CN115021917B - Certificate-based security verification method, system, equipment and medium - Google Patents

Info

Publication number
CN115021917B
Authority
CN
China
Prior art keywords
certificate
client
downloading
interface
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210724037.3A
Other languages
Chinese (zh)
Other versions
CN115021917A (en)
Inventor
张雪
赵海兴
岳凯
陈雷
荀海峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chaozhou Zhuoshu Big Data Industry Development Co Ltd
Original Assignee
Chaozhou Zhuoshu Big Data Industry Development Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chaozhou Zhuoshu Big Data Industry Development Co Ltd
Priority to CN202210724037.3A
Publication of CN115021917A
Application granted
Publication of CN115021917B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/088 Usage controlling of secret information, e.g. techniques for restricting cryptographic keys to pre-authorized uses, different access levels, validity of crypto-period, different key- or password length, or different strong and weak cryptographic algorithms
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The application discloses a certificate-based security verification method, system, equipment and medium, intended to solve the technical problem that a client can no longer complete bidirectional authentication with a server once its certificate has become invalid. The method comprises the following steps: the client acquires a preset first certificate and a preset second certificate; the client is provided with a plurality of interfaces, the first certificate corresponds to the certificate downloading interface, the second certificate corresponds to the application interface, and the application interface comprises all interfaces other than the certificate downloading interface; the client verifies the first certificate and the second certificate to obtain a corresponding verification result; and when the verification result shows that the second certificate is invalid, the client downloads an updated second certificate through the certificate downloading interface, so as to perform bidirectional authentication with the server through the updated second certificate and the first certificate.

Description

Certificate-based security verification method, system, equipment and medium
Technical Field
The application relates to the technical field of computers, in particular to a certificate-based security verification method, a system, equipment and a medium.
Background
A certificate enables encrypted transmission and identity authentication, so that data cannot be stolen or tampered with in transit, which ensures the security and integrity of the data. Bidirectional authentication between the client and the server through certificates effectively protects interface data.
However, the local certificate preset in the client is packaged into the installation package in a specific way, and the installation package cannot be modified once the application is online. The remaining validity period of the certificate therefore only shrinks over time; once the certificate is invalid it can no longer play its role in security verification, and the scheme has little fault tolerance.
Disclosure of Invention
To solve the above problems, the present application proposes a certificate-based security verification method, comprising: the client acquires a preset first certificate and a preset second certificate, where the client is provided with a plurality of interfaces, the first certificate corresponds to a certificate downloading interface, the second certificate corresponds to an application interface, and the application interface comprises all interfaces other than the certificate downloading interface;
the client verifies the first certificate and the second certificate to obtain a corresponding verification result;
and when the verification result shows that the second certificate is invalid, the client downloads an updated second certificate through the certificate downloading interface, so as to perform bidirectional authentication with the server through the updated second certificate and the first certificate.
In one implementation of the present application, before verifying the first certificate and the second certificate, the method further includes:
The server determines a domain name corresponding to the client and certificate verification information corresponding to the domain name, and sends the certificate verification information to the client;
the certificate verification information can be obtained according to a third certificate and a fourth certificate preset by the server, the third certificate corresponds to the certificate downloading interface, and the fourth certificate corresponds to the application interface.
In one implementation manner of the present application, the verification of the first certificate and the second certificate to obtain corresponding verification results specifically includes:
The client matches the received certificate verification information against the first certificate and the second certificate respectively, to determine whether the third certificate information and fourth certificate information carried in the certificate verification information are consistent with the first certificate information contained in the first certificate and the second certificate information contained in the second certificate, respectively;
if either comparison fails, the corresponding first certificate and/or second certificate is determined to be invalid.
In one implementation manner of the present application, determining that the updated second certificate is downloaded through the certificate download interface when the second certificate is invalid specifically includes:
The server receives a downloading instruction sent by the client, wherein the downloading instruction carries a domain name of the client and a second certificate identifier;
and acquiring an updated second certificate matched with the client according to the second certificate identifier, and issuing the updated second certificate to the client matched with the domain name.
In one implementation of the application, the validity period of the first certificate is greater than the validity period of the second certificate.
In one implementation of the present application, the method further includes:
When the duration between the current network time and the expiration time of the domain name of the client is smaller than a preset value, the server generates certificate invalidation prompt information and sends the certificate invalidation prompt information to the client; the expiration time of the domain name comprises expiration time corresponding to the first certificate and expiration time corresponding to the second certificate respectively.
In one implementation manner of the present application, the certificate verification information at least includes any one of the following: public key information, certificate information;
the certificate information includes any one or more of the following: serial number, version, issuer, expiration date.
The embodiment of the application provides a certificate-based security verification system, which is characterized by comprising a client and a server;
The client is used for acquiring a preset first certificate and a preset second certificate; the client is provided with a plurality of interfaces, the first certificate corresponds to a certificate downloading interface, the second certificate corresponds to an application interface, and the application interface is other interfaces except the certificate downloading interface among the interfaces;
the client is used for checking the first certificate and the second certificate to obtain a corresponding checking result;
and the client is used for determining that when the second certificate is invalid, the updated second certificate is downloaded through the certificate download interface so as to perform bidirectional authentication with the server through the updated second certificate and the first certificate.
The embodiment of the application provides a certificate-based security verification device, which is characterized by being applied to a client, and comprising: at least one processor;
and a memory communicatively coupled to the at least one processor; wherein,
The memory stores instructions executable by the at least one processor to enable the at least one processor to:
Acquiring a preset first certificate and a preset second certificate; the client is provided with a plurality of interfaces, the first certificate corresponds to a certificate downloading interface, the second certificate corresponds to an application interface, and the application interface is other interfaces except the certificate downloading interface among the interfaces;
checking the first certificate and the second certificate to obtain a corresponding checking result;
And according to the verification result, determining that when the second certificate is invalid, downloading the updated second certificate through the certificate downloading interface so as to perform bidirectional authentication with the server through the updated second certificate and the first certificate.
An embodiment of the present application provides a nonvolatile computer storage medium storing computer-executable instructions, applied to a client, the computer-executable instructions being configured to:
Acquiring a preset first certificate and a preset second certificate; the client is provided with a plurality of interfaces, the first certificate corresponds to a certificate downloading interface, the second certificate corresponds to an application interface, and the application interface is other interfaces except the certificate downloading interface among the interfaces;
checking the first certificate and the second certificate to obtain a corresponding checking result;
And according to the verification result, determining that when the second certificate is invalid, downloading the updated second certificate through the certificate downloading interface so as to perform bidirectional authentication with the server through the updated second certificate and the first certificate.
The certificate-based security verification method provided by the application has the following beneficial effects:
according to the embodiment of the application, the client and the server perform two-way authentication through the first certificate and the second certificate, which effectively avoids the risk of packet capture; and because of the difference in expiration times, the period during which two-way authentication remains possible is effectively extended and the robustness of the program is improved. Thanks to the difference in invalidation time between the two certificates, when the second certificate is invalid the certificate downloading interface is still verified through the first certificate, and once that check passes the updated second certificate is downloaded through the certificate downloading interface. This realizes automatic updating of the certificate, makes the verification process more flexible and gives it stronger fault tolerance.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
fig. 1 is a schematic flow chart of a certificate-based security verification method according to an embodiment of the present application;
fig. 2 is a diagram of a client service architecture according to an embodiment of the present application;
fig. 3 is a diagram illustrating an update example of a client certificate according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a certificate-based security verification device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be clearly and completely described below with reference to specific embodiments of the present application and corresponding drawings. It will be apparent that the described embodiments are only some, but not all, embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
A digital certificate (for example, an SSL certificate) is issued by a trusted certificate authority; by establishing an SSL secure channel between the client and the server, data can be transmitted in encrypted form, which ensures the security of the information exchanged by both parties. However, because keys have a short service life and organization information is updated ever more frequently, the validity time of a certificate keeps shrinking, and once the local certificate is invalid, bidirectional authentication between the client and the server can no longer be carried out. A security verification scheme for the period after the client's SSL certificate has become invalid is therefore needed, so that the local certificate and the server certificate are again the same certificate, bidirectional authentication and identity authentication can be completed, and the application interface can be guaranteed to obtain server data normally.
The following describes in detail the technical solutions provided by the embodiments of the present application with reference to the accompanying drawings.
As shown in fig. 1, the certificate-based security verification method provided by the embodiment of the application includes:
S101: the client acquires a preset first certificate and a preset second certificate; the client is provided with a plurality of interfaces, the first certificate corresponds to the certificate downloading interface, the second certificate corresponds to the application interface, and the application interface is other interfaces except the certificate downloading interface in the interfaces.
After the client APP starts, the embodiment of the application can use a dual-certificate mode for security verification. The client is provided with a plurality of interfaces, comprising a certificate downloading interface and the application interface, i.e. every interface other than the certificate downloading interface. The first certificate is used to verify the certificate downloading interface, through which the latest version of a certificate can be downloaded after a certificate has become invalid; the second certificate is used to verify the application interface, which carries the data transmission between the client and the server.
It should be noted that the validity period of the first certificate is longer than that of the second certificate, so that when the second certificate is invalid, the certificate downloading interface can still be verified through the first certificate, which remains valid, and an updated second certificate can be downloaded again through the certificate downloading interface. This keeps both certificates valid, realizes bidirectional authentication between the client and the server, and effectively avoids the risk of packet capture. Of course, the first certificate and the second certificate may also have validity periods of the same length, provided that their expiration times are separated by a certain interval, so that after one certificate expires, authentication can still be completed through the other, unexpired certificate; compared with authentication using a single certificate, the time during which two-way authentication is possible is thus effectively extended.
S102: and the client verifies the first certificate and the second certificate to obtain a corresponding verification result.
After the first certificate and the second certificate are obtained, the server determines the domain name of the client and the certificate verification information corresponding to that domain name, and sends the certificate verification information to the client, so that the client can verify its local first certificate and second certificate against it and obtain a corresponding verification result. The certificate verification information is obtained from a third certificate and a fourth certificate preset at the server; the third certificate corresponds to the certificate downloading interface and the fourth certificate corresponds to the application interface. The certificate verification information comprises at least one of the following: public key information, certificate information; the certificate information comprises any one or more of the following: serial number, version, issuer, expiration date.
Specifically, the client matches the received certificate verification information against the first certificate and the second certificate respectively, to determine whether the third certificate information and fourth certificate information carried in the certificate verification information are consistent with the first certificate information contained in the first certificate and the second certificate information contained in the second certificate, respectively. If they are consistent, both the first certificate and the second certificate are still valid; if one or both are inconsistent, the first certificate and/or the second certificate is invalid and must be updated at this point, so that security verification between the client and the server is maintained.
S103: and the client determines that when the second certificate is invalid, the updated second certificate is downloaded through the certificate download interface so as to perform bidirectional authentication with the server through the updated second certificate and the first certificate.
After the client obtains the verification result, it can determine from that result which certificate is currently invalid. In the client service architecture shown in fig. 2: if the first certificate has expired and the server has updated the corresponding third certificate, the public key and other information of the first certificate no longer match. During security verification an error then appears on the certificate downloading interface, but that error does not affect certificate verification of the application interface: because the second certificate has not expired at this time, the server's fourth certificate and the second certificate are still consistent, bidirectional authentication passes, all interfaces other than the erroring certificate downloading interface work normally, and the APP functions of the client can be used normally. If the first certificate has not expired, the server's third certificate matches the public key and other information of the first certificate, so the certificate downloading interface passes the security check; the application interface also passes because the second certificate and the fourth certificate are consistent. All interfaces are then in a normal state and the APP functions can be used normally.
When the second certificate has expired, there are again two cases. If the first certificate has also expired, both the certificate downloading interface and the application interface report errors, the APP functions cannot be used normally, and the first certificate and the second certificate must be updated to a new version by manual updating. If the first certificate has not expired, the client sends a downloading instruction to the server carrying the domain name of the client and the second certificate identifier; on receiving it, the server obtains the updated second certificate (namely the fourth certificate) matching the client according to the second certificate identifier and sends it to the client matching the domain name, so that the client completes the update of the second certificate and the APP functions can be used normally.
In one embodiment, the client can be reminded in advance, by means of a generated prompt, to update its certificate on time, which reduces the number of certificate checks needed when the client APP starts. When the duration between the current network time and the expiration time of the domain name of the client is less than a preset value, the server generates certificate invalidation prompt information and sends it to the client, so that the client is prompted to update its local certificate in time, which further shortens the APP start-up time. The expiration time of the domain name covers the expiration times corresponding to the first certificate and the second certificate respectively; it is understood to be a point in time before the expiration times in the first certificate and the second certificate.
Fig. 3 shows an update example of a client certificate provided in the present application. As shown in fig. 3, after the first certificate expires, the updated first certificate is obtained by manual updating; after the second certificate expires, the updated second certificate can be obtained automatically through the certificate downloading interface. When the client has a new requirement to go online, the second certificate can also be updated manually, which reduces the number of certificate downloads and speeds up APP start-up.
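To make the S101-S103 flow and the early-expiry prompt concrete, here is an added Python sketch (not the patent's or the assignee's code) that models the client's two preset certificates, the server's third and fourth certificates, the field-by-field consistency check, the four-way decision from the fig. 2 discussion, the certificate downloading interface guarded by the first certificate, and the domain expiration prompt. The class and function names, the `SECOND_CERT_ID` value, and the sample certificate contents are assumptions; plain strings stand in for X.509 fields.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


@dataclass(frozen=True)
class CertInfo:
    """Certificate information fields the description lists, plus the public key (constructed)."""
    serial: str
    version: int
    issuer: str
    expires: datetime
    public_key: str  # placeholder string; a real client would compare the SubjectPublicKeyInfo


class Action(Enum):
    ALL_OK = "all interfaces usable"
    DOWNLOAD_IFACE_ERROR = "download interface errors; application interface still usable"
    AUTO_UPDATE_SECOND = "second certificate invalid; fetch updated copy via download interface"
    MANUAL_UPDATE = "both certificates invalid; manual update required"


SECOND_CERT_ID = "application-interface"  # assumed form of the 'second certificate identifier'


def info_matches(local: CertInfo, remote: CertInfo) -> bool:
    """S102: compare a preset client certificate field by field with the verification
    information the server derived from its counterpart (third or fourth certificate)."""
    return local == remote


def decide(first_ok: bool, second_ok: bool) -> Action:
    """S103 decision table as laid out in the fig. 2 discussion."""
    if second_ok:
        return Action.ALL_OK if first_ok else Action.DOWNLOAD_IFACE_ERROR
    return Action.AUTO_UPDATE_SECOND if first_ok else Action.MANUAL_UPDATE


def expiry_prompt_due(now: datetime, first: CertInfo, second: CertInfo,
                      threshold: timedelta) -> bool:
    """Server-side early warning: the domain's expiration time is the earlier of the two
    certificate expirations; a prompt is due when less than `threshold` remains."""
    return min(first.expires, second.expires) - now < threshold


class Server:
    """Keeps the third (download interface) and fourth (application interface) certificate per domain."""
    def __init__(self, certs: dict[str, tuple[CertInfo, CertInfo]]):
        self.certs = certs

    def verification_info(self, domain: str) -> tuple[CertInfo, CertInfo]:
        return self.certs[domain]

    def download_second(self, domain: str, cert_id: str, presented_first: CertInfo) -> CertInfo:
        """Certificate download interface, itself guarded by the first/third pair:
        a client whose first certificate no longer matches is refused."""
        third, fourth = self.certs[domain]
        if not info_matches(presented_first, third):
            raise PermissionError("download interface: first certificate check failed")
        if cert_id != SECOND_CERT_ID:
            raise KeyError(cert_id)
        return fourth


class Client:
    def __init__(self, domain: str, first: CertInfo, second: CertInfo):
        self.domain, self.first, self.second = domain, first, second

    def verify(self, server: Server) -> Action:
        third, fourth = server.verification_info(self.domain)
        return decide(info_matches(self.first, third), info_matches(self.second, fourth))

    def startup_check(self, server: Server) -> Action:
        """S101-S103 at APP start: verify, then auto-update the second certificate if it alone is invalid."""
        action = self.verify(server)
        if action is Action.AUTO_UPDATE_SECOND:
            self.second = server.download_second(self.domain, SECOND_CERT_ID, self.first)
            action = self.verify(server)  # re-check with the refreshed second certificate
        return action


def make_cert(serial: str, days: int, key: str) -> CertInfo:
    """Constructed sample certificate valid for `days` days from 2025-01-01."""
    return CertInfo(serial, 3, "Example CA (constructed)",
                    datetime(2025, 1, 1, tzinfo=timezone.utc) + timedelta(days=days), key)


# Constructed scenario: the first certificate outlives the second (730 vs 365 days),
# and the server has already rotated its fourth certificate.
FIRST = make_cert("0x01", 730, "pk-first")
OLD_SECOND = make_cert("0x02", 365, "pk-second-old")
NEW_SECOND = make_cert("0x03", 730, "pk-second-new")


def demo() -> tuple[Action, Action]:
    server = Server({"app.example": (FIRST, NEW_SECOND)})
    client = Client("app.example", FIRST, OLD_SECOND)
    before = client.verify(server)  # AUTO_UPDATE_SECOND
    return before, client.startup_check(server)  # then ALL_OK


def prompt_demo() -> tuple[bool, bool]:
    """Prompt is due 17 days before OLD_SECOND expires; not due once the second certificate is refreshed."""
    now = datetime(2025, 12, 15, tzinfo=timezone.utc)
    return (expiry_prompt_due(now, FIRST, OLD_SECOND, timedelta(days=30)),
            expiry_prompt_due(now, FIRST, NEW_SECOND, timedelta(days=30)))
```

Calling `demo()` returns `(Action.AUTO_UPDATE_SECOND, Action.ALL_OK)` and `prompt_demo()` returns `(True, False)`; swapping the client's first certificate for one that no longer matches makes `download_second` refuse the request, which is the case the text resolves by manual updating.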
The above is a method embodiment of the present application. Based on the same thought, one or more embodiments of the present disclosure further provide a system, an apparatus, and a medium corresponding to the above method.
The embodiment of the application provides a certificate-based security verification system, which comprises a client and a server;
The client is used for acquiring a preset first certificate and a preset second certificate; the client is provided with a plurality of interfaces, the first certificate corresponds to the certificate downloading interface, the second certificate corresponds to the application interface, and the application interface is other interfaces except the certificate downloading interface in the interfaces;
The client is used for checking the first certificate and the second certificate to obtain corresponding checking results;
And the client is used for determining that when the second certificate is invalid, the updated second certificate is downloaded through the certificate download interface so as to perform bidirectional authentication with the server through the updated second certificate and the first certificate.
Fig. 4 is a schematic diagram of a certificate-based security verification device, provided in an embodiment of the present application, applied to a client, where the device includes: at least one processor;
And a memory communicatively coupled to the at least one processor; wherein,
The memory stores instructions executable by the at least one processor to enable the at least one processor to:
acquiring a preset first certificate and a preset second certificate; the client is provided with a plurality of interfaces, the first certificate corresponds to the certificate downloading interface, the second certificate corresponds to the application interface, and the application interface is other interfaces except the certificate downloading interface in the interfaces;
checking the first certificate and the second certificate to obtain a corresponding checking result;
And according to the verification result, when the second certificate is invalid, downloading the updated second certificate through the certificate downloading interface so as to perform bidirectional authentication with the server through the updated second certificate and the first certificate.
The embodiment of the application provides a nonvolatile computer storage medium, which stores computer executable instructions, and is applied to a client, wherein the computer executable instructions are set as follows:
acquiring a preset first certificate and a preset second certificate; the client is provided with a plurality of interfaces, the first certificate corresponds to the certificate downloading interface, the second certificate corresponds to the application interface, and the application interface is other interfaces except the certificate downloading interface in the interfaces;
checking the first certificate and the second certificate to obtain a corresponding checking result;
And according to the verification result, when the second certificate is invalid, downloading the updated second certificate through the certificate downloading interface so as to perform bidirectional authentication with the server through the updated second certificate and the first certificate.
The embodiments of the present application are described in a progressive manner, and the same and similar parts of the embodiments are all referred to each other, and each embodiment is mainly described in the differences from the other embodiments. In particular, for the apparatus and medium embodiments, the description is relatively simple, as it is substantially similar to the method embodiments, with reference to the section of the method embodiments being relevant.
The devices and media provided in the embodiments of the present application are in one-to-one correspondence with the methods, so that the devices and media also have similar beneficial technical effects as the corresponding methods, and since the beneficial technical effects of the methods have been described in detail above, the beneficial technical effects of the devices and media are not repeated here.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or nonvolatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, Phase Change Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transmission media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and variations of the present application will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. which come within the spirit and principles of the application are to be included in the scope of the claims of the present application.

Claims (7)

1. A certificate-based security verification method, the method comprising:
The client acquires a preset first certificate and a preset second certificate; the client is provided with a plurality of interfaces, the first certificate corresponds to a certificate downloading interface, the second certificate corresponds to an application interface, and the application interface is other interfaces except the certificate downloading interface among the interfaces;
the client verifies the first certificate and the second certificate to obtain a corresponding verification result;
When the client determines from the verification result that the second certificate is invalid, the client downloads the updated second certificate through the certificate downloading interface, so as to perform bidirectional authentication with the server using the updated second certificate and the first certificate;
before verifying the first certificate and the second certificate, the method further comprises:
The server determines a domain name corresponding to the client and certificate verification information corresponding to the domain name, and sends the certificate verification information to the client;
The certificate verification information can be obtained according to a third certificate and a fourth certificate preset by the server, the third certificate corresponds to the certificate downloading interface, and the fourth certificate corresponds to the application interface;
the first certificate and the second certificate are verified to obtain corresponding verification results, and the method specifically comprises the following steps:
The client matches the received certificate verification information with the first certificate and the second certificate respectively to determine whether third certificate information and fourth certificate information carried in the certificate verification information are consistent with first certificate information contained in the first certificate and second certificate information contained in the second certificate respectively;
If either comparison is inconsistent, determining that the first certificate and/or the second certificate is invalid;
And when the second certificate is invalid, downloading the updated second certificate through the certificate downloading interface, wherein the method specifically comprises the following steps of:
The server receives a downloading instruction sent by the client, wherein the downloading instruction carries a domain name of the client and a second certificate identifier;
and acquiring an updated second certificate matched with the client according to the second certificate identifier, and issuing the updated second certificate to the client matched with the domain name.
2. A certificate-based security verification method in accordance with claim 1, wherein the validity period of said first certificate is greater than the validity period of said second certificate.
3. A certificate-based security verification method in accordance with claim 1, said method further comprising:
When the duration between the current network time and the expiration time of the domain name of the client is smaller than a preset value, the server generates certificate invalidation prompt information and sends the certificate invalidation prompt information to the client; the expiration time of the domain name comprises expiration time corresponding to the first certificate and expiration time corresponding to the second certificate respectively.
4. A certificate-based security verification method in accordance with claim 1, wherein said certificate verification information comprises at least any one of: public key information, certificate information;
the certificate information includes any one or more of the following: serial number, version, issuer, expiration date.
5. A certificate-based security verification system, the system comprising a client and a server;
The client is used for acquiring a preset first certificate and a preset second certificate; the client is provided with a plurality of interfaces, the first certificate corresponds to a certificate downloading interface, the second certificate corresponds to an application interface, and the application interface is other interfaces except the certificate downloading interface among the interfaces;
the client is used for checking the first certificate and the second certificate to obtain a corresponding checking result;
The client is used for downloading, when the second certificate is determined to be invalid, the updated second certificate through the certificate downloading interface so as to perform bidirectional authentication with the server through the updated second certificate and the first certificate;
before the client verifies the first certificate and the second certificate, the server is used for determining a domain name corresponding to the client and certificate verification information corresponding to the domain name, and sending the certificate verification information to the client;
The certificate verification information can be obtained according to a third certificate and a fourth certificate preset by the server, the third certificate corresponds to the certificate downloading interface, and the fourth certificate corresponds to the application interface;
The client is used for respectively matching the received certificate verification information with the first certificate and the second certificate so as to determine whether third certificate information and fourth certificate information carried in the certificate verification information are respectively consistent with first certificate information contained in the first certificate and second certificate information contained in the second certificate;
If either comparison is inconsistent, determining that the first certificate and/or the second certificate is invalid;
The server is used for receiving a downloading instruction sent by the client, wherein the downloading instruction carries a domain name of the client and a second certificate identifier;
and acquiring an updated second certificate matched with the client according to the second certificate identifier, and issuing the updated second certificate to the client matched with the domain name.
6. A certificate-based security verification apparatus for application to a client, the apparatus comprising: at least one processor;
and a memory communicatively coupled to the at least one processor; wherein,
The memory stores instructions executable by the at least one processor to enable the at least one processor to:
Acquiring a preset first certificate and a preset second certificate; the client is provided with a plurality of interfaces, the first certificate corresponds to a certificate downloading interface, the second certificate corresponds to an application interface, and the application interface is other interfaces except the certificate downloading interface among the interfaces;
checking the first certificate and the second certificate to obtain a corresponding checking result;
According to the verification result, when the second certificate is invalid, downloading the updated second certificate through the certificate downloading interface so as to perform bidirectional authentication with a server through the updated second certificate and the first certificate;
before verifying the first certificate and the second certificate, the method further comprises:
The server determines a domain name corresponding to the client and certificate verification information corresponding to the domain name, and sends the certificate verification information to the client;
The certificate verification information can be obtained according to a third certificate and a fourth certificate preset by the server, the third certificate corresponds to the certificate downloading interface, and the fourth certificate corresponds to the application interface;
the first certificate and the second certificate are verified to obtain corresponding verification results, and the method specifically comprises the following steps:
The client matches the received certificate verification information with the first certificate and the second certificate respectively to determine whether third certificate information and fourth certificate information carried in the certificate verification information are consistent with first certificate information contained in the first certificate and second certificate information contained in the second certificate respectively;
If either comparison is inconsistent, determining that the first certificate and/or the second certificate is invalid;
And when the second certificate is invalid, downloading the updated second certificate through the certificate downloading interface, wherein the method specifically comprises the following steps of:
The server receives a downloading instruction sent by the client, wherein the downloading instruction carries a domain name of the client and a second certificate identifier;
and acquiring an updated second certificate matched with the client according to the second certificate identifier, and issuing the updated second certificate to the client matched with the domain name.
7. A non-transitory computer storage medium storing computer executable instructions for application to a client, the computer executable instructions configured to:
Acquiring a preset first certificate and a preset second certificate; the client is provided with a plurality of interfaces, the first certificate corresponds to a certificate downloading interface, the second certificate corresponds to an application interface, and the application interface is other interfaces except the certificate downloading interface among the interfaces;
checking the first certificate and the second certificate to obtain a corresponding checking result;
According to the verification result, when the second certificate is invalid, downloading the updated second certificate through the certificate downloading interface so as to perform bidirectional authentication with a server through the updated second certificate and the first certificate;
before verifying the first certificate and the second certificate, the method further comprises:
The server determines a domain name corresponding to the client and certificate verification information corresponding to the domain name, and sends the certificate verification information to the client;
The certificate verification information can be obtained according to a third certificate and a fourth certificate preset by the server, the third certificate corresponds to the certificate downloading interface, and the fourth certificate corresponds to the application interface;
the first certificate and the second certificate are verified to obtain corresponding verification results, and the method specifically comprises the following steps:
The client matches the received certificate verification information with the first certificate and the second certificate respectively to determine whether third certificate information and fourth certificate information carried in the certificate verification information are consistent with first certificate information contained in the first certificate and second certificate information contained in the second certificate respectively;
If either comparison is inconsistent, determining that the first certificate and/or the second certificate is invalid;
And when the second certificate is invalid, downloading the updated second certificate through the certificate downloading interface, wherein the method specifically comprises the following steps of:
The server receives a downloading instruction sent by the client, wherein the downloading instruction carries a domain name of the client and a second certificate identifier;
and acquiring an updated second certificate matched with the client according to the second certificate identifier, and issuing the updated second certificate to the client matched with the domain name.
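As an added illustration, not code from the patent: a Python simulation of the flow in claims 1 to 4, with a server that holds the third and fourth certificates and answers download instructions for its domain, and a client that compares its preset first and second certificates against the server's verification information and fetches an updated second certificate through the download interface when only the second one is invalid. The domain name, issuer, serial numbers, public-key stand-ins and the seven-day warning threshold are all constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

@dataclass(frozen=True)
class CertInfo:
    """Certificate information named in claim 4: serial number, version, issuer, expiry, public key."""
    serial: str
    version: int
    issuer: str
    not_after: datetime
    public_key: str  # stand-in for the public key (constructed value)

DOWNLOAD, APP = "download", "app"  # first/third certificate vs. second/fourth certificate

class Server:
    def __init__(self, domain: str, certs: Dict[str, CertInfo], warn_before=timedelta(days=7)):
        self.domain, self.certs, self.warn_before = domain, certs, warn_before

    def verification_info(self, domain: str) -> Dict[str, CertInfo]:
        # Certificate verification information for the domain, derived from the third and fourth certificates
        if domain != self.domain:
            raise ValueError("unknown domain")
        return dict(self.certs)

    def download(self, domain: str, cert_id: str, first_cert: CertInfo) -> Optional[CertInfo]:
        # The download instruction carries the client's domain and the second-certificate identifier;
        # the download interface itself is guarded by the longer-lived first certificate (claim 2).
        if domain != self.domain or first_cert != self.certs[DOWNLOAD]:
            return None
        return self.certs.get(cert_id)  # the server-side certificate for that interface is the current one

    def expiry_notices(self, now: datetime) -> Dict[str, str]:
        # Claim 3: invalidation prompt for every certificate whose remaining validity is below the preset value
        return {cid: f"{cid} certificate expires at {c.not_after.isoformat()}"
                for cid, c in self.certs.items() if c.not_after - now < self.warn_before}

class Client:
    def __init__(self, domain: str, first: CertInfo, second: CertInfo):
        self.domain, self.certs = domain, {DOWNLOAD: first, APP: second}

    def verify(self, info: Dict[str, CertInfo]) -> Dict[str, bool]:
        # Match each preset local certificate against the server's information, field by field
        return {cid: self.certs[cid] == info.get(cid) for cid in (DOWNLOAD, APP)}

    def refresh(self, server: Server) -> bool:
        """Check both certificates; if only the application certificate is invalid, fetch the updated one."""
        result = self.verify(server.verification_info(self.domain))
        if not result[DOWNLOAD]:
            raise RuntimeError("first certificate invalid: download interface cannot be trusted")
        if result[APP]:
            return False  # nothing to renew; mutual authentication can proceed with the current pair
        updated = server.download(self.domain, APP, self.certs[DOWNLOAD])
        if updated is None:
            raise RuntimeError("server issued no updated second certificate")
        self.certs[APP] = updated
        return True

# Constructed sample data: one domain, a long-lived download certificate and two application certificates
NOW, ISSUER = datetime(2024, 1, 1, tzinfo=timezone.utc), "CN=Example Internal CA"
FIRST = CertInfo("01", 3, ISSUER, NOW + timedelta(days=365), "pk-download-v1")
OLD_APP = CertInfo("02", 3, ISSUER, NOW + timedelta(days=3), "pk-app-v1")
NEW_APP = CertInfo("03", 3, ISSUER, NOW + timedelta(days=90), "pk-app-v2")

def demo():
    # The client still holds the stale application certificate; the server already has the renewed one
    server = Server("client.example", {DOWNLOAD: FIRST, APP: NEW_APP})
    client = Client("client.example", FIRST, OLD_APP)
    before = client.verify(server.verification_info(client.domain))
    renewed = client.refresh(server)
    after = client.verify(server.verification_info(client.domain))
    return before, renewed, after
```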
CN202210724037.3A 2022-06-24 2022-06-24 Certificate-based security verification method, system, equipment and medium Active CN115021917B (en)
Publications (2)

Publication Number Publication Date
CN115021917A CN115021917A (en) 2022-09-06
CN115021917B true CN115021917B (en) 2024-05-10