WO2017000676A1 - Method for verifying the validity of digital certificate and authentication server therefor

Publication number: WO2017000676A1
Application number: PCT/CN2016/081665 (also cited as CN2016081665W)
Authority: WIPO (PCT)
Priority: Chinese patent application 201510381509.X, filed 2 July 2015 (as stated in the description below)
Other languages: French (fr), Chinese (zh)
Prior art keywords: digital certificate, verification, format, whitelist, revocation status
Inventors: 胡亚楠 (Hu Yanan), 赖晓龙 (Lai Xiaolong), 李少锋 (Li Shaofeng), 张伟 (Zhang Wei), 颜湘 (Yan Xiang)
Applicant and original assignee: 西安西电捷通无线网络通信股份有限公司 (China IWNCOMM Co., Ltd.)

Classifications (CPC)

    • H04L9/40 Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 ... involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements
    • H04L9/3268 ... using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates


Abstract

Provided is a method for verifying the validity of a digital certificate, which falls within the technical field of network security and solves the technical problem that the current method for verifying a digital certificate does not facilitate extension. The method relates to an authentication server comprising a message receiving module and a digital certificate verification module, wherein a verification scheme configuration unit is provided in the digital certificate verification module and sets a configuration so as to configure a verification scheme for verifying the validity of a digital certificate; the message receiving module receives a digital certificate authentication request message containing a digital certificate content, and submits the received digital certificate content to the digital certificate verification module for verification; if the verification of the validity of the digital certificate according to the selected verification scheme cannot be passed, it is determined that the verification of the validity of the digital certificate has failed; otherwise, it is determined that the verification of the validity of the digital certificate has succeeded. The method realizes the extension of a digital certificate verification scheme. Correspondingly, also provided is an authentication server.

Description

Method for verifying the validity of a digital certificate and authentication server therefor

This application claims priority to Chinese patent application No. 201510381509.X, filed with the Chinese Patent Office on 2 July 2015 and entitled "A method for verifying the validity of digital certificates and its authentication server", the entire content of which is incorporated herein by reference.

Technical field

The present invention relates to the field of network security, and in particular to a method for verifying the validity of a digital certificate and an authentication server therefor.

Background

At present, in a WLAN based on the WLAN Authentication and Privacy Infrastructure (WAPI) protocol, the authentication service entity (ASE), on receiving a certificate authentication request, verifies only whether the received digital certificate has the correct format and whether it has been revoked. That verification involves expensive cryptographic operations, such as checking the digital signature on the certificate, and consumes considerable computing resources. An attacker who collects an arbitrary invalid certificate and sends it to the ASE repeatedly can therefore tie up a large share of the ASE's computing resources and time, forming an effective denial-of-service (DoS) attack that prevents other legitimate users from communicating with the ASE. At the same time, because the verification does not check whether the certificate is being used within the scope of business that the issuer defined when it issued the certificate, an attacker may use a certificate legitimately authorized for one domain in another, unauthorized domain, causing a security incident.

In short, current digital certificate verification methods are relatively fixed and monolithic, give no thought to how they are to be extended later, and carry a certain security risk.
Summary of the invention

To solve the above technical problem, the present invention provides the following technical solutions:

A method for verifying the validity of a digital certificate, the method involving an authentication server that comprises a message receiving module and a digital certificate verification module, wherein a verification scheme configuration unit is provided in the digital certificate verification module and performs configuration settings so as to configure verification schemes for verifying the validity of a digital certificate;

the message receiving module receives a digital certificate authentication request message containing digital certificate content, and submits the received digital certificate content to the digital certificate verification module for verification; the digital certificate verification module selects, according to the verification requirement, the corresponding verification scheme from the schemes configured in the verification scheme configuration unit and carries out the specific verification process;

if the validity of the digital certificate cannot be verified under the selected verification scheme, the validity verification of the digital certificate is determined to have failed; otherwise it is determined to have succeeded.

The present invention also provides an authentication server for verifying the validity of a digital certificate, comprising a message receiving module and a digital certificate verification module, characterized in that the digital certificate verification module comprises a verification scheme configuration unit;

the message receiving module is configured to receive digital certificate authentication request packets;

the verification scheme configuration unit is configured to configure verification schemes for verifying the validity of a digital certificate.

The technical solution provided by the invention greatly reduces the complexity of adding and removing verification schemes on the authentication server. The verification scheme configuration unit gives the authentication server effective configuration and control where several verification schemes are involved, and makes it straightforward to extend, modify and delete schemes. In addition, verifying a certificate with a selected, pre-configured scheme improves the efficiency of certificate verification.
Brief description of the drawings

Figure 1 is a schematic flow chart of the method provided by the invention;
Figure 2 is a schematic flow chart of Embodiment 1 of the invention;
Figure 3 is a schematic flow chart of Embodiment 2 of the invention;
Figure 4 is a schematic flow chart of Embodiment 3 of the invention;
Figure 5 is a schematic diagram of the network topology of an embodiment of the invention;
Figure 6 is a schematic structural diagram of the authentication server provided by an embodiment of the invention.
Detailed description

The method for verifying the validity of a digital certificate and the authentication server provided by the invention are described in more detail below with reference to the drawings and embodiments.

As shown in Figures 1 and 6, the method provided by the invention involves an authentication server comprising a message receiving module and a digital certificate verification module, and comprises the following steps:

S100: a verification scheme configuration unit is provided in the digital certificate verification module and performs configuration settings so as to configure verification schemes for verifying the validity of a digital certificate;

S200: the message receiving module receives a digital certificate authentication request message containing digital certificate content and submits the received content to the digital certificate verification module for verification; the verification module selects, according to the verification requirement, the corresponding scheme from those configured in the verification scheme configuration unit and carries out the specific verification process;

S300: if the validity of the digital certificate cannot be verified under the selected scheme, validity verification is determined to have failed; otherwise it is determined to have succeeded.

Preferably, the authentication server may further comprise a digital certificate parsing module for parsing the digital certificate authentication request packet to obtain the digital certificate content.

Preferably, the configuration setting consists of creating a verification scheme database table with a verification item field and a switch value field. The verification item field identifies a verification scheme, and a scheme is enabled or disabled through its switch value: when the switch value is "on" the scheme is enabled; when it is "off" the scheme is not enabled.

Preferably, the verification scheme of S100 may be a combination of at least any two of the following: whitelist verification, blacklist verification, digital certificate format and revocation status verification, and digital certificate use scope verification. The schemes are set by the verification scheme configuration unit through the verification scheme configuration database table, so a configuration unit set up with these schemes further comprises a whitelist verification sub-unit, a blacklist verification sub-unit, a format and revocation status verification sub-unit and a use scope verification sub-unit. "Use scope" refers to whether the issuer of the digital certificate was entitled to issue certificates for a given scope of use, how far the issuer is trusted within that scope, or whether the certificate itself was restricted to a given scope of use when it was issued. The configuration unit also holds a switch value determining whether each verification sub-unit is enabled; typically a switch value of 1 means enabled and 0 means disabled. The configuration unit is able to create the verification scheme configuration database table, to add and delete verification schemes, and to configure them.

Specifically, as shown in Table 1, the verification scheme configuration unit creates a verification scheme configuration database table with a sequence number field, a verification item field and a switch value field. The sequence number field is the primary key and auto-increments; it can be used to identify the execution order of the corresponding verification scheme (1 for the first verification, 2 for the second, and so on). The verification item field identifies a digital certificate verification scheme supported by the configuration unit, and the scheme a row identifies can be moved to the position (sequence number) that the verification order required by the local verification policy dictates.
Seq.   Verification item                                                Switch value
1      Whitelist verification                                           0 or 1
2      Blacklist verification                                           0 or 1
3      Digital certificate format and revocation status verification    0 or 1
4      Digital certificate use scope verification                       0 or 1
...    ...                                                              ...
Table 1
Preferably, the database table may further include a verification order field (in which case the sequence number field is merely a row identifier), as shown in Table 2: priority values such as 1, 2, 3 configured in the verification order field identify the execution order of the corresponding verification schemes.
[Table 2 is reproduced on the page only as an image (PCTCN2016081665-appb-000001); it has the columns of Table 1 plus a verification order field.]
Table 2
The digital certificate verification scheme may specifically be a combination of at least any two of whitelist verification, blacklist verification, digital certificate format and revocation status verification, and digital certificate use scope verification; that is, the verification scheme configuration unit further comprises a whitelist verification sub-unit, a blacklist verification sub-unit, a format and revocation status verification sub-unit and a use scope verification sub-unit. The switch value field states whether the scheme identified by the verification item field is enabled. The specific schemes identified in the verification item field of the configuration table can be flexibly added, modified and deleted, and the value of each switch value field indicates whether the corresponding scheme is enabled. Which value means "enabled" is a local convention: 0 may denote enabled and 1 disabled, or equally 1 enabled and 0 disabled; the invention places no restriction on the choice, but the server must apply one convention consistently.

Preferably, the configuration setting may also be made in XML. That is, the verification scheme configuration unit exists as an XML configuration file containing a sequence number element, a verification item element, a verification order element and a switch value element. The switch value element determines whether the corresponding verification sub-unit is enabled (typically 1 = enabled, 0 = disabled), and the configuration unit adds, modifies and deletes schemes by editing the elements of the XML file. An example of such a configuration file follows:
<!-- element names translated from the original: 序号 = seq, 验证项目 = verification_item,
     验证顺序 = verification_order, 开关值 = switch_value; "0 or 1" stands for whichever switch value is configured -->
<item>
    <seq>1</seq>
    <verification_item>Whitelist verification</verification_item>
    <verification_order>2</verification_order>
    <switch_value>0 or 1</switch_value>
</item>
<item>
    <seq>2</seq>
    <verification_item>Blacklist verification</verification_item>
    <verification_order>3</verification_order>
    <switch_value>0 or 1</switch_value>
</item>
<item>
    <seq>3</seq>
    <verification_item>Digital certificate format and revocation status verification</verification_item>
    <verification_order>4</verification_order>
    <switch_value>0 or 1</switch_value>
</item>
<item>
    <seq>4</seq>
    <verification_item>Digital certificate use scope verification</verification_item>
    <verification_order>1</verification_order>
    <switch_value>0 or 1</switch_value>
</item>
The invention thus uses the configuration settings of the verification schemes to achieve effective configuration and control of several verification schemes in the authentication server; configuring the schemes through the verification scheme configuration unit makes it easy to add, modify and delete the server's verification schemes flexibly.

The specific implementation of the invention is described in detail below, with reference to Figures 2, 3, 4 and 5, for the case where the verification schemes are configured through a database table.

Embodiment 1

As shown in Figures 2 and 5, the digital certificate use scope verification sub-unit and the digital certificate format and revocation status verification sub-unit are enabled in the verification scheme configuration unit. The verification proceeds as follows, taking the WAPI network architecture as an example. When the message receiving module receives the digital certificate authentication request packet sent by the access point (AP), the digital certificate parsing module parses the packet to obtain the digital certificate content and submits it to the digital certificate verification module, where the use scope verification sub-unit runs first. Specifically, the use scope verification sub-unit creates a digital certificate use scope table, shown as Table 3, with a sequence number field, a digital certificate identifier field and a use scope field. The sequence number field is the primary key and auto-increments; the digital certificate identifier field holds the identifier of the certificate, which may be the combination of the certificate serial number and the issuer name taken from the certificate, or the serial number alone. (A serial number is unique only within one issuer, so the serial-number-plus-issuer form is the unambiguous identifier when the server accepts certificates from more than one issuer.)
Seq.   Digital certificate identifier               Use scope
1      Certificate serial number 1 + issuer name    Scope 1 / Scope 2 / Scope 3 / Scope 4 ...
2      Certificate serial number 2 + issuer name    Scope 1 / Scope 2 / Scope 3 / Scope 4 ...
3      Certificate serial number 3 + issuer name    Scope 1 / Scope 2 / Scope 3 / Scope 4 ...
4      Certificate serial number 4 + issuer name    Scope 1 / Scope 2 / Scope 3 / Scope 4 ...
...    ...                                          ...
Table 3
The use scope verification sub-unit may run an SQL query against the use scope field to determine whether the scope in which the certificate is being used is recorded there, and decide from the query's return value;

if the query finds that the digital certificate in the authentication request packet is being used within the use scope set when the certificate was issued, the sub-unit reports use scope verification as successful; otherwise it reports failure. Use scope records may be added or deleted; the information from which the authentication server adds or deletes them may come from the certificate issuing entity, a network administrator or elsewhere, and the invention places no restriction on this.

In other words, if the use scope verification sub-unit determines that the certificate in the authentication request packet does not conform to the use scope set at issuance, the verification module's result is failure, and the message sending module constructs a certificate authentication response packet and sends it to the AP to report the verification result or the scope within which the certificate should be used; if the sub-unit determines that the certificate conforms to the scope set at issuance, verification continues with the next step.
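The configuration unit and the ordered, switch-driven execution it controls (Tables 1 and 2 and the XML configuration above), together with the use scope lookup of Table 3, can be implemented as follows. This is an added illustration in Go and is not code from the patent or from its applicant. It assumes: the page's XML example wrapped in a <config> root with the element names translated; constructed sample rows for the whitelist, blacklist, use scope and revocation tables; that the use scope the station is claiming arrives with the request (the patent does not say where it comes from); and that the format and revocation status item is reduced to a revocation lookup with a counter, so that the effect of execution order on how often the expensive item is reached is visible.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Verification item names as they appear in the configuration (translated from the page).
const (
	ItemWhitelist        = "Whitelist verification"
	ItemBlacklist        = "Blacklist verification"
	ItemFormatRevocation = "Digital certificate format and revocation status verification"
	ItemScope            = "Digital certificate use scope verification"
)

// CertContent is what the parsing module extracts from the request; Scope is the
// use scope the station claims (assumed to be carried in the request).
type CertContent struct{ Serial, Issuer, Scope string }

// SchemeItem is one <item> of the XML configuration (the columns of Table 2).
type SchemeItem struct {
	Seq    int    `xml:"seq"`
	Item   string `xml:"verification_item"`
	Order  int    `xml:"verification_order"`
	Switch int    `xml:"switch_value"` // 1 = enabled, 0 = disabled (this example's convention)
}

type SchemeConfig struct {
	Items []SchemeItem `xml:"item"`
}

// Check is one verification item; nil means the certificate passed it.
type Check func(c *CertContent) error

// Server holds the item registry and the lookup tables the checks consult.
type Server struct {
	Registry       map[string]Check
	Whitelist      map[string]bool
	Blacklist      map[string]bool
	Scopes         map[string]string // Table 3: "serial+issuer" -> "scope 1/scope 2/..."
	Revoked        map[string]bool
	ExpensiveCalls int // how often the costly format/revocation item was reached
}

// certKey identifies a certificate by serial number and issuer, as Table 3 does.
func certKey(c *CertContent) string { return c.Serial + "+" + c.Issuer }

func NewServer() *Server {
	s := &Server{ // constructed sample rows, not real data
		Whitelist: map[string]bool{"1001+CA-A": true},
		Blacklist: map[string]bool{"1002+CA-A": true},
		Scopes:    map[string]string{"1001+CA-A": "scope 1/scope 2", "1002+CA-A": "scope 3", "1003+CA-A": "scope 1"},
		Revoked:   map[string]bool{"1003+CA-A": true},
	}
	s.Registry = map[string]Check{ItemWhitelist: s.whitelist, ItemBlacklist: s.blacklist,
		ItemFormatRevocation: s.formatAndRevocation, ItemScope: s.scope}
	return s
}

func (s *Server) whitelist(c *CertContent) error {
	if s.Whitelist[certKey(c)] { return nil }
	return errors.New("certificate is not on the whitelist")
}

func (s *Server) blacklist(c *CertContent) error {
	if s.Blacklist[certKey(c)] { return errors.New("certificate is on the blacklist") }
	return nil
}

// scope is the Table 3 lookup: the claimed scope must be one of the '/'-separated
// scopes recorded for this serial+issuer (the SQL query in the text).
func (s *Server) scope(c *CertContent) error {
	row, ok := s.Scopes[certKey(c)]
	if !ok { return errors.New("no use-scope record for this certificate") }
	for _, allowed := range strings.Split(row, "/") {
		if allowed == c.Scope { return nil }
	}
	return fmt.Errorf("scope %q not permitted; issued for %s", c.Scope, row)
}

// formatAndRevocation stands in for the expensive item: only the revocation
// lookup is shown, and the counter records whether a request ever reached it.
func (s *Server) formatAndRevocation(c *CertContent) error {
	s.ExpensiveCalls++
	if s.Revoked[certKey(c)] { return errors.New("certificate is marked revoked") }
	return nil
}

// Plan returns the enabled items sorted by verification order. An item with no
// implementation is a configuration error: fail closed rather than silently skip it.
func Plan(cfg *SchemeConfig, reg map[string]Check) ([]string, []Check, error) {
	items := append([]SchemeItem(nil), cfg.Items...)
	sort.SliceStable(items, func(i, j int) bool { return items[i].Order < items[j].Order })
	var names []string
	var checks []Check
	for _, it := range items {
		if it.Switch != 1 { continue }
		chk, ok := reg[it.Item]
		if !ok { return nil, nil, fmt.Errorf("configured item %q has no implementation", it.Item) }
		names, checks = append(names, it.Item), append(checks, chk)
	}
	return names, checks, nil
}

// Verify runs the planned items in order and stops at the first failure, returning
// that item's name; "" with a nil error means the certificate is valid.
func (s *Server) Verify(cfg *SchemeConfig, c *CertContent) (string, error) {
	names, checks, err := Plan(cfg, s.Registry)
	if err != nil { return "", err }
	for i, chk := range checks {
		if err := chk(c); err != nil { return names[i], err }
	}
	return "", nil
}

// SampleConfig is the page's XML example with a <config> root; the whitelist item is disabled.
const SampleConfig = `<config>
<item><seq>1</seq><verification_item>Whitelist verification</verification_item><verification_order>2</verification_order><switch_value>0</switch_value></item>
<item><seq>2</seq><verification_item>Blacklist verification</verification_item><verification_order>3</verification_order><switch_value>1</switch_value></item>
<item><seq>3</seq><verification_item>Digital certificate format and revocation status verification</verification_item><verification_order>4</verification_order><switch_value>1</switch_value></item>
<item><seq>4</seq><verification_item>Digital certificate use scope verification</verification_item><verification_order>1</verification_order><switch_value>1</switch_value></item>
</config>`

func LoadConfig(src string) (*SchemeConfig, error) {
	var cfg SchemeConfig
	if err := xml.Unmarshal([]byte(src), &cfg); err != nil { return nil, err }
	return &cfg, nil
}

func main() {
	cfg, err := LoadConfig(SampleConfig)
	if err != nil { panic(err) }
	s := NewServer()
	names, _, _ := Plan(cfg, s.Registry)
	fmt.Println("execution order:", strings.Join(names, " -> "))
	for _, c := range []CertContent{{"1001", "CA-A", "scope 2"}, {"1002", "CA-A", "scope 3"}, {"1003", "CA-A", "scope 1"}} {
		failed, err := s.Verify(cfg, &c)
		fmt.Printf("%s: failed at %q (%v)\n", certKey(&c), failed, err)
	}
	fmt.Println("expensive item reached", s.ExpensiveCalls, "times")
}
```

The execution order is what decides the cost of rejecting a junk certificate, which is the denial-of-service concern raised in the background: with the scope lookup and the list checks ordered ahead of the format and revocation item, a blacklisted or out-of-scope certificate is rejected without any cryptography ever running, whereas Embodiment 2 below runs the expensive item first. Flipping a switch value in the loaded configuration changes the plan without touching any check, and an item named in the configuration but absent from the registry is reported as a configuration error rather than skipped.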
然后由数字证书格式和吊销状态验证子单元进行验证,具体是:It is then verified by the digital certificate format and the revocation status verification sub-unit, specifically:
The digital certificate parsing module parses the digital certificate authentication request packet to obtain the information of the digital certificate, and the digital certificate format and revocation status verification subunit verifies whether the information format of the digital certificate is consistent with a format known to the authentication server; if it is not consistent, the digital certificate format and revocation status verification fails, and if it is consistent, the digital certificate format and revocation status verification succeeds. In the present invention the information format of the digital certificate follows the X.509 digital certificate standard;
or, the authentication server uses the public key of its own digital certificate to compute a signature value for the digital certificate contained in the digital certificate authentication request packet parsed by the parsing module, and the digital certificate format and revocation status verification subunit compares the computed signature value with the signature value carried in the digital certificate; if they differ, the digital certificate format and revocation status verification fails, and if they are the same, the digital certificate format and revocation status verification succeeds;
or, the digital certificate format and revocation status verification subunit checks the current time of the authentication server against the validity period of the received digital certificate; if the current time of the authentication server is outside the validity period of the received digital certificate, the digital certificate format and revocation status verification fails; otherwise, the digital certificate format and revocation status verification succeeds;
or, the digital certificate format and revocation status verification subunit checks whether the status of the received digital certificate, as stored by the authentication server, is marked as revoked; if it is marked as revoked, the digital certificate format and revocation status verification fails; otherwise, the digital certificate format and revocation status verification succeeds.
In other embodiments, the four verification methods performed by the digital certificate format and revocation status verification subunit may be used in any combination. In that case, if any method in the combination fails, the digital certificate format and revocation status verification subunit determines that the format of the digital certificate contained in the certificate authentication request packet is incorrect or that its usage status is invalid, i.e. the digital certificate verification fails; otherwise, the digital certificate verification succeeds.
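The four checks above and their "any combination" rule, as an added example written for this page; it is not code from the patent or its applicant. It uses Go's standard crypto/x509 package, generates the issuer and station certificates in memory as constructed test material, and the names (Example ASU, station-42), serial numbers and the map layout of the revocation store are assumptions. The text has the server use the public key of its own digital certificate for the signature check; the example treats the server's certificate as the issuing certificate (an assumption consistent with WAPI, where the authentication service unit issues station certificates) and verifies the signature with CheckSignatureFrom, which also enforces the issuer's CA constraints. The revocation check is a lookup in the server's local store keyed on serial number plus issuer name, the stronger of the two identifier forms the text allows, since serial numbers are unique only within one issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Check selects one of the four format/revocation-status checks named in the text.
type Check int

const (
	CheckFormat     Check = iota // well-formed X.509 DER
	CheckSignature               // verifies under the issuing (server) certificate
	CheckValidity                // server clock within NotBefore..NotAfter
	CheckRevocation              // not marked revoked in the server's local store
)

// CertID is the identifier form the embodiments use: serial number plus issuer name.
func CertID(c *x509.Certificate) string {
	return c.SerialNumber.String() + "+" + c.Issuer.String()
}

// Verifier holds the server-side state: its issuing certificate, its clock, and
// locally stored revocation marks keyed by CertID (assumed layout).
type Verifier struct {
	Issuer  *x509.Certificate
	Now     time.Time
	Revoked map[string]bool
}

// Verify runs the enabled checks in order and stops at the first failure, the text's
// "any combination" rule. The DER parse comes first: the other checks need its fields.
func (v *Verifier) Verify(der []byte, enabled ...Check) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("format: %w", err)
	}
	for _, c := range enabled {
		switch c {
		case CheckFormat: // already satisfied by the successful parse
		case CheckSignature:
			if e := cert.CheckSignatureFrom(v.Issuer); e != nil {
				return fmt.Errorf("signature: %w", e)
			}
		case CheckValidity:
			if v.Now.Before(cert.NotBefore) || v.Now.After(cert.NotAfter) {
				return fmt.Errorf("validity: %s outside %s..%s", v.Now, cert.NotBefore, cert.NotAfter)
			}
		case CheckRevocation:
			if v.Revoked[CertID(cert)] {
				return fmt.Errorf("revocation: %s is marked revoked", CertID(cert))
			}
		}
	}
	return nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// NewTestPKI builds a self-signed issuer and one station certificate it signed, valid
// for a day either side of now. Constructed test material, not content from the page.
func NewTestPKI(now time.Time) (issuer *x509.Certificate, leafDER []byte) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example ASU"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	issuer, err = x509.ParseCertificate(caDER)
	must(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "station-42"},
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	leafDER, err = x509.CreateCertificate(rand.Reader, leafTmpl, issuer, &leafKey.PublicKey, caKey)
	must(err)
	return issuer, leafDER
}

// Scenarios exercises each check; a nil entry means the certificate verified.
func Scenarios() map[string]error {
	now := time.Date(2016, 5, 10, 12, 0, 0, 0, time.UTC)
	issuer, leaf := NewTestPKI(now)
	all := []Check{CheckFormat, CheckSignature, CheckValidity, CheckRevocation}
	v := &Verifier{Issuer: issuer, Now: now, Revoked: map[string]bool{}}
	tampered := append([]byte(nil), leaf...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the signature value; the DER stays well-formed
	out := map[string]error{
		"valid":     v.Verify(leaf, all...),
		"truncated": v.Verify(leaf[:len(leaf)-8], all...),
		"tampered":  v.Verify(tampered, all...),
		"expired":   (&Verifier{Issuer: issuer, Now: now.Add(72 * time.Hour)}).Verify(leaf, all...),
	}
	parsed, _ := x509.ParseCertificate(leaf)
	v.Revoked[CertID(parsed)] = true // the server marks this station's certificate revoked
	out["revoked"] = v.Verify(leaf, all...)
	out["revoked, check disabled"] = v.Verify(leaf, CheckFormat, CheckSignature, CheckValidity)
	return out
}

func main() { fmt.Println(Scenarios()) }
```

Each scenario returns the error of the first method that rejects the certificate, so the caller can see which of the four checks failed. The last scenario shows what the combination rule implies: with the revocation item switched off, a certificate the server has marked revoked still verifies, which is worth keeping in mind when configuring the scheme for an open network.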
After the digital certificate verification module obtains a successful digital certificate verification result as described above, the message sending module constructs a certificate authentication response packet and sends it to the AP to report the digital certificate verification result.
The verification process described in this embodiment applies to the case where digital certificates are transmitted in a completely open network environment, and the verification scheme improves the efficiency of digital certificate verification in such an environment.
Embodiment 2
As shown in FIG. 3 and FIG. 5, the digital certificate format and revocation status verification subunit, the blacklist verification subunit and/or the whitelist verification subunit are enabled in the verification scheme configuration module. The specific verification process is described in detail below.
Taking the WAPI network architecture as an example, the digital certificate format and revocation status verification subunit first performs verification; the specific process is the same as in Embodiment 1 and is not repeated here. After the digital certificate format and revocation status verification passes, the blacklist verification subunit and/or the whitelist verification subunit begin verification, which specifically comprises:
The whitelist verification subunit creates a whitelist database table. As shown in Table 4, the whitelist database table comprises a serial number field and a whitelist value field, where the serial number field is the primary key and its value is incremented automatically; the whitelist value field holds the digital certificate identifier, which may be the combination of the certificate serial number and the issuer name from the digital certificate, or the certificate serial number alone.
Serial number   Whitelist value
1               Certificate serial number 1 + issuer name
2               Certificate serial number 2 + issuer name
3               Certificate serial number 3 + issuer name
4               Certificate serial number 4 + issuer name
...             ...
Table 4
The whitelist verification subunit executes an SQL query to look up whether the digital certificate identifier is present in the whitelist value field and decides according to the return value of the SQL query: if the return value contains the queried digital certificate identifier, the identifier of the digital certificate contained in the digital certificate authentication request packet can be found in the whitelist value field of the whitelist database table; otherwise, the identifier of the digital certificate contained in the digital certificate authentication request packet cannot be found in the whitelist value field of the whitelist database table;
If the identifier of the digital certificate contained in the digital certificate authentication request packet can be found in the whitelist value field of the whitelist database table, the whitelist verification subunit passes the whitelist verification, meaning that the whitelist verification subunit determines that the digital certificate contained in the certificate authentication request packet is in the whitelist, and therefore the digital certificate validity verification succeeds; otherwise, the whitelist verification subunit fails the whitelist verification, meaning that the whitelist verification subunit determines that the digital certificate contained in the certificate authentication request packet
In other words, if the whitelist verification subunit determines that the digital certificate contained in the digital certificate authentication request packet is not in the whitelist, the digital certificate verification result obtained by the digital certificate verification unit is failure, and the message sending module constructs a certificate authentication response packet and sends it to the AP to report the digital certificate verification result; if the whitelist verification subunit determines that the digital certificate contained in the digital certificate authentication request packet is in the whitelist, the digital certificate validity verification succeeds.
Whitelist values may be added or deleted during the above process. The information on which the authentication server adds or deletes whitelist records may come from the digital certificate issuing entity, a network administrator, or the like; the present invention does not limit this.
The verification process of the blacklist verification subunit is detailed below.
The blacklist verification subunit creates a blacklist database table. As shown in Table 5, the blacklist database table comprises a serial number field and a blacklist value field, where the serial number field is the primary key and its value is incremented automatically; the blacklist value field holds the digital certificate identifier, which may be the combination of the certificate serial number and the issuer name from the digital certificate, or the certificate serial number alone.
Serial number   Blacklist value
1               Certificate serial number 1 + issuer name
2               Certificate serial number 2 + issuer name
3               Certificate serial number 3 + issuer name
4               Certificate serial number 4 + issuer name
...             ...
Table 5
The blacklist verification subunit executes an SQL query to look up whether the digital certificate identifier is present in the blacklist value field and decides according to the return value of the SQL query: if the return value contains the queried digital certificate identifier, the identifier of the digital certificate contained in the digital certificate authentication request packet can be found in the blacklist value field of the blacklist database table; otherwise, the identifier of the digital certificate contained in the digital certificate authentication request packet cannot be found in the blacklist value field of the blacklist database table;
If the identifier of the digital certificate contained in the digital certificate authentication request packet can be found in the blacklist value field of the blacklist database table, the blacklist verification subunit fails the blacklist verification, meaning that the blacklist verification subunit determines that the digital certificate contained in the certificate authentication request packet is in the blacklist, and therefore the digital certificate validity verification fails; otherwise, the blacklist verification subunit passes the blacklist verification, meaning that the blacklist verification subunit determines that the digital certificate contained in the certificate authentication request packet is not in the blacklist, and therefore the digital certificate validity verification succeeds.
In other words, if the blacklist verification subunit determines that the digital certificate contained in the certificate authentication request packet is in the blacklist, the digital certificate verification result obtained by the digital certificate verification module is failure, and the message sending module constructs a certificate authentication response packet and sends it to the AP to report the digital certificate verification result; if the blacklist verification subunit determines that the digital certificate contained in the certificate authentication request packet is not in the blacklist, the digital certificate validity verification succeeds.
Blacklist values may be added or deleted during the above process. The information on which the authentication server adds or deletes blacklist records may come from the digital certificate issuing entity, a network administrator, or the like; the present invention does not limit this.
After the digital certificate verification module obtains a successful digital certificate verification result as described above, the message sending module constructs a certificate authentication response packet and sends it to the AP to report the digital certificate verification result.
The verification process described in this embodiment applies to a specific network environment, such as the local area network within an enterprise, where the transmitted digital certificates are very likely to have been issued by the enterprise's internal digital certificate issuer, each device used on the enterprise's internal network holds a limited number of digital certificates, and, depending on the device's own application, holds only the certificate for one particular application. In such a closed, application-specific environment the source and the scope of application of the digital certificates are uniform, and the verification scheme provided by this embodiment improves the efficiency of digital certificate verification in such a network environment.
Embodiment 3
As shown in FIG. 4 and FIG. 5, the blacklist verification subunit and/or the whitelist verification subunit, the digital certificate usage scope verification subunit and the digital certificate format and revocation status verification subunit are enabled in the verification scheme configuration module. The specific verification process is described in detail below.
Taking the WAPI network architecture as an example, after the message receiving module receives the digital certificate authentication request packet sent by the access point AP, the digital certificate parsing module parses the digital certificate authentication request packet to obtain the digital certificate content and submits the parsed content to the digital certificate verification module. Verification is first performed by the blacklist verification subunit and/or the whitelist verification subunit; the detailed process is the same as described in Embodiment 2 and is not repeated here.
When the result of the verification performed by the blacklist verification subunit and/or the whitelist verification subunit is a pass, verification is further performed by the digital certificate usage scope verification subunit; this process is the same as described in Embodiment 1 and is not repeated here.
When the digital certificate usage scope verification subunit finds that the digital certificate is within the specified scope, verification is further performed by the digital certificate format and revocation status verification subunit; if that verification passes, the digital certificate validity verification succeeds; otherwise, the digital certificate validity verification fails.
After the digital certificate verification module obtains a successful digital certificate verification result as described above, the message sending module constructs a certificate authentication response packet and sends it to the AP to report the digital certificate verification result.
The verification process described in this embodiment applies to a network communication system in which some networks are restricted to certain users while the other networks may be used by everyone. The network devices that are restricted to certain users need to check the whitelist and/or blacklist held on the device first: if the received digital certificate passes the whitelist and/or blacklist check, subsequent verification proceeds; if the received digital certificate is not in the device's whitelist or is in its blacklist, no further verification is performed, which saves time. This verification scheme improves the efficiency of digital certificate verification in such a network environment.
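The orderings of Embodiment 2 (format and revocation status first, then the lists) and Embodiment 3 (lists first, then usage scope, then format and revocation status), driven by a verification scheme table with an item, a switch value and a verification order as in the configuration unit described above, as an added example that is not code from the patent or its applicant. The whitelist, blacklist and usage scope tables are in-memory maps standing in for the SQL tables of the text, keyed on serial number plus issuer name; the item names, the scope encoding, the identifiers and the FormatOK stand-in for the format and revocation status subunit are assumptions. The text performs the membership test as an SQL query; because the serial number and issuer name are taken from the peer's certificate, such a query has to be parameterized, never assembled by string concatenation.

```go
package main

import (
	"fmt"
	"sort"
)

// CertInfo is what the parsing module hands on: the fields the tables are keyed on
// plus the certificate's usage scope (its encoding is an assumption of this example).
type CertInfo struct {
	Serial, Issuer, Scope string
}

// ID is the identifier stored in the tables: serial number plus issuer name.
func (c CertInfo) ID() string { return c.Serial + "+" + c.Issuer }

// SchemeRow is one row of the verification scheme table: verification item,
// switch value and verification order.
type SchemeRow struct {
	Item    string
	Enabled bool
	Order   int
}

// Server holds the tables the subunits query. FormatOK stands in for the
// format/revocation-status subunit, whose checks need the full certificate.
type Server struct {
	Scheme    []SchemeRow
	Whitelist map[string]bool   // Table 4: whitelist values
	Blacklist map[string]bool   // Table 5: blacklist values
	Scopes    map[string]string // usage scope table: certificate ID -> scope granted at issuance
	FormatOK  func(CertInfo) bool
}

// Verify runs the switched-on items in ascending verification order and stops at the
// first failure. It returns the verdict and the items that actually ran.
func (s *Server) Verify(c CertInfo) (bool, []string) {
	rows := append([]SchemeRow(nil), s.Scheme...)
	sort.SliceStable(rows, func(i, j int) bool { return rows[i].Order < rows[j].Order })
	var ran []string
	for _, r := range rows {
		if !r.Enabled {
			continue
		}
		ran = append(ran, r.Item)
		var ok bool
		switch r.Item {
		case "whitelist":
			ok = s.Whitelist[c.ID()] // must be listed
		case "blacklist":
			ok = !s.Blacklist[c.ID()] // must not be listed
		case "scope":
			ok = s.Scopes[c.ID()] == c.Scope // matches the scope recorded at issuance
		case "format_revocation":
			ok = s.FormatOK(c)
		default:
			ok = false // unknown item: refuse rather than silently skip a check
		}
		if !ok {
			return false, ran
		}
	}
	return true, ran
}

// scheme builds the table with the listed items switched on in the given order;
// every other known item is present but switched off.
func scheme(items ...string) []SchemeRow {
	var rows []SchemeRow
	for _, k := range []string{"whitelist", "blacklist", "scope", "format_revocation"} {
		row := SchemeRow{Item: k}
		for i, it := range items {
			if it == k {
				row.Enabled, row.Order = true, i+1
			}
		}
		rows = append(rows, row)
	}
	return rows
}

// Result is the verdict and executed items for one scheme/certificate pair.
type Result struct {
	OK  bool
	Ran []string
}

// Demo runs the Embodiment 2 and Embodiment 3 orderings over constructed identifiers.
func Demo() map[string]Result {
	const issuer = "CN=Example ASU"
	srv := &Server{
		Whitelist: map[string]bool{"1001+" + issuer: true, "1004+" + issuer: true},
		Blacklist: map[string]bool{"1002+" + issuer: true},
		Scopes:    map[string]string{"1001+" + issuer: "wlan-access", "1004+" + issuer: "wlan-access"},
		FormatOK:  func(c CertInfo) bool { return c.Serial != "1004" }, // 1004 is marked revoked
	}
	certs := map[string]CertInfo{
		"listed":  {"1001", issuer, "wlan-access"},
		"banned":  {"1002", issuer, "wlan-access"},
		"unknown": {"1003", issuer, "wlan-access"},
		"revoked": {"1004", issuer, "wlan-access"},
	}
	schemes := map[string][]SchemeRow{
		"emb2": scheme("format_revocation", "blacklist", "whitelist"),          // Embodiment 2
		"emb3": scheme("blacklist", "whitelist", "scope", "format_revocation"), // Embodiment 3
	}
	out := map[string]Result{}
	for sname, sch := range schemes {
		srv.Scheme = sch
		for cname, c := range certs {
			ok, ran := srv.Verify(c)
			out[sname+"/"+cname] = Result{ok, ran}
		}
	}
	return out
}

func main() {
	for k, r := range Demo() {
		fmt.Printf("%-13s ok=%-5v ran=%v\n", k, r.OK, r.Ran)
	}
}
```

The Ran slice makes the efficiency argument of this embodiment visible: a blacklisted or unlisted certificate is rejected by the Embodiment 3 ordering after one or two table lookups, before any signature or validity work, whereas the Embodiment 2 ordering always runs the format and revocation status check first. A revoked certificate that is whitelisted and in scope shows the trade-off in the other direction: the Embodiment 3 ordering runs all four items before rejecting it.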
Beyond the embodiments described above, the verification scheme identified by the verification item field in the verification scheme configuration unit may also be, for example, a check of whether the issuer of the digital certificate contained in the certificate authentication request packet meets the required security level. The authentication server may continue to verify the digital certificate contained in the digital certificate authentication request packet according to the verification schemes preset in the verification scheme configuration unit, and then construct, through the message sending module, a certificate authentication response packet that is sent to the AP to report the digital certificate verification result or verification-related information; this is not described further in the detailed description of the present invention.
Furthermore, the method for verifying the validity of a digital certificate provided by the present invention is not limited to the WAPI architecture described in the above embodiments. Following the same idea as the method for verifying the validity of a digital certificate provided by the present invention, the present invention also provides a corresponding authentication server, see FIG. 6. Specifically:
An authentication server for verifying the validity of a digital certificate, comprising a message receiving module and a digital certificate verification module, characterized in that the digital certificate verification module comprises a verification scheme configuration unit;
the message receiving module is configured to receive a digital certificate authentication request packet;
the verification scheme configuration unit is configured to configure a verification scheme for verifying the validity of the digital certificate.
Preferably, the authentication server may further comprise a digital certificate parsing module for parsing the digital certificate content in the digital certificate authentication request packet.
Preferably, the verification scheme configuration unit further comprises a whitelist verification subunit for verifying whether the digital certificate in the digital certificate authentication request packet is contained in the whitelist;
the verification scheme configuration unit further comprises a blacklist verification subunit for verifying whether the digital certificate in the digital certificate authentication request packet is contained in the blacklist;
the verification scheme configuration unit further comprises a digital certificate format and revocation status verification subunit for verifying whether the information format of the digital certificate is consistent with a format known to the authentication server;
the verification scheme configuration unit further comprises a digital certificate usage scope verification subunit for verifying whether the digital certificate contained in the digital certificate authentication request packet conforms to the usage scope specified when the digital certificate was issued.
The functions and operation of the components of the authentication server correspond to the processes described in the foregoing method and are not repeated here.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to cover them as well.

Claims (13)

  1. A method for verifying the validity of a digital certificate, the method involving an authentication server comprising a message receiving module and a digital certificate verification module, characterized in that
    the digital certificate verification module is provided with a verification scheme configuration unit, which performs configuration settings for configuring a verification scheme for verifying the validity of the digital certificate;
    the message receiving module receives a digital certificate authentication request message containing digital certificate content; the message receiving module submits the received digital certificate content to the digital certificate verification module for verification; the digital certificate verification module selects, according to the verification requirement, a corresponding verification scheme from the verification schemes configured in the verification scheme configuration unit to perform the specific verification process;
    if the validity verification of the digital certificate according to the selected verification scheme cannot pass, the digital certificate validity verification is determined to have failed; otherwise, the digital certificate validity verification is determined to have succeeded.
  2. The method according to claim 1, characterized in that the configuration settings comprise creating a verification scheme database table, the verification scheme database table comprising a verification item field and a switch value field, the verification item field identifying a verification scheme; a verification scheme is enabled by setting the switch value: when the switch value is set to on, the corresponding verification scheme is enabled, and when the switch value is set to off, the corresponding verification scheme is not enabled.
  3. The method according to claim 2, characterized in that the verification scheme database table further comprises a serial number field and/or a verification order field, the verification order field controlling the order in which the verification schemes are executed.
  4. The method according to claim 1, 2 or 3, characterized in that the verification scheme is a combination of at least any two of a whitelist verification scheme, a blacklist verification scheme, a digital certificate format and revocation status verification scheme, and a digital certificate usage scope verification scheme;
    correspondingly, the verification scheme configuration unit further comprises a combination of at least any two of a whitelist verification subunit, a blacklist verification subunit, a digital certificate format and revocation status verification subunit, and a digital certificate usage scope verification subunit.
  5. The method according to claim 4, characterized in that the method of verifying the validity of the digital certificate when the digital certificate usage scope verification subunit and the digital certificate format and revocation status verification subunit are enabled in the verification scheme configuration unit specifically comprises:
    1) first performing digital certificate usage scope verification:
    the digital certificate usage scope verification subunit creates a digital certificate usage scope table, the digital certificate usage scope table comprising a serial number field, a digital certificate identifier field and a usage scope field;
    the digital certificate usage scope verification subunit executes an SQL query to look up whether the usage scope of the digital certificate is present in the usage scope field and decides according to the return value of the SQL query;
    if it can be found in the usage scope field that the digital certificate contained in the digital certificate authentication request packet conforms to the usage scope specified when the digital certificate was issued, the digital certificate usage scope verification subunit verifies the digital certificate usage scope successfully, and digital certificate format and revocation status verification is performed next;
    otherwise, the digital certificate usage scope verification subunit fails to verify the digital certificate usage scope, and the digital certificate validity verification is determined to have failed;
    2) performing digital certificate format and revocation status verification:
    the digital certificate format and revocation status verification subunit verifies whether the information format of the digital certificate content is consistent with a format known to the authentication server; if it is not consistent, the digital certificate format and revocation status verification fails, and if it is consistent, the digital certificate format and revocation status verification succeeds;
    or, the authentication server uses the public key of its own digital certificate to compute a signature value for the digital certificate contained in the digital certificate authentication request packet, and the digital certificate format and revocation status verification subunit compares the computed signature value with the signature value carried in the digital certificate; if they differ, the digital certificate format and revocation status verification fails, and if they are the same, the digital certificate format and revocation status verification succeeds;
    or, the digital certificate format and revocation status verification subunit checks the current time of the authentication server against the validity period of the received digital certificate; if the current time of the authentication server is outside the validity period of the received digital certificate, the digital certificate format and revocation status verification fails; otherwise, the digital certificate format and revocation status verification succeeds;
    or, the digital certificate format and revocation status verification subunit checks whether the status of the received digital certificate, as stored by the authentication server, is marked as revoked; if it is marked as revoked, the digital certificate format and revocation status verification fails; otherwise, the digital certificate format and revocation status verification succeeds.
  6. The method according to claim 4, characterized in that the method of verifying the validity of the digital certificate when the digital certificate format and revocation status verification subunit, the blacklist verification subunit and/or the whitelist verification subunit are enabled in the verification scheme configuration unit specifically comprises:
    1) first performing digital certificate format and revocation status verification:
    the digital certificate format and revocation status verification subunit verifies whether the information format of the digital certificate content is consistent with a format known to the authentication server; if it is not consistent, the digital certificate format and revocation status verification fails, and if it is consistent, the digital certificate format and revocation status verification succeeds;
    or, the authentication server uses the public key of its own digital certificate to compute a signature value for the digital certificate contained in the digital certificate authentication request packet, and the digital certificate format and revocation status verification subunit compares the computed signature value with the signature value carried in the digital certificate; if they differ, the digital certificate format and revocation status verification fails, and if they are the same, the digital certificate format and revocation status verification succeeds;
    or, the digital certificate format and revocation status verification subunit checks the current time of the authentication server against the validity period of the received digital certificate; if the current time of the authentication server is outside the validity period of the received digital certificate, the digital certificate format and revocation status verification fails; otherwise, the digital certificate format and revocation status verification succeeds;
    or, the digital certificate format and revocation status verification subunit checks whether the status of the received digital certificate, as stored by the authentication server, is marked as revoked; if it is marked as revoked, the digital certificate format and revocation status verification fails; otherwise, the digital certificate format and revocation status verification succeeds;
    2) after the digital certificate format and revocation status verification succeeds, further performing blacklist verification and/or whitelist verification, specifically comprising:
    the blacklist verification subunit creates a blacklist database table, the blacklist database table comprising a serial number field and a blacklist value field, the blacklist value field being the digital certificate identifier;
    the blacklist verification subunit executes an SQL query to look up whether the digital certificate identifier is present in the blacklist value field and decides according to the return value of the SQL query;
    if the identifier of the digital certificate contained in the digital certificate authentication request packet can be found in the blacklist value field of the blacklist database table, the blacklist verification subunit fails the blacklist verification; otherwise, the blacklist verification subunit is determined to pass the blacklist verification; and/or,
    the whitelist verification subunit creates a whitelist database table, the whitelist database table comprising a serial number field and a whitelist value field, the whitelist value field being the digital certificate identifier;
    the whitelist verification subunit executes an SQL query to look up whether the digital certificate identifier is present in the whitelist value field and decides according to the return value of the SQL query;
    if the identifier of the digital certificate contained in the digital certificate authentication request packet can be found in the whitelist value field of the whitelist database table, the whitelist verification subunit passes the whitelist verification; otherwise, the whitelist verification subunit is determined to fail the whitelist verification.
  7. The method according to claim 4, wherein the method of verifying the validity of the digital certificate when the blacklist verification subunit and/or whitelist verification subunit, the digital certificate usage scope verification subunit, and the digital certificate format and revocation status verification subunit are enabled in the verification scheme configuration unit specifically comprises:
    1) first performing blacklist verification and/or whitelist verification, specifically comprising:
    the blacklist verification subunit creates a blacklist database table, the blacklist database table comprising a sequence number field and a blacklist value field, the blacklist value field being a digital certificate identifier;
    the blacklist verification subunit executes an SQL query statement to query whether the digital certificate identifier is present in the blacklist value field, and decides according to the return value of the SQL query statement;
    if the identifier of the digital certificate contained in the digital certificate authentication request packet can be found in the blacklist value field of the blacklist database table, the blacklist verification performed by the blacklist verification subunit fails; otherwise, the blacklist verification performed by the blacklist verification subunit is determined to pass; and/or,
    the whitelist verification subunit creates a whitelist database table, the whitelist database table comprising a sequence number field and a whitelist value field, the whitelist value field being a digital certificate identifier;
    the whitelist verification subunit executes an SQL query statement to query whether the digital certificate identifier is present in the whitelist value field, and decides according to the return value of the SQL query statement;
    if the identifier of the digital certificate contained in the digital certificate authentication request packet can be found in the whitelist value field of the whitelist database table, the whitelist verification performed by the whitelist verification subunit passes; otherwise, the whitelist verification performed by the whitelist verification subunit is determined to fail;
    2) after the blacklist verification and/or whitelist verification has succeeded, performing digital certificate usage scope verification, specifically:
    the digital certificate usage scope verification subunit creates a digital certificate usage scope table, the digital certificate usage scope table comprising a sequence number field, a digital certificate identifier field and a usage scope field;
    the digital certificate usage scope verification subunit executes an SQL query statement to query whether the usage scope of the digital certificate is present in the usage scope field, and decides according to the return value of the SQL query statement;
    if it can be found from the usage scope field that the digital certificate contained in the digital certificate authentication request packet conforms to the usage scope specified when the digital certificate was issued, the digital certificate usage scope verification subunit's verification of the digital certificate usage scope succeeds;
    otherwise, the digital certificate usage scope verification subunit's verification of the digital certificate usage scope fails, whereby it is determined that the digital certificate validity verification fails;
    3) after the digital certificate usage scope verification has succeeded, further performing digital certificate format and revocation status verification, specifically:
    the digital certificate format and revocation status verification subunit verifies whether the information format of the digital certificate content is consistent with the format known to the authentication server; if it is not consistent, the digital certificate format and revocation status verification fails; if it is consistent, the digital certificate format and revocation status verification succeeds;
    Alternatively, the authentication server uses the public key of its digital certificate to compute the signature value of the digital certificate in the digital certificate authentication request packet, and the digital certificate format and revocation status verification subunit checks whether the computed signature value and the signature value of the digital certificate are the same; if they are not the same, the digital certificate format and revocation status verification fails; if they are the same, the digital certificate format and revocation status verification succeeds;
    Alternatively, the digital certificate format and revocation status verification subunit checks the current time of the authentication server against the validity period of the received digital certificate; if the current time of the authentication server is not within the validity period of the received digital certificate, the digital certificate format and revocation status verification fails; otherwise, the digital certificate format and revocation status verification succeeds;
    Alternatively, the digital certificate format and revocation status verification subunit checks whether the status of the received digital certificate, as stored by the authentication server, is marked as revoked; if it is marked as revoked, the digital certificate format and revocation status verification fails; otherwise, the digital certificate format and revocation status verification succeeds.
  8. The method according to claim 1, wherein the configuration setting may also be a configuration file in XML format, comprising a sequence number element, a verification item element, a verification order element and a switch value element;
    the verification order element is used to control the execution order of the verification schemes;
    the switch value element is used to determine whether the corresponding verification scheme is enabled.
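Claims 6 to 8 above describe one configurable scheme: blacklist, whitelist and usage-scope checks backed by database tables queried with SQL, a format-and-revocation-status check, and an XML file whose verification order and switch value elements decide which checks run and in what sequence. The Python program below is an added example written for this page, not code from the patent or its assignee. It models the tables in an in-memory SQLite database, reads a constructed XML configuration, and runs the enabled checks in the configured order, stopping at the first failure. The XML tag names, table columns, certificate identifiers, the `X.509v3` format label and the `wlan-access` scope are all assumptions; the claim-7 order (lists, then usage scope, then format/revocation) is the default, and the claim-6 order (format/revocation first) is obtained by changing the order elements. Signature verification is left out because it needs issuer key material the claims do not specify.

```python
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed XML configuration file. The claim names only a sequence-number
# element, a verification-item element, a verification-order element and a
# switch-value element; the tag names below are my own assumptions.
CONFIG_XML = """<verification-scheme>
  <item><seq>1</seq><name>blacklist</name><order>1</order><switch>on</switch></item>
  <item><seq>2</seq><name>whitelist</name><order>2</order><switch>on</switch></item>
  <item><seq>3</seq><name>usage_scope</name><order>3</order><switch>on</switch></item>
  <item><seq>4</seq><name>format_and_revocation</name><order>4</order><switch>on</switch></item>
</verification-scheme>"""

KNOWN_FORMAT = "X.509v3"  # assumption: the one content format this server accepts


def load_scheme(xml_text):
    """Return the names of enabled verification items, sorted by their order element."""
    root = ET.fromstring(xml_text)
    enabled = []
    for item in root.findall("item"):
        if item.findtext("switch", "off").strip().lower() == "on":
            enabled.append((int(item.findtext("order")), item.findtext("name").strip()))
    return [name for _, name in sorted(enabled)]


def build_db():
    """In-memory SQLite tables with the sequence-number/value layout of the claims.
    Every row is constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE blacklist   (seq INTEGER PRIMARY KEY, cert_id TEXT NOT NULL);
        CREATE TABLE whitelist   (seq INTEGER PRIMARY KEY, cert_id TEXT NOT NULL);
        CREATE TABLE usage_scope (seq INTEGER PRIMARY KEY, cert_id TEXT NOT NULL, scope TEXT NOT NULL);
        CREATE TABLE cert_status (cert_id TEXT PRIMARY KEY, revoked INTEGER NOT NULL);
    """)
    db.executemany("INSERT INTO blacklist (cert_id) VALUES (?)", [("CERT-BAD-001",)])
    db.executemany("INSERT INTO whitelist (cert_id) VALUES (?)",
                   [("CERT-OK-001",), ("CERT-OLD-002",), ("CERT-REV-003",), ("CERT-BAD-001",)])
    db.executemany("INSERT INTO usage_scope (cert_id, scope) VALUES (?, ?)",
                   [("CERT-OK-001", "wlan-access"), ("CERT-OLD-002", "wlan-access"),
                    ("CERT-REV-003", "wlan-access")])
    db.executemany("INSERT INTO cert_status VALUES (?, ?)",
                   [("CERT-OK-001", 0), ("CERT-OLD-002", 0), ("CERT-REV-003", 1)])
    return db


def check_blacklist(db, cert, now):
    # Parameterised query; a returned row means the identifier is listed, i.e. failure.
    row = db.execute("SELECT 1 FROM blacklist WHERE cert_id = ?", (cert["id"],)).fetchone()
    return row is None


def check_whitelist(db, cert, now):
    # For the whitelist a returned row is the success case.
    row = db.execute("SELECT 1 FROM whitelist WHERE cert_id = ?", (cert["id"],)).fetchone()
    return row is not None


def check_usage_scope(db, cert, now):
    # Passes only if the identifier is recorded for the scope the request asks for.
    row = db.execute("SELECT 1 FROM usage_scope WHERE cert_id = ? AND scope = ?",
                     (cert["id"], cert["scope"])).fetchone()
    return row is not None


def check_format_and_revocation(db, cert, now):
    # Three of the claim's alternatives: content format, validity period, stored revoked flag.
    if cert["format"] != KNOWN_FORMAT:
        return False
    if not cert["not_before"] <= now <= cert["not_after"]:
        return False
    row = db.execute("SELECT revoked FROM cert_status WHERE cert_id = ?", (cert["id"],)).fetchone()
    return not (row is not None and row[0] == 1)


CHECKS = {
    "blacklist": check_blacklist,
    "whitelist": check_whitelist,
    "usage_scope": check_usage_scope,
    "format_and_revocation": check_format_and_revocation,
}


def verify(db, cert, now, xml_text=CONFIG_XML):
    """Run the enabled checks in configured order and stop at the first failure.
    Returns (True, None) on success or (False, <name of the failing check>)."""
    for name in load_scheme(xml_text):
        if not CHECKS[name](db, cert, now):
            return False, name
    return True, None


def make_cert(cert_id, not_after="2026-01-01", fmt=KNOWN_FORMAT, scope="wlan-access"):
    """Constructed stand-in for the certificate carried in an authentication request packet."""
    return {"id": cert_id, "format": fmt, "scope": scope,
            "not_before": datetime(2016, 1, 1), "not_after": datetime.fromisoformat(not_after)}


def run_samples(xml_text=CONFIG_XML):
    """Verify a constructed batch of certificates; returns {cert_id: (ok, failing_check)}."""
    db = build_db()
    now = datetime(2016, 5, 11)  # constructed "authentication server current time"
    samples = [make_cert("CERT-OK-001"), make_cert("CERT-BAD-001"),
               make_cert("CERT-OLD-002", not_after="2016-03-31"), make_cert("CERT-REV-003"),
               make_cert("CERT-UNKNOWN-004")]
    return {c["id"]: verify(db, c, now, xml_text) for c in samples}


if __name__ == "__main__":
    for cert_id, result in run_samples().items():
        print(cert_id, result)
    # Switching the blacklist item off moves the rejection of CERT-BAD-001 to a later check.
    print(run_samples(CONFIG_XML.replace("<name>blacklist</name><order>1</order><switch>on",
                                         "<name>blacklist</name><order>1</order><switch>off")))
```

The certificate identifier and scope come straight from the request packet, so each SQL query binds them as parameters rather than building the statement by string concatenation; the claims only say that the decision follows the query's return value, and a parameterised query keeps that decision from depending on how the identifier is spelled. The `switch` element lets an operator disable a check without editing code, and the `order` element is what lets the same program express either the claim-6 or the claim-7 sequence.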
  9. An authentication server for verifying the validity of a digital certificate, comprising a message receiving module and a digital certificate verification module, wherein the digital certificate verification module comprises a verification scheme configuration unit;
    the message receiving module is configured to receive a digital certificate authentication request packet;
    the verification scheme configuration unit is configured to configure a verification scheme for verifying the validity of the digital certificate.
  10. The authentication server according to claim 9, wherein the verification scheme configuration unit further comprises a whitelist verification subunit, the whitelist verification subunit being configured to verify whether the digital certificate in the digital certificate authentication request packet is contained in the whitelist.
  11. The authentication server according to claim 9, wherein the verification scheme configuration unit further comprises a blacklist verification subunit, the blacklist verification subunit being configured to verify whether the digital certificate in the digital certificate authentication request packet is contained in the blacklist.
  12. The authentication server according to claim 9, wherein the verification scheme configuration unit further comprises a digital certificate format and revocation status verification subunit, the digital certificate format and revocation status verification subunit being configured to verify whether the information format of the digital certificate is consistent with the format known to the authentication server.
  13. The authentication server according to claim 9, wherein the verification scheme configuration unit further comprises a digital certificate usage scope verification subunit, the digital certificate usage scope verification subunit being configured to verify whether the digital certificate contained in the digital certificate authentication request packet conforms to the usage scope specified when the digital certificate was issued.
PCT/CN2016/081665 2015-07-02 2016-05-11 Method for verifying the validity of digital certificate and authentication server therefor WO2017000676A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510381509.X 2015-07-02
CN201510381509.XA CN106330449A (en) 2015-07-02 2015-07-02 Method for verifying validity of digital certificate and authentication server

Publications (1)

Publication Number Publication Date
WO2017000676A1 true WO2017000676A1 (en) 2017-01-05

Family

ID=57607716

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/081665 WO2017000676A1 (en) 2015-07-02 2016-05-11 Method for verifying the validity of digital certificate and authentication server therefor

Country Status (2)

Country Link
CN (1) CN106330449A (en)
WO (1) WO2017000676A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116894109A (en) * 2023-09-11 2023-10-17 北京格尔国信科技有限公司 Method, system, device and storage medium for inquiring digital certificate
CN116894109B (en) * 2023-09-11 2024-01-09 北京格尔国信科技有限公司 Method, system, device and storage medium for inquiring digital certificate

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108549809A (en) * 2018-04-02 2018-09-18 郑州云海信息技术有限公司 A kind of program process control method and system based on digital certificate
CN110858804B (en) * 2018-08-25 2022-04-05 华为云计算技术有限公司 Method for determining certificate status
US20200412552A1 (en) * 2019-06-28 2020-12-31 Zebra Technologies Corporation Methods and Apparatus to Renew Digital Certificates
CN113242130B (en) * 2021-04-01 2022-07-22 深圳国实检测技术有限公司 Equipment digital certificate revocation method, electronic equipment and computer readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040030888A1 (en) * 2002-08-08 2004-02-12 Roh Jong Hyuk Method of validating certificate by certificate validation server using certificate policies and certificate policy mapping in public key infrastructure
US20060200854A1 (en) * 2005-03-02 2006-09-07 Shinichi Saito Server with authentication function, and authentication method
CN102439898A (en) * 2009-05-22 2012-05-02 微软公司 Model based multi-tier authentication
CN102638346A (en) * 2012-05-12 2012-08-15 杭州迪普科技有限公司 Method and device for authorizing subscriber digital certificate
CN102811218A (en) * 2012-07-24 2012-12-05 江苏省电子商务服务中心有限责任公司 Precision authentication method and device for digital certificate, and cloud authentication service system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101163012B (en) * 2007-11-20 2010-12-08 江苏先安科技有限公司 System and method of checking fine grit of digital certificate
US8627073B2 (en) * 2010-03-24 2014-01-07 GM Global Technology Operations LLC Adaptive certificate distribution mechanism in vehicular networks using forward error correcting codes
CN103560889B (en) * 2013-11-05 2017-01-18 江苏先安科技有限公司 Precision identity authentication method between X509 digital certificate and certificate application

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
HE, GUOFENG ET AL.: "High Performance CA Authentication Solution", APPLICATIONS OF THE COMPUTER SYSTEMS, 30 June 2001 (2001-06-30) *

Also Published As

Publication number Publication date
CN106330449A (en) 2017-01-11

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16817040

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16817040

Country of ref document: EP

Kind code of ref document: A1