CN116263815A - JWT-based software authorization method - Google Patents

JWT-based software authorization method

Info

Publication number
CN116263815A
Authority
CN (China)
Prior art keywords
authorization, jwt, file, equipment, information
Legal status
Pending
Application number
CN202111515517.0A
Other languages
Chinese (zh)
Inventor
刘文璞
王金清
Current Assignee
Shandong Chinasoft Goldencis Software Co ltd
Original Assignee
Shandong Chinasoft Goldencis Software Co ltd
Priority date
2021-12-13
Filing date
2021-12-13
Publication date
2023-06-16

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/121 Restricting unauthorised execution of programs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Technology Law (AREA)
  • Multimedia (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a JWT-based software authorization method comprising the following steps. Step one, generating an authorization file: the various constraint information items are organized and signed to form a JWT authorization file. Step two, installing the authorization file: signature verification and constraint-information consistency verification are carried out on the authorization file. The invention adopts the open JWT standard as the main format of the authorization file, signs the JWT payload part with the RSA asymmetric algorithm, and separates the public and private keys, which solves the key-leakage risk and the compatibility problems of the traditional approach. The invention forms the device fingerprint by collecting multiple device features, which prevents the risk of counterfeiting a single feature. The invention adopts a mechanism for judging abnormal adjustment of the system time (the current verification is compared with the historical verification records, and an abnormal adjustment is judged if the difference exceeds a threshold value), which removes the risk of modifying the system time to bypass the verification mechanism.

Description

JWT-based software authorization method
Technical Field
The invention relates to a JWT-based software authorization method and belongs to the technical field of software authorization.
Background
In order for the authorization file to be decrypted and checked for tampering during software deployment, the private key used for encryption and hashing is usually stored inside the software being deployed. Even if the private key is stored in a very concealed way, an attacker can still obtain it by various means, and the authorization authentication mechanism is thereby broken. In addition, the encryption and decryption process of the traditional approach is implemented in a secret and hidden manner, so authorization compatibility with third-party and heterogeneous systems is poor.
In order to prevent authorized software from being deployed again on other devices, the authorization file usually contains a unique identifier of the target deployment device, and during installation of the authorization file it is checked whether this identifier is consistent with the unique identifier of the current device. Typically the unique identifier is obtained by querying certain unique information in the system, such as a hard disk serial number or a MAC address, through commands. This approach is known to attackers, who can easily forge the unique identifier and so bypass the authorization authentication mechanism.
In order to ensure that the authorized software cannot continue to be used after the authorization expires, the authorization file usually contains authorization validity information; while the software runs, it verifies whether the current server time lies within the authorization validity period and terminates the program functions if it does not. If no other security mechanism provides a guarantee, an attacker can bypass the validity check by modifying the server time after the authorization has expired.
Disclosure of Invention
In order to solve these problems, the invention provides a JWT-based software authorization method whose specific technical scheme is as follows.
A JWT-based software authorization method comprises the following steps:
Step one, generating an authorization file: the various constraint information items are organized and signed to form a JWT authorization file.
The specific steps of authorization file generation are as follows:
a. The unique identifier of the device, provided by the deployment environment, is input, the software constraint information content is set, and the authorization information is formed as a JSON structure;
b. The JSON authorization information is Base64 encoded, and the encoding result is placed in the payload part of the JWT;
c. A JSON description stating that RSA signing is used is formed, Base64 encoded, and placed in the header of the JWT;
d. The header and payload parts of the JWT are signed with the private key of the software-authorization RSA key pair: the header and payload content are first hashed, the hash value is then encrypted with the RSA private key, and the encrypted result is placed in the signature part of the JWT;
e. The header, payload and signature are assembled into the JWT content, which is written to a file to produce the JWT authorization file.
Step two, installing the authorization file: signature verification and constraint-information consistency verification are carried out on the authorization file.
Preferably, the specific steps of installing the authorization file are as follows:
a. The public key of the software-authorization RSA key pair, embedded in the deployment program, is used to decrypt the signature content of the JWT authorization file; if the signature content cannot be decrypted normally, signature verification fails. After normal decryption a hash value is obtained and compared with the hash of the header and payload of the JWT authorization file; if they are inconsistent, the authorization may have been tampered with, and if they are consistent, the next step is entered;
b. The payload content of the JWT authorization file is Base64 decoded to obtain the authorization information description JSON;
c. The constraint information content is compared with the corresponding information of the current environment; if any inconsistency exists, the corresponding authorization-failure handling is executed, and if everything lies within the consistent range, the next step is executed;
d. The identification information that makes up the unique identifier of the current deployment device is read, the items are concatenated according to a rule and hashed to produce the primary fingerprint of the device; at the same time, hashes are also computed over multi-element combinations of the identification items, forming several auxiliary fingerprints of the device. The verification process performs a matching calculation over the primary and auxiliary fingerprints, and the device identity is considered matched when the match result exceeds a threshold;
e. The authorization check record data is read, and the relationship between the current time and the timestamps in the records is analyzed to judge whether an abnormal system-time modification exists.
Furthermore, the verification record data structure is designed as a chain: when the current information is recorded, the mark of the previous verification is recorded together with it. Under normal conditions the whole chained check record should form a sequence of increasing timestamps; if a system-time modification has occurred, a node violating the increasing-time rule is inserted at check time, and an abnormal state should be determined at that moment. Alternatively, a threshold is introduced at determination time, and the state is determined to be normal when the time difference is smaller than the threshold.
Furthermore, in step d of installing the authorization file, the verification process can also configure the weights of the primary and auxiliary fingerprints, and under strict matching only primary-fingerprint matching may be enabled.
Further, the unique identifier of the device is a device fingerprint formed by collecting multiple device features.
Further, the information collected from the multiple device features comprises the device disk ID, the CPU ID, the MAC address and the motherboard serial number.
Further, the constraint information comprises the number of installation copies, the use time, the application range and the function modules.
The invention adopts the open JWT standard as the main format of the authorization file, signs the JWT payload part with the RSA asymmetric algorithm, and separates the public and private keys, which solves the key-leakage risk and the compatibility problems of the traditional approach. The invention forms the device fingerprint by collecting multiple device features, which prevents the risk of counterfeiting a single feature. The invention adopts a mechanism for judging abnormal adjustment of the system time (the current verification is compared with the historical verification records, and an abnormal adjustment is judged if the difference exceeds a threshold value), which removes the risk of modifying the system time to bypass the verification mechanism.
Drawings
FIG. 1 is a workflow diagram of the authorization document generation of the present invention.
FIG. 2 is a flow chart of the authorization file installation process of the present invention.
Detailed Description
The following is a clear and complete description of the embodiments of the present invention with reference to the accompanying drawings; evidently the embodiments described are only some, not all, of the embodiments of the invention. All other embodiments obtained by those skilled in the art on the basis of these embodiments without inventive effort fall within the scope of the invention.
Software authorization: software authorization is an extension and development of the concept of software protection. It aims to let a software user use the software according to the purchased permission, and covers the number of software installations, the use time, the application range, the function modules and similar content.
Hash: the transformation of an input of arbitrary length into an output of fixed length by a hashing algorithm; commonly applied in the fields of retrieval and security.
Authorization information: descriptive information about software usage constraints, such as the number of installations, the use time, the application range and the function modules.
Authorization file: to ensure that the authorization file is not decrypted or tampered with in transit, the authorization file scheme generally uses encryption, hashing and similar algorithms to convert plaintext authorization information into a tamper-proof ciphertext authorization file. If the authorization information contains no sensitive information, the authorization process may omit encryption, but a tamper-proofing mechanism is indispensable in every case.
Device unique identifier (device fingerprint): identity information of a device that can uniquely identify that device.
JWT: an open JSON-based standard, typically used to pass authenticated user identity information between identity providers and service providers.
The authorization process is divided into two sub-processes, authorization file generation and authorization file installation. After generation the authorization file is distributed to the software deployment environment; during execution the authorization file and the deployment environment are checked, and the whole authorization process is complete once the check finishes.
Specifically, the JWT-based software authorization method comprises the following steps:
step one: and (3) generating an authorization file: organizing and signing various constraint information to form a JWT authorization file;
as shown in fig. 1, the specific steps of the authorization file generation are as follows:
a. the unique identifier of the equipment provided by the deployment environment is input, the software constraint information content is set, and the JSON structure authorization information is formed; the unique device identifier is a device fingerprint formed by adopting a device multi-feature acquisition mode, and the information acquired by the device multi-feature comprises a device disk ID, a CPU ID, a mac address and a motherboard serial number; the constraint information comprises the contents of the number of installation copies, the use time, the application range, the function module and the like;
b. base64 encoding is carried out on the JSON structure authorization information, and the encoding result is placed in a payload load part of the JWT;
c. forming a JSON description file by an RSA signature mode, performing Base64 coding, and then placing the JSON description file in a header of the JWT;
d. signing the header and payload portions of the JWT using a private key of an RSA keyPair public-private key pair with software authorization; firstly, hashing a header and payload content, then encrypting the hash value by using an RSA private key, and placing the encrypted content in a signature of the JWT;
e. organizing header, payload, signature into JWT content and writing the JWT content into a file to generate a JWT authorization file;
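Steps (b) to (e) above, together with the signature check that the installation side performs in its steps (a) and (b), as an added Go example; this is not code from the patent or its applicant. The JSON field names, the RS256 header value and the choice of RSA PKCS#1 v1.5 as the hash-then-encrypt signing scheme are assumptions made to match the description.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// AuthInfo is the JSON authorization information of step one (a). The JSON
// field names are assumptions; the patent only lists the kinds of constraint.
type AuthInfo struct {
	DeviceFingerprint string   `json:"device_fp"`      // device unique identifier
	InstallCopies     int      `json:"install_copies"` // number of installation copies
	NotAfter          int64    `json:"not_after"`      // use-time limit, Unix seconds
	Scope             string   `json:"scope"`          // application range
	Modules           []string `json:"modules"`        // licensed function modules
}

// JWT segments use unpadded base64url, not plain Base64.
var b64 = base64.RawURLEncoding

// GenerateAuthFile is steps one (b) to (e): encode header and payload, hash
// "header.payload" with SHA-256, encrypt the digest with the vendor's RSA
// private key (PKCS#1 v1.5 signing, JWT alg RS256) and join the three parts.
func GenerateAuthFile(priv *rsa.PrivateKey, info AuthInfo) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(info)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyAuthFile is steps two (a) and (b), run by the deployed program, which
// holds only the public key. The alg is pinned to RS256 before anything is
// trusted, so a header rewritten to "none" or to an HMAC alg is rejected.
func VerifyAuthFile(pub *rsa.PublicKey, token string) (AuthInfo, error) {
	var info AuthInfo
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return info, errors.New("malformed authorization file")
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return info, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "RS256" {
		return info, errors.New("header alg is not RS256")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return info, err
	}
	// Step two (a): recompute the hash of header.payload; VerifyPKCS1v15
	// performs the "decrypt with the public key and compare hashes" check.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return info, errors.New("signature check failed: authorization file may be tampered")
	}
	// Step two (b): only now decode the payload into the authorization JSON.
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return info, err
	}
	if err := json.Unmarshal(payload, &info); err != nil {
		return info, err
	}
	return info, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // only priv.PublicKey ships with the software
	token, _ := GenerateAuthFile(priv, AuthInfo{DeviceFingerprint: "constructed-fingerprint",
		InstallCopies: 1, NotAfter: 1767225600, Scope: "internal", Modules: []string{"report"}})
	got, err := VerifyAuthFile(&priv.PublicKey, token)
	fmt.Println("verified:", err == nil, "copies:", got.InstallCopies)
}
```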
step two: and (3) installing an authorization file: and carrying out signature verification and constraint information consistency verification on the authorization file.
As shown in fig. 2, the specific steps of the installation of the authorization file are as follows:
a. using a public key in a software authorization RSA keyPair public-private key pair in a deployment program to decrypt the signature content in the JWT authorization file, and if the signature content cannot be decrypted normally, checking the signature content to be failed; after normal decryption, obtaining a hash value, comparing the hash value with the hash of the header and payload of the JWT authorization file, if the hash value is inconsistent, indicating that the authorization can be tampered, and if the hash value is consistent, entering the next step;
b. performing Base64 inverse coding on payload content in a JWT authorization file to obtain an authorization information description JSON;
c. comparing the constraint information content with the corresponding information of the current environment, if inconsistent conditions exist, executing corresponding authorization failure processing, and if consistent ranges exist, executing the next step;
d. reading the identification information of the unique identification of the equipment of the current deployment equipment, and calculating a hash value as the main fingerprint of the equipment after splicing the identification information according to rules; meanwhile, hash calculation is also carried out on the multi-element combination of the identification information, so that a plurality of equipment auxiliary fingerprints are formed; the verification process can carry out matching calculation according to the main fingerprint and the auxiliary fingerprint of the equipment, and the equipment can be identified as equipment identification matching when the verification process is larger than a threshold value; considering the condition that the system time is modified normally and slightly, the verification process can also configure the weights of the main fingerprint and the auxiliary fingerprint, and only the main fingerprint matching can be started under the condition of strict matching;
e. and reading the authorization check record data, and analyzing the corresponding relation between the current time and the time stamp in the record to judge whether abnormal system time modification exists.
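Step (d) above, the primary and auxiliary device fingerprints with weighted threshold matching and the strict mode, as an added Go example that is not the patent's code. The concatenation rule (a fixed feature order with a separator), pairwise auxiliary fingerprints and the even split of the auxiliary weight are assumptions, since the text leaves them open; the sample feature values are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// DeviceFeatures are the four features the patent collects for the fingerprint.
// The sample values used below are constructed, not read from real hardware.
type DeviceFeatures struct {
	DiskID, CPUID, MAC, BoardSerial string
}

// Fingerprints: the primary fingerprint hashes all features joined in a fixed
// order; each auxiliary fingerprint hashes one pair of features.
type Fingerprints struct {
	Primary   string
	Auxiliary []string
}

// hashJoin joins the items with a separator and returns the hex SHA-256.
func hashJoin(items ...string) string {
	sum := sha256.Sum256([]byte(strings.Join(items, "|")))
	return hex.EncodeToString(sum[:])
}

// ComputeFingerprints is step two (d): one primary hash plus the six pairwise
// auxiliary hashes. The same function runs at generation and at installation.
func ComputeFingerprints(d DeviceFeatures) Fingerprints {
	feats := []string{d.DiskID, d.CPUID, d.MAC, d.BoardSerial}
	fp := Fingerprints{Primary: hashJoin(feats...)}
	for i := range feats {
		for j := i + 1; j < len(feats); j++ {
			fp.Auxiliary = append(fp.Auxiliary, hashJoin(feats[i], feats[j]))
		}
	}
	return fp
}

// MatchPolicy holds the configurable weights and threshold; with Strict set,
// only the primary fingerprint decides (the strict-matching mode of the text).
type MatchPolicy struct {
	PrimaryWeight, AuxWeight, Threshold float64
	Strict                              bool
}

// MatchScore compares the fingerprints stored in the authorization file with
// those computed now. A primary match adds PrimaryWeight; AuxWeight is split
// evenly over the auxiliary fingerprints, so a device with one replaced part
// still scores on the pairs that do not involve that part. The second result
// is the step (d) decision: score strictly above the threshold.
func MatchScore(stored, current Fingerprints, p MatchPolicy) (float64, bool) {
	primaryOK := stored.Primary == current.Primary
	score := 0.0
	if primaryOK {
		score += p.PrimaryWeight
	}
	if p.Strict {
		return score, primaryOK
	}
	known := make(map[string]bool, len(stored.Auxiliary))
	for _, a := range stored.Auxiliary {
		known[a] = true
	}
	for _, a := range current.Auxiliary {
		if known[a] {
			score += p.AuxWeight / float64(len(stored.Auxiliary))
		}
	}
	return score, score > p.Threshold
}

func main() {
	dev := DeviceFeatures{DiskID: "DISK-0001", CPUID: "CPU-0001", MAC: "00:11:22:33:44:55", BoardSerial: "MB-0001"}
	stored := ComputeFingerprints(dev) // what the authorization file would carry
	dev.MAC = "66:77:88:99:aa:bb"     // network card replaced after licensing
	pol := MatchPolicy{PrimaryWeight: 0.5, AuxWeight: 0.5, Threshold: 0.7}
	score, ok := MatchScore(stored, ComputeFingerprints(dev), pol)
	fmt.Printf("score %.2f, matched %v\n", score, ok) // 0.25, false: three of six pairs survive
}
```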
The verification record data structure is designed as a chain: when the current information is recorded, the mark of the previous verification is recorded together with it. Under normal conditions the whole chained check record should form a sequence of increasing timestamps; if a system-time modification has occurred, a node violating the increasing-time rule is inserted at check time, and an abnormal state should be determined at that moment. Alternatively, a threshold is introduced at determination time, and the state is determined to be normal when the time difference is smaller than the threshold.
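The chained verification record of step (e) and the paragraph above, as an added Go example that is not the patent's code. It assumes the mark of a node is a SHA-256 over its timestamp and the previous node's mark, and uses the threshold the text introduces as a tolerance in seconds; the timestamps are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
)

// CheckRecord is one node of the chained verification record: the mark of the
// previous check is stored with the current timestamp, and the node's own mark
// hashes both, so a record cannot be edited, dropped or reordered silently.
type CheckRecord struct {
	Timestamp int64 // system time at the check, Unix seconds
	PrevMark  string
	Mark      string
}

// recordMark binds a timestamp to the previous node's mark (hex SHA-256).
func recordMark(ts int64, prevMark string) string {
	sum := sha256.Sum256([]byte(strconv.FormatInt(ts, 10) + "|" + prevMark))
	return hex.EncodeToString(sum[:])
}

// AppendCheck is step two (e). It re-validates every link of the stored chain
// and its increasing time order, then compares the current time with the last
// recorded check: a clock that went backwards by more than tolerance seconds
// is judged an abnormal system-time modification, and the chain is returned
// unchanged with an error. Small backward drift within tolerance is accepted.
func AppendCheck(chain []CheckRecord, now, tolerance int64) ([]CheckRecord, error) {
	prev := ""
	for i, r := range chain {
		if r.PrevMark != prev || r.Mark != recordMark(r.Timestamp, r.PrevMark) {
			return chain, fmt.Errorf("record %d: chain link broken, record store tampered", i)
		}
		if i > 0 && r.Timestamp < chain[i-1].Timestamp {
			return chain, fmt.Errorf("record %d: violates increasing time order", i)
		}
		prev = r.Mark
	}
	if n := len(chain); n > 0 && chain[n-1].Timestamp-now > tolerance {
		return chain, errors.New("system time earlier than last check beyond tolerance")
	}
	node := CheckRecord{Timestamp: now, PrevMark: prev, Mark: recordMark(now, prev)}
	return append(chain, node), nil
}

func main() {
	// Constructed timestamps: two normal checks, then the clock set back by about 3 hours.
	chain, _ := AppendCheck(nil, 1700000000, 60)
	chain, _ = AppendCheck(chain, 1700003600, 60)
	_, err := AppendCheck(chain, 1699993600, 60)
	fmt.Println("records:", len(chain), "rollback detected:", err != nil)
}
```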
The whole process realizes an open and secure software authorization scheme through public/private key separation, multi-identifier coverage of the device fingerprint, system time-sequence judgment and other means. The method is both open and secure, can effectively improve the cross-platform compatibility of the authorization file, and can effectively prevent failure of the authorization mechanism through private-key leakage, device-identifier counterfeiting, system-time counterfeiting and the like.
Although the present invention has been described with reference to the foregoing embodiments, it will be apparent to those skilled in the art that the described embodiments may be modified or their elements replaced by equivalents; any modifications, equivalent replacements, improvements and changes made without departing from the spirit and principles of the present invention remain within its scope.

Claims (7)

1. A JWT-based software authorization method, characterized in that the method comprises the following steps:
Step one, generating an authorization file: the various constraint information items are organized and signed to form a JWT authorization file.
The specific steps of authorization file generation are as follows:
a. The unique identifier of the device, provided by the deployment environment, is input, the software constraint information content is set, and the authorization information is formed as a JSON structure;
b. The JSON authorization information is Base64 encoded, and the encoding result is placed in the payload part of the JWT;
c. A JSON description stating that RSA signing is used is formed, Base64 encoded, and placed in the header of the JWT;
d. The header and payload parts of the JWT are signed with the private key of the software-authorization RSA key pair: the header and payload content are first hashed, the hash value is then encrypted with the RSA private key, and the encrypted result is placed in the signature part of the JWT;
e. The header, payload and signature are assembled into the JWT content, which is written to a file to produce the JWT authorization file.
Step two, installing the authorization file: signature verification and constraint-information consistency verification are carried out on the authorization file.
2. The JWT-based software authorization method of claim 1, wherein the specific steps of installing the authorization file are as follows:
a. The public key of the software-authorization RSA key pair, embedded in the deployment program, is used to decrypt the signature content of the JWT authorization file; if the signature content cannot be decrypted normally, signature verification fails. After normal decryption a hash value is obtained and compared with the hash of the header and payload of the JWT authorization file; if they are inconsistent, the authorization may have been tampered with, and if they are consistent, the next step is entered;
b. The payload content of the JWT authorization file is Base64 decoded to obtain the authorization information description JSON;
c. The constraint information content is compared with the corresponding information of the current environment; if any inconsistency exists, the corresponding authorization-failure handling is executed, and if everything lies within the consistent range, the next step is executed;
d. The identification information that makes up the unique identifier of the current deployment device is read, the items are concatenated according to a rule and hashed to produce the primary fingerprint of the device; at the same time, hashes are also computed over multi-element combinations of the identification items, forming several auxiliary fingerprints of the device. The verification process performs a matching calculation over the primary and auxiliary fingerprints, and the device identity is considered matched when the match result exceeds a threshold;
e. The authorization check record data is read, and the relationship between the current time and the timestamps in the records is analyzed to judge whether an abnormal system-time modification exists.
3. The JWT-based software authorization method of claim 2, wherein the verification record data structure is designed as a chain: when the current information is recorded, the mark of the previous verification is recorded together with it. Under normal conditions the whole chained check record should form a sequence of increasing timestamps; if a system-time modification has occurred, a node violating the increasing-time rule is inserted at check time, and an abnormal state should be determined at that moment. Alternatively, a threshold is introduced at determination time, and the state is determined to be normal when the time difference is smaller than the threshold.
4. The JWT-based software authorization method of claim 2, wherein in step d of installing the authorization file the verification process can also configure the weights of the primary and auxiliary fingerprints, and under strict matching only primary-fingerprint matching may be enabled.
5. The JWT-based software authorization method of claim 2, wherein the unique identifier of the device is a device fingerprint formed by collecting multiple device features.
6. The JWT-based software authorization method of claim 2, wherein the information collected from the multiple device features comprises the device disk ID, the CPU ID, the MAC address and the motherboard serial number.
7. The JWT-based software authorization method of claim 2, wherein the constraint information comprises the number of installation copies, the use time, the application range and the function modules.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111515517.0A CN116263815A (en) 2021-12-13 2021-12-13 JWT-based software authorization method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111515517.0A CN116263815A (en) 2021-12-13 2021-12-13 JWT-based software authorization method

Publications (1)

Publication Number Publication Date
CN116263815A true CN116263815A (en) 2023-06-16

Family

ID=86721890

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111515517.0A Pending CN116263815A (en) 2021-12-13 2021-12-13 JWT-based software authorization method

Country Status (1)

Country Link
CN (1) CN116263815A (en)


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination