CN113190834A - File signature method, computing device and storage medium - Google Patents
File signature method, computing device and storage medium Download PDFInfo
- Publication number
- CN113190834A CN113190834A CN202110517488.5A CN202110517488A CN113190834A CN 113190834 A CN113190834 A CN 113190834A CN 202110517488 A CN202110517488 A CN 202110517488A CN 113190834 A CN113190834 A CN 113190834A
- Authority
- CN
- China
- Prior art keywords
- file
- signature
- information
- digest
- signer
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 86
- 238000012545 processing Methods 0.000 claims abstract description 22
- 238000004806 packaging method and process Methods 0.000 claims abstract description 3
- 238000012795 verification Methods 0.000 claims description 26
- 238000004891 communication Methods 0.000 description 17
- 238000009434 installation Methods 0.000 description 13
- 230000008569 process Effects 0.000 description 11
- VBMOHECZZWVLFJ-GXTUVTBFSA-N (2s)-2-[[(2s)-6-amino-2-[[(2s)-6-amino-2-[[(2s,3r)-2-[[(2s,3r)-2-[[(2s)-6-amino-2-[[(2s)-2-[[(2s)-6-amino-2-[[(2s)-2-[[(2s)-2-[[(2s)-2,6-diaminohexanoyl]amino]-5-(diaminomethylideneamino)pentanoyl]amino]propanoyl]amino]hexanoyl]amino]propanoyl]amino]hexan Chemical compound NC(N)=NCCC[C@@H](C(O)=O)NC(=O)[C@H](CCCCN)NC(=O)[C@H](CCCCN)NC(=O)[C@H]([C@@H](C)O)NC(=O)[C@H]([C@H](O)C)NC(=O)[C@H](CCCCN)NC(=O)[C@H](C)NC(=O)[C@H](CCCCN)NC(=O)[C@H](C)NC(=O)[C@H](CCCN=C(N)N)NC(=O)[C@@H](N)CCCCN VBMOHECZZWVLFJ-GXTUVTBFSA-N 0.000 description 9
- 108010068904 lysyl-arginyl-alanyl-lysyl-alanyl-lysyl-threonyl-threonyl-lysyl-lysyl-arginine Proteins 0.000 description 9
- 230000007246 mechanism Effects 0.000 description 6
- 238000010586 diagram Methods 0.000 description 4
- 241000700605 Viruses Species 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 230000002093 peripheral effect Effects 0.000 description 3
- 230000008901 benefit Effects 0.000 description 2
- 230000005540 biological transmission Effects 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 230000009545 invasion Effects 0.000 description 2
- 238000000547 structure data Methods 0.000 description 2
- 230000007723 transport mechanism Effects 0.000 description 2
- 230000006399 behavior Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000007667 floating Methods 0.000 description 1
- 230000002427 irreversible effect Effects 0.000 description 1
- 238000003672 processing method Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/51—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a file signature method, wherein the file comprises a description file and an execution file, and the method comprises the following steps: processing the execution file based on a preset abstract algorithm to obtain first abstract information; performing signature processing on the first abstract information according to a plurality of service operation types to obtain signature bytes; merging the signature bytes into an execution file to obtain a new execution file; processing the description file and the execution file based on a preset abstract algorithm to obtain second abstract information; performing signature processing on the second abstract information according to a plurality of service operation types to obtain a signature file; and packaging the description file, the new execution file and the signature file to obtain a signed file. The invention also discloses corresponding computing equipment and a storage medium.
Description
This application is a divisional application of invention patent 2021101222786 filed on 29/1/2021.
Technical Field
The present invention relates to the field of internet technologies, and in particular, to a file signature method, a computing device, and a storage medium.
Background
In order to avoid virus intrusion into a system in a software installation process due to the existence of a tampered or maliciously injected code in a software release process, an Android Apk signature mechanism and an IOS App mechanism are commonly used in the prior art to strengthen the control of a platform on third-party software.
Android Apk signature is to ensure the integrity of Apk and the authenticity of source, and is divided into two schemes, namely JAR signature and V2 signature. The core idea is to calculate the hash of the APK content and then use a signature algorithm to sign the hash. And during verification, the signature is decrypted through the public key of the signer, and then the signature is compared with the APK content hash calculated by the verifier, and if the signature is consistent with the APK content hash, the verification is passed. JAR signature is stored in a META-INF directory through a signature in an Android Apk signature mechanism, the directory does not enter a signature verification process, malicious codes can inhabit the META-INFO directory, and then the malicious codes are packaged into an Apk package again. The V2 signing scheme requires that multiple signing keys be input simultaneously while performing the signing task, and each signing covers the existing signing data. Therefore, V2 signature requires that a user performing a signing operation can acquire all keys to complete the signing task at one time, and additional signing is performed when the keys cannot be acquired simultaneously.
The IOS App signature mechanism originates from the apple closed ecosystem, and third party software release must pass through the apple distribution mechanism. In order to meet development and debugging scenes, an IOS App mechanism adopts a mode of double-layer signature and description document limitation, description files are related to AppId, equipment Id and other related data, equipment limitation and signature limitation only aim at a specific App, corresponding tools need to be developed to assist in completing certificate application, and the process is complicated.
Disclosure of Invention
To this end, the present invention provides a data processing solution in an attempt to solve or at least alleviate the above-existing problems.
According to an aspect of the present invention, there is provided a file signing method, the file including a description file and an execution file, the method comprising the steps of: processing the execution file based on a preset abstract algorithm to obtain first abstract information; performing signature processing on the first abstract information according to a plurality of service operation types to obtain signature bytes; merging the signature bytes into an execution file to obtain a new execution file; processing the description file and the execution file in a preset abstract algorithm to obtain second abstract information; performing signature processing on the second abstract information according to a plurality of service operation types to obtain a signature file; and packaging the description file, the new execution file and the signature file to obtain a signed file.
Optionally, in the file signature method according to the present invention, the signing process is performed on the first digest information according to the service operation type to obtain the signature byte, and the method includes the steps of: encrypting the first summary information by using corresponding encryption keys of a plurality of business operation types respectively, and generating signer information corresponding to each business operation type; and adding the plurality of encrypted first digest information and the corresponding signer information into the signature bytes according to the structure of the signature bytes.
Optionally, in the file signing method according to the present invention, before adding a plurality of encrypted first digest information and corresponding signer information to the signature bytes according to the structure of the signature bytes, the method includes the steps of: and judging whether the signature byte exists in the execution file or not, and if not, creating the signature byte according to a preset format.
Optionally, in the file signature method according to the present invention, the signing the second digest information according to a plurality of service operation types to obtain the signature file includes: encrypting the second digest information by using corresponding encryption keys of a plurality of business operation types respectively, and generating a plurality of signer information corresponding to the business operation types; and respectively adding the plurality of encrypted second digest information and the corresponding signer information into the signature file according to the structure of the signature file.
Optionally, in the file signing method according to the present invention, before adding a plurality of encrypted second digest information and corresponding signer information to the signature file according to the structure of the signature bytes, the method includes the steps of: and judging whether the file has a signature file or not, and if not, creating the signature file according to a preset format.
Optionally, in the file signing method according to the present invention, the signer information includes: the method comprises a decryption key corresponding to the business operation type, a certificate for verifying a special item, a digest algorithm for obtaining digest information and a signature algorithm.
Optionally, in the file signing method according to the present invention, the encryption key is a private key, and the decryption key is a public key.
Optionally, in the file signature method according to the present invention, the service operation types include: debugging verification, enterprise internal verification, shop verification and developer verification.
Optionally, in the file signing method according to the present invention, the file is in DEB format.
Alternatively, in the file signing method according to the present invention, the structure of the signature byte is formulated in accordance with the PKCS #7 encryption standard.
Optionally, in the file signing method according to the present invention, obtaining a signed file further includes: when a program is required to be installed, a signature file in the signed file is acquired before the file corresponding to the program is installed so as to verify the security of the file; when the program needs to be run, before loading the file corresponding to the program, signature bytes in the execution file are acquired so as to verify the security of the file.
Optionally, in the file signing method according to the present invention, after acquiring a signature file in the signed file, the method further includes the steps of: acquiring encrypted second digest information in the signature file, and decrypting the encrypted second digest information by using a decryption key corresponding to the encryption key; verifying whether the file is tampered by using the decrypted second digest information; and acquiring a plurality of signer information in the signature file, and verifying the security of the file by using the plurality of signer information.
Optionally, in the file signing method according to the present invention, verifying whether the file is tampered with using the decrypted second digest information includes the steps of: acquiring a summary algorithm in each signer information, and processing a description file and an execution file except for signature bytes in the file based on the acquired summary algorithm to obtain second check data; and if the decrypted second digest information is consistent with the second check data, determining that the file is not tampered.
Optionally, in the file signing method according to the present invention, after the signature byte in the signed file is acquired, the method further includes the steps of: acquiring encrypted first digest information in a signature byte, and decrypting the encrypted first digest information by using a decryption key corresponding to the encryption key; verifying whether the file is tampered by using the decrypted abstract information; and acquiring a plurality of certificates in the signature bytes, and verifying the security of the file by using the plurality of certificates.
Optionally, in the file signing method according to the present invention, verifying whether the file is tampered with using the decrypted first digest information includes the steps of: acquiring a digest algorithm of the certificate in the signature byte, and processing the execution files except the signature byte in the file based on the acquired digest algorithm to obtain first verification data; and if the decrypted first abstract information is consistent with the first verification data, determining that the file is not tampered.
Optionally, in the document signing method according to the present invention, verifying the security of the document using a plurality of certificates includes the steps of: and if the certificate is matched with the preset white list database, determining the file as a safe file.
Optionally, in the file signing method according to the present invention, after the certificate matches with the preset white list database, the method further includes the steps of: and judging whether the matched certificate has a special item, if so, verifying the special item, and determining that the file is a safe file after the special item is verified.
Optionally, in the file signing method according to the present invention, the special item is a preset machine code.
According to yet another aspect of the invention, there is provided a computing device comprising: at least one processor; and a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor, the program instructions comprising instructions for performing a file signing method according to the present invention.
According to still another aspect of the present invention, there is also provided a readable storage medium storing program instructions which, when read and executed by a client, cause the client to perform any of the file signing methods according to the present invention.
According to the technical scheme of the invention, the first abstract information is constructed according to the execution file included in the installation file, and the signed first abstract information is added to the execution file, so that the safety of the execution file is ensured; and second abstract information is constructed according to the execution content and the description content, and a newly added signature file is installed in the file to store the signed second abstract information, wherein the signature verification range covers the original whole file, the reliability and integrity of the whole installed file are ensured, and virus invasion caused by malicious modification of the description file is avoided.
Furthermore, a specific signature byte structure is constructed, and the summary information is processed based on a plurality of service operation types, so that the signature is simply and conveniently added according to different application scenes.
Drawings
To the accomplishment of the foregoing and related ends, certain illustrative aspects are described herein in connection with the following description and the annexed drawings, which are indicative of various ways in which the principles disclosed herein may be practiced, and all aspects and equivalents thereof are intended to be within the scope of the claimed subject matter. The above and other objects, features and advantages of the present disclosure will become more apparent from the following detailed description read in conjunction with the accompanying drawings. Throughout this disclosure, like reference numerals generally refer to like parts or elements.
FIG. 1 shows a schematic diagram of a computing device 100, according to an embodiment of the invention;
FIG. 2 shows a flow diagram of a file signing method 200 according to one embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
FIG. 1 is a block diagram of an example computing device 100, in a basic configuration 102, the computing device 100 typically includes a system memory 106 and one or more processors 104. A memory bus 108 may be used for communication between the processor 104 and the system memory 106.
Depending on the desired configuration, the processor 104 may be any type of processor, including but not limited to: a microprocessor (μ P), a microcontroller (μ C), a Digital Signal Processor (DSP), or any combination thereof. The processor 104 may include one or more levels of cache, such as a level one cache 110 and a level two cache 112, a processor core 114, and registers 116. The example processor core 114 may include an Arithmetic Logic Unit (ALU), a Floating Point Unit (FPU), a digital signal processing core (DSP core), or any combination thereof. The example memory controller 118 may be used with the processor 104, or in some implementations the memory controller 118 may be an internal part of the processor 104.
Depending on the desired configuration, system memory 106 may be any type of memory, including but not limited to: volatile memory (such as RAM), non-volatile memory (such as ROM, flash memory, etc.), or any combination thereof. System memory 106 may include an operating system 120, one or more applications 122, and program data 124. In some embodiments, application 122 may be arranged to operate with program data 124 on an operating system. In some embodiments, where computing device 100 is configured to perform a file signing method according to the present invention, program data 124 includes instructions for performing method 200.
Computing device 100 may also include an interface bus 140 that facilitates communication from various interface devices (e.g., output devices 142, peripheral interfaces 144, and communication devices 146) to the basic configuration 102 via the bus/interface controller 130. The example output device 142 includes a graphics processing unit 148 and an audio processing unit 150. They may be configured to facilitate communication with various external devices, such as a display or speakers, via one or more a/V ports 152. Example peripheral interfaces 144 may include a serial interface controller 154 and a parallel interface controller 156, which may be configured to facilitate communication with external devices such as input devices (e.g., keyboard, mouse, pen, voice input device, image input device) or other peripherals (e.g., printer, scanner, etc.) via one or more I/O ports 158. An example communication device 146 may include a network controller 160, which may be arranged to facilitate communications with one or more other computing devices 162 over a network communication link via one or more communication ports 164.
A network communication link may be one example of a communication medium. Communication media may typically be embodied by computer readable instructions, data structures, program modules, and may include any information delivery media, such as carrier waves or other transport mechanisms, in a modulated data signal. A "modulated data signal" may be a signal that has one or more of its data set or its changes made in such a manner as to encode information in the signal. By way of non-limiting example, communication media may include wired media such as a wired network or private-wired network, and various wireless media such as acoustic, Radio Frequency (RF), microwave, Infrared (IR), or other wireless media. The term computer readable media as used herein may include both storage media and communication media. In some embodiments, one or more programs are stored in a computer-readable medium, including instructions for performing certain methods, such as the file signing method 200 according to the present invention, by which the computing device 100 executes, in accordance with embodiments of the present invention. Generally, in an operating system, an installation package of any application needs to have a signature during installation so as to be identified and installed by the system, and the signature can ensure the integrity of information transmission. In order to determine whether the information is tampered during the transmission process, a signature is generally added to the installation package file of the application program.
FIG. 2 illustrates a flow diagram of a file signing method 200 according to one embodiment of the present invention, the method 200 being suitable for execution in a computing device (such as the aforementioned computing device 100). As shown in fig. 2, the file signing method begins at step S210. The installation package files are of different types in different systems, the format of the application installation file of the Java program is usually JAD or JAR, the Linux system is mostly RPM, TAR.GZ and DEB, and the Android system is mostly APK. But it usually includes a description file and an execution file, where the description file stores version information and related information of the execution file, the execution file refers to a file that can be loaded and executed by an operating system, and the specific contents of the description file and the execution file in the file depend on the file format.
In step S210, the execution file is processed based on a preset digest algorithm to obtain first digest information. For example, the installation package file to be signed is a DEB file, the executable file is actually installed program data, the format is an elf (executable and Linkable format) file, and the content of the description file includes version information, version dependency, publisher information, and the like of the DEB package. Before signing a file, decompressing an installation package file to be signed to extract an ELF file. Generally, an information abstract file needs to exist in an installation package, and information abstract processing in a general sense can be understood as a behavior of recording specific information of all files in the installation package.
Specifically, for each signer, the Digest value of the ELF file Code segment is calculated by using a preset Digest Algorithm, which depends on the system specification, MD (Message Digest), SHA-1(Secure Hash Algorithm), and MAC (Message Authentication Code Algorithm), and in the UOS system, the Digest Algorithm includes SHA256, SM3, and the like. The digest algorithm is irreversible, and the same ciphertext can be obtained only by inputting the same plaintext data and passing through the same digest algorithm.
Next, in step S220, the first digest information is signed according to a plurality of service operation types, so as to obtain a signature byte. The service operation types include: debugging verification, enterprise internal verification, shop verification and developer verification to expand different scenes needing signature verification in the system after application installation.
The signature may be encrypted only with the digest or may be a combination of the digest and other information. In the scheme, the first abstract information is encrypted by a signer key to obtain a signature result, wherein the signer key is related to the service operation type.
Specifically, processing the first summary information according to a plurality of service operation types to obtain a signature byte, includes the steps of: encrypting the first summary information by using corresponding encryption keys of a plurality of business operation types respectively, and generating signer information corresponding to each business operation type; and adding the plurality of encrypted first digest information and the corresponding signer information into the signature bytes according to the structure of the signature bytes. Wherein the signer information includes: the method comprises a decryption key corresponding to the business operation type, a certificate for verifying a special item, a digest algorithm for obtaining digest information and a signature algorithm. The encryption key is a private key and the decryption key is a public key.
According to one embodiment of the invention, the structure of the signature bytes is established according to the PKCS #7 encryption standard, PKCS #7 being an encryption standard generated by the RSA security system exchanging digital certificates in a public key encryption system. PKCS #7 describes the syntax of digital certificates and other methods of encrypting messages, such as data encryption and digital signatures, as well as including digest algorithms. When digitally signed using PKCS #7, the result contains the signed certificate and any other certificates on the certified path.
Specifically, the signature bytes are PEM-formatted signature message data, when each signer signs, a SignedData structure in PKCS #7 encryption standard needs to be created to operate the relevant attributes of the signature data, the SignedData structure comprises a version, a summary algorithm set, content information, a certificate, a revoked certificate and signer information, and corresponding information is filled into the SignedData structure according to the signature process. The content information specifies one of a plaintext format in which the signed data is part of SignedData and does not need to carry source data when the signature is verified, and a plaintext format in which the source data is not required to be carried. The structure of the signer information comprises a version, a certificate identifier containing a decryption key corresponding to the business operation type and a certificate for verifying a special item, a digest algorithm, an authenticated attribute, a signature algorithm, a signature and an unauthenticated attribute. In the verification process, the certificate mark in the signer information of each SignedData is used for searching a corresponding public key certificate, the digest algorithm is used for digesting the original text, the digest comparison decrypted from the signature forms the last step of signature verification, the signature algorithm is used for decrypting the signature, and the signature is used for acquiring the digest. The authenticated attribute is part of the signature computation, and if any part of the attribute is modified, the signature will fail.
Since there are a plurality of signers, the signature byte is already constructed when signing for the first time, before adding a plurality of encrypted first digest information and a plurality of certificates into the signature byte according to the structure of the signature byte, the method further comprises the following steps: and judging whether the signature byte exists in the execution file or not, if not, creating the signature byte according to a preset format, wherein the preset format is the PKCS #7 encryption standard.
If the signature byte exists in the execution file, when the signature is added, the signature byte needs to be converted into an operable structure to add new signedddata. The signature bytes are PEM format signature message data, a PEM reading interface is provided by using openssl to convert the signature bytes into structure data in a SignedData form, and the operation of signature data related attribute data is facilitated. And filling corresponding information into a new empty SignedData structure according to the process of signature addition, and adding the filled SignedData into the unauthenticated attribute of the current SignedData to obtain the new SignedData after signature addition. In order to trace back the signature validity period, the signer signature timestamp certificate TSA needs to be added during the filling. Modifying the unauthenticated attribute does not affect the verification result of the current SignedData, and when the signature is verified, if the SignedData is successfully verified in the unauthenticated attribute, the file can be successfully verified. And a specific signature byte structure is constructed, and the summary information is processed based on a plurality of service operation types, so that signature addition according to different application scenes is realized.
Subsequently, in step S230, the signature bytes are merged into the execution file, resulting in a new execution file. If the signature byte exists in the execution file, the new SignedData obtained according to the method is converted into a PEM format to replace the original signature byte.
Then, in step S240, the description file and the execution file are processed based on a preset summarization algorithm to obtain second summary information. The summary algorithm is not described herein again, and according to an embodiment of the present invention, the summary values of the description file and the new execution file are spliced, and the summary algorithm is performed again on the spliced summary values to obtain the second summary information.
Then, in step S250, the second digest information is signed according to the plurality of service operation types, so as to obtain a signature file. The service operation types are multiple, one service type corresponds to one signer, and different scenes needing signature verification in the system after application installation are expanded.
According to an embodiment of the present invention, signing the second digest information according to a plurality of service operation types to obtain a signature file includes: encrypting the second digest information by using corresponding encryption keys of a plurality of business operation types respectively, and generating a plurality of signer information corresponding to the business operation types; and respectively adding the plurality of encrypted second digest information and the corresponding signer information into the signature file according to the structure of the signature file.
Specifically, the signature file is stored in a PEM format, and PEM-format data needs to be converted into a C-language programmable SignedData data structure object when each signer signs, so that SignedData in a PKCS #7 encryption standard needs to be created first, a SignedData structure comprises a version, a summary algorithm set, content information, a certificate, a revoked certificate and signer information, and corresponding information is filled into the SignedData structure according to a signature process. The content information specifies one of a plaintext format in which the signed data is part of SignedData and does not need to carry source data when the signature is verified, and a plaintext format in which the source data is not required to be carried. The structure of the signer information comprises a version, a certificate identifier containing a decryption key corresponding to the business operation type and a certificate for verifying a special item, a digest algorithm, an authenticated attribute, a signature algorithm, a signature and an unauthenticated attribute.
Since there are a plurality of signers who have already constructed a signature file at the time of first signature, according to one example of the present invention, before adding a plurality of encrypted second digest information and a plurality of certificates to the signature file according to the structure of the signature file, the method includes the steps of: and judging whether the file has a signature file or not, if not, creating the signature file according to a preset format, wherein the preset format is the PKCS #7 encryption standard.
If the signature file exists in the file, the signature file needs to be converted into an operable structure to add new signedddata when the signature is added. The signature file is in a PEM format, a PEM reading interface is provided by openssl to convert the signature file into structure data in a SignedData form, and operation of related attribute data of the signature data is facilitated. And filling corresponding information into a new empty SignedData structure according to the process of signature addition, and adding the filled SignedData into the unauthenticated attribute of the current SignedData to obtain the new SignedData after signature addition. Modifying the unauthenticated attribute does not affect the verification result of the current SignedData, and if the SignedData is successfully verified in the unauthenticated attribute, the file can be successfully verified.
Finally, in step S260, the description file, the new execution file, and the signature file are packaged to obtain a signed file. And after the signed file is obtained, the method also comprises the step of verifying the signed file.
According to one embodiment of the invention, the step of verifying the signed file comprises: when a program is required to be installed, a signature file in the signed file is acquired before the file corresponding to the program is installed so as to verify the security of the file; when the program needs to be run, before loading the file corresponding to the program, signature bytes in the execution file are acquired so as to verify the security of the file.
Specifically, verifying the security of a document comprises the steps of: acquiring encrypted second digest information in the signature file, and decrypting the encrypted second digest information by using a decryption key corresponding to the encryption key; verifying whether the execution file is tampered by using the decrypted second digest information; and acquiring a plurality of signer information in the signature file, and verifying the security of the file by using the plurality of signer information. The structure of the signer information comprises a version, a certificate identifier containing a decryption key corresponding to the business operation type and a certificate for verifying a special item, a digest algorithm, an authenticated attribute, a signature algorithm, a signature and an unauthenticated attribute. It should be noted that after the signature file is directly converted into the SignedData format, additional other SignedData needs to be acquired from the unauthenticated attribute of the SignedData, and the signer information in each SignedData is verified in sequence.
Further, the method for verifying whether the file is tampered by using the decrypted second digest information comprises the following steps: acquiring a summary algorithm in each signer information, and processing a description file and an execution file except for signature bytes in the file based on the acquired summary algorithm to obtain second check data; and if the decrypted second digest information is consistent with the second check data, determining that the execution file is not tampered.
When the program is operated, before the file corresponding to the program is loaded, the signature byte in the execution file is obtained, and the step of verifying the security of the signature byte comprises the following steps: acquiring encrypted first digest information in the signature bytes, and decrypting the encrypted first digest information by using a decryption key corresponding to the encryption key; verifying whether the file is tampered by using the decrypted abstract information; and acquiring a plurality of certificates in the signature bytes, and verifying the security of the file by using the plurality of certificates. It should be noted that, after the signature file is directly converted into the SignedData format, additional other SignedData needs to be acquired from the unauthenticated attribute of the SignedData, and the certificate in each SignedData is verified in sequence.
Further, the method for verifying whether the execution file is tampered by using the decrypted first digest information comprises the following steps: acquiring a digest algorithm of the certificate in the signature byte, and processing the execution files except the signature byte in the file based on the acquired digest algorithm to obtain second check data; and if the decrypted first abstract information is consistent with the first verification data, determining that the file is not tampered.
Verifying the security of a document using a plurality of certificates, comprising the steps of: if the certificate is matched with a preset white list database, the file is determined to be a safe file, and the white list can be beneficial to debugging in a development stage.
If the certificate is matched with the preset white list database, the method also comprises the following steps: and judging whether the matched certificate has a special item, if so, verifying the special item, and determining that the file is a safe file after the special item is verified. Further, the special item is a preset machine code. And debugging the certificate signature, and submitting the machine code of the developer when the developer applies for the certificate. The DEB file signed by the debug certificate will only be installed and run on the device where the machine code is located. The internal certificate of the enterprise is used for the internal application store of the enterprise, and helps the enterprise to further master the DEB package.
According to the technical scheme of the invention, the first abstract information is constructed according to the execution file included in the installation file, and the signed first abstract information is added to the execution file, so that the safety of the execution file is ensured; and second abstract information is constructed according to the execution content and the description content, and a newly added signature file is installed in the file to store the signed second abstract information, wherein the signature verification range covers the original whole file, the reliability and integrity of the whole installed file are ensured, and virus invasion caused by malicious modification of the description file is avoided.
Furthermore, a specific signature byte structure is constructed, signature processing is carried out on the summary information based on a plurality of service operation types, and additional signature is simply and conveniently added according to different application scenes.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules or units or components of the devices in the examples disclosed herein may be arranged in a device as described in this embodiment or alternatively may be located in one or more devices different from the devices in this example. The modules in the foregoing examples may be combined into one module or may be further divided into multiple sub-modules.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
Furthermore, some of the described embodiments are described herein as a method or combination of method elements that can be performed by a processor of a computer system or by other means of performing the described functions. A processor having the necessary instructions for carrying out the method or method elements thus forms a means for carrying out the method or method elements. Further, the elements of the apparatus embodiments described herein are examples of the following apparatus: the apparatus is used to implement the functions performed by the elements for the purpose of carrying out the invention.
The various techniques described herein may be implemented in connection with hardware or software or, alternatively, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions thereof, may take the form of program code (i.e., instructions) embodied in tangible media, such as floppy diskettes, CD-ROMs, hard drives, or any other machine-readable storage medium, wherein, when the program is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention.
In the case of program code execution on programmable computers, the computing device will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. Wherein the memory is configured to store program code; the processor is configured to execute the web data processing method of the present invention according to instructions in said program code stored in the memory.
By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer-readable media includes both computer storage media and communication media. Computer storage media store information such as computer readable instructions, data structures, program modules or other data. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. Combinations of any of the above are also included within the scope of computer readable media.
As used herein, unless otherwise specified the use of the ordinal adjectives "first", "second", "third", etc., to describe a common object, merely indicate that different instances of like objects are being referred to, and are not intended to imply that the objects so described must be in a given sequence, either temporally, spatially, in ranking, or in any other manner.
While the invention has been described with respect to a limited number of embodiments, those skilled in the art, having benefit of this description, will appreciate that other embodiments can be devised which do not depart from the scope of the invention as described herein. Furthermore, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The present invention has been disclosed in an illustrative rather than a restrictive sense, and the scope of the present invention is defined by the appended claims.
Claims (10)
1. A method of signing a document, said document comprising a description document and an execution document, said method comprising the steps of:
processing the execution file based on a preset abstract algorithm to obtain first abstract information;
the method for signing the first abstract information according to a plurality of service operation types to obtain signature bytes comprises the following steps:
encrypting the first summary information by using corresponding encryption keys of a plurality of business operation types respectively, and generating signer information corresponding to each business operation type;
adding a plurality of encrypted first summary information and corresponding signer information into the signature bytes according to the structure of the signature bytes;
merging the signature bytes into an execution file to obtain a new execution file;
processing the description file and the execution file based on a preset abstract algorithm to obtain second abstract information;
performing signature processing on the second abstract information according to a plurality of service operation types to obtain a signature file;
packaging the description file, the new execution file and the signature file to obtain a signed file;
when a program needs to be installed, before installing a file corresponding to the program, acquiring a signature file in the signed file, acquiring encrypted second digest information in the signature file, and decrypting the encrypted second digest information by using a decryption key corresponding to the encryption key;
verifying whether the file is tampered by using the decrypted second digest information;
and acquiring a plurality of signer information in the signature file, and verifying the security of the file by using the plurality of signer information.
2. The method of claim 1, before adding the plurality of encrypted first digest information and the corresponding signer information to the signature bytes according to the structure of the signature bytes, comprising the steps of: and judging whether the signature byte exists in the execution file or not, and if not, creating the signature byte according to a preset format.
3. The method according to claim 2, wherein said signing the second digest information according to a plurality of service operation types to obtain the signature file comprises the steps of:
encrypting the second digest information by using corresponding encryption keys of a plurality of business operation types respectively, and generating a plurality of signer information corresponding to the business operation types;
and respectively adding the plurality of encrypted second digest information and the corresponding signer information into the signature file according to the structure of the signature file.
4. The method of claim 3, wherein before adding the plurality of encrypted second digest information and the corresponding signer information to the signature file according to the structure of the signature bytes, comprising the steps of: and judging whether the file has a signature file or not, and if not, creating the signature file according to a preset format.
5. The method of any of claims 1-4, the signer information comprising: the method comprises a decryption key corresponding to the business operation type, a certificate for verifying a special item, a digest algorithm for obtaining digest information and a signature algorithm.
6. The method of claim 5, wherein the encryption key is a private key and the decryption key is a public key.
7. The method of any of claims 1-3, the traffic operation type comprising: debugging verification, enterprise internal verification, shop verification and developer verification.
8. The method of any one of claims 1-7, the file being in a DEB format.
9. A computing device, comprising:
at least one processor; and
a memory storing program instructions, wherein the program instructions are configured to be executed by the at least one processor, the program instructions comprising instructions for performing the method of claims 1-8.
10. A readable storage medium storing program instructions which, when read and executed by a client, cause the client to perform the method of any one of claims 1-8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110517488.5A CN113190834A (en) | 2021-01-29 | 2021-01-29 | File signature method, computing device and storage medium |
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110517488.5A CN113190834A (en) | 2021-01-29 | 2021-01-29 | File signature method, computing device and storage medium |
| CN202110122278.6A CN112507328B (en) | 2021-01-29 | 2021-01-29 | File signature method, computing device and storage medium |
Related Parent Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110122278.6A Division CN112507328B (en) | 2021-01-29 | 2021-01-29 | File signature method, computing device and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113190834A true CN113190834A (en) | 2021-07-30 |
Family
ID=74952418
Family Applications (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110122278.6A Active CN112507328B (en) | 2021-01-29 | 2021-01-29 | File signature method, computing device and storage medium |
| CN202110517488.5A Pending CN113190834A (en) | 2021-01-29 | 2021-01-29 | File signature method, computing device and storage medium |
Family Applications Before (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110122278.6A Active CN112507328B (en) | 2021-01-29 | 2021-01-29 | File signature method, computing device and storage medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (2) | CN112507328B (en) |
| WO (1) | WO2022160733A1 (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114268431A (en) * | 2021-12-16 | 2022-04-01 | 统信软件技术有限公司 | Browser certificate transcoding method and device, computing device and readable storage medium |
| CN114629658A (en) * | 2022-03-30 | 2022-06-14 | 杭州海康威视系统技术有限公司 | Application signature method, device, equipment and storage medium |
| WO2022160733A1 (en) * | 2021-01-29 | 2022-08-04 | 统信软件技术有限公司 | File signature method, computing device, and storage medium |
Families Citing this family (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112989435A (en) * | 2021-03-26 | 2021-06-18 | 武汉深之度科技有限公司 | Digital signature method and computing device |
| CN113468485A (en) * | 2021-07-05 | 2021-10-01 | 桂林电子科技大学 | Digital signature and certificate verification program protection method based on Linux operating system |
| CN113541973B (en) * | 2021-09-17 | 2021-12-21 | 杭州天谷信息科技有限公司 | Electronic signature packaging method |
| CN115225272A (en) * | 2022-09-20 | 2022-10-21 | 北方健康医疗大数据科技有限公司 | Big data disaster recovery system, method and equipment based on domestic commercial cryptographic algorithm |
| CN116383896B (en) * | 2023-06-07 | 2023-11-03 | 中航金网(北京)电子商务有限公司 | File integrity verification method, cloud platform starting method, device and equipment |
Family Cites Families (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8914641B2 (en) * | 2012-07-11 | 2014-12-16 | Intel Corporation | Method for signing and verifying data using multiple hash algorithms and digests in PKCS |
| CN103413076B (en) * | 2013-08-27 | 2016-03-02 | 北京理工大学 | A kind of Android application program divides the method for block protection |
| US10103890B2 (en) * | 2014-08-08 | 2018-10-16 | Haw-Minn Lu | Membership query method |
| CN105608393B (en) * | 2016-01-19 | 2018-09-07 | 北京鼎源科技有限公司 | A kind of reinforcement means based on the recombination of Android executable files |
| CN106169052B (en) * | 2016-07-19 | 2018-04-06 | 北京海泰方圆科技股份有限公司 | Processing method, device and the mobile terminal of application program |
| CN107786504B (en) * | 2016-08-26 | 2020-09-04 | 腾讯科技(深圳)有限公司 | ELF file release method, ELF file verification method, server and terminal |
| CN108460293A (en) * | 2017-02-22 | 2018-08-28 | 北京大学 | A kind of application integrity multistage checking mechanism |
| CN108683502B (en) * | 2018-03-30 | 2022-01-25 | 上海连尚网络科技有限公司 | Digital signature verification method, medium and equipment |
| CN110378104A (en) * | 2018-04-16 | 2019-10-25 | 北京升鑫网络科技有限公司 | A method of upgrading is anti-to distort |
| CN110830256A (en) * | 2018-08-14 | 2020-02-21 | 珠海金山办公软件有限公司 | File signature method and device, electronic equipment and readable storage medium |
| CN109743171B (en) * | 2018-12-06 | 2022-04-12 | 广州博士信息技术研究院有限公司 | Key series method for solving multi-party digital signature, timestamp and encryption |
| CN111552946A (en) * | 2020-04-24 | 2020-08-18 | 上海亘岩网络科技有限公司 | PDF file digital signature method, system and storage medium |
| CN112507328B (en) * | 2021-01-29 | 2021-06-08 | 统信软件技术有限公司 | File signature method, computing device and storage medium |
-
2021
- 2021-01-29 CN CN202110122278.6A patent/CN112507328B/en active Active
- 2021-01-29 CN CN202110517488.5A patent/CN113190834A/en active Pending
- 2021-09-15 WO PCT/CN2021/118421 patent/WO2022160733A1/en unknown
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2022160733A1 (en) * | 2021-01-29 | 2022-08-04 | 统信软件技术有限公司 | File signature method, computing device, and storage medium |
| CN114268431A (en) * | 2021-12-16 | 2022-04-01 | 统信软件技术有限公司 | Browser certificate transcoding method and device, computing device and readable storage medium |
| CN114268431B (en) * | 2021-12-16 | 2023-06-16 | 统信软件技术有限公司 | Browser certificate transcoding method and device, computing equipment and readable storage medium |
| CN114629658A (en) * | 2022-03-30 | 2022-06-14 | 杭州海康威视系统技术有限公司 | Application signature method, device, equipment and storage medium |
| CN114629658B (en) * | 2022-03-30 | 2024-06-07 | 杭州海康威视系统技术有限公司 | Application signature method, device, equipment and storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112507328A (en) | 2021-03-16 |
| WO2022160733A1 (en) | 2022-08-04 |
| CN112507328B (en) | 2021-06-08 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112507328B (en) | File signature method, computing device and storage medium | |
| US9276752B2 (en) | System and method for secure software update | |
| CN107463806B (en) | Signature and signature verification method for Android application program installation package | |
| KR101740256B1 (en) | Apparatus for mobile app integrity assurance and method thereof | |
| US20170262656A1 (en) | Method and device for providing verifying application integrity | |
| US20170270319A1 (en) | Method and device for providing verifying application integrity | |
| JP4501349B2 (en) | System module execution device | |
| EP3026560A1 (en) | Method and device for providing verifying application integrity | |
| US20170262658A1 (en) | Method and device for providing verifying application integrity | |
| US20050154899A1 (en) | Mobile software authentication and validation | |
| US7552092B2 (en) | Program distribution method and system | |
| KR20170089352A (en) | Firmware integrity verification for performing the virtualization system | |
| CN115550060B (en) | Trusted certificate verification method, device, equipment and medium based on block chain | |
| CN116244756A (en) | Method and device for verifying browser plug-in and computing equipment | |
| WO2020062233A1 (en) | Method and apparatus for processing and deploying application program, and computer-readable medium | |
| CN117556430B (en) | Safe starting method, device, equipment and storage medium | |
| JP2002006739A (en) | Authentication information generating device and data verifying device | |
| CN115455453A (en) | File detection method, device, equipment and storage medium | |
| CN115913563A (en) | Electronic signature generation method, electronic signature verification method and electronic signature verification equipment | |
| CN112257033A (en) | Application packaging method, device and equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |