CN116455633B - Digital certificate verification method and device, electronic equipment and storage medium - Google Patents

Publication number
CN116455633B
Authority
CN
China
Prior art keywords
certificate
digital certificate
domain name
revoked
record
Prior art date
Legal status
Active
Application number
CN202310406133.8A
Other languages
Chinese (zh)
Other versions
CN116455633A (en)
Inventor
王继龙
张程远
安常青
祖林美
Current Assignee
Tsinghua University
Original Assignee
Tsinghua University
Priority date
Filing date
Publication date
Application filed by Tsinghua University
Priority to CN202310406133.8A
Publication of CN116455633A
Application granted
Publication of CN116455633B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The present disclosure provides a digital certificate verification method and device, an electronic apparatus, and a storage medium. The method includes: acquiring a domain name input by a user and a digital certificate corresponding to the domain name; sending a first request message to a Domain Name System (DNS) server, the first request message requesting the revoked digital certificate record corresponding to the domain name; receiving a first response message sent by the DNS server, the first response message including the revoked digital certificate record; and determining the verification result of the digital certificate corresponding to the domain name according to that digital certificate and the revoked digital certificate record. By extending the DNS service to store certificate revocation data, the domain name owner can revoke its own digital certificate in a timely manner, which avoids the security risk caused by excessive dependence on a third-party CA. In addition, the browser does not need to establish an additional connection when it queries the certificate revocation status, which effectively reduces the delay of the browser's certificate status check and avoids the risk of disclosing user privacy.

Description

Digital certificate verification method and device, electronic equipment and storage medium
Technical Field
The disclosure relates to the field of network public key infrastructure security technologies, in particular to the field of digital certificate revocation and verification, and more particularly to a digital certificate verification method, device, electronic equipment and storage medium.
Background
In the Web Public Key Infrastructure (Web PKI), the trust anchor is mainly the certificate authority (CA). During the Transport Layer Security (TLS) handshake, the browser receives the digital certificate sent by the domain name and verifies its signature with the public key of the CA, thereby confirming that the digital certificate is valid. If the private key of a digital certificate is leaked or its encryption algorithm is no longer secure, the certificate needs to be revoked promptly to avoid the security risks that unsafe certificates bring, such as phishing websites. Revocation and verification of digital certificates is therefore an indispensable mechanism for the secure and efficient operation of Web PKI.
In the related art, the digital certificate revocation mechanisms are the certificate revocation list (CRL) and the Online Certificate Status Protocol (OCSP). The infrastructure behind both is maintained by the CA, and the browser must download the CRL from the CA or send an OCSP request to verify the status of a certificate. These two schemes have the following problems. First, a trusted connection to the CA must additionally be established, which increases the delay of the user's access to the website. Second, the website accessed by the user must be disclosed to the CA, which leaks the user's privacy. Third, whether a certificate is revoked is completely controlled by the CA, and the domain name owner, as the party the digital certificate actually represents, has no right to revoke the certificate directly; as a result, if the CA is attacked and colludes with an attacker, the unsafe certificate may not be revoked in time. This poses a significant security risk to the secure and efficient operation of Web PKI.
Therefore, optimizing and reconstructing the digital certificate revocation and verification mechanism is of great significance for improving the security of Web PKI.
Disclosure of Invention
The present disclosure aims to solve, at least to some extent, one of the technical problems in the related art.
To this end, a digital certificate verification method is provided. By extending the DNS service to store certificate revocation data, the domain name owner can revoke its own digital certificate in a timely manner, which avoids the security risk caused by excessive dependence on a third-party CA. In addition, the browser does not need to establish an additional connection when it queries the certificate revocation status, which effectively reduces the delay of the browser's certificate status check and avoids the risk of disclosing user privacy.
Another object of the present disclosure is to provide a digital certificate verification method, apparatus, electronic device, and storage medium.
To achieve the above object, an aspect of the present disclosure provides a digital certificate verification method, including: acquiring a domain name input by a user and a digital certificate corresponding to the domain name; sending a first request message to a Domain Name System (DNS) server; the first request message is used for requesting to acquire a revoked digital certificate record corresponding to the domain name; receiving a first response message sent by a DNS server, wherein the first response message comprises a revoked digital certificate record; and determining the verification result of the digital certificate corresponding to the domain name according to the digital certificate corresponding to the domain name and the revoked digital certificate record.
In addition, the digital certificate verification method according to the above embodiment of the present disclosure may further have the following additional technical features:
In some embodiments, obtaining a digital certificate corresponding to a domain name includes: sending a second request message to the DNS server, the second request message requesting the Internet Protocol (IP) address to which the domain name resolves; receiving a second response message sent by the DNS server, the second response message including the IP address; and establishing a Transport Layer Security (TLS) connection with the IP address, performing the TLS handshake, and obtaining the digital certificate corresponding to the domain name.
In some embodiments, determining the verification result of the digital certificate corresponding to the domain name according to the digital certificate corresponding to the domain name and the revoked digital certificate record includes: if the digital certificate is in the revoked state in the revoked digital certificate record, determining that the digital certificate has been revoked as a result of the verification.
In some embodiments, if the digital certificate is in an unrevoked state in the revoked digital certificate record, determining a root certificate to be verified and an intermediate certificate to be verified, which correspond to the digital certificate; determining a revoked root certificate list and a revoked intermediate certificate list; and determining the verification result of the digital certificate corresponding to the domain name according to the to-be-verified root certificate and the to-be-verified intermediate certificate corresponding to the digital certificate, and the revoked root certificate list and the revoked intermediate certificate list.
In some embodiments, determining the verification result of the digital certificate corresponding to the domain name according to the root certificate to be verified and the intermediate certificate to be verified corresponding to the digital certificate, and the revoked root certificate list and the revoked intermediate certificate list includes: if the root certificate to be verified is in an unrevoked state in the revoked root certificate list and the intermediate certificate to be verified is in an unrevoked state in the revoked intermediate certificate list, determining that the verification result is that the digital certificate is not revoked; and if the root certificate to be verified is in the revoked state in the revoked root certificate list and/or the intermediate certificate to be verified is in the revoked state in the revoked intermediate certificate list, determining that the verification result is that the digital certificate is revoked.
In some embodiments, a revoked digital certificate record corresponding to the domain name is stored in the DNS server; the revoked digital certificate record corresponding to the domain name is obtained by the DNS server from the domain name owner.
To achieve the above object, another aspect of the present disclosure provides a digital certificate verification apparatus, including: the information acquisition unit is used for acquiring the domain name input by the user and the digital certificate corresponding to the domain name; a request sending unit, configured to send a first request message to a domain name system DNS server; the first request message is used for requesting to acquire a revoked digital certificate record corresponding to the domain name; the response receiving unit is used for receiving a first response message sent by the DNS server, wherein the first response message comprises a revoked digital certificate record; and the verification processing unit is used for determining a verification result of the digital certificate corresponding to the domain name according to the digital certificate corresponding to the domain name and the revoked digital certificate record.
To achieve the above object, still another aspect of the present disclosure provides an electronic device, including: a processor; a memory for storing processor-executable instructions; wherein the processor is configured to execute the instructions to implement the method described above.
To achieve the above object, yet another aspect of the present disclosure provides a computer-readable storage medium storing computer instructions for causing a computer to perform the above-described method.
To achieve the above object, yet another aspect of the present disclosure provides a computer program product comprising a computer program/instruction which, when executed by a processor, implements the above method.
According to the digital certificate verification method, the device, the electronic equipment and the storage medium, by extending the DNS service to store certificate revocation data, the domain name owner can revoke its own digital certificate in a timely manner, which avoids the security risk caused by excessive dependence on a third-party CA. In addition, the browser does not need to establish an additional connection when it queries the certificate revocation status, which effectively reduces the delay of the browser's certificate status check and avoids the risk of disclosing user privacy.
Additional aspects and advantages of the disclosure will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the disclosure.
Drawings
The foregoing and/or additional aspects and advantages of the present disclosure will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings, in which:
FIG. 1 is a flow chart of a digital certificate verification method provided by an embodiment of the present disclosure;
FIG. 2 is a sample DNS resource record provided by an embodiment of the present disclosure;
FIG. 3 is one example of a certificate revocation list provided by an embodiment of the present disclosure;
FIG. 4 is a flowchart of S1 in a digital certificate verification method provided by an embodiment of the present disclosure;
FIG. 5 is a flow chart of another digital certificate verification method provided by an embodiment of the present disclosure;
FIG. 6 is a flow chart of yet another digital certificate verification method provided by an embodiment of the present disclosure;
FIG. 7 is a block diagram of a digital certificate verification apparatus provided in an embodiment of the present disclosure;
FIG. 8 is a block diagram of an information acquisition unit in a digital certificate verification apparatus provided in an embodiment of the present disclosure;
FIG. 9 is a block diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
It should be noted that, without conflict, the embodiments of the present disclosure and features of the embodiments may be combined with each other. The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
In order that those skilled in the art will better understand the present disclosure, a technical solution in the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present disclosure, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without inventive effort, based on the embodiments in this disclosure, shall fall within the scope of the present disclosure.
The principles and spirit of the present disclosure will be described below with reference to several exemplary embodiments, with the understanding that these embodiments are merely provided to enable those skilled in the art to better understand and practice the present disclosure and are not intended to limit the scope of the present disclosure in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As will be appreciated by one of skill in the art, embodiments of the present disclosure may be embodied as a system, apparatus, device, method or computer program product. Accordingly, the present disclosure may be embodied in the form of entirely hardware, entirely software (including firmware, resident software, micro-code, etc.) or in a combination of hardware and software.
In the related art, as described in the background, the digital certificate verification methods of the two schemes have the following problems. First, a trusted connection to the CA must additionally be established, which increases the delay of the user's access to the website. Second, the website accessed by the user must be disclosed to the CA, which leaks the user's privacy. Third, whether a certificate is revoked is completely controlled by the CA, and the domain name owner, as the party the digital certificate actually represents, has no right to revoke the certificate directly. These problems seriously reduce browsers' willingness to implement the digital certificate revocation verification mechanism, so current browsers almost never implement revocation verification properly, and in practice the mechanism plays almost no role in the current Web PKI system. This poses a significant security risk to the secure and efficient operation of Web PKI.
Therefore, optimizing and reconstructing the digital certificate revocation and verification mechanism is of great significance for improving the security of Web PKI. An aim of embodiments of the present disclosure is to use DNS-related infrastructure to address the pain points in current digital certificate revocation verification mechanisms.
According to the implementations provided by the embodiments of the disclosure, a digital certificate verification method, a device, an electronic device and a storage medium are provided. They change the situation in which a domain name owner must rely on a CA to revoke a certificate, reduce the hidden danger of loss of trust in the CA, and improve the security of the Web PKI system. In addition, the browser does not need to establish an additional connection with the CA to verify the digital certificate, which reduces browsing delay.
Explanation of terms used in this disclosure:
Web PKI: Web Public Key Infrastructure.
CA: certificate authority.
DNS: Domain Name System.
CRL: certificate revocation list.
Root certificate and intermediate certificate: the root certificate issues leaf certificates to domain names on behalf of the CA, and when the browser verifies the validity of a leaf certificate, it checks whether the issuer is in the trusted root list maintained by the operating system or by the browser itself. To relieve the issuing load on the root certificate, the root certificate issues a number of intermediate certificates that exercise the issuing authority in its place. Any digital certificate thus represents its corresponding chain of issuance, trust is passed along the certificate issuing chain, and the trust system of the whole Web PKI takes on a forest-like structure.
Digital certificate verification methods, devices, electronic equipment and storage media according to embodiments of the present disclosure are described below with reference to the accompanying drawings.
Fig. 1 is a flowchart of a digital certificate verification method of an embodiment of the present disclosure.
As shown in fig. 1, the method includes, but is not limited to, the steps of:
S1, acquiring a domain name input by a user and a digital certificate corresponding to the domain name.
In the embodiment of the disclosure, the browser may acquire the domain name and the digital certificate corresponding to the domain name.
It will be appreciated that the user may enter a domain name in the browser, whereby the domain name entered by the user may be obtained.
To obtain the digital certificate corresponding to the domain name, the browser can establish a TLS connection to the Internet Protocol address (IP address) corresponding to the domain name and receive the digital certificate that the domain name sends to the browser during the TLS handshake.
S2, a first request message is sent to a Domain Name System (DNS) server; the first request message is used for requesting to acquire a revoked digital certificate record corresponding to the domain name.
In some embodiments, a domain name system (domain name system, DNS) server stores a record of revoked digital certificates corresponding to domain names; the revoked digital certificate record corresponding to the domain name is obtained by the DNS server from the domain name owner.
In the embodiment of the disclosure, the storage and response logic of the DNS server in the related art is modified so that the DNS server supports storing the revoked certificate information corresponding to a domain name. Each domain name maintained within the DNS server has its own domain file (zone file), which is composed of a plurality of resource records. After receiving a query for a domain name, the DNS server looks up the content of the domain file corresponding to that domain name to obtain the records of the requested type, encapsulates them in a DNS response and returns it. The modification of the DNS server in this step therefore consists of two parts: first, defining a new DNS resource type to store the certificate revocation data corresponding to a domain name; second, enabling the DNS server to parse the corresponding resource records according to the new type definition and encapsulate them in a DNS response.
Fig. 2 is a DNS resource record sample provided in an embodiment of the present disclosure. The DNS resource record is named the TLSR record and records the revoked digital certificate information corresponding to the domain name. Specifically, the TLSR record defined in this step has three items. The first item is the selector, whose value may be 0 or 1: 0 means that the whole certificate is the input of the subsequent calculation, and 1 means that the public key is the input of the subsequent calculation. The second item is the matching type, whose value may be 0, 1 or 2: 0 means that the raw data selected by the previous item is matched directly; 1 means that the digest of the raw data selected by the previous item is first calculated with the SHA-256 algorithm and the result is matched; 2 means that the digest of the raw data selected by the previous item is first calculated with the SHA-512 algorithm and the result is matched. The third item is the specific data; in the sample shown in Fig. 2 it is the result of calculating the digital certificate with the SHA-256 algorithm.
When a domain name owner wishes to revoke a digital certificate, it may send a request to the domain name service provider. The request content includes the certificate data to be revoked, together with the selector and matching type to use when computing the TLSR record. After the domain name service provider obtains the TLSR record from the request content, it should update the domain file corresponding to the domain name in a timely manner.
In the embodiment of the disclosure, when the revoked digital certificate record corresponding to the domain name is stored in the DNS server, a first request message may be sent to the DNS server, where the first request message is used to request the revoked digital certificate record corresponding to the domain name.
S3, receiving a first response message sent by the DNS server, wherein the first response message comprises the revoked digital certificate record.
In the embodiment of the disclosure, after the first request message is sent to the DNS server, a first response message sent by the DNS server may be received, where the first response message includes the revoked digital certificate record.
Illustratively, when the browser accesses the domain name, it needs to send a request (first request message) for querying the TLSR record corresponding to the domain name to the DNS server, where the request content includes the domain name value and the DNS resource record type (i.e., TLSR). After receiving the request, the DNS server should query the domain file corresponding to the domain name, obtain all TLSR records corresponding to the domain name, and return the TLSR records as a TLSR response (first response message) to the browser.
When a browser accesses a website, it must first query DNS for the IP address corresponding to the domain name and then establish a connection with that IP address. Leaving caching aside, the browser has to query the DNS server for the IP address corresponding to the domain name in any case, so no user privacy is disclosed. In addition, the browser obtains the revoked digital certificate information submitted in advance by the domain name owner when it receives the DNS response, and it does not need to establish an additional connection with a third party during the TLS handshake to query the digital certificate status, which saves the delay of certificate status verification.
S4, determining the verification result of the digital certificate corresponding to the domain name according to the digital certificate corresponding to the domain name and the revoked digital certificate record.
In the embodiment of the disclosure, once the digital certificate corresponding to the domain name and the revoked digital certificate record have been determined, the verification result of the digital certificate corresponding to the domain name can be determined by comparing the digital certificate with the revoked digital certificate record.
In some embodiments, determining the verification result of the digital certificate corresponding to the domain name according to the digital certificate corresponding to the domain name and the revoked digital certificate record includes: if the digital certificate is in the revoked state in the revoked digital certificate record, determining that the digital certificate has been revoked as a result of the verification.
In the embodiment of the disclosure, according to the digital certificate corresponding to the domain name and the revoked digital certificate record, the verification result of the digital certificate corresponding to the domain name is determined, and in the case that the digital certificate is in a revoked state in the revoked digital certificate record, the verification result can be determined that the digital certificate has been revoked.
In some embodiments, if the digital certificate is in an unrevoked state in the revoked digital certificate record, determining a root certificate to be verified and an intermediate certificate to be verified, which correspond to the digital certificate; determining a revoked root certificate list and a revoked intermediate certificate list; and determining the verification result of the digital certificate corresponding to the domain name according to the to-be-verified root certificate and the to-be-verified intermediate certificate corresponding to the digital certificate, and the revoked root certificate list and the revoked intermediate certificate list.
In the embodiment of the disclosure, when the digital certificate is in an unrevoked state in the revoked digital certificate record, the root certificate to be verified and the intermediate certificate to be verified that correspond to the digital certificate can be determined, and the revoked root certificate list and the revoked intermediate certificate list can be determined. The verification result of the digital certificate corresponding to the domain name is then determined according to the to-be-verified root certificate and the to-be-verified intermediate certificate corresponding to the digital certificate, and the revoked root certificate list and the revoked intermediate certificate list.
In the disclosed embodiment, the revocation list maintained by the browser is similar to the CRLSet scheme used by the Google Chrome browser and the OneCRL scheme used by the Firefox browser in the current Web PKI system. The revoked root certificate list and the revoked intermediate certificate list contain entries for a plurality of revoked root certificates or intermediate certificates. Each entry contains the certificate serial number of the revoked certificate (root certificate or intermediate certificate), the point in time when the certificate was revoked, and the reason why the certificate was revoked.
The certificate serial number is the identifier of a certificate, so whether a certificate is in the list can be found by comparing serial numbers. Fig. 3 is an example of the certificate revocation list described in this step. It should be noted that the digital certificates issued to individual domain names are leaf nodes in the forest-like trust structure of Web PKI and are huge in number. If all revoked certificates were recorded directly in a certificate revocation list, a large amount of local storage space would be consumed and maintaining such a huge list would be very costly, so that approach is not practically feasible. Storing revocation lists of root certificates and intermediate certificates is considered a viable solution, but it has not received wide attention or implementation because of the various problems with certificate revocation mechanisms.
In the embodiment of the disclosure, the browser maintains a revoked root certificate list and a revoked intermediate certificate list, and can determine the corresponding root certificate and intermediate certificate according to the digital certificate.
In this case, the verification result of the digital certificate corresponding to the domain name may be determined according to the root certificate to be verified and the intermediate certificate to be verified, which correspond to the digital certificate, and the revoked root certificate list and the revoked intermediate certificate list.
In some embodiments, determining the verification result of the digital certificate corresponding to the domain name according to the root certificate to be verified and the intermediate certificate to be verified corresponding to the digital certificate, and the revoked root certificate list and the revoked intermediate certificate list includes: if the root certificate to be verified is in an unrevoked state in the revoked root certificate list and the intermediate certificate to be verified is in an unrevoked state in the revoked intermediate certificate list, determining that the verification result is that the digital certificate is not revoked; and if the root certificate to be verified is in the revoked state in the revoked root certificate list and/or the intermediate certificate to be verified is in the revoked state in the revoked intermediate certificate list, determining that the verification result is that the digital certificate is revoked.
In the embodiment of the disclosure, when the verification result of the digital certificate corresponding to the domain name is determined according to the root certificate to be verified and the intermediate certificate to be verified corresponding to the digital certificate, and the revoked root certificate list and the revoked intermediate certificate list, if the root certificate to be verified is in an unrevoked state in the revoked root certificate list and the intermediate certificate to be verified is in an unrevoked state in the revoked intermediate certificate list, it may be determined that the verification result is that the digital certificate is not revoked.
In the embodiment of the disclosure, when the verification result of the digital certificate corresponding to the domain name is determined according to the root certificate to be verified and the intermediate certificate to be verified corresponding to the digital certificate, and the revoked root certificate list and the revoked intermediate certificate list, if the root certificate to be verified is in a revoked state in the revoked root certificate list and/or the intermediate certificate to be verified is in a revoked state in the revoked intermediate certificate list, it may be determined that the verification result is that the digital certificate has been revoked.
It will be appreciated that the trust of a certificate is transferred from the root certificate to the leaf certificate (digital certificate) via an intermediate certificate. If a leaf certificate (digital certificate) is in a revoked state in the revoked digital certificate record, the digital certificate may be directly considered to be in a revoked state; otherwise, the browser is required to further verify the root certificate and the intermediate certificate that issued the leaf certificate (digital certificate). The browser queries the locally maintained revoked root certificate list and revoked intermediate certificate list and checks whether the queried certificate serial number is in the revoked list. If it is, the certificate has been revoked and the subsequent connection need not continue; otherwise the certificate may be considered to have passed the revocation check and its state is unrevoked. The browser may then proceed with other checks to confirm the validity of the certificate, such as whether the actual domain name matches the common name or the alternative names listed in the certificate.
According to the digital certificate revocation and verification device based on a DNS (Domain Name System) extension, certificate revocation data are stored by extending the DNS service, so that a domain name owner can revoke its own certificate in a timely manner, and the security risk caused by excessive dependence on a third-party CA is avoided; meanwhile, when the browser queries the certificate revocation state, no additional connection needs to be established, so the delay introduced by the browser checking the certificate state can be effectively reduced, and the risk of disclosing the user's privacy is avoided.
By implementing the embodiment of the disclosure, the domain name input by the user and the digital certificate corresponding to the domain name are obtained; a first request message is sent to a Domain Name System (DNS) server, the first request message being used to request the revoked digital certificate record corresponding to the domain name; a first response message sent by the DNS server is received, the first response message including the revoked digital certificate record; and the verification result of the digital certificate corresponding to the domain name is determined according to the digital certificate corresponding to the domain name and the revoked digital certificate record. Therefore, by extending the DNS service to store certificate revocation data, a domain name owner can revoke its own digital certificate in a timely manner, and the security risk caused by excessive dependence on a third-party CA is avoided; meanwhile, when the browser queries the certificate revocation state, no additional connection needs to be established, so the delay introduced by the browser checking the certificate state can be effectively reduced, and the risk of disclosing the user's privacy is avoided.
As shown in fig. 4, in some embodiments, S1, obtaining a digital certificate corresponding to a domain name includes:
S11, sending a second request message to the DNS server; the second request message is used for requesting to acquire the Internet Protocol (IP) address resolved by the domain name.
S12, receiving a second response message sent by the DNS server, wherein the second response message comprises an IP address.
S13, establishing transport layer security TLS connection with the IP address, carrying out TLS handshake and obtaining a digital certificate corresponding to the domain name.
In embodiments of the present disclosure, a second request message may be sent to the Domain Name System (DNS) server, requesting the Internet Protocol (IP) address to which the domain name resolves.
In this case, a second response message sent by the DNS server may be received, where the second response message includes the IP address.
Based on the above, a TLS connection can be established with the IP address, TLS handshake is performed, and a digital certificate corresponding to the domain name is obtained.
As shown in fig. 5, in the exemplary embodiment, in step S101, the storage and response logic of the authoritative DNS server needs to be modified to support storing the revoked certificate information corresponding to the domain name. Each domain name maintained within the authoritative DNS server has its own zone file, and the zone file consists of a plurality of resource records. After receiving a query for a certain domain name, the DNS server looks up the zone file content corresponding to the domain name to obtain the records of the requested type, encapsulates them into a DNS response, and returns it. Therefore, the modification of the DNS server in this step mainly comprises, first, defining a new DNS resource type to store the certificate revocation data corresponding to a domain name; and second, enabling the DNS server to parse the corresponding resource record according to the new type definition and encapsulate the record into a DNS response.
Fig. 2 is a sample DNS resource record as defined in this step. The DNS resource record defined in this step is named the TLSR record, and it records the revoked digital certificate information corresponding to the domain name. Specifically, the first item of the TLSR record is a selector, whose value may be 0 or 1: a value of 0 means that the whole certificate is used as the input of the subsequent calculation, and a value of 1 means that the public key is used as the input of the subsequent calculation. The second item is the matching type, whose value may be 0, 1 or 2: 0 means that the raw data selected by the previous item is matched directly; 1 means that the SHA-256 digest of the raw data selected by the previous item is calculated first and the result is matched; 2 means that the SHA-512 digest of the raw data selected by the previous item is calculated first and the result is matched. The third item is the specific data; the sample shown in fig. 2 is the result obtained by calculating the SHA-256 digest of the digital certificate.
When a domain name owner wishes to revoke a digital certificate, it may send a request to the domain name service provider; the request content includes the certificate data to be revoked and the selector and matching type to use when computing the TLSR record. After the domain name service provider obtains the TLSR record according to the request content, it should update the zone file corresponding to the domain name in a timely manner.
In step S102, the browser needs to maintain and store the lists of revoked root certificates and revoked intermediate certificates.
The revocation lists maintained by the browser in this step are similar to the CRLSet scheme used by the Google Chrome browser and the OneCRL scheme used by the Firefox browser in the current Web PKI system. The lists of revoked root certificates and intermediate certificates comprise a plurality of entries for revoked root certificates or intermediate certificates, each entry comprising the certificate serial number of the revoked certificate, the point in time at which the certificate was revoked, and the reason why the certificate was revoked. The certificate serial number is an identifier of the certificate, so whether a certificate is in a list can be determined by comparing serial numbers. Fig. 3 is an example of the certificate revocation list described in this step. It should be noted that the digital certificates issued to individual domain names are leaf nodes in the forest-like trust structure of the Web PKI, and their number is huge. If all revoked certificates were recorded directly in a certificate revocation list, a large amount of local storage space would be consumed and the cost of maintaining such a huge list would be very high, so that approach is not practically feasible. Storing revocation lists of root certificates and intermediate certificates is currently considered a viable solution, but it has not been widely valued or implemented because of the various problems with current certificate revocation mechanisms.
In step S103, the browser accesses the domain name and acquires digital certificate revocation information returned by the DNS server.
In this step, when the browser accesses the domain name, it needs to send the DNS server a request for the TLSR records corresponding to the domain name; the request content includes the domain name value and the DNS resource record type (i.e. TLSR). After receiving the request, the DNS server should look up the zone file corresponding to the domain name, obtain all TLSR records corresponding to the domain name, and return them to the browser as the TLSR response.
When a browser accesses a website, it must first query DNS for the IP address corresponding to the domain name and then establish a connection with that IP address. Leaving caching aside, the DNS server has to be queried for the IP address corresponding to the domain name in any case, so there is no disclosure of user privacy; meanwhile, the browser obtains the revoked digital certificate information submitted in advance by the domain name owner when it receives the DNS response, and no additional connection to a third party needs to be established during the TLS handshake to query the digital certificate state, which saves the delay of certificate state verification.
In step S104, the browser checks whether the certificate provided by the domain name during the TLS handshake is in the revoked certificate list returned by the DNS server.
Fig. 6 is a schematic flow chart of step S103 and step S104 combined together:
1. After the user enters the domain name, the browser sends a request (second request message) to the DNS server to query the A record of the domain name, i.e. the IP address to which the domain name resolves.
2. The browser simultaneously sends a request (first request message) to the DNS server to query the TLSR record of the domain name, that is, the revoked digital certificate record corresponding to the domain name.
3. The DNS server returns an A record response (second response message) for the domain name, that is, it informs the browser of the IP address to which the domain name corresponds.
4. The DNS server returns a TLSR record response (first response message) for the domain name, that is, it informs the browser of the list of revoked digital certificates corresponding to the domain name, which includes the SHA-256 digest of certificate C0.
5. The browser tries to establish a TLS connection with the IP address returned in step 1, and first performs a TLS handshake.
6. The domain name sends the browser the digital certificate C0, which is used to verify its identity.
7. The browser calculates the SHA-256 digest of C0, compares it with the data items in the TLSR record sent by the DNS server, and finds that the certificate has been revoked by the domain name holder.
8. The browser determines that the digital certificate used for the connection is in the revoked state and that it therefore cannot trust the identity of the other party, and it interrupts the connection with the website.
In step S105, the browser continues to locally query the revocation list of the root certificate and the intermediate certificate, resulting in a certificate revocation status.
As previously described, the trust of a certificate is transferred from the root certificate to the leaf certificate via the intermediate certificate. If the leaf certificate does not pass the check of step S103 to step S104, the certificate may be directly considered to be in the revoked state; otherwise, the browser is required to further verify the root certificate and the intermediate certificate that issued the leaf certificate. The browser queries the locally maintained lists of revoked root certificates and revoked intermediate certificates and checks whether the queried certificate serial number is in the revoked list. If it is, the certificate has been revoked and the subsequent connection need not continue; otherwise the certificate may be considered to have passed the revocation check and its state is unrevoked. The browser may then proceed with other checks to confirm the validity of the certificate, such as whether the actual domain name matches the common name or the alternative names listed in the certificate.
In the embodiment of the disclosure, certificate revocation data are stored by extending the DNS service, so that a domain name owner can revoke its own certificates in a timely manner, and the security risk caused by excessive dependence on a third-party CA is avoided; meanwhile, when the browser queries the certificate revocation state, no additional connection needs to be established, so the delay introduced by the browser checking the certificate state can be effectively reduced, and the risk of disclosing the user's privacy is avoided.
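The check described in steps S104 and S105 above, as an added Python example that is not part of the patent text: it builds and matches TLSR records using the selector and matching-type values defined for the record, then compares issuer serial numbers with the locally maintained lists. The `selector matching-type hex-data` text form, the `Cert` stand-in, the function names and all sample values are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Matching type -> transform applied to the selected data before comparison.
DIGESTS = {
    0: lambda raw: raw,                            # 0: match the raw data itself
    1: lambda raw: hashlib.sha256(raw).digest(),   # 1: match its SHA-256 digest
    2: lambda raw: hashlib.sha512(raw).digest(),   # 2: match its SHA-512 digest
}
DIGEST_LEN = {1: 32, 2: 64}


@dataclass(frozen=True)
class Cert:
    """Stand-in for a parsed X.509 certificate (assumption of this example)."""
    der: bytes        # encoding of the whole certificate (selector 0)
    spki_der: bytes   # encoding of its public key (selector 1)
    serial: int       # serial number, the key into the local revoked lists


def select(cert, selector):
    """Pick the input of the calculation according to the selector."""
    if selector == 0:
        return cert.der
    if selector == 1:
        return cert.spki_der
    raise ValueError(f"unknown selector {selector}")


def build_tlsr(cert, selector, matching_type):
    """Compute the record text a provider would store for a revocation request."""
    if matching_type not in DIGESTS:
        raise ValueError(f"unknown matching type {matching_type}")
    data = DIGESTS[matching_type](select(cert, selector))
    return f"{selector} {matching_type} {data.hex()}"


def parse_tlsr(rdata):
    """Parse 'selector matching-type hex-data' (text form assumed here)."""
    fields = rdata.split()
    if len(fields) < 3:
        raise ValueError("TLSR needs selector, matching type and data")
    selector, matching_type = int(fields[0]), int(fields[1])
    if selector not in (0, 1) or matching_type not in DIGESTS:
        raise ValueError("unknown selector or matching type")
    data = bytes.fromhex("".join(fields[2:]))
    if not data or len(data) != DIGEST_LEN.get(matching_type, len(data)):
        raise ValueError("data length does not fit the matching type")
    return selector, matching_type, data


def tlsr_matches(rdata, cert):
    """True if the certificate from the handshake is named by this record."""
    selector, matching_type, data = parse_tlsr(rdata)
    return DIGESTS[matching_type](select(cert, selector)) == data


def check_revocation(leaf, intermediate, root, tlsr_rdatas,
                     revoked_intermediates, revoked_roots):
    """Return (revoked, reason): TLSR check first, then the local lists."""
    for rdata in tlsr_rdatas:
        try:
            if tlsr_matches(rdata, leaf):
                return True, "leaf certificate listed in TLSR record"
        except ValueError:
            continue  # policy of this example: skip records that do not parse
    # Local lists map serial number -> (revocation time, reason).
    for name, cert, revoked in (("intermediate", intermediate, revoked_intermediates),
                                ("root", root, revoked_roots)):
        if cert.serial in revoked:
            when, why = revoked[cert.serial]
            return True, f"{name} certificate revoked at {when}: {why}"
    return False, "not revoked"


# Constructed sample data: placeholder byte strings, not real certificates.
LEAF_C0 = Cert(b"constructed-leaf-C0", b"constructed-key-C0", 0x1001)
LEAF_C1 = Cert(b"constructed-leaf-C1", b"constructed-key-C1", 0x1002)
INTERMEDIATE = Cert(b"constructed-intermediate", b"constructed-key-int", 0x2001)
ROOT = Cert(b"constructed-root", b"constructed-key-root", 0x3001)
TLSR_RESPONSE = [build_tlsr(LEAF_C0, 0, 1)]   # owner revoked C0 by SHA-256 digest
REVOKED_INTERMEDIATES = {0x2001: ("2023-01-01T00:00:00Z", "key compromise")}

if __name__ == "__main__":
    print(check_revocation(LEAF_C0, INTERMEDIATE, ROOT, TLSR_RESPONSE, {}, {}))
    print(check_revocation(LEAF_C1, INTERMEDIATE, ROOT, TLSR_RESPONSE, {}, {}))
    print(check_revocation(LEAF_C1, INTERMEDIATE, ROOT, TLSR_RESPONSE,
                           REVOKED_INTERMEDIATES, {}))
```

A real client would fill `Cert` from the certificates received in the TLS handshake; whether an unparseable TLSR record should be skipped or treated as a failure is a policy decision the text above does not settle.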
In order to realize the above-described embodiment, as shown in fig. 7, there is also provided a digital certificate verification apparatus 1 in the present embodiment, which includes an information acquisition unit 11, a request transmission unit 12, a response reception unit 13, and a verification processing unit 14.
The information obtaining unit 11 is configured to obtain a domain name input by a user and a digital certificate corresponding to the domain name.
A request sending unit 12, configured to send a first request message to a domain name system DNS server; the first request message is used for requesting to acquire a revoked digital certificate record corresponding to the domain name.
And the response receiving unit 13 is configured to receive a first response message sent by the DNS server, where the first response message includes the revoked digital certificate record.
The verification processing unit 14 is configured to determine a verification result of the digital certificate corresponding to the domain name according to the digital certificate corresponding to the domain name and the revoked digital certificate record.
As shown in fig. 8, in some embodiments, the information acquisition unit 11 includes:
a message sending module 111, configured to send a second request message to the DNS server; the second request message is used for requesting to acquire the Internet Protocol (IP) address resolved by the domain name.
The message receiving module 112 is configured to receive a second response message sent by the DNS server, where the second response message includes an IP address.
The information obtaining module 113 is configured to establish a transport layer security TLS connection with the IP address, perform TLS handshake, and obtain a digital certificate corresponding to the domain name.
In some embodiments, the verification processing unit 14 is further configured to determine that the verification result is that the digital certificate has been revoked if the digital certificate is in a revoked state in the revoked digital certificate record.
In some embodiments, the verification processing unit 14 is further configured to determine a root certificate to be verified and an intermediate certificate to be verified corresponding to the digital certificate if the digital certificate is in an unrevoked state in the revoked digital certificate record; determine a revoked root certificate list and a revoked intermediate certificate list; and determine the verification result of the digital certificate corresponding to the domain name according to the root certificate to be verified and the intermediate certificate to be verified corresponding to the digital certificate, and the revoked root certificate list and the revoked intermediate certificate list.
In some embodiments, the verification processing unit 14 is further configured to determine that the verification result is that the digital certificate is not revoked if the root certificate to be verified is in an unrevoked state in the revoked root certificate list and the intermediate certificate to be verified is in an unrevoked state in the revoked intermediate certificate list; and if the root certificate to be verified is in the revoked state in the revoked root certificate list and/or the intermediate certificate to be verified is in the revoked state in the revoked intermediate certificate list, determine that the verification result is that the digital certificate is revoked.
In some embodiments, a revoked digital certificate record corresponding to the domain name is stored in the DNS server; the revoked digital certificate record corresponding to the domain name is obtained by the DNS server from the domain name owner.
It should be understood that the division of the above apparatus into modules is merely a division by logical function; in an actual implementation the modules may be fully or partially integrated into one physical entity or may be physically separate. These modules may all be implemented as software called by a processing element, or all in hardware; alternatively, some modules may be implemented as software called by a processing element and others in hardware. For example, the information acquiring unit 11 may be a separately provided processing element, may be integrated in a chip of the above-described apparatus, or may be stored in a memory of the above-described apparatus in the form of program code, with the functions of the information acquiring unit 11 called and executed by a processing element of the apparatus. The implementation of the other modules is similar. In addition, all or part of the modules can be integrated together or implemented independently. The processing element here may be an integrated circuit with signal processing capabilities. In implementation, each step of the above method or each module above may be implemented by an integrated logic circuit of hardware in a processor element or by instructions in software form.
The device of the foregoing embodiment is configured to implement the corresponding digital certificate verification method in any of the foregoing embodiments and has the beneficial effects of the corresponding method embodiment, which are not repeated here.
Based on the same inventive concept, the present disclosure also provides an electronic device corresponding to the method of any embodiment, including a memory, a processor, and a computer program stored on the memory and capable of running on the processor, where the processor implements the digital certificate verification method of any embodiment when executing the program.
Fig. 9 shows a more specific hardware architecture of an electronic device according to this embodiment, where the device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 implement communication connections therebetween within the device via a bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), microprocessor, application specific integrated circuit (Application Specific Integrated Circuit, ASIC), or one or more integrated circuits, etc. for executing relevant programs to implement the technical solutions provided in the embodiments of the present disclosure.
The memory 1020 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. Memory 1020 may store an operating system and other application programs, and when the embodiments of the present specification are implemented in software or firmware, the associated program code is stored in memory 1020 and executed by processor 1010.
The input/output interface 1030 is used to connect with an input/output module for inputting and outputting information. The input/output module may be configured as a component in a device (not shown) or may be external to the device to provide corresponding functionality. Wherein the input devices may include a keyboard, mouse, touch screen, microphone, various types of sensors, etc., and the output devices may include a display, speaker, vibrator, indicator lights, etc.
Communication interface 1040 is used to connect communication modules (not shown) to enable communication interactions of the present device with other devices. The communication module may implement communication through a wired manner (such as USB, network cable, etc.), or may implement communication through a wireless manner (such as mobile network, WIFI, bluetooth, etc.).
Bus 1050 includes a path for transferring information between components of the device (e.g., processor 1010, memory 1020, input/output interface 1030, and communication interface 1040).
The embodiment of the disclosure also provides a chip for executing the instruction, which is used for executing the technical scheme of the digital certificate verification method in the embodiment.
The embodiment of the disclosure also provides a computer readable storage medium, in which computer instructions are stored, which when run on a computer, cause the computer to execute the technical scheme of the digital certificate verification method of the above embodiment.
The embodiment of the present disclosure also provides a computer program product, where the computer program product includes a computer program, where the computer program is stored in a computer readable storage medium, and at least one processor may read the computer program from the computer readable storage medium, and the technical solution of the digital certificate verification method in the foregoing embodiment may be implemented when the at least one processor executes the computer program.
In the description of the present specification, a description referring to the terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present disclosure. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification and the features of the different embodiments or examples may be combined by those skilled in the art without contradiction.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present disclosure, the meaning of "a plurality" is at least two, such as two, three, etc., unless explicitly specified otherwise.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and additional implementations are included within the scope of the preferred embodiment of the present disclosure in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the embodiments of the present disclosure.
Logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer readable medium may even be paper or other suitable medium on which the program is printed, as the program may be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.
It should be understood that portions of the present disclosure may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. If implemented in hardware, as in another embodiment, they may be implemented using any one or a combination of the following techniques, which are well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application specific integrated circuits having suitable combinational logic gates, Programmable Gate Arrays (PGAs), Field Programmable Gate Arrays (FPGAs), and the like.
Those of ordinary skill in the art will appreciate that all or a portion of the steps carried out in the method of the above-described embodiments may be implemented by a program to instruct related hardware, where the program may be stored in a computer readable storage medium, and where the program, when executed, includes one or a combination of the steps of the method embodiments.
Furthermore, each functional unit in the embodiments of the present disclosure may be integrated in one processing module, or each unit may exist alone physically, or two or more units may be integrated in one module. The integrated modules may be implemented in hardware or in software functional modules. The integrated modules may also be stored in a computer readable storage medium if implemented in the form of software functional modules and sold or used as a stand-alone product.
The above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, or the like. Although embodiments of the present disclosure have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the present disclosure, and that changes, modifications, substitutions, and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the present disclosure.

Claims (9)

1. A digital certificate verification method, comprising:
acquiring a domain name input by a user and a digital certificate corresponding to the domain name;
sending a first request message to a Domain Name System (DNS) server; the first request message is used for requesting to acquire a revoked digital certificate record corresponding to the domain name; receiving a first response message sent by the DNS server, wherein the first response message comprises the revoked digital certificate record;
determining a verification result of the digital certificate corresponding to the domain name according to the digital certificate corresponding to the domain name and the revoked digital certificate record;
the method further comprises the steps of:
modifying the storage and response logic of the DNS server and defining a new DNS resource record type, named the TLSR record, to store digital certificate revocation data corresponding to the domain name, wherein the first item of the TLSR record is a selector whose value is 0 or 1, where 0 indicates that the whole certificate is used as the input of the subsequent calculation and 1 indicates that the public key is used as the input of the subsequent calculation; the second item is a matching type whose value is 0, 1 or 2, where 0 indicates that the raw data selected by the previous item is matched directly, 1 indicates that a digest of the raw data selected by the previous item is first computed with the SHA-256 algorithm and the result is matched, and 2 indicates that a digest of the raw data selected by the previous item is first computed with the SHA-512 algorithm and the result is matched; the third item is the specific data;
when a domain name owner revokes a digital certificate, a request is sent to the domain name service provider, the content of the request comprising the certificate data to be revoked and the selector and matching type to be used when calculating the TLSR record;
the method further comprises the steps of:
if the digital certificate is in an unrevoked state in the revoked digital certificate record, determining a root certificate to be verified and an intermediate certificate to be verified that correspond to the digital certificate;
determining a locally maintained revoked root certificate list and a revoked intermediate certificate list through a browser;
and determining the verification result of the digital certificate corresponding to the domain name according to the to-be-verified root certificate and the to-be-verified intermediate certificate corresponding to the digital certificate, and the revoked root certificate list and the revoked intermediate certificate list.
2. The method according to claim 1, wherein the obtaining the digital certificate corresponding to the domain name includes:
sending a second request message to the DNS server; the second request message is used for requesting to acquire the Internet Protocol (IP) address resolved by the domain name;
receiving a second response message sent by the DNS server, wherein the second response message comprises the IP address;
and establishing a Transport Layer Security (TLS) connection with the IP address, performing a TLS handshake, and obtaining the digital certificate corresponding to the domain name.
3. The method according to claim 1 or 2, wherein the determining the verification result of the digital certificate corresponding to the domain name according to the digital certificate corresponding to the domain name and the revoked digital certificate record includes:
if the digital certificate is in a revoked state in the revoked digital certificate record, determining that the verification result is that the digital certificate has been revoked.
4. The method according to claim 1, wherein the determining the verification result of the digital certificate corresponding to the domain name according to the root certificate to be verified and the intermediate certificate to be verified corresponding to the digital certificate, and the revoked root certificate list and the revoked intermediate certificate list includes:
if the root certificate to be verified is in an unrevoked state in the revoked root certificate list and the intermediate certificate to be verified is in an unrevoked state in the revoked intermediate certificate list, determining that the verification result is that the digital certificate has not been revoked;
and if the root certificate to be verified is in a revoked state in the revoked root certificate list and/or the intermediate certificate to be verified is in a revoked state in the revoked intermediate certificate list, determining that the verification result is that the digital certificate has been revoked.
5. The method of claim 1, wherein the DNS server stores the revoked digital certificate record corresponding to the domain name; the revoked digital certificate record corresponding to the domain name is obtained by the DNS server from the domain name owner.
6. A digital certificate verification apparatus, comprising:
the information acquisition unit is used for acquiring a domain name input by a user and a digital certificate corresponding to the domain name;
a request sending unit, configured to send a first request message to a domain name system DNS server; the first request message is used for requesting to acquire a revoked digital certificate record corresponding to the domain name;
a response receiving unit, configured to receive a first response message sent by the DNS server, where the first response message includes the revoked digital certificate record;
the verification processing unit is used for determining a verification result of the digital certificate corresponding to the domain name according to the digital certificate corresponding to the domain name and the revoked digital certificate record;
the request sending unit is further configured to:
modifying the storage and response logic of the DNS server and defining a new DNS resource record type, named the TLSR record, to store digital certificate revocation data corresponding to the domain name, wherein the first item of the TLSR record is a selector whose value is 0 or 1, where 0 indicates that the whole certificate is used as the input of the subsequent calculation and 1 indicates that the public key is used as the input of the subsequent calculation; the second item is a matching type whose value is 0, 1 or 2, where 0 indicates that the raw data selected by the previous item is matched directly, 1 indicates that a digest of the raw data selected by the previous item is first computed with the SHA-256 algorithm and the result is matched, and 2 indicates that a digest of the raw data selected by the previous item is first computed with the SHA-512 algorithm and the result is matched; the third item is the specific data;
when a domain name owner revokes a digital certificate, a request is sent to the domain name service provider, the content of the request comprising the certificate data to be revoked and the selector and matching type to be used when calculating the TLSR record;
the verification processing unit is further configured to:
if the digital certificate is in an unrevoked state in the revoked digital certificate record, determining a root certificate to be verified and an intermediate certificate to be verified that correspond to the digital certificate;
determining a locally maintained revoked root certificate list and a revoked intermediate certificate list through a browser;
and determining the verification result of the digital certificate corresponding to the domain name according to the to-be-verified root certificate and the to-be-verified intermediate certificate corresponding to the digital certificate, and the revoked root certificate list and the revoked intermediate certificate list.
7. The apparatus according to claim 6, wherein the information acquisition unit includes:
a message sending module, configured to send a second request message to the DNS server; the second request message is used for requesting to acquire the Internet Protocol (IP) address resolved by the domain name;
the message receiving module is used for receiving a second response message sent by the DNS server, wherein the second response message comprises the IP address;
and an information acquisition module, configured to establish a Transport Layer Security (TLS) connection with the IP address, perform a TLS handshake, and obtain the digital certificate corresponding to the domain name.
8. An electronic device, comprising: a processor, and a memory communicatively coupled to the processor;
the memory stores computer-executable instructions;
the processor executes computer-executable instructions stored in the memory to implement the method of any one of claims 1 to 5.
9. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor are adapted to carry out the method of any one of claims 1 to 5.
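The TLSR matching of claim 1 and the chain fallback of claim 4, sketched as an added example that is not code from the patent. The text form `<selector> <matching type> <hex data>`, the use of DER certificate bytes and SubjectPublicKeyInfo bytes as the "whole certificate" and "public key" inputs, SHA-256 fingerprints for the locally maintained lists, and all sample values are assumptions made here.

```python
import hashlib
from typing import NamedTuple

class TLSR(NamedTuple):
    selector: int       # 0 = whole certificate, 1 = public key
    matching_type: int  # 0 = raw data, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes         # third item of the record, the "specific data"

DIGESTS = {0: lambda raw: raw,
           1: lambda raw: hashlib.sha256(raw).digest(),
           2: lambda raw: hashlib.sha512(raw).digest()}

def tlsr_data(selector, matching_type, cert, pubkey) -> bytes:
    """Apply the selector, then the matching type, as claim 1 describes."""
    if selector not in (0, 1) or matching_type not in DIGESTS:
        raise ValueError("selector must be 0/1 and matching type 0/1/2")
    return DIGESTS[matching_type](cert if selector == 0 else pubkey)

def parse_tlsr(text: str) -> TLSR:
    """Parse the assumed text form '<selector> <matching type> <hex data>'."""
    sel, mtype, hexdata = text.split(maxsplit=2)
    rec = TLSR(int(sel), int(mtype), bytes.fromhex(hexdata))
    tlsr_data(rec.selector, rec.matching_type, b"", b"")  # rejects bad field values
    want = {1: 32, 2: 64}.get(rec.matching_type)
    if want is not None and len(rec.data) != want:
        raise ValueError("digest length does not fit the matching type")
    return rec

def owner_record(selector, matching_type, cert, pubkey) -> str:
    """Owner side: the record text sent to the DNS provider when revoking."""
    data = tlsr_data(selector, matching_type, cert, pubkey)
    return f"{selector} {matching_type} {data.hex()}"

def leaf_revoked(records, cert, pubkey) -> bool:
    """True if any TLSR record for the domain matches the presented certificate."""
    return any(tlsr_data(r.selector, r.matching_type, cert, pubkey) == r.data
               for r in records)

def verify(records, cert, pubkey, root, intermediate,
           revoked_roots, revoked_intermediates) -> str:
    if leaf_revoked(records, cert, pubkey):
        return "revoked"
    fp = lambda der: hashlib.sha256(der).hexdigest()  # assumed list key
    if fp(root) in revoked_roots or fp(intermediate) in revoked_intermediates:
        return "revoked"
    return "not revoked"

# Constructed sample bytes standing in for DER certificates and public keys.
OLD_CERT, OLD_KEY = b"constructed DER: old leaf", b"constructed SPKI: old key"
NEW_CERT, NEW_KEY = b"constructed DER: new leaf", b"constructed SPKI: new key"
ROOT, INTERMEDIATE = b"constructed DER: root", b"constructed DER: intermediate"
RECORDS = [parse_tlsr(owner_record(1, 1, OLD_CERT, OLD_KEY))]
```

With selector 1, a certificate reissued over the same key still matches the record, whereas a selector 0 record covers only the exact certificate that was revoked.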

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310406133.8A CN116455633B (en) 2023-04-17 2023-04-17 Digital certificate verification method and device, electronic equipment and storage medium


Publications (2)

Publication Number Publication Date
CN116455633A (en) 2023-07-18
CN116455633B (en) 2024-01-30

Family

ID=87119741


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant