation of recording the target certificate information to the other blockchain nodes in the blockchain network 204; if more than half of the blockchain nodes in the blockchain network 204 agree with the operation, it may be determined that the blockchain network 204 has reached the first consensus. For example, if the operation is agreed by blockchain nodes 2041 to 2043 in the blockchain network 204, i.e., by three blockchain nodes, it can be determined that the blockchain network 204 has reached the first consensus.
If the blockchain network 204 reaches the first consensus, blockchain node 2044 proceeds to step 304; if it does not, blockchain node 2044 cannot save the target certificate information in the blockchain certification contract.
304, when the blockchain network 204 reaches the first consensus, blockchain node 2044 updates the blockchain certification contract according to the target certificate information to obtain a first blockchain certification contract.
Specifically, blockchain node 2044 stores the target certificate information in the blockchain certification contract and marks the state corresponding to it as active and available; that is, the academic trusted declaration certificate is stored in the blockchain certification contract with its state marked active and available, which yields the first blockchain certification contract. In the first blockchain certification contract, the state corresponding to the target certificate information is therefore active and available.
Active and available indicates that the certificate is usable and still within its validity period. The state corresponding to the target certificate information may be active and available, not stored, revoked, expired, or the like.
A blockchain certification contract may correspond to one or more academic trusted declaration certificates; for example, the academic trusted declaration certificates of graduates of the same school may correspond to one blockchain certification contract, the academic trusted declaration certificates of graduates of the same school and the same major may correspond to one blockchain certification contract, and so on. One or more blockchain certification contracts may exist in the blockchain network 204.
305, blockchain node 2044 adds the first blockchain certification contract to the blockchain ledger of the blockchain network 204.
Blockchain node 2044 adds the first blockchain certification contract to the blockchain ledger of the blockchain network 204, i.e., puts it on the chain, so that every blockchain node in the blockchain network 204 can obtain the first blockchain certification contract, or learn that the target certificate information is stored in the blockchain certification contract and that its corresponding state is active and available.
Optionally, after step 305, blockchain node 2044 may send a certificate storing response to the certificate issuing device 202 indicating that the target certificate information has been saved in the blockchain certification contract and that its corresponding state is active and available.
In the embodiment shown in fig. 4, upon receiving the target certificate information from the certificate issuing device 202, blockchain node 2044 stores the target certificate information in the blockchain certification contract when the target certificate information satisfies the certificate storing condition and the blockchain network 204 reaches consensus on recording it, marks the state corresponding to the target certificate information as active and available, and puts the updated blockchain certification contract on the chain. The certificate is thus stored by the blockchain network, which can effectively prevent the certificate from being lost or tampered with and improves the security of the certificate.
Fig. 5 is a flowchart of another certificate management method according to an embodiment of the present invention. It will be understood that the embodiment shown in fig. 4 is a certificate storing process, the embodiment shown in fig. 5 is a revocation process, and the embodiment shown in fig. 5 is performed after the embodiment shown in fig. 4, i.e., step 401 is performed after step 305. The embodiment shown in fig. 5 may include, but is not limited to, the following steps:
In step 401, the revoking device 205 sends a revocation request to a blockchain node in the blockchain network 204. The revocation request may be sent to any blockchain node in the blockchain network 204. Assume that the revoking device 205 sends the revocation request to blockchain node 2044 in the blockchain network 204. Accordingly, blockchain node 2044 receives the revocation request from the revoking device 205.
For reasons such as the possibility that an academic record has been forged, it may be necessary to revoke an academic trusted declaration certificate, and the revoking device 205 may request revocation of the corresponding academic trusted declaration certificate by sending a revocation request to the blockchain network 204. The revoking device 205 may be a device of the education authority, i.e., when the education authority finds that a certain academic record is forged, it sends a revocation request to the blockchain network 204 through the revoking device 205; in this case the revoking device 205 may be the certificate issuing device 202. The revoking device 205 may also be a device that discovers the forged academic record.
The revocation request is used to request the blockchain network 204 to revoke the target certificate information, i.e., to revoke the academic trusted declaration certificate. It will be appreciated that the revocation request is a revocation request for the target certificate information. The revocation request may carry the certificate ID of the target certificate information and is used to request the blockchain network 204 to revoke the academic trusted declaration certificate corresponding to that certificate ID.
The revocation request also includes the identity of the revoking device 205, which identifies the revoking device 205 so that the blockchain network 204 can determine whether the revoking device 205 is legitimate.
In step 402, blockchain node 2044 determines whether the revocation request satisfies the revocation condition.
Upon receiving the revocation request, blockchain node 2044 determines whether it satisfies the revocation condition. Specifically, blockchain node 2044 determines whether the target certificate information has been stored, whether its corresponding state is active and available, and whether the identity of the revoking device 205 is legitimate.
Whether the target certificate information has been stored may be judged by the certificate ID of the target certificate information; if it has been stored, blockchain node 2044 then obtains whether the state corresponding to the target certificate information is active and available. If the target certificate information has not been stored, blockchain node 2044 may send a revocation response to the revoking device 205 indicating that the target certificate information does not exist or that its corresponding state is not stored. If the target certificate information has been stored and its corresponding state is revoked, a revocation response is sent to the revoking device 205 indicating that the state corresponding to the target certificate information is revoked.
Determining whether the identity of the revoking device 205 is legitimate means determining whether the revoking device 205 is qualified to apply for certificate revocation. If the identity of the revoking device 205 is legitimate, it is qualified to apply for certificate revocation; if not, it is not. For example, blockchain node 2044 keeps a list of identities of legitimate revoking devices; if the identity of the revoking device 205 is in the list, it is determined to be legitimate, otherwise it is not.
When the target certificate information has been stored, its corresponding state is active and available, and the identity of the revoking device 205 is legitimate, blockchain node 2044 may determine that the revocation request satisfies the revocation condition.
In step 403, if the determination result in step 402 is yes, blockchain node 2044 performs a second consensus in the blockchain network 204 on revoking the target certificate information.
If the determination result in step 402 is yes, i.e., the revocation request satisfies the revocation condition, blockchain node 2044 performs the second consensus in the blockchain network 204 on revoking the target certificate information, i.e., on the operation of revoking the target certificate information. Blockchain node 2044 may perform the operation of revoking the target certificate information, i.e., perform the revocation action, and then perform the second consensus in the blockchain network 204 on the result of the revocation action.
If the determination result in step 402 is no, blockchain node 2044 sends to the certificate issuing device 202 a revocation response indicating that the revocation request does not satisfy the revocation condition.
If the blockchain network 204 reaches the second consensus, blockchain node 2044 performs step 404; if it does not, blockchain node 2044 does not revoke the target certificate information.
In step 404, when the blockchain network 204 reaches the second consensus, blockchain node 2044 updates the first blockchain certification contract to obtain a second blockchain certification contract.
Specifically, blockchain node 2044 revokes the target certificate information and marks the state corresponding to it as revoked, which yields the second blockchain certification contract. In the second blockchain certification contract, the state corresponding to the target certificate information is therefore revoked.
Optionally, after step 404, blockchain node 2044 adds the second blockchain certification contract to the blockchain ledger of the blockchain network 204 so as to update the first blockchain certification contract.
Optionally, after step 404, blockchain node 2044 may send a revocation response to the revoking device 205 indicating that the target certificate information has been revoked, or that its corresponding state is revoked.
In the embodiment shown in fig. 5, the blockchain network 204 can revoke the target certificate information in response to the revocation request of the revoking device 205, so that forged academic certificates can be effectively prevented.
Based on the embodiments shown in fig. 4 or fig. 5, the certificate issuing device 202 or the revoking device 205 may query the state of an academic trusted declaration certificate, i.e., the blockchain network 204 may provide a state query function. Specifically, the certificate issuing device 202 or the revoking device 205 sends a state query request, which may carry a certificate ID, to any blockchain node in the blockchain network 204; upon receiving it, the blockchain node searches the blockchain certification contract for the state of the corresponding certificate according to the certificate ID and sends a state query response to the certificate issuing device 202 or the revoking device 205. The state query response indicates that the state corresponding to the target certificate information is active and available, revoked, not stored, or expired. For example, for the embodiment shown in fig. 4, the state query response indicates that the state corresponding to the target certificate information is active and available; for the embodiment shown in fig. 5, it indicates that the state is revoked.
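The certificate storing process of fig. 4, the revocation process of fig. 5 and the state query just described, combined into one added example of a single blockchain node (illustrative code written for this page, not the patent's implementation). Consensus is modelled as the "more than half of the nodes agree" rule the text describes, with the other nodes represented by vote callables; the node IDs, identity lists and sample certificate are constructed assumptions.

```python
"""One blockchain node of the network 204: certificate storing (steps
301-305), revocation (steps 401-404) and state query.

Assumptions (constructed, not from the patent): the certification
contract is an in-memory dict keyed by certificate ID, the ledger is a
list of chained contract snapshots, and peers are vote callables.
"""
from typing import Callable, Dict, List

ACTIVE, REVOKED, NOT_CERTIFIED = "active_available", "revoked", "not_certified"


class CertificationNode:
    def __init__(self, node_id: str, legit_issuers: set, legit_revokers: set):
        self.node_id = node_id
        self.legit_issuers = legit_issuers      # identities of legitimate issuers
        self.legit_revokers = legit_revokers    # identities of legitimate revokers
        self.contract: Dict[str, dict] = {}     # certificate ID -> {info, state}
        self.ledger: List[dict] = []            # contract snapshots put on chain
        self.peers: List[Callable[[dict], bool]] = []  # other nodes' votes

    def _consensus(self, operation: dict) -> bool:
        """First/second consensus: this node plus the agreeing peers must be
        more than half of all nodes in the network."""
        votes = 1 + sum(1 for vote in self.peers if vote(operation))
        return votes * 2 > len(self.peers) + 1

    def _chain(self) -> None:
        """Add the updated contract to the ledger (step 305 / after 404)."""
        self.ledger.append({k: dict(v) for k, v in self.contract.items()})

    # ---- fig. 4: steps 301-305 ----
    def store_certificate(self, info: dict) -> dict:
        cert_id = info["certificate_id"]
        if cert_id in self.contract:                      # already stored
            return {"ok": False, "reason": "certificate_id already stored"}
        if info["issuer_id"] not in self.legit_issuers:   # issuer not legitimate
            return {"ok": False, "reason": "issuer identity not legitimate"}
        if not self._consensus({"op": "record", "certificate_id": cert_id}):
            return {"ok": False, "reason": "no consensus"}
        self.contract[cert_id] = {"info": info, "state": ACTIVE}
        self._chain()
        return {"ok": True, "state": ACTIVE}

    # ---- fig. 5: steps 401-404 ----
    def revoke_certificate(self, request: dict) -> dict:
        cert_id = request["certificate_id"]
        entry = self.contract.get(cert_id)
        if entry is None:                                 # not stored
            return {"ok": False, "state": NOT_CERTIFIED}
        if entry["state"] != ACTIVE:                      # e.g. already revoked
            return {"ok": False, "state": entry["state"]}
        if request["revoker_id"] not in self.legit_revokers:
            return {"ok": False, "reason": "revoker identity not legitimate"}
        if not self._consensus({"op": "revoke", "certificate_id": cert_id}):
            return {"ok": False, "reason": "no consensus"}
        entry["state"] = REVOKED
        self._chain()
        return {"ok": True, "state": REVOKED}

    # ---- state query ----
    def query_status(self, cert_id: str) -> str:
        entry = self.contract.get(cert_id)
        return NOT_CERTIFIED if entry is None else entry["state"]


def build_demo_network() -> CertificationNode:
    """Node 2044 of a five-node network: peers 2041-2043 agree with every
    operation, 2045 always disagrees (constructed sample network)."""
    node = CertificationNode("2044", legit_issuers={"edu-authority-1"},
                             legit_revokers={"edu-authority-1"})
    node.peers = [lambda op: True] * 3 + [lambda op: False]
    return node


SAMPLE_CERT = {   # constructed target certificate information
    "certificate_id": "cert-001",
    "content": {"degree": "Bachelor", "graduation_time": "2019-06"},
    "issuer_id": "edu-authority-1",
    "graduate_id": "grad-42",
    "signature": "<issuer signature placeholder>",
    "public_key_id": "pk-edu-01",
}
```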
In the embodiment of the present invention, there is a first case in which one academic trusted declaration certificate corresponds to one academic record, e.g., each degree of an educated person corresponds to its own academic trusted declaration certificate; and a second case in which one academic trusted declaration certificate corresponds to all academic records of an educated person, e.g., an educated person who holds two degrees. The embodiments shown in fig. 4 or 5 may be understood as being for the first case.
For the second case, the certificate issuing devices whose information is included in the academic trusted declaration certificate may correspond to the same education authority, i.e., the plurality of academic records are all issued by that education authority, and the academic trusted declaration certificate includes information (such as signature, public key, identity, and the like) of one certificate issuing device; or they may correspond to multiple schools, i.e., the different academic records are issued by different schools, and the academic trusted declaration certificate includes information of multiple certificate issuing devices.
For the case where the academic trusted declaration certificate includes information of one certificate issuing device, when the academic record of an educated person changes, for example when the educated person obtains an additional academic qualification, the certificate issuing device, on learning of the change, sends a certificate update request to the blockchain network carrying the certificate ID and the update content; the blockchain network updates the academic trusted declaration certificate corresponding to the certificate ID, performs consensus on the update result in the blockchain network, updates the blockchain certification contract after consensus is reached, and adds the updated blockchain certification contract to the blockchain ledger.
For the case where the academic trusted declaration certificate includes information of a plurality of certificate issuing devices, when the academic record of an educated person changes, for example when the educated person obtains an additional academic qualification, the certificate issuing device corresponding to that academic record obtains the certificate ID of the academic trusted declaration certificate previously stored for the educated person and sends a certificate update request to the blockchain network carrying the certificate ID, the update content, and the identity of the certificate issuing device; when the academic trusted declaration certificate corresponding to the certificate ID exists, its state is active and available, and the identity of the certificate issuing device is legitimate, the blockchain network updates the academic trusted declaration certificate corresponding to the certificate ID, performs consensus on the update result in the blockchain network, updates the blockchain certification contract after consensus is reached, and adds the updated blockchain certification contract to the blockchain ledger.
Referring to fig. 6, a flowchart of another certificate management method according to an embodiment of the present invention includes, but is not limited to, the following steps:
in step 501, the query device 203 sends a validity query request to a blockchain node in the blockchain network 204. A validity query request may be sent to any blockchain node in the blockchain network 204. Assume that the querying device 203 sends a validity query request to a block chain link point 2044 in the block chain network 204. Accordingly, block link point 2044 receives a validity query request from querying device 203.
The legality query request is a legality query request for target certificate information, and is used for querying whether the target certificate information is legal or not, specifically, for querying whether a signature in the target certificate information is legal or not, namely, whether a learned credible statement certificate issued by a certificate issuing device with the legality is queried or not. The validity query request may carry the certificate identification of the target certificate information for querying and checking by the blockchain network 204.
Upon receiving the legitimacy query request, the blockchain node 2044 may check whether the transaction issuing the target certificate information is in the blockchain ledger, i.e., whether a blockchain deposit approval contract containing the target certificate information exists in the blockchain ledger. In the case where the blockchain network 204 is not synchronized with the full blockchain ledger, the blockchain link point 2044 may employ the merkel tree of the verification transaction to demonstrate the existence of a blockchain warranty contract that includes the target warranty information.
If so, block link point 2044 performs step 502. Optionally, in the presence of the target certificate, the block link point 2044 needs to obtain a state corresponding to the target certificate information.
In step 502, block link point 2044 verifies whether the signature is valid.
Blockchain node 2044 obtains the signature and the public key identifier of certificate issuing device 202 from the target certificate information, obtains the public key value and the current state of the public key according to the public key identifier, and invokes the corresponding cryptographic signature verification algorithm to verify the signature. The current state of the public key indicates whether the public key of certificate issuing device 202 is in the activated available state or in the revoked state: the activated available state means that the public key of certificate issuing device 202 may continue to be used, while the revoked state means that the public key of certificate issuing device 202 has been revoked and may not be used further, and that certificate issuing device 202 itself may have been revoked. The cryptographic signature verification algorithm may be, for example, an algorithm that verifies a signature using an asymmetric key pair.
In one possible implementation, certificate issuing device 202 encrypts the first digest with its private key to generate the signature and informs blockchain node 2044 of the signature and the first digest; the target certificate information may also include the first digest. Blockchain node 2044 decrypts the signature with the obtained public key value to obtain a second digest. If the second digest is identical to the first digest, the signature passes verification and is valid; otherwise, the signature fails verification and is not valid.
In another possible implementation, blockchain node 2044 obtains from the CA the public key issued by the CA for certificate issuing device 202 and decrypts the signature with that public key to obtain the first digest; it then decrypts the signature with the public key value corresponding to the public key identifier to obtain a second digest. If the second digest is identical to the first digest, the signature passes verification and is valid; otherwise, the signature fails verification and is not valid.
By verifying the signature of certificate issuing device 202, blockchain node 2044 obtains one of the following three results: A, the signature is valid; B, the signature is not valid; C, the signature is valid, but the public key of the certificate issuing device is in the revoked state.
Result A, the signature is valid, means that certificate issuing device 202 is a legal certificate issuing device and that its public key is in the activated available state, so the academic trust declaration certificate of the certificate applying device is trustworthy. Result B, the signature is not valid, means that certificate issuing device 202 is not a legal certificate issuing device, so the academic trust declaration certificate of the certificate applying device is not trustworthy. Result C, the signature is valid but the public key of certificate issuing device 202 is in the revoked state, means that certificate issuing device 202 is a legal certificate issuing device but may have been revoked, so the academic trust declaration certificate of the certificate applying device has a certain degree of credibility.
Optionally, if the target certificate information includes a validity time or an expiration time, blockchain node 2044 may also verify whether the current time exceeds the validity time or the expiration time.
In step 503, blockchain node 2044 sends a validity query response to querying device 203. Correspondingly, querying device 203 receives the validity query response from blockchain node 2044.
The validity query response indicates one of the three results above; which one is indicated depends on the outcome of the verification. Optionally, if blockchain node 2044 has checked whether the current time exceeds the validity time or the expiration time, the validity query response also indicates whether the validity time or the expiration time has been exceeded.
On receiving the validity query response, querying device 203 can determine whether the academic trust declaration certificate is trustworthy: for result A it learns that the certificate is trustworthy, and for result B it learns that the certificate is not trustworthy. Querying device 203 can also learn whether the academic trust declaration certificate has expired.
In the embodiment shown in fig. 6, the querying device may query whether the certificate is trusted through the blockchain network, so as to effectively prevent others from forging the certificate.
It will be appreciated that the embodiment shown in fig. 6 is a process for verifying whether a certificate is valid, and it may be performed after the embodiment shown in fig. 4 or fig. 5; the embodiment of fig. 4 or fig. 5 is the basis on which the embodiment of fig. 6 is implemented.
As an alternative embodiment, querying device 203 may also query whether the certificate has been revoked. Specifically, querying device 203 sends a revocation query request to blockchain network 204, where the revocation query request carries the certificate identifier of the target certificate information and is used to request a query of whether the target certificate information has been revoked. On receiving the revocation query request, blockchain network 204 searches for the target certificate information according to the certificate identifier.
If the target certificate information is not found, blockchain network 204 sends a revocation query response to querying device 203 indicating that the target certificate information does not exist or that the state corresponding to the target certificate information is not stored. If the target certificate information is found and the state corresponding to the target certificate information is revoked, blockchain network 204 sends a revocation query response to querying device 203 indicating that the target certificate information has been revoked or that the state corresponding to the target certificate information is revoked. If the target certificate information is found and the state corresponding to the target certificate information is activated available, blockchain network 204 sends a revocation query response to querying device 203 indicating that the target certificate information is valid or that the state corresponding to the target certificate information is activated available.
Based on the above description of the method embodiments, the embodiments of the present invention also provide a corresponding certificate management apparatus, which may be a computer program (including program code) running in a blockchain node.
Referring to fig. 7, a schematic structural diagram of a certificate management apparatus according to an embodiment of the present invention is shown, where the apparatus includes: a transceiver unit 701 and a processing unit 702.
a transceiving unit 701, configured to receive target certificate information from a certificate issuing device, where the target certificate information is certificate information issued by the certificate issuing device for a certificate applying device;
a processing unit 702, configured to record the target certificate information and perform a first consensus in a blockchain network if the target certificate information meets a certificate storing condition; if the blockchain network reaches the first consensus, update a blockchain certificate-storage contract according to the target certificate information to obtain a first blockchain certificate-storage contract, in which the state corresponding to the target certificate information is activated available; and add the first blockchain certificate-storage contract to the blockchain ledger of the blockchain network.
Optionally, the target certificate information includes a certificate identifier and an identity identifier of the certificate issuing device;
the processing unit 702 is further configured to determine that the target certificate information meets the certificate storing condition if the certificate identifier is not stored and the identity identifier of the certificate issuing device is legal.
Optionally, the transceiving unit 701 is further configured to receive a revocation request from a revoking device, where the revocation request includes the certificate identifier of the target certificate information and is used to request revocation of the target certificate information corresponding to the certificate identifier;
the processing unit 702 is further configured to perform a second consensus on revoking the target certificate information in the blockchain network if the revocation request meets a revocation condition; and if the blockchain network reaches the second consensus, update the first blockchain certificate-storage contract to obtain a second blockchain certificate-storage contract, in which the state corresponding to the target certificate information is revoked.
Optionally, the revocation request further includes an identity identifier of the revoking device;
the processing unit 702 is further configured to determine that the revocation request meets the revocation condition if target certificate information corresponding to the certificate identifier exists, the state corresponding to the target certificate information is activated available, and the identity identifier of the revoking device is determined to be legal according to the identity identifier list.
Optionally, the transceiving unit 701 is further configured to receive a status query request for the target certificate information from the certificate issuing device, where the status query request carries the certificate identifier of the target certificate information;
the processing unit 702 is further configured to search for the state corresponding to the target certificate information according to the certificate identifier;
the transceiving unit 701 is further configured to send a status query response to the certificate issuing device, where the status query response indicates that the state corresponding to the target certificate information is activated available, revoked, or not stored.
Optionally, the target certificate information includes a signature of the certificate issuing device and a public key identifier of the certificate issuing device;
the processing unit 702 is further configured to, when the transceiving unit 701 receives a validity query request for the target certificate information from a querying device, verify whether the signature is valid according to the public key identifier;
the transceiving unit 701 is further configured to send a validity query response to the querying device according to the verification result, where the validity query response indicates that the signature is valid, or that the signature is not valid, or that the signature is valid but the public key of the certificate issuing device is in the revoked state.
Optionally, the transceiving unit 701 is further configured to receive a revocation query request from a querying device, where the revocation query request carries the certificate identifier of the target certificate information;
the processing unit 702 is further configured to search for the target certificate information according to the certificate identifier;
the transceiving unit 701 is further configured to send a revocation query response to the querying device if the target certificate information is found and the state corresponding to the target certificate information is revoked, where the revocation query response indicates that the target certificate information has been revoked.
Referring to fig. 8, a schematic structural diagram of another certificate management apparatus according to an embodiment of the present invention is provided, where the apparatus includes a processor 801, a memory 802, and a communication interface 803, and the processor 801, the memory 802, and the communication interface 803 are connected by one or more communication buses.
The processor 801 is configured to support the blockchain node in performing the functions of blockchain node 2044 in the methods of fig. 4 to fig. 6. The processor 801 may be a Central Processing Unit (CPU), a Network Processor (NP), a hardware chip, or any combination thereof.
The memory 802 is used for storing program code and the like. The memory 802 may include volatile memory, such as Random Access Memory (RAM); the memory 802 may also include non-volatile memory, such as read-only memory (ROM), flash memory, a Hard Disk Drive (HDD), or a solid-state drive (SSD); the memory 802 may also comprise a combination of the above types of memory.
The communication interface 803 is used for transmitting and receiving data, information, messages and the like, and may also be described as a transceiver, a transmitting and receiving circuit, or the like. For example, the communication interface 803 is used to receive target certificate information from a certificate issuing device, or to receive a validity query request or the like from a querying device.
In an embodiment of the present invention, the processor 801 may call the program code stored in the memory 802 to perform the following operations:
in one embodiment, controlling the communication interface 803 to receive target certificate information from a certificate issuing device, where the target certificate information is certificate information issued by the certificate issuing device for a certificate applying device; if the target certificate information meets a certificate storing condition, recording the target certificate information and performing a first consensus in a blockchain network; if the blockchain network reaches the first consensus, updating a blockchain certificate-storage contract according to the target certificate information to obtain a first blockchain certificate-storage contract, in which the state corresponding to the target certificate information is activated available; and adding the first blockchain certificate-storage contract to the blockchain ledger of the blockchain network.
Optionally, the target certificate information includes a certificate identifier and an identity identifier of the certificate issuing device;
the processor 801 is further configured to determine that the target certificate information meets the certificate storing condition if the certificate identifier is not stored and the identity identifier of the certificate issuing device is legal.
Optionally, the processor 801 is further configured to control the communication interface 803 to receive a revocation request from a revoking device, where the revocation request includes the certificate identifier of the target certificate information and is used to request revocation of the target certificate information corresponding to the certificate identifier; if the revocation request meets a revocation condition, perform a second consensus on revoking the target certificate information in the blockchain network; and if the blockchain network reaches the second consensus, update the first blockchain certificate-storage contract to obtain a second blockchain certificate-storage contract, in which the state corresponding to the target certificate information is revoked.
Optionally, the revocation request further includes an identity identifier of the revoking device;
the processor 801 is further configured to determine that the revocation request meets the revocation condition if target certificate information corresponding to the certificate identifier exists, the state corresponding to the target certificate information is activated available, and the identity identifier of the revoking device is determined to be legal according to the identity identifier list.
Optionally, the processor 801 is further configured to control the communication interface 803 to receive a status query request for the target certificate information from the certificate issuing device, where the status query request carries the certificate identifier of the target certificate information; search for the state corresponding to the target certificate information according to the certificate identifier; and control the communication interface 803 to send a status query response to the certificate issuing device, where the status query response indicates that the state corresponding to the target certificate information is activated available, revoked, or not stored.
Optionally, the target certificate information includes a signature of the certificate issuing device and a public key identifier of the certificate issuing device;
the processor 801 is further configured to, when the communication interface 803 under its control receives a validity query request for the target certificate information from a querying device, verify whether the signature is valid according to the public key identifier, and send a validity query response to the querying device according to the verification result, where the validity query response indicates that the signature is valid, or that the signature is not valid, or that the signature is valid but the public key of the certificate issuing device is in the revoked state.
Optionally, the processor 801 is further configured to control the communication interface 803 to receive a revocation query request from a querying device, where the revocation query request carries the certificate identifier of the target certificate information; search for the target certificate information according to the certificate identifier; and if the target certificate information is found and the state corresponding to the target certificate information is revoked, control the communication interface 803 to send a revocation query response to the querying device, where the revocation query response indicates that the target certificate information has been revoked.
It should be noted that, in the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to relevant descriptions of other embodiments for parts that are not described in detail in a certain embodiment.
The steps in the method of the embodiment of the invention can be sequentially adjusted, combined and deleted according to actual needs.
The modules in the processing device of the embodiment of the invention can be merged, divided and deleted according to actual needs. In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. The procedures or functions according to the embodiments of the present application are generated in whole or in part when the computer program instructions are loaded and executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored on a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, digital subscriber line) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that incorporates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present application.

Claims (10)

1. A blockchain-based certificate management method, the method comprising:
receiving target certificate information from a certificate issuing device, where the target certificate information is certificate information issued by the certificate issuing device for a certificate applying device;
if the target certificate information meets a certificate storing condition, recording the target certificate information and performing a first consensus in a blockchain network;
if the blockchain network reaches the first consensus, updating a blockchain certificate-storage contract according to the target certificate information to obtain a first blockchain certificate-storage contract, in which the state corresponding to the target certificate information is activated available; and
adding the first blockchain certificate-storage contract to the blockchain ledger of the blockchain network.
2. The method of claim 1, wherein the target certificate information comprises a certificate identifier and an identity identifier of the certificate issuing device;
the method further comprising:
if the certificate identifier is not stored and the identity identifier of the certificate issuing device is legal, determining that the target certificate information meets the certificate storing condition.
3. The method of claim 1, further comprising:
receiving a revocation request from a revoking device, wherein the revocation request comprises the certificate identifier of the target certificate information and is used to request revocation of the target certificate information corresponding to the certificate identifier;
if the revocation request meets a revocation condition, performing a second consensus on revoking the target certificate information in the blockchain network; and
if the blockchain network reaches the second consensus, updating the first blockchain certificate-storage contract to obtain a second blockchain certificate-storage contract, in which the state corresponding to the target certificate information is revoked.
4. The method of claim 3, wherein the revocation request further comprises an identity identifier of the revoking device;
the method further comprising:
if target certificate information corresponding to the certificate identifier exists, the state corresponding to the target certificate information is activated available, and the identity identifier of the revoking device is determined to be legal according to the identity identifier list, determining that the revocation request meets the revocation condition.
5. The method according to claim 1 or 3, characterized in that the method further comprises:
receiving a status query request for the target certificate information from the certificate issuing device, wherein the status query request carries the certificate identifier of the target certificate information;
searching for the state corresponding to the target certificate information according to the certificate identifier; and
sending a status query response to the certificate issuing device, wherein the status query response indicates that the state corresponding to the target certificate information is activated available, revoked, or not stored.
6. The method according to any one of claims 1 to 4, wherein the target certificate information comprises a signature of the certificate issuing device and a public key identifier of the certificate issuing device;
the method further comprising:
when a validity query request for the target certificate information is received from a querying device, verifying whether the signature is valid according to the public key identifier; and
sending a validity query response to the querying device according to the verification result, wherein the validity query response indicates that the signature is valid, or that the signature is not valid, or that the signature is valid but the public key of the certificate issuing device is in the revoked state.
7. The method according to any one of claims 1 to 4, further comprising:
receiving a revocation query request from a querying device, wherein the revocation query request carries the certificate identifier of the target certificate information;
searching for the target certificate information according to the certificate identifier; and
if the target certificate information is found and the state corresponding to the target certificate information is revoked, sending a revocation query response to the querying device, wherein the revocation query response indicates that the target certificate information has been revoked.
8. A certificate management apparatus, comprising:
a transceiving unit, configured to receive target certificate information from a certificate issuing device, where the target certificate information is certificate information issued by the certificate issuing device for a certificate applying device; and
a processing unit, configured to record the target certificate information and perform a first consensus in a blockchain network if the target certificate information meets a certificate storing condition; if the blockchain network reaches the first consensus, update a blockchain certificate-storage contract according to the target certificate information to obtain a first blockchain certificate-storage contract, in which the state corresponding to the target certificate information is activated available; and add the first blockchain certificate-storage contract to the blockchain ledger of the blockchain network.
9. A certificate management apparatus, comprising:
a processor and a memory, the processor and the memory being coupled to each other, wherein the memory is configured to store a computer program comprising program instructions, the processor being configured to invoke the program instructions to perform the method of any of claims 1 to 7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program comprising program instructions that, when executed by a processor, cause the processor to perform the method according to any of claims 1 to 7.
CN201911088180.2A 2019-11-08 2019-11-08 Block chain-based certificate management method and device and storage equipment Active CN110855445B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911088180.2A CN110855445B (en) 2019-11-08 2019-11-08 Block chain-based certificate management method and device and storage equipment

Publications (2)

Publication Number Publication Date
CN110855445A true CN110855445A (en) 2020-02-28
CN110855445B CN110855445B (en) 2022-05-13

Family

ID=69600123

Country Status (1)

Country Link
CN (1) CN110855445B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112560072A (en) * 2021-02-18 2021-03-26 腾讯科技(深圳)有限公司 Key management method, device, medium and equipment based on block chain
CN115001699A (en) * 2022-05-05 2022-09-02 华东师范大学 Digital authentication issuing system of internet education platform
WO2022206247A1 (en) * 2021-03-31 2022-10-06 华为技术有限公司 Certificate lookup method, and apparatus
CN115225639A (en) * 2022-09-15 2022-10-21 杭州趣链科技有限公司 Changing method and device of consensus trusted cluster, computer equipment and medium
WO2024065798A1 (en) * 2022-09-30 2024-04-04 Nokia Shanghai Bell Co., Ltd. Certificate management for network functions

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108512667A (en) * 2018-04-16 2018-09-07 北京天德科技有限公司 A kind of certification certificates constructing method based on block chain
US20180293547A1 (en) * 2017-04-06 2018-10-11 Jaspreet Randhawa Methods and systems for employment and education verification using blockchain
CN108768933A (en) * 2018-04-11 2018-11-06 深圳技术大学(筹) Digital identification authentication system can be independently supervised on a kind of block platform chain
CN108768657A (en) * 2018-04-17 2018-11-06 深圳技术大学(筹) A kind of digital certificate based on block platform chain issues system and method
US20190036712A1 (en) * 2017-07-26 2019-01-31 Alibaba Group Holding Limited Digital certificate management method, apparatus, and system
CN110111105A (en) * 2019-05-05 2019-08-09 江苏全链通信息科技有限公司 Contract based on block chain deposits card method, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant