CN114531242A - Certificate upgrading method, device, equipment and storage medium - Google Patents
Certificate upgrading method, device, equipment and storage medium Download PDFInfo
- Publication number
- CN114531242A CN114531242A CN202011326714.3A CN202011326714A CN114531242A CN 114531242 A CN114531242 A CN 114531242A CN 202011326714 A CN202011326714 A CN 202011326714A CN 114531242 A CN114531242 A CN 114531242A
- Authority
- CN
- China
- Prior art keywords
- certificate
- new root
- root certificate
- file
- information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 61
- 238000012545 processing Methods 0.000 claims abstract description 27
- 238000007781 pre-processing Methods 0.000 claims abstract description 15
- 230000004044 response Effects 0.000 claims description 44
- 230000005540 biological transmission Effects 0.000 abstract description 8
- 238000013507 mapping Methods 0.000 description 12
- 238000004891 communication Methods 0.000 description 7
- 230000008569 process Effects 0.000 description 5
- 238000010586 diagram Methods 0.000 description 4
- 238000012546 transfer Methods 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 230000009466 transformation Effects 0.000 description 2
- 238000012795 verification Methods 0.000 description 2
- 238000012937 correction Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 239000000284 extract Substances 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to the technical field of Internet and discloses a certificate upgrading method, a device, equipment and a storage medium, wherein the method comprises the following steps: when a service request sent by a client is received, acquiring new root certificate information and a new root certificate file according to the service request; preprocessing the new root certificate information to obtain target certificate data; and sending the target certificate data and the new root certificate file to the client so that the client performs upgrading processing on the new root certificate file based on the target certificate data. The validity of the certificate is recovered through the upgrading client side without the need of recovering the certificate after the certificate expires, and only the new root certificate information and the new root certificate file are acquired according to the service request, and then the new root certificate file is verified based on the new root certificate information, so that the security of certificate transmission is ensured, and the upgrading efficiency of the certificate is improved.
Description
Technical Field
The present invention relates to the field of internet technologies, and in particular, to a method, an apparatus, a device, and a storage medium for upgrading a certificate.
Background
In the prior art, when a certificate problem is detected, the server certificate is considered to be valid by changing the on-line firmware time, the local time is wrong, the new firmware uses a new domain name or a hypertext transfer security protocol to degrade and is not guaranteed to be available in the means of verifying the certificate, and the like, so that the certificate has a safety problem, and the problems of time correction of the firmware using the hypertext transfer security protocol or local binding of a sub-certificate or a root certificate to revoke, expiration, replacement of a cooperative signing and issuing agency and the like exist, the normal use can be realized only by upgrading the firmware, but the upgrading period of the firmware is long, and the upgrading efficiency of the certificate is low.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide a certificate upgrading method, a certificate upgrading device and a certificate upgrading storage medium, and aims to solve the technical problem of how to ensure the security of certificate transmission and further improve the upgrading efficiency of certificates.
In order to achieve the above object, the present invention provides a certificate upgrading method, where the certificate upgrading method includes:
when a service request sent by a client is received, acquiring new root certificate information and a new root certificate file according to the service request;
preprocessing the new root certificate information to obtain target certificate data;
and sending the target certificate data and the new root certificate file to a client so that the client can upgrade the new root certificate file based on the target certificate data.
Optionally, the step of obtaining new root certificate information and a new root certificate file according to the service request includes:
acquiring a request response code corresponding to the service request;
and acquiring new root certificate information and a new root certificate file according to the request response code and the service request.
Optionally, the step of obtaining new root certificate information and a new root certificate file according to the request response code and the service request includes:
judging whether the request response code meets a preset handshake failure condition or not;
when the request response code meets the preset handshake failure condition, extracting certificate access information in the service request;
generating a new root certificate inquiry instruction according to the request response code and the certificate access information;
and acquiring new root certificate information and a new root certificate file according to the new root certificate inquiry instruction.
Optionally, the step of obtaining new root certificate information and a new root certificate file according to the new root certificate query instruction includes:
acquiring a certificate domain name according to the new root certificate inquiry command;
and determining new root certificate information and a new root certificate file according to the certificate domain name.
Optionally, the step of determining new root certificate information and a new root certificate file according to the certificate domain name includes:
acquiring a plurality of certificate files according to the certificate domain name;
and selecting a new root certificate file from the plurality of certificate files, and acquiring new root certificate information according to the new root certificate file.
Optionally, the step of obtaining new root certificate information according to the new root certificate file includes:
acquiring the file size of the certificate file, the certificate signature and the certificate valid time according to the new root certificate file;
determining a file size MD5 value from the file size and a signature MD5 value from the certificate signature;
the file size MD5 value, the signature MD5 value, and the certificate validity time are taken as new root certificate information.
Optionally, the step of preprocessing the new root certificate information to obtain target certificate data includes:
acquiring an application identifier corresponding to a server, and determining a first device key according to the application identifier;
and encrypting the new root certificate information according to the first equipment secret key to obtain target certificate data.
Optionally, the step of encrypting the new root certificate information according to the first device key to obtain target certificate data includes:
determining a preset appointed encryption rule according to the new root certificate information;
and encrypting the new root certificate information according to the first equipment secret key and the preset appointed encryption rule to obtain target certificate data.
Optionally, the step of preprocessing the new root certificate information to obtain target certificate data further includes:
acquiring an application identifier corresponding to the client, and determining a second equipment secret key and an asymmetric public key according to the application identifier;
encrypting the second equipment secret key according to the asymmetric public key to obtain an encrypted secret key;
and encrypting the new root certificate information according to the encryption key to obtain target certificate data.
Optionally, the step of encrypting the new root certificate information according to the encryption key to obtain target certificate data includes:
acquiring an asymmetric private key corresponding to the application identifier;
decrypting the encrypted secret key according to the asymmetric private key to obtain the decrypted encrypted secret key;
and encrypting the new root certificate information according to the decrypted encryption key to obtain target certificate data.
Optionally, the step of encrypting the new root certificate information according to the decrypted encryption key to obtain target certificate data includes:
determining a preset appointed encryption rule according to the new root certificate information;
and encrypting the new root certificate information according to the decrypted encryption key and the preset agreed encryption rule to obtain target certificate data.
Optionally, the step of determining a preset agreed encryption rule according to the new root certificate information includes:
determining a certificate level according to the new root certificate information;
and matching a preset agreed encryption rule corresponding to the new root certificate information in a mapping relation table according to the certificate grades, wherein the certificate grades and the preset agreed encryption rule in the mapping relation table have one-to-one correspondence.
In addition, in order to achieve the above object, the present invention further provides a certificate upgrading apparatus, including:
the acquisition module is used for acquiring new root certificate information and a new root certificate file according to a service request when the service request sent by a client is received;
the processing module is used for preprocessing the new root certificate information to obtain target certificate data;
and the upgrading module is used for sending the target certificate data and the new root certificate file to the client so that the client can upgrade the new root certificate file based on the target certificate data.
Optionally, the obtaining module is further configured to obtain a request response code corresponding to the service request;
the obtaining module is further configured to obtain new root certificate information and a new root certificate file according to the request response code and the service request.
Optionally, the obtaining module is further configured to determine whether the request response code meets a preset handshake failure condition;
the obtaining module is further configured to extract credential access information in the service request when the request response code meets the preset handshake failure condition;
the acquisition module is further used for generating a new root certificate inquiry instruction according to the request response code and the certificate access information;
the acquisition module is further configured to acquire new root certificate information and a new root certificate file according to the new root certificate inquiry instruction.
Optionally, the obtaining module is further configured to obtain a certificate domain name according to the new root certificate query instruction;
the acquisition module is further configured to determine new root certificate information and a new root certificate file according to the certificate domain name.
Optionally, the obtaining module is further configured to obtain a plurality of certificate files according to the certificate domain name;
the acquisition module is further configured to select a new root certificate file from the plurality of certificate files, and acquire new root certificate information according to the new root certificate file.
Optionally, the obtaining module is further configured to obtain a file size of the certificate file, a certificate signature, and a certificate validity time according to the new root certificate file;
the acquisition module is also used for determining a file size MD5 value according to the file size and determining a signature MD5 value according to the certificate signature;
the obtaining module is further configured to use the file size MD5 value, the signature MD5 value, and the certificate validity time as new root certificate information.
In addition, to achieve the above object, the present invention further provides a certificate upgrading apparatus, including: a memory, a processor and a certificate upgrade program stored on the memory and executable on the processor, the certificate upgrade program configured to implement the steps of the certificate upgrade method as described above.
Furthermore, to achieve the above object, the present invention further provides a storage medium having a certificate upgrade program stored thereon, which when executed by a processor implements the steps of the certificate upgrade method as described above.
The method comprises the steps of firstly, acquiring new root certificate information and a new root certificate file according to a service request when the service request sent by a client is received, then preprocessing the new root certificate information to obtain target certificate data, and then sending the target certificate data and the new root certificate file to the client so that the client can upgrade the new root certificate file based on the target certificate data. Since the validity of the certificate is not required to be recovered by upgrading the client after the certificate expires, only the new root certificate information and the new root certificate file are required to be obtained according to the service request, and then the new root certificate file is verified based on the new root certificate information, the security of certificate transmission is ensured, and the upgrading efficiency of the certificate is improved.
Drawings
Fig. 1 is a schematic structural diagram of a certificate upgrading device of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a certificate upgrading method according to a first embodiment of the present invention;
FIG. 3 is a flowchart illustrating a certificate upgrading method according to a second embodiment of the present invention;
fig. 4 is a block diagram of a first embodiment of the certificate upgrading apparatus according to the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a certificate upgrading device in a hardware operating environment according to an embodiment of the present invention.
As shown in fig. 1, the certificate upgrading apparatus may include: a processor 1001, such as a Central Processing Unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. Wherein a communication bus 1002 is used to enable connective communication between these components. The user interface 1003 may include a Display screen (Display), an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a WIreless interface (e.g., a WIreless-FIdelity (WI-FI) interface). The Memory 1005 may be a Random Access Memory (RAM) Memory, or may be a Non-Volatile Memory (NVM), such as a disk Memory. The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in FIG. 1 is not intended to be limiting of credential upgrade devices and may include more or less components than those shown, or some components in combination, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a storage medium, may include therein an operating system, a data storage module, a network communication module, a user interface module, and a certificate upgrade program.
In the certificate upgrading apparatus shown in fig. 1, the network interface 1004 is mainly used for data communication with a network server; the user interface 1003 is mainly used for data interaction with a user; the processor 1001 and the memory 1005 in the certificate upgrading apparatus of the present invention may be disposed in the certificate upgrading apparatus, and the certificate upgrading apparatus invokes the certificate upgrading program stored in the memory 1005 through the processor 1001 and executes the certificate upgrading method provided by the embodiment of the present invention.
An embodiment of the present invention provides a certificate upgrading method, and referring to fig. 2, fig. 2 is a flowchart illustrating a first embodiment of the certificate upgrading method according to the present invention.
In this embodiment, the certificate upgrading method includes the following steps:
step S10: and when a service request sent by a client is received, acquiring new root certificate information and a new root certificate file according to the service request.
It is easy to understand that the execution subject of this embodiment may be a certificate upgrading device having functions of data processing, network communication, program operation, and the like, or may also be other computer devices having similar functions, and this embodiment is not limited thereto, where the certificate upgrading device may be a server, and this embodiment and the following embodiments are described by taking the server as an example. The server may be a service server, a certificate Over-the-Air Technology (OTA) server, an Internet of Things (Internet of Things) cloud device, and the like, which is not limited in this embodiment.
It is understood that the client may be firmware, IOT firmware, or the like, and the embodiment is not limited thereto.
The service request can be understood as a service request sent by a user through a client. The normal access of the website may be performed according to the service request, and whether the https certificate is valid may also be queried according to the service request, which is not limited in this embodiment.
The new root certificate file may be understood as an updated Hypertext Transfer Protocol Secure https (Hypertext Transfer Protocol Secure https) certificate, which may exist in a form of a picture, may also exist in a form of file information, and the like, where the new root certificate information is information existing on the https certificate, and may include a certificate file address, a Message Digest Algorithm (MD 5) value of a certificate size, a certificate validity time, an MD5 value of a certificate signature, and the like, and this embodiment is not limited.
Further, in order to improve the upgrading efficiency of the certificate, in this embodiment, the operation of acquiring the new root certificate information and the new root certificate file according to the service request may be: the server obtains a request response code corresponding to the service request, and obtains new root certificate information and a new root certificate file according to the request response code and the service request, where the request response code may be a request response code returned by the server after the user sends the request service through firmware, and the request response code may be a valid code of the certificate, and may also be an error code of a handshake failure certificate of a security transport layer protocol TLS, and the like.
The request-response code may be represented in a form of a number, or may be represented in a form of a character, assuming that the request reports an error, prompting the client local certificate error, and the CURL error is a 58-label firmware local certificate error, and the like, which is not limited in this embodiment.
The operation of acquiring the new root certificate information and the new root certificate file according to the request response code and the service request may be that the service server determines whether the request response code satisfies a preset handshake failure condition, when the request response code does not satisfy the preset handshake failure condition, the service server may normally access a website or a system, and when the request response code satisfies the preset handshake failure condition, the service server extracts the certificate access information in the service request, generates a new root certificate inquiry instruction according to the request response code and the certificate access information, and the certificate OTA server acquires the new root certificate information and the new root certificate file according to the new root certificate inquiry instruction, where the preset handshake failure condition may be a certificate failure or a certificate error, and the embodiment is not limited.
The certificate access information may be related information that the certificate needs to be updated after the certificate fails, and the new root certificate query instruction may be that the firmware requests to upgrade an https certificate interface after receiving the certificate error information, and then sends the new root certificate query instruction to the server, i.e., the certificate OTA server, and the like, which is not limited in this embodiment.
The operation of obtaining the new root certificate information and the new root certificate file according to the new root certificate inquiry command may also be that a certificate domain name is obtained according to the new root certificate inquiry command, and the new root certificate information and the new root certificate file are determined according to the certificate domain name.
It can also be understood that the operation of determining the new root certificate information and the new root certificate file according to the certificate domain name may be to obtain a plurality of certificate files according to the certificate domain name, select a new root certificate file from the plurality of certificate files, and obtain the new root certificate information according to the new root certificate file.
It should be noted that, a plurality of certificate files exist in the certificate domain name, and then a target certificate file, that is, a new root certificate file, required by the user may be found from the plurality of certificate files, where new root certificate information and the like may be obtained from the new root certificate file, which is not limited in this embodiment.
The method for obtaining the new root certificate information according to the new root certificate file may be to obtain a file size, a certificate signature, and a certificate validity time of the certificate file according to the new root certificate file, determine a file size MD5 value according to the file size, determine a signature MD5 value according to the certificate signature, and use the file size MD5 value, the signature MD5 value, and the certificate validity time as the new root certificate information, which is not limited in this embodiment.
Step S20: and preprocessing the new root certificate information to obtain target certificate data.
The target certificate data may be understood as encrypted certificate data, and the like, and the embodiment is not limited thereto.
The method for preprocessing the information of the new root certificate to obtain the target certificate data may be to obtain an application identifier corresponding to a client, that is, a firmware, determine an equipment key according to the application identifier, encrypt the information of the new root certificate according to the equipment key to obtain the target certificate data, where the equipment key may be a first equipment key understood as an equipment key corresponding to the IOT cloud equipment, or a key stored by the service end is queried according to the SN number, or may also be a second equipment key corresponding to the client, and the application identifier may be an equipment number or a product running number, and the embodiment is not limited thereto.
In a specific implementation, when the IOT cloud device is docked, because the IOT cloud device has a triplet that can authenticate the device, an agreed key may be used for an encryption key of an OTA https certificate, and the like, assuming that a certificate OTA server receives a new root certificate query instruction sent by a firmware, it is necessary to obtain a device number corresponding to the cloud device from the IOT cloud device, then obtain a device key corresponding to the cloud device, that is, a first device key, according to the device number, obtain new root certificate information and a new root certificate file from the IOT cloud device, and finally encrypt the new root certificate information according to the device key, to obtain encrypted certificate information, that is, target certificate data, and the like, where the certificate file and the certificate information may be stored in the IOT cloud device in advance, and this embodiment is not limited.
Further, in order to ensure the security of certificate transmission, in this embodiment, the new root certificate information is encrypted according to the device key, and the step of obtaining the target certificate data includes: the preset convention Encryption rule can be determined according to the new root certificate information, the Encryption processing is carried out on the new root certificate according to the equipment secret key and the preset convention Encryption rule, the target certificate data is obtained, wherein the preset convention Encryption rule can be various different Encryption algorithms and can be a des algorithm, the des algorithm is a symmetric cryptosystem in the cryptosystem, the plaintext is grouped according to 64 bits, the key length is 64 bits, the key is an Encryption method that 56 bits participate in des operation (8 th, 16 th, 24 th, 32 th, 40 th, 48 th, 56 th and 64 th bits are check bits, each key has odd number of 1) grouped plaintext group and 56 bits of key are replaced or exchanged according to bits to form a ciphertext group, the Encryption algorithm can also be Advanced Encryption Standard (AES), AES Encryption algorithm, the grouping length of the encrypted data block must be 128 bits, the key length may be any one of 128 bits, 192 bits, and 256 bits (and may be padded if the data block and key length are insufficient). The aes encryption has many rounds of repetition and transformation, etc., and the embodiment is not limited.
It can also be understood that the user may self-define and select a preset agreed encryption rule according to the new root certificate information, where the preset agreed encryption rule may be pre-stored in the certificate OTA server, and may also determine a certificate level according to the new root certificate information, and match the preset agreed encryption rule corresponding to the new root certificate information in the mapping table according to the certificate level, where the certificate level and the preset agreed encryption rule in the mapping table have a one-to-one correspondence, the mapping table has a plurality of certificate levels and a plurality of preset agreed encryption rules, and the certificate level may be a medium level, a high level, a low level, or the like.
Further, in order to ensure the security of the certificate, the present embodiment preprocesses the new root certificate information, and the step of obtaining the target certificate data includes: the method further includes the steps of obtaining an application identifier corresponding to the client, determining an equipment key, namely a second equipment key and an asymmetric public key, according to the application identifier, encrypting the second equipment key according to the asymmetric public key to obtain an encryption key, and encrypting the new root certificate information according to the encryption key to obtain target certificate data, wherein the equipment key is a key and the like which are locally and pre-stored in the firmware.
The method for encrypting the new root certificate information according to the encryption key to obtain the target certificate data may be, for example, obtain an asymmetric private key corresponding to the application identifier, decrypt the encryption key according to the asymmetric private key to obtain a decrypted encryption key, determine a preset agreed encryption rule according to the new root certificate information, encrypt the new root certificate information according to the decrypted encryption key and the preset agreed encryption rule to obtain the target certificate data, and the like.
In the specific implementation, assuming the use of the undocked IOT equipment, the OTA service public key is locally stored in the equipment and is also used for generating an encryption key for OTA https certificate communication, and the logic unified firmware end and the OTA develop and access are not required to develop each service, thereby reducing the workload.
In the firmware request service, the TLS handshake failure certificate is wrong, then the firmware locally generates an equipment key, namely a second equipment key, and locally acquires an OTA public key, namely an asymmetric public key, from the firmware, wherein the firmware locally pre-stores an asymmetric public and private key and the like, then the firmware encrypts the second equipment key by using the asymmetric public key to obtain an encrypted key, the firmware requests to upgrade an https certificate interface and sends the encrypted key to a certificate OTA server, the certificate OTA server decrypts the encrypted key by using the asymmetric private key to obtain the second equipment key, wherein the new root certificate information, namely a new root certificate file, is stored in the certificate OTA server, the corresponding new root certificate file and new root certificate information can be inquired in the certificate OTA server according to a new root certificate instruction, and finally the new root certificate information is encrypted by using the second equipment key and a preset agreement rule, obtain target certificate data, etc., and the present embodiment is not limited.
Step S30: and sending the target certificate data and the new root certificate file to a client so that the client can upgrade the new root certificate file based on the target certificate data.
When the IOT cloud device is connected, the certificate OTA server sends target certificate data, that is, encrypted new root certificate information and a new root certificate file, to the firmware end, the firmware end obtains a local firmware key when receiving the encrypted new root certificate information, decrypts the encrypted new root certificate information according to the local firmware key to obtain the decrypted new root certificate information, that is, the new root certificate information, then verifies validity by checking a validity period and an MD5 value of a certificate signature according to the new root certificate information, and tries to make a request available or not, after the verification is valid, the new root certificate file can be added to the local certificate file, and finally, a firmware request service can be restored normally, and the embodiment is not limited.
When the IOT cloud device is not docked, the certificate OTA server sends target certificate data, that is, encrypted new root certificate information and a new root certificate file, to the firmware end, the firmware end obtains a local firmware key when receiving the encrypted new root certificate information, decrypts the encrypted new root certificate information according to the local firmware key to obtain the decrypted new root certificate information, that is, the new root certificate information, then verifies validity by checking a validity period and an MD5 value of a certificate signature according to the new root certificate information to verify validity, and tries to make a request available or not, and after the verification is valid, the new root certificate file can be added to the local certificate file, and finally, the firmware request service can be restored normally, and the embodiment is not limited.
In this embodiment, first, when a service request sent by a client is received, new root certificate information and a new root certificate file are obtained according to the service request, then the new root certificate information is preprocessed to obtain target certificate data, and then the target certificate data and the new root certificate file are sent to the client, so that the client performs upgrade processing on the new root certificate file based on the target certificate data. The validity of the certificate is recovered through the upgrading client side without the need of recovering the certificate after the certificate expires, and only the new root certificate information and the new root certificate file are acquired according to the service request, and then the new root certificate file is verified based on the new root certificate information, so that the safety of certificate transmission is ensured, and the upgrading efficiency of the certificate is improved.
Referring to fig. 3, fig. 3 is a flowchart illustrating a certificate upgrading method according to a second embodiment of the present invention.
Based on the first embodiment, in this embodiment, the step S20 further includes:
step S201: the method comprises the steps of obtaining an application identifier corresponding to a server, and determining a first device key according to the application identifier.
The device key may be understood as a device key corresponding to the IOT cloud device, that is, a first device key, or a key stored by a server according to an SN number, or may also be a second device key local to a client, that is, a firmware, and the application identifier may be a device number or a product running number, which is not limited in this embodiment.
It can also be understood that, an application identifier, that is, a device number, corresponding to the IOT cloud device has a fixed device key, that is, the IOT cloud device number and the device key have a one-to-one relationship, and the embodiment is not limited.
Step S202: and encrypting the new root certificate information according to the equipment secret key to obtain target certificate data.
The new root certificate information includes a file size MD5 value, a signature MD5 value, a certificate validity time, and the like, and the target certificate data may be data obtained by encrypting a file size MD5 value, a signature MD5 value, a certificate validity time, and the like, which is not limited in this embodiment.
The file size, the certificate signature, and the certificate validity time of the certificate file are obtained according to the new root certificate file, the file size MD5 value is determined according to the file size, the signature MD5 value is determined according to the certificate signature, and the file size MD5 value, the signature MD5 value, and the certificate validity time are used as new root certificate information, and the like, which is not limited in this embodiment.
In addition, when the IOT cloud device is docked, the device number corresponding to the cloud device needs to be acquired from the IOT cloud device, then the device key corresponding to the cloud device, that is, the first device key, is acquired according to the device number, the new root certificate information and the new root certificate file are acquired from the IOT cloud device, and finally the new root certificate information is encrypted according to the device key, and the encrypted certificate information, that is, the target certificate data and the like are acquired.
In the specific implementation, assuming that the IOT device is not docked, the firmware locally generates a device key, i.e., a second device key, and locally obtains an OTA public key, i.e., an asymmetric public key, from the firmware, wherein the firmware locally pre-stores an asymmetric public and private key, etc., and then the firmware encrypts the second device key by using the asymmetric public key to obtain an encrypted key, the firmware requests to upgrade an https certificate interface and sends the encrypted key to the certificate OTA server, the certificate OTA server decrypts the encrypted key by using the asymmetric private key to obtain the second device key, wherein the new root certificate information, i.e., a new root certificate file, is stored in the certificate OTA server, the corresponding new root certificate file and new root certificate information can be queried in the certificate OTA server according to a new root certificate instruction, and finally the new root certificate information is encrypted by using the device key and a preset agreement rule, obtain target certificate data, etc., and the embodiment is not limited thereto
Further, in order to ensure the security of certificate transmission, in this embodiment, the new root certificate information is encrypted according to the device key, and the step of obtaining the target certificate data includes: the preset appointed Encryption rule can be determined according to the new root certificate information, the Encryption processing is carried out on the new root certificate according to the first device secret key or the second device secret key and the preset appointed Encryption rule, the target certificate data is obtained, wherein the preset appointed Encryption rule can be various different Encryption algorithms and can be a DES algorithm, the DES algorithm is a symmetric cryptosystem in the cryptosystem, the Encryption keys are grouped according to 64 bits according to the plaintext, the length of the keys is 64 bits, the keys are actually 56 bits and participate in DES operation (8 th, 16 th, 24 th, 32 th, 40 th, 48 th, 56 th and 64 th bits are check bits, each key has 1) of the Encryption method of forming a ciphertext group by bit substitution or exchange of the grouped plaintext group and 56 bit keys, the Encryption algorithm can also be Advanced Encryption Standard (AES) in the cryptosystem, for short, the Encryption algorithm is referred to as AES (Advanced Encryption Standard) in the cryptosystem), the AES-encrypted data block packet length must be 128 bits, and the key length may be any one of 128 bits, 192 bits, and 256 bits (if the data block and key lengths are insufficient, they will be padded). The AES encryption has many rounds of repetition and transformation, etc., and the embodiment is not limited.
It can also be understood that the user may self-define and select a preset agreed encryption rule according to the new root certificate information, where the preset agreed encryption rule may be pre-stored in the certificate OTA server, and may also determine a certificate level according to the new root certificate information, and match the preset agreed encryption rule corresponding to the new root certificate information in the mapping table according to the certificate level, where the certificate level and the preset agreed encryption rule in the mapping table have a one-to-one correspondence, the mapping table has a plurality of certificate levels and a plurality of preset agreed encryption rules, and the certificate level may be a medium level, a high level, a low level, or the like.
It should be noted that, no matter whether the IOT cloud device is accessed, the OTA certificate server needs to encrypt the file size MD5 value, the signature MD5 value, and the certificate validity time according to the device key, so as to obtain encrypted data, that is, target certificate data.
In this embodiment, first, an application identifier corresponding to the server is obtained, a first device key is determined according to the application identifier, and then, the new root certificate information is encrypted according to the first device key to obtain target certificate data, so that the security of certificate information transmission is improved.
Referring to fig. 4, fig. 4 is a block diagram illustrating a first embodiment of a certificate upgrading apparatus according to the present invention.
As shown in fig. 4, a certificate upgrading apparatus provided in an embodiment of the present invention includes:
the acquiring module 4001 is configured to acquire new root certificate information and a new root certificate file according to a service request sent by a client when the service request is received;
a processing module 4002, configured to pre-process the new root certificate information to obtain target certificate data;
an upgrade module 4003, configured to send the target certificate data and the new root certificate file to the client, so that the client performs upgrade processing on the new root certificate file based on the target certificate data.
In this embodiment, first, when a service request sent by a client is received, new root certificate information and a new root certificate file are obtained according to the service request, then the new root certificate information is preprocessed to obtain target certificate data, and then the target certificate data and the new root certificate file are sent to the client, so that the client performs upgrade processing on the new root certificate file based on the target certificate data. The validity of the certificate is recovered through the upgrading client side without the need of recovering the certificate after the certificate expires, and only the new root certificate information and the new root certificate file are acquired according to the service request, and then the new root certificate file is verified based on the new root certificate information, so that the safety of certificate transmission is ensured, and the upgrading efficiency of the certificate is improved.
Further, the obtaining module 4001 is further configured to obtain a request response code corresponding to the service request;
the obtaining module 4001 is further configured to obtain new root certificate information and a new root certificate file according to the request response code and the service request.
Further, the obtaining module 4001 is further configured to determine whether the request response code meets a preset handshake failure condition;
the obtaining module 4001 is further configured to extract credential access information in the service request when the request response code meets the preset handshake failure condition;
the obtaining module 4001 is further configured to generate a new root certificate query instruction according to the request response code and the certificate access information;
the obtaining module 4001 is further configured to obtain new root certificate information and a new root certificate file according to the new root certificate inquiry instruction.
Further, the obtaining module 4001 is further configured to obtain a certificate domain name according to the new root certificate query instruction;
the obtaining module 4001 is further configured to determine new root certificate information and a new root certificate file according to the certificate domain name.
Further, the obtaining module 4001 is further configured to obtain a plurality of certificate files according to the certificate domain name;
the obtaining module 4001 is further configured to select a new root certificate file from the plurality of certificate files, and obtain new root certificate information according to the new root certificate file.
Further, the obtaining module 4001 is further configured to obtain a file size of the certificate file, a certificate signature, and a certificate validity time according to the new root certificate file;
the obtaining module 4001 is further configured to determine a file size MD5 value according to the file size, and determine a signature MD5 value according to the certificate signature;
the obtaining module 4001 is further configured to use the file size MD5 value, the signature MD5 value, and the certificate validity time as new root certificate information.
Further, the processing module 4002 is further configured to obtain an application identifier corresponding to the server, and determine a first device key according to the application identifier;
the processing module 4002 is further configured to encrypt the new root certificate information according to the first device key, so as to obtain target certificate data.
Further, the processing module 4002 is further configured to determine a preset agreed encryption rule according to the new root certificate information;
the processing module 4002 is further configured to encrypt the new root certificate information according to the first device key and the preset agreed encryption rule, so as to obtain target certificate data.
Further, the processing module 4002 is further configured to obtain an application identifier corresponding to the client, and determine a second device key and an asymmetric public key according to the application identifier;
the processing module 4002 is further configured to encrypt the second device key according to the asymmetric public key to obtain an encrypted key;
the processing module 4002 is further configured to encrypt the new root certificate information according to the encryption key, so as to obtain target certificate data.
Further, the processing module 4002 is further configured to obtain an asymmetric private key corresponding to the application identifier;
the processing module 4002 is further configured to decrypt the encrypted secret key according to the asymmetric private key, so as to obtain the decrypted encrypted secret key;
the processing module 4002 is further configured to encrypt the new root certificate information according to the decrypted encryption key, so as to obtain target certificate data.
Further, the processing module 4002 is further configured to determine a preset agreed encryption rule according to the new root certificate information;
the processing module 4002 is further configured to encrypt the new root certificate information according to the decrypted encryption key and the preset agreed encryption rule, so as to obtain target certificate data.
Further, the processing module 4002 is further configured to determine a certificate level according to the new root certificate information;
the processing module 4002 is further configured to match a preset agreed encryption rule corresponding to the new root certificate information in a mapping relation table according to the certificate grades, where the certificate grades and the preset agreed encryption rule in the mapping relation table have a one-to-one correspondence relationship.
Other embodiments or specific implementation manners of the certificate upgrading apparatus of the present invention may refer to the above method embodiments, and are not described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., a rom/ram, a magnetic disk, an optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
The invention discloses A1 and a certificate upgrading method, wherein the certificate upgrading method comprises the following steps:
when a service request sent by a client is received, acquiring new root certificate information and a new root certificate file according to the service request;
preprocessing the new root certificate information to obtain target certificate data;
and sending the target certificate data and the new root certificate file to the client so that the client performs upgrading processing on the new root certificate file based on the target certificate data.
A2, the method of claim a1, the step of obtaining new root certificate information and new root certificate files based on the service request, comprising:
acquiring a request response code corresponding to the service request;
and acquiring new root certificate information and a new root certificate file according to the request response code and the service request.
A3, the method of claim a2, the step of obtaining new root certificate information and new root certificate file according to the request response code and the service request, comprising:
judging whether the request response code meets a preset handshake failure condition or not;
when the request response code meets the preset handshake failure condition, extracting certificate access information in the service request;
generating a new root certificate inquiry instruction according to the request response code and the certificate access information;
and acquiring new root certificate information and a new root certificate file according to the new root certificate inquiry instruction.
A4, the method of claim A3, the step of obtaining new root certificate information and new root certificate file according to the new root certificate query instruction, comprising:
acquiring a certificate domain name according to the new root certificate inquiry instruction;
and determining new root certificate information and a new root certificate file according to the certificate domain name.
A5, the method of claim a4, the step of determining new root certificate information and new root certificate files from the certificate domain name comprising:
acquiring a plurality of certificate files according to the certificate domain name;
and selecting a new root certificate file from the plurality of certificate files, and acquiring new root certificate information according to the new root certificate file.
A6, the method of claim a5, the step of obtaining new root certificate information from the new root certificate file comprising:
acquiring the file size of the certificate file, the certificate signature and the certificate valid time according to the new root certificate file;
determining a file size MD5 value from the file size and a signature MD5 value from the certificate signature;
the file size MD5 value, the signature MD5 value, and the certificate validity time are taken as new root certificate information.
A7, the method of any one of claims A1-A6, wherein the step of preprocessing the new root certificate information to obtain target certificate data, comprises:
acquiring an application identifier corresponding to a server, and determining a first device key according to the application identifier;
and encrypting the new root certificate information according to the first equipment secret key to obtain target certificate data.
A8, the method according to claim a7, wherein the step of encrypting the new root certificate information according to the first device key to obtain target certificate data includes:
determining a preset appointed encryption rule according to the new root certificate information;
and encrypting the new root certificate information according to the first equipment secret key and the preset agreed encryption rule to obtain target certificate data.
A9, the method of any one of claims A1-A6, wherein the step of preprocessing the new root certificate information to obtain target certificate data, further comprises:
acquiring an application identifier corresponding to the client, and determining a second equipment secret key and an asymmetric public key according to the application identifier;
encrypting the second equipment secret key according to the asymmetric public key to obtain an encrypted secret key;
and encrypting the new root certificate information according to the encryption key to obtain target certificate data.
A10, the method according to claim a9, wherein the step of obtaining the target certificate data by encrypting the new root certificate information according to the encryption key comprises:
acquiring an asymmetric private key corresponding to the application identifier;
decrypting the encrypted secret key according to the asymmetric private key to obtain the decrypted encrypted secret key;
and encrypting the new root certificate information according to the decrypted encryption key to obtain target certificate data.
A11, the method according to claim a10, wherein the step of encrypting the new root certificate information according to the decrypted encryption key to obtain the target certificate data includes:
determining a preset appointed encryption rule according to the new root certificate information;
and encrypting the new root certificate information according to the decrypted encryption key and the preset agreed encryption rule to obtain target certificate data.
A12, the method of claim a11, the step of determining a preset agreed upon encryption rule based on the new root certificate information, comprising:
determining a certificate level according to the new root certificate information;
and matching a preset agreed encryption rule corresponding to the new root certificate information in a mapping relation table according to the certificate grades, wherein the certificate grades and the preset agreed encryption rule in the mapping relation table have one-to-one correspondence.
The invention discloses B13, a certificate upgrading device, which comprises:
the acquisition module is used for acquiring new root certificate information and a new root certificate file according to a service request when the service request sent by a client is received;
the processing module is used for preprocessing the new root certificate information to obtain target certificate data;
and the upgrading module is used for sending the target certificate data and the new root certificate file to the client so that the client can upgrade the new root certificate file based on the target certificate data.
B14, the apparatus according to claim B13, wherein the obtaining module is further configured to obtain a request response code corresponding to the service request;
the obtaining module is further configured to obtain new root certificate information and a new root certificate file according to the request response code and the service request.
B15, the apparatus according to claim B14, the obtaining module further configured to determine whether the request response code satisfies a preset handshake failure condition;
the obtaining module is further configured to extract credential access information in the service request when the request response code meets the preset handshake failure condition;
the acquisition module is further used for generating a new root certificate inquiry instruction according to the request response code and the certificate access information;
the acquisition module is further configured to acquire new root certificate information and a new root certificate file according to the new root certificate inquiry instruction.
B16, the apparatus of claim B15, the obtaining module further configured to obtain a certificate domain name according to the new root certificate query instruction;
the acquisition module is further configured to determine new root certificate information and a new root certificate file according to the certificate domain name.
B17, the apparatus of claim B16, the obtaining module further configured to obtain a plurality of certificate files based on the certificate domain name;
the acquisition module is further configured to select a new root certificate file from the plurality of certificate files, and acquire new root certificate information according to the new root certificate file.
B18, the apparatus of claim B17, the obtaining module further for obtaining a file size, a certificate signature, and a certificate validity time of a certificate file from the new root certificate file;
the acquisition module is further used for determining a file size MD5 value according to the file size and determining a signature MD5 value according to the certificate signature;
the obtaining module is further configured to use the file size MD5 value, the signature MD5 value, and the certificate validity time as new root certificate information.
The invention discloses C19, a certificate upgrading device, the device includes: a memory, a processor and a certificate upgrade program stored on the memory and executable on the processor, the certificate upgrade program configured to implement the steps of the certificate upgrade method as described above.
The invention discloses D20, a storage medium having a certificate upgrade program stored thereon, which when executed by a processor implements the steps of the certificate upgrade method as described above.
Claims (10)
1. A certificate upgrading method, characterized in that the certificate upgrading method comprises:
when a service request sent by a client is received, acquiring new root certificate information and a new root certificate file according to the service request;
preprocessing the new root certificate information to obtain target certificate data;
and sending the target certificate data and the new root certificate file to a client so that the client can upgrade the new root certificate file based on the target certificate data.
2. The method of claim 1, wherein the step of obtaining new root certificate information and a new root certificate file according to the service request comprises:
acquiring a request response code corresponding to the service request;
and acquiring new root certificate information and a new root certificate file according to the request response code and the service request.
3. The method of claim 2, wherein the step of obtaining new root certificate information and a new root certificate file according to the request response code and the service request comprises:
judging whether the request response code meets a preset handshake failure condition or not;
when the request response code meets the preset handshake failure condition, extracting certificate access information in the service request;
generating a new root certificate inquiry instruction according to the request response code and the certificate access information;
and acquiring new root certificate information and a new root certificate file according to the new root certificate inquiry instruction.
4. The method as claimed in claim 3, wherein the step of obtaining new root certificate information and a new root certificate file according to the new root certificate inquiry command comprises:
acquiring a certificate domain name according to the new root certificate inquiry instruction;
and determining new root certificate information and a new root certificate file according to the certificate domain name.
5. The method of claim 4, wherein the step of determining new root certificate information and a new root certificate file based on the certificate domain name comprises:
acquiring a plurality of certificate files according to the certificate domain name;
and selecting a new root certificate file from the plurality of certificate files, and acquiring new root certificate information according to the new root certificate file.
6. The method of claim 5, wherein the step of obtaining new root certificate information from the new root certificate file comprises:
acquiring the file size of the certificate file, the certificate signature and the certificate valid time according to the new root certificate file;
determining a file size MD5 value from the file size and a signature MD5 value from the certificate signature;
the file size MD5 value, the signature MD5 value, and the certificate validity time are taken as new root certificate information.
7. The method of any one of claims 1-6, wherein the step of preprocessing the new root certificate information to obtain target certificate data comprises:
acquiring an application identifier corresponding to a server, and determining a first device key according to the application identifier;
and encrypting the new root certificate information according to the first equipment secret key to obtain target certificate data.
8. A certificate upgrading apparatus, characterized in that the certificate upgrading apparatus comprises:
the acquisition module is used for acquiring new root certificate information and a new root certificate file according to a service request when the service request sent by a client is received;
the processing module is used for preprocessing the new root certificate information to obtain target certificate data;
and the upgrading module is used for sending the target certificate data and the new root certificate file to the client so that the client can upgrade the new root certificate file based on the target certificate data.
9. A certificate upgrading apparatus, characterized in that the apparatus comprises: memory, a processor and a certificate upgrade program stored on the memory and executable on the processor, the certificate upgrade program being configured to implement the steps of the certificate upgrade method as claimed in any one of claims 1 to 7.
10. A storage medium having stored thereon a certificate upgrade program which, when executed by a processor, implements the steps of the certificate upgrade method according to any one of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011326714.3A CN114531242A (en) | 2020-11-23 | 2020-11-23 | Certificate upgrading method, device, equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011326714.3A CN114531242A (en) | 2020-11-23 | 2020-11-23 | Certificate upgrading method, device, equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114531242A true CN114531242A (en) | 2022-05-24 |
Family
ID=81619050
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202011326714.3A Pending CN114531242A (en) | 2020-11-23 | 2020-11-23 | Certificate upgrading method, device, equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114531242A (en) |
-
2020
- 2020-11-23 CN CN202011326714.3A patent/CN114531242A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109088889B (en) | SSL encryption and decryption method, system and computer readable storage medium | |
| CN107493273B (en) | Identity authentication method, system and computer readable storage medium | |
| JP7014806B2 (en) | Digital certificate management method and equipment | |
| JP7292263B2 (en) | Method and apparatus for managing digital certificates | |
| JP2009529832A (en) | Undiscoverable, ie secure data communication using black data | |
| CN108809633B (en) | Identity authentication method, device and system | |
| CN115396121B (en) | Security authentication method for security chip OTA data packet and security chip device | |
| CN108199847B (en) | Digital security processing method, computer device, and storage medium | |
| CN112351037B (en) | Information processing method and device for secure communication | |
| CN105025019A (en) | Data safety sharing method | |
| CN111740995B (en) | Authorization authentication method and related device | |
| CN111130798A (en) | Request authentication method and related equipment | |
| CN104486087A (en) | Digital signature method based on remote hardware security modules | |
| CN110493272A (en) | Use the communication means and communication system of multiple key | |
| CN111510448A (en) | Communication encryption method, device and system in OTA (over the air) upgrade of automobile | |
| CN113726766A (en) | Offline identity authentication method, system and medium | |
| CN110175471B (en) | File storage method and system | |
| KR102053993B1 (en) | Method for Authenticating by using Certificate | |
| KR101256114B1 (en) | Message authentication code test method and system of many mac testserver | |
| CN115766270A (en) | File decryption method, file encryption method, key management method, device and equipment | |
| CN115801287A (en) | Signature authentication method and device | |
| CN110968878A (en) | Information transmission method, system, electronic device and readable medium | |
| CN113918971A (en) | Block chain based message transmission method, device, equipment and readable storage medium | |
| CN114531242A (en) | Certificate upgrading method, device, equipment and storage medium | |
| JP6223907B2 (en) | One-stop application system, one-stop application method and program |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |