CN111177685B - Certificate management method and device, computer equipment and storage medium - Google Patents


Info

Publication number: CN111177685B
Authority: CN (China)
Legal status: Active
Application number: CN201911362689.1A
Other languages: Chinese (zh)
Other versions: CN111177685A
Inventors: 刘自华, 刘卫波, 车向北, 朱财乐, 赵峰
Current assignee: Shenzhen Power Supply Bureau Co Ltd
Original assignee: Shenzhen Power Supply Bureau Co Ltd
Application filed by Shenzhen Power Supply Bureau Co Ltd; priority to CN201911362689.1A; published as CN111177685A; granted and published as CN111177685B.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The application relates to a certificate management method, a certificate management device, a computer device and a storage medium. The method comprises the following steps: acquiring a certificate management request carrying a certificate identifier; querying position offset information corresponding to the certificate identifier from a pre-configured certificate index file; querying a certificate entity corresponding to the certificate identifier from a pre-configured certificate storage file according to the position offset information; locking the operation authority of the certificate entity, and managing the certificate entity according to the certificate management request; and when this management operation is finished, releasing the operation authority. By adopting the method, the security of communication can be ensured through effective management of the certificates.

Description

Technical Field
The present application relates to the field of information security technologies, and in particular, to a certificate management method and apparatus, a computer device, and a storage medium.
Background
A digital certificate is an authoritative electronic document for verifying the identity of an individual, unit or device on a network; in network interactions, each party proves its own identity and verifies the identity of the other party by means of digital certificates. In an operation and maintenance scenario, when operation and maintenance personnel remotely operate and maintain equipment, the personnel and the equipment need to verify each other to ensure the security of communication. However, at present there is no certificate management mechanism capable of supporting this mutual authentication, which reduces the security of communication.
Disclosure of Invention
In view of the foregoing, it is necessary to provide a certificate management method, apparatus, computer device and storage medium.
A method of certificate management, the method comprising:
acquiring a certificate management request carrying a certificate identifier;
querying position offset information corresponding to the certificate identifier from a pre-configured certificate index file;
querying a certificate entity corresponding to the certificate identifier from a pre-configured certificate storage file according to the position offset information;
locking the operation authority of the certificate entity, and managing the certificate entity according to the certificate management request;
and when this management operation is finished, releasing the operation authority.
In one embodiment, the obtaining the certificate management request carrying the certificate identifier includes:
receiving a certificate management request sent by a terminal through a certificate management interface; the certificate management request carries a certificate identifier;
the managing the certificate entity according to the certificate management request includes:
determining a certificate operation type according to the certificate management interface;
and managing the certificate entity according to the certificate operation type and the certificate management request.
In one embodiment, the method further comprises:
receiving a data encryption request sent by a terminal through an encryption interface; the data encryption request carries a certificate identifier;
querying the corresponding certificate entity according to the certificate identifier;
and obtaining data to be encrypted according to the data encryption request, and encrypting the data to be encrypted according to the certificate entity.
In one embodiment, the method further comprises:
acquiring an operation and maintenance authority configuration file sent by a terminal; the operation and maintenance authority configuration file comprises a plurality of certificate identifiers and an association relation corresponding to each certificate identifier; the plurality of certificate identifiers comprise the certificate identifiers corresponding respectively to an administrator, to equipment and to operation and maintenance personnel;
constructing a corresponding administrator administration index file according to the plurality of certificate identifiers and the association relation corresponding to each certificate identifier;
querying the certificate entity corresponding to each certificate identifier from the certificate storage file, and storing the certificate entity into an administrator administration file according to the position offset information of the corresponding certificate identifier in the administrator administration index file.
In one embodiment, the method further comprises:
determining the identity level of a corresponding user according to the certificate management request;
determining the user authority of the user according to the identity level;
the managing the certificate entity according to the certificate management request includes:
and when the user is judged to have the management right on the certificate entity according to the user right, managing the certificate entity according to the certificate management request.
A certificate management apparatus, the apparatus comprising:
the acquisition module is used for acquiring a certificate management request carrying a certificate identifier;
the query module is used for querying the position offset information corresponding to the certificate identifier from a pre-configured certificate index file;
the query module is further used for querying the certificate entity corresponding to the certificate identifier from a pre-configured certificate storage file according to the position offset information;
the management module is used for locking the operation authority of the certificate entity and managing the certificate entity according to the certificate management request;
and the management module is further used for releasing the operation authority when the execution of this management operation is finished.
In one embodiment, the acquisition module is further configured to receive a certificate management request sent by a terminal through a certificate management interface, the certificate management request carrying a certificate identifier; the management module is further used for determining a certificate operation type according to the certificate management interface, and for managing the certificate entity according to the certificate operation type and the certificate management request.
In one embodiment, the apparatus further comprises:
the encryption module is used for receiving a data encryption request sent by the terminal through the encryption interface; the data encryption request carries a certificate identifier; inquiring a corresponding certificate entity according to the certificate identification; and obtaining data to be encrypted according to the data encryption request, and encrypting the data to be encrypted according to the certificate entity.
A computer device comprising a memory storing a computer program and a processor implementing the steps of the certificate management method described in the various embodiments above when the processor executes the computer program.
A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, implements the steps of the certificate management method described in the above-mentioned embodiments.
According to the certificate management method, device, computer equipment and storage medium, all certificate entities are stored in the certificate storage file according to the position offset information of their certificate identifiers in the certificate index file. When a certificate management request carrying a certificate identifier is obtained, the position offset information of that certificate identifier is queried in the certificate index file, and the corresponding certificate entity is queried in the certificate storage file according to the position offset information. After the operation authority of the certificate entity is locked, the queried certificate entity is managed according to the certificate management request, so that management operations from other terminals on the same certificate entity are shielded; when the management operation is finished, the operation authority is released so that other terminals can manage the certificate entity. In this way all certificate entities are managed in a unified manner, which guarantees their consistency and reliability; when the identity of a communication peer is verified against certificate entities managed in this unified way, the accuracy of the verification, and hence the security of the communication, can be guaranteed.
Drawings
FIG. 1 is a diagram of an application scenario of a certificate management method in one embodiment;
FIG. 2 is a flowchart illustrating a certificate management method according to an embodiment;
FIG. 3 is a diagram illustrating a structure of a certificate index file in one embodiment;
FIG. 4 is a diagram illustrating the structure of an administrator administration index file in one embodiment;
FIG. 5 is a flowchart illustrating a certificate management method according to another embodiment;
FIG. 6 is a block diagram showing the structure of a certificate management apparatus in one embodiment;
FIG. 7 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more clearly understood, the present application is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of and not restrictive on the broad application.
The certificate management method provided by the application can be applied to the application environment shown in fig. 1. Wherein the terminal 102 communicates with the server 104 via a network. The terminal 102 may be, but not limited to, various personal computers, notebook computers, smart phones, tablet computers, and portable wearable devices, and the server 104 may be implemented by an independent server or a server cluster formed by a plurality of servers.
In one embodiment, a certificate management client is deployed on the terminal, and a certificate management server is deployed on the server. The certificate management client and the certificate management server together form a certificate management tool. The certificate management server provides the underlying certificate storage and a server interface through which the client accesses it. The certificate management client implements the access interface to the certificate management server and the human-machine interaction.
In one embodiment, as shown in fig. 2, a certificate management method is provided, which is described by taking the application of the method to the server in fig. 1 as an example, and includes the following steps:
S202, acquiring the certificate management request carrying the certificate identifier.
Wherein the certificate identity is used to uniquely identify the certificate entity. The certificate management request is a request for triggering a certificate management operation, and the certificate management operation may specifically include addition, deletion, update, and the like.
Specifically, the terminal determines a certificate identifier corresponding to a certificate entity to be managed, triggers generation of a certificate management request carrying the certificate identifier, and sends the generated certificate management request to the server.
In one embodiment, the terminal sends the certificate management request, through the client running on the terminal, to the server on which the corresponding server program runs.
S204, querying position offset information corresponding to the certificate identifier from the pre-configured certificate index file.
The certificate index file describes the directory hierarchy of the certificates in the whole system and provides the position offset information of each certificate entity in the certificate storage file. The certificate index file comprises the certificate identifiers and position offset information of all certificate entities, so the offset position of a certificate entity in the certificate storage file can be located quickly through its certificate identifier, and the detailed information of the certificate entity obtained from there.
Specifically, the server parses the certificate management request to obtain the certificate identifier and, using that identifier, queries the pre-configured certificate index file for the corresponding position offset information, which is the position offset of the certificate entity corresponding to the identifier within the certificate storage file.
In one embodiment, the certificate index file further includes certificate status information corresponding to each certificate entity, and the certificate status information is stored in correspondence with the corresponding certificate identity. Certificate status information such as add, update, delete status of certificates, etc.
In one embodiment, the certificate index file comprises a root certificate; a personnel certificate and a device certificate are included under the root certificate; a plurality of administrator certificates and a plurality of operation and maintenance personnel certificates are included under the personnel certificate; and a plurality of device certificates are included under the device certificate. The certificate index file thus describes a certificate hierarchy, and virtual nodes can be added between the certificates of each level so as to divide certificate areas flexibly. A virtual node has no certificate associated with it and is used only to describe the hierarchy, for example by inserting a domain name into the virtual node to indicate the scope of the certificates beneath it. Certificates at any level can be dragged under a valid parent certificate to transfer a personal certificate or a device certificate. The certificate index file stores the certificate identifier of each certificate, and the position offset of the corresponding certificate entity in the certificate storage file is located through the position offset information stored with that certificate identifier in the certificate index file.
Fig. 3 is a schematic diagram of the structure of a certificate index file in an embodiment. As shown in fig. 3, the certificate index file includes a root certificate; the root certificate includes a personnel certificate and an equipment certificate, which belong to the same hierarchy level; and a virtual node 1 sits between that level and the level where the root certificate is located. The personnel certificate comprises a plurality of virtual nodes, each containing an administrator list consisting of a plurality of administrator certificates and an operation and maintenance personnel list consisting of a plurality of operation and maintenance personnel certificates; administrator certificates and operation and maintenance personnel certificates can be transferred between these virtual nodes. The device certificate comprises a plurality of virtual nodes, each containing a device list consisting of a plurality of device certificates. As shown in fig. 3, the personnel class node includes a virtual node 2 and a virtual node 3, and an administrator certificate in virtual node 2 may be transferred to virtual node 3; the device class node includes a virtual node 4 and a virtual node 5, and a device certificate in virtual node 4 may be transferred to virtual node 5.
As shown in fig. 3, each administrator corresponds to an administrator administration file that specifies the operation and maintenance personnel and equipment the administrator may administer. Assigning operation and maintenance personnel and equipment to a particular administrator is an operation performed by the system administrator; the names of the personnel and equipment administered by an administrator should be shown in the interface, and they are stored in the administrator administration file corresponding to that administrator.
S206, querying the certificate entity corresponding to the certificate identifier from the pre-configured certificate storage file according to the position offset information.
The position offset information is used for representing the position offset condition of the certificate identifier in the certificate index file and is also used for representing the position offset condition of the certificate entity corresponding to the certificate identifier in the certificate storage file. The certificate storage file is used for storing certificate entities of the whole system.
Specifically, the server locates a corresponding offset position from a pre-configured certificate storage file according to the queried position offset information, and determines the certificate entity stored at the offset position as the certificate entity corresponding to the certificate identifier.
In one embodiment, each certificate entity in the certificate storage file includes, for a user or device, the encryption key file, signature key file, encryption certificate and signature certificate of the certificate object, and so on.
In one embodiment, the format of the certificate storage file may be as follows:
1) File header: the file header has a fixed length and describes the magic number header, the file length, the number of certificates, the check code and the like of the file.
2) List of certificate entities: each certificate entity stores its certificate contents in a fixed-size space for easy retrieval.
a) Certificate body header: describes the certificate ID, certificate type, certificate state, the ciphertext length of the encryption certificate private key, the ciphertext length of the signature certificate private key, the effective length of the encryption certificate and the effective length of the signature certificate, together with the relative offsets of the serial number of the encryption certificate and of the serial number, name, issuer and subject of the signature certificate, where offset 0 is the start of the certificate data, so that the certificate attributes and contents can be obtained conveniently through these offsets.
b) Encryption certificate private key ciphertext: 624 bytes of storage space.
c) Signature certificate private key ciphertext: 624 bytes of storage space.
d) Encryption certificate data: stored in binary, 1 kbyte of storage space.
e) Signature certificate data: stored in binary, 1 kbyte of storage space.
The encryption certificate and the signature certificate are converted to binary for storage; only the certificate body is stored, and the base64 head and tail markers 'BEGIN …' and 'END …' are removed. When a single certificate file is exported, the program adds them back.
3) File tail marker: magic tail.
And S208, locking the operation authority of the certificate entity, and managing the certificate entity according to the certificate management request.
Here, locking the operation authority means locking operations on the certificate entity in the certificate storage file. After the operation authority corresponding to a certificate entity is locked, that certificate entity in the certificate storage file cannot be managed or operated on according to certificate management requests sent by other terminals. Managing a certificate entity includes adding, deleting and updating the certificate entity, and the like.
Specifically, the server locks the operation authority of the certificate entity it located in the certificate storage file, implementing a mutual exclusion mechanism for that certificate entity, so that the certificate entity in the certificate storage file is not corrupted by unsynchronized concurrent operations from multiple terminals. After the operation authority of the certificate entity is locked, the server manages the certificate entity in the certificate storage file according to the certificate management request.
In one embodiment, when the certificate management request is a newly added certificate entity, the certificate entity is added to the certificate storage file according to the position offset information of the newly added certificate identifier in the certificate index file.
In one embodiment, the server is pre-configured with a certificate operation function, and the certificate entity is managed according to the certificate management request by calling that function. Since the certificate storage file is usually large, the certificate operation function is usually implemented without loading the whole file into memory; block access to the file is implemented by seeking the file handle to a position offset. Thus the offsets and index of the certificate storage file are described by the certificate index file. A mutual exclusion mechanism is required inside the function to ensure the integrity of the file operation.
S210, when this management operation is completed, releasing the operation authority.
Specifically, when the management operation executed on the certificate entity according to the certificate management request is completed, the server releases the operation authority corresponding to the certificate entity, so that when a certificate management request sent by another terminal is received, the server can perform certificate management based on that newly received request.
In one embodiment, all certificate entities are stored in one certificate storage file to enable cross-platform certificate entity storage.
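As an added example (not code from the patent or its applicant), the Python below models steps S204 to S210 together with the storage file format described above: an index file mapping each certificate identifier to a position offset, a storage file with a fixed-length header (magic number, file length, certificate count, check code), fixed-size entity slots of 624/624/1024/1024 bytes, a magic tail, and a per-entity mutex held while an entity is managed and released when the operation is done. The magic values, the byte layout of the header and body header, the CRC-32 check code and the sample entities are all assumptions made for this example.

```python
import base64
import io
import struct
import threading
import zlib
from dataclasses import dataclass, replace

# Assumed encoding of the patent's layout: the magic values, field widths, field
# order and CRC-32 check code are choices made for this example.
MAGIC_HEAD = b"CERTSTOR"
MAGIC_TAIL = b"CERTEND\x00"
HEADER_FMT = "<8sIII"                # magic, file length, certificate count, check code
HEADER_LEN = struct.calcsize(HEADER_FMT)
BODY_HEAD_FMT = "<32sBBHHHH"         # cert ID, type, state, two key-ciphertext lengths, two cert lengths
BODY_HEAD_LEN = struct.calcsize(BODY_HEAD_FMT)
SLOT_SIZES = (624, 624, 1024, 1024)  # fixed slots b) to e) of the storage file format
ENTITY_LEN = BODY_HEAD_LEN + sum(SLOT_SIZES)

def _header(body: bytes, count: int) -> bytes:
    # File header: magic number, total file length, number of certificates, check code.
    return struct.pack(HEADER_FMT, MAGIC_HEAD, HEADER_LEN + len(body) + len(MAGIC_TAIL), count, zlib.crc32(body))

@dataclass
class CertEntity:
    cert_id: str
    cert_type: int
    state: int
    enc_key_ct: bytes   # encryption certificate private key ciphertext
    sig_key_ct: bytes   # signature certificate private key ciphertext
    enc_cert: bytes     # encryption certificate body (binary, PEM markers stripped)
    sig_cert: bytes     # signature certificate body

    def pack(self) -> bytes:
        # One fixed-size slot: body header, then each field zero-padded to its slot.
        fields = (self.enc_key_ct, self.sig_key_ct, self.enc_cert, self.sig_cert)
        cid = self.cert_id.encode()
        if len(cid) > 32 or any(len(f) > s for f, s in zip(fields, SLOT_SIZES)):
            raise ValueError("field exceeds its fixed storage slot")
        head = struct.pack(BODY_HEAD_FMT, cid, self.cert_type, self.state, *(len(f) for f in fields))
        return head + b"".join(f.ljust(s, b"\0") for f, s in zip(fields, SLOT_SIZES))

    @classmethod
    def unpack(cls, buf: bytes) -> "CertEntity":
        cid, ctype, state, *lens = struct.unpack(BODY_HEAD_FMT, buf[:BODY_HEAD_LEN])
        fields, pos = [], BODY_HEAD_LEN
        for n, size in zip(lens, SLOT_SIZES):   # the effective lengths trim the padding
            fields.append(buf[pos:pos + n])
            pos += size
        return cls(cid.rstrip(b"\0").decode(), ctype, state, *fields)

class CertStore:
    # Storage file plus index file (identifier -> offset); entities are read by seeking a handle.

    def __init__(self, entities):
        body = b"".join(e.pack() for e in entities)
        self._fh = io.BytesIO(_header(body, len(entities)) + body + MAGIC_TAIL)  # stands in for the file
        self.index = {e.cert_id: HEADER_LEN + i * ENTITY_LEN for i, e in enumerate(entities)}
        self._locks = {cid: threading.Lock() for cid in self.index}   # one mutex per entity

    def check_header(self) -> bool:
        # Recompute the header from the entity list and compare it with the stored one.
        self._fh.seek(0)
        raw = self._fh.read(HEADER_LEN)
        count = struct.unpack(HEADER_FMT, raw)[2]
        body = self._fh.read(count * ENTITY_LEN)
        return raw == _header(body, count) and self._fh.read(len(MAGIC_TAIL)) == MAGIC_TAIL

    def lookup(self, cert_id: str) -> CertEntity:
        # S204: the index file gives the offset; S206: block-read the entity there.
        self._fh.seek(self.index[cert_id])
        return CertEntity.unpack(self._fh.read(ENTITY_LEN))

    def manage(self, cert_id: str, operation) -> CertEntity:
        # S208: lock the entity's operation authority and apply the operation; S210: release.
        lock = self._locks[cert_id]
        if not lock.acquire(timeout=5):   # another terminal currently holds the authority
            raise TimeoutError(f"{cert_id} is being managed by another terminal")
        try:
            entity = operation(self.lookup(cert_id))
            self._fh.seek(self.index[cert_id])
            self._fh.write(entity.pack())
            self._fh.seek(HEADER_LEN)
            body = self._fh.read(len(self.index) * ENTITY_LEN)
            self._fh.seek(0)
            self._fh.write(_header(body, len(self.index)))   # keep length and check code current
            return entity
        finally:
            lock.release()

def export_pem(der: bytes) -> str:
    # Only the certificate body is stored; the BEGIN/END markers are added back on export.
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def demo():
    # Constructed sample entities; the byte strings stand in for ciphertexts and DER bodies.
    store = CertStore([CertEntity("admin-001", 1, 0, b"enc-ct", b"sig-ct", b"\x30\x82adm", b"\x30\x82adm-sig"),
                       CertEntity("dev-042", 2, 0, b"e", b"s", b"\x30\x82dev", b"\x30\x82dev-sig")])
    return store, store.manage("dev-042", lambda e: replace(e, state=2, sig_cert=b"\x30\x82dev-sig-v2"))
```

A real deployment would back `_fh` with an on-disk file and would need to hold the entity lock across the read-modify-write in every operation type, not only update.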
In the certificate management method, all certificate entities are stored in the certificate storage file according to the position offset information of their certificate identifiers in the certificate index file. When a certificate management request carrying a certificate identifier is obtained, the position offset information of that certificate identifier is queried in the certificate index file, and the corresponding certificate entity is queried in the certificate storage file according to the position offset information. After the operation authority of the certificate entity is locked, the queried certificate entity is managed according to the certificate management request, so that management operations from other terminals on the same certificate entity are shielded; when the management operation is completed, the operation authority is released so that other terminals can perform management operations on the certificate entity. In this way all certificate entities are managed in a unified manner, which ensures their consistency and reliability; when the identity of a communication peer is verified against certificate entities under this unified management, the accuracy of the verification, and hence the security of the communication, can be ensured.
In one embodiment, step S202 includes: receiving a certificate management request sent by a terminal through a certificate management interface; the certificate management request carries a certificate identifier; managing a certificate entity according to a certificate management request, comprising: determining a certificate operation type according to a certificate management interface; and according to the certificate operation type, managing the certificate entity according to the certificate management request.
Specifically, a plurality of certificate operation types are pre-configured for a certificate entity in a certificate storage file, and a corresponding certificate management interface is pre-configured for each certificate operation type. And the server receives a certificate management request which is sent by the terminal through the certificate management interface and written with the certificate identification. And the server determines the certificate operation type corresponding to the corresponding certificate management request according to the certificate management interface. And after the operation authority of the certificate entity is locked, the server manages the corresponding certificate entity according to the certificate management request and the determined certificate operation type.
In one embodiment, a respective certificate operation function is preconfigured for each certificate operation type. The server calls a corresponding certificate operation function according to the certificate operation type and manages the certificate entity according to the corresponding certificate management request.
In one embodiment, the certificate operation types include certificate application, issuance, update, deletion and the like. Certificate application is a request for a signature certificate and an encryption certificate. Certificate issuance means that, after a certificate application request is received, a certificate entity and a certificate identifier are generated and sent to the client, and the new certificate is recorded in the certificate storage file. Certificate update means that the certificate entity in the certificate storage file is updated according to an update request from the terminal, and the new certificate is sent to the client. Certificate deletion means that the certificate entity is deleted from the certificate storage file after a deletion command is received.
In one embodiment, the certificate management method further includes: receiving a data encryption request sent by a terminal through an encryption interface; the data encryption request carries a certificate identifier; inquiring a corresponding certificate entity according to the certificate identification; and obtaining data to be encrypted according to the data encryption request, and encrypting the data to be encrypted according to the certificate entity.
Specifically, the server receives a data encryption request carrying a certificate identifier sent by the terminal through an encryption interface. And the server queries the certificate entity corresponding to the certificate identifier according to the certificate identifier in the data encryption request and the certificate entity query mode provided in one or more embodiments. And the server analyzes the data encryption request to obtain data to be encrypted, and encrypts the data to be encrypted according to the certificate entity.
In one embodiment, when receiving a data signature request carrying a certificate identifier sent by a terminal, a server queries a corresponding certificate entity according to the certificate identifier, and signs data to be signed specified by the data signature request according to the certificate entity. Similarly, when a data decryption request or a signature verification request sent by the terminal is received, corresponding data processing may also be performed based on the certificate entity according to the similar manner described above, and details are not described herein again.
In one embodiment, the certificate management method further includes: acquiring an operation and maintenance authority configuration file sent by a terminal, the configuration file comprising a plurality of certificate identifiers and the association relation corresponding to each certificate identifier, where the certificate identifiers include those of an administrator, of equipment and of operation and maintenance personnel; constructing a corresponding administrator administration index file according to the certificate identifiers and their association relations; and querying the certificate entity corresponding to each certificate identifier from the certificate storage file and storing it in the administrator administration file according to the position offset information of the corresponding certificate identifier in the administrator administration index file.
Specifically, based on the administrator's allocation operation, the terminal determines the association relation between the administrator, the operation and maintenance personnel administered by that administrator and the equipment, each represented by its certificate identifier. It then generates an operation and maintenance authority configuration file from those certificate identifiers and their association relations and sends it to the server. From the configuration file the server determines the certificate identifiers of the administrator, the operation and maintenance personnel and the equipment together with the association relations among them, and constructs the corresponding administrator administration index file. The server then queries the certificate entity for each certificate identifier in the configuration file from the certificate storage file and builds the administrator administration file from the queried entities and the position offset information of each corresponding certificate identifier in the administrator administration index file.
In one embodiment, the administrator allocates the operation and maintenance relation between the administered operation and maintenance personnel and the equipment through a certificate management client deployed on the terminal. The certificate identifier of one operation and maintenance engineer can be matched with the certificate identifiers of several devices, so that the mapping from the engineer to the devices is realised.
FIG. 4 is a diagram illustrating the structure of an administrator administration index file according to an embodiment. The administrator administration index file comprises the certificate identifier of the administrator, an equipment list consisting of the certificate identifiers of the administered devices, the certificate identifier of each operation and maintenance person, and, for each operation and maintenance person, the certificate identifiers of the devices for which that person is responsible. The equipment list contains all devices under the administrator and can be configured as a fixed item directly under the administrator. Each operation and maintenance person manages several devices, which the administrator selects from the equipment list.
As shown in FIG. 4, the administration index file contains an administrator whose certificate identifier is "administrator ID", operation and maintenance personnel whose certificate identifiers are "operation and maintenance personnel 1 ID" and "operation and maintenance personnel 2 ID", and equipment whose certificate identifiers are "equipment 1 ID", "equipment 2 ID", …, "equipment n ID" and "equipment n+1 ID".
In one embodiment, the administrator administration file constructed from the administrator administration index file stores the certificate entities of all operation and maintenance personnel and equipment administered by the administrator. The corresponding certificate entity is obtained through the index of the certificate identifier in the administrator administration index file. The storage format of the administrator administration file is the same as that of the certificate storage file, so that a uniform query interface can be used.
In one embodiment, the hidden area of the administrator's UKey is used for storing the administration file, and the hidden file data can be read through an API function. A UKey is a USB flash disk containing an encryption chip; its secret area cannot be read with ordinary tools, so important files can be written into that area. The encryption chip implements algorithms in hardware, for example the SM1, SM2, SM3 and SM4 national cryptographic algorithms; when SM4 is performed in hardware, a certified encryption chip must be used for encryption and decryption. It can be understood that the certificate entities of the devices managed by each operation and maintenance person can be determined from the administrator administration file and written into that person's UKey, so that the device to be operated can be verified against the certificate entities in the operation and maintenance person's UKey. Likewise, the certificate entity of each operation and maintenance person who manages a device can be determined from the administrator administration file and written into the device's UKey, so that the operation and maintenance authority of the person can be verified against the certificate entities in the device's UKey.
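The following is an added example, not code from the patent or its applicant, showing how the administrator administration index file and administration file described above can be built from an operation and maintenance authority configuration file, and how the two UKey checks (device verified from the person's UKey, person verified from the device's UKey) follow from them. The JSON layout of the configuration file, the identifiers and the certificate bytes are constructed for the example; the `CERT_STORE` dictionary stands in for querying the certificate storage file by identifier.

```python
import json

# Constructed operation and maintenance authority configuration file, in the
# shape this example assumes the terminal sends (the description fixes only
# its content: the three kinds of certificate identifiers and their relations).
CONFIG_JSON = """{
  "administrator": "admin-01",
  "devices": ["dev-001", "dev-002", "dev-003"],
  "personnel": {"ops-01": ["dev-001", "dev-002"], "ops-02": ["dev-003"]}
}"""

# Constructed certificate entities; a stand-in for querying the certificate
# storage file by certificate identifier.
CERT_STORE = {
    "admin-01": b"CERT:admin-01", "ops-01": b"CERT:ops-01", "ops-02": b"CERT:ops-02",
    "dev-001": b"CERT:dev-001", "dev-002": b"CERT:dev-002", "dev-003": b"CERT:dev-003",
}


def build_admin_index(config_text):
    """Administrator administration index file: administrator -> equipment list
    (the fixed item under the administrator) and each O&M person -> the
    devices selected for them from that list."""
    cfg = json.loads(config_text)
    device_list = list(dict.fromkeys(cfg["devices"]))
    index = {"administrator": cfg["administrator"], "device_list": device_list,
             "personnel": {}, "positions": {}}
    for person, assigned in cfg["personnel"].items():
        outside = sorted(set(assigned) - set(device_list))
        if outside:  # a person may only be mapped to devices under this administrator
            raise ValueError(f"{person} mapped to devices outside the list: {outside}")
        index["personnel"][person] = list(dict.fromkeys(assigned))
    return index


def config_error(config_text):
    """Return the reason an O&M authority configuration is rejected, or None."""
    try:
        build_admin_index(config_text)
    except ValueError as exc:
        return str(exc)
    return None


def build_admin_file(index, lookup):
    """Administrator administration file: the certificate entity of every
    identifier in the index, stored in index order; the index records each
    identifier's position so the entity can be located by identifier."""
    records = []
    for cert_id in [index["administrator"], *index["device_list"], *index["personnel"]]:
        entity = lookup(cert_id)
        if entity is None:
            raise KeyError(f"no certificate entity stored for {cert_id}")
        index["positions"][cert_id] = len(records)
        records.append(entity)
    return records


def entity_of(index, admin_file, cert_id):
    """Locate a certificate entity through its position in the index file."""
    return admin_file[index["positions"][cert_id]]


def ops_ukey_entities(index, admin_file, person):
    """Device certificate entities written to an O&M person's UKey, used to
    verify the device that person is about to operate."""
    return {d: entity_of(index, admin_file, d) for d in index["personnel"].get(person, [])}


def device_ukey_entities(index, admin_file, device):
    """O&M personnel certificate entities written to a device's UKey, used to
    verify the authority of whoever attempts to operate the device."""
    return {p: entity_of(index, admin_file, p)
            for p, devs in index["personnel"].items() if device in devs}


def ops_authorised(device_ukey, presented_entity):
    """Authority check on the device side: the presented person certificate
    must equal one of the entities written to this device's UKey."""
    return any(e == presented_entity for e in device_ukey.values())
```

Rejecting a configuration that maps a person to a device outside the administrator's equipment list is the check worth keeping: it is what stops an operation and maintenance person from being granted authority over equipment the administrator was never given.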
In one embodiment, the server updates the certificate entities in the UKeys of the operation and maintenance personnel and of the equipment by means of the certificate management client. It can be understood that the administrator allocates the operation and maintenance relation between the administered personnel and the equipment through the certificate management client.
In one embodiment, after the certificate management client starts the UKey, the identity information of the UKey is submitted to the server for identity verification. UKeys of different classes have different authorities; for example, a business-class CA can generate administrator certificates and operation and maintenance engineer certificates.
In one embodiment, a system administrator allocates the corresponding operation and maintenance personnel and equipment to each administrator through the certificate management client.
In one embodiment, the certificate management method further includes: determining the identity level of the corresponding user according to the certificate management request; determining the user authority of the user according to the identity level; and managing the certificate entity according to the certificate management request only when, according to the user authority, the user is judged to have the management right for the certificate entity.
Specifically, the server parses the certificate management request to obtain the identity of the corresponding user, determines the identity level of the user from that identity, and takes the user authority corresponding to the identity level as the user authority of the user. The server judges from the user authority whether the user has the management right for the certificate entity, and only if so manages the certificate entity according to the certificate management request.
In one embodiment, the identity levels include a master, a system administrator, an administrator, a general user and the like. Different identity levels have different user rights; for example, a general user has a viewing right and a system administrator has the right to modify the administrator administration file, without limitation here. The master is the owner of the highest authority in the whole system and logs in with an account and password. The system administrator and the general users are designated by the master; general users can only view, and the system administrator and general users log in with a UKey.
In one embodiment, when the server and the terminal communicate over TCP, a transmission protocol or communication protocol needs to be configured on the server and on the terminal respectively. When the server and the terminal communicate in WEB mode, the terminal calls the WEB service of the server, that is, it calls the corresponding function interface, to communicate.
In one embodiment, the certificate management server establishes a database, provides a database read-write interface, and stores related data such as digital certificates and operation records. The server also provides an access interface for human-computer interaction, through which the human-computer interface can access the server data.
In one embodiment, the certificate management client has an interface for adding, updating and deleting certificates, which displays certificate contents in a tree-shaped hierarchy and in list form. The certificate management client can also provide several query modes for certificates, such as by certificate identifier, certificate serial number, certificate name and the like.
As shown in FIG. 5, a certificate management method is provided, which specifically includes the following steps:
S502, receiving a certificate management request sent by a terminal through a certificate management interface; the certificate management request carries a certificate identifier.
S504, querying the position offset information corresponding to the certificate identifier from the pre-configured certificate index file.
S506, querying the certificate entity corresponding to the certificate identifier from the pre-configured certificate storage file according to the position offset information.
S508, locking the operation authority of the certificate entity, and determining the certificate operation type according to the certificate management interface.
S510, managing the certificate entity according to the certificate operation type and the certificate management request.
S512, releasing the operation authority when the current management operation is completed.
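The following is an added example, written for this page rather than taken from the patent, that puts steps S502 to S512 together with the identity-level check of the earlier embodiment into one small certificate store. The index file is a JSON map from certificate identifier to byte offset, the storage file holds each certificate entity behind a live flag and a length, each management request locks the entity's operation authority and releases it when done, and the management interface name stands in for the operation type. The rights table, the user directory and the record layout are assumptions of the example; the description only names the identity levels and gives viewing and modifying as illustrations of rights.

```python
import json
import os
import struct
import tempfile
import threading

# Identity levels are those named in the description; the rights attached to
# each level and the user directory are constructed for this example.
RIGHTS = {
    "master": {"view", "issue", "update", "delete"},
    "system_admin": {"view", "issue", "update", "delete"},
    "administrator": {"view", "issue", "update"},
    "general_user": {"view"},
}
USER_LEVELS = {"root": "master", "alice": "administrator", "bob": "general_user"}
# The management interface a request arrives on determines the operation type.
REQUIRED_RIGHT = {"query": "view", "issue": "issue", "update": "update", "delete": "delete"}


class CertificateBusy(Exception):
    """Another management operation currently holds this entity's authority."""


class PermissionDenied(Exception):
    """The user's identity level lacks the right for the requested operation."""


class CertificateStore:
    """Index file: JSON mapping certificate identifier -> byte offset.
    Storage file: records of a 1-byte live flag, a 4-byte big-endian length
    and the certificate entity bytes (DER or PEM in practice)."""

    HEADER = struct.Struct(">BI")

    def __init__(self, index_path, storage_path):
        self.index_path, self.storage_path, self.index = index_path, storage_path, {}
        if os.path.exists(index_path):
            with open(index_path) as f:
                self.index = json.load(f)
        open(storage_path, "ab").close()  # make sure the storage file exists
        self._guard, self._entity_locks = threading.Lock(), {}

    def _save_index(self):
        with open(self.index_path, "w") as f:
            json.dump(self.index, f)

    def _lock_for(self, cert_id):
        with self._guard:  # one lock object per certificate entity
            return self._entity_locks.setdefault(cert_id, threading.Lock())

    def _append(self, entity):
        with open(self.storage_path, "ab") as f:
            f.seek(0, os.SEEK_END)
            offset = f.tell()
            f.write(self.HEADER.pack(1, len(entity)) + entity)
        return offset

    def _mark_stale(self, offset):
        with open(self.storage_path, "r+b") as f:
            f.seek(offset)
            f.write(b"\x00")  # clear the live flag so the bytes are never served again

    def query(self, cert_id):
        """S504/S506: identifier -> offset through the index, then read the entity."""
        offset = self.index.get(cert_id)
        if offset is None:
            return None
        with open(self.storage_path, "rb") as f:
            f.seek(offset)
            live, length = self.HEADER.unpack(f.read(self.HEADER.size))
            return f.read(length) if live else None

    def manage(self, request):
        """S502-S512 with the identity-level check in front of the operation."""
        op, cert_id, user = request["interface"], request["cert_id"], request["user"]
        level = USER_LEVELS.get(user)
        if level is None or REQUIRED_RIGHT[op] not in RIGHTS[level]:
            raise PermissionDenied(f"{user} ({level}) may not {op} {cert_id}")
        lock = self._lock_for(cert_id)
        if not lock.acquire(blocking=False):  # S508: lock the operation authority
            raise CertificateBusy(cert_id)
        try:
            if op == "query":
                return self.query(cert_id)
            if op == "issue":
                if cert_id in self.index:
                    raise ValueError(f"{cert_id} already issued")
                self.index[cert_id] = self._append(request["entity"])
            elif op == "update":
                self._mark_stale(self.index[cert_id])  # KeyError if never issued
                self.index[cert_id] = self._append(request["entity"])
            elif op == "delete":
                self._mark_stale(self.index.pop(cert_id))
            self._save_index()
            return self.index.get(cert_id)
        finally:
            lock.release()  # S512: release the authority once the operation is done


def run_demo():
    """Constructed walk-through in a temporary directory; returns what happened."""
    d = tempfile.mkdtemp()
    store = CertificateStore(os.path.join(d, "cert.idx"), os.path.join(d, "cert.dat"))
    out = {}
    out["issue_offset"] = store.manage({"interface": "issue", "cert_id": "dev-001",
                                        "user": "root", "entity": b"CERT-A"})
    out["query"] = store.manage({"interface": "query", "cert_id": "dev-001", "user": "bob"})
    try:
        store.manage({"interface": "delete", "cert_id": "dev-001", "user": "bob"})
        out["denied"] = False
    except PermissionDenied:
        out["denied"] = True
    store.manage({"interface": "update", "cert_id": "dev-001", "user": "alice", "entity": b"CERT-A2"})
    out["after_update"] = store.query("dev-001")
    out["persisted"] = CertificateStore(store.index_path, store.storage_path).query("dev-001")
    held = store._lock_for("dev-002")
    held.acquire()  # simulate another operation holding the authority
    try:
        store.manage({"interface": "issue", "cert_id": "dev-002", "user": "root", "entity": b"B"})
        out["busy"] = False
    except CertificateBusy:
        out["busy"] = True
    finally:
        held.release()
    store.manage({"interface": "delete", "cert_id": "dev-001", "user": "root"})
    out["after_delete"] = store.query("dev-001")
    return out
```

The lock is taken non-blocking so a second request for the same entity is refused rather than queued; an update appends the new entity and retires the old record instead of rewriting it in place, which keeps the offset in the index valid for readers until the index is saved.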
It should be understood that although the steps in the flowcharts of FIG. 2 and FIG. 5 are shown in the order indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated otherwise, there is no strict ordering of these steps, and they may be performed in other orders. Moreover, at least some of the steps in FIG. 2 and FIG. 5 may include several sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and whose order is not necessarily sequential; they may be performed alternately with other steps or with at least some of the sub-steps or stages of other steps.
In one embodiment, as shown in FIG. 6, a certificate management apparatus 600 is provided, including an obtaining module 602, a query module 604 and a management module 606, wherein:
the obtaining module 602 is configured to obtain a certificate management request carrying a certificate identifier;
the query module 604 is configured to query the position offset information corresponding to the certificate identifier from a pre-configured certificate index file;
the query module 604 is further configured to query the certificate entity corresponding to the certificate identifier from a pre-configured certificate storage file according to the position offset information;
the management module 606 is configured to lock the operation authority of the certificate entity and manage the certificate entity according to the certificate management request;
the management module 606 is further configured to release the operation authority when the current management operation is completed.
In one embodiment, the obtaining module 602 is further configured to receive a certificate management request sent by the terminal through a certificate management interface, the certificate management request carrying a certificate identifier; and the management module 606 is further configured to determine the certificate operation type according to the certificate management interface and to manage the certificate entity according to the certificate operation type and the certificate management request.
In one embodiment, the certificate management apparatus 600 further includes an encryption module configured to receive a data encryption request sent by the terminal through the encryption interface, the data encryption request carrying a certificate identifier; to query the corresponding certificate entity according to the certificate identifier; and to obtain the data to be encrypted from the data encryption request and encrypt it according to the certificate entity.
In one embodiment, the certificate management apparatus 600 further includes a configuration module configured to acquire an operation and maintenance authority configuration file sent by the terminal, the configuration file comprising a plurality of certificate identifiers and the association relation corresponding to each certificate identifier, where the certificate identifiers include those of an administrator, of equipment and of operation and maintenance personnel; to construct the corresponding administrator administration index file according to the certificate identifiers and their association relations; and to query the certificate entity corresponding to each certificate identifier from the certificate storage file and store it in the administrator administration file according to the position offset information of the corresponding certificate identifier in the administrator administration index file.
In one embodiment, the obtaining module 602 is further configured to determine the identity level of the corresponding user according to the certificate management request and to determine the user authority of the user according to the identity level; and the management module 606 is further configured to manage the certificate entity according to the certificate management request when, according to the user authority, the user is judged to have the management right for the certificate entity.
For the specific limitations of the certificate management apparatus, reference may be made to the limitations of the certificate management method above, which are not repeated here. The modules of the certificate management apparatus may be implemented in whole or in part by software, by hardware or by a combination of the two. The modules may be embedded in hardware form in, or be independent of, the processor of the computer device, or may be stored in software form in the memory of the computer device so that the processor can call and execute the operations corresponding to each module.
In one embodiment, a computer device is provided, which may be a server whose internal structure may be as shown in FIG. 7. The computer device includes a processor, a memory, a network interface and a database connected by a system bus. The processor of the computer device provides computing and control capabilities. The memory of the computer device comprises a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program and a database; the internal memory provides the environment in which the operating system and the computer program from the non-volatile storage medium run. The database of the computer device stores the certificate index file and the certificate storage file. The network interface of the computer device communicates with an external terminal over a network connection. When executed by the processor, the computer program implements the certificate management method.
Those skilled in the art will appreciate that the architecture shown in FIG. 7 is merely a block diagram of some of the structures relevant to the disclosed aspects and does not limit the computer devices to which the disclosed aspects apply; a particular computer device may include more or fewer components than shown, may combine certain components, or may arrange the components differently.
In one embodiment, a computer device is provided, which includes a memory and a processor, the memory stores a computer program, and the processor implements the steps of the certificate management method in the above embodiments when executing the computer program.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored, which when executed by a processor implements the steps of the certificate management method in the various embodiments described above.
It will be understood by those skilled in the art that all or part of the processes of the methods in the embodiments above can be implemented by instructing the relevant hardware through a computer program, which can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, storage, a database or another medium used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
The technical features of the above embodiments can be combined arbitrarily; for brevity, not all possible combinations of those technical features are described, but any combination that involves no contradiction should be considered within the scope of this specification.
The above examples express only several embodiments of the present application, and although their description is specific and detailed, they are not to be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within its scope of protection. Therefore, the scope of protection of this patent shall be subject to the appended claims.

Claims (10)

1. A method of certificate management, the method comprising:
acquiring a certificate management request carrying a certificate identifier;
inquiring position offset information corresponding to the certificate identification from a pre-configured certificate index file; the certificate index file comprises a root certificate, a personnel certificate and an equipment certificate are included under the root certificate, a plurality of administrator certificates and a plurality of operation and maintenance personnel certificates are included under the personnel certificate, and a plurality of equipment certificates are included under the equipment certificate; the certificate index file describes a certificate hierarchical structure, and virtual nodes are added among certificates of each hierarchy so as to flexibly divide certificate areas; the virtual node is a non-associated certificate for describing the hierarchy; storing a certificate identifier corresponding to each certificate in the certificate index file, and positioning the position offset of a corresponding certificate entity in the certificate storage file through the position offset information of the certificate identifier in the certificate index file;
inquiring a certificate entity corresponding to the certificate identification from a pre-configured certificate storage file according to the position offset information;
locking the operation authority of the certificate entity, and managing the certificate entity according to the certificate management request;
releasing the operation authority when the current management operation is completed;
acquiring an operation and maintenance authority configuration file sent by a terminal; the operation and maintenance authority configuration file comprises a plurality of certificate identifiers and an association relation corresponding to each certificate identifier; the plurality of certificate identifiers comprise certificate identifiers corresponding to an administrator, equipment and operation and maintenance personnel respectively;
constructing a corresponding administrator administration index file according to the plurality of certificate identifiers and the association relation corresponding to each certificate identifier;
inquiring a certificate entity corresponding to each certificate identification from a certificate storage file, and storing the certificate entity to an administrator administration file according to the position offset information of the corresponding certificate identification in the administrator administration index file; the administrator administration file is used for determining a certificate entity corresponding to the equipment managed by the operation and maintenance personnel and verifying the equipment to be operated and maintained on the basis of the certificate entity corresponding to the equipment managed by the operation and maintenance personnel; or the administrator administration file is used for determining a certificate entity corresponding to each operation and maintenance person of each device, and verifying the operation and maintenance authority of the operation and maintenance person based on the certificate entity corresponding to each operation and maintenance person of each device.
2. The method of claim 1, wherein obtaining the certificate management request carrying the certificate identifier comprises:
receiving a certificate management request sent by a terminal through a certificate management interface; the certificate management request carries a certificate identification;
the managing the certificate entity according to the certificate management request includes:
determining a certificate operation type according to the certificate management interface;
and managing the certificate entity according to the certificate operation type and the certificate management request.
3. The method of claim 1, further comprising:
receiving a data encryption request sent by a terminal through an encryption interface; the data encryption request carries a certificate identifier;
inquiring a corresponding certificate entity according to the certificate identification;
and obtaining data to be encrypted according to the data encryption request, and encrypting the data to be encrypted according to the certificate entity.
4. The method according to any one of claims 1 to 3, further comprising:
determining the identity level of a corresponding user according to the certificate management request;
determining the user authority of the user according to the identity level;
the managing the certificate entity according to the certificate management request includes:
and when the user is judged to have the management right on the certificate entity according to the user right, managing the certificate entity according to the certificate management request.
5. A certificate management apparatus, characterized in that the apparatus comprises:
the acquisition module is used for acquiring a certificate management request carrying a certificate identifier;
the inquiry module is used for inquiring the position offset information corresponding to the certificate identification from a pre-configured certificate index file; the certificate index file comprises a root certificate, a personnel certificate and an equipment certificate are included under the root certificate, a plurality of administrator certificates and a plurality of operation and maintenance personnel certificates are included under the personnel certificate, and a plurality of equipment certificates are included under the equipment certificate; the certificate index file describes a certificate hierarchical structure, and virtual nodes are added among certificates of each hierarchy so as to flexibly divide certificate areas; the virtual node is a non-associated certificate for describing the hierarchy; storing a certificate identifier corresponding to each certificate in the certificate index file, and positioning the position offset of a corresponding certificate entity in the certificate storage file through the position offset information of the certificate identifier in the certificate index file;
the inquiring module is further used for inquiring a certificate entity corresponding to the certificate identifier from a pre-configured certificate storage file according to the position offset information;
the management module is used for locking the operation authority of the certificate entity and managing the certificate entity according to the certificate management request;
the management module is further used for releasing the operation authority when the current management operation is completed;
the configuration module is used for acquiring an operation and maintenance authority configuration file sent by the terminal; the operation and maintenance authority configuration file comprises a plurality of certificate identifiers and an association relation corresponding to each certificate identifier; the plurality of certificate identifiers comprise certificate identifiers corresponding to an administrator, equipment and operation and maintenance personnel respectively; according to the plurality of certificate identifiers and the association relation corresponding to each certificate identifier, constructing a corresponding administrator administration index file; inquiring a certificate entity corresponding to each certificate identifier from a certificate storage file, and storing the certificate entity to an administrator administration file according to the position offset information of the corresponding certificate identifier in the administrator administration index file; the administrator administration file is used for determining a certificate entity corresponding to the equipment managed by the operation and maintenance personnel and verifying the equipment to be operated and maintained on the basis of the certificate entity corresponding to the equipment managed by the operation and maintenance personnel; or the administrator administration file is used for determining a certificate entity corresponding to each operation and maintenance person of each device, and verifying the operation and maintenance authority of the operation and maintenance person based on the certificate entity corresponding to each operation and maintenance person of each device.
6. The apparatus according to claim 5, wherein the obtaining module is further configured to receive a certificate management request sent by a terminal through a certificate management interface; the certificate management request carries a certificate identification; the management module is further used for determining a certificate operation type according to the certificate management interface; and managing the certificate entity according to the certificate operation type and the certificate management request.
7. The apparatus of claim 5, further comprising:
the encryption module is used for receiving a data encryption request sent by the terminal through the encryption interface; the data encryption request carries a certificate identifier; inquiring a corresponding certificate entity according to the certificate identification; and obtaining data to be encrypted according to the data encryption request, and encrypting the data to be encrypted according to the certificate entity.
8. The apparatus of claim 5, wherein the obtaining module is further configured to determine an identity level of the corresponding user according to the certificate management request; and determining the user authority of the user according to the identity level.
9. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of the method of any one of claims 1 to 4 when executing the computer program.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 4.
CN201911362689.1A 2019-12-26 2019-12-26 Certificate management method and device, computer equipment and storage medium Active CN111177685B (en)


Publications (2)

Publication Number Publication Date
CN111177685A CN111177685A (en) 2020-05-19
CN111177685B true CN111177685B (en) 2022-12-16

Family

ID=70655673

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911362689.1A Active CN111177685B (en) 2019-12-26 2019-12-26 Certificate management method and device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111177685B (en)

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001043344A1 (en) * 1999-12-13 2001-06-14 Rsa Security Inc. System and method for generating and managing attribute certificates
US7310629B1 (en) * 1999-12-15 2007-12-18 Napster, Inc. Method and apparatus for controlling file sharing of multimedia files over a fluid, de-centralized network
US8195934B1 (en) * 2007-05-03 2012-06-05 United Services Automobile Association (Usaa) Systems and methods for managing certificates
CN102088350B (en) * 2009-12-08 2014-04-16 长春吉大正元信息技术股份有限公司 Directory service-based authorization management system and implementation method thereof
CN102834823B (en) * 2010-02-11 2017-07-28 瑞典爱立信有限公司 Data management at catalog data base
CN101860824B (en) * 2010-05-06 2013-06-12 上海海基业高科技有限公司 Digital signature authentication system based on short message and digital signature method
CN104901931B (en) * 2014-03-05 2018-10-12 财团法人工业技术研究院 Certificate management method and device
CN108255859A (en) * 2016-12-29 2018-07-06 航天信息股份有限公司 Method and system for establishing an index for large numbers of digital certificates
CN107229877A (en) * 2017-06-05 2017-10-03 北京凤凰理理它信息技术有限公司 Certificate management and acquisition methods, device, computer program and electronic equipment

Also Published As

Publication number Publication date
CN111177685A (en) 2020-05-19

Similar Documents

Publication Publication Date Title
US11647007B2 (en) Systems and methods for smartkey information management
CN109862041B (en) Digital identity authentication method, equipment, device, system and storage medium
CN110581860B (en) Identity authentication method, device, storage medium and equipment based on block chain
CN109471844B (en) File sharing method and device, computer equipment and storage medium
KR102025409B1 (en) Data access management system based on blockchain and method thereof
US9031876B2 (en) Managing keys for encrypted shared documents
CN109325342B (en) Identity information management method, device, computer equipment and storage medium
WO2019237570A1 (en) Electronic contract signing method, device and server
KR101593165B1 (en) Data access control method
WO2018112946A1 (en) Registration and authorization method, device and system
CN108881252B (en) Identity authentication data processing method and device, computer equipment and storage medium
US20140237231A1 (en) Computer system for storing and retrieval of encrypted data items, client computer, computer program product and computer-implemented method
EP3477891A1 (en) Methods for recording and sharing a digital identity of a user using distributed ledgers
CN111147432B (en) KYC data sharing system with confidentiality and method thereof
US10685141B2 (en) Method for storing data blocks from client devices to a cloud storage system
US20150121498A1 (en) Remote keychain for mobile devices
CN111010367A (en) Data storage method and device, computer equipment and storage medium
WO2020215685A1 (en) Block chain-based information processing and acquisition methods and apparatus, device, and medium
CN112291375B (en) Internet of things equipment security access control method, Internet of things equipment and Internet of things system
CN109064596B (en) Password management method and device and electronic equipment
CN112215609B (en) House property user identity authentication method and device based on super account book and electronic equipment
CN111625869A (en) Data processing method and data processing device
KR20200112055A (en) Method for sharing data in block chain environment and apparatus
KR20200097773A (en) Blockchain-based identity system
BR102020024769A2 (en) METHOD AND SYSTEM FOR TRANSPARENT NON-REPUDIABLE ORDERING, REPLICATION, AND REGISTRATION OF OPERATIONS INVOLVING PERSONAL DATA AND COMPUTER-READABLE NON-TRANSITIONAL MEANS

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant