CN112202719B - Signature method, system, device and storage medium based on digital certificate - Google Patents
Signature method, system, device and storage medium based on digital certificate Download PDFInfo
- Publication number
- CN112202719B CN112202719B CN202010918942.3A CN202010918942A CN112202719B CN 112202719 B CN112202719 B CN 112202719B CN 202010918942 A CN202010918942 A CN 202010918942A CN 112202719 B CN112202719 B CN 112202719B
- Authority
- CN
- China
- Prior art keywords
- digital certificate
- certificate
- application name
- signature
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3297—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a signature method, a system, a device and a storage medium based on a digital certificate, wherein the method comprises the following steps: acquiring data to be signed and a first digital certificate application name, and creating a signature request according to the data to be signed and the first digital certificate application name; determining a first digital certificate in a pre-established digital certificate library according to the application name of the first digital certificate, and acquiring a first private key of the first digital certificate; and carrying out digital signature on the data to be signed according to the first private key. The invention manages and calls the digital certificate by adopting the application name of the digital certificate, avoids the problem that the digital certificate can not be correctly obtained due to the repeated DN of the certificate or the serial number of the certificate, does not need to change the application name of the digital certificate after the digital certificate is updated due to reasons such as overdue and the like, and has the advantages of more convenient deployment and maintenance of signature verification safety service, improved signature verification efficiency of a signature verification server and wide application in the technical field of information safety compared with the traditional signature verification method.
Description
Technical Field
The invention relates to the technical field of information security, in particular to a signature method, a system, a device and a storage medium based on a digital certificate.
Background
The traditional signature verification server generally takes the DN of a user with certificate attribute or the serial number of the certificate as a keyword to manage and use the certificate. Specifically, the certificate is issued from a Certificate Authority (CA), an administrator can import and store the certificate into a signature and signature server, and can query a corresponding certificate through a certificate user DN or a certificate serial number, and when the application server uses a certificate service interface of the signature and signature server, the application server inputs interface parameters such as the user DN or the certificate serial number and signature data, and the like, so that the password security functions of signature, signature verification and the like can be completed. However, the method for managing or using the certificate based on the user DN or the certificate serial number has the following disadvantages:
1) the number of the certificate DN (distinggushed name) is more information, such as the name of the country, the name of the province, the name of the city, the name of the organization, etc., and the serial number of the certificate is a string of hexadecimal data, which is difficult to memorize and manage, and is very inconvenient to inquire and manage especially when the number of the certificates is large;
2) in practical application, when some CA issues a certificate, the uniqueness of user DN is not completely guaranteed, that is, the user DN of a plurality of certificates is the same, for example, the user DN of a CFCA issued is the same, the user DN of a signature certificate and an encryption certificate is the same, and when the user DN is used as an inquiry condition, the uniquely determined certificate can not be inquired; if a plurality of certificates issued by different CAs exist, the serial numbers of the certificates have the possibility of being repeated;
3) the certificate needs to be issued again by CA due to reasons such as overdue, the serial number of the new certificate is different from the serial number of the original certificate, after the signature verification server updates the certificate, when the application server uses the certificate service interface of the signature verification server, the input parameter of the serial number of the certificate needs to be adjusted correspondingly, which brings inconvenience to the deployment and maintenance of the application system.
The noun interpretation:
digital certificate: a trusted digital document digitally signed by a third party Certification Authority (CA) that is authorized, trusted and impartial by the country.
And (3) certificate DN: in the body name field of the digital certificate, the x.500 name for uniquely identifying the user typically includes information such as country name, province name, city name, organization name, and the like.
Certificate serial number: an integer for uniquely identifying a digital certificate in a certificate issued by a certificate authority.
Signature and signature verification server: the server is used for the server side and provides the application entity with the operation functions of digital signature, signature verification and the like based on a PKI system and a digital certificate, and the authenticity, the integrity and the non-repudiation of key business information can be ensured.
Disclosure of Invention
To solve the above technical problems, the present invention aims to: the signature method, the system, the device and the storage medium based on the digital certificate are provided, so that the deployment and the later maintenance of the signature verification safety service are more convenient, and the signature verification efficiency of the signature verification server is improved.
The technical scheme adopted by the invention on one hand is as follows:
a digital certificate based signing method, comprising the steps of:
acquiring data to be signed and a first digital certificate application name, and creating a signature request according to the data to be signed and the first digital certificate application name;
determining a first digital certificate in a pre-established digital certificate library according to the application name of the first digital certificate, and acquiring a first private key of the first digital certificate;
and carrying out digital signature on the data to be signed according to the first private key.
Further, the signature method further comprises a step of establishing a digital certificate library, which specifically comprises the following steps:
generating a public and private key pair and a certificate request file at a preset key index position, and sending the certificate request file to a certificate authority;
acquiring a second digital certificate issued by a certificate authority, and generating a second digital certificate application name according to the second digital certificate;
generating a key value pair according to the second digital certificate and the second digital certificate application name, and storing the key value pair in a digital certificate library;
wherein, the Key of the Key-Value pair is the application name of the second digital certificate, and the Value of the Key-Value pair is the second digital certificate.
Further, the second digital certificate application name includes an application identifier, an organization identifier, and a certificate version number.
Further, the step of determining a first digital certificate in a pre-established digital certificate repository according to the application name of the first digital certificate and acquiring a first private key of the first digital certificate specifically includes:
matching and inquiring the application name of the first digital certificate as a Key in the digital certificate library, and determining the corresponding Value as the first digital certificate;
analyzing the first digital certificate, verifying the validity of the first digital certificate and determining a first key index position of the first digital certificate;
and acquiring a first private key of the first digital certificate according to the first key index position.
Further, the step of digitally signing the data to be signed according to the first private key specifically includes:
acquiring a first timestamp of a signature verification server;
and digitally signing the data to be signed according to the first private key and the first timestamp.
Further, the signature method further comprises the following steps:
acquiring data to be checked and signed and a third digital certificate application name, and creating a checking and signing request according to the data to be checked and signed and the third digital certificate application name;
determining a third digital certificate in a pre-established digital certificate library according to the application name of the third digital certificate, and acquiring a third public key of the third digital certificate;
and performing signature verification on the data to be signed according to the third public key.
The technical scheme adopted by the other aspect of the invention is as follows:
a digital certificate based signing system comprising:
the signature request module is used for acquiring data to be signed and a first digital certificate application name and creating a signature request according to the data to be signed and the first digital certificate application name;
the private key acquisition module is used for determining a first digital certificate in a pre-established digital certificate library according to the application name of the first digital certificate and acquiring a first private key of the first digital certificate;
and the digital signature module is used for carrying out digital signature on the data to be signed according to the first private key.
Further, the signature system further comprises a digital certificate library establishing module, which specifically comprises:
the certificate request unit is used for generating a public and private key pair and a certificate request file at a preset key index position and sending the certificate request file to a certificate authority;
the digital certificate application name generating unit is used for acquiring a second digital certificate issued by a certificate authority and generating a second digital certificate application name according to the second digital certificate;
the key value pair storage unit is used for generating a key value pair according to the second digital certificate and the application name of the second digital certificate and storing the key value pair into a digital certificate library;
wherein, the Key of the Key-Value pair is the application name of the second digital certificate, and the Value of the Key-Value pair is the second digital certificate.
The technical scheme adopted by the other aspect of the invention is as follows:
a digital certificate-based signing apparatus, comprising:
at least one processor;
at least one memory for storing at least one program;
when executed by the at least one processor, cause the at least one processor to implement the digital certificate-based signing method described above.
The technical scheme adopted by the other aspect of the invention is as follows:
a computer-readable storage medium in which a program executable by a processor is stored, the program executable by the processor being for performing the above-described digital certificate-based signing method when executed by the processor.
The invention has the beneficial effects that: the invention relates to a signature method, a system, a device and a storage medium based on a digital certificate, which manage and call the digital certificate by adopting a digital certificate application name, avoid the problem that the digital certificate cannot be correctly acquired due to the repeated DN or serial number of the certificate, simultaneously support the digital certificates issued by a plurality of certificate issuing organizations, and do not need to change the digital certificate application name after the digital certificate is updated due to overdue reasons and the like.
Drawings
FIG. 1 is a flowchart illustrating steps of a digital certificate based signature method according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating steps of a digital certificate based signature method according to another embodiment of the present invention;
fig. 3 is a specific flowchart of a digital certificate-based signature method according to an embodiment of the present invention;
FIG. 4 is a block diagram of a digital certificate based signature system according to an embodiment of the present invention;
fig. 5 is a block diagram of a digital certificate based signature apparatus according to an embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the figures and the specific embodiments. For the step numbers in the following embodiments, they are set for convenience of illustration only, the order between the steps is not limited at all, and the execution order of each step in the embodiments can be adapted according to the understanding of those skilled in the art.
In the description of the present invention, the meaning of a plurality is more than two, if there are first and second described for the purpose of distinguishing technical features, but not for indicating or implying relative importance or implicitly indicating the number of indicated technical features or implicitly indicating the precedence of the indicated technical features. Furthermore, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art. The terminology used in the description herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention.
Referring to fig. 1 and 2, an embodiment of the present invention provides a digital certificate-based signing method, including the following steps:
s101, acquiring data to be signed and an application name of a first digital certificate, and creating a signature request according to the data to be signed and the application name of the first digital certificate;
specifically, the application system uses a security service interface of the signature verification server, inputs interface parameters such as a certificate application name and data to be signed, and creates a signature request by the signature verification server.
S102, determining a first digital certificate in a pre-established digital certificate library according to the application name of the first digital certificate, and acquiring a first private key of the first digital certificate;
specifically, the digital certificate repository comprises a plurality of key value pairs, each key value pair consists of a digital certificate and an application name corresponding to the digital certificate, and therefore the first digital certificate can be uniquely determined in the digital certificate repository for signature according to the application name of the first digital certificate. Step S102 specifically includes the following steps:
s1021, matching and inquiring the first digital certificate application name as Key in a digital certificate library, and determining the corresponding Value as the first digital certificate;
specifically, in the digital certificate repository according to the embodiment of the present invention, keys of Key-Value pairs correspond to values one to one. The embodiment of the invention also comprises a step S100 of establishing a digital certificate library, which specifically comprises the following steps:
a1, generating a public and private key pair and a certificate request file at a preset key index position, and sending the certificate request file to a certificate authority;
specifically, the preset key index position is used as the key index position of the digital certificate after the digital certificate is generated, so that the corresponding private key or public key can be quickly and accurately addressed;
a2, acquiring a second digital certificate issued by a certificate authority, and generating a second digital certificate application name according to the second digital certificate;
specifically, the second digital certificate application name is a regular and easy-to-remember certificate application name, and the application name is the unique key value of the second digital certificate in the signature and signature verification server;
further as an alternative embodiment, the second digital certificate application name includes an application identifier, an organization identifier, and a certificate version number.
Specifically, the naming rule of the digital certificate application name is as follows: appID.bankID.ver; wherein appID is an application identifier, bankID is an organization identifier, and ver is a certificate version number.
In the embodiment of the invention, the digital certificate application name generated according to the application identifier, the mechanism identifier and the certificate version number covers the key information of the corresponding digital certificate, so that the subsequent calling is facilitated.
A3, generating a key value pair according to the second digital certificate and the application name of the second digital certificate, and storing the key value pair in a digital certificate library;
and the Key of the Key-Value pair is the application name of the second digital certificate, and the Value of the Key-Value pair is the second digital certificate.
Specifically, the application name of the second digital certificate is used as Key, the second digital certificate is used as Value, the generated Key Value pair facilitates subsequent determination of the digital certificate through the application name index of the digital certificate, and meanwhile, the generation of the Key Value pair also facilitates management of the digital certificate.
Optionally, the embodiment of the present invention may be used for managing a local application certificate and managing an external application certificate, and the specific details are as follows:
1) management of local application certificates: before a local application system is deployed, an administrator generates a public and private key pair and a certificate request file at a selected key index position through a management tool, submits the certificate request file to apply for a certificate to a CA (certificate application) and obtains the certificate issued by the CA, then selects the key index position, inputs a regular certificate application name easy to remember (the certificate application name is a unique key value in a signature verification server), guides the certificate into the signature verification server, the signature verification server analyzes the certificate, checks the validity of the certificate, judges whether the certificate application name exists or not, stores the certificate application name and related information of the certificate into a digital certificate library, and the local application system stores the local digital certificate application name into a configuration;
2) management of external application certificates: before the application system of the external organization is in butt joint with the application system of the external organization, an administrator inputs a certificate application name, a certificate issued to the application system of the external organization by a CA is led into a signature and signature server, the signature and signature server analyzes and verifies the legality of the certificate and the uniqueness of the certificate application name, the certificate application name and related information of the certificate are stored in a digital certificate library, and the application name of the external digital certificate is stored in configuration by a local application system.
S1022, the first digital certificate is analyzed, the validity of the first digital certificate is verified, and the first key index position of the first digital certificate is determined;
s1023, a first private key of the first digital certificate is obtained according to the first key index position.
Specifically, referring to step A1 above, a public-private key pair corresponding to the first digital certificate is addressable based on the first key index location, wherein the private key is used for signing and the public key is used for verifying.
S103, carrying out digital signature on the data to be signed according to the first private key.
In particular, the digital signature algorithm may employ an elliptic curve digital signature algorithm, including but not limited to ECDSA digital signature algorithm and SM2 digital signature algorithm. Step S103 specifically includes the following steps:
s1031, obtaining a first time stamp of the signature verification server;
s1032, digitally signing the data to be signed according to the first private key and the first time stamp.
Specifically, the digital signature is performed on the data to be signed according to the first private key and the first timestamp, and the generated signature data format is as follows: timestamp + data to be signed + signature.
In the embodiment of the invention, the timestamp is added when the digital signature is carried out on the data to be signed, so that the data receiver can carry out timeliness verification when the signature is verified, and the reliability of signature verification is improved.
As shown in fig. 3, which is a specific flowchart of a digital certificate-based signature method provided in an embodiment of the present invention, an application system in an embodiment of the present invention uses a security service interface of a signature verification server to input interface parameters such as a certificate application name and signature data, and then the signature verification server addresses a corresponding private key, a certificate public key, and the like according to the certificate application name to complete security functions such as digital signature and signature verification.
The embodiment of the invention provides a digital certificate-based signature method, which manages and calls a digital certificate by adopting a digital certificate application name, avoids the problem that the digital certificate cannot be correctly acquired due to repeated DN (digital directory number) or serial number of the certificate, can simultaneously support the digital certificates issued by a plurality of certificate issuing organizations, does not need to change the digital certificate application name after the digital certificate is updated due to overdue reasons and the like, and is more convenient to deploy and later-period maintenance of signature verification safety service compared with the traditional signature verification method for managing and calling the digital certificate by using the DN or serial number of the certificate, thereby improving the signature verification efficiency of a signature verification server.
Compared with the traditional signature verification method, the embodiment of the invention has the following advantages:
1) the application name of the digital certificate is used for replacing the DN or the serial number of the certificate as a key index value, so that the problem that the DN or the serial number of the certificate is possibly repeated in the certificate issued by the CA is solved, and the certificates issued by a plurality of CAs can be better supported;
2) when the digital certificate is updated due to reasons such as overdue and the like, the application system does not need to be reconfigured, and the deployment and maintenance are more flexible and convenient;
3) and the digital certificate and the application name of the digital certificate are used as key value pairs to establish a digital certificate library, so that the management of the digital certificate is facilitated.
As a further optional implementation, the signature method further includes the following steps:
s104, acquiring data to be checked and signed and an application name of a third digital certificate, and creating a checking and signing request according to the data to be checked and signed and the application name of the third digital certificate;
s105, determining a third digital certificate in a pre-established digital certificate library according to the application name of the third digital certificate, and acquiring a third public key of the third digital certificate;
and S106, performing signature verification on the data to be verified according to the third public key.
Specifically, the embodiment of the present invention further includes a step of performing signature verification according to the application name of the digital certificate, and the principle and the process of the step of performing digital signature are similar to those described above, which are not described herein again.
Further as an optional implementation manner, the signature method adopts an elliptic curve digital signature algorithm to perform digital signature and/or signature verification.
Optionally, the process of generating the digital signature using the ECDSA digital signature algorithm is as follows:
inputting: parameter set D (q, FR, S, a, b, P, n, h), private key D, message m.
B1, selecting a random number k belonging to [1, n-1 ];
b2, calculating kP ═ x 1 ,y 1 ) And x is 1 Converting into an integer z;
b3, calculating r-z mod n, and if r-0, returning to step B1;
b4, calculate e ═ h (m);
b5, calculating s ═ k -1 (e + dr) mod n, if s is 0, return to step B1;
b6, return the signature (r, s) of message m.
The signature verification process by using the ECDSA digital signature algorithm is as follows:
inputting: parameter set D (Q, FR, S, a, b, P, n, h), public key Q, message m, signature (r, S).
C1, checking r, s belongs to [1, n-1], if not, returning verification failure;
c2, calculate e ═ h (m);
c3, calculating w ═ s -1 mod n;
C4, calculating u 1 Ew mod n and u 2 =rw mod n;
C5、Calculating X ═ u 1 P+u 2 Q, if X ═ infinity, returning verification failure;
and C6, converting the X coordinate of X into an integer z, calculating v-z mod n, and if v-r, returning verification success, otherwise, returning verification failure.
Optionally, the process of generating the digital signature by using the SM2 digital signature algorithm is as follows:
d1, for message M, let M be ZA | | | M;
d2, calculating e ═ hv (m), and converting e into an integer;
d3, generating a random number k epsilon [1, n-1] by using a random number generator;
d4 calculating elliptic curve point (x) 1 ,y 1 ) kG, x 1 Converting into an integer;
d5, calculating r ═ e + x 1 ) mod n, if r is 0 or r + k is n, the procedure returns to step C3;
d6, calculate s ═ (1+ dA) -1 (k-r · dA) mod n, if s ═ 0, return to step C3;
d7, return the signature (r, s) of message M.
The signature verification process using the SM2 digital signature algorithm is as follows:
e1, checking r, s belongs to [1, n-1], if not, returning verification failure;
e2, for message M, let M be ZA | | | M;
e3, calculating E ═ hv (m), and converting E into an integer;
e4, converting r and s into integers, calculating t to be (r + s) mod n, and if t to be 0, returning verification failure;
e5, calculating an elliptic curve point (x) 1 ′,y 1 ′)=sG+tPA;
E6, mixing x 1 ' conversion to integer, calculation of R ═ e + x 1 ') mod n, checking whether R-R is true, if true, returning verification success, otherwise, returning verification failure.
In the embodiment of the invention, the elliptic curve digital signature algorithm (ECDSA and SM2) is adopted to carry out digital signature and signature verification, compared with the RSA digital signature algorithm and the DSA digital signature algorithm, the method has the advantages of small calculation amount, high processing speed, small storage space and high safety intensity, and the SM2 digital signature algorithm pre-processes the signature information and contains the self information of a signer, so that the reliability of signature verification is improved.
Referring to fig. 4, an embodiment of the present invention provides a digital certificate-based signature system, including:
the signature request module is used for acquiring the data to be signed and the first digital certificate application name and creating a signature request according to the data to be signed and the first digital certificate application name;
the private key acquisition module is used for determining a first digital certificate in a pre-established digital certificate library according to the application name of the first digital certificate and acquiring a first private key of the first digital certificate;
and the digital signature module is used for carrying out digital signature on the data to be signed according to the first private key.
As a further optional implementation manner, the signature system further includes a digital certificate library establishing module, which specifically includes:
the certificate request unit is used for generating a public and private key pair and a certificate request file at a preset key index position and sending the certificate request file to a certificate authority;
the digital certificate application name generating unit is used for acquiring a second digital certificate issued by a certificate issuing organization and generating a second digital certificate application name according to the second digital certificate;
the key value pair storage unit is used for generating a key value pair according to the second digital certificate and the application name of the second digital certificate and storing the key value pair into the digital certificate library;
and the Key of the Key-Value pair is the application name of the second digital certificate, and the Value of the Key-Value pair is the second digital certificate.
The contents in the above method embodiments are all applicable to the present system embodiment, the functions specifically implemented by the present system embodiment are the same as those in the above method embodiment, and the beneficial effects achieved by the present system embodiment are also the same as those achieved by the above method embodiment.
Referring to fig. 5, an embodiment of the present invention further provides a digital certificate-based signing apparatus, including:
at least one processor;
at least one memory for storing at least one program;
when executed by at least one processor, the at least one program causes the at least one processor to implement a digital certificate-based signing method as described above.
The contents in the above method embodiments are all applicable to the present apparatus embodiment, the functions specifically implemented by the present apparatus embodiment are the same as those in the above method embodiments, and the advantageous effects achieved by the present apparatus embodiment are also the same as those achieved by the above method embodiments.
Furthermore, an embodiment of the present invention further provides a computer-readable storage medium, in which a program executable by a processor is stored, where the program executable by the processor is configured to execute the above-mentioned signature method based on a digital certificate when executed by the processor.
It should be recognized that embodiments of the present invention can be realized and implemented by computer hardware, a combination of hardware and software, or by computer instructions stored in a non-transitory computer readable memory. The above-described methods may be implemented in a computer program using standard programming techniques, including a non-transitory computer-readable storage medium configured with the computer program, where the storage medium so configured causes a computer to operate in a specific and predefined manner, according to the methods and figures described in the detailed description. Each program may be implemented in a high level procedural or object oriented programming language to communicate with a computer system. However, the program(s) can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language. Furthermore, the program can be run on a programmed application specific integrated circuit for this purpose.
Further, the operations of processes described herein can be performed in any suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The processes described herein (or variations and/or combinations thereof) may be performed under the control of one or more computer systems configured with executable instructions, and may be implemented as code (e.g., executable instructions, one or more computer programs, or one or more applications) collectively executed on one or more processors, by hardware, or combinations thereof. The computer program includes a plurality of instructions executable by one or more processors.
Further, the above-described methods may be implemented in any type of computing platform operatively connected to a suitable connection, including but not limited to a personal computer, mini computer, mainframe, workstation, networked or distributed computing environment, separate or integrated computer platform, or in communication with a charged particle tool or other imaging device, and the like. Aspects of the invention may be implemented in machine-readable code stored on a non-transitory storage medium or device, whether removable or integrated onto a computing platform, such as a hard disk, optically read and/or write storage media, RAM, ROM, etc., so that it is readable by a programmable computer, which when read by the computer can be used to configure and operate the computer to perform the procedures described herein. Further, the machine-readable code, or portions thereof, may be transmitted over a wired or wireless network. The invention described herein includes these and other different types of non-transitory computer-readable storage media when such media include instructions or programs that implement the steps described above in conjunction with a microprocessor or other data processor. The invention also includes the computer itself when programmed according to the methods and techniques described herein.
A computer program can be applied to input data to perform the functions described herein to transform the input data to generate output data that is stored to non-volatile memory. The output information may also be applied to one or more output devices, such as a display. In a preferred embodiment of the invention, the transformed data represents physical and tangible objects, including particular visual depictions of physical and tangible objects produced on a display.
The present invention is not limited to the above embodiments, and any modifications, equivalent substitutions, improvements, etc. within the spirit and principle of the present invention should be included in the protection scope of the present invention as long as the technical effects of the present invention are achieved by the same means. The technical solution and/or the embodiments thereof may be variously modified and varied within the scope of the present invention.
Claims (7)
1. A signature method based on a digital certificate is characterized by comprising the following steps:
acquiring data to be signed and a first digital certificate application name, and creating a signature request according to the data to be signed and the first digital certificate application name;
determining a first digital certificate in a pre-established digital certificate library according to the application name of the first digital certificate, and acquiring a first private key of the first digital certificate;
carrying out digital signature on the data to be signed according to the first private key;
wherein the first digital certificate application name comprises an application identifier, an organization identifier and a certificate version number;
the signature method also comprises the step of establishing a digital certificate library, and the signature method specifically comprises the following steps:
generating a public and private key pair and a certificate request file at a preset key index position, and sending the certificate request file to a certificate authority;
acquiring a second digital certificate issued by a certificate authority, and generating a second digital certificate application name according to the second digital certificate;
generating a key value pair according to the second digital certificate and the second digital certificate application name, and storing the key value pair in a digital certificate library;
wherein, the Key of the Key-Value pair is the application name of the second digital certificate, and the Value of the Key-Value pair is the second digital certificate.
2. The digital certificate-based signing method according to claim 1, wherein the step of determining a first digital certificate in a pre-established digital certificate repository according to the application name of the first digital certificate and obtaining a first private key of the first digital certificate specifically comprises:
matching and inquiring the application name of the first digital certificate as a Key in the digital certificate library, and determining the corresponding Value as the first digital certificate;
analyzing the first digital certificate, verifying the validity of the first digital certificate and determining a first key index position of the first digital certificate;
and acquiring a first private key of the first digital certificate according to the first key index position.
3. The digital certificate-based signing method according to claim 1, wherein the step of digitally signing the data to be signed according to the first private key specifically comprises:
acquiring a first timestamp of a signature verification server;
and carrying out digital signature on the data to be signed according to the first private key and the first timestamp.
4. The digital certificate-based signing method according to claim 1, further comprising the steps of:
acquiring data to be checked and signed and a third digital certificate application name, and creating a checking and signing request according to the data to be checked and signed and the third digital certificate application name;
determining a third digital certificate in a pre-established digital certificate library according to the application name of the third digital certificate, and acquiring a third public key of the third digital certificate;
and performing signature verification on the data to be signed according to the third public key.
5. A digital certificate based signing system, comprising:
the signature request module is used for acquiring data to be signed and a first digital certificate application name and creating a signature request according to the data to be signed and the first digital certificate application name;
the private key acquisition module is used for determining a first digital certificate in a pre-established digital certificate library according to the application name of the first digital certificate and acquiring a first private key of the first digital certificate;
the digital signature module is used for carrying out digital signature on the data to be signed according to the first private key;
wherein the first digital certificate application name comprises an application identifier, an organization identifier and a certificate version number;
the signature system further comprises a digital certificate library establishing module, which specifically comprises:
the certificate request unit is used for generating a public and private key pair and a certificate request file at a preset key index position and sending the certificate request file to a certificate authority;
the digital certificate application name generating unit is used for acquiring a second digital certificate issued by a certificate authority and generating a second digital certificate application name according to the second digital certificate;
the key value pair storage unit is used for generating a key value pair according to the second digital certificate and the application name of the second digital certificate and storing the key value pair into a digital certificate library;
wherein, the Key of the Key-Value pair is the application name of the second digital certificate, and the Value of the Key-Value pair is the second digital certificate.
6. A digital certificate based signing apparatus, comprising:
at least one processor;
at least one memory for storing at least one program;
when executed by the at least one processor, cause the at least one processor to implement a digital certificate based signing method as claimed in any one of claims 1 to 4.
7. A computer-readable storage medium in which a processor-executable program is stored, the processor-executable program being configured to perform a digital certificate based signing method as claimed in any one of claims 1 to 4 when executed by a processor.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010918942.3A CN112202719B (en) | 2020-09-04 | 2020-09-04 | Signature method, system, device and storage medium based on digital certificate |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010918942.3A CN112202719B (en) | 2020-09-04 | 2020-09-04 | Signature method, system, device and storage medium based on digital certificate |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112202719A CN112202719A (en) | 2021-01-08 |
| CN112202719B true CN112202719B (en) | 2022-09-13 |
Family
ID=74006343
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010918942.3A Active CN112202719B (en) | 2020-09-04 | 2020-09-04 | Signature method, system, device and storage medium based on digital certificate |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112202719B (en) |
Families Citing this family (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113132115B (en) * | 2021-05-21 | 2023-03-14 | 中国建设银行股份有限公司 | Certificate switching method, device and system |
| CN113704742B (en) * | 2021-09-23 | 2024-04-26 | 北京国民安盾科技有限公司 | Method and system for preventing device verification from leaking user privacy |
| CN113873027B (en) * | 2021-09-24 | 2024-02-27 | 深信服科技股份有限公司 | Communication method and related device |
| CN115237943B (en) * | 2022-09-21 | 2022-12-09 | 南京易科腾信息技术有限公司 | Data retrieval method and device based on encrypted data and storage medium |
| CN116346396A (en) * | 2022-12-15 | 2023-06-27 | 北京航星永志科技有限公司 | Digital certificate distribution method, device, electronic equipment and storage medium |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10454690B1 (en) * | 2017-08-04 | 2019-10-22 | Amazon Technologies, Inc. | Digital certificates with distributed usage information |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP3905961B2 (en) * | 1997-11-11 | 2007-04-18 | インターナショナル・ビジネス・マシーンズ・コーポレーション | Temporary signature authentication method and system |
| US8898459B2 (en) * | 2011-08-31 | 2014-11-25 | At&T Intellectual Property I, L.P. | Policy configuration for mobile device applications |
| FR3048530B1 (en) * | 2016-03-01 | 2019-09-06 | Lex Persona | OPEN AND SECURE SYSTEM OF ELECTRONIC SIGNATURE AND ASSOCIATED METHOD |
| CN107645381B (en) * | 2016-07-21 | 2021-07-13 | 阿里巴巴集团控股有限公司 | Security verification implementation method and device |
| WO2018112482A1 (en) * | 2016-12-15 | 2018-06-21 | Alibaba Group Holding Limited | Method and system for distributing attestation key and certificate in trusted computing |
| WO2019072039A1 (en) * | 2017-10-09 | 2019-04-18 | 华为技术有限公司 | Service certificate management method, terminal, and server |
| US11057368B2 (en) * | 2018-07-19 | 2021-07-06 | Fortanix, Inc. | Issuing a certificate based on an identification of an application |
| CN111245620B (en) * | 2018-11-29 | 2023-10-27 | 北京中金国信科技有限公司 | Mobile security application architecture in terminal and construction method thereof |
-
2020
- 2020-09-04 CN CN202010918942.3A patent/CN112202719B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10454690B1 (en) * | 2017-08-04 | 2019-10-22 | Amazon Technologies, Inc. | Digital certificates with distributed usage information |
Non-Patent Citations (1)
| Title |
|---|
| 数字证书的研究与实现;徐勇等;《通信技术》;20090110(第01期);全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112202719A (en) | 2021-01-08 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112202719B (en) | Signature method, system, device and storage medium based on digital certificate | |
| CN110637441B (en) | Encryption key generation for data deduplication | |
| Omar et al. | Identity management in IoT networks using blockchain and smart contracts | |
| EP1622301B1 (en) | Methods and system for providing a public key fingerprint list in a PK system | |
| US7428749B2 (en) | Secure delegation using public key authorization | |
| US20200145234A1 (en) | Secure bootstrap for a blockchain network | |
| CN111490873B (en) | Certificate information processing method and system based on block chain | |
| US20020108041A1 (en) | Public key certificate issuing system, public key certificate issuing method, information processing apparatus, information recording medium, and program storage medium | |
| US6675296B1 (en) | Information certificate format converter apparatus and method | |
| US20120324229A1 (en) | System and method for generating keyless digital multi-signatures | |
| US8719574B2 (en) | Certificate generation using virtual attributes | |
| JP7090161B2 (en) | Device self-authentication for secure transactions | |
| WO2022090405A1 (en) | Certificate based security using post quantum cryptography | |
| WO2018190953A1 (en) | Representing unique device identifiers in hierarchical device certificates as fully qualified domain names (fqdn) | |
| US11757659B2 (en) | Post-quantum certificate binding | |
| US20220020020A1 (en) | Methods, systems, and devices for managing digital assets | |
| CN105187218A (en) | Digital record signature method for multicore infrastructure and verification method | |
| CN115345617A (en) | Method and device for generating non-homogeneous general evidence | |
| CN115664655A (en) | TEE credibility authentication method, device, equipment and medium | |
| CN112306970B (en) | Processing method, device, equipment and storage medium of container mirror warehouse | |
| JP7068826B2 (en) | Enhanced obfuscation or randomization for secure product identification and verification | |
| CN113728348A (en) | Computer-implemented system and method for implementing alias-based addressing for distributed ledgers | |
| CN109257381A (en) | A kind of key management method, system and electronic equipment | |
| CN113472783A (en) | Block chain cipher certificate service method, system, storage medium and device | |
| CN115913621A (en) | Database encryption method, terminal and system suitable for cloud environment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |