CN112994897A - Certificate query method, device, equipment and computer readable storage medium - Google Patents


Info

Publication number: CN112994897A
Application number: CN202110302657.3A
Authority: CN (China)
Language: Chinese (zh)
Prior art keywords: certificate, query, target client, ocsp, message
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Inventors: 王信大, 孙艳杰
Current and original assignee: Hangzhou DPTech Technologies Co Ltd (as listed by Google Patents)

Classifications

    • H04L9/3268: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication (authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials), involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC], or Public key infrastructure [PKI] arrangements, using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • G06F16/24553: Information retrieval; database structures therefor; file system structures therefor; structured data, e.g. relational data; querying; query processing; query execution of query operations
    • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates

Abstract

The application provides a certificate query method comprising the following steps: when the certificate information of a target client is obtained, an OCSP query message carrying that certificate information is generated; the OCSP query message is sent to at least one query server, so that each query server performs an OCSP query based on the received message and generates a response message carrying the certificate status of the target client; finally, the certificate status of the target client is determined from the response messages returned by one or more query servers. Because the certificate status of the client is queried in real time over OCSP rather than against a locally held revocation list, the query result is more accurate and the security risk is reduced. The application also provides a certificate query apparatus, a device and a computer-readable storage medium.

Description

Certificate query method, device, equipment and computer readable storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a certificate query method, apparatus, device, and computer readable storage medium.
Background
In applications with high security requirements (internet payment services, for example), the server needs to check the client's certificate to determine whether the client is legitimate; see the certificate checking diagram in fig. 1. The check may be performed by a reverse proxy server in front of the backend server.
Where a client certificate must be verified, the verification is today mainly implemented against a Certificate Revocation List (CRL). Fig. 2 shows a network architecture for implementing such certificate verification; it works as follows:
The reverse proxy server must hold in advance the CRL issued by each Certificate Authority (CA), or periodically download the updated CRL from the CA's site, as the basis for checking certificate status. When a client initiates a connection request, a Secure Sockets Layer (SSL)/Transport Layer Security (TLS) handshake is performed first; during the handshake the reverse proxy server sends a certificate request to the client, and the client answers with its client certificate. The reverse proxy server parses the certificate serial number out of the client certificate and looks it up in the CRL. If the serial number is found in the CRL, the client request is refused and the connection is terminated; if it is not found, verification passes and subsequent processing continues.
However, the CRLs the reverse proxy server has to hold can be very large, and they cannot be updated in real time, so the CRL data may be stale: a certificate revoked after the last download still passes the check.
Disclosure of Invention
In view of this, the present application provides a certificate querying method, apparatus, device and computer readable storage medium, which improve the accuracy of the certificate status querying result.
Specifically, the method is realized through the following technical scheme:
a certificate query method is applied to a network device, and comprises the following steps:
acquiring certificate information of a target client;
generating an Online Certificate Status Protocol (OCSP) query message carrying the certificate information;
sending the OCSP query message to at least one query server, wherein the query server is used for querying the certificate state of the target client based on the received OCSP query message and generating a response message carrying the certificate state;
and determining the certificate state of the target client according to a response message returned by at least one query server.
A certificate inquiry apparatus, the apparatus being applied to a network device, the apparatus comprising:
the certificate acquisition unit is used for acquiring the certificate information of the target client;
a message generating unit, configured to generate an online certificate status protocol OCSP query message carrying the certificate information;
a message sending unit, configured to send the OCSP query message to at least one query server, wherein the query server is used for querying the certificate state of the target client based on the received OCSP query message and generating a response message carrying the certificate state;
and the certificate determining unit is used for determining the certificate state of the target client according to the response message returned by the at least one query server.
An electronic device, comprising: a processor, a memory;
the memory for storing a computer program;
the processor is used for executing the certificate inquiry method by calling the computer program.
A computer-readable storage medium on which a computer program is stored, which program, when executed by a processor, implements the above-described certificate query method.
In the technical scheme provided by the application, when the certificate information of the target client is obtained, an OCSP query message carrying that certificate information is generated; the OCSP query message is then sent to at least one query server, so that each query server performs an OCSP query based on the received message and generates a response message carrying the certificate status of the target client; finally, the certificate status of the target client is determined from the response messages returned by one or more query servers. Because the certificate status of the client is queried in real time over OCSP, the query result is more accurate and the security risk is reduced.
Drawings
FIG. 1 is a schematic diagram of certificate verification shown in the present application;
fig. 2 is a schematic diagram of a network architecture for implementing certificate verification according to the present application;
fig. 3 is a schematic flowchart of a certificate query method according to the present application;
FIG. 4 is a schematic diagram of the network device shown in the present application;
fig. 5 is a schematic diagram illustrating a certificate query apparatus according to the present application;
fig. 6 is a schematic structural diagram of an electronic device shown in the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
Prior to describing the embodiments of the present application, technical terms related to the embodiments of the present application will be described first.
HTTPS: Hypertext Transfer Protocol over Secure Socket Layer. HTTPS is an HTTP channel that targets security: on top of HTTP it guarantees the security of the transmission through transport encryption and identity authentication. HTTPS adds an SSL/TLS layer beneath HTTP, so the security of HTTPS rests on SSL/TLS, which is what encrypts the transported content. HTTPS uses a different default port from HTTP (443 rather than 80) and inserts an encryption/authentication layer between HTTP and TCP. It provides authentication and encrypted communication, and is widely used for security-sensitive communication on the World Wide Web, such as payment transactions.
TLS: Transport Layer Security (TLS) provides confidentiality and data integrity between two communicating applications. The protocol consists of two layers: the TLS Record protocol and the TLS Handshake protocol. Sitting between the application layer and the transport layer, it can secure any application-layer protocol that runs over a reliable transport such as TCP.
SSL: Secure Sockets Layer (SSL), the predecessor of TLS, a security protocol that provides confidentiality and data integrity for network communications.
Reverse proxy: a reverse proxy server sits between the user and the target server, but to the user it is equivalent to the target server: the user obtains the target server's resources by accessing the reverse proxy directly, without knowing the target server's address and without any client-side configuration. Reverse proxies are commonly used for Web acceleration, acting as a front end to the Web server to reduce network and server load and improve access efficiency.
CRL: a Certificate Revocation List (CRL) is one of the two common methods of checking the revocation status of certificates in a public key infrastructure; the other is OCSP.
OCSP: the Online Certificate Status Protocol (OCSP) is an internet protocol for obtaining the revocation status of an X.509 digital certificate, defined in RFC 6960. It was created as an alternative to the Certificate Revocation List (CRL) and solves a number of the problems of using CRLs in a Public Key Infrastructure (PKI). Protocol messages are ASN.1 (DER) encoded and are usually carried over HTTP; the message types are "request" and "response", so an OCSP server is called an "OCSP responder".
The embodiment of the application provides a certificate query method, specifically an OCSP (Online Certificate Status Protocol) query method for client certificates.
Fig. 3 is a schematic flowchart of a certificate querying method according to an embodiment of the present application, where the method is applied to a network device, that is, an execution subject of the method is the network device, and the network device communicates with a client and at least one querying server to implement accurate querying of a certificate status of the client. It should be noted that the embodiment of the present application does not limit the device type of the network device, for example, the network device may be a reverse proxy server shown in fig. 2 or other types of devices.
As shown in fig. 3, the certificate query method provided in the embodiment of the present application may include the following steps S301 to S304:
s301: and acquiring the certificate information of the target client.
In this embodiment, when the Transmission Control Protocol (TCP) connection between the client and the network device (for example the reverse proxy server shown in fig. 2) is completed, a client session is established. If the service the client accesses is a Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) service, the SSL/TLS handshake phase is entered. In this phase the network device waits to receive the certificate sent by the client: the client sends a certificate packet carrying its certificate information to the network device, and that certificate information may include the certificate serial number, the certificate issuer and similar fields. When the network device receives the client's certificate packet, it parses the client's certificate information out of it.
Besides the client's certificate information, the certificate packet sent by the client may also carry one or more Uniform Resource Identifiers (URIs), each of which is the URI of a query server for OCSP queries (in an X.509 certificate this is the OCSP access location of the Authority Information Access extension). In addition, the five-tuple of the TCP connection (source IP, destination IP, protocol, source port and destination port of the certificate packet) can be parsed. The use of the URI information and the five-tuple information is described in the following steps.
In one implementation of this embodiment, "acquiring certificate information of a target client" in S301 may include: if the local OCSP request queue holds query requests, take each query request out of the queue in turn, treat the one currently taken out as the target query request (it carries the certificate information of the target client), and obtain the certificate information of the target client from that request.
In this implementation, as described above, for each client the network device parses the client's certificate information from the certificate packet the client sent, so a query request carrying that certificate information can be generated; the query request may additionally carry the parsed URI information and/or five-tuple information. The query request belonging to the client is then added to the local OCSP request queue, so the queue continuously receives query requests.
While the network device runs, it polls the OCSP request queue. When one or more query requests are present, they are taken out one at a time; to distinguish it from other clients, the client to which the currently dequeued request belongs is called the target client, and since the request carries the target client's certificate information, that information is obtained from the request.
Further, the embodiment may also include: after the query request of the target client has been placed in the local OCSP request queue, treating the connection request between the target client and the network device as verified, and setting the session flag of the target client to a blocking flag; the blocking flag blocks the connection between the network device and the backend server the target client wants to access.
Specifically, after the information parsed from the target client's certificate packet has been added to the local OCSP request queue, and considering that most normal service connections present a valid certificate, the target client's certificate is provisionally allowed to pass verification and the rest of the SSL/TLS handshake is completed. The SSL/TLS handshake thus runs in parallel with the subsequent OCSP query, and this asynchronous mode avoids the time that would otherwise be spent waiting for the OCSP query. At the same time a session flag corresponding to the target client's request is set to a blocking flag such as "OCSP-PEND", which prevents the network device from establishing a connection to the backend server the target client wants to access; the purpose of the blocking flag is described in a later step. The backend server the target client wants to access is known from the parsed five-tuple (its destination IP and destination port).
Referring to fig. 4, a schematic diagram of a network device may include a configuration management module, a connection management module, and an OCSP query processing module. The functions of the client side such as connection processing, message analysis, adding message analysis information into a local OCSP request queue, setting of a blocking mark and the like can be realized by a connection management module; the function of obtaining the certificate information from the local OCSP request queue may be implemented by the OCSP query processing module.
S302: and generating an OCSP inquiry message carrying the certificate information.
In this embodiment of the present application, after the certificate information of the target client is obtained through S301, an OCSP query message carrying the certificate information needs to be generated, so as to query the certificate status of the target client by using the OCSP query message. Specifically, when the OCSP query packet is generated, the certificate information of the target client may be filled in the OCSP query packet, and the certificate information may include information such as a certificate serial number and a certificate issuer.
Wherein, S302 can be implemented by the OCSP query processing module shown in fig. 4.
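As an added example (not code from the patent or from the assignee's product), the following Python builds the OCSP query message of S302 as a DER-encoded OCSPRequest per RFC 6960 section 4.1.1, from exactly the fields the text names (certificate serial number and issuer information), adds the nonce extension of RFC 8954 so that a replayed stale response can be detected, and frames it as the HTTP POST of RFC 6960 appendix A. It uses only the standard library; the issuer name, key bits, serial number and responder URL are constructed sample values, and the hand-rolled DER helpers are this example's own, not the device's.

```python
"""Build the OCSP query message of step S302 as a DER-encoded OCSPRequest
(RFC 6960 section 4.1.1) and frame it as an HTTP POST (RFC 6960 appendix A).
Added example with hand-rolled DER helpers; not the patent's code."""
import hashlib
import os
from urllib.parse import urlsplit

OID_SHA1 = "1.3.14.3.2.26"                # hashAlgorithm for CertID
OID_OCSP_NONCE = "1.3.6.1.5.5.7.48.1.2"   # id-pkix-ocsp-nonce (RFC 8954)
OID_COMMON_NAME = "2.5.4.3"


def _der_len(n):
    """Definite-form DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    """One TLV: single-byte tag, DER length, contents."""
    return bytes([tag]) + _der_len(len(body)) + body


def der_integer(value):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der(0x06, bytes(out))


def _der_header(blob):
    """(tag, header length, total length) of the element starting at blob[0]."""
    first = blob[1]
    if first < 0x80:
        return blob[0], 2, 2 + first
    n = first & 0x7F
    return blob[0], 2 + n, 2 + n + int.from_bytes(blob[2:2 + n], "big")


def der_children(blob):
    """Split a constructed element into its immediate child elements."""
    _, hdr, total = _der_header(blob)
    body, pos, out = blob[hdr:total], 0, []
    while pos < len(body):
        _, _, t = _der_header(body[pos:])
        out.append(body[pos:pos + t])
        pos += t
    return out


def cert_id(issuer_name_der, issuer_key_bits, serial):
    """CertID: SHA-1 of the issuer's DER Name, SHA-1 of the issuer's
    subjectPublicKey BIT STRING contents, and the client cert's serial."""
    alg = der(0x30, der_oid(OID_SHA1) + der(0x05, b""))
    return der(0x30, alg
               + der(0x04, hashlib.sha1(issuer_name_der).digest())
               + der(0x04, hashlib.sha1(issuer_key_bits).digest())
               + der_integer(serial))


def ocsp_request(issuer_name_der, issuer_key_bits, serial, nonce=None):
    """OCSPRequest { tbsRequest { requestList, requestExtensions [2] } }.
    The nonce lets the device reject a replayed (stale) response; it is
    returned so the caller can compare it with the nonce in the response."""
    nonce = nonce or os.urandom(16)
    request_list = der(0x30, der(0x30, cert_id(issuer_name_der, issuer_key_bits, serial)))
    nonce_ext = der(0x30, der_oid(OID_OCSP_NONCE) + der(0x04, der(0x04, nonce)))
    extensions = der(0xA2, der(0x30, nonce_ext))      # [2] EXPLICIT Extensions
    return der(0x30, der(0x30, request_list + extensions)), nonce


def http_post(uri, der_request):
    """The HTTP framing an OCSP responder expects for a POSTed request."""
    u = urlsplit(uri)
    head = ("POST %s HTTP/1.1\r\nHost: %s\r\nContent-Type: application/ocsp-request\r\n"
            "Content-Length: %d\r\n\r\n" % (u.path or "/", u.netloc, len(der_request)))
    return head.encode("ascii") + der_request


# Constructed sample inputs (stand-ins for the fields parsed from the client
# certificate and its issuer): a Name of just CN=Example CA, 32 placeholder
# key bytes, and serial number 0x1234.
ISSUER_NAME = der(0x30, der(0x31, der(0x30, der_oid(OID_COMMON_NAME) + der(0x0C, b"Example CA"))))
ISSUER_KEY_BITS = bytes(range(32))
SERIAL = 0x1234

if __name__ == "__main__":
    req, nonce = ocsp_request(ISSUER_NAME, ISSUER_KEY_BITS, SERIAL)
    print(http_post("http://ocsp.example.com/", req)[:80])
```

In a real deployment the issuer Name and public key come from the issuer certificate that the device already trusts, not from the client's packet, so that a client cannot steer the lookup to a CertID of its own choosing.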
S303: and sending the OCSP query message to at least one query server, wherein the query server is used for querying the certificate state of the target client based on the received OCSP query message and generating a response message carrying the certificate state.
In this embodiment of the present application, one or more URIs may be manually configured in advance to serve as query servers for OCSP query, where each URI corresponds to one query server, and the URI configuration function may be implemented by the configuration management module shown in fig. 4; in addition, as can be seen from the related description in S301, the URI of the query server may also be parsed from the certificate packet of the target client. Based on this, one or more URIs can be selected from the manually configured URIs and the parsed URIs, and an OCSP query message is sent to the URIs to perform an OCSP query, so as to implement one-way or multi-way query on the certificate status of the target client.
In an implementation manner of the embodiment of the present application, the sending the OCSP query packet to at least one query server in S303 may include: according to the pre-configured URI priority, the URI of at least one query server used for OCSP query is determined; and transmitting an OCSP inquiry message to each determined URI.
In this implementation, when there are one or more manually configured URIs and/or there are one or more parsed URIs, one or more URIs are selected from the URIs according to a preconfigured URI priority (the priority configuration function may be implemented by the configuration management module shown in fig. 4), and an OCSP query message is sent to each selected URI. The manually configured URI may be obtained from the configuration management module shown in fig. 4, and the parsed URI may be obtained from the local OCSP request queue.
With respect to the configuration result of the URI priority, one of the following three configuration results may be selected:
configuration 1: the URI analyzed from the certificate message of the target client is used as a first priority; taking the pre-configured URI as a second priority; the URI obtained in other ways is taken as other priority.
Configuration 2: taking a pre-configured URI as a first priority; the URI analyzed from the certificate message of the target client is used as a second priority; the URI obtained in other ways is taken as other priority.
Configuration 3: the URI analyzed from the certificate message of the target client and the pre-configured URI are both used as first priority; the URI obtained in other ways is taken as other priority.
The certificate packet of the target client is a packet that is sent by the target client to the network device and carries certificate information (see related description of S301).
When the configuration result of the URI priority comprises a plurality of priorities, the URI with the first priority can be selected; or, two or more levels of URIs are selected; or sorting all the URIs according to the priority, and selecting n (n is more than or equal to 1) URIs sorted at the top. Then, an OCSP query message is sent to each selected URI.
Further, in this embodiment of the present application, in addition to filling the certificate information of the target client in the OCSP query message when constructing the OCSP query message, each selected URI (for example, the URI selected according to the URI priority) may be filled in the OCSP query message, and when M (M is greater than or equal to 1) URIs are selected, M OCSP query messages may be constructed and different OCSP query messages correspond to different URIs, so that each OCSP query message may be sent to the corresponding URI.
Regarding "sending an OCSP query packet to each determined URI" in S303, one implementation is: send the OCSP query packet to each determined URI over each of several different public network links.
Specifically, the network device may be connected in advance to several public network links, for example interface 1 to the China Telecom network, interface 2 to the China Unicom network and interface 3 to the China Mobile network, with the interface configuration between the network device and each public network recorded in advance in the device's interface list (this configuration function may be implemented by the configuration management module shown in fig. 4). Assuming the preconfigured interface list holds N (N ≥ 1) interfaces, then for each of the M selected URIs N network sockets are created, each bound to a different interface, giving M × N sockets in total, that is M sockets per interface. For each interface the M sockets are traversed and M OCSP query packets are sent from that interface onto its public network link. Sending the query packets over the different public networks may be implemented by the OCSP query processing module shown in fig. 4.
S304: and determining the certificate state of the target client according to the response message returned by the at least one query server.
In this embodiment the query packet may be sent to one or more URIs, so that one or more query servers perform the OCSP query on the target client's certificate status, and each query server returns the status it found to the network device as a response packet. If one response packet is returned, the certificate status it carries is taken as the certificate status of the target client; if two or more are returned, one of them is selected and its certificate status is taken as the certificate status of the target client.
In an implementation manner of the embodiment of the present application, the "determining the certificate status of the target client according to the response packet returned by the at least one query server" in S304 may include: and in the preset query timeout time, if a response message returned by at least one query server is received, taking the certificate state carried by the first returned response message as the certificate state of the target client.
In this implementation a query timeout T may be configured in advance (the configuration function may be implemented by the configuration management module shown in fig. 4). As described above, with N interfaces and M OCSP query packets, each interface sends M packets and M × N packets are sent in total. The device waits for the response to each OCSP query packet within the query timeout T and ignores responses that arrive after T. If G (G ≤ M × N) response packets are received, the certificate status carried by the first one returned is taken as the status of the target client's certificate; if no response packet is received within T, the query is considered to have failed. In either case all sockets are then closed.
Sending the OCSP query packets over several public network links at the same time compensates for the differing access latency caused by the network quality of different operators, and taking the first returned response as the query result shortens the OCSP response time; likewise, sending the packet to several URIs at the same time and taking the first response shortens it. Combining multiple public links with multiple URIs reduces the OCSP response time further.
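As an added example (again not the patent's own code), the following Python implements the fan-out of S303 and the first-response rule of S304: URI selection by the three priority configurations, one request per (URI, public link) pair with the socket bound to that link's source address (http.client's source_address parameter), and a query timeout T after which any outstanding sockets are abandoned. The network transmission is isolated in query_via_link so the selection and first-response logic can be exercised offline with the stand-in sender at the bottom; the URIs, link addresses and latencies in the demo are constructed.

```python
"""Fan-out of the OCSP query over several responders and several public
links with first-response-wins (added example, not the patent's code)."""
import concurrent.futures as cf
import http.client
import time
from urllib.parse import urlsplit


def select_uris(parsed, configured, mode="parsed-first", top_n=None):
    """Order candidate responder URIs by the preconfigured priority.

    mode 'parsed-first'     = configuration 1 (URIs from the client certificate first)
    mode 'configured-first' = configuration 2 (manually configured URIs first)
    mode 'equal'            = configuration 3 (both at first priority, in given order)
    top_n keeps the n highest-ranked URIs; None keeps them all.
    """
    parsed, configured = list(parsed), list(configured)
    if mode == "parsed-first":
        ordered = parsed + [u for u in configured if u not in parsed]
    elif mode == "configured-first":
        ordered = configured + [u for u in parsed if u not in configured]
    elif mode == "equal":
        ordered = list(dict.fromkeys(parsed + configured))
    else:
        raise ValueError("unknown priority mode %r" % (mode,))
    return ordered[:top_n] if top_n else ordered


def query_via_link(uri, body, source_ip, timeout):
    """POST one DER OCSP request to `uri` from the interface that owns
    `source_ip` (the socket is bound to it through source_address).
    Returns the raw DER response; raises on transport or HTTP failure."""
    u = urlsplit(uri)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout,
                                      source_address=(source_ip, 0))
    try:
        conn.request("POST", u.path or "/", body,
                     {"Content-Type": "application/ocsp-request"})
        resp = conn.getresponse()
        if resp.status != 200 or resp.getheader("Content-Type") != "application/ocsp-response":
            raise OSError("unexpected reply %d from %s" % (resp.status, uri))
        return resp.read()
    finally:
        conn.close()


def fan_out(uris, link_ips, body, timeout, sender=query_via_link):
    """Send the request to every (URI, link) pair in parallel: M x N sockets.
    Returns (response, uri, link_ip) for the first successful reply within
    `timeout` seconds, or None when every attempt failed or the timeout T
    expired (the patent's 'query failed' case). Late replies are discarded."""
    pairs = [(u, ip) for u in uris for ip in link_ips]
    if not pairs:
        return None
    with cf.ThreadPoolExecutor(max_workers=len(pairs)) as pool:
        futures = {pool.submit(sender, u, body, ip, timeout): (u, ip) for u, ip in pairs}
        try:
            for fut in cf.as_completed(futures, timeout=timeout):
                try:
                    return (fut.result(),) + futures[fut]
                except Exception:
                    continue        # that responder/link failed; wait for the rest
        except cf.TimeoutError:
            pass
        for fut in futures:         # abandon whatever is still outstanding
            fut.cancel()
        return None


def fake_sender(latency):
    """Constructed stand-in for query_via_link used offline: each (uri, link)
    answers after a fixed delay, or raises if its entry is None."""
    def send(uri, body, source_ip, timeout):
        delay = latency[(uri, source_ip)]
        if delay is None:
            raise OSError("unreachable")
        time.sleep(delay)
        return b"response-from:" + uri.encode() + b"@" + source_ip.encode()
    return send


if __name__ == "__main__":
    # Constructed demo: one URI parsed from the certificate, one configured,
    # two public links; the second link to the parsed URI answers fastest.
    uris = select_uris(["http://ocsp.parsed.example/"], ["http://ocsp.cfg.example/"])
    links = ["198.51.100.10", "203.0.113.10"]
    latency = {("http://ocsp.parsed.example/", "198.51.100.10"): 0.30,
               ("http://ocsp.parsed.example/", "203.0.113.10"): 0.05,
               ("http://ocsp.cfg.example/", "198.51.100.10"): None,
               ("http://ocsp.cfg.example/", "203.0.113.10"): 0.20}
    print(fan_out(uris, links, b"<der request>", timeout=1.0, sender=fake_sender(latency)))
```

Taking the first reply is only safe once that reply has been verified (responder signature, nonce match, validity window); an attacker on the fastest link otherwise wins the race with a forged "good".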
In the embodiment of the present application, the certificate status of the target client may be normal, revoked, or unknown.
Further, the embodiment of the present application may also include: if the certificate status of the target client is unknown, or the certificate status query fails, setting the certificate status of the target client to normal or revoked according to a preset state configuration.
Specifically, the status to be assigned in the cases "query failed" and "certificate status unknown" may be configured in advance as either normal or revoked; this configuration function may be implemented by the configuration management module shown in fig. 4. On this basis, when the certificate status of the target client is determined to be unknown through S304, or when the certificate status query fails, the certificate status of the target client is set to normal or revoked as configured; this status-setting function may be implemented by the OCSP query processing module shown in fig. 4. Treating an unknown or failed query as normal favours availability (soft fail), while treating it as revoked blocks every client whose status cannot be confirmed (hard fail).
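The fan-out, timeout and fallback logic of the preceding paragraphs, together with the URI priority modes listed later for the certificate query unit, as an added example in Python; it is not the patent's code. Responders, public network links and URIs are simulated in-process (the link names, URIs, latencies and nonce are constructed), so it runs offline. One check is added that the description leaves implicit: the "first returned" response is trusted only if it validates (here the RFC 6960 nonce echo; a deployment also verifies the responder signature and the validity window), since otherwise the fastest path, not a verified responder, decides the status.

```python
"""Added example, not the patent's code: the M x N fan-out OCSP query with a
query timeout T, first-valid-response-wins, and the pre-set fallback for
'unknown' and 'query failed'.  Links, URIs and responders are simulated."""
import concurrent.futures as cf
import itertools
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

NORMAL, REVOKED, UNKNOWN = "normal", "revoked", "unknown"  # statuses named in the text
QUERY_FAILED = "query_failed"                              # nothing valid arrived within T

@dataclass(frozen=True)
class OcspRequest:
    serial: int     # serial number of the target client certificate
    nonce: bytes    # RFC 6960 nonce; an honest responder echoes it back

@dataclass(frozen=True)
class OcspResponse:
    status: str
    nonce: Optional[bytes]

# Simulated responder for one (link, URI) pair: (latency in seconds, handler).
Responder = Tuple[float, Callable[[OcspRequest], OcspResponse]]

def select_uris(aia_uris: Sequence[str], configured_uris: Sequence[str], mode: str) -> List[str]:
    """URI priority: 'aia' = URIs parsed from the client's certificate message
    first, 'configured' = pre-configured URIs first, 'both' = all at the same
    priority.  Assumption: the lower priority is used only if the first is empty."""
    if mode == "aia":
        return list(aia_uris) or list(configured_uris)
    if mode == "configured":
        return list(configured_uris) or list(aia_uris)
    if mode == "both":
        return list(dict.fromkeys([*aia_uris, *configured_uris]))  # dedupe, keep order
    raise ValueError(f"unknown URI priority mode {mode!r}")

def is_valid(req: OcspRequest, resp: OcspResponse) -> bool:
    """Check made before trusting the *first* response: nonce echo and a known
    status here; a real device also verifies the responder signature and the
    thisUpdate/nextUpdate window (RFC 6960)."""
    return resp.nonce == req.nonce and resp.status in (NORMAL, REVOKED, UNKNOWN)

def query_fanout(req: OcspRequest, links: Sequence[str], uris: Sequence[str],
                 responders: Dict[Tuple[str, str], Responder], timeout: float) -> str:
    """One socket per (link, URI) pair, N x M in total; wait at most `timeout`
    seconds and return the status of the first response that validates, or
    QUERY_FAILED when T expires first."""
    def one_query(link: str, uri: str) -> OcspResponse:
        latency, handler = responders[(link, uri)]
        time.sleep(latency)                 # stands in for that link's round trip
        return handler(req)
    pairs = list(itertools.product(links, uris))
    # Leaving the 'with' block shuts the pool down (closes every socket),
    # whether a result was taken or T expired.
    with cf.ThreadPoolExecutor(max_workers=len(pairs)) as pool:
        futures = [pool.submit(one_query, link, uri) for link, uri in pairs]
        try:
            for fut in cf.as_completed(futures, timeout=timeout):
                resp = fut.result()
                if is_valid(req, resp):
                    return resp.status      # first *valid* answer wins
        except cf.TimeoutError:
            pass                            # T expired: query failed
    return QUERY_FAILED

def apply_fallback(status: str, on_unknown: str, on_failure: str) -> str:
    """Pre-set state configuration: 'unknown' and 'query failed' each map to
    NORMAL (soft fail) or REVOKED (hard fail)."""
    if on_unknown not in (NORMAL, REVOKED) or on_failure not in (NORMAL, REVOKED):
        raise ValueError("fallback states must be 'normal' or 'revoked'")
    if status == UNKNOWN:
        return on_unknown
    if status == QUERY_FAILED:
        return on_failure
    return status

def demo() -> Dict[str, str]:
    """Constructed scenario, two links x two URIs: isp-b/aia answers fastest but
    without the nonce (must lose); isp-b/configured answers 'revoked' next; the
    isp-a responders are honest but slow."""
    req = OcspRequest(serial=0x1234, nonce=secrets.token_bytes(16))
    uris = select_uris(["http://ocsp.ca.example"], ["http://ocsp.local.example"], "both")
    honest = lambda status: (lambda r: OcspResponse(status, r.nonce))
    responders = {
        ("isp-a", uris[0]): (0.30, honest(NORMAL)),
        ("isp-b", uris[0]): (0.01, lambda r: OcspResponse(NORMAL, b"stale-nonce")),
        ("isp-a", uris[1]): (0.35, honest(NORMAL)),
        ("isp-b", uris[1]): (0.10, honest(REVOKED)),
    }
    links = ["isp-a", "isp-b"]
    first_valid = query_fanout(req, links, uris, responders, timeout=2.0)
    timed_out = query_fanout(req, links, uris, responders, timeout=0.04)
    return {
        "first_valid": first_valid,                               # 'revoked'
        "timed_out": timed_out,                                   # 'query_failed'
        "hard_fail": apply_fallback(timed_out, NORMAL, REVOKED),  # 'revoked'
        "soft_fail": apply_fallback(timed_out, REVOKED, NORMAL),  # 'normal'
    }
```

`demo()` returns "revoked" for the first valid answer even though a bogus "normal" arrived earlier, and "query_failed" when T is shorter than every honest responder's latency; the two `apply_fallback` calls show the hard-fail and soft-fail configurations applied to that failure.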
Further, the embodiment of the present application may also include: detecting the session flag of the target client; if the session flag of the target client is the blocking flag, not sending a connection request to the back-end server to be accessed by the target client; if the session flag indicates that the certificate status of the target client is normal, sending a connection request to the back-end server accessed by the target client; and if the session flag indicates that the certificate status of the target client is revoked, disconnecting the network device from the target client.
Specifically, the corresponding session may be found in the session table according to the session five-tuple of the target client, and the certificate status of the target client (normal or revoked) is recorded in that session: if the certificate status of the target client is normal, the session flag of the target client is set to OCSP-OK; if it is revoked, the session flag is set to OCSP-REVORK. This setting function may be implemented by the OCSP query processing module shown in fig. 4. Thus each client's certificate status has a corresponding session flag.
When the network device starts the retransmission timer, the session flag of each client is checked at a preset interval (for example, every 100 milliseconds). For the target client: if the session flag is the blocking flag OCSP-PEND, the network device does not send a TCP connection request to the back-end server accessed by the target client; if the session flag is OCSP-REVORK, the network device sends a TCP RST message to the target client to tear down the connection; if the session flag is OCSP-OK, the network device sends a TCP connection request to the back-end server accessed by the target client, so that the connection between the network device and the back-end server is established normally. At that point both connections, target client to network device and network device to back-end server, are established and the target client and the back-end server can communicate. This function may be implemented by the connection management module shown in fig. 4.
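The session table, session flags and timer-driven connection handling of the preceding two paragraphs, as an added example in Python; it is not the patent's code. The five-tuples, back-end address and action strings are constructed, and it assumes a session is dropped from the table once the RST has been sent, which the description does not state.

```python
"""Added example, not the patent's code: the session table and session flags
(OCSP-PEND / OCSP-OK / OCSP-REVORK) checked by the retransmission timer.
Sending packets is modelled by returning the action the device would take."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

OCSP_PEND, OCSP_OK, OCSP_REVORK = "OCSP-PEND", "OCSP-OK", "OCSP-REVORK"  # as named in the text

FiveTuple = Tuple[str, int, str, int, str]   # src ip, src port, dst ip, dst port, proto

@dataclass
class Session:
    five_tuple: FiveTuple
    backend: Tuple[str, int]         # back-end server the client wants to reach
    flag: str = OCSP_PEND            # blocking flag until the OCSP result is known
    backend_connected: bool = False  # whether the device already opened the back-end side

class ConnectionManager:
    def __init__(self) -> None:
        self.table: Dict[FiveTuple, Session] = {}

    def admit(self, ft: FiveTuple, backend: Tuple[str, int]) -> None:
        """Client-side connection check passed: record the session with the
        blocking flag.  The OCSP query request is queued separately, so this
        call never waits on a responder."""
        self.table[ft] = Session(ft, backend)

    def set_status(self, ft: FiveTuple, status: str) -> None:
        """OCSP query processing module: translate the resolved certificate
        status into the session flag.  Only 'normal' or 'revoked' arrive here;
        'unknown' / 'query failed' were already mapped by the fallback setting."""
        sess = self.table[ft]
        if status == "normal":
            sess.flag = OCSP_OK
        elif status == "revoked":
            sess.flag = OCSP_REVORK
        else:
            raise ValueError(f"unresolved certificate status {status!r}")

    def tick(self) -> List[Tuple[FiveTuple, str]]:
        """One firing of the retransmission timer (every ~100 ms in the
        description).  Returns (five-tuple, action) per session."""
        actions: List[Tuple[FiveTuple, str]] = []
        for ft, sess in list(self.table.items()):
            if sess.flag == OCSP_PEND:
                actions.append((ft, "hold"))                 # no SYN to the back end yet
            elif sess.flag == OCSP_REVORK:
                actions.append((ft, "rst-to-client"))        # TCP RST tears the client side down
                del self.table[ft]                           # assumption: session dropped after RST
            elif not sess.backend_connected:
                host, port = sess.backend
                actions.append((ft, f"syn-to-backend {host}:{port}"))
                sess.backend_connected = True
            else:
                actions.append((ft, "established"))          # both sides up, traffic relayed
        return actions

def demo() -> List[Dict[FiveTuple, str]]:
    """Constructed scenario: two clients hit the same back end; one is found
    normal and the other revoked between the first and second timer ticks."""
    cm = ConnectionManager()
    alice: FiveTuple = ("203.0.113.10", 51000, "198.51.100.5", 443, "tcp")
    bob: FiveTuple = ("203.0.113.11", 51001, "198.51.100.5", 443, "tcp")
    cm.admit(alice, ("10.0.0.5", 8443))
    cm.admit(bob, ("10.0.0.5", 8443))
    tick1 = dict(cm.tick())                   # both still blocked
    cm.set_status(alice, "normal")
    cm.set_status(bob, "revoked")
    tick2 = dict(cm.tick())                   # alice: SYN to back end; bob: RST
    tick3 = dict(cm.tick())                   # alice established; bob gone
    return [tick1, tick2, tick3]
```

Because `admit` returns as soon as the client-side check passes and the back-end SYN is only sent from `tick`, connection acceptance never blocks on the responder, which is the decoupling the description credits for the concurrency gain.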
In the certificate query method provided in the embodiment of the present application, when the certificate information of the target client is obtained, an OCSP query message carrying the certificate information is generated; the OCSP query message is then sent to at least one query server, so that the query server performs the OCSP query based on the received message and generates a response message carrying the certificate status of the target client; finally, the certificate status of the target client is determined from the response messages returned by one or more query servers. Because the embodiment uses OCSP, the certificate status of the client is queried in real time, the query result is more accurate, and the security risk is reduced.
Moreover, compared with the prior art, the network device of the embodiment does not incur the storage and CPU overhead of periodically downloading and storing a CRL, which reduces resource consumption. The embodiment can also use a multi-path query mode over multiple public network links and/or multiple URIs, which effectively reduces the OCSP query response time. In addition, since every connection request requires an online OCSP query, the embodiment executes OCSP querying and connection-request management separately: connection requests do not wait on the query and can be received continuously, which increases concurrency and reduces the concurrency penalty of real-time OCSP querying.
Referring to fig. 5, a schematic composition diagram of a certificate querying apparatus provided in an embodiment of the present application, where the apparatus is applied to a network device, and the apparatus may include:
a certificate acquisition unit 510, configured to acquire certificate information of a target client;
a message generating unit 520, configured to generate an online certificate status protocol OCSP query message carrying the certificate information;
a certificate query unit 530, configured to send the OCSP query message to at least one query server, where the query server is configured to query the certificate status of the target client based on the received OCSP query message and to generate a response message carrying the certificate status;
the certificate determining unit 540 is configured to determine a certificate status of the target client according to a response packet returned by at least one query server.
In an implementation manner of the embodiment of the present application, the certificate obtaining unit 510 is specifically configured to:
if the local OCSP request queue contains query requests, take each query request out of the local OCSP request queue in turn and treat the currently taken-out query request as the target query request, where the target query request carries the certificate information of the target client;
and acquiring the certificate information of the target client from the target query request.
In an implementation manner of the embodiment of the present application, the certificate querying unit 530 is specifically configured to:
determine, according to a pre-configured uniform resource identifier (URI) priority, the URI of at least one query server to be used for the OCSP query;
and sending the OCSP query message to each determined URI.
In an implementation manner of the embodiment of the present application, the configuring result of the URI priority includes:
the URI parsed from a certificate message is taken as the first priority, where the certificate message is a message sent by the target client to the network device and carrying the certificate information;
or, the pre-configured URI is taken as the first priority;
or, both the URI parsed from the certificate message and the pre-configured URI are taken as the first priority.
In an implementation manner of this embodiment, when sending the OCSP query message to each determined URI, the certificate query unit 530 is specifically configured to:
send the OCSP query message to each determined URI over each of a plurality of different public network links.
In an implementation manner of the embodiment of the present application, the certificate determining unit 540 is specifically configured to:
within the preset query timeout, if a response message returned by at least one query server is received, take the certificate status carried by the first returned response message as the certificate status of the target client.
In an implementation manner of the embodiment of the present application, the certificate status of the target client is normal, revoked, or unknown; the device further comprises:
a state setting unit, configured to set the certificate status of the target client to normal or revoked according to a preset state configuration if the certificate status of the target client is unknown or no response message is received from any query server.
In an implementation manner of the embodiment of the present application, the apparatus further includes:
a check passing unit, configured to set the session flag of the target client to the blocking flag when the connection request between the target client and the network device passes the check; the blocking flag is used to block the connection between the network device and the back-end server to be accessed by the target client.
In an implementation manner of the embodiment of the present application, the apparatus further includes a connection request unit, configured to:
detecting a session mark of the target client;
if the session flag of the target client is the blocking flag, not sending a connection request to the back-end server to be accessed by the target client;
if the session flag of the target client indicates that the certificate status of the target client is normal, sending a connection request to the back-end server accessed by the target client;
and if the session flag of the target client indicates that the certificate status of the target client is revoked, disconnecting the network device from the target client.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
An embodiment of the present application further provides an electronic device, whose schematic structural diagram is shown in fig. 6. The electronic device 6000 includes at least one processor 6001, a memory 6002 and a bus 6003, and the at least one processor 6001 is electrically connected to the memory 6002; the memory 6002 is configured to store at least one computer-executable instruction, and the processor 6001 is configured to execute it in order to perform the steps of any of the certificate query methods provided by any embodiment or alternative embodiment of the present application.
Further, the processor 6001 may be an FPGA (Field-Programmable Gate Array) or other device with logic processing capability, such as an MCU (micro controller Unit) or a CPU (Central processing Unit).
By applying the embodiment of the present application, OCSP is used to query the certificate status of the client in real time, so the query result is more accurate and the security risk is reduced.
The embodiments of the present application further provide another computer-readable storage medium, which stores a computer program, where the computer program is used for implementing, when executed by a processor, the steps of any one of the certificate query methods provided in any one of the embodiments or any one of the alternative embodiments of the present application.
The computer-readable storage medium provided by the embodiments of the present application includes, but is not limited to, any type of disk including floppy disks, hard disks, optical disks, CD-ROMs, and magneto-optical disks, ROMs (Read-Only memories), RAMs (Random Access memories), EPROMs (Erasable Programmable Read-Only memories), EEPROMs (Electrically Erasable Programmable Read-Only memories), flash memories, magnetic cards, or optical cards. That is, a readable storage medium includes any medium that stores or transmits information in a form readable by a device (e.g., a computer).
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (12)

1. A certificate query method, applied to a network device, the method comprising:
acquiring certificate information of a target client;
generating an Online Certificate Status Protocol (OCSP) query message carrying the certificate information;
sending the OCSP query message to at least one query server, wherein the query server is configured to query the certificate status of the target client based on the received OCSP query message and to generate a response message carrying the certificate status;
and determining the certificate state of the target client according to a response message returned by at least one query server.
2. The method of claim 1, wherein the obtaining the certificate information of the target client comprises:
if the local OCSP request queue contains query requests, taking each query request out of the local OCSP request queue in turn and treating the currently taken-out query request as the target query request, wherein the target query request carries the certificate information of the target client;
and acquiring the certificate information of the target client from the target query request.
3. The method of claim 1, wherein the sending the OCSP query message to at least one query server comprises:
determining, according to a pre-configured uniform resource identifier (URI) priority, the URI of at least one query server to be used for the OCSP query;
and sending the OCSP query message to each determined URI.
4. The method of claim 3, wherein the configuration result of the URI priority comprises:
the URI parsed from a certificate message is taken as the first priority, wherein the certificate message is a message sent by the target client to the network device and carrying the certificate information;
or, the pre-configured URI is taken as the first priority;
or, both the URI parsed from the certificate message and the pre-configured URI are taken as the first priority.
5. The method of claim 3, wherein sending the OCSP query message to each URI determined comprises:
sending the OCSP query message to each determined URI over each of a plurality of different public network links.
6. The method according to claim 1, wherein the determining the certificate status of the target client according to the response message returned by the at least one query server comprises:
within the preset query timeout, if a response message returned by at least one query server is received, taking the certificate status carried by the first returned response message as the certificate status of the target client.
7. The method of any one of claims 1-6, wherein the certificate status of the target client is normal, revoked, or unknown; the method further comprises:
if the certificate status of the target client is unknown, or no response message is received from any query server, setting the certificate status of the target client to normal or revoked according to a preset state configuration.
8. The method according to any one of claims 2-6, further comprising:
after the query request of the target client is placed in the local OCSP request queue and the connection request between the target client and the network device passes the check, setting the session flag of the target client to the blocking flag;
wherein the blocking flag is used to block a connection between the network device and a backend server to be accessed by the target client.
9. The method of claim 8, further comprising:
detecting the session flag of the target client;
if the session flag of the target client is the blocking flag, not sending a connection request to the back-end server to be accessed by the target client;
if the session flag of the target client indicates that the certificate status of the target client is normal, sending a connection request to the back-end server accessed by the target client;
and if the session flag of the target client indicates that the certificate status of the target client is revoked, disconnecting the network device from the target client.
10. A certificate inquiry apparatus, wherein the apparatus is applied to a network device, and the apparatus comprises:
the certificate acquisition unit is used for acquiring the certificate information of the target client;
a message generating unit, configured to generate an online certificate status protocol OCSP query message carrying the certificate information;
a certificate query unit, configured to send the OCSP query message to at least one query server, wherein the query server is configured to query the certificate status of the target client based on the received OCSP query message and to generate a response message carrying the certificate status;
and the certificate determining unit is used for determining the certificate state of the target client according to the response message returned by the at least one query server.
11. An electronic device, comprising: a processor, a memory;
the memory for storing a computer program;
the processor, configured to execute the certificate query method according to any one of claims 1 to 9 by calling the computer program.
12. A computer-readable storage medium on which a computer program is stored, which program, when being executed by a processor, is adapted to carry out the certificate query method of any one of claims 1 to 9.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110302657.3A CN112994897A (en) 2021-03-22 2021-03-22 Certificate query method, device, equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN112994897A (en) 2021-06-18

Family

ID=76334280

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110302657.3A Pending CN112994897A (en) 2021-03-22 2021-03-22 Certificate query method, device, equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN112994897A (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020184182A1 (en) * 2001-05-31 2002-12-05 Nang Kon Kwan Method and system for answering online certificate status protocol (OCSP) requests without certificate revocation lists (CRL)
CN102026161A (en) * 2009-09-21 2011-04-20 中兴通讯股份有限公司 System and method for validity verification of certificate in mobile backhaul net
CN107295510A (en) * 2016-03-31 2017-10-24 中国移动通信有限公司研究院 Method, device and system for implementing Home eNodeB access control based on OCSP
CN107786515A (en) * 2016-08-29 2018-03-09 中国移动通信有限公司研究院 Method and apparatus for certificate verification

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114157432A (en) * 2021-11-25 2022-03-08 上海派拉软件股份有限公司 Digital certificate acquisition method, device, electronic equipment, system and storage medium
CN114640467A (en) * 2022-03-15 2022-06-17 微位(深圳)网络科技有限公司 Service-based digital certificate query method and system
CN114598549A (en) * 2022-03-25 2022-06-07 杭州迪普科技股份有限公司 Client SSL certificate verification method and device
CN114598549B (en) * 2022-03-25 2023-07-07 杭州迪普科技股份有限公司 Client SSL certificate verification method and device


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20210618)