CN115454458A - POS machine application authority management method, device, equipment and storage medium - Google Patents


Info

Publication number
CN115454458A
Authority
CN
China
Prior art keywords
file
application
information
permission
authority
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211266538.8A
Other languages
Chinese (zh)
Inventor
饶熠舟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Agricultural Bank of China
Original Assignee
Agricultural Bank of China
Application filed by Agricultural Bank of China

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/61 Installation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/121 Restricting unauthorised execution of programs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/65 Updates

Abstract

The embodiment of the invention discloses a method, a device, equipment and a storage medium for managing the application authority of a POS machine. The method comprises the following steps: acquiring user-defined setting information in which a user sets at least one application permission of a target application, and encrypting the user-defined setting information to generate a user-defined permission information file; writing the user-defined permission information file into the original packed file of the target application to obtain an updated packed file; encrypting and signing the updated packed file to generate a signature file, and writing the signature file into the updated packed file to obtain the final packed file of the target application; and sending the final packed file to a target POS machine terminal, so that the terminal determines the permission setting of the target application on that terminal based on the user-defined permission information file in the final packed file and the permission information in the Manifest file. The technical scheme of the embodiment of the invention enables the acquirer to modify the application authority, thereby reducing the maintenance and management cost.

Description

POS machine application authority management method, device, equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of terminal application management, in particular to a method, a device, equipment and a storage medium for managing POS machine application authority.
Background
A point of sale (POS) machine is an intelligent device based on the Android system, and its application installation package (APK) is nowadays managed by the developer. The developer sets the permissions in the APK and sends it to the acquirer for signature verification, after which it is sent to the POS machine for installation. At this point the application authority may already be fixed; if the acquirer needs to modify the application authority, the developer has to reissue a new application, which is a tedious process with a high application maintenance cost.
Disclosure of Invention
The embodiment of the invention provides a method, a device, equipment and a storage medium for managing the application authority of a POS machine, which enable an acquirer to modify the application authority and reduce the maintenance and management cost.
In a first aspect, an embodiment of the present invention provides a method for managing authority of a POS machine, where the method is applied to an authority management end, and the method includes:
acquiring user-defined setting information of at least one application permission of a user to a target application, and encrypting the user-defined setting information to generate a user-defined permission information file;
writing the user-defined permission information file into an original packed file of the target application to obtain an updated packed file;
encrypting and signing the updated packaged file to generate a signature file, and writing the signature file into the updated packaged file to obtain a final packaged file of the target application;
and sending the final packed file to a target POS machine terminal so that the target POS machine terminal determines the permission setting of the target application at the target POS machine terminal based on the user-defined permission information file in the final packed file and the permission information in the Manifest file.
In a second aspect, an embodiment of the present invention provides a method for managing application permission of a POS terminal, where the method includes:
when a packed file of a target application to be installed is obtained, analyzing and checking the packed file;
when the packaged file is analyzed to have the user-defined permission information file, the application permission of the target application to be installed is set according to first permission setting information in the user-defined permission information file and second permission setting information in a Manifest file in the packaged file, and installation of the target application to be installed is completed.
In a third aspect, an embodiment of the present invention provides a POS application authority management apparatus, configured at an authority management end, where the apparatus includes:
the user-defined permission file generation module is used for acquiring user-defined setting information of at least one application permission of a user to a target application, encrypting the user-defined setting information and generating a user-defined permission information file;
the application packed file updating module is used for writing the user-defined permission information file into an original packed file of the target application to obtain an updated packed file;
the application packaging file signature encryption module is used for encrypting and signing the updated packaging file to generate a signature file, and writing the signature file into the updated packaging file to obtain a final packaging file of the target application;
and the packed file transmitting module is used for transmitting the final packed file to a target POS machine terminal so as to enable the target POS machine terminal to determine the authority setting of the target application at the target POS machine terminal based on the user-defined authority information file in the final packed file and the authority information in the Manifest file.
In a fourth aspect, an embodiment of the present invention provides a POS application authority management apparatus, configured at a POS terminal, where the apparatus includes:
the installation file analysis module is used for analyzing and verifying the packaged file of the target application to be installed when the packaged file is obtained;
and the application permission setting module is used for setting the application permission of the target application to be installed according to first permission setting information in the user-defined permission information file and second permission setting information in a Manifest file in the packaged file when the packaged file has the user-defined permission information file, and completing installation of the target application to be installed.
In a fifth aspect, an embodiment of the present invention provides a computer device, where the computer device includes:
one or more processors;
a memory for storing one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the POS machine application authority management method of any embodiment.
In a sixth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the POS application authority management method according to any embodiment.
According to the technical scheme provided by the embodiment of the invention, user-defined setting information in which a user sets at least one application permission of a target application is acquired and encrypted to generate a user-defined permission information file; the user-defined permission information file is written into the original packed file of the target application to obtain an updated packed file; the updated packed file is encrypted and signed to generate a signature file, and the signature file is written into the updated packed file to obtain the final packed file of the target application; and the final packed file is sent to a target POS machine terminal, so that the terminal determines the permission setting of the target application on that terminal based on the user-defined permission information file in the final packed file and the permission information in the Manifest file. The technical scheme of the embodiment of the invention solves the prior-art problem that the acquirer cannot modify the application authority: it enables the acquirer to modify the application authority and reduces the maintenance and management cost.
Drawings
Fig. 1 is a flowchart of a method for managing authority of a POS machine applied to an authority management terminal according to an embodiment of the present invention;
Fig. 2 is a flowchart of another method for managing application rights of a POS machine applied to a rights management end according to an embodiment of the present invention;
Fig. 3 is a flowchart of a method for managing authority of a POS terminal according to an embodiment of the present invention;
Fig. 4 is a flowchart of another method for managing POS application authority applied to a POS terminal according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a POS application authority management device configured at an authority management end according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a POS application authority management device configured at a POS terminal according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a flowchart of a method for managing POS application permission applied to a permission management terminal according to an embodiment of the present invention, where the embodiment of the present invention is applicable to a scenario in which permission information of a POS application is authorized, the method may be executed by a POS application permission management device configured at the permission management terminal, and the device may be implemented by software and/or hardware.
As shown in fig. 1, the method for managing the application authority of the POS machine includes the following steps:
S110, obtaining user-defined setting information of at least one application permission of a user to the target application, encrypting the user-defined setting information, and generating a user-defined permission information file.
The user may be an internal operator of the acquirer. The target application can be an application whose permission information needs to be set; the application permission may be permission information of the target application, such as whether the POS positioning mode can be turned on or whether the data of the POS machine itself can be read.
The user-defined setting information can be the application permission information that the user sets for the target application; the user can fill in the user-defined setting information according to a preset setting rule in order to manage the application permissions. Generally, an application is constrained by multiple permissions while it runs on a terminal, and permission management can set the permissions of the application program, including the read permission for certain information, the access permission of the application, and the like. For example, the user may set the application permissions related to privacy and security to an unauthorized state according to the privacy protocol of the acquirer, and the target application will then not exercise those permissions. Specifically, the application permission information that the user sets for the target application can be read in real time, thereby acquiring the user-defined setting information for the application permissions of the target application.
Furthermore, a preset encryption rule can be used to encrypt the user-defined setting information, which prevents the user-defined setting information from being illegally stolen or tampered with. Encrypting the user-defined setting information yields the user-defined permission information file.
S120, writing the user-defined permission information file into an original packed file of the target application to obtain an updated packed file.
The original packaged file can be an original APK file developed by a developer of the target application, and in the original packaged file, the developer of the target application also sets the application permission information of the target application. The updating may be a process of fusing the custom permission information file and the original packed file, for example, the custom permission information file may be added to the original packed file of the target application, and the custom permission information and the setting information of the same application permission in the original packed file may be fused to obtain the fused application permission information.
S130, carrying out encryption signing on the updated packed file to generate a signature file, and writing the signature file into the updated packed file to obtain a final packed file of the target application.
The encryption signature can be the process of encrypting and signing the updated packed file. Specifically, the updated packed file can be encrypted and signed according to preset encryption and signature rules, which improves the security and identifiability of the updated packed file. The final packed file can be the file, carrying the application permission information of the target application, that is finally generated after processing at the authority management end: the updated packed file is encrypted and signed to generate a signature file, and the signature file is then written into the updated packed file to obtain the final packed file of the target application.
S140, the final packed file is sent to a target POS machine terminal, so that the target POS machine terminal determines the permission setting of the target application at the target POS machine terminal based on the user-defined permission information file in the final packed file and the permission information in the Manifest file.
The target POS machine terminal may be the terminal device that needs to determine the application permissions of the target application and install it. The Manifest file is one of the files in the original packed file; in it, the developer of the target application sets the application permission information of the target application. After the target POS machine terminal receives the final packed file, it can determine the permission setting of the target application on the terminal according to the terminal's preset permission determination rule, based on the user-defined permission information file in the final packed file and the permission information in the Manifest file. For example, a take-the-minimum rule may be used as the permission determination rule of the POS machine terminal: when the user-defined permission information file and the Manifest file both set a given application permission to the authorized state, the POS machine terminal determines that the application permission is authorized and may modify the permission state of that application permission; when either the user-defined permission information file or the Manifest file sets a given application permission to the unauthorized state, the POS machine terminal determines that the application permission is unauthorized and cannot modify the permission state of that application permission.
According to the technical scheme provided by the embodiment of the invention, user-defined setting information in which a user sets at least one application permission of a target application is acquired and encrypted to generate a user-defined permission information file; the user-defined permission information file is written into the original packed file of the target application to obtain an updated packed file; the updated packed file is encrypted and signed to generate a signature file, and the signature file is written into the updated packed file to obtain the final packed file of the target application; and the final packed file is sent to a target POS machine terminal, so that the terminal determines the permission setting of the target application on that terminal based on the user-defined permission information file in the final packed file and the permission information in the Manifest file. The technical scheme of the embodiment of the invention solves the prior-art problem that the acquirer cannot modify the application authority: it enables the acquirer to modify the application authority and reduces the maintenance and management cost.
Fig. 2 is a flowchart of another method for managing authority of a POS application applied to an authority management terminal according to an embodiment of the present invention, where the embodiment of the present invention is applicable to a scenario in which authority information of the POS application is authorized, and this embodiment further illustrates how to encrypt and sign the authority information of the POS application on the basis of the foregoing embodiment.
As shown in fig. 2, the method for managing the application authority of the POS machine includes the following steps:
S210, obtaining user-defined setting information of at least one application authority of a user to a target application, and encrypting the user-defined setting information by using a private key in a work certificate public and private key pair generated in advance by the authority management end to generate a user-defined authority information file.
The user may be an internal operator of the acquirer. The target application can be an application whose permission information needs to be set; the application permission may be permission information of the target application, such as whether the POS positioning mode can be turned on or whether the data of the POS machine itself can be read. The user-defined setting information can be the application permission information that the user sets for the target application; the user can fill in the user-defined setting information according to a preset setting rule or the requirements of the application scenario in order to manage the application permissions. Generally, an application is constrained by multiple permissions while it runs on a terminal, and permission management can set the permissions of the application program, including the read permission for certain information, the access permission of the application, and the like. For example, the user may set the application permissions related to privacy and security to an unauthorized state according to the privacy protocol of the acquirer, and the target application will then not exercise those permissions. Specifically, the application permission information that the user sets for the target application can be read in real time, thereby acquiring the user-defined setting information for the application permissions of the target application.
Furthermore, the authority management end can call a preset encryption algorithm to generate a root certificate public and private key pair and a work certificate public and private key pair. The root certificate public and private key pair can be a pair of original keys comprising a root certificate public key and a root certificate private key, which correspond one to one; the root public key is used to generate a root public key certificate that is issued to the intelligent POS terminal for pre-installation, and the root private key is used to encrypt work data issued by the acquirer to the POS terminal. The work certificate public and private key pair can be a pair of derived keys comprising a work certificate public key and a work certificate private key, which correspond one to one; the work private key is responsible for encrypting data of files and the work certificate public key issued to the POS terminal. Generating the two key pairs and then nesting them improves the security of the encrypted files and prevents the files from being illegally stolen or tampered with. After the user-defined setting information is encrypted with the private key of the work certificate public and private key pair, the user-defined authority information file is obtained.
S220, writing the user-defined permission information file into an original packed file of the target application to obtain an updated packed file.
The original packaged file can be an original APK file developed by a developer of the target application, and in the original packaged file, the developer of the target application also sets the application permission information of the target application. The updating may be a process of fusing the custom permission information file and the original packed file, for example, the custom permission information file may be added to the original packed file of the target application, and the custom permission information and the setting information of the same application permission in the original packed file may be fused to obtain the fused application permission information.
S230, computing a data digest of the updated packed file and the corresponding signature description information, calculating the hash value of the data digest to obtain a first hash value, and padding the first hash value.
The signature description information may be information describing the signature of the updated packed file. A hash value is a numerical value obtained by a logical operation on the data in the file content; it can serve as the file's identity card and is used to verify the accuracy of the file obtained by the target POS terminal. The first hash value can be the hash value of the data digest. The data digest may be the process of extracting a digest of the data in the updated packed file and the corresponding signature description information; calculating the hash value of that data digest then gives the first hash value. Further, the padding may be a process of supplementing information, such as key terms, that is missing from the first hash value; padding the first hash value can increase its readability.
For example, Table 1 is a padded first hash value table. The "authorization setting 1" column indicates the user-defined permission information file's setting of whether each permission item can be modified, the "authorization setting 2" column indicates the original packed file's setting of whether each permission item can be modified, and the "final application authority" column indicates whether the POS machine terminal can finally execute the permission item.
Table 1. The first hash value table after padding.
Rights item    Authorization setting 1    Authorization setting 2    Final application rights
Rights item 1 × × ×
Rights item 2 × ×
Rights item 3
.. ...
Rights item N
As shown in Table 1, when both authorization setting 1 and authorization setting 2 are filled in with "√" for the same permission item, the POS terminal can execute that permission item; when authorization setting 1 or authorization setting 2 is filled in with "×" for the same permission item, the POS terminal may not execute it.
S240, encrypting and signing the padded first hash value with the private key of the work certificate public and private key pair to generate signed first hash value data.
The private key in the work certificate public and private key pair is the work certificate private key. Encrypting and signing the padded first hash value with the work certificate private key generates the signed first hash value data and improves the security of the first hash value data.
S250, generating a signature file according to the signature description information, the working public key certificate and the signed first hash value data, and writing the signature file into the updated packed file to obtain a final packed file of the target application.
The signature file may be a file that packages the signature information; specifically, the signature file may be generated by splicing together the signature description information, the working public key certificate and the signed first hash value data. The final packed file can be the file generated once processing at the authority management end is complete: writing the signature file into the updated packed file yields the final packed file of the target application.
S260, the final packed file is sent to a target POS machine terminal, so that the target POS machine terminal can determine the permission setting of the target application at the target POS machine terminal based on the user-defined permission information file in the final packed file and the permission information in the Manifest file.
The target POS machine terminal may be the terminal device that needs to determine the application permissions of the target application and install it. The Manifest file is one of the files in the original packed file; in it, the developer of the target application sets the application permission information of the target application. After the target POS machine terminal receives the final packed file, it can determine the permission setting of the target application on the terminal according to the terminal's preset permission determination rule, based on the user-defined permission information file in the final packed file and the permission information in the Manifest file. For example, a take-the-minimum rule may be used as the permission determination rule of the POS machine terminal: when the user-defined permission information file and the Manifest file both set a given application permission to the authorized state, the POS machine terminal determines that the application permission is authorized and may modify the permission state of that application permission; when either the user-defined permission information file or the Manifest file sets a given application permission to the unauthorized state, the POS machine terminal determines that the application permission is unauthorized and cannot modify the permission state of that application permission.
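The terminal-side permission determination described for S140 and S260, and tabulated in Table 1, can be sketched as follows. This is an added example and not code from the patent: the entry name META-INF/custom_permissions.json, its JSON layout, the plain-text manifest and the deny-by-default treatment of permissions missing from either source are assumptions, and signature verification and decryption of the custom file are taken as already done.

```python
import io
import json
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MANIFEST_ENTRY = "AndroidManifest.xml"
# Hypothetical entry name and JSON layout: the page specifies neither.
CUSTOM_ENTRY = "META-INF/custom_permissions.json"


def manifest_permissions(manifest_xml):
    """Return the permissions the developer declared via <uses-permission>."""
    name_attr = "{%s}name" % ANDROID_NS
    # Parsed only after the package signature has verified (assumed here).
    root = ET.fromstring(manifest_xml)
    return {el.get(name_attr) for el in root.iter("uses-permission")
            if el.get(name_attr)}


def custom_permissions(raw_json):
    """Parse the acquirer's settings: {"permissions": {name: true|false}}."""
    settings = json.loads(raw_json).get("permissions")
    if not isinstance(settings, dict):
        raise ValueError("custom permission file has no permissions map")
    for name, allowed in settings.items():
        if not isinstance(allowed, bool):
            raise ValueError("non-boolean setting for %s" % name)
    return settings


def merge_minimum_rule(declared, custom):
    """A permission is authorized only when BOTH sources authorize it.

    Assumption (not stated on the page): a permission missing from either
    source counts as unauthorized there, so the custom file can only narrow
    what the Manifest requests and can never add to it.
    """
    merged = {}
    for perm in sorted(declared | set(custom)):
        # Per the page, the same outcome also decides whether the terminal
        # may later change the state of this permission.
        merged[perm] = (perm in declared) and custom.get(perm, False)
    return merged


def decide_permissions(package_bytes):
    """Decide the permission settings for an already verified package."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        names = zf.namelist()
        if len(names) != len(set(names)):
            # Two entries with one name let different readers see different
            # content, so the package is rejected outright.
            raise ValueError("duplicate entry names in package")
        declared = manifest_permissions(zf.read(MANIFEST_ENTRY))
        if CUSTOM_ENTRY not in names:
            # Assumption: without a custom file the Manifest alone applies.
            return {perm: True for perm in sorted(declared)}
        custom = custom_permissions(zf.read(CUSTOM_ENTRY))
    return merge_minimum_rule(declared, custom)


def build_sample_package():
    """Constructed sample input. Real APKs store the manifest as binary XML."""
    manifest = (
        '<manifest xmlns:android="%s" package="com.example.pos">'
        '<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>'
        '<uses-permission android:name="android.permission.READ_PHONE_STATE"/>'
        '<uses-permission android:name="android.permission.INTERNET"/>'
        '</manifest>' % ANDROID_NS
    )
    custom = {"permissions": {
        "android.permission.ACCESS_FINE_LOCATION": False,  # acquirer denies
        "android.permission.INTERNET": True,               # both authorize
        "android.permission.CAMERA": True,                 # never declared
    }}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST_ENTRY, manifest)
        zf.writestr(CUSTOM_ENTRY, json.dumps(custom))
    return buf.getvalue()


if __name__ == "__main__":
    decision = decide_permissions(build_sample_package())
    for perm, granted in decision.items():
        print("%-45s %s" % (perm, "authorized" if granted else "unauthorized"))
```

In the sample, only the permission that both files authorize ends up authorized; the CAMERA entry shows that a custom file cannot grant a permission the developer never declared.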
According to the technical scheme provided by the embodiment of the invention, user-defined setting information in which a user sets at least one application authority of a target application is acquired, and the user-defined setting information is encrypted with the private key of the work certificate public and private key pair generated in advance by the authority management end to generate a user-defined authority information file; the user-defined authority information file is written into the original packed file of the target application to obtain an updated packed file; a data digest of the updated packed file and the corresponding signature description information is computed, the hash value of the data digest is calculated to obtain a first hash value, and the data digest is padded; the padded data digest is encrypted and signed with the private key of the work certificate public and private key pair to generate signed first hash value data; a signature file is generated according to the signature description information, the working public key certificate and the signed first hash value data, and the signature file is written into the updated packed file to obtain the final packed file of the target application; and the final packed file is sent to a target POS machine terminal, so that the terminal determines the authority setting of the target application on that terminal based on the user-defined authority information file in the final packed file and the authority information in the Manifest file. The technical scheme of the embodiment of the invention solves the prior-art problem that the acquirer cannot modify the application authority: it enables the acquirer to modify the application authority and reduces the maintenance and management cost.
Fig. 3 is a flowchart of a method for managing authority of a POS application applied to a POS terminal according to an embodiment of the present invention, where the embodiment of the present invention is applicable to a scenario of analyzing and verifying application authority information during a process of installing the POS application, and the method may be executed by a POS application authority management device configured at the POS terminal, and the device may be implemented in a software and/or hardware manner.
As shown in fig. 3, the method for managing the application authority of the POS machine includes the following steps:
S310, when the packaged file of the target application to be installed is obtained, analyzing and verifying the packaged file.
The target application to be installed may be an application that needs to be installed. The packaged file comprises a custom permission information file and a Manifest file; the custom permission information file contains the application permission information set for the target application to be installed by staff of the acquiring institution, and the Manifest file contains the application permission information set by the developer of the target application to be installed. The analysis can be a process of decrypting the encrypted packaged file, and the packaged file can be analyzed using a preset decryption rule corresponding to the encryption rule of the authority management end. The verification can be a process of checking the correctness of the packaged file; specifically, the verification items in the packaged file can be checked according to a preset verification rule, so that the correctness of the packaged file is ensured.
S320, when the packaged file is analyzed to have the user-defined permission information file, setting the application permission of the target application to be installed according to first permission setting information in the user-defined permission information file and second permission setting information in a Manifest file in the packaged file, and completing installation of the target application to be installed.
The first permission setting information is the application permission information set for the target application to be installed by staff of the acquiring institution, and the second permission setting information is the application permission information set by the developer of the target application to be installed. After the first permission setting information and the second permission setting information are obtained, the application permissions of the target application to be installed can be set according to a preset application-permission setting rule of the POS terminal, based on the first permission setting information and the second permission setting information. For example, a minimum rule may be used as the application-permission setting rule of the POS terminal: when the first permission setting information and the second permission setting information both set an application permission to an authorizable state, the POS terminal may set the application permission to the authorizable state, and the POS terminal may modify the permission state of that application permission; when the first permission setting information and the second permission setting information set an unauthorized state for a certain application permission, the POS terminal may set the application permission to the unauthorized state, and the POS terminal may not modify the permission state of that application permission.
According to the technical scheme provided by this embodiment of the invention, when the packed file of the target application to be installed is obtained, the packed file is analyzed and verified; when the analysis finds that the packaged file contains the custom permission information file, the application permissions of the target application to be installed are set according to the first permission setting information in the custom permission information file and the second permission setting information in the Manifest file in the packaged file, and installation of the target application to be installed is completed. The technical scheme of this embodiment solves the prior-art problem that the acquiring institution cannot modify application permissions, enables the acquiring institution to modify application permissions, and reduces maintenance and management costs.
Fig. 4 is a flowchart of a method for managing POS application permission applied to a POS terminal according to an embodiment of the present invention, where the embodiment of the present invention is applicable to a scenario where analysis and verification are performed on application permission information during a process of installing a POS application.
As shown in fig. 4, the method for managing the application authority of the POS machine includes the following steps:
S410, when the packaged file of the target application to be installed is obtained, analyzing the packaged file to obtain the packaged file into which the custom permission information file has been written, and the signature file.
The target application to be installed may be an application that needs to be installed. The packaged file comprises a custom permission information file and a Manifest file; the custom permission information file contains the application permission information set for the target application to be installed by staff of the acquiring institution, and the Manifest file contains the application permission information set by the developer of the target application to be installed. The analysis can be a process of decrypting the encrypted packaged file, and the packaged file can be analyzed using a preset decryption rule corresponding to the encryption rule of the authority management end.
S420, verifying the legitimacy of the working public key certificate in the signature file according to the public key of the root certificate public and private key pair preset in the POS terminal.
Specifically, the certificate obtained by processing the public key of the root certificate public and private key pair preset in the POS terminal according to the preset signature may be compared with the working public key certificate in the signature file; if the two are consistent, the working public key certificate in the signature file is legitimate, and otherwise it is not.
S430, when the working public key certificate in the signature file passes the verification, extracting work certificate public key information from the working public key certificate in the signature file, and decrypting based on the work certificate public key information to obtain a work certificate private key.
The work certificate public key information can be information capable of expressing a work certificate public key, and the work public key certificate is obtained by processing a root certificate public key according to a preset signature, so that the work certificate public key information can be obtained by reverse processing, and then the work certificate private key is obtained through the one-to-one correspondence relationship between the work certificate public key and the work certificate private key.
S440, analyzing the signature file through the work certificate private key to obtain the signature description information of the packed file and the original hash value of the signature description information.
The signature description information may be information describing a signature of the updated packaged file, and the original hash value refers to a hash value calculated by performing a hash value calculation on the signature description information at the authority management end. After the signature file is analyzed through the work certificate private key, the signature description information in the packed file and the original hash value of the signature description information can be obtained.
S450, computing a data digest over the packed file into which the custom permission information file has been written and the signature description information, and calculating the hash value of the data digest to obtain a second hash value.
The data digest may be a process of extracting a digest of the data in the updated packed file and the corresponding signature description information; the second hash value is obtained by computing the data digest over the packed file into which the custom permission information file has been written and the signature description information, and then calculating the hash value of that data digest.
S460, comparing the second hash value with the original hash value, finishing the verification of the packed file when the second hash value is the same as the original hash value, and otherwise, ending the installation process of the target application to be installed.
When the second hash value is the same as the original hash value, the packaged file received by the POS terminal can be taken as consistent with the packaged file sent by the authority management end, and verification of the packaged file is completed; conversely, when the second hash value differs from the original hash value, the packaged file received by the POS terminal may not be consistent with the packaged file sent by the authority management end, and the installation process of the target application to be installed is ended.
S470, when the custom permission information file is obtained by the analysis, matching the setting information of the same permission setting item in the first permission setting information and the second permission setting information.
The first permission setting information is the application permission information set for the target application to be installed by staff of the acquiring institution, and the second permission setting information is the application permission information set by the developer of the target application to be installed. After the first permission setting information and the second permission setting information are acquired, the setting information of the same permission setting item in the first permission setting information and the second permission setting information is matched, in order to judge whether the target application to be installed has the permission of the corresponding permission setting item.
S480, when the setting information of the same permission setting item in the first permission setting information and the second permission setting information is set to have permission, setting the permission that the target application to be installed has the corresponding permission setting item, and completing the installation of the target application to be installed.
When the setting information of the same permission setting item in the first permission setting information or the second permission setting information is set to no permission, the acquirer or the developer of the target application to be installed does not agree that the target application to be installed has the permission of the corresponding permission setting item, and it can then be determined that the target application to be installed does not have the permission of the corresponding permission setting item; when the setting information of the same permission setting item in both the first permission setting information and the second permission setting information is set to have permission, the acquirer and the developer of the target application to be installed both agree that the target application to be installed has the permission of the corresponding permission setting item, and it can then be determined that the target application to be installed has the permission of the corresponding permission setting item. Installation of the target application to be installed is completed after the permissions of all corresponding permission setting items of the target application to be installed have been determined.
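The terminal-side checks of S450 to S480, as an added example that is not code from the patent: it recomputes the second hash value over the package and the signature description, compares it with the original hash value, and then grants a permission only when both permission sources grant it. The entry names, JSON formats, SHA-256 and permission names are assumptions, and the certificate and signature steps S420 to S440 and the decryption of the custom permission file are taken as already done.

```python
import hashlib
import hmac
import io
import json
import zipfile

# Hypothetical entry names; the page does not name the files inside the package.
CUSTOM_PERMS = "custom_permissions.json"   # assumed already decrypted
MANIFEST = "manifest.json"                 # simplified JSON stand-in for the Manifest file
SIGNATURE = "signature.json"


class InstallAborted(Exception):
    """Raised when the package must not be installed."""


def _zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def read_entries(pkg):
    """Read all entries; refuse duplicate names, which make the hashed content ambiguous."""
    try:
        with zipfile.ZipFile(io.BytesIO(pkg)) as zf:
            names = zf.namelist()
            if len(names) != len(set(names)):
                raise InstallAborted("duplicate entry name in package")
            return {n: zf.read(n) for n in names}
    except zipfile.BadZipFile as exc:
        raise InstallAborted("not a readable package") from exc


def package_digest(entries, description):
    """S450: hash every entry except the signature file, plus the signature description."""
    h = hashlib.sha256()
    for name in sorted(n for n in entries if n != SIGNATURE):
        # Length-prefix each field so entry boundaries cannot be shifted.
        for field in (name.encode(), entries[name]):
            h.update(len(field).to_bytes(8, "big"))
            h.update(field)
    h.update(description.encode())
    return h.hexdigest()


def resolve_permissions(first, second):
    """S470-S480: an item is granted only when both sources set it to granted."""
    items = sorted(set(first) | set(second))
    # Assumption: an item missing from either source counts as not granted.
    return {p: first.get(p) is True and second.get(p) is True for p in items}


def install(pkg):
    """Return the effective permissions, or raise InstallAborted."""
    entries = read_entries(pkg)
    if SIGNATURE not in entries:
        raise InstallAborted("no signature file")
    # Assumption: S420-S440 already authenticated this file and recovered its fields.
    sig = json.loads(entries[SIGNATURE])
    if not isinstance(sig, dict):
        raise InstallAborted("malformed signature file")
    second_hash = package_digest(entries, str(sig.get("description", "")))
    original_hash = str(sig.get("original_hash", ""))
    # S460: constant-time comparison of the second hash with the original hash.
    if not hmac.compare_digest(second_hash.encode(), original_hash.encode()):
        raise InstallAborted("hash mismatch: package differs from what was signed")
    # The page does not say what happens without the custom file; this example stops.
    for required in (CUSTOM_PERMS, MANIFEST):
        if required not in entries:
            raise InstallAborted("missing " + required)
    first = json.loads(entries[CUSTOM_PERMS])
    second = json.loads(entries[MANIFEST])
    if not (isinstance(first, dict) and isinstance(second, dict)):
        raise InstallAborted("malformed permission information")
    return resolve_permissions(first, second)


def build_sample(first, second, description="constructed signature description"):
    """Constructed package standing in for the authority management end's output."""
    entries = {CUSTOM_PERMS: json.dumps(first).encode(),
               MANIFEST: json.dumps(second).encode()}
    sig = {"description": description,
           "original_hash": package_digest(entries, description)}
    entries[SIGNATURE] = json.dumps(sig).encode()
    return _zip(entries)


def tamper(pkg, name, data):
    """Replace one entry after signing, leaving the signature file untouched."""
    entries = read_entries(pkg)
    entries[name] = data
    return _zip(entries)


if __name__ == "__main__":
    first = {"CAMERA": True, "LOCATION": False, "BLUETOOTH": True}   # constructed
    second = {"CAMERA": True, "LOCATION": True, "NFC": True}         # constructed
    pkg = build_sample(first, second)
    print(install(pkg))
    try:
        install(tamper(pkg, CUSTOM_PERMS, json.dumps({"LOCATION": True}).encode()))
    except InstallAborted as exc:
        print("aborted:", exc)
```

Because the digest covers the custom permission file, widening a permission after signing ends the installation at S460 before any permission is set.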
Fig. 5 is a schematic structural diagram of a POS application authority management apparatus provided in an embodiment of the present invention, and the apparatus is configured at an authority management end, and the embodiment of the present invention is applicable to a scenario in which POS application authority information is authorized.
As shown in fig. 5, the POS application authority management apparatus includes: a custom permission file generating module 510, an application package file updating module 520, an application package file signature encrypting module 530 and a package file sending module 540.
The custom permission file generating module 510 is configured to obtain custom setting information of at least one application permission of a user to a target application, encrypt the custom setting information, and generate a custom permission information file; an application package file updating module 520, configured to write the user-defined permission information file into an original package file of the target application, so as to obtain an updated package file; an application package file signature encryption module 530, configured to encrypt and sign the updated package file to generate a signature file, and write the signature file into the updated package file to obtain a final package file of the target application; and a packed file sending module 540, configured to send the final packed file to the target POS terminal, so that the target POS terminal determines permission setting of the target application at the target POS terminal based on the custom permission information file in the final packed file and the permission information in the Manifest file.
According to the technical scheme provided by this embodiment of the invention, custom setting information of a user for at least one application permission of a target application is acquired, and the custom setting information is encrypted to generate a custom permission information file; the custom permission information file is written into the original packed file of the target application to obtain an updated packed file; the updated packaged file is encrypted and signed to generate a signature file, and the signature file is written into the updated packaged file to obtain the final packaged file of the target application; and the final packed file is sent to the target POS terminal, so that the target POS terminal determines the permission setting of the target application at the target POS terminal based on the custom permission information file in the final packed file and the permission information in the Manifest file. The technical scheme of this embodiment solves the prior-art problem that the acquiring institution cannot modify application permissions, enables the acquiring institution to modify application permissions, and reduces maintenance and management costs.
In an alternative embodiment, the application package file signature encryption module 530 is specifically configured to:
and encrypting the user-defined setting information by using a private key in a public and private key pair of the work certificate generated in advance by the authority management end.
In an alternative embodiment, the application package file signature encryption module 530 is further configured to:
computing a data digest over the updated packed file and the corresponding signature description information, calculating the hash value of the data digest to obtain a first hash value, and padding the first hash value;
encrypting and signing the padded first hash value with the private key of the work certificate public and private key pair to generate signed first hash value data;
and generating a signature file according to the signature description information, the working public key certificate and the signed first hash value data.
The POS machine application authority management device provided by the embodiment of the invention can execute the POS machine application authority management method applied to the authority management end provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Fig. 6 is a schematic structural diagram of a POS application permission management apparatus, applied to a POS terminal, according to an embodiment of the present invention, where the apparatus is applicable to a scenario where analysis and verification are performed on application permission information during a POS application installation process, and the apparatus may be implemented in a software and/or hardware manner and integrated in a computer device with an application development function.
As shown in fig. 6, the POS application authority management device includes: an installation file parsing module 610 and an application authority setting module 620.
The installation file analysis module 610 is configured to, when a packed file of a target application to be installed is obtained, analyze and verify the packed file; and the application permission setting module 620 is configured to set the application permission of the target application to be installed according to the first permission setting information in the custom permission information file and the second permission setting information in the Manifest file in the package file when the package file has the custom permission information file, and complete installation of the target application to be installed.
According to the technical scheme provided by this embodiment of the invention, when the packaged file of the target application to be installed is obtained, the packaged file is analyzed and verified; when the analysis finds that the packaged file contains the custom permission information file, the application permissions of the target application to be installed are set according to the first permission setting information in the custom permission information file and the second permission setting information in the Manifest file in the packaged file, and installation of the target application to be installed is completed. The technical scheme of this embodiment solves the prior-art problem that the acquiring institution cannot modify application permissions, enables the acquiring institution to modify application permissions, and reduces maintenance and management costs.
In an optional implementation manner, the application permission setting module 620 is specifically configured to:
matching the setting information of the same authority setting item in the first authority setting information and the second authority setting information;
and when the setting information of the same permission setting item in the first permission setting information and the second permission setting information is permission setting, setting the permission that the target application to be installed has the corresponding permission setting item.
In an optional implementation manner, the installation file parsing module 610 is specifically configured to:
analyzing the packed file to obtain a packed file and a signature file written with the user-defined authority information file;
verifying the validity of a working public key certificate in a signature file according to a public key in a public and private key pair of a root certificate preset by a POS machine terminal;
when the work public key certificate in the signature file passes the verification, extracting work certificate public key information from the work public key certificate in the signature file, and decrypting based on the work certificate public key information to obtain a work certificate private key;
analyzing the signature file through a work certificate private key to obtain signature description information of the packed file and an original hash value of the signature description information;
computing a data digest over the packed file into which the custom permission information file has been written and the signature description information, and calculating the hash value of the data digest to obtain a second hash value;
and comparing the second hash value with the original hash value, finishing the verification of the packed file when the second hash value is the same as the original hash value, and otherwise, finishing the installation process of the target application to be installed.
The POS machine application authority management device provided by the embodiment of the invention can execute the POS machine application authority management method applied to the POS machine terminal provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Fig. 7 is a schematic structural diagram of a computer device according to an embodiment of the present invention. FIG. 7 illustrates a block diagram of an exemplary computer device 12 suitable for use in implementing embodiments of the present invention. The computer device 12 shown in fig. 7 is only an example and should not impose any limitation on the scope of use or functionality of embodiments of the invention. The computer device 12 may be any terminal device with computing power, and may be configured in the POS application authority management device.
As shown in FIG. 7, computer device 12 is in the form of a general purpose computing device. The components of computer device 12 may include, but are not limited to: one or more processors or processing units 16, a system memory 28, and a bus 18 that couples various system components including the system memory 28 and the processing unit 16.
Bus 18 may be one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, a processor, or a local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Computer device 12 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computer device 12 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 28 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 30 and/or cache 32. Computer device 12 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 34 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in FIG. 7, and commonly referred to as a "hard drive"). Although not shown in FIG. 7, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to bus 18 by one or more data media interfaces. System memory 28 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
A program/utility 40 having a set (at least one) of program modules 42 may be stored, for example, in system memory 28, such program modules 42 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may comprise an implementation of a network environment. Program modules 42 generally carry out the functions and/or methodologies of the described embodiments of the invention.
Computer device 12 may also communicate with one or more external devices 14 (e.g., keyboard, pointing device, display 24, etc.), with one or more devices that enable a user to interact with computer device 12, and/or with any devices (e.g., network card, modem, etc.) that enable computer device 12 to communicate with one or more other computing devices. Such communication may be through an input/output (I/O) interface 22. Also, computer device 12 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via network adapter 20. As shown, network adapter 20 communicates with the other modules of computer device 12 via bus 18. It should be appreciated that although not shown in FIG. 7, other hardware and/or software modules may be used in conjunction with computer device 12, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 16 executes various functional applications and data processing by executing programs stored in the system memory 28, for example, implementing a method for managing authority of a POS application provided by the embodiment of the present invention, the method including:
acquiring user-defined setting information of at least one application permission of a user to a target application, encrypting the user-defined setting information, and generating a user-defined permission information file;
writing the user-defined authority information file into an original packed file of the target application to obtain an updated packed file;
carrying out encryption signing on the updated packed file to generate a signature file, and writing the signature file into the updated packed file to obtain a final packed file of the target application;
and sending the final packed file to a target POS machine terminal so that the target POS machine terminal can determine the authority setting of the target application at the target POS machine terminal based on the user-defined authority information file in the final packed file and the authority information in the Manifest file.
The present embodiment provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements a method for managing POS application authority, according to any embodiment of the present invention, where the method includes:
acquiring user-defined setting information of at least one application permission of a user to a target application, encrypting the user-defined setting information, and generating a user-defined permission information file;
writing the user-defined authority information file into an original packed file of the target application to obtain an updated packed file;
carrying out encryption signing on the updated packed file to generate a signature file, and writing the signature file into the updated packed file to obtain a final packed file of the target application;
and sending the final packed file to a target POS machine terminal so that the target POS machine terminal can determine the authority setting of the target application at the target POS machine terminal based on the user-defined authority information file in the final packed file and the authority information in the Manifest file.
Computer storage media for embodiments of the invention may employ any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer-readable storage medium may be, for example but not limited to: an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++, or the like, as well as conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It will be understood by those skilled in the art that the modules or steps of the present invention described above can be implemented by a general purpose computing device, they can be centralized in a single computing device or distributed over a network of multiple computing devices, and they can alternatively be implemented by program code executable by a computing device, so that they can be stored in a storage device and executed by a computing device, or they can be separately fabricated into various integrated circuit modules, or multiple modules or steps thereof can be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
It should be noted that the foregoing describes only exemplary embodiments of the invention and the technical principles employed. Those skilled in the art will appreciate that the present invention is not limited to the particular embodiments described herein, and that various obvious changes, rearrangements and substitutions can be made by those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in some detail through the above embodiments, the invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the invention; the scope of the invention is determined by the scope of the appended claims.

Claims (10)

1. A POS machine application authority management method, applied to an authority management end, characterized by comprising the following steps:
acquiring user-defined setting information of at least one application permission of a user to a target application, encrypting the user-defined setting information, and generating a user-defined permission information file;
writing the user-defined authority information file into an original packed file of the target application to obtain an updated packed file;
encrypting and signing the updated packaged file to generate a signature file, and writing the signature file into the updated packaged file to obtain a final packaged file of the target application;
and sending the final packed file to a target POS machine terminal so that the target POS machine terminal determines the permission setting of the target application at the target POS machine terminal based on the user-defined permission information file in the final packed file and the permission information in the Manifest file.
2. The method of claim 1, wherein encrypting the customization information comprises:
and encrypting the user-defined setting information by using a private key in a work certificate public and private key pair generated in advance by the authority management terminal.
3. The method of claim 2, wherein cryptographically signing the updated packaged file generates a signature file, comprising:
performing data summarization on the updated packed file and the corresponding signature description information, calculating a hash value of the data summarization to obtain a first hash value, and performing filling processing on the first hash value;
carrying out encryption signature on the first hash value subjected to the filling processing by using a private key in the work certificate public and private key pair to generate signed first hash value data;
and generating a signature file according to the signature description information, the working public key certificate and the signed first hash value data.
4. A POS machine application authority management method, applied to a POS machine terminal, characterized by comprising the following steps:
when a packed file of a target application to be installed is obtained, analyzing and verifying the packed file;
when analysis shows that the packaged file contains the user-defined permission information file, setting the application permission of the target application to be installed according to first permission setting information in the user-defined permission information file and second permission setting information in a Manifest file in the packaged file, and completing installation of the target application to be installed.
5. The method of claim 4, wherein setting the application permission of the target application to be installed according to first permission setting information in the custom permission information file and second permission setting information in a Manifest file in the package file comprises:
matching the setting information of the same authority setting item in the first authority setting information and the second authority setting information;
and when the same authority setting item is set to have authority in both the first authority setting information and the second authority setting information, granting the target application to be installed the authority of the corresponding authority setting item.
6. The method of claim 4, wherein parsing and verifying the packaged file comprises:
analyzing the packed file to obtain the packed file written with the user-defined authority information file, and a signature file;
verifying the validity of a working public key certificate in the signature file according to a public key in a public and private key pair of a root certificate preset by the POS machine terminal;
when the work public key certificate in the signature file passes the verification, extracting work certificate public key information from the work public key certificate in the signature file, and decrypting based on the work certificate public key information to obtain a work certificate private key;
analyzing the signature file through the work certificate private key to obtain signature description information of the packed file and an original hash value of the signature description information;
performing data summarization on the packed file written with the user-defined permission information file and the signature description information, and calculating a hash value of the data summarization to obtain a second hash value;
and comparing the second hash value with the original hash value, completing the verification of the packed file when the second hash value is the same as the original hash value, and ending the installation process of the target application to be installed if the second hash value is not the same as the original hash value.
7. A POS machine application authority management device configured at an authority management end is characterized by comprising:
the user-defined permission file generation module is used for acquiring user-defined setting information of at least one application permission of a user to a target application, encrypting the user-defined setting information and generating a user-defined permission information file;
the application packed file updating module is used for writing the user-defined permission information file into an original packed file of the target application to obtain an updated packed file;
the application packaging file signature encryption module is used for encrypting and signing the updated packaging file to generate a signature file, and writing the signature file into the updated packaging file to obtain a final packaging file of the target application;
and the packed file sending module is used for sending the final packed file to a target POS machine terminal so as to enable the target POS machine terminal to determine the authority setting of the target application at the target POS machine terminal based on the user-defined authority information file in the final packed file and the authority information in the Manifest file.
8. A POS application authority management device provided in a POS terminal, comprising:
the installation file analysis module is used for analyzing and verifying the packed file of the target application to be installed when the packed file is obtained;
and the application permission setting module is used for setting the application permission of the target application to be installed according to first permission setting information in the user-defined permission information file and second permission setting information in a Manifest file in the packaged file when the packaged file has the user-defined permission information file, and completing installation of the target application to be installed.
9. A server apparatus, characterized in that the server apparatus comprises:
one or more processors;
a memory for storing one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the POS application rights management method of any of claims 1-6.
10. A computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the POS application rights management method according to any one of claims 1 to 6.
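The terminal-side checks of claims 5 and 6, sketched as an added example (not code from the patent): the digest over the packaged file plus signature description is compared with the signed value, installation stops on mismatch, and a permission is granted only when both the user-defined file and the Manifest grant it. SHA-256, the JSON package layout, all names, and denying items missing from either file are assumptions; the original hash is assumed to have been recovered from a signature file whose work public key certificate already verified against the preset root certificate, and decryption of the user-defined permission file is omitted.

```python
import hashlib
import hmac
import json

class InstallRejected(Exception):
    """Verification failed; the installation flow must stop."""

def package_digest(package: bytes, sig_description: bytes) -> bytes:
    # Digest over the packaged file plus its signature description.
    # SHA-256 and the length prefixes are assumptions; the prefixes keep
    # the boundary between the two inputs unambiguous.
    h = hashlib.sha256()
    for part in (package, sig_description):
        h.update(len(part).to_bytes(8, "big"))
        h.update(part)
    return h.digest()

def effective_permissions(custom: dict, manifest: dict) -> set:
    # Granted only when both files mark the item as granted; an item missing
    # from either file, or not exactly True, stays denied (assumption).
    return {p for p, v in custom.items()
            if v is True and manifest.get(p) is True}

def install(package: bytes, sig_description: bytes, original_hash: bytes) -> set:
    second_hash = package_digest(package, sig_description)
    if not hmac.compare_digest(second_hash, original_hash):
        raise InstallRejected("package digest does not match signed digest")
    # Permission data is parsed only after the package has been verified.
    content = json.loads(package)
    return effective_permissions(content["custom_permissions"],
                                 content["manifest"])

# Constructed sample: a JSON stand-in for the real packaged file.
SAMPLE = json.dumps({
    "manifest": {"CAMERA": True, "PRINTER": True, "CARD_READER": True},
    "custom_permissions": {"CAMERA": False, "PRINTER": True, "NETWORK": True},
}).encode()
SIG_DESC = b"constructed signature description"
SIGNED_HASH = package_digest(SAMPLE, SIG_DESC)  # stands in for the signed value

if __name__ == "__main__":
    print(sorted(install(SAMPLE, SIG_DESC, SIGNED_HASH)))
    tampered = SAMPLE.replace(b'"CAMERA": false', b'"CAMERA": true')
    try:
        install(tampered, SIG_DESC, SIGNED_HASH)
    except InstallRejected as exc:
        print("rejected:", exc)
```

Because the user-defined permission file sits inside the hashed package, editing it after signing changes the second hash and the install is refused before any permission is parsed.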
CN202211266538.8A 2022-10-17 2022-10-17 POS machine application authority management method, device, equipment and storage medium Pending CN115454458A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211266538.8A CN115454458A (en) 2022-10-17 2022-10-17 POS machine application authority management method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115454458A true CN115454458A (en) 2022-12-09

Family

ID=84309973

Country Status (1)

Country Link
CN (1) CN115454458A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination