CN114679275B - Digital signature verification method, platform and system - Google Patents
Digital signature verification method, platform and system Download PDFInfo
- Publication number
- CN114679275B CN114679275B CN202210013110.6A CN202210013110A CN114679275B CN 114679275 B CN114679275 B CN 114679275B CN 202210013110 A CN202210013110 A CN 202210013110A CN 114679275 B CN114679275 B CN 114679275B
- Authority
- CN
- China
- Prior art keywords
- certificate
- signature verification
- platform
- management
- digital
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000012795 verification Methods 0.000 title claims abstract description 167
- 238000000034 method Methods 0.000 title claims abstract description 30
- 238000007726 management method Methods 0.000 claims abstract description 143
- 230000009977 dual effect Effects 0.000 claims abstract description 9
- 238000013523 data management Methods 0.000 claims abstract description 4
- 238000004891 communication Methods 0.000 claims description 24
- 230000007246 mechanism Effects 0.000 claims description 12
- 238000012544 monitoring process Methods 0.000 claims description 12
- 238000012423 maintenance Methods 0.000 claims description 11
- 230000008569 process Effects 0.000 claims description 8
- 238000011176 pooling Methods 0.000 claims description 6
- 238000012545 processing Methods 0.000 claims description 6
- 238000013500 data storage Methods 0.000 claims description 4
- 238000006243 chemical reaction Methods 0.000 claims description 3
- 238000004140 cleaning Methods 0.000 claims description 3
- 238000007639 printing Methods 0.000 claims description 3
- 230000008531 maintenance mechanism Effects 0.000 claims description 2
- 230000004044 response Effects 0.000 abstract description 7
- 230000006872 improvement Effects 0.000 description 14
- 238000009826 distribution Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 230000006978 adaptation Effects 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000007710 freezing Methods 0.000 description 2
- 230000008014 freezing Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000003860 storage Methods 0.000 description 2
- 238000010257 thawing Methods 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005111 flow chemistry technique Methods 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 238000004321 preservation Methods 0.000 description 1
- 239000002699 waste material Substances 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a digital signature verification method, a digital signature verification platform and a digital signature verification system, wherein the digital signature verification platform comprises: the signature verification front terminal platform is used for providing front end support of the business application connection encryption and key transaction platform; the signature verification application sub-platform is used for providing data security service; the signature verification management sub-platform is used for carrying out core certificate data management, key management service and platform management coordination; and the database is used for storing the core certificate data. And a thread pool operation structure is adopted in the platform, so that the service response speed is improved. The platform operates on the dual-activity data center, so that large-area interruption of service after the data center fails is avoided.
Description
Technical Field
The invention belongs to the technical field of digital encryption, and particularly relates to a digital signature verification method and a digital signature verification system.
Background
The digital signature verification based on the PKI system is widely applied to various business systems in the financial industry, such as UKEY and control of an online banking system, paperless system, payment system and the like, which all use the signature verification function. The application security base platform is used for certificate management, ensures data integrity, confidentiality and non-repudiation, and has very high requirements on algorithm credibility, real-time response rate, response time and the like. The security protocols and encryption algorithms established abroad are always adopted in China, so that the security, autonomy and controllability of key systems and equipment cannot be met, and the network security situation is optimistic. The safe and reliable domestic cryptographic algorithm is a set of data encryption algorithms which are independently researched and developed and innovated in China, and a plurality of algorithm standards, such as SM2, SM3 and SM4 commonly used in the financial industry, are issued after years of development.
Defects in the prior art: PKI system-based certificate management systems, which are not full life-cycle inside enterprises, typically use third party certificates, resulting in up to millions of costs for enterprises to purchase certificates each year; the signing devices with different brands and models of different manufacturers cannot be uniformly managed, often, different signing devices provide independent service interfaces, and when the external system is used, a plurality of manufacturer service interfaces cannot be integrated, so that the signing devices cannot be reused, and meanwhile, double-center double-activity deployment cannot be achieved.
Disclosure of Invention
In view of the above, the invention provides a digital signature verification method, a digital signature verification platform and a digital signature verification system, which provide signature verification work for users by building a digital certificate signature verification platform.
In order to solve the technical problems, the invention provides a digital signature verification platform, which comprises: the signature verification front terminal platform is used for providing front end support of the business application connection encryption and key transaction platform; the signature verification application sub-platform is used for providing data security service; the signature verification management sub-platform is used for carrying out core certificate data management, key management service and platform management coordination; and the database is used for storing the core certificate data.
As an improvement, the signature verification front terminal platform comprises: the interface module is used for providing a function interface for external calling; the communication module is used for communicating with the signature verification application sub-platform; and the message format assembling module is used for combining the request message into a message format which can be identified by the signature verification application sub-platform.
As a further improvement, the signature verification front terminal platform further includes: the configuration module is used for configuring the API communication service; the cluster load algorithm module is used for selecting a specific IP address of an application sub-platform server of the signature verification platform; the log module is used for supporting printing logs;
and the character processing and basic algorithm module is used for providing character conversion and calculating MD5 values.
As another still further improvement, the signature verification application sub-platform includes: the TCP communication module is used for communicating with the signature verification front terminal platform and the signature verification management sub-platform through a TCP communication protocol; the thread scheduling module is used for carrying out pooling management on the service threads of the signature verification application sub-platform and is responsible for starting, scheduling, managing and maintaining the service threads; the cipher machine equipment management module is used for establishing short connection with the cipher machine and the signature verification and signature verification equipment, completing equipment state management, being responsible for communication with equipment and providing a complete equipment instruction interface for an interface; and the key cache management module is used for realizing a key cache establishment mechanism, a data storage mechanism, a data cleaning mechanism and a cache maintenance mechanism.
As an improvement, the signature verification application sub-platform further comprises: the log management module is used for carrying out log cache management, log queue management and maintenance and updating corresponding logs according to log level policy setting; the device monitoring module is used for detecting and monitoring the state of the cipher machine, the thread running state and the running state of each process of the system in near real time.
As an improvement, the signature verification management sub-platform comprises: the TCP communication module is used for communicating with the signature verification application sub-platform through a TCP communication protocol; the thread scheduling module is used for carrying out pooling management on certificate management service threads of the signature verification management sub-platform and is responsible for starting, service thread scheduling, management and maintenance of the service threads; the cluster management module is used for realizing cluster management on the signature verification management sub-platform and managing and controlling data synchronization and data update of the signature verification management sub-platform; and the database management module is used for maintaining connection with the database, communicating with the database and executing corresponding operation on the database.
As an improvement, the signature verification management sub-platform further comprises: the interface management module is used for providing a graphical interface management interface and supporting the access of Web application services; the log management module is used for carrying out log cache management, log queue management and maintenance and updating corresponding logs according to log level policy setting; the device monitoring module is used for detecting and monitoring signature device states, thread running states and running states of all processes of the system in near real time.
As an improvement, the digital signature verification platform runs on a dual-activity data center.
As an improvement, dynamically maintaining the IP address of the dual-active data center in the DNS server and returning an egress IP in the dual-active data center to the user for the user request; when one of the dual active data centers fails, the DNS server suspends its corresponding IP usage and directs subsequent user DNS requests to the remaining properly functioning data center outlets.
The invention also provides a digital signature verification system, which comprises: the certificate authentication center server is used for receiving the certificate management requests from the certificate authentication center management terminal and the certificate registration center server, performing management works such as registration, application, issuing, revocation, cancellation and the like of the digital certificate, and issuing a CRL list of the certificate and the certificate; the certificate authentication center management terminal is used for performing certificate authentication system policy management, certificate template management and certificate management; the certificate registration center server is used for sending a certificate management request to the certificate authentication center server and carrying out application, downloading, updating, freezing, thawing and revocation of the digital certificate; the key management center server is used for realizing the key management service of the encryption certificate and carrying out generation, distribution, storage, restoration and key history management of the encryption key; the certificate online state query server is used for providing a state online query service of the certificate; the user terminal is provided with a certificate downloading control which is used for key generation, certificate downloading, certificate updating, certificate revocation and key history acquisition; the encryption machine is used for encrypting the certificate authentication center server, the certificate registration center server, the key management center server and the certificate online state inquiry server.
The invention also provides a digital signature verification method, which is characterized by comprising the following steps: applying for a digital certificate; auditing the digital certificate application; generating a digital certificate after the verification is passed, and feeding back the identification after the certificate generation to the applicant; the applicant downloads the digital certificate and signs and verifies the signature using the digital certificate.
As an improvement, the application digital certificate includes: uploading applicant data to a certificate registry server by a user terminal; the registration center server compares the received applicant data with the database, and registers if the applicant is not registered; if so, the user UID is obtained from the registry server, and the UID, the applied certificate type, the certificate validity period and the certificate subject are recorded in a database of the registry server.
As an improvement, the auditing the digital certificate application includes: the registration center server examines the digital certificate application and verifies the true identity of the applicant; if the verification passes through the registry server, the record is set to a pass state, and a request for generating a certificate is sent to the certificate authority server.
As an improvement, the generating of the digital certificate and the feedback of the result to the applicant after the verification is passed comprises: the certificate authentication center server generates a digital signature from the identity information of the applicant; the certificate authentication center server generates a digital certificate by using the identity information and the digital signature of the applicant; the certificate authentication center server sends the identification of the generated certificate to the registration center server, and the registration center server forwards the identification to the user terminal.
As an improvement, the applicant downloads a digital certificate comprising: the user terminal sends a request for downloading the certificate to the registry server by using the identifier after the certificate is generated; the registration center server forwards the request for downloading the certificate to the certificate authentication center server; after receiving the digital certificate fed back by the certificate authentication center server, the registration center server writes the digital certificate into the applicant certificate carrier and delivers the digital certificate to the applicant.
As an improvement, the applicant calls a signature verification interface of a signature verification front terminal platform through an API when signing and verifying; searching corresponding certificate information in the signature verification application sub-platform cache, and if the certificate information exists in the signature verification application sub-platform cache, sending the certificate information and the message to hardware signature equipment; if the certificate information does not exist, searching in a database through the signature verification management sub-platform, sending the certificate information and the message to hardware signature equipment, and storing the certificate information to a signature verification application sub-platform for caching.
As an improvement, the applicant signs the certificate updating service of the application sub-platform through API call signature when the certificate is updated; the signature verification application sub-platform calls the signature hardware equipment to finish certificate updating and then sends certificate data to the corresponding signature verification management sub-platform; after the signature verification management sub-platform updates the certificate data to the corresponding database, transmitting the certificate updated information to other signature verification management sub-platforms; after receiving the certificate updating information, the other signature verification management sub-platforms update the certificate data and distribute the updated certificate data to all the signature verification application sub-platforms; and after receiving the certificate updating data, each signature verification application sub-platform updates the certificate data in each local cache.
The invention has the advantages that:
1. a thread pool. The signature verification application sub-platform and the management sub-platform both use the running structure of the thread pool. Through the utilization of the thread pool, on one hand, the consumption of system resources is reduced, and on the other hand, the task processing of the system is quickened, and the response speed of the service is provided.
2. Certificate caching. The name checking platform designs a caching mechanism, and directly acquires certificate key information from a cache when processing online transaction service so as to improve the processing efficiency of the service.
The signature verification application subsystem interacts with the management subsystem and loads certificate information in the management subsystem into the cache. When the signature verification platform processes the certificate related transaction request of the business application, the signature verification platform does not need to request the management subsystem every time, and can take out the certificate information in the cache according to the control of the strategy, so that the response speed of the service is improved.
3. Certificate data synchronization. The certificate information of each node in the application subsystem cluster of the signature verification platform is kept consistent, and the platform adopts a certificate data synchronization mechanism.
All application subsystem node certificate data in the cluster are consistent through a certificate information distribution mechanism of the management subsystem. All application subsystem nodes in the cluster can provide services to the outside. Upon receipt of the update credential data operation, the credential data is first updated into the database. And then notifying other management subsystem nodes, and submitting certificate data update after the other management subsystem nodes update the certificate data successfully. And distributing the certificate data to each application subsystem node to which the certificate belongs so as to update the cache by the application subsystem node. And after receiving the certificate data updating operation, the certificate data notification module load notifies the application subsystem of updating the certificate data in the cache in the management subsystem.
4. All-service system safe and reliable cryptographic algorithm.
5. The dual-active digital center architecture avoids large-area interruption of service after the data center fails.
6. Global load GTM, optimal transmission line, and guaranteed minimum response time.
7. Oracle RAC, high availability of databases and load balancing.
Drawings
Fig. 1 is a schematic diagram of a digital signature verification platform according to the present invention.
Fig. 2 is a schematic diagram of a digital signature verification system of the present invention.
Fig. 3 is a flow chart of the present invention.
Detailed Description
In order to make the technical scheme of the present invention better understood by those skilled in the art, the present invention will be further described in detail with reference to the following specific embodiments.
As shown in fig. 1, the digital signature verification platform of the present invention specifically includes:
the signature verification front terminal platform is used for providing front end support of the business application connection encryption and key transaction platform; the API adopts a load balancing technology, can support business application to access the signature verification platform application subsystem cluster, and improves service performance and high availability.
The signature verification application sub-platform is used for providing data security services.
The signature verification management sub-platform is used for carrying out core certificate data management, key management service and platform management coordination.
And the database is used for storing the core certificate data. The data layer is the storage of the core certificate data of the signature verification platform. The invention preferably adopts an Oracle database to realize data storage and access management. The management subsystem database module is responsible for interacting with the data layer, and adopts a TCP long connection mode.
The signature verification front terminal platform specifically comprises:
and the interface module is used for providing a function interface for external calling.
And the communication module is used for communicating with the signature verification application sub-platform.
And the message format assembling module is used for combining the request message into a message format which can be identified by the signature verification application sub-platform.
And the configuration module is used for configuring the API communication service.
And the cluster load algorithm module is used for selecting a specific IP address of the signature verification platform application sub-platform server.
And the log module is used for supporting the printing log.
The character processing and basic algorithm module is used for providing character conversion, calculating MD5 value and the like.
The signature verification application sub-platform is specifically supported by the following technical modules:
the TCP communication module is used for communicating with the signature verification front terminal platform and the signature verification management sub-platform through a TCP communication protocol; the communication module is responsible for message management, and after data is received, message analysis is carried out, and the message is transmitted into the encryption service thread pool.
The thread scheduling module is used for carrying out pooling management on the service threads of the signature verification application sub-platform and is responsible for starting, scheduling, management and maintenance of the service threads and the like; and the service logic flow processing is completed by dispatching the service task, and the final service request is completed by cooperation of each functional module.
The cipher machine equipment management module is used for establishing short connection with the cipher machine and the signature verification and signature verification equipment, completing equipment state management, being responsible for communication with equipment and providing a complete equipment instruction interface for an interface; the instruction interface of the cipher machine adopts the instruction queue technology.
And the key cache management module is used for realizing the mechanisms of key cache establishment, data storage, data cleaning, cache maintenance and the like.
The log management module is used for carrying out log cache management, log queue management and maintenance and updating corresponding logs according to log level policy setting.
The device monitoring module is used for detecting and monitoring the state of the cipher machine, the running state of the thread, the running state of each process of the system and the like in near real time.
The label checking management sub-platform can be supported by the following technical modules:
the TCP communication module is used for communicating with the signature verification application sub-platform through a TCP communication protocol; the communication module is responsible for message management.
The thread scheduling module is used for carrying out pooling management on certificate management service threads of the signature verification management sub-platform and is responsible for starting, service thread scheduling, management and maintenance of the service threads; by dispatching the dispatch service task, the business logic flow process is completed, and the final business request signature equipment management is completed by cooperating with each functional module: short connection is established with the cipher machine, equipment state management is completed, communication with equipment is carried out, and a complete equipment instruction interface is provided for the interface. The instruction interface of the cipher machine adopts the instruction queue technology.
The cluster management module is used for realizing cluster management on the signature verification management sub-platform and managing and controlling data synchronization and data update of the signature verification management sub-platform.
And the database management module is used for maintaining connection with the database, communicating with the database and executing SQL operation corresponding to the database.
The interface management module is used for providing a graphical interface management interface and supporting the access of Web application services; an administrator can access the management interface of the signature verification platform through a Web application service by a Web browser.
The log management module is used for carrying out log cache management, log queue management and maintenance and updating corresponding logs according to log level policy setting;
the device monitoring module is used for detecting and monitoring signature device states, thread running states and running states of all processes of the system in near real time.
In addition, in the embodiment, the digital signature verification platform runs on the dual-activity data center, in the working mode, all business systems of a user run on two data centers simultaneously, and simultaneously provide services for the user, and when an application system of one data center has a problem, the application of the other data center continuously provides services.
The advantages of the dual live data center are that: 1. fully utilizes resources and avoids waste caused by that one data center is in an idle state all the year round. By resource integration, the service capacity of a dual-lived data center is doubled. 2. If one data center is disconnected, the other data center is still running and is not perceived by the user.
The invention also has global load GTM, namely load balancing applied to the double-active data center, in order to solve the redundancy of traffic load and business between the data centers; positioning the user to the nearest data center with the fastest response; and realizing flexible switching of the service of the dual-active data center.
Specifically, IP addresses of several background data centers are dynamically maintained in a DNS server through intelligent DNS resolution, and the most suitable egress IP is returned according to an algorithm for a user request. If one of the data center outlets has a problem, the DNS server pauses the use of the corresponding IP address, and guides the subsequent user DNS request to other data center outlets still working normally, so that the load balance of the background resource is realized on the wide area network.
As shown in fig. 2, in addition, the present invention further provides a digital signature verification system, which is used as a hardware support of the digital signature verification platform, and specifically includes:
and the certificate authentication center Server (CA Server, certificate Authority Server) is used for receiving the certificate management requests from the certificate authentication center management terminal and the certificate registration center Server, performing management works such as registration, application, issuing, revocation, cancellation and the like of the digital certificate, and issuing a CRL list of the certificate and the certificate.
And a certificate authority management terminal (CA Server, certificate Authority Server) for performing certificate authority system policy management, certificate template management and certificate management.
And the certificate registration center Server (RA Server, registration Authority Server) is used for sending a certificate management request to the certificate authentication center Server and carrying out application, downloading, updating, freezing, thawing and revocation of the digital certificate.
A key management center Server (KMC Server, key Management Center Server) for implementing a key management service of the encryption certificate, and performing generation, distribution, preservation, restoration, and key history management of the encryption key.
And the certificate online state query server is used for providing a certificate online state query service.
And the user terminal is provided with a certificate downloading control which is used for key generation, certificate downloading, certificate updating, certificate revocation and key history acquisition.
The encryption machine is used for encrypting the certificate authentication center server, the certificate registration center server, the key management center server and the certificate online state inquiry server.
As shown in fig. 3, the present invention further provides a digital signature verification method, which specifically includes:
s1, applying for a digital certificate;
s2, checking the digital certificate application;
s3, generating a digital certificate after the verification is passed, and feeding back the identification after the certificate is generated to the applicant;
s4, the applicant downloads the digital certificate and signs and verifies the signature by using the digital certificate.
The step S1 specifically comprises the following steps:
s11, the user terminal uploads the applicant data to a certificate registry server;
s12, the registration center server compares the received applicant data with the database, and registers if the applicant is not registered; if so, the user UID is obtained from the registry server, and the UID, the applied certificate type, the certificate validity period and the certificate subject are recorded in a database of the registry server.
The step S2 specifically comprises the following steps:
s21, the registration center server examines the digital certificate application and verifies the true identity of the applicant;
s22, if the verification passes through the registration center server, the record is set to be in a passing state, and a request for generating a certificate is sent to the certificate authentication center server.
The step S3 specifically comprises the following steps:
s31, the certificate authentication center server generates a digital signature from the identity information of the applicant;
s32, the certificate authentication center server generates a digital certificate by using the identity information and the digital signature of the applicant;
s33, the certificate authentication center server sends the identification of the generated certificate to the registration center server, and the registration center server forwards the identification to the user terminal.
The step S4 specifically comprises the following steps:
s41, the user terminal sends a request for downloading the certificate to the registry server by using the identifier after the certificate is generated;
s42, the registry server forwards a request for downloading the certificate to the certificate authority server;
s43, after receiving the digital certificate fed back by the certificate authentication center server, the registration center server writes the digital certificate into an applicant certificate carrier and delivers the digital certificate to the applicant;
s44, the applicant performs signature verification work by using the certificate.
In addition, when the user calls the signature verification interface through the API by the third party application system, certificate information is called, and the certificate and the message are sent to the hardware signature equipment. In order to reduce the system overhead, the invention adopts a certificate caching mechanism, which specifically comprises the following steps:
s51, the applicant calls a signature verification interface of a terminal platform before signature verification through an API when signing and verification;
s52, searching corresponding certificate information in the signature verification application sub-platform cache, and if the certificate information exists in the signature verification application sub-platform cache, sending the certificate information together with the message to hardware signature equipment; if the certificate information does not exist, searching in a database through the signature verification management sub-platform, sending the certificate information and the message to hardware signature equipment, and storing the certificate information to a signature verification application sub-platform for caching.
Because the platform runs on the double data centers, when the applicant performs certificate updating, the applicant also performs certificate data synchronization, and the specific steps include:
s61, when the applicant updates the certificate, the API calls a certificate updating service of the signature verification application sub-platform;
s62, the signature verification application sub-platform calls the signature hardware equipment to finish certificate updating and then sends certificate data to the corresponding signature verification management sub-platform;
s63, after the signature verification management sub-platform updates the certificate data to the corresponding database, transmitting the certificate updated information to other signature verification management sub-platforms;
s64, after receiving the certificate updating information, the other signature verification management sub-platforms update the certificate data, and distribute the updated certificate data to all the signature verification application sub-platforms;
s65, after each signature verification application sub-platform receives the certificate updating data, the certificate data in each local cache are updated.
The certificate information is placed in a database of the signature verification management sub-platform and is stored in a local cache of the signature verification application sub-platform, and the signature verification management sub-platform and the signature verification application sub-platform are more than one server, so that a data synchronization mechanism of the certificate information is provided. Take two application sub-platforms (A, B) and management sub-platforms (a, b) as examples
And the third party system calls the certificate updating service of the application sub-platform (A) through the API interface, and the application sub-system calls the signature hardware equipment to update and then sends the signature hardware equipment to the management sub-platform (a). Firstly, the management sub-platform (a) updates the certificate data into the database, then notifies the b management sub-platform, and submits the certificate data to update after waiting for the node of the b management sub-platform to update the certificate data successfully. And distributing the updated certificate data to each application sub-platform (A, B), and after receiving the update information, the application sub-platform updates the local certificate information.
The foregoing is merely a preferred embodiment of the present invention, and it should be noted that the above-mentioned preferred embodiment should not be construed as limiting the invention, and the scope of the invention should be defined by the appended claims. It will be apparent to those skilled in the art that various modifications and adaptations can be made without departing from the spirit and scope of the invention, and such modifications and adaptations are intended to be comprehended within the scope of the invention.
Claims (13)
1. A digital signature verification method is applied to a digital signature verification platform, and is characterized in that: the digital signature verification platform comprises: the signature verification front terminal platform is used for providing front end support of the business application connection encryption and key transaction platform; the signature verification application sub-platform is used for providing data security service; the signature verification management sub-platform is used for carrying out core certificate data management, key management service and platform management coordination; the database is used for storing core certificate data; the digital signature verification method is operated on a dual-activity data center;
the digital signature verification method comprises the following steps:
applying for a digital certificate;
auditing the digital certificate application;
generating a digital certificate after the verification is passed, and feeding back the identification after the certificate generation to the applicant;
the applicant downloads the digital certificate and signs and verifies the signature by using the digital certificate;
when the applicant updates the certificate, signing and signing the certificate updating service of the application sub-platform through the API call; the signature verification application sub-platform calls the signature hardware equipment to finish certificate updating and then sends certificate data to the corresponding signature verification management sub-platform;
after the signature verification management sub-platform updates the certificate data to the corresponding database, transmitting the certificate updated information to other signature verification management sub-platforms;
after receiving the certificate updating information, the other signature verification management sub-platforms update the certificate data and distribute the updated certificate data to all the signature verification application sub-platforms;
and after receiving the certificate updating data, each signature verification application sub-platform updates the certificate data in each local cache.
2. A digital signature verification method as recited in claim 1, wherein said signature verification front terminal platform comprises:
the interface module is used for providing a function interface for external calling;
the communication module is used for communicating with the signature verification application sub-platform;
and the message format assembling module is used for combining the request message into a message format which can be identified by the signature verification application sub-platform.
3. A digital signature verification method as recited in claim 2, wherein said signature verification front terminal platform further comprises:
the configuration module is used for configuring the API communication service;
the cluster load algorithm module is used for selecting a specific IP address of the signature verification application sub-platform server;
the log module is used for supporting printing logs;
and the character processing and basic algorithm module is used for providing character conversion and calculating MD5 values.
4. The digital signature verification method as claimed in claim 1, wherein said signature verification application sub-platform comprises:
the TCP communication module is used for communicating with the signature verification front terminal platform and the signature verification management sub-platform through a TCP communication protocol;
the thread scheduling module is used for carrying out pooling management on the service threads of the signature verification application sub-platform and is responsible for starting, scheduling, managing and maintaining the service threads;
the cipher machine equipment management module is used for establishing short connection with the cipher machine and the signature verification equipment, completing equipment state management, being responsible for communication with the equipment and providing a complete equipment instruction interface for the interface;
and the key cache management module is used for realizing a key cache establishment mechanism, a data storage mechanism, a data cleaning mechanism and a cache maintenance mechanism.
5. The digital signature verification method as recited in claim 4, wherein said signature verification application sub-platform further comprises:
the log management module is used for carrying out log cache management, log queue management and maintenance and updating corresponding logs according to log level policy setting;
the device monitoring module is used for detecting and monitoring the state of the cipher machine, the thread running state and the running state of each process of the system in near real time.
6. A digital signature verification method as recited in claim 1, wherein said signature verification management sub-platform comprises:
the TCP communication module is used for communicating with the signature verification application sub-platform through a TCP communication protocol;
the thread scheduling module is used for carrying out pooling management on certificate management service threads of the signature verification management sub-platform and is responsible for starting, service thread scheduling, management and maintenance of the service threads;
the cluster management module is used for realizing cluster management on the signature verification management sub-platform and managing and controlling data synchronization and data update of the signature verification management sub-platform;
and the database management module is used for maintaining connection with the database, communicating with the database and executing corresponding operation on the database.
7. The digital signature verification method as recited in claim 6, wherein said signature verification management sub-platform further comprises:
the interface management module is used for providing a graphical interface management interface and supporting the access of Web application services;
the log management module is used for carrying out log cache management, log queue management and maintenance and updating corresponding logs according to log level policy setting;
the device monitoring module is used for detecting and monitoring signature device states, thread running states and running states of all processes of the system in near real time.
8. The digital signature verification method as claimed in claim 1, wherein: dynamically maintaining the IP address of the dual-activity data center in the DNS server, and returning one exit IP in the dual-activity data center to the user for the user request; when one of the dual active data centers fails, the DNS server suspends its corresponding IP usage and directs subsequent user DNS requests to the remaining properly functioning data center outlets.
9. A digital signature verification method as recited in claim 1, wherein said applying for a digital certificate includes:
uploading applicant data to a certificate registry server by a user terminal;
the registration center server compares the received applicant data with the database, and registers if the applicant is not registered; if so, the user UID is obtained from the registry server, and the UID, the applied certificate type, the certificate validity period and the certificate subject are recorded in a database of the registry server.
10. The digital signature verification method as recited in claim 1, wherein said verifying the digital certificate application comprises:
the registration center server examines the digital certificate application and verifies the true identity of the applicant;
if the verification passes through the registry server, the record is set to a pass state, and a request for generating a certificate is sent to the certificate authority server.
11. The digital signature verification method as recited in claim 1, wherein generating a digital certificate after the verification is passed and feeding back the result to the applicant comprises:
the certificate authentication center server generates a digital signature from the identity information of the applicant;
the certificate authentication center server generates a digital certificate by using the identity information and the digital signature of the applicant;
the certificate authentication center server sends the identification of the generated certificate to the registration center server, and the registration center server forwards the identification to the user terminal.
12. A digital signature verification method as recited in claim 1, wherein said applicant downloads a digital certificate comprising:
the user terminal sends a request for downloading the certificate to the registry server by using the identifier after the certificate is generated;
the registration center server forwards the request for downloading the certificate to the certificate authentication center server;
after receiving the digital certificate fed back by the certificate authentication center server, the registration center server writes the digital certificate into the applicant certificate carrier and delivers the digital certificate to the applicant.
13. The digital signature verification method as claimed in claim 1, wherein:
the applicant calls a signature verification interface of a signature verification front terminal platform through an API when signing and verifying;
searching corresponding certificate information in the signature verification application sub-platform cache, and if the certificate information exists in the signature verification application sub-platform cache, sending the certificate information and the message to hardware signature equipment; if the certificate information does not exist, searching in a database through the signature verification management sub-platform, sending the certificate information and the message to hardware signature equipment, and storing the certificate information to a signature verification application sub-platform for caching.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210013110.6A CN114679275B (en) | 2022-01-06 | 2022-01-06 | Digital signature verification method, platform and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210013110.6A CN114679275B (en) | 2022-01-06 | 2022-01-06 | Digital signature verification method, platform and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114679275A CN114679275A (en) | 2022-06-28 |
CN114679275B true CN114679275B (en) | 2024-04-12 |
Family
ID=82071301
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210013110.6A Active CN114679275B (en) | 2022-01-06 | 2022-01-06 | Digital signature verification method, platform and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114679275B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2518670A1 (en) * | 2010-09-07 | 2012-10-31 | ZTE Corporation | System and method for remote payment based on mobile terminal |
CN103368902A (en) * | 2012-03-27 | 2013-10-23 | 湖南亲安网络科技有限公司 | Data interaction method |
CN104052597A (en) * | 2013-03-11 | 2014-09-17 | 江苏国盾科技实业有限责任公司 | Certificate issuing system based on SM2 algorithm |
CN108432180A (en) * | 2015-11-13 | 2018-08-21 | 维萨国际服务协会 | Method and system for the certification based on PKI |
CN110598482A (en) * | 2019-09-30 | 2019-12-20 | 腾讯科技(深圳)有限公司 | Block chain-based digital certificate management method, device, equipment and storage medium |
-
2022
- 2022-01-06 CN CN202210013110.6A patent/CN114679275B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2518670A1 (en) * | 2010-09-07 | 2012-10-31 | ZTE Corporation | System and method for remote payment based on mobile terminal |
CN103368902A (en) * | 2012-03-27 | 2013-10-23 | 湖南亲安网络科技有限公司 | Data interaction method |
CN104052597A (en) * | 2013-03-11 | 2014-09-17 | 江苏国盾科技实业有限责任公司 | Certificate issuing system based on SM2 algorithm |
CN108432180A (en) * | 2015-11-13 | 2018-08-21 | 维萨国际服务协会 | Method and system for the certification based on PKI |
CN110598482A (en) * | 2019-09-30 | 2019-12-20 | 腾讯科技(深圳)有限公司 | Block chain-based digital certificate management method, device, equipment and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN114679275A (en) | 2022-06-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101197851B (en) | Method and system for implementing control of plane centralized type data plane distribution | |
EP2156308B1 (en) | Extensible and programmable multi-tenant service architecture | |
WO2019061720A1 (en) | Data synchronization method and system | |
US20120072728A1 (en) | Retrieving and using cloud based storage credentials | |
CN101714996B (en) | Authentication system and method based on peer-to-peer computing network | |
CN102138307B (en) | Method and system for load balancing for services | |
CN105607954A (en) | Stateful container online migration method and apparatus | |
US11068398B2 (en) | Distributed caching system | |
WO2020186807A1 (en) | System and method for power data linking based on blockchain technology | |
CN112612629A (en) | Method and system for realizing component type data interface | |
US8209412B2 (en) | Methods for managing a plurality of devices using protectable communication protocol, including determination of marketing feedback to assess a response to an advertisement | |
US10817327B2 (en) | Network-accessible volume creation and leasing | |
CN111030818A (en) | Uniform session management method and system based on micro-service gateway | |
US9104488B2 (en) | Support server for redirecting task results to a wake-up server | |
WO2023051232A1 (en) | Computing cluster system, security authentication method, node device and storage medium | |
US9100277B2 (en) | Client credentials data structure and method of employing the same | |
US9390052B1 (en) | Distributed caching system | |
CN101771724B (en) | Heterogeneous distributed information integration method, device and system | |
CN107872492B (en) | Method and device for supporting multi-user editing of data object at server | |
CN109246212B (en) | Multi-bank data interaction implementation method based on long connection | |
CN114679275B (en) | Digital signature verification method, platform and system | |
Collins et al. | Online payments by merely broadcasting messages (extended version) | |
CN114157448A (en) | Method, device, terminal and storage medium for establishing and deploying password service platform | |
WO2024103943A1 (en) | Service processing method and apparatus, storage medium, and device | |
CN102333248B (en) | A kind of realization method and system of dynamic distribution management platform service address |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |