WO2020073546A1 - Processing method for digital certificate and related apparatus - Google Patents

Processing method for digital certificate and related apparatus Download PDF

Info

Publication number
WO2020073546A1
WO2020073546A1 PCT/CN2019/070234 CN2019070234W WO2020073546A1 WO 2020073546 A1 WO2020073546 A1 WO 2020073546A1 CN 2019070234 W CN2019070234 W CN 2019070234W WO 2020073546 A1 WO2020073546 A1 WO 2020073546A1
Authority
WO
WIPO (PCT)
Prior art keywords
public key
digital certificate
certificate
public
ring
Prior art date
Application number
PCT/CN2019/070234
Other languages
French (fr)
Chinese (zh)
Inventor
陆陈一帆
霍云
冯承勇
Original Assignee
深圳壹账通智能科技有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 深圳壹账通智能科技有限公司 filed Critical 深圳壹账通智能科技有限公司
Priority to SG11201913856UA priority Critical patent/SG11201913856UA/en
Publication of WO2020073546A1 publication Critical patent/WO2020073546A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L63/0421Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Definitions

  • This application relates to the field of blockchain technology, in particular to a digital certificate processing method and related devices.
  • CA Certificate Authority
  • CA Certificate Authority
  • Bank A has its own CA (such as CA-A)
  • Bank B has its own CA (such as CA-B)
  • Bank C has its own CA (such as CA-C)
  • CA-C digital certificate authorities
  • Each bank can use its own CA issues digital certificates for its customers.
  • any participant such as Bank A, Bank B, and Bank C will recognize the digital certificate issued by the CA of other participants to its customers.
  • the embodiments of the present application provide a digital certificate processing method and related device, which can realize the anonymous issuance of the digital certificate, enhance the identity privacy of the issuer of the digital certificate, and have strong applicability.
  • an embodiment of the present application provides a digital certificate issuance method.
  • the above method is applicable to a digital certificate issuer.
  • the above method includes:
  • the certificate authority CA of the first party in the blockchain network records the CA public key of the first party in the blockchain network, and the first party is the issuer of the digital certificate in the blockchain network
  • At least one CA public key of the second party is also recorded in the above-mentioned blockchain network, and the above-mentioned second party is a party other than the above-mentioned second party in the above-mentioned blockchain network;
  • the CA of the first participant When the CA of the first participant receives a certificate authorization request from any user, it determines whether the user is a user of the CA of the first participant according to the user identity information carried in the certificate authorization request;
  • the issuer's CA If the issuer's CA confirms that the user is a user of the first participant's CA, it obtains the user's public key from the certificate authorization request, and according to the preset ring signature certificate issuance rules, from the block Obtain any N public CA keys of the above-mentioned second parties from the chain network, where N is equal to the number of public keys set in the above ring signing certificate issuance rules;
  • the CA of the issuer performs a ring signature on the user identity information and public key of the user and forms a digital certificate based on the public key and private key of the CA of the first participant and the CA public keys of the N second participants And send the above digital certificate to the above users.
  • an embodiment of the present application provides a digital certificate verification method.
  • the above method is applicable to a digital certificate verification party.
  • the above method includes:
  • the verifier obtains any signature transaction in the blockchain network
  • the verifier obtains the digital certificate of the initiator of the signature transaction
  • the initiator of the signature transaction may be one of the participants in the blockchain network
  • the above-mentioned blockchain network records the CA public key of the certification authority of each participant, including the initiator of the above transaction;
  • the verifier obtains the public key information of the ring signature of the digital certificate from the digital certificate based on the preset ring signing certificate issuance rule, and determines all the public keys corresponding to the ring signature of the digital certificate according to the public key information. All the public keys corresponding to the signatures are the CA public keys of multiple participants in the blockchain network, and the number of public keys corresponding to the ring signature is equal to the number of public keys set in the rules for issuing the ring signature certificate;
  • the verifier verifies the signature of the signed transaction based on all public keys corresponding to the ring signature.
  • an embodiment of the present application provides a digital certificate issuance device.
  • the above device is suitable for a certificate issuing authority CA of a digital certificate issuer.
  • the above device includes:
  • the recording unit is used to record the CA public key of the first party into the blockchain network, the first party is the issuer of the digital certificate in the blockchain network, and the blockchain network also records At least one CA public key of a second participant, the second participant is a participant other than the first participant in the blockchain network;
  • the confirmation unit is configured to confirm whether the user is a user of the CA of the first participant according to the user identity information carried in the certificate authorization request when receiving a certificate authorization request from any user;
  • the obtaining unit is configured to obtain the public key of the user from the certificate authorization request when the confirmation unit confirms that the user is the user of the CA of the first participant, and according to the preset ring signing certificate issuance rules, from Obtain any N public CA keys of the above-mentioned second parties from the above-mentioned blockchain network, where N is equal to the number of public keys set in the above-mentioned ring signature certificate issuance rules;
  • an embodiment of the present application provides a digital certificate verification device.
  • the above device is suitable for a digital certificate verification party.
  • the above device includes:
  • the obtaining unit is used to obtain the digital certificate of the initiator of the above-mentioned signature transaction when obtaining any signature transaction in the blockchain network;
  • the initiator of the above-mentioned signature transaction may be one of the participants in the above-mentioned blockchain network,
  • the above-mentioned blockchain network records the CA public key of the certification authority of each participant, including the initiator of the above transaction;
  • a determining unit configured to acquire the public key information of the ring signature of the digital certificate from the digital certificate based on preset ring signature certificate issuance rules, and determine all public keys corresponding to the ring signature of the digital certificate based on the public key information, All public keys corresponding to the ring signature are the CA public keys of multiple participants in the blockchain network, and the number of public keys corresponding to the ring signature is equal to the number of public keys set in the rules for issuing the ring signature certificate;
  • the verification unit is configured to verify the signature of the signature transaction based on all public keys corresponding to the ring signature determined by the determination unit.
  • an embodiment of the present application provides a terminal, the terminal includes a processor, a memory, and / or a transceiver, and the processor, the memory, and / or the transceiver are connected to each other, wherein the memory is used to store a computer program,
  • the computer program includes program instructions, and the processor and / or transceiver is configured to call the program instructions to perform the method provided in the first aspect and any possible implementation manner of the first aspect, or the second aspect. And the method provided in any possible implementation manner of the second aspect.
  • an embodiment of the present application provides a computer-readable storage medium, where the computer-readable storage medium stores a computer program, and the computer program includes program instructions, which when executed by a processor causes the processor to execute The method provided by the foregoing first aspect and any possible implementation manner of the first aspect, or the foregoing second aspect and any possible implementation manner of the second aspect.
  • condition anonymity of any participant as a digital certificate issuer can be realized, and the digital certificate issuer can anonymously issue digital certificates to its users, which can avoid the identity leakage of the digital certificate issuer and avoid blocks
  • the other participants in the chain network are informed of the issuer of the digital certificate, which can enhance the identity privacy of the issuer of the digital certificate, ensure the privacy of the transaction information of the issuer of the digital certificate, and have strong applicability.
  • FIG. 1 is a schematic diagram of a general process of digital certificate issuance provided by an embodiment of the present application
  • FIG. 2 is a schematic flowchart of a method for processing a digital certificate provided by an embodiment of the present application
  • FIG. 3 is a schematic structural diagram of a digital certificate issuance device provided by an embodiment of the present application.
  • FIG. 4 is a schematic structural diagram of a digital certificate verification device provided by an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of a terminal provided by an embodiment of the present application.
  • FIG. 6 is another schematic structural diagram of a terminal provided by an embodiment of the present application.
  • the processing method of the digital certificate provided in the embodiment of the present application (including the method of issuing the digital certificate and the verification method of the digital certificate, for convenience of description, hereinafter referred to as the method provided in the embodiment of the present application) and related devices can be applied to banks, insurance, securities , Business associations, group companies, upstream and downstream enterprises and other business transactions and / or enterprise information processing and other application scenarios, specific can be determined according to the actual application scenarios, no restrictions are made here.
  • the above-mentioned institutions such as banks, insurance, securities, business associations, group enterprises, and upstream and downstream enterprises can serve as multiple participants in the same alliance chain network.
  • the above banks, insurance, securities, business associations, group companies, and upstream and downstream enterprises can also have their own alliance chain network.
  • Blockchain was born in the era of mobile Internet.
  • the above-mentioned banks, insurance, securities, business associations, group companies and upstream and downstream enterprises are generally IT-based and Internet-based organizations and / or institutions.
  • the processing efficiency of notarization, settlement and clearing business and value exchange in the industrial chain of the institutional circle is very helpful.
  • the processing performance, privacy protection, and compliance of traditional blockchains cannot meet the business needs of these institutions.
  • the use of public chains to handle notarization, settlement and settlement services, or value exchange services will subvert these.
  • the organization's existing business model and inherent benefits are at greater risk. Therefore, based on the business needs of the above institutions, a blockchain system with better privacy protection, the alliance chain, came into being.
  • the alliance chain only targets members of a certain group and limited third parties, and internally designates multiple pre-selected nodes as bookkeepers.
  • the generation of each block is determined jointly by all pre-selected nodes, and other access nodes can participate in transactions , But just ask about the billing process, other third parties can make limited queries through the application programming interface (API) opened by the alliance chain.
  • API application programming interface
  • Digital certificate is a string of numbers used to identify the identity information of each communication party in Internet communication.
  • the emergence of digital certificate provides a way for Internet communication to verify the identity of each communication party's communication entity on the Internet.
  • a digital certificate is not a digital ID card, but a stamp or seal (or a signature added to each communication entity's digital ID card) affixed to each communication entity's digital ID card by the identity authentication agencies of each communication entity.
  • the digital certificate is issued by an authority, CA, and can be used on the Internet to identify the identity of each communication entity.
  • a digital certificate is a file digitally signed by a CA, which contains the holder information of the public key (public key for short) and the file of the public key.
  • the simplest digital certificate can contain a public key, the name of the holder of the public key and the digital signature of the certificate authority, and the digital certificate is only valid for a specific period of time.
  • a digital certificate is an authoritative electronic document. It can be issued by an authoritative and impartial third-party organization, that is, a CA (such as a CA company in various places in China), or an enterprise-level CA (such as CA-A of Bank A ) To issue. Digital certificates can be used to: send secure e-mails, visit secure sites, online securities transactions, online bidding and procurement, online offices, online insurance, online taxation, online contracting and online banking and other secure electronic transaction processing and secure electronic transaction signatures. There are many numbers and English stored in the digital certificate. When the digital certificate is used for identity authentication, it will randomly generate a 128-bit identity code.
  • Each digital certificate can generate a corresponding number, but it is impossible for the same number every time, thereby ensuring data
  • the confidentiality of transmission is equivalent to generating a complex password.
  • the digital certificate binds the public key and the true identity of the public key holder. It is similar to the resident ID card in real life. The difference is that the digital certificate is no longer a paper certificate, but a piece of digital certificate. Owner's identity information and electronic data issued by the certification center can be more easily and flexibly used in e-commerce and e-government.
  • FIG. 1 is a schematic diagram of a general process of digital certificate issuance provided by an embodiment of the present application.
  • the digital certificate issuance process provided by the embodiment of the present application generally includes the following steps S11 and S12:
  • the user sends a certificate authorization request to the organization's CA.
  • a user when a user (such as a customer of a bank, insurance, or enterprise) requests a transaction with an organization (such as a bank, insurance, or enterprise, etc.), it can first generate its own key pair.
  • the pair includes the public key and the private key, and transmits the public key and some user identity information to the organization's CA by sending a certificate authorization request to the organization's CA.
  • the certificate authorization request sent by the user to the organization's CA may include part of the user's identity information and the user's public key to request the organization's CA to sign the user's user identity information and public key and issue a digital certificate.
  • the organization's CA verifies the user's identity and issues a digital certificate.
  • the institution that the user requests to sign the transaction can verify the identity of the user through the institution's CA.
  • the organization's CA verifies the user's identity (that is, the user is its own customer), it can determine the user identity information included in the certificate authorization request sent by the user to confirm that the certificate authorization request is indeed sent by its own customer (ie, user). Come.
  • the organization's CA confirms that the certificate authorization request is sent by the user, it sends a digital certificate to the user.
  • the digital certificate contains the user's user identity information and the user's public key, as well as the organization's CA's signature information. The user can use the digital certificate issued by the organization's CA to sign the relevant transaction.
  • Digital certificates issued by CAs of various institutions to their customers are issued by independent certificate issuing institutions (ie CAs) of each institution. Digital certificates are different, each certificate can provide different levels of credibility, and each customer user (ie, user) of each institution can obtain their own digital certificate from the CA of each institution.
  • CAs independent certificate issuing institutions
  • Digital certificates use a public key system, which uses a pair of matching keys for digital signature and verification.
  • Each user sets a specific private key (that is, a private key) known only to himself, and based on the private key, digital signatures of transaction information for transactions with institutions can be performed.
  • the user can set a corresponding public key (that is, the public key) and disclose it by himself, shared by a group of users, and used for signature verification of transaction information.
  • Public key technology solves the management problem of key issuance. Users can publicly hold the public key they hold while retaining the private key they hold. The user can also use his own private key to process the transaction information. Since the private key is owned only by himself, a file that cannot be generated by others is generated, and a digital signature is formed.
  • the use of digital signatures can ensure that the transaction information is sent by the sender's own signature, and the sender cannot deny or be difficult to deny. At the same time, it can also ensure that the transaction information has not been modified since the sender signed it until the receiver received it.
  • the document is a real document, which ensures that the transaction information cannot be tampered with.
  • embodiments of the present application provide a digital certificate processing method and related device based on distributed digital certificates, including a digital certificate issuance method and device, and a digital certificate verification method And device, which can issue digital certificates to customers of any participant in the alliance chain network, and can determine all public keys corresponding to the ring signature of the digital certificate based on the digital certificate of the initiator of any signed transaction to be based on the digital certificate All public keys corresponding to the ring signature verify the transaction signature.
  • the CAs of each participant in the alliance chain can issue digital certificates with their own customers based on the digital certificate issuance method provided in this embodiment of the present application, to realize the CA of any participant as the signer (that is, the issuer of the digital certificate)
  • Unconditional anonymity which can avoid the leakage of the identity of the CA of the digital certificate issuer and prevent other participants in the alliance chain network from learning the customer information of the CA of the digital certificate issuer, thereby ensuring the transaction information of the digital certificate issuer.
  • the privacy guarantees the security of the issuer's customer information and is more applicable.
  • the method provided in the embodiment of the present application can record the public keys of all CAs in the alliance chain network that can be recognized as participants (or non-participants) through the alliance chain network (for example, the CA-A of Bank A and the CA of Bank B -B, ).
  • the organization's CA will issue a digital certificate to the customer with a ring signature (traditionally, the CA uses its own private key pair The digital certificate issued to its customers to sign), so that the third party can not judge which organization's CA issued the digital certificate.
  • the CA of any participant included in the alliance chain network uses ring signatures to issue digital certificate signatures to its customers and any verification party to verify any signature transaction for implementation. Please refer to the following steps S21 to S24 The implementation provided.
  • the issuer here refers to any participant in the alliance chain network that needs to issue a digital certificate for its own users.
  • any organization that verifies the digital certificate can use the verification party as an example to explain. It is determined according to the actual application scenario, and is not limited here.
  • the issuer's CA records its public key into the blockchain network.
  • the CA (or the participant CA for short) of any recognized participant (referred to as the participant hereinafter for convenience) in the alliance chain network (that is, the blockchain network) generates a public key and a The private key, and can record its own information (that is, the participant CA) and the public key to the alliance chain network through Smart Crypto Contract (SCC).
  • SCC Smart Crypto Contract
  • each bank ’s CA can generate a public key and a private key
  • the public key generated by each bank ’s CA can be disclosed by each bank ’s CA itself and is fed by the consortium chain network. Record the public key of each bank's CA (that is, the public key of each bank's CA).
  • the private key of each bank's CA is known by each bank's CA.
  • the issuer is one of the participants in the alliance chain network (assuming it is the first participant)
  • the issuer is recorded in the alliance chain network (for ease of description, the issuer of the digital certificate in the blockchain network
  • the first participant can be used as an example to illustrate the public key of the CA (or CA public key for short), and also records other parties other than the issuer (for convenience of description, in addition to digital certificates in the blockchain network
  • Any participant other than the issuer can use the second participant as an example to illustrate the CA public key.
  • the CA public keys of each participant here are recorded in the alliance chain network, so any participant in the alliance chain can know the CA public keys of other participants in the alliance chain network.
  • the CA in any participant (such as the first participant, that is, the issuer) needs to be its own customer (the customer of the issuer's CA, and also the customer of the issuer.
  • the customer of the issuer's CA For the convenience of description, the following is the customer of the issuer's CA
  • you can use the ring signature method to obtain the CA public key of one or more participants from the alliance chain network, and combine your own public key and private key (that is, the issuer's CA's public key and private key) issue digital certificates for their customers.
  • the CA of the issuer receives a certificate authorization request from any user, it determines whether the user is his own according to the user identity information carried in the certificate authorization request.
  • the bank ’s CA (for convenience of description, the issuer ’s
  • the CA is described as an example of the CA of Bank A).
  • the method of sending a certificate authorization request (or authentication request) transmits the public key and user identity information to the CA of the issuer.
  • the certificate authorization request sent by the user to the issuer's CA may include the user's identity information and the user's public key to request the issuer's CA to sign the user's user identity information and public key and issue a digital certificate to user.
  • the issuer's CA can verify the user's identity based on the user identity information included in the certificate authorization request (that is, verify whether the user is its own customer), that is, the issuer's CA can perform the user identity information included in the certificate authorization request sent by the user Confirm to confirm that the certificate authorization request is indeed sent by its own client. After the issuer's CA determines that the user sending the certificate authorization request is its own user (that is, the user of the issuer's CA, that is, the user of the first participant's CA), it can issue a digital certificate to the user.
  • the issuer's CA confirms that the above user is its own user, it obtains the user's public key from the certificate authorization request, and obtains any other N number from the blockchain network according to the preset ring signing certificate issuance rules The CA public key of the participant.
  • the ring signature certificate issuance rules of each participant can be formulated by the CAs of each participant, and each CA of the participant can be based on its own needs , Arbitrarily choose one or more (for convenience of description can be assumed to be N) third-party public key, combined with its own public key and private key to complete the ring signature.
  • N third-party public keys arbitrarily selected may be CAs of any N participants in the alliance chain network except the participant The CA public key recorded in the alliance chain network.
  • the number of public keys used by the participant's CA to issue digital certificates to its users can be set by the participant's CA.
  • the CAs of the various parties in the alliance chain network can jointly formulate the ring signature certificate issuance rules and write them into the alliance chain network, including but not limited to the number of public keys and specifications required for ring signatures. Network range settings, no restrictions here.
  • the ring signature certificate issuance rules formulated by each participant can be written into the alliance chain network, including but not limited to the number of public keys and specifications required for ring signature (that is, the X509 format).
  • the specifications of the digital certificate such as the digital certificate format (X509) and / or the preset field in X509 used to record the public key information of the ring signature, can be set in advance within the scope of the alliance chain network.
  • the CA of each participant in the alliance chain network uses ring signatures to sign the number of public keys required for its users to issue digital certificates, and the specification of X509 format digital certificates (or It is called the ring signature certificate issuance specification), etc., which can be set in the range of the alliance chain network in advance, which can help the verifier to verify and verify the transactions in the alliance chain network based on the above specifications and other information.
  • the preset fields used to record the public key information of the ring signature in the above X509 include but are not limited to the issuer label field and / or the extension field in the digital certificate format, which can be determined according to the actual application scenario, without limitation .
  • the above X509 includes an extension field (Extension), which can be used to record all public keys corresponding to the ring signature of the digital certificate (such as the CA public keys of N parties corresponding to the ring signature), and / or Public key information such as the identification of all public keys corresponding to the ring signature (such as the CA public keys of the N participants corresponding to the ring signature).
  • the verifier determines all public keys corresponding to the ring signature based on all the public keys recorded in the extension field included in the above X509, and / or the identification of all public keys searches the corresponding public key from the alliance chain network to correspond based on the ring signature All of the public keys of the verify the signature of the transaction.
  • the consortium chain network may also divide the CA public keys of the participants in the consortium chain network into different public key groups, and a group identifier may be formulated for each public key group.
  • the group identifier of each group can help the verifier to find the public key group corresponding to the ring signature (for convenience of description, the target group can be used as an example for illustration), and then the public key in the public key group corresponding to the ring signature can be determined The public key corresponding to the ring signature, so that the information of the CA to which each public key belongs can be obtained.
  • the verifier determines the public key information of the ring signature based on the extension field of X509 above, where the public key information of the ring signature includes the group identification, and then can be recorded from the alliance chain network based on the group identifier included in the digital certificate.
  • the target group is determined from each public key group, so that all public keys included in the target group can be determined as all public keys corresponding to the ring signature, and the transaction signature can be verified based on all the public keys corresponding to the ring signature.
  • the issuer's CA performs ring signature on the user's user identity information and public key and forms a digital certificate based on its public key, private key, and any other N participants' CA public keys, and sends the digital certificate to the user.
  • N is equal to the number of public keys set in the ring signing certificate issuance rule preset in the above step S23.
  • the issuer when the CA of any participant in the alliance chain network (ie, issuer, such as Bank A) is ready to issue digital certificates to its own customers (ie, users, such as Enterprise 1), the issuer The CA will use its own public key and private key (such as the public key and private key of the bank A's CA), as well as the CA public keys of any other multiple parties in the alliance chain network (such as the CA public keys of other banks, assuming It is N public keys. It can be understood that the CA public keys of the above multiple parties are recorded in the alliance chain network.) Sign the identity information and public key of enterprise 1 and form a digital certificate. Set the field to carry the public key information of the ring signature of the digital certificate.
  • the CA of Bank A receives a certificate authorization request from its customer (assuming that the customer is m), which includes some user identity information and the public key that the user needs to be verified.
  • Bank A ’s CA verifies the identity of the user corresponding to the user identity information carried in the certificate authorization request and confirms that m is indeed its own customer
  • Bank A ’s CA can use the CA public keys of N ring members in the consortium chain and Bank A
  • the CA's own public key and private key are used as input to generate a signature R for the client m's public key and identity information application.
  • the CA of Bank A can issue the digital certificate signed by the above R to the customer (the certificate contains the basic information of the customer and the public key of the customer), and the customer can use the digital certificate issued by the CA of Bank A to sign the transaction.
  • the CA of the issuer in the alliance chain network issues digital certificates to its customers in the traditional X509 format, and the issued digital certificates conform to the ITU-TX.509 international standard.
  • the issue of digital certificates here uses X509, but the label of the issuer (Issuer) in X509 is no longer the name of an organization, but the blockchain network corresponding to the CA of the certificate issuer (such as the alliance Chain network).
  • the label of the certificate issuer CA in X509 is a field in X509, and the identifier of the blockchain network corresponding to the certificate issuer's CA is recorded in this field.
  • this field can be assumed as The issuer labels the field.
  • the issuer label field in X509 can be any field in X509 used to record the identity of the blockchain network corresponding to the CA of the certificate issuer, which can be determined according to the actual application scenario, without limitation .
  • the public key indication information corresponding to the CA of the certificate issuer is recorded in the label of the certificate issuer (Issuer) in X509.
  • the public key indication information includes but is not limited to: all public key information corresponding to the ring signature of the digital certificate, and identifiers of all public keys corresponding to the ring signature of the digital certificate.
  • the public key indication information corresponding to the CA of the certificate issuer may be recorded in the labeling field of the issuer of X509, and the public key indication information includes but is not limited to: all public key information corresponding to the ring signature of the digital certificate, The identifiers of all public keys corresponding to the ring signature of the digital certificate are not limited here.
  • the public key information corresponding to the CA of the certificate issuer may be recorded in the Extension field of X509.
  • the above public key information includes but is not limited to: all public keys corresponding to the ring signature of the digital certificate, and identifiers of all public keys corresponding to the ring signature of the digital certificate.
  • the public key group identifier corresponding to the ring signature of the digital certificate can be recorded in the extension field of X509.
  • the public key group identifier is used to indicate the group of the public key corresponding to the ring signature of the digital certificate to help the digital
  • the verifier of the certificate finds the public key corresponding to the ring signature based on the group to which the public key belongs.
  • the X509 extension field does not need more records, which can be based on The actual application scenario is determined, and is not limited here.
  • the verifier obtains any signed transaction in the blockchain network
  • the verifier obtains the digital certificate of the initiator of the above transaction, and obtains the ring signature public key from the digital certificate based on the preset ring signature certificate signing rules Information, and determine all public keys corresponding to the ring signature based on the above public key information, and verify the signature of the transaction based on all public keys corresponding to the ring signature.
  • the verifier can be any organization here, and is not limited herein.
  • the following uses any participant in the alliance chain network as an example for description, without specific restrictions.
  • the above ring signing certificate issuance rules are recorded in the blockchain network.
  • the ring signing certificate issuance rules include the number of ring signature public keys and ring signing certificate issuance specifications.
  • the ring signing certificate issuance specifications include digital certificate format X509 for recording rings
  • the public key information included in the above digital certificate includes the identification of the blockchain network included in the preset field of the digital certificate format X509, the CA public keys of all parties corresponding to the ring signature of the digital certificate, and / or the digital certificate Identification of the CA public keys of all parties corresponding to the ring signature.
  • the above-mentioned preset fields include an issuer label field and / or an extension field.
  • the above public key information may include the group identifier included in the digital certificate, the group The identifier is used to determine the target group included in the blockchain network to determine the CA public keys of all parties corresponding to the ring signature of the digital certificate based on the public key included in the target group. For details, refer to the operation mode of the verifier corresponding to the signature of the digital certificate in step S24 above, which is not limited herein.
  • the digital certificate of the initiator of the signature transaction may be obtained.
  • the format of the data certificate is X509, and the verifier can find all the public keys corresponding to the ring signature of the initiator's digital certificate from the alliance chain network through the identifier written in X509.
  • all identifiers corresponding to the ring signature of the digital certificate can be found from the consortium chain network through the identifier written in X509 when the initiator of the transaction issued the digital certificate Public key.
  • the verifier can also find the public key information written in the label of the issuer (Issuer) of X509 (such as the public key information included in the label field of the issuer in X509) through the digital certificate of the transaction initiator.
  • the key information includes but is not limited to all public keys corresponding to the ring signature of the digital certificate, and / or identifiers of all public keys corresponding to the ring signature of the digital certificate.
  • the verifier can also find the public key information written in the extension field of X509 through the digital certificate of the transaction initiator.
  • the public key information includes but is not limited to all public keys corresponding to the ring signature of the digital certificate, and / or The identifier of all public keys corresponding to the ring signature of the digital certificate.
  • the verifier can also find the public key group identifier written in the extension field of x509 through the digital certificate of the transaction initiator, and find it from each public key group included in the alliance chain network based on the public key group identifier The group to which the public key corresponding to the ring signature of the digital certificate belongs, and then all the public keys corresponding to the ring signature of the digital certificate can be determined based on the found group to which the public key belongs.
  • the method by which the verifier finds the public key corresponding to the ring signature can be determined according to the information in X509, and no limitation is made here. After the verifier finds all the public keys corresponding to the ring signature of the digital certificate of the transaction initiator, it can verify the signature of the transaction based on all the public keys found.
  • the specific verification process is not limited here.
  • the public key information of the ring signature of the digital certificate is specifically carried and / or indicated by what kind of information in the digital certificate, which is not limited herein.
  • the public key information of the ring signature of the digital certificate is specifically carried and / or indicated by any field in the digital certificate format (X509), and is not limited herein.
  • the operation mode of the verifier corresponding to the signature of the digital certificate in step S24 above which is not limited herein.
  • the ring signature of the digital certificate is realized based on the method provided in the embodiment of the present application, and the unconditional anonymity of the issuer of the digital certificate can be achieved.
  • the issuer is completely anonymous.
  • the ring signature of the digital certificate includes but is not limited to the following security attributes:
  • Ring signatures have good characteristics. Unconditional anonymity of signers can be achieved, signers can freely specify their own anonymity range, and the main function of group signatures can be achieved without the need for trusted third parties or group administrators.
  • the ring signature certificate issuance rules established by the CA of the digital certificate issuer to issue digital certificates to the users of the CA of the issuer can ensure that any other than the CA of the digital issuer can participate The party cannot determine which party's CA issued the digital certificate.
  • the CA of any participant in the alliance chain network except the CA of the issuer of the digital certificate cannot determine which recipient of the digital certificate is a customer of the CA of the participant in the alliance chain, so that the alliance can be realized
  • the CAs of each participant in the chain sign the privacy of digital certificates for their users, so that the CAs of each participant can send digital certificates anonymously to their users, ensuring the privacy of the identity of the CA of the issuer of the digital certificate and enhancing each of the alliance chain network
  • the information security of the transaction between the CA of the participant and its users can meet the more business needs of each participant in the alliance chain network, and the applicability is stronger.
  • the digital certificate issuance device is suitable for the issuer of the digital certificate, and may be any participant in the alliance chain network that needs to issue a digital certificate for its own users, and no limitation is made here.
  • the digital certificate issuing device may include:
  • the recording unit 31 is used to record the CA public key of the first party into the blockchain network, the first party is the issuer of the digital certificate in the blockchain network, and the blockchain network also records The CA public key of at least one second party is obtained, and the second party is a party other than the first party in the blockchain network.
  • the confirmation unit 32 is configured to confirm whether the user is a user of the CA of the first participant according to the user identity information carried in the certificate authorization request when receiving a certificate authorization request from any user.
  • the obtaining unit 33 is configured to obtain the public key of the user from the certificate authorization request when the confirmation unit 32 confirms that the user is a user of the CA of the first participant, and according to a preset ring signing certificate issuance rule Obtain any other N public CA public keys of the above-mentioned second parties from the above-mentioned blockchain network, where N is equal to the number of public keys set in the above-mentioned ring signing certificate issuance rules.
  • the signing unit 34 is configured to perform ring signature on the user identity information and public key of the user and form a digital certificate based on the public key and private key of the CA of the first participant and the CA public keys of the N second participants And send the digital certificate to the user.
  • the above-mentioned ring signature certificate issuance rules are formulated by the above-mentioned first party's CA, or jointly formulated by the above-mentioned blockchain network's CA of each participant; the above-mentioned ring signature certificate issuance rules are recorded In the above-mentioned blockchain network.
  • the above-mentioned ring signature certificate issuance rules also include specifications composed of X509 digital certificates; the above-mentioned X509 includes preset fields for recording public key information of the ring signature;
  • the above issuance unit 34 is used to:
  • the public key and private key of the first party CA and the N public keys of the second party CA are used to perform ring signature on the user identity information and public key of the user and form a digital certificate.
  • the preset field of the digital certificate carries the public key information of the ring signature of the digital certificate.
  • the X509 includes an issuer label field, and the issuer label field includes a blockchain network identifier corresponding to the CA of the first party and / or a ring signature public key of the digital certificate information;
  • the public key information includes the CA public keys of the N second parties corresponding to the ring signature of the digital certificate, and / or the identifiers of the CA public keys of the N second parties corresponding to the ring signature .
  • the preset field includes the extension field in the X509
  • the public key information of the ring signature carried in the extension field includes the N of the second parties corresponding to the ring signature of the digital certificate
  • the CA public keys of each participant recorded in the above-mentioned blockchain network are divided into multiple groups, and one group corresponds to one group identifier;
  • the preset field includes the extension field in the X509, and the public key information of the ring signature carried in the extension field includes a group identifier, and the group identifier is used to indicate the N number of the second parties corresponding to the ring signature
  • the grouping of the CA public key of the CA helps the verifier of the digital certificate to find the CA public keys of the N second parties based on the grouping of the CA public keys of the N second parties.
  • a digital certificate issuing apparatus that is a digital certificate issuer may execute the implementation provided by the steps in the foregoing embodiments through its built-in functional units.
  • the recording unit 31 is used to implement the implementation provided by step S21 in the foregoing embodiment.
  • the confirmation unit 32 is used to execute the implementation provided in step S22 in the above embodiment.
  • the obtaining unit 33 is used to execute the implementation provided in step S23 in the above embodiment.
  • the above-mentioned issuance unit 34 is used to execute the implementation provided in step S24 in the above embodiment. For details, refer to the operation performed by the digital certificate issuance device in step S24, and no limitation is made here.
  • the CA of the issuer of the digital certificate may formulate the rules for issuing the ring signature certificate, including the number of public keys required for the ring signature and the specifications for issuing the ring signature certificate.
  • the ring signature certificate issuance rules established by the CA of the digital certificate issuer to issue digital certificates to users of the CA of the issuer can ensure that the CA of any participant other than the CA of the digital certificate cannot judge the digital certificate Is issued by the CA of which party.
  • the CA of any participant in the alliance chain network except the CA of the issuer of the digital certificate cannot determine which recipient of the digital certificate is a customer of the CA of the participant in the alliance chain, so that the alliance can be realized
  • the CA of each participant in the chain issues the privacy of the digital certificate for its users, so that the CA of each participant can send the digital certificate anonymously to its users, to ensure the identity privacy of the CA of the issuer of the digital certificate, and enhance each of the alliance chain network
  • the information security of the transaction between the CA of the participant and its users can meet the more business needs of each participant in the alliance chain network, and the applicability is stronger.
  • the verification device of the digital certificate is suitable for the verifier of the digital certificate, and is not limited here.
  • the digital certificate issuing device may include:
  • the obtaining unit 41 is used to obtain the digital certificate of the initiator of the above-mentioned signed transaction when obtaining any signed transaction in the blockchain network.
  • the initiator of the above-mentioned signed transaction may be one of the participants in the above-mentioned blockchain network In the above-mentioned blockchain network, the public key of the certification authority CA of each participant including the initiator of the above transaction is recorded.
  • the determining unit 42 is configured to acquire the public key information of the ring signature of the digital certificate from the digital certificate based on the preset ring signing certificate issuance rule, and determine all the public keys corresponding to the ring signature of the digital certificate according to the public key information All public keys corresponding to the ring signature are the CA public keys of multiple participants in the blockchain network, and the number of public keys corresponding to the ring signature is equal to the number of public keys set in the rules for issuing the ring signature certificate.
  • the verification unit 43 is configured to verify the signature of the signature transaction based on all public keys corresponding to the ring signature determined by the determination unit 42.
  • the above-mentioned ring signature certificate issuance rules are recorded in the above-mentioned blockchain network, and the above-mentioned ring signature certificate issuance rules also include specifications composed of X509 digital certificates; The preset field of the signed public key information;
  • the above public key information includes the identification of the blockchain network included in the above preset fields, and / or the CA public keys of all parties corresponding to the ring signature of the digital certificate, and / or the CA public keys of all the above parties Logo
  • the above-mentioned preset fields include an issuer label field and / or an extension field.
  • the above-mentioned ring signature certificate issuance rules are recorded in the above-mentioned blockchain network, and the above-mentioned ring signature certificate issuance rules also include specifications composed of X509 digital certificates; The preset field of the signed public key information;
  • the CA public keys of the above parties recorded in the blockchain network are divided into multiple groups, and each group corresponds to a group identifier;
  • the public key information includes the group identifier included in the preset field, and the group identifier is used to determine the target group included in the blockchain network to determine the number based on the CA public key included in the target group
  • the CA public keys of all parties corresponding to the ring signature of the certificate are used to determine the group identifier included in the preset field.
  • the above digital certificate issuing device as a verifier can execute the implementation manners performed by the verifier in the foregoing embodiments through various built-in functional units, including but not limited to the verification manner in the implementation manner provided in step S25
  • the operations performed reference may be made to the implementation manners provided in the foregoing steps, and details are not described herein again.
  • the verifier can determine the number of public keys required for the ring signature and the ring signing certificate issuance specifications according to the ring signature certificate issuance rules formulated by each participant in the alliance chain network, and can be based on the
  • the CA public key of each participant determines all public keys corresponding to the ring signature of the digital certificate. All public keys corresponding to ring signatures are used to verify the transaction initiated by the digital certificate holder. The operation is simple. The verification of the transaction also enhances the privacy of the CA identity of the issuer of the digital certificate, which can meet more participation. The business needs of the party are more applicable.
  • FIG. 5 is a schematic structural diagram of a terminal provided by an embodiment of the present application.
  • the terminal is suitable for the issuer of digital certificates.
  • the issuer can be any participant in the alliance chain network that needs to issue digital certificates for its users.
  • the specific can be determined according to the actual application scenario, and no restrictions are made here.
  • the terminal in this embodiment may include: one or more processors 501, a memory 502, and one or more transceivers 503.
  • the processor 501, the memory 502, and the transceiver 503 are connected through a bus 504.
  • the memory 502 is used to store a computer program, and the computer program includes program instructions.
  • the processor 501 and the transceiver 503 are used to execute the program instructions stored in the memory 502.
  • the processor 501 and the transceiver 503 are configured to call the program instructions to perform the following operations:
  • the transceiver 503 is used to send and record the CA public key of the first party to the blockchain network.
  • the first party is the issuer of the digital certificate in the blockchain network.
  • the CA public key of at least one second participant is recorded, and the second participant is a participant other than the second participant in the blockchain network.
  • the processor 501 is configured to confirm whether the user is the user of the CA of the first participant according to the user identity information carried in the certificate authorization request when the transceiver 503 receives the certificate authorization request of any user; The user is the user of the CA of the first party, and then obtains the public key of the user from the certificate authorization request, and obtains any N number from the blockchain network according to the preset ring signing certificate issuance rules For the CA public key of the above-mentioned second party, where N is equal to the number of public keys set in the above-mentioned ring signing certificate issuance rules.
  • the processor 501 is further configured to perform ring signature on the user identity information and public key of the user based on the public key and private key of the CA of the first party and the CA public keys of the N second parties and form a number certificate.
  • the transceiver 503 is also used to send the digital certificate to the user.
  • the above-mentioned ring signature certificate issuance rules are formulated by the above-mentioned first party's CA, or jointly formulated by the above-mentioned blockchain network's CA of each participant; the above-mentioned ring signature certificate issuance rules are recorded In the above-mentioned blockchain network.
  • the above-mentioned ring signature certificate issuance rules also include specifications composed of X509 digital certificates; the above-mentioned X509 includes preset fields for recording public key information of the ring signature;
  • the above processor 501 is used for:
  • the public key and private key of the first party CA and the N public keys of the second party CA are used to perform ring signature on the user identity information and public key of the user and form a digital certificate.
  • the preset field of the digital certificate carries the public key information of the ring signature of the digital certificate.
  • the X509 includes an issuer label field, and the issuer label field includes a blockchain network identifier corresponding to the CA of the first party and / or a ring signature public key of the digital certificate information;
  • the public key information includes the CA public keys of the N second parties corresponding to the ring signature of the digital certificate, and / or the identifiers of the CA public keys of the N second parties corresponding to the ring signature .
  • the preset field includes the extension field in the X509
  • the public key information of the ring signature carried in the extension field includes the N of the second parties corresponding to the ring signature of the digital certificate
  • the CA public keys of each participant recorded in the above-mentioned blockchain network are divided into multiple groups, and one group corresponds to one group identifier;
  • the preset field includes the extension field in the X509, and the public key information of the ring signature carried in the extension field includes a group identifier, and the group identifier is used to indicate the N number of the second parties corresponding to the ring signature
  • the grouping of the CA public key of the CA helps the verifier of the digital certificate to find the CA public keys of the N second parties based on the grouping of the CA public keys of the N second parties.
  • the processor 501 may be a central processing unit (CPU), and the processor may also be other general-purpose processors, digital signal processors (DSPs), and dedicated integrations. Circuit (application specific integrated circuit, ASIC), ready-made programmable gate array (field-programmable gate array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • the general-purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
  • the memory 502 may include a read-only memory and a random access memory, and provide instructions and data to the processor 501 and the transceiver 503. A portion of the memory 502 may also include non-volatile random access memory. For example, the memory 502 may also store device type information.
  • the above-mentioned terminal may perform the operations performed by the CA of the issuer in the implementation provided by the steps in the above-mentioned embodiments through the various functional modules of its built-in processor 501 and transceiver 503, specifically Please refer to the implementation provided by the above steps, which will not be repeated here.
  • a terminal that is a digital certificate issuer CA can formulate a ring signature certificate issuance rule, including the number of public keys required for ring signature and ring signature certificate issuance specifications, etc.
  • the ring signature certificate issuance rules established by the CA of the digital certificate issuer to issue digital certificates to users of the CA of the issuer can ensure that the CA of any participant other than the CA of the digital certificate cannot judge the digital certificate Is issued by the CA of which party.
  • the CA of any participant in the alliance chain network except the CA of the issuer of the digital certificate cannot determine which recipient of the digital certificate is a customer of the CA of the participant in the alliance chain, so that the alliance can be realized
  • the CA of each participant in the chain issues the privacy of the digital certificate for its users, so that the CA of each participant can send the digital certificate anonymously to its users, to ensure the identity privacy of the CA of the issuer of the digital certificate, and enhance each of the alliance chain network
  • the information security of the transaction between the CA of the participant and its users can meet the more business needs of each participant in the alliance chain network, and the applicability is stronger.
  • FIG. 6 is another schematic structural diagram of a terminal provided by an embodiment of the present application.
  • the terminal is suitable for the verifier of digital certificates.
  • the terminal in this embodiment may include: one or more processors 601 and a memory 602.
  • the processor 601 and the memory 602 are connected through a bus 603.
  • the memory 602 is used to store a computer program, and the computer program includes program instructions, and the processor 601 is used to execute the program instructions stored in the memory 602.
  • the above processor 601 is configured to call the program instruction to perform the following operations:
  • the verifier When the verifier obtains any signature transaction in the blockchain network, it obtains the digital certificate of the initiator of the signature transaction.
  • the initiator of the signature transaction may be one of the participants in the blockchain network.
  • the public key of the certification authority CA of each participant including the initiator of the above transaction is recorded in the chain network;
  • All public keys are the CA public keys of multiple participants in the blockchain network, and the number of participants in the multiple participants is equal to the number of public keys set in the rules for issuing ring signature certificates;
  • the signature of the above signature transaction is verified according to all public keys corresponding to the above ring signature.
  • the above-mentioned ring signature certificate issuance rules are recorded in the above-mentioned blockchain network, and the above-mentioned ring signature certificate issuance rules also include specifications composed of X509 digital certificates; The preset field of the signed public key information;
  • the above public key information includes the identification of the blockchain network included in the above preset fields, and / or the CA public keys of all parties corresponding to the ring signature of the digital certificate, and / or the CA public keys of all the above parties Logo
  • the above-mentioned preset fields include an issuer label field and / or an extension field.
  • the above-mentioned ring signature certificate issuance rules are recorded in the above-mentioned blockchain network, and the above-mentioned ring signature certificate issuance rules also include specifications composed of X509 digital certificates; The preset field of the signed public key information;
  • the CA public keys of the above parties recorded in the blockchain network are divided into multiple groups, and each group corresponds to a group identifier;
  • the public key information includes the group identifier included in the preset field, and the group identifier is used to determine the target group included in the blockchain network to determine the number based on the CA public key included in the target group
  • the CA public keys of all parties corresponding to the ring signature of the certificate are used to determine the group identifier included in the preset field.
  • the above-mentioned terminal may perform the operations performed by the verifier in the implementation manners provided by the various steps in the foregoing embodiments through various functional devices such as its built-in processor 601. The implementation provided will not be repeated here.
  • the number of public keys required for the ring signature and the issuance specifications of the ring signature certificate can be determined according to the ring signature certificate issuance rules established by the CAs of the participants in the alliance chain network
  • All public keys corresponding to the ring signature of the digital certificate can be determined based on the CA public keys of each participant recorded in the alliance chain network.
  • All public keys corresponding to ring signatures implement transaction verification initiated by digital certificate holders. The operation is simple. Completing transaction verification also enhances the identity privacy of the CA of the issuer of the digital certificate, which can satisfy more participants. Business requirements are more applicable.
  • Embodiments of the present application also provide a computer-readable storage medium that stores a computer program, and the computer program includes program instructions, which are executed by a processor to implement the method provided in each step in FIG. 2
  • the computer program includes program instructions, which are executed by a processor to implement the method provided in each step in FIG. 2
  • the implementation provided by the above steps please refer to the implementation provided by the above steps, which will not be repeated here.
  • the above-mentioned computer-readable storage medium may be the digital certificate issuing apparatus provided in any of the foregoing embodiments or the internal storage unit of the above-mentioned terminal, such as a hard disk or a memory of an electronic device.
  • the computer-readable storage medium may also be an external storage device of the electronic device, such as a plug-in hard disk equipped on the electronic device, a smart memory card (smart media card, SMC), a secure digital (SD) card Flash card (flash card), etc.
  • the computer-readable storage medium may also include both an internal storage unit of the electronic device and an external storage device.
  • the computer-readable storage medium is used to store the computer program and other programs and data required by the electronic device.
  • the computer-readable storage medium can also be used to temporarily store data that has been or will be output.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

Disclosed are a processing method for a digital certificate, and an apparatus. The method comprising: a CA of a first participant of a blockchain network recording a public key of the CA of the first participant in the blockchain network; when the CA of the first participant receives a certificate authorization request of any user, confirming, according to user identity information carried in the certificate authorization request, whether the user is a user of the CA of the first participant; if so, acquiring a public key of the user from the certificate authorization request, and acquiring, according to a ring signature certificate issuing rule, public keys of CAs of any N second participants from the blockchain network, wherein N is equal to the set number of public keys in the ring signature certificate issuing rule; and the CA of the first participant performing, according to the public key and a private key of the CA of the first participant and public keys of CAs of the N second participants, ring signature on the user identity information and the public key of the user and generating a digital certificate, and sending same to the user. Using the embodiments of the present application can improve the identity privacy of an issuer of a digital certificate.

Description

数字证书的处理方法及相关装置Digital certificate processing method and related device
本申请要求于2018年10月9日提交中国专利局、申请号为201811175201.X、申请名称为“数字证书的处理方法及相关装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application requires the priority of the Chinese patent application filed on October 9, 2018 with the Chinese Patent Office, application number 201811175201.X, and the application name as "Digital Certificate Processing Method and Related Devices", the entire contents of which are incorporated by reference in In this application.
技术领域Technical field
本申请涉及区块链技术领域,尤其涉及一种数字证书的处理方法及相关装置。This application relates to the field of blockchain technology, in particular to a digital certificate processing method and related devices.
背景技术Background technique
目前很多联盟链应用都开始引入数字证书颁发机构(Certificate Authority,CA)为区块链上的参与方颁发数字证书。由于很多参与方(例如大多数银行)都有自己的CA,因此都会要求可以通过自己的CA为自己的客户来颁发数字证书。例如,银行A有自己的CA(例如CA-A),银行B有自己的CA(比如CA-B),银行C有自己的CA(比如CA-C)等等,各个银行均可通过自己的CA为自己的客户颁发数字证书。在联盟链网络中,银行A、银行B以及银行C等任一参与方均会认同其他参与方的CA给其客户颁发的数字证书。然而,由于所有联盟链上的参与方也都可以通过一个客户的数字证书来判断该客户的哪个参与方的客户,比如银行B可以通过一个企业的数字证书的签发方来判断这个企业是哪个银行的客户。比如说,该企业的数字证书是由银行A颁发,银行B则可确定该企业是银行A的客户等等。目前联盟链上的这种数字证书的颁发方式导致联盟链交易的交易信息对于联盟链上的各个参与方是完全公开的,交易双方的身份暴露无遗,难以满足各个参与方的交易需求,适用性差。At present, many alliance chain applications have begun to introduce digital certificate authorities (Certificate Authorities, CA) to issue digital certificates for participants on the blockchain. Since many participants (such as most banks) have their own CA, they will require that they can issue digital certificates for their customers through their own CA. For example, Bank A has its own CA (such as CA-A), Bank B has its own CA (such as CA-B), Bank C has its own CA (such as CA-C), etc. Each bank can use its own CA issues digital certificates for its customers. In the alliance chain network, any participant such as Bank A, Bank B, and Bank C will recognize the digital certificate issued by the CA of other participants to its customers. However, since all the participants on the alliance chain can also use a customer's digital certificate to determine which customer's client of the customer, for example, Bank B can determine the bank of the enterprise through the issuer of an enterprise's digital certificate. customer of. For example, the digital certificate of the enterprise is issued by Bank A, and Bank B can determine that the enterprise is a customer of Bank A and so on. At present, this method of issuing digital certificates on the alliance chain leads to the fact that the transaction information of the alliance chain transaction is completely open to all parties on the alliance chain. The identity of the two parties of the transaction is exposed, it is difficult to meet the transaction needs of each party, and the applicability is poor. .
发明内容Summary of the invention
本申请实施例提供一种数字证书的处理方法及相关装置,可实现数字证书的匿名签发,增强数字证书的签发方的身份私密性,适用性强。The embodiments of the present application provide a digital certificate processing method and related device, which can realize the anonymous issuance of the digital certificate, enhance the identity privacy of the issuer of the digital certificate, and have strong applicability.
第一方面,本申请实施例提供了一种数字证书的签发方法,上述方法适用于数字证书的签发方,上述方法包括:In a first aspect, an embodiment of the present application provides a digital certificate issuance method. The above method is applicable to a digital certificate issuer. The above method includes:
区块链网络中的第一参与方的证书颁发机构CA将上述第一参与方的CA公钥记录至区块链网络中,上述第一参与方为上述区块链网络中数字证书的签发方,上述区块链网络中还记录了至少一个第二参与方的CA公钥,上述第二参与方为上述区块链网络中除上述第二参与方之外的参与方;The certificate authority CA of the first party in the blockchain network records the CA public key of the first party in the blockchain network, and the first party is the issuer of the digital certificate in the blockchain network At least one CA public key of the second party is also recorded in the above-mentioned blockchain network, and the above-mentioned second party is a party other than the above-mentioned second party in the above-mentioned blockchain network;
当上述第一参与方的CA接收到任一用户的证书授权请求时,根据上述证书授权请求中携带的用户身份信息确认上述用户是否为上述第一参与方的CA的用户;When the CA of the first participant receives a certificate authorization request from any user, it determines whether the user is a user of the CA of the first participant according to the user identity information carried in the certificate authorization request;
若上述签发方的CA确认上述用户是上述第一参与方的CA的用户,则从上述证书授权请求中获取上述用户的公钥,并根据预先设定的环签名证书签发规则,从上述区块链网络中获取任意N个上述第二参与方的CA公钥,其中,N等于上述环签名证书签发规则中设定的公钥数量;If the issuer's CA confirms that the user is a user of the first participant's CA, it obtains the user's public key from the certificate authorization request, and according to the preset ring signature certificate issuance rules, from the block Obtain any N public CA keys of the above-mentioned second parties from the chain network, where N is equal to the number of public keys set in the above ring signing certificate issuance rules;
上述签发方的CA根据上述第一参与方的CA的公钥、私钥和上述N个上述第二参与方的CA公钥对上述用户的用户身份信息和公钥进行环签名并形成数字证书,并向上述用户发送上述数字证书。The CA of the issuer performs a ring signature on the user identity information and public key of the user and forms a digital certificate based on the public key and private key of the CA of the first participant and the CA public keys of the N second participants And send the above digital certificate to the above users.
第二方面,本申请实施例提供了一种数字证书的验证方法,上述方法适用于数字证书的验证方,上述方法包括:In a second aspect, an embodiment of the present application provides a digital certificate verification method. The above method is applicable to a digital certificate verification party. The above method includes:
当验证方获得区块链网络中的任一签名交易时,上述验证方获取上述签名交易的发起方的数字证书;上述签名交易的发起方可为上述区块链网络中的参与方之一,上述区块链网络中记录了包括上述交易的发起方在内的各个参与方的证书颁发机构CA公钥;When the verifier obtains any signature transaction in the blockchain network, the verifier obtains the digital certificate of the initiator of the signature transaction; the initiator of the signature transaction may be one of the participants in the blockchain network, The above-mentioned blockchain network records the CA public key of the certification authority of each participant, including the initiator of the above transaction;
上述验证方基于预设的环签名证书签发规则从上述数字证书中获取上述数字证书的环签名的公钥信息,并根据上述公钥信息确定上述数字证书的环签名对应的所有公钥,上述环签名对应的所有公钥为上述区块链网络中的多个参与方的CA公钥,且上述环签名对应的公钥数量等于上述环签名证书签发规则中设定的公钥数量;The verifier obtains the public key information of the ring signature of the digital certificate from the digital certificate based on the preset ring signing certificate issuance rule, and determines all the public keys corresponding to the ring signature of the digital certificate according to the public key information. All the public keys corresponding to the signatures are the CA public keys of multiple participants in the blockchain network, and the number of public keys corresponding to the ring signature is equal to the number of public keys set in the rules for issuing the ring signature certificate;
上述验证方根据上述环签名对应的所有公钥对上述签名交易的签名进行验证。The verifier verifies the signature of the signed transaction based on all public keys corresponding to the ring signature.
第三方面,本申请实施例提供了一种数字证书的签发装置,上述装置适用于数字证书的签发方的证书颁发机构CA,上述装置包括:In a third aspect, an embodiment of the present application provides a digital certificate issuance device. The above device is suitable for a certificate issuing authority CA of a digital certificate issuer. The above device includes:
记录单元,用于将上述第一参与方的CA公钥记录至区块链网络中,上述第一参与方为上述区块链网络中数字证书的签发方,上述区块链网络中还记录了至少一个第二参与方的CA公钥,上述第二参与方为上述区块链网络中除上述第一参与方之外的参与方;The recording unit is used to record the CA public key of the first party into the blockchain network, the first party is the issuer of the digital certificate in the blockchain network, and the blockchain network also records At least one CA public key of a second participant, the second participant is a participant other than the first participant in the blockchain network;
确认单元,用于在接收到任一用户的证书授权请求时,根据上述证书授权请求中携带的用户身份信息确认上述用户是否为上述第一参与方的CA的用户;The confirmation unit is configured to confirm whether the user is a user of the CA of the first participant according to the user identity information carried in the certificate authorization request when receiving a certificate authorization request from any user;
获取单元,用于在上述确认单元确认上述用户是上述第一参与方的CA的用户时,从上述证书授权请求中获取上述用户的公钥,并根据预先设定的环签名证书签发规则,从上述区块链网络中获取任意N个上述第二参与方的CA公钥,其中,N等于上述环签名证书签发规则中设定的公钥数量;The obtaining unit is configured to obtain the public key of the user from the certificate authorization request when the confirmation unit confirms that the user is the user of the CA of the first participant, and according to the preset ring signing certificate issuance rules, from Obtain any N public CA keys of the above-mentioned second parties from the above-mentioned blockchain network, where N is equal to the number of public keys set in the above-mentioned ring signature certificate issuance rules;
签发单元,用于根据上述第一参与方的CA的公钥、私钥和上述N个上述第二参与方的CA公钥对上述用户的用户身份信息和公钥进行环签名并形成数字证书,并向上述用户发送上述数字证书。An issuance unit for performing ring signature on the user identity information and public key of the user and forming a digital certificate based on the public key and private key of the CA of the first party and the CA public keys of the N second parties And send the above digital certificate to the above users.
第四方面,本申请实施例提供了一种数字证书的验证装置,上述装置适用于数字证书的验证方,上述装置包括:According to a fourth aspect, an embodiment of the present application provides a digital certificate verification device. The above device is suitable for a digital certificate verification party. The above device includes:
获取单元,用于在获得区块链网络中的任一签名交易时,获取上述签名交易的发起方的数字证书;上述签名交易的发起方可以为上述区块链网络中的参与方之一,上述区块链网络中记录了包括上述交易的发起方在内的各个参与方的证书颁发机构CA公钥;The obtaining unit is used to obtain the digital certificate of the initiator of the above-mentioned signature transaction when obtaining any signature transaction in the blockchain network; the initiator of the above-mentioned signature transaction may be one of the participants in the above-mentioned blockchain network, The above-mentioned blockchain network records the CA public key of the certification authority of each participant, including the initiator of the above transaction;
确定单元,用于基于预设的环签名证书签发规则从上述数字证书中获取上述数字证书的环签名的公钥信息,并根据上述公钥信息确定上述数字证书的环签名对应的所有公钥,上述环签名对应的所有公钥为上述区块链网络中的多个参与方的CA公钥,且上述环签名对应的公钥数量等于上述环签名证书签发规则中设定的公钥数量;A determining unit, configured to acquire the public key information of the ring signature of the digital certificate from the digital certificate based on preset ring signature certificate issuance rules, and determine all public keys corresponding to the ring signature of the digital certificate based on the public key information, All public keys corresponding to the ring signature are the CA public keys of multiple participants in the blockchain network, and the number of public keys corresponding to the ring signature is equal to the number of public keys set in the rules for issuing the ring signature certificate;
验证单元,用于根据上述确定单元确定的上述环签名对应的所有公钥对上述签名交易的签名进行验证。The verification unit is configured to verify the signature of the signature transaction based on all public keys corresponding to the ring signature determined by the determination unit.
第五方面,本申请实施例提供了一种终端,该终端包括处理器、存储器和/或收发器,上述处理器、存储器和/或收发器相互连接,其中,上述存储器用于存储计算机程序,上述计算机程序包括程序指令,上述处理器和/或上述收发器被配置用于调用上述程序指令,执行上述第一方面以及第一方面任一种可能的实现方式提供的方法,或者上述第二方面以及第二方面任一种可能的实现方式提供的方法。According to a fifth aspect, an embodiment of the present application provides a terminal, the terminal includes a processor, a memory, and / or a transceiver, and the processor, the memory, and / or the transceiver are connected to each other, wherein the memory is used to store a computer program, The computer program includes program instructions, and the processor and / or transceiver is configured to call the program instructions to perform the method provided in the first aspect and any possible implementation manner of the first aspect, or the second aspect. And the method provided in any possible implementation manner of the second aspect.
第六方面,本申请实施例提供了一种计算机可读存储介质,上述计算机可读存储介质存储有计算机程序,上述计算机程序包括程序指令,上述程序指令当被处理器执行时使上述处理器执行上述第一方面以及第一方面任一种可能的实现方式提供的方法,或者上述第二方面以及第二方面任一种可能的实现方式提供的方法。According to a sixth aspect, an embodiment of the present application provides a computer-readable storage medium, where the computer-readable storage medium stores a computer program, and the computer program includes program instructions, which when executed by a processor causes the processor to execute The method provided by the foregoing first aspect and any possible implementation manner of the first aspect, or the foregoing second aspect and any possible implementation manner of the second aspect.
基于本申请实施例,可实现作为数字证书的签发机构的任一参与方的无条件匿名,实现数字证书签发机构向其用户匿名签发数字证书,可避免数字证书的签发机构的身份泄露,避免区块链网络中的其他参与方获知数字证书的签发机构的信息,从而可增强数字证书的签发机构的身份私密性,保障数字证书的签发机构的交易信息的私密性,适用性强。Based on the embodiments of the present application, unconditional anonymity of any participant as a digital certificate issuer can be realized, and the digital certificate issuer can anonymously issue digital certificates to its users, which can avoid the identity leakage of the digital certificate issuer and avoid blocks The other participants in the chain network are informed of the issuer of the digital certificate, which can enhance the identity privacy of the issuer of the digital certificate, ensure the privacy of the transaction information of the issuer of the digital certificate, and have strong applicability.
附图说明BRIEF DESCRIPTION
为了更清楚地说明本申请实施例技术方案,下面将对实施例描述中所需要使用的附图作简单地介绍。In order to more clearly explain the technical solutions of the embodiments of the present application, the drawings required in the description of the embodiments will be briefly introduced below.
图1是本申请实施例提供的数字证书签发通用流程的示意图;FIG. 1 is a schematic diagram of a general process of digital certificate issuance provided by an embodiment of the present application;
图2是本申请实施例提供的数字证书的处理方法的流程示意图;2 is a schematic flowchart of a method for processing a digital certificate provided by an embodiment of the present application;
图3是本申请实施例提供的数字证书的签发装置的结构示意图;3 is a schematic structural diagram of a digital certificate issuance device provided by an embodiment of the present application;
图4是本申请实施例提供的数字证书的验证装置的结构示意图;4 is a schematic structural diagram of a digital certificate verification device provided by an embodiment of the present application;
图5是本申请实施例提供的终端的一结构示意图;5 is a schematic structural diagram of a terminal provided by an embodiment of the present application;
图6是本申请实施例提供的终端的另一结构示意图。6 is another schematic structural diagram of a terminal provided by an embodiment of the present application.
具体实施方式detailed description
下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚、完整地描述。The technical solutions in the embodiments of the present application will be described clearly and completely with reference to the drawings in the embodiments of the present application.
本申请实施例提供的数字证书的处理方法(包括数字证书的签发方法和数字证书的验证方法,为方便描述,以下简称本申请实施例提供的方法)及相关装置可适用于是银行、保险、证券、商业协会、集团企业及上下游企业等机构的业务交易和/或企业信息处理等应用场景中,具体可根据实际应用场景确定,在此不做限制。可选的,上述银行、保险、证券、商业协会、集团企业及上下游企业等机构可作为同一个联盟链网络中的多个参与方。可选的,上述银行、保险、证券、商业协会、集团企业及上下游企业等机构也可以有各自的联盟链网络,在上述银行、保险、证券、商业协会、集团企业及上下游企业等机构各自的联盟链网络中,各个机构的客户和/或员工可以是联盟链网络中的参与方,具体可根据实际应用场景确定,在此不做限制。为方便描述,下面将以上述银行、保险、证券、商业协会、集团企业及上下游企业等机构可作为同一个联盟链网络中的多个参与方为例进行说明。为方便理解,下面将对本申请实施例提供的方法所涉及的联盟链以及数字证书进行简要说 明。The processing method of the digital certificate provided in the embodiment of the present application (including the method of issuing the digital certificate and the verification method of the digital certificate, for convenience of description, hereinafter referred to as the method provided in the embodiment of the present application) and related devices can be applied to banks, insurance, securities , Business associations, group companies, upstream and downstream enterprises and other business transactions and / or enterprise information processing and other application scenarios, specific can be determined according to the actual application scenarios, no restrictions are made here. Optionally, the above-mentioned institutions such as banks, insurance, securities, business associations, group enterprises, and upstream and downstream enterprises can serve as multiple participants in the same alliance chain network. Optionally, the above banks, insurance, securities, business associations, group companies, and upstream and downstream enterprises can also have their own alliance chain network. In the above banks, insurance, securities, business associations, group enterprises, and upstream and downstream enterprises, etc. In their respective alliance chain networks, customers and / or employees of various institutions may be participants in the alliance chain network, which can be determined according to actual application scenarios, and no limitation is made here. For the convenience of description, the following will take the above banks, insurance, securities, business associations, group companies and upstream and downstream enterprises and other institutions as examples of multiple participants in the same alliance chain network. In order to facilitate understanding, the alliance chain and digital certificate involved in the method provided in the embodiments of the present application will be briefly described below.
一、联盟链1. Alliance Chain
区块链诞生于移动互联网时代,上述银行、保险、证券、商业协会、集团企业及上下游企业等机构普遍己经是IT化和互联网化的组织和/或机构,区块链对于进一步提升这些机构圈子的产业链条中的公证、结算清算业务和价值交换等业务的处理效率很有帮助。然而,传统区块链(比如公有链)的处理性能、隐私保护、合规性等都不能满足这些机构的业务需求,采用公有链来处理公证、结算清算业务或者价值交换等业务,会颠覆这些机构的现有商业模式和固有利益,风险较大。因此,基于上述各个机构的业务需求,具备更好的隐私保护的区块链体系——联盟链,应运而生。联盟链,只针对特定某个群体的成员和有限的第三方,内部指定多个预选的节点为记账人,每个区块的生成由所有的预选节点共同决定,其他接入节点可以参与交易,但不过问记账过程,其他第三方可以通过该联盟链开放的应用程序编程接口(Application Programming Interface,API)进行限定查询。有了准入机制,可以使得联盟链网络中各个参与方之间的交易性能得到提高,私密性更强。Blockchain was born in the era of mobile Internet. The above-mentioned banks, insurance, securities, business associations, group companies and upstream and downstream enterprises are generally IT-based and Internet-based organizations and / or institutions. The processing efficiency of notarization, settlement and clearing business and value exchange in the industrial chain of the institutional circle is very helpful. However, the processing performance, privacy protection, and compliance of traditional blockchains (such as public chains) cannot meet the business needs of these institutions. The use of public chains to handle notarization, settlement and settlement services, or value exchange services will subvert these. The organization's existing business model and inherent benefits are at greater risk. Therefore, based on the business needs of the above institutions, a blockchain system with better privacy protection, the alliance chain, came into being. The alliance chain only targets members of a certain group and limited third parties, and internally designates multiple pre-selected nodes as bookkeepers. The generation of each block is determined jointly by all pre-selected nodes, and other access nodes can participate in transactions , But just ask about the billing process, other third parties can make limited queries through the application programming interface (API) opened by the alliance chain. With the access mechanism, the transaction performance between the various parties in the alliance chain network can be improved, and the privacy is stronger.
二、数字证书2. Digital Certificate
数字证书是互联网通讯中用于标识各个通讯方身份信息的一串数字,数字证书的出现为互联网通讯提供了一种在互联网上验证各个通讯方的通信实体身份的方式。数字证书不是数字身份证,而是各个通信实体的身份认证机构盖在各个通信实体的数字身份证上的一个章或印(或者说加在各个通信实体的数字身份证上的一个签名)。数字证书是由权威机构——CA发行的,可以在互联网上用数字证书来识别各个通信实体的身份。数字证书是一个经CA数字签名的文件,其中包含公开密钥(简称公钥)的持有者信息以及公开密钥的文件。最简单的数字证书中可以包含一个公钥、公钥的持有者名称以及证书授权中心的数字签名,且数字证书只在特定的时间段内有效。Digital certificate is a string of numbers used to identify the identity information of each communication party in Internet communication. The emergence of digital certificate provides a way for Internet communication to verify the identity of each communication party's communication entity on the Internet. A digital certificate is not a digital ID card, but a stamp or seal (or a signature added to each communication entity's digital ID card) affixed to each communication entity's digital ID card by the identity authentication agencies of each communication entity. The digital certificate is issued by an authority, CA, and can be used on the Internet to identify the identity of each communication entity. A digital certificate is a file digitally signed by a CA, which contains the holder information of the public key (public key for short) and the file of the public key. The simplest digital certificate can contain a public key, the name of the holder of the public key and the digital signature of the certificate authority, and the digital certificate is only valid for a specific period of time.
数字证书是一种权威性的电子文档,可以由权威公正的第三方机构,即CA(例如中国各地方的CA公司)签发的证书,也可以由企业级的CA(比如银行A的CA-A)进行签发。数字证书可用于:发送安全电子邮件、访问安全站点、网上证券交易、网上招标采购、网上办公、网上保险、网上税务、网上签约和网上银行等安全电子事务处理和安全电子交易签名。数字证书里存有很多数字和英文,当使用数字证书进行身份认证时,它将随机生成128位的身份码,每份数字证书都能生成相应但每次都不可能相同的数码,从而保证数据传输的保密性,即相当于生成一个复杂的密码。数字证书绑定了公钥以及公钥持有者的真实身份,它类似于现实生活中的居民身份证,所不同的是数字证书不再是纸质的证照,而是一段含有数字证书的持有者身份信息并经过认证中心审核签发的电子数据,可以更加方便灵活地运用在电子商务和电子政务中。A digital certificate is an authoritative electronic document. It can be issued by an authoritative and impartial third-party organization, that is, a CA (such as a CA company in various places in China), or an enterprise-level CA (such as CA-A of Bank A ) To issue. Digital certificates can be used to: send secure e-mails, visit secure sites, online securities transactions, online bidding and procurement, online offices, online insurance, online taxation, online contracting and online banking and other secure electronic transaction processing and secure electronic transaction signatures. There are many numbers and English stored in the digital certificate. When the digital certificate is used for identity authentication, it will randomly generate a 128-bit identity code. Each digital certificate can generate a corresponding number, but it is impossible for the same number every time, thereby ensuring data The confidentiality of transmission is equivalent to generating a complex password. The digital certificate binds the public key and the true identity of the public key holder. It is similar to the resident ID card in real life. The difference is that the digital certificate is no longer a paper certificate, but a piece of digital certificate. Owner's identity information and electronic data issued by the certification center can be more easily and flexibly used in e-commerce and e-government.
参见图1,图1是本申请实施例提供的数字证书签发通用流程的示意图。本申请实施例提供的数字证书的签发过程一般包括如下步骤S11和S12:Referring to FIG. 1, FIG. 1 is a schematic diagram of a general process of digital certificate issuance provided by an embodiment of the present application. The digital certificate issuance process provided by the embodiment of the present application generally includes the following steps S11 and S12:
S11,用户向机构的CA发送证书授权请求。S11. The user sends a certificate authorization request to the organization's CA.
在一些可行的实施方式中,当用户(比如银行、保险或者企业等机构的客户)请求与机构(比如银行、保险或者企业等)进行交易时,可首先产生自己的密钥对,该密钥对中包括公钥和私钥,并通过向机构的CA发送证书授权请求的方式将公钥以及部分用户身份信 息传送给机构的CA。换句话说,用户向机构的CA发送的证书授权请求中可包括部分的用户身份信息和用户的公钥,以向机构的CA请求对用户的用户身份信息和公钥进行签名并颁发数字证书。In some feasible implementation manners, when a user (such as a customer of a bank, insurance, or enterprise) requests a transaction with an organization (such as a bank, insurance, or enterprise, etc.), it can first generate its own key pair. The pair includes the public key and the private key, and transmits the public key and some user identity information to the organization's CA by sending a certificate authorization request to the organization's CA. In other words, the certificate authorization request sent by the user to the organization's CA may include part of the user's identity information and the user's public key to request the organization's CA to sign the user's user identity information and public key and issue a digital certificate.
S12,机构的CA验证用户身份并签发数字证书。S12, the organization's CA verifies the user's identity and issues a digital certificate.
在一些可行的实施方式中,用户请求签名交易的机构,可通过机构的CA核实用户的身份。机构的CA核实用户的身份(即用户为自己的客户)时,可对用户发送的证书授权请求中包括的用户身份信息进行确定,以确认证书授权请求确实由自己的客户(即用户)发送而来。机构的CA确认证书授权请求由用户发送而来时,向用户发送一个数字证书,该数字证书内包含用户的用户身份信息和用户的公钥,同时还附有机构的CA的签名信息。用户就可以使用机构的CA签发的数字证书进行相关的交易签名。各个机构的CA给其客户颁发的数字证书由各个机构独立的证书发行机构(即CA)发布。数字证书各不相同,每种证书可提供不同级别的可信度,各个机构的各个客户用户(即用户)可以从各个机构的CA获得自己的数字证书。In some feasible implementation manners, the institution that the user requests to sign the transaction can verify the identity of the user through the institution's CA. When the organization's CA verifies the user's identity (that is, the user is its own customer), it can determine the user identity information included in the certificate authorization request sent by the user to confirm that the certificate authorization request is indeed sent by its own customer (ie, user). Come. When the organization's CA confirms that the certificate authorization request is sent by the user, it sends a digital certificate to the user. The digital certificate contains the user's user identity information and the user's public key, as well as the organization's CA's signature information. The user can use the digital certificate issued by the organization's CA to sign the relevant transaction. Digital certificates issued by CAs of various institutions to their customers are issued by independent certificate issuing institutions (ie CAs) of each institution. Digital certificates are different, each certificate can provide different levels of credibility, and each customer user (ie, user) of each institution can obtain their own digital certificate from the CA of each institution.
数字证书采用公钥体制,即利用一对互相匹配的密钥进行数字签名和验签。每个用户自己设定一把特定的且仅为本人所知的私有密钥(即私钥),基于该私钥可进行与机构交易的交易信息的数字签名。同时,用户可设定一把对应的公共密钥(即公钥)并由本人公开,为一组用户所共享,用于对交易信息进行签名验证。公钥技术解决了密钥发布的管理问题,用户可以公开其所持有的公钥,而保留其所持有的私钥。用户也可以采用自己的私钥对交易信息加以处理,由于私钥仅为本人所有,这样就产生了别人无法生成的文件,也就形成了数字签名。采用数字签名,可以保证交易信息是由发送方自己签名发送的,发送方不能否认或难以否认,同时也可保证交易信息自发送方签发后至接收方收到为止未曾作过任何修改,签发的文件是真实文件,保证了交易信息的不可篡改性。Digital certificates use a public key system, which uses a pair of matching keys for digital signature and verification. Each user sets a specific private key (that is, a private key) known only to himself, and based on the private key, digital signatures of transaction information for transactions with institutions can be performed. At the same time, the user can set a corresponding public key (that is, the public key) and disclose it by himself, shared by a group of users, and used for signature verification of transaction information. Public key technology solves the management problem of key issuance. Users can publicly hold the public key they hold while retaining the private key they hold. The user can also use his own private key to process the transaction information. Since the private key is owned only by himself, a file that cannot be generated by others is generated, and a digital signature is formed. The use of digital signatures can ensure that the transaction information is sent by the sender's own signature, and the sender cannot deny or be difficult to deny. At the same time, it can also ensure that the transaction information has not been modified since the sender signed it until the receiver received it. The document is a real document, which ensures that the transaction information cannot be tampered with.
基于上述联盟链的特性以及数字证书的特性,本申请实施例提供了一种基于分布式数字证书的数字证书的处理方法及相关装置,包括数字证书的签发方法及装置、和数字证书的验证方法及装置,可实现对联盟链网络中的任一参与方的客户签发数字证书,并可实现基于任一签名交易的发起方的数字证书确定数字证书的环签名对应的所有公钥以基于数字证书的环签名对应的所有公钥对该交易的签名进行验证。联盟链中的各个参与方的CA可基于本申请实施例提供的数字证书签发方法为与自己的客户签发数字证书,实现作为签名者(即数字证书的签发方)的任一参与方的CA的无条件匿名,从而可避免数字证书的签发方的CA的身份泄露,避免联盟链网络中的其他参与方获知数字证书的签发方的CA的客户信息,从而可保障数字证书的签发方的交易信息的私密性,保证签发方的客户信息的安全性,适用性更强,具体可参见如下各个实施例所提供的实现方式。具体的,本申请实施例提供的方法可通过联盟链网络记录联盟链网络中所有可以被认可参与方(或非参与方)的CA的公钥(例如银行A的CA-A,银行B的CA-B,……)。当任一机构的CA要为自己的一个客户(或以用户进行说明)颁发数字证书时,该机构的CA会用环签名来对该客户签发数字证书(传统方式是CA用自己的私钥对其颁发给其客户的数字证书进行签名),这样使得第三方无法判断这个数字证书究竟是哪一个机构的CA签发。也就是说其他第三方无法判断该客户是联盟链网络中哪一个被认可参与方的CA的客户,从而可实现各个被认可参与方的CA的 数字证书匿名发送,从而保护了联盟链网络中各个被认可参与方的CA为其客户颁发数字证书的私密性,可提高数字证书签发方的CA的身份私密性,从而可增强数据证书的签发方式的适用性。Based on the characteristics of the aforementioned alliance chain and the characteristics of digital certificates, embodiments of the present application provide a digital certificate processing method and related device based on distributed digital certificates, including a digital certificate issuance method and device, and a digital certificate verification method And device, which can issue digital certificates to customers of any participant in the alliance chain network, and can determine all public keys corresponding to the ring signature of the digital certificate based on the digital certificate of the initiator of any signed transaction to be based on the digital certificate All public keys corresponding to the ring signature verify the transaction signature. The CAs of each participant in the alliance chain can issue digital certificates with their own customers based on the digital certificate issuance method provided in this embodiment of the present application, to realize the CA of any participant as the signer (that is, the issuer of the digital certificate) Unconditional anonymity, which can avoid the leakage of the identity of the CA of the digital certificate issuer and prevent other participants in the alliance chain network from learning the customer information of the CA of the digital certificate issuer, thereby ensuring the transaction information of the digital certificate issuer. The privacy guarantees the security of the issuer's customer information and is more applicable. For details, please refer to the implementation methods provided in the following embodiments. Specifically, the method provided in the embodiment of the present application can record the public keys of all CAs in the alliance chain network that can be recognized as participants (or non-participants) through the alliance chain network (for example, the CA-A of Bank A and the CA of Bank B -B, ...). When any organization's CA wants to issue a digital certificate for one of its customers (or user instructions), the organization's CA will issue a digital certificate to the customer with a ring signature (traditionally, the CA uses its own private key pair The digital certificate issued to its customers to sign), so that the third party can not judge which organization's CA issued the digital certificate. In other words, other third parties cannot judge which customer of the CA of the authorized participant in the alliance chain network, so that the digital certificate of each authorized participant's CA can be sent anonymously, thereby protecting each of the alliance chain network. The CA of the recognized participant issues the privacy of the digital certificate for its customers, which can improve the identity privacy of the CA of the issuer of the digital certificate, thereby enhancing the applicability of the issuing method of the data certificate.
参见图2,是本申请实施例提供的数字证书的处理方法的流程示意图。参见图2,联盟链网络中包括的任一参与方的CA采用环签名为自己的客户签发数字证书签名以及任一验证方对任一签名交易进行验签的实现方式可参见如下步骤S21至S24所提供的实现方式。为方便描述,下面将以任一参与方的CA为自己的客户(或称用户)签发数字证书的实现方式为例进行说明,其中该任一参与方可以签发方(即第一参与方)为例进行说明。换句话说,这里的签发方指代联盟链网络中任一需要为自己的用户签发数字证书的参与方,对应的,对数字证书进行验证的任一机构可以验证方为例进行说明,具体可根据实际应用场景确定,在此不做限制。2 is a schematic flowchart of a digital certificate processing method provided in an embodiment of the present application. Referring to FIG. 2, the CA of any participant included in the alliance chain network uses ring signatures to issue digital certificate signatures to its customers and any verification party to verify any signature transaction for implementation. Please refer to the following steps S21 to S24 The implementation provided. For the convenience of description, the following will take the implementation of the CA of any participant to issue digital certificates for its customers (or users) as an example, where any of the participants can be the issuer (that is, the first participant) is Examples. In other words, the issuer here refers to any participant in the alliance chain network that needs to issue a digital certificate for its own users. Correspondingly, any organization that verifies the digital certificate can use the verification party as an example to explain. It is determined according to the actual application scenario, and is not limited here.
S21,签发方的CA将自己的公钥记录至区块链网络中。S21, the issuer's CA records its public key into the blockchain network.
在一些可行的实施方式中,联盟链网络(即区块链网络)中的任一被认可参与方(为方便描述下面简称参与方)的CA(或简称参与方CA)产生一个公钥和一个私钥,并可通过智能加密合约(Smart Crypto Contract,SCC)将自己(即参与方CA)的信息和公钥记录到联盟链网络中。比如说,对于被认可的多个银行,每个银行的CA可产生一个公钥和一个私钥,并且每个银行的CA产生的公钥可由每个银行的CA自己公开,并由联盟链网络记录每个银行的CA的公钥(即每个银行的CA的公钥),每个银行的CA的私钥由每个银行的CA自己所知。换句话说,假设签发方为联盟链网络中的参与方之一(假设为第一参与方),联盟链网络中记录了签发方(为方便描述,区块链网络中的数字证书的签发方可以第一参与方为例进行说明)的CA的公钥(或简称CA公钥)之外,还记录了签发方之外的其他各个参与方(为方便描述,区块链网络中除了数字证书的签发方之外的其他任意参与方可以第二参与方为例进行说明)的CA公钥。In some feasible implementation manners, the CA (or the participant CA for short) of any recognized participant (referred to as the participant hereinafter for convenience) in the alliance chain network (that is, the blockchain network) generates a public key and a The private key, and can record its own information (that is, the participant CA) and the public key to the alliance chain network through Smart Crypto Contract (SCC). For example, for multiple banks that are recognized, each bank ’s CA can generate a public key and a private key, and the public key generated by each bank ’s CA can be disclosed by each bank ’s CA itself and is fed by the consortium chain network. Record the public key of each bank's CA (that is, the public key of each bank's CA). The private key of each bank's CA is known by each bank's CA. In other words, assuming that the issuer is one of the participants in the alliance chain network (assuming it is the first participant), the issuer is recorded in the alliance chain network (for ease of description, the issuer of the digital certificate in the blockchain network The first participant can be used as an example to illustrate the public key of the CA (or CA public key for short), and also records other parties other than the issuer (for convenience of description, in addition to digital certificates in the blockchain network Any participant other than the issuer can use the second participant as an example to illustrate the CA public key.
可以理解,这里各个参与方的CA公钥都记录在联盟链网络中,因此联盟链中的任一参与方均可知道联盟链网络中其他各个参与方的CA公钥。在任一参与方(比如第一参与方,即签发方)的CA需要为自己的客户(签发方的CA的客户,同时也为签发方的客户,为方便描述,下面以签发方的CA的客户为例进行说明)的数字证书进行签名时,可以采用环签名的方式,从联盟链网络中获取其他一个或者多个参与方的CA公钥,结合自己的公钥和私钥(即签发方的CA的公钥和私钥)为自己的客户签发数字证书,具体可参见如下步骤说明。It can be understood that the CA public keys of each participant here are recorded in the alliance chain network, so any participant in the alliance chain can know the CA public keys of other participants in the alliance chain network. The CA in any participant (such as the first participant, that is, the issuer) needs to be its own customer (the customer of the issuer's CA, and also the customer of the issuer. For the convenience of description, the following is the customer of the issuer's CA For example, when signing a digital certificate, you can use the ring signature method to obtain the CA public key of one or more participants from the alliance chain network, and combine your own public key and private key (that is, the issuer's CA's public key and private key) issue digital certificates for their customers. For details, please refer to the following steps.
S22,当签发方的CA接收到任一用户的证书授权请求时,根据证书授权请求中携带的用户身份信息确认用户是否为自己的用户。S22. When the CA of the issuer receives a certificate authorization request from any user, it determines whether the user is his own according to the user identity information carried in the certificate authorization request.
在一些可行的实施方式中,当任一用户(比如银行A的任一客户)请求与机构(比如银行A)进行交易时,可通过向银行A的CA(为方便描述,将以签发方的CA作为银行A的CA的示例进行说明)发送证书授权请求(或称认证请求)的方式将公钥以及用户身份信息传送给签发方的CA。换句话说,用户向签发方的CA发送的证书授权请求中可包括用户身份信息和用户的公钥,以向签发方的CA请求对用户的用户身份信息和公钥进行签名并颁发数字证书给用户。签发方的CA可根据证书授权请求中包括的用户身份信息核实用户的身份(即核实用户是否为自己的客户),即签发方的CA可对用户发送的证书授权请求中包括的 用户身份信息进行确定,以确认证书授权请求确实由自己的客户发送而来。签发方的CA确定发送证书授权请求的用户为自己的用户(即签发方的CA的用户,也就是第一参与方的CA的用户)之后,则可向用户签发数字证书。In some feasible implementation manners, when any user (such as any customer of Bank A) requests a transaction with an institution (such as Bank A), the bank ’s CA (for convenience of description, the issuer ’s The CA is described as an example of the CA of Bank A). The method of sending a certificate authorization request (or authentication request) transmits the public key and user identity information to the CA of the issuer. In other words, the certificate authorization request sent by the user to the issuer's CA may include the user's identity information and the user's public key to request the issuer's CA to sign the user's user identity information and public key and issue a digital certificate to user. The issuer's CA can verify the user's identity based on the user identity information included in the certificate authorization request (that is, verify whether the user is its own customer), that is, the issuer's CA can perform the user identity information included in the certificate authorization request sent by the user Confirm to confirm that the certificate authorization request is indeed sent by its own client. After the issuer's CA determines that the user sending the certificate authorization request is its own user (that is, the user of the issuer's CA, that is, the user of the first participant's CA), it can issue a digital certificate to the user.
S23,若签发方的CA确认上述用户是自己的用户,则从证书授权请求中获取用户的公钥,并根据预先设定的环签名证书签发规则,从区块链网络中获取其他任意N个参与方的CA公钥。S23, if the issuer's CA confirms that the above user is its own user, it obtains the user's public key from the certificate authorization request, and obtains any other N number from the blockchain network according to the preset ring signing certificate issuance rules The CA public key of the participant.
在一些可行的实施方式中,各个参与方的环签名证书签发规则(即采用环签名的方式签发数字证书的规则)可由各个参与方的CA自行制定,每个参与方的CA均可以根据自身需求,任意选择一个或者多个(为方便描述可假设为N个)第三方公钥,结合自身的公钥和私钥来完成环签名。这里,对应任一联盟链网络中的任一参与方的CA来说,其所任意选择的N个第三方公钥可以是联盟链网络中除了该参与方之外的任意N个参与方的CA记录在联盟链网络中的CA公钥。换句话说,任一参与方自行制定的环签名证书签发规则中,该参与方的CA给其用户签发数字证书所使用的公钥数量可由该参与方的CA自行设定。可选的,联盟链网络中的各个参与方的CA可以共同制定的环签名证书签发规则并写入联盟链网络中,包括但不限于环签名所需公钥数量以及规范,可以提前在联盟链网络范围设置,在此不做限制。In some feasible implementation manners, the ring signature certificate issuance rules of each participant (that is, the rules for issuing digital certificates by means of ring signature) can be formulated by the CAs of each participant, and each CA of the participant can be based on its own needs , Arbitrarily choose one or more (for convenience of description can be assumed to be N) third-party public key, combined with its own public key and private key to complete the ring signature. Here, for any CA of any participant in any alliance chain network, the N third-party public keys arbitrarily selected may be CAs of any N participants in the alliance chain network except the participant The CA public key recorded in the alliance chain network. In other words, in the rules for issuing ring signature certificates issued by any participant, the number of public keys used by the participant's CA to issue digital certificates to its users can be set by the participant's CA. Optionally, the CAs of the various parties in the alliance chain network can jointly formulate the ring signature certificate issuance rules and write them into the alliance chain network, including but not limited to the number of public keys and specifications required for ring signatures. Network range settings, no restrictions here.
可选的,在一些可行的实施方式中,各个参与方自行制定的环签名证书签发规则可写入联盟链网络中,包括但不限于环签名所需公钥数量以及规范(即由X509格式的数字证书构成的规范,比如数字证书格式(X509)和/或X509中用于记录环签名的公钥信息的预设字段),可以提前在联盟链网络范围设置。举例来说,联盟链网络中的各个参与方的CA(比如签发方的CA)采用环签名为自己的用户签发数字证书时所需的公钥数量,以及X509格式的数字证书构成的规范(或称环签名证书签发规范)等,可以提前在联盟链网络范围设置,从而可帮助验证方基于上述规范等信息对联盟链网络中的交易进行验签验证。其中,上述X509中用于记录环签名的公钥信息的预设字段包括但不限于数字证书格式中的签发方标注字段和/或扩展字段,具体可根据实际应用场景确定,在此不做限制。Optionally, in some feasible implementation manners, the ring signature certificate issuance rules formulated by each participant can be written into the alliance chain network, including but not limited to the number of public keys and specifications required for ring signature (that is, the X509 format The specifications of the digital certificate, such as the digital certificate format (X509) and / or the preset field in X509 used to record the public key information of the ring signature, can be set in advance within the scope of the alliance chain network. For example, the CA of each participant in the alliance chain network (such as the issuer's CA) uses ring signatures to sign the number of public keys required for its users to issue digital certificates, and the specification of X509 format digital certificates (or It is called the ring signature certificate issuance specification), etc., which can be set in the range of the alliance chain network in advance, which can help the verifier to verify and verify the transactions in the alliance chain network based on the above specifications and other information. Among them, the preset fields used to record the public key information of the ring signature in the above X509 include but are not limited to the issuer label field and / or the extension field in the digital certificate format, which can be determined according to the actual application scenario, without limitation .
可选的,上述X509中包括扩展字段(Extension),该扩展字段可用于记录数字证书的环签名对应的所有公钥(比如环签名对应的N个参与方的CA公钥),和/或该环签名对应的所有公钥(比如环签名对应的N个参与方的CA公钥)的标识等公钥信息。验证方基于上述X509中包括的扩展字段中所记录的所有公钥确定环签名对应的所有公钥,和/或所有公钥的标识从联盟链网络中查找对应的公钥,以基于环签名对应的所有公钥对交易的签名进行验证。Optionally, the above X509 includes an extension field (Extension), which can be used to record all public keys corresponding to the ring signature of the digital certificate (such as the CA public keys of N parties corresponding to the ring signature), and / or Public key information such as the identification of all public keys corresponding to the ring signature (such as the CA public keys of the N participants corresponding to the ring signature). The verifier determines all public keys corresponding to the ring signature based on all the public keys recorded in the extension field included in the above X509, and / or the identification of all public keys searches the corresponding public key from the alliance chain network to correspond based on the ring signature All of the public keys of the verify the signature of the transaction.
可选的,在一些可行的实施方式中,联盟链网络也可以将联盟链网络中各个参与方的CA公钥分为不同的公钥分组,并可为每个公钥分组制定分组标识符。其中,上述每个分组的分组标识符可以帮助验证方找到环签名对应的公钥分组(为方便描述可以目标分组为例进行说明),进而可将环签名对应的公钥分组中的公钥确定为环签名对应的公钥,从而可获取各个公钥所属的CA的信息。验证方基于上述X509的扩展字段中确定出环签名的公钥信息,其中该环签名的公钥信息包括分组标识,进而可基于数字证书中包括的该分组标识符从联盟链网络中记录的多个公钥分组中确定出目标分组,从而可将目标分组中包括的所有 公钥确定为环签名对应的所有公钥,以基于环签名对应的所有公钥对交易的签名进行验证。Optionally, in some feasible implementation manners, the consortium chain network may also divide the CA public keys of the participants in the consortium chain network into different public key groups, and a group identifier may be formulated for each public key group. Among them, the group identifier of each group can help the verifier to find the public key group corresponding to the ring signature (for convenience of description, the target group can be used as an example for illustration), and then the public key in the public key group corresponding to the ring signature can be determined The public key corresponding to the ring signature, so that the information of the CA to which each public key belongs can be obtained. The verifier determines the public key information of the ring signature based on the extension field of X509 above, where the public key information of the ring signature includes the group identification, and then can be recorded from the alliance chain network based on the group identifier included in the digital certificate. The target group is determined from each public key group, so that all public keys included in the target group can be determined as all public keys corresponding to the ring signature, and the transaction signature can be verified based on all the public keys corresponding to the ring signature.
S24,签发方的CA根据自己的公钥、私钥和其他任意N个参与方的CA公钥对用户的用户身份信息和公钥进行环签名并形成数字证书,并向用户发送上述数字证书。S24. The issuer's CA performs ring signature on the user's user identity information and public key and forms a digital certificate based on its public key, private key, and any other N participants' CA public keys, and sends the digital certificate to the user.
其中,N等于上述步骤S23中预先设定的环签名证书签发规则中设定的公钥数量。Wherein, N is equal to the number of public keys set in the ring signing certificate issuance rule preset in the above step S23.
在一些可行的实施方式中,当联盟链网络中的任一参与方(即签发方,比如银行A)的CA准备给自己的客户(即用户,比如企业1)签发数字证书时,该签发方的CA会用自己的公钥和私钥(比如银行A的CA的公钥和私钥),以及联盟链网络中其他任意多个参与方的CA公钥(比如其他银行的CA公钥,假设是N个公钥,可以理解,上述多个参与方的CA公钥都记录在联盟链网络中)为企业1的身份信息和公钥签名并形成数字证书,且该数字证书的X509中的预设字段中携带该数字证书的环签名的公钥信息。例如,假设银行A的CA收到其客户的证书授权请求(假设客户为m),其中包括部分用户身份信息以及用户需要被验证的公钥。银行A的CA核实证书授权请求中携带的用户身份信息对应的用户的身份且确认m确实是自己的客户之后,银行A的CA可以使用联盟链中N个环成员的CA公钥、以及银行A的CA自己的公钥和私钥作为输入,对客户m的公钥和身份信息申请产生一个签名R。银行A的CA可将通过上述R签名的数字证书颁发给该客户(该证书包含客户的基本信息和客户的公钥),客户就可以使用银行A的CA签发给自己的数字证书进行交易签名。In some feasible implementation manners, when the CA of any participant in the alliance chain network (ie, issuer, such as Bank A) is ready to issue digital certificates to its own customers (ie, users, such as Enterprise 1), the issuer The CA will use its own public key and private key (such as the public key and private key of the bank A's CA), as well as the CA public keys of any other multiple parties in the alliance chain network (such as the CA public keys of other banks, assuming It is N public keys. It can be understood that the CA public keys of the above multiple parties are recorded in the alliance chain network.) Sign the identity information and public key of enterprise 1 and form a digital certificate. Set the field to carry the public key information of the ring signature of the digital certificate. For example, suppose that the CA of Bank A receives a certificate authorization request from its customer (assuming that the customer is m), which includes some user identity information and the public key that the user needs to be verified. After Bank A ’s CA verifies the identity of the user corresponding to the user identity information carried in the certificate authorization request and confirms that m is indeed its own customer, Bank A ’s CA can use the CA public keys of N ring members in the consortium chain and Bank A The CA's own public key and private key are used as input to generate a signature R for the client m's public key and identity information application. The CA of Bank A can issue the digital certificate signed by the above R to the customer (the certificate contains the basic information of the customer and the public key of the customer), and the customer can use the digital certificate issued by the CA of Bank A to sign the transaction.
在一些可行的实施方式中,联盟链网络中的签发方的CA给自己的客户签发数字证书采用传统的X509格式,签发的数字证书符合ITU-TX.509国际标准。需要说明的是,这里签发数字证书采用X509,但是在X509中对证书签发方(Issuer)的标注不再是一个机构的名称,而是与证书签发方的CA对应的区块链网络(比如联盟链网络)的标识。这里,假设X509中对证书签发方CA的标注是X509中的某一个字段,在该字段中记录与证书签发方的CA对应的区块链网络的标识,为方便描述,可将该字段假设为签发方标注字段。换句话说,X509中的签发方标注字段可以是X509中任一用于记录与证书签发方的CA对应的区块链网络的标识的字段,具体可根据实际应用场景确定,在此不做限制。In some feasible implementation manners, the CA of the issuer in the alliance chain network issues digital certificates to its customers in the traditional X509 format, and the issued digital certificates conform to the ITU-TX.509 international standard. It should be noted that the issue of digital certificates here uses X509, but the label of the issuer (Issuer) in X509 is no longer the name of an organization, but the blockchain network corresponding to the CA of the certificate issuer (such as the alliance Chain network). Here, it is assumed that the label of the certificate issuer CA in X509 is a field in X509, and the identifier of the blockchain network corresponding to the certificate issuer's CA is recorded in this field. For convenience of description, this field can be assumed as The issuer labels the field. In other words, the issuer label field in X509 can be any field in X509 used to record the identity of the blockchain network corresponding to the CA of the certificate issuer, which can be determined according to the actual application scenario, without limitation .
可选的,在X509中对证书签发方(Issuer)的标注中记录与证书签发方的CA对应的公钥指示信息。其中,上述公钥指示信息包括但不限于:该数字证书的环签名对应的所有公钥信息,该数字证书的环签名对应的所有公钥的标识符。换句话说,可以在X509的签发方标注字段中记录与证书签发方的CA对应的公钥指示信息,该公钥指示信息包括但不限于:该数字证书的环签名对应的所有公钥信息,该数字证书的环签名对应的所有公钥的标识符,在此不做限制。Optionally, the public key indication information corresponding to the CA of the certificate issuer is recorded in the label of the certificate issuer (Issuer) in X509. Wherein, the public key indication information includes but is not limited to: all public key information corresponding to the ring signature of the digital certificate, and identifiers of all public keys corresponding to the ring signature of the digital certificate. In other words, the public key indication information corresponding to the CA of the certificate issuer may be recorded in the labeling field of the issuer of X509, and the public key indication information includes but is not limited to: all public key information corresponding to the ring signature of the digital certificate, The identifiers of all public keys corresponding to the ring signature of the digital certificate are not limited here.
可选的,可以在X509的扩展(Extension)字段中记录与证书签发方的CA对应的公钥信息。其中,上述公钥信息包括但不限于:该数字证书的环签名对应的所有公钥,该数字证书的环签名对应的所有公钥的标识符。可选的,可以在X509的扩展字段中记录数字证书的环签名对应的公钥分组标识符,该公钥分组标识符用于指示数字证书的环签名对应的公钥的所属分组,以帮助数字证书的验证方基于公钥的所属分组找到环签名对应的公钥。Optionally, the public key information corresponding to the CA of the certificate issuer may be recorded in the Extension field of X509. Wherein, the above public key information includes but is not limited to: all public keys corresponding to the ring signature of the digital certificate, and identifiers of all public keys corresponding to the ring signature of the digital certificate. Optionally, the public key group identifier corresponding to the ring signature of the digital certificate can be recorded in the extension field of X509. The public key group identifier is used to indicate the group of the public key corresponding to the ring signature of the digital certificate to help the digital The verifier of the certificate finds the public key corresponding to the ring signature based on the group to which the public key belongs.
可选的,在一些可行的实施方式中,如果联盟链网络中有规范制定(例如统一制定,或者约定)的环签名证书签发规则,则X509的扩展字段不需要更多的记录,具体可根据实际应用场景确定,在此不做限制。Optionally, in some feasible implementation manners, if there are ring signature certificate issuance rules formulated in the alliance chain network (such as unified formulation, or agreement), the X509 extension field does not need more records, which can be based on The actual application scenario is determined, and is not limited here.
S25,当验证方获得区块链网络中的任一签名交易时,验证方获取上述交易的发起方的数字证书,基于预设的环签名证书签发规则从上述数字证书中获取环签名的公钥信息,并根据上述公钥信息确定环签名对应的所有公钥,根据环签名对应的所有公钥对上述交易的签名进行验证。S25. When the verifier obtains any signed transaction in the blockchain network, the verifier obtains the digital certificate of the initiator of the above transaction, and obtains the ring signature public key from the digital certificate based on the preset ring signature certificate signing rules Information, and determine all public keys corresponding to the ring signature based on the above public key information, and verify the signature of the transaction based on all public keys corresponding to the ring signature.
在一些可行的实施方式中,这里验证方可以是任意机构,在此不做限制。下面以联盟链网络中的任一参与方为例进行说明,具体不做限制。上述环签名证书签发规则记录于区块链网络中,环签名证书签发规则中包括环签名的公钥数量和环签名证书签发规范,环签名证书签发规范中包括数字证书格式X509中用于记录环签名的公钥信息的预设字段。上述数字证书中包括的公钥信息包括数字证书格式X509的预设字段中所包括的区块链网络的标识、数字证书的环签名对应的所有参与方的CA公钥,和/或数字证书的环签名对应的所有参与方的CA公钥的标识。其中,上述预设字段包括签发方标注字段和/或扩展字段。可选的,若联盟链网络中记录的各个参与方的CA公钥为多个分组,且一个分组对应一个分组标识符,则上述公钥信息可包括数字证书中包括的分组标识符,该分组标识符用于确定区块链网络中所包括的目标分组,以基于目标分组中包括的公钥确定数字证书的环签名对应的所有参与方的CA公钥。具体可参见上述步骤S24中数字证书的签名对应的验证方操作方式,在此不做限制。In some feasible implementation manners, the verifier can be any organization here, and is not limited herein. The following uses any participant in the alliance chain network as an example for description, without specific restrictions. The above ring signing certificate issuance rules are recorded in the blockchain network. The ring signing certificate issuance rules include the number of ring signature public keys and ring signing certificate issuance specifications. The ring signing certificate issuance specifications include digital certificate format X509 for recording rings The preset field of the signed public key information. The public key information included in the above digital certificate includes the identification of the blockchain network included in the preset field of the digital certificate format X509, the CA public keys of all parties corresponding to the ring signature of the digital certificate, and / or the digital certificate Identification of the CA public keys of all parties corresponding to the ring signature. Wherein, the above-mentioned preset fields include an issuer label field and / or an extension field. Optionally, if the CA public keys of each participant recorded in the alliance chain network are multiple groups, and one group corresponds to a group identifier, the above public key information may include the group identifier included in the digital certificate, the group The identifier is used to determine the target group included in the blockchain network to determine the CA public keys of all parties corresponding to the ring signature of the digital certificate based on the public key included in the target group. For details, refer to the operation mode of the verifier corresponding to the signature of the digital certificate in step S24 above, which is not limited herein.
在一些可行的实施方式中,当联盟链网络中收到任意一个签名交易时,联盟链网络中的验证方获得该签名交易时,可获取该签名交易的发起方的数字证书。数据证书格式为X509,验证方可以通过写在X509中的标识符从联盟链网络中找到该发起方的数字证书的环签名对应的所有公钥。换句话说,验证方对任一签名交易的签名进行验证时,可以通过该交易的发起方签发数字证书时写在X509中的标识符从联盟链网络中找到该数字证书的环签名对应的所有公钥。可选的,验证方还可通过交易发起方的数字证书找到写在X509的签发方(Issuer)的标注中的公钥信息(比如X509中签发方标注字段中包括的公钥信息),该公钥信息包括但不限于数字证书的环签名对应的所有公钥,和/或该数字证书的环签名对应的所有公钥的标识符。可选的,验证方还可通过交易发起方的数字证书找到写在X509的扩展字段中公钥信息,该公钥信息包括但不限于数字证书的环签名对应的所有公钥,和/或该数字证书的环签名对应的所有公钥的标识符。可选的,验证方还可通过交易发起方的数字证书找到写在x509的扩展字段中的公钥分组标识符,基于该公钥分组标识符从联盟链网络中包括的各个公钥分组中找到数字证书的环签名对应的公钥所属分组,进而可基于找到的公钥所属分组确定该数字证书的环签名对应的所有公钥。具体实现中,验证方基于何种方式找到环签名对应的公钥具体可根据X509中的信息确定,在此不做限制。验证方找到交易发起方的数字证书的环签名对应的所有公钥之后,则可基于找到的所有公钥对该交易的签名进行验证,具体验证过程在此不做限制。换句话说,数字证书的环签名的公钥信息具体由数字证书中的何种信息来携带和/或指示,在此不做限制。或者说,数字证书的环签名的公钥信息具体由数字证书格式(X509)中的何字段来携带和/或指示,在此不做限制。具体可参见上述步骤S24中数字证书的签名对应的验证方操作方式,在此不做限制。In some feasible implementation manners, when any signature transaction is received in the alliance chain network, when the verifier in the alliance chain network obtains the signature transaction, the digital certificate of the initiator of the signature transaction may be obtained. The format of the data certificate is X509, and the verifier can find all the public keys corresponding to the ring signature of the initiator's digital certificate from the alliance chain network through the identifier written in X509. In other words, when the verifier verifies the signature of any signed transaction, all identifiers corresponding to the ring signature of the digital certificate can be found from the consortium chain network through the identifier written in X509 when the initiator of the transaction issued the digital certificate Public key. Optionally, the verifier can also find the public key information written in the label of the issuer (Issuer) of X509 (such as the public key information included in the label field of the issuer in X509) through the digital certificate of the transaction initiator. The key information includes but is not limited to all public keys corresponding to the ring signature of the digital certificate, and / or identifiers of all public keys corresponding to the ring signature of the digital certificate. Optionally, the verifier can also find the public key information written in the extension field of X509 through the digital certificate of the transaction initiator. The public key information includes but is not limited to all public keys corresponding to the ring signature of the digital certificate, and / or The identifier of all public keys corresponding to the ring signature of the digital certificate. Optionally, the verifier can also find the public key group identifier written in the extension field of x509 through the digital certificate of the transaction initiator, and find it from each public key group included in the alliance chain network based on the public key group identifier The group to which the public key corresponding to the ring signature of the digital certificate belongs, and then all the public keys corresponding to the ring signature of the digital certificate can be determined based on the found group to which the public key belongs. In a specific implementation, the method by which the verifier finds the public key corresponding to the ring signature can be determined according to the information in X509, and no limitation is made here. After the verifier finds all the public keys corresponding to the ring signature of the digital certificate of the transaction initiator, it can verify the signature of the transaction based on all the public keys found. The specific verification process is not limited here. In other words, the public key information of the ring signature of the digital certificate is specifically carried and / or indicated by what kind of information in the digital certificate, which is not limited herein. In other words, the public key information of the ring signature of the digital certificate is specifically carried and / or indicated by any field in the digital certificate format (X509), and is not limited herein. For details, refer to the operation mode of the verifier corresponding to the signature of the digital certificate in step S24 above, which is not limited herein.
由上可知,基于本申请实施例提供的方法实现对数字证书的环签名,可实现数字证书的签发方的无条件匿名,对于验证方来说,签发方是完全正确匿名的。基于本申请实施例 提供的方法实现对数字证书的环签名包括但不限于如下安全性属性:It can be seen from the above that the ring signature of the digital certificate is realized based on the method provided in the embodiment of the present application, and the unconditional anonymity of the issuer of the digital certificate can be achieved. For the verifier, the issuer is completely anonymous. Based on the method provided by the embodiment of the present application, the ring signature of the digital certificate includes but is not limited to the following security attributes:
1)无条件匿名性。攻击者即使非法获取了所有可能签名者的私钥,能确定出真正的签名者的概率不超过1/n,这里n为环成员(即可能签名者)的个数;1) Unconditional anonymity. Even if the attacker illegally obtains the private keys of all possible signers, the probability that the true signer can be determined does not exceed 1 / n, where n is the number of ring members (that is, possible signers);
2)不可伪造性。攻击者在不知道任何环成员的私钥的情况下,即使能够从一个产生环签名的随机预言者那里得到任何用户的签名,可以成功伪造该用户的合法签名的概率几乎可以忽略;2) Unforgeability. Without knowing the private key of any ring member, even if the attacker can obtain the signature of any user from a random oracle who generates the ring signature, the probability of successfully forging the legal signature of the user can be almost ignored;
3)环签名具有良好的特性。可以实现签名者的无条件匿名,签名者可以自由指定自己的匿名范围,可以实现群签名的主要功能但无需可信第三方或群管理员等。3) Ring signatures have good characteristics. Unconditional anonymity of signers can be achieved, signers can freely specify their own anonymity range, and the main function of group signatures can be achieved without the need for trusted third parties or group administrators.
在本申请实施例中,基于数字证书的签发方的CA自行制定的环签名证书签发规则,对签发方的CA的用户签发数字证书,可保证数字证书的签发方的CA之外的其他任意参与方无法判断数字证书由哪个参与方的CA签发。也就是说联盟链网络中除了数字证书的签发方的CA之外的其他任意参与方的CA均无法判断该数字证书的接收方是联盟链中哪一个参与方的CA的客户,从而可实现联盟链中各个参与方的CA为其用户签发数字证书的私密性,实现各个参与方的CA向其用户匿名发送数字证书,保证数字证书的签发方的CA的身份私密性,增强联盟链网络中各个参与方的CA与其用户之间的交易的信息安全性,可满足联盟链网络中各个参与方的更多业务需求,适用性更强。In the embodiment of the present application, the ring signature certificate issuance rules established by the CA of the digital certificate issuer to issue digital certificates to the users of the CA of the issuer can ensure that any other than the CA of the digital issuer can participate The party cannot determine which party's CA issued the digital certificate. That is to say, the CA of any participant in the alliance chain network except the CA of the issuer of the digital certificate cannot determine which recipient of the digital certificate is a customer of the CA of the participant in the alliance chain, so that the alliance can be realized The CAs of each participant in the chain sign the privacy of digital certificates for their users, so that the CAs of each participant can send digital certificates anonymously to their users, ensuring the privacy of the identity of the CA of the issuer of the digital certificate and enhancing each of the alliance chain network The information security of the transaction between the CA of the participant and its users can meet the more business needs of each participant in the alliance chain network, and the applicability is stronger.
参见图3,是本申请实施例提供的数字证书的签发装置的结构示意图。该数字证书签发装置适用于数字证书的签发方,可以是联盟链网络中任一需要为自己的用户签发数字证书的参与方,在此不做限制。该数字证书签发装置可包括:Referring to FIG. 3, it is a schematic structural diagram of a digital certificate issuing apparatus provided by an embodiment of the present application. The digital certificate issuance device is suitable for the issuer of the digital certificate, and may be any participant in the alliance chain network that needs to issue a digital certificate for its own users, and no limitation is made here. The digital certificate issuing device may include:
记录单元31,用于将上述第一参与方的CA公钥记录至区块链网络中,上述第一参与方为上述区块链网络中数字证书的签发方,上述区块链网络中还记录了至少一个第二参与方的CA公钥,上述第二参与方为上述区块链网络中除上述第一参与方之外的参与方。The recording unit 31 is used to record the CA public key of the first party into the blockchain network, the first party is the issuer of the digital certificate in the blockchain network, and the blockchain network also records The CA public key of at least one second party is obtained, and the second party is a party other than the first party in the blockchain network.
确认单元32,用于在接收到任一用户的证书授权请求时,根据上述证书授权请求中携带的用户身份信息确认上述用户是否为上述第一参与方的CA的用户。The confirmation unit 32 is configured to confirm whether the user is a user of the CA of the first participant according to the user identity information carried in the certificate authorization request when receiving a certificate authorization request from any user.
获取单元33,用于在上述确认单元32确认上述用户是上述第一参与方的CA的用户时,从上述证书授权请求中获取上述用户的公钥,并根据预先设定的环签名证书签发规则,从上述区块链网络中获取其他任意N个上述第二参与方的CA公钥,其中,N等于上述环签名证书签发规则中设定的公钥数量。The obtaining unit 33 is configured to obtain the public key of the user from the certificate authorization request when the confirmation unit 32 confirms that the user is a user of the CA of the first participant, and according to a preset ring signing certificate issuance rule Obtain any other N public CA public keys of the above-mentioned second parties from the above-mentioned blockchain network, where N is equal to the number of public keys set in the above-mentioned ring signing certificate issuance rules.
签发单元34,用于根据上述第一参与方的CA的公钥、私钥和上述N个上述第二参与方的CA公钥对上述用户的用户身份信息和公钥进行环签名并形成数字证书,并向上述用户发送上述数字证书。The signing unit 34 is configured to perform ring signature on the user identity information and public key of the user and form a digital certificate based on the public key and private key of the CA of the first participant and the CA public keys of the N second participants And send the digital certificate to the user.
在一些可行的实施方式中,上述环签名证书签发规则由上述第一参与方的CA自行制定,或者由上述区块链网络中的各个参与方的CA共同制定;上述环签名证书签发规则被记录于上述区块链网络中。In some feasible implementation manners, the above-mentioned ring signature certificate issuance rules are formulated by the above-mentioned first party's CA, or jointly formulated by the above-mentioned blockchain network's CA of each participant; the above-mentioned ring signature certificate issuance rules are recorded In the above-mentioned blockchain network.
在一些可行的实施方式中,上述环签名证书签发规则中还包括由X509的数字证书构成的规范;上述X509中包括用于记录环签名的公钥信息的预设字段;In some feasible implementation manners, the above-mentioned ring signature certificate issuance rules also include specifications composed of X509 digital certificates; the above-mentioned X509 includes preset fields for recording public key information of the ring signature;
上述签发单元34用于:The above issuance unit 34 is used to:
基于上述规范,使用上述第一参与方的CA的公钥、私钥和上述N个上述第二参与方的 CA公钥对上述用户的用户身份信息和公钥进行环签名并形成数字证书,上述数字证书的上述预设字段中携带上述数字证书的环签名的公钥信息。Based on the above specifications, the public key and private key of the first party CA and the N public keys of the second party CA are used to perform ring signature on the user identity information and public key of the user and form a digital certificate. The preset field of the digital certificate carries the public key information of the ring signature of the digital certificate.
在一些可行的实施方式中,上述X509中包括签发方标注字段,上述签发方标注字段中包括上述第一参与方的CA对应的区块链网络标识和/或上述数字证书的环签名的公钥信息;In some feasible implementation manners, the X509 includes an issuer label field, and the issuer label field includes a blockchain network identifier corresponding to the CA of the first party and / or a ring signature public key of the digital certificate information;
其中,上述公钥信息包括上述数字证书的环签名对应的上述N个上述第二参与方的CA公钥,和/或上述环签名对应的上述N个上述第二参与方的CA公钥的标识。Wherein, the public key information includes the CA public keys of the N second parties corresponding to the ring signature of the digital certificate, and / or the identifiers of the CA public keys of the N second parties corresponding to the ring signature .
在一些可行的实施方式中,上述预设字段包括上述X509中的扩展字段,上述扩展字段中携带的上述环签名的公钥信息包括上述数字证书的环签名对应的上述N个上述第二参与方的CA公钥,和/或上述环签名对应的上述N个上述第二参与方的CA公钥的标识。In some feasible implementation manners, the preset field includes the extension field in the X509, and the public key information of the ring signature carried in the extension field includes the N of the second parties corresponding to the ring signature of the digital certificate The public key of the CA, and / or the identifiers of the CA public keys of the above N second parties corresponding to the ring signature.
在一些可行的实施方式中,上述区块链网络中记录的各个参与方的CA公钥分为多个分组,且一个分组对应一个分组标识符;In some feasible implementation manners, the CA public keys of each participant recorded in the above-mentioned blockchain network are divided into multiple groups, and one group corresponds to one group identifier;
上述预设字段包括上述X509中的扩展字段,上述扩展字段中携带的上述环签名的公钥信息包括分组标识符,上述分组标识符用于指示上述环签名对应的上述N个上述第二参与方的CA公钥的所属分组,以帮助上述数字证书的验证方基于上述N个上述第二参与方的CA公钥的所属分组找到上述N个上述第二参与方的CA公钥。The preset field includes the extension field in the X509, and the public key information of the ring signature carried in the extension field includes a group identifier, and the group identifier is used to indicate the N number of the second parties corresponding to the ring signature The grouping of the CA public key of the CA helps the verifier of the digital certificate to find the CA public keys of the N second parties based on the grouping of the CA public keys of the N second parties.
具体实现中,作为数字证书签发方的数字证书签发装置可通过其内置的各个功能单元执行上述实施例中各个步骤所提供的实现方式。可选的,上述记录单元31用于执行上述实施例中步骤S21所提供的实现方式,具体可参见上述步骤S21中数字证书签发装置所执行的操作,在此不做限制。上述确认单元32用于执行上述实施例中步骤S22所提供的实现方式,具体可参见上述步骤S22中数字证书签发装置所执行的操作,在此不做限制。上述获取单元33用于执行上述实施例中步骤S23所提供的实现方式,具体可参见上述步骤S23中数字证书签发装置所执行的操作,在此不做限制。上述签发单元34用于执行上述实施例中步骤S24所提供的实现方式,具体可参见上述步骤S24中数字证书签发装置所执行的操作,在此不做限制。In a specific implementation, a digital certificate issuing apparatus that is a digital certificate issuer may execute the implementation provided by the steps in the foregoing embodiments through its built-in functional units. Optionally, the recording unit 31 is used to implement the implementation provided by step S21 in the foregoing embodiment. For details, refer to the operation performed by the digital certificate issuing device in step S21, and no limitation is made here. The confirmation unit 32 is used to execute the implementation provided in step S22 in the above embodiment. For details, refer to the operation performed by the digital certificate issuing device in step S22, and no limitation is made here. The obtaining unit 33 is used to execute the implementation provided in step S23 in the above embodiment. For details, refer to the operation performed by the digital certificate issuing device in step S23, and no limitation is made here. The above-mentioned issuance unit 34 is used to execute the implementation provided in step S24 in the above embodiment. For details, refer to the operation performed by the digital certificate issuance device in step S24, and no limitation is made here.
在本申请实施例中,数字证书的签发方的CA可自行制定环签名证书签发规则,包括环签名所需的公钥数量以及环签名证书签发规范等。基于数字证书的签发方的CA自行制定的环签名证书签发规则,对签发方的CA的用户签发数字证书,可保证数字证书的签发方的CA之外的其他任意参与方的CA无法判断数字证书由哪个参与方的CA签发。也就是说联盟链网络中除了数字证书的签发方的CA之外的其他任意参与方的CA均无法判断该数字证书的接收方是联盟链中哪一个参与方的CA的客户,从而可实现联盟链中各个参与方的CA为其用户颁发数字证书的私密性,实现各个参与方的CA向其用户匿名发送数字证书,保证数字证书的签发方的CA的身份私密性,增强联盟链网络中各个参与方的CA与其用户之间的交易的信息安全性,可满足联盟链网络中各个参与方的更多业务需求,适用性更强。In the embodiment of the present application, the CA of the issuer of the digital certificate may formulate the rules for issuing the ring signature certificate, including the number of public keys required for the ring signature and the specifications for issuing the ring signature certificate. The ring signature certificate issuance rules established by the CA of the digital certificate issuer to issue digital certificates to users of the CA of the issuer can ensure that the CA of any participant other than the CA of the digital certificate cannot judge the digital certificate Is issued by the CA of which party. That is to say, the CA of any participant in the alliance chain network except the CA of the issuer of the digital certificate cannot determine which recipient of the digital certificate is a customer of the CA of the participant in the alliance chain, so that the alliance can be realized The CA of each participant in the chain issues the privacy of the digital certificate for its users, so that the CA of each participant can send the digital certificate anonymously to its users, to ensure the identity privacy of the CA of the issuer of the digital certificate, and enhance each of the alliance chain network The information security of the transaction between the CA of the participant and its users can meet the more business needs of each participant in the alliance chain network, and the applicability is stronger.
参见图4,是本申请实施例提供的数字证书的验证装置的结构示意图。该数字证书的验证装置适用于数字证书的验证方,在此不做限制。该数字证书签发装置可包括:4 is a schematic structural diagram of a digital certificate verification device provided by an embodiment of the present application. The verification device of the digital certificate is suitable for the verifier of the digital certificate, and is not limited here. The digital certificate issuing device may include:
获取单元41,用于在获得区块链网络中的任一签名交易时,获取上述签名交易的发起方的数字证书,上述签名交易的发起方可以为上述区块链网络中的参与方之一,上述区块链网络中记录了包括上述交易的发起方在内的各个参与方的证书颁发机构CA公钥。The obtaining unit 41 is used to obtain the digital certificate of the initiator of the above-mentioned signed transaction when obtaining any signed transaction in the blockchain network. The initiator of the above-mentioned signed transaction may be one of the participants in the above-mentioned blockchain network In the above-mentioned blockchain network, the public key of the certification authority CA of each participant including the initiator of the above transaction is recorded.
确定单元42,用于基于预设的环签名证书签发规则从上述数字证书中获取上述数字证书的环签名的公钥信息,并根据上述公钥信息确定上述数字证书的环签名对应的所有公钥,上述环签名对应的所有公钥为上述区块链网络中的多个参与方的CA公钥,且上述环签名对应的公钥数量等于上述环签名证书签发规则中设定的公钥数量。The determining unit 42 is configured to acquire the public key information of the ring signature of the digital certificate from the digital certificate based on the preset ring signing certificate issuance rule, and determine all the public keys corresponding to the ring signature of the digital certificate according to the public key information All public keys corresponding to the ring signature are the CA public keys of multiple participants in the blockchain network, and the number of public keys corresponding to the ring signature is equal to the number of public keys set in the rules for issuing the ring signature certificate.
验证单元43,用于根据上述确定单元42确定的上述环签名对应的所有公钥对上述签名交易的签名进行验证。The verification unit 43 is configured to verify the signature of the signature transaction based on all public keys corresponding to the ring signature determined by the determination unit 42.
在一些可行的实施方式中,上述环签名证书签发规则被记录于上述区块链网络中,上述环签名证书签发规则中还包括由X509的数字证书构成的规范;上述X509中包括用于记录环签名的公钥信息的预设字段;In some feasible implementation manners, the above-mentioned ring signature certificate issuance rules are recorded in the above-mentioned blockchain network, and the above-mentioned ring signature certificate issuance rules also include specifications composed of X509 digital certificates; The preset field of the signed public key information;
上述公钥信息包括上述预设字段中所包括的区块链网络的标识,和/或数字证书的环签名对应的所有参与方的CA公钥,和/或上述所有参与方的CA公钥的标识;The above public key information includes the identification of the blockchain network included in the above preset fields, and / or the CA public keys of all parties corresponding to the ring signature of the digital certificate, and / or the CA public keys of all the above parties Logo
其中,上述预设字段包括签发方标注字段和/或扩展字段。Wherein, the above-mentioned preset fields include an issuer label field and / or an extension field.
在一些可行的实施方式中,上述环签名证书签发规则被记录于上述区块链网络中,上述环签名证书签发规则中还包括由X509的数字证书构成的规范;上述X509中包括用于记录环签名的公钥信息的预设字段;In some feasible implementation manners, the above-mentioned ring signature certificate issuance rules are recorded in the above-mentioned blockchain network, and the above-mentioned ring signature certificate issuance rules also include specifications composed of X509 digital certificates; The preset field of the signed public key information;
上述区块链网络中记录的上述各个参与方的CA公钥分为多个分组,且一个分组对应一个分组标识符;The CA public keys of the above parties recorded in the blockchain network are divided into multiple groups, and each group corresponds to a group identifier;
上述公钥信息包括上述预设字段中所包括的分组标识符,上述分组标识符用于确定上述区块链网络中所包括的目标分组,以基于上述目标分组中包括的CA公钥确定上述数字证书的环签名对应的所有参与方的CA公钥。The public key information includes the group identifier included in the preset field, and the group identifier is used to determine the target group included in the blockchain network to determine the number based on the CA public key included in the target group The CA public keys of all parties corresponding to the ring signature of the certificate.
具体实现中,上述作为验证方的数字证书签发装置可通过其内置的各个功能单元执行上述各个实施例中验证方所执行的实现方式,包括但不限于上述步骤S25所提供的实现方式中验证方所执行的操作,具体可参见上述各个步骤所提供的实现方式,在此不再赘述。In a specific implementation, the above digital certificate issuing device as a verifier can execute the implementation manners performed by the verifier in the foregoing embodiments through various built-in functional units, including but not limited to the verification manner in the implementation manner provided in step S25 For the operations performed, reference may be made to the implementation manners provided in the foregoing steps, and details are not described herein again.
在本申请实施例中,验证方可根据联盟链网络中各个参与方制定的环签名证书签发规则确定环签名所需的公钥数量和环签名证书签发规范,并可基于联盟链网络中记录的各个参与方的CA公钥确定该数字证书的环签名对应的所有公钥。基于环签名对应的所有公钥实现对数字证书持有者发起的交易的验证,操作简单,完成交易的验证的同时也增强了数字证书的签发方的CA身份的私密性,可满足更多参与方的业务需求,适用性更强。In the embodiment of the present application, the verifier can determine the number of public keys required for the ring signature and the ring signing certificate issuance specifications according to the ring signature certificate issuance rules formulated by each participant in the alliance chain network, and can be based on the The CA public key of each participant determines all public keys corresponding to the ring signature of the digital certificate. All public keys corresponding to ring signatures are used to verify the transaction initiated by the digital certificate holder. The operation is simple. The verification of the transaction also enhances the privacy of the CA identity of the issuer of the digital certificate, which can meet more participation. The business needs of the party are more applicable.
参见图5,图5是本申请实施例提供的终端的一结构示意图。该终端适用于数字证书的签发方,该签发方可以是联盟链网络中的任一需要为自己的用户签发数字证书的参与方,具体可根据实际应用场景确定,在此不做限制。Referring to FIG. 5, FIG. 5 is a schematic structural diagram of a terminal provided by an embodiment of the present application. The terminal is suitable for the issuer of digital certificates. The issuer can be any participant in the alliance chain network that needs to issue digital certificates for its users. The specific can be determined according to the actual application scenario, and no restrictions are made here.
如图5所示,本实施例中的终端可以包括:一个或多个处理器501、存储器502和一个或多个收发器503。上述处理器501、存储器502和收发器503通过总线504连接。存储器502用于存储计算机程序,该计算机程序包括程序指令,处理器501和收发器503用于执行存储器502存储的程序指令。其中,上述处理器501和收发器503被配置用于调用该程序指令执行如下操作:As shown in FIG. 5, the terminal in this embodiment may include: one or more processors 501, a memory 502, and one or more transceivers 503. The processor 501, the memory 502, and the transceiver 503 are connected through a bus 504. The memory 502 is used to store a computer program, and the computer program includes program instructions. The processor 501 and the transceiver 503 are used to execute the program instructions stored in the memory 502. The processor 501 and the transceiver 503 are configured to call the program instructions to perform the following operations:
收发器503,用于将第一参与方的CA公钥发送并记录至区块链网络中,上述第一参与方为上述区块链网络中数字证书的签发方,上述区块链网络中还记录了至少一个第二参与 方的CA公钥,上述第二参与方为上述区块链网络中除上述第二参与方之外的参与方。The transceiver 503 is used to send and record the CA public key of the first party to the blockchain network. The first party is the issuer of the digital certificate in the blockchain network. The CA public key of at least one second participant is recorded, and the second participant is a participant other than the second participant in the blockchain network.
处理器501,用于当上述收发器503接收到任一用户的证书授权请求时,根据上述证书授权请求中携带的用户身份信息确认上述用户是否为上述第一参与方的CA的用户;若确认上述用户是上述第一参与方的CA的用户,则从上述证书授权请求中获取上述用户的公钥,并根据预先设定的环签名证书签发规则,从上述区块链网络中获取任意N个上述第二参与方的CA公钥,其中,N等于上述环签名证书签发规则中设定的公钥数量。The processor 501 is configured to confirm whether the user is the user of the CA of the first participant according to the user identity information carried in the certificate authorization request when the transceiver 503 receives the certificate authorization request of any user; The user is the user of the CA of the first party, and then obtains the public key of the user from the certificate authorization request, and obtains any N number from the blockchain network according to the preset ring signing certificate issuance rules For the CA public key of the above-mentioned second party, where N is equal to the number of public keys set in the above-mentioned ring signing certificate issuance rules.
处理器501,还用于根据上述第一参与方的CA的公钥、私钥和上述N个上述第二参与方的CA公钥对上述用户的用户身份信息和公钥进行环签名并形成数字证书。The processor 501 is further configured to perform ring signature on the user identity information and public key of the user based on the public key and private key of the CA of the first party and the CA public keys of the N second parties and form a number certificate.
收发器503,还用于向上述用户发送上述数字证书。The transceiver 503 is also used to send the digital certificate to the user.
在一些可行的实施方式中,上述环签名证书签发规则由上述第一参与方的CA自行制定,或者由上述区块链网络中的各个参与方的CA共同制定;上述环签名证书签发规则被记录于上述区块链网络中。In some feasible implementation manners, the above-mentioned ring signature certificate issuance rules are formulated by the above-mentioned first party's CA, or jointly formulated by the above-mentioned blockchain network's CA of each participant; the above-mentioned ring signature certificate issuance rules are recorded In the above-mentioned blockchain network.
在一些可行的实施方式中,上述环签名证书签发规则中还包括由X509的数字证书构成的规范;上述X509中包括用于记录环签名的公钥信息的预设字段;In some feasible implementation manners, the above-mentioned ring signature certificate issuance rules also include specifications composed of X509 digital certificates; the above-mentioned X509 includes preset fields for recording public key information of the ring signature;
上述处理器501用于:The above processor 501 is used for:
基于上述规范,使用上述第一参与方的CA的公钥、私钥和上述N个上述第二参与方的CA公钥对上述用户的用户身份信息和公钥进行环签名并形成数字证书,上述数字证书的上述预设字段中携带上述数字证书的环签名的公钥信息。Based on the above specifications, the public key and private key of the first party CA and the N public keys of the second party CA are used to perform ring signature on the user identity information and public key of the user and form a digital certificate. The preset field of the digital certificate carries the public key information of the ring signature of the digital certificate.
在一些可行的实施方式中,上述X509中包括签发方标注字段,上述签发方标注字段中包括上述第一参与方的CA对应的区块链网络标识和/或上述数字证书的环签名的公钥信息;In some feasible implementation manners, the X509 includes an issuer label field, and the issuer label field includes a blockchain network identifier corresponding to the CA of the first party and / or a ring signature public key of the digital certificate information;
其中,上述公钥信息包括上述数字证书的环签名对应的上述N个上述第二参与方的CA公钥,和/或上述环签名对应的上述N个上述第二参与方的CA公钥的标识。Wherein, the public key information includes the CA public keys of the N second parties corresponding to the ring signature of the digital certificate, and / or the identifiers of the CA public keys of the N second parties corresponding to the ring signature .
在一些可行的实施方式中,上述预设字段包括上述X509中的扩展字段,上述扩展字段中携带的上述环签名的公钥信息包括上述数字证书的环签名对应的上述N个上述第二参与方的CA公钥,和/或上述环签名对应的上述N个上述第二参与方的CA公钥的标识。In some feasible implementation manners, the preset field includes the extension field in the X509, and the public key information of the ring signature carried in the extension field includes the N of the second parties corresponding to the ring signature of the digital certificate The public key of the CA, and / or the identifiers of the CA public keys of the above N second parties corresponding to the ring signature.
在一些可行的实施方式中,上述区块链网络中记录的各个参与方的CA公钥分为多个分组,且一个分组对应一个分组标识符;In some feasible implementation manners, the CA public keys of each participant recorded in the above-mentioned blockchain network are divided into multiple groups, and one group corresponds to one group identifier;
上述预设字段包括上述X509中的扩展字段,上述扩展字段中携带的上述环签名的公钥信息包括分组标识符,上述分组标识符用于指示上述环签名对应的上述N个上述第二参与方的CA公钥的所属分组,以帮助上述数字证书的验证方基于上述N个第二参与方的CA公钥的所属分组找到上述N个上述第二参与方的CA公钥。The preset field includes the extension field in the X509, and the public key information of the ring signature carried in the extension field includes a group identifier, and the group identifier is used to indicate the N number of the second parties corresponding to the ring signature The grouping of the CA public key of the CA helps the verifier of the digital certificate to find the CA public keys of the N second parties based on the grouping of the CA public keys of the N second parties.
在一些可行的实施方式中,上述处理器501可以是中央处理单元(central processing unit,CPU),该处理器还可以是其他通用处理器、数字信号处理器(digital signal processor,DSP)、专用集成电路(application specific integrated circuit,ASIC)、现成可编程门阵列(field-programmable gate array,FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。In some feasible implementation manners, the processor 501 may be a central processing unit (CPU), and the processor may also be other general-purpose processors, digital signal processors (DSPs), and dedicated integrations. Circuit (application specific integrated circuit, ASIC), ready-made programmable gate array (field-programmable gate array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The general-purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
该存储器502可以包括只读存储器和随机存取存储器,并向处理器501和收发器503 提供指令和数据。存储器502的一部分还可以包括非易失性随机存取存储器。例如,存储器502还可以存储设备类型的信息。The memory 502 may include a read-only memory and a random access memory, and provide instructions and data to the processor 501 and the transceiver 503. A portion of the memory 502 may also include non-volatile random access memory. For example, the memory 502 may also store device type information.
在一些可行的实施方式中,上述终端可通过其内置的处理器501和收发器503各个功能模块执行如上述实施例中各个步骤所提供的实现方式中签发方的CA所执行的操作,具体可参见上述各个步骤所提供的实现方式,在此不再赘述。In some feasible implementation manners, the above-mentioned terminal may perform the operations performed by the CA of the issuer in the implementation provided by the steps in the above-mentioned embodiments through the various functional modules of its built-in processor 501 and transceiver 503, specifically Please refer to the implementation provided by the above steps, which will not be repeated here.
在本申请实施例中,作为数字证书签发方CA的终端可自行制定环签名证书签发规则,包括环签名所需的公钥数量以及环签名证书签发规范等。基于数字证书的签发方的CA自行制定的环签名证书签发规则,对签发方的CA的用户签发数字证书,可保证数字证书的签发方的CA之外的其他任意参与方的CA无法判断数字证书由哪个参与方的CA签发。也就是说联盟链网络中除了数字证书的签发方的CA之外的其他任意参与方的CA均无法判断该数字证书的接收方是联盟链中哪一个参与方的CA的客户,从而可实现联盟链中各个参与方的CA为其用户颁发数字证书的私密性,实现各个参与方的CA向其用户匿名发送数字证书,保证数字证书的签发方的CA的身份私密性,增强联盟链网络中各个参与方的CA与其用户之间的交易的信息安全性,可满足联盟链网络中各个参与方的更多业务需求,适用性更强。In the embodiment of the present application, a terminal that is a digital certificate issuer CA can formulate a ring signature certificate issuance rule, including the number of public keys required for ring signature and ring signature certificate issuance specifications, etc. The ring signature certificate issuance rules established by the CA of the digital certificate issuer to issue digital certificates to users of the CA of the issuer can ensure that the CA of any participant other than the CA of the digital certificate cannot judge the digital certificate Is issued by the CA of which party. That is to say, the CA of any participant in the alliance chain network except the CA of the issuer of the digital certificate cannot determine which recipient of the digital certificate is a customer of the CA of the participant in the alliance chain, so that the alliance can be realized The CA of each participant in the chain issues the privacy of the digital certificate for its users, so that the CA of each participant can send the digital certificate anonymously to its users, to ensure the identity privacy of the CA of the issuer of the digital certificate, and enhance each of the alliance chain network The information security of the transaction between the CA of the participant and its users can meet the more business needs of each participant in the alliance chain network, and the applicability is stronger.
参见图6,图6是本申请实施例提供的终端的另一结构示意图。该终端适用于数字证书的验证方。如图6所示,本实施例中的终端可以包括:一个或多个处理器601和存储器602。上述处理器601和存储器602通过总线603连接。存储器602用于存储计算机程序,该计算机程序包括程序指令,处理器601用于执行存储器602存储的程序指令。其中,上述处理器601被配置用于调用该程序指令执行如下操作:Referring to FIG. 6, FIG. 6 is another schematic structural diagram of a terminal provided by an embodiment of the present application. The terminal is suitable for the verifier of digital certificates. As shown in FIG. 6, the terminal in this embodiment may include: one or more processors 601 and a memory 602. The processor 601 and the memory 602 are connected through a bus 603. The memory 602 is used to store a computer program, and the computer program includes program instructions, and the processor 601 is used to execute the program instructions stored in the memory 602. The above processor 601 is configured to call the program instruction to perform the following operations:
当验证方获得区块链网络中的任一签名交易时,获取上述签名交易的发起方的数字证书,上述签名交易的发起方可以为上述区块链网络中的参与方之一,上述区块链网络中记录了包括上述交易的发起方在内的各个参与方的证书颁发机构CA公钥;When the verifier obtains any signature transaction in the blockchain network, it obtains the digital certificate of the initiator of the signature transaction. The initiator of the signature transaction may be one of the participants in the blockchain network. The public key of the certification authority CA of each participant including the initiator of the above transaction is recorded in the chain network;
基于预设的环签名证书签发规则从上述数字证书中获取上述数字证书的环签名的公钥信息,并根据上述公钥信息确定上述数字证书的环签名对应的所有公钥,上述环签名对应的所有公钥为上述区块链网络中的多个参与方的CA公钥,上述多个参与方的参与方数量等于上述环签名证书签发规则中设定的公钥数量;Obtain the public key information of the ring signature of the digital certificate from the digital certificate based on the preset ring signature certificate issuance rule, and determine all the public keys corresponding to the ring signature of the digital certificate according to the public key information. All public keys are the CA public keys of multiple participants in the blockchain network, and the number of participants in the multiple participants is equal to the number of public keys set in the rules for issuing ring signature certificates;
根据上述环签名对应的所有公钥对上述签名交易的签名进行验证。The signature of the above signature transaction is verified according to all public keys corresponding to the above ring signature.
在一些可行的实施方式中,上述环签名证书签发规则被记录于上述区块链网络中,上述环签名证书签发规则中还包括由X509的数字证书构成的规范;上述X509中包括用于记录环签名的公钥信息的预设字段;In some feasible implementation manners, the above-mentioned ring signature certificate issuance rules are recorded in the above-mentioned blockchain network, and the above-mentioned ring signature certificate issuance rules also include specifications composed of X509 digital certificates; The preset field of the signed public key information;
上述公钥信息包括上述预设字段中所包括的区块链网络的标识,和/或数字证书的环签名对应的所有参与方的CA公钥,和/或上述所有参与方的CA公钥的标识;The above public key information includes the identification of the blockchain network included in the above preset fields, and / or the CA public keys of all parties corresponding to the ring signature of the digital certificate, and / or the CA public keys of all the above parties Logo
其中,上述预设字段包括签发方标注字段和/或扩展字段。Wherein, the above-mentioned preset fields include an issuer label field and / or an extension field.
在一些可行的实施方式中,上述环签名证书签发规则被记录于上述区块链网络中,上述环签名证书签发规则中还包括由X509的数字证书构成的规范;上述X509中包括用于记录环签名的公钥信息的预设字段;In some feasible implementation manners, the above-mentioned ring signature certificate issuance rules are recorded in the above-mentioned blockchain network, and the above-mentioned ring signature certificate issuance rules also include specifications composed of X509 digital certificates; The preset field of the signed public key information;
上述区块链网络中记录的上述各个参与方的CA公钥分为多个分组,且一个分组对应一个分组标识符;The CA public keys of the above parties recorded in the blockchain network are divided into multiple groups, and each group corresponds to a group identifier;
上述公钥信息包括上述预设字段中所包括的分组标识符,上述分组标识符用于确定上述区块链网络中所包括的目标分组,以基于上述目标分组中包括的CA公钥确定上述数字证书的环签名对应的所有参与方的CA公钥。The public key information includes the group identifier included in the preset field, and the group identifier is used to determine the target group included in the blockchain network to determine the number based on the CA public key included in the target group The CA public keys of all parties corresponding to the ring signature of the certificate.
在一些可行的实施方式中,上述终端可通过其内置的处理器601等各个功能器件执行如上述实施例中各个步骤所提供的实现方式中验证方所执行的操作,具体可参见上述各个步骤所提供的实现方式,在此不再赘述。In some feasible implementation manners, the above-mentioned terminal may perform the operations performed by the verifier in the implementation manners provided by the various steps in the foregoing embodiments through various functional devices such as its built-in processor 601. The implementation provided will not be repeated here.
在本申请实施例中,作为数字证书验证方的终端,可根据联盟链网络中各个参与方的CA制定的环签名证书签发规则确定环签名所需的公钥数量和环签名证书签发规范,并可基于联盟链网络中记录的各个参与方的CA公钥确定该数字证书的环签名对应的所有公钥。基于环签名对应的所有公钥实现对数字证书持有者发起的交易验证,操作简单,完成交易验证的同时也增强了数字证书的签发方的CA的身份私密性,可满足更多参与方的业务需求,适用性更强。In the embodiment of the present application, as the terminal of the digital certificate verifier, the number of public keys required for the ring signature and the issuance specifications of the ring signature certificate can be determined according to the ring signature certificate issuance rules established by the CAs of the participants in the alliance chain network All public keys corresponding to the ring signature of the digital certificate can be determined based on the CA public keys of each participant recorded in the alliance chain network. All public keys corresponding to ring signatures implement transaction verification initiated by digital certificate holders. The operation is simple. Completing transaction verification also enhances the identity privacy of the CA of the issuer of the digital certificate, which can satisfy more participants. Business requirements are more applicable.
本申请实施例还提供一种计算机可读存储介质,该计算机可读存储介质存储有计算机程序,该计算机程序包括程序指令,该程序指令被处理器执行时实现图2中各个步骤所提供的方法,具体可参见上述各个步骤所提供的实现方式,在此不再赘述。Embodiments of the present application also provide a computer-readable storage medium that stores a computer program, and the computer program includes program instructions, which are executed by a processor to implement the method provided in each step in FIG. 2 For details, please refer to the implementation provided by the above steps, which will not be repeated here.
上述计算机可读存储介质可以是前述任一实施例提供的数字证书签发装置或者上述终端的内部存储单元,例如电子设备的硬盘或内存。该计算机可读存储介质也可以是该电子设备的外部存储设备,例如该电子设备上配备的插接式硬盘,智能存储卡(smart media card,SMC),安全数字(secure digital,SD)卡,闪存卡(flash card)等。进一步地,该计算机可读存储介质还可以既包括该电子设备的内部存储单元也包括外部存储设备。该计算机可读存储介质用于存储该计算机程序以及该电子设备所需的其他程序和数据。该计算机可读存储介质还可以用于暂时地存储已经输出或者将要输出的数据。The above-mentioned computer-readable storage medium may be the digital certificate issuing apparatus provided in any of the foregoing embodiments or the internal storage unit of the above-mentioned terminal, such as a hard disk or a memory of an electronic device. The computer-readable storage medium may also be an external storage device of the electronic device, such as a plug-in hard disk equipped on the electronic device, a smart memory card (smart media card, SMC), a secure digital (SD) card Flash card (flash card), etc. Further, the computer-readable storage medium may also include both an internal storage unit of the electronic device and an external storage device. The computer-readable storage medium is used to store the computer program and other programs and data required by the electronic device. The computer-readable storage medium can also be used to temporarily store data that has been or will be output.
本申请的权利要求书和说明书及附图中的术语“包括”和“具有”以及它们任何变形,意图在于覆盖不排他的包含。在本文中提及“实施例”意味着,结合实施例描述的特定特征、结构或特性可以包含在本申请的至少一个实施例中。在说明书中的各个位置展示该短语并不一定均是指相同的实施例,也不是与其它实施例互斥的独立的或备选的实施例。在本申请说明书和所附权利要求书中使用的术语“和/或”是指相关联列出的项中的一个或多个的任何组合以及所有可能组合,并且包括这些组合。The terms "comprising" and "having" in the claims and specification and drawings of this application and any variations thereof are intended to cover non-exclusive inclusion. Reference herein to "embodiments" means that specific features, structures, or characteristics described in connection with the embodiments may be included in at least one embodiment of the present application. The display of the phrase in various places in the specification does not necessarily refer to the same embodiment, nor is it an independent or alternative embodiment mutually exclusive with other embodiments. The term "and / or" used in the specification of the present application and the appended claims refers to any and all possible combinations of one or more of the associated listed items and includes these combinations.

Claims (20)

  1. 一种数字证书的签发方法,其特征在于,所述方法适用于数字证书的签发方,所述方法包括:A digital certificate issuance method, characterized in that the method is suitable for a digital certificate issuer, the method includes:
    区块链网络的第一参与方的证书颁发机构CA将所述第一参与方的CA公钥记录至区块链网络中,所述第一参与方为所述区块链网络中数字证书的签发方,所述区块链网络中还记录了至少一个第二参与方的CA公钥,所述第二参与方为所述区块链网络中除所述第一参与方之外的参与方;The certificate authority CA of the first participant of the blockchain network records the public key of the CA of the first participant to the blockchain network, and the first participant is the digital certificate of the blockchain network. Issuer, the blockchain public network also records at least one CA public key of the second participant, the second participant is a participant in the blockchain network other than the first participant ;
    当所述第一参与方的CA接收到任一用户的证书授权请求时,根据所述证书授权请求中携带的用户身份信息确认所述用户是否为目标用户,所述目标用户为所述第一参与方的CA的用户;When the CA of the first party receives a certificate authorization request from any user, it determines whether the user is a target user according to the user identity information carried in the certificate authorization request, and the target user is the first The user of the CA of the participant;
    若所述第一参与方的CA确认所述用户是目标用户,则从所述证书授权请求中获取所述用户的公钥,并根据预先设定的环签名证书签发规则,从所述区块链网络中获取任意N个所述第二参与方的CA公钥,其中,N等于所述环签名证书签发规则中设定的公钥数量;If the CA of the first participant confirms that the user is the target user, the public key of the user is obtained from the certificate authorization request, and according to the preset ring signing certificate issuance rules, from the block Obtain any N public CA keys of the second participant in the chain network, where N is equal to the number of public keys set in the ring signing certificate issuance rules;
    所述第一参与方的CA根据所述第一参与方的CA的公钥、私钥和所述N个所述第二参与方的CA公钥对所述用户的用户身份信息和公钥进行环签名并形成数字证书,并向所述用户发送所述数字证书。The CA of the first participant performs the user identity information and the public key of the user according to the public key and private key of the CA of the first participant and the N CA public keys of the second participant The ring signs and forms a digital certificate, and sends the digital certificate to the user.
  2. 根据权利要求1所述的方法,其特征在于,所述环签名证书签发规则由所述第一参与方的CA自行制定,或者由所述区块链网络中的各个参与方的CA共同制定;所述环签名证书签发规则被记录于所述区块链网络中。The method according to claim 1, characterized in that the ring signature certificate issuance rules are formulated by the CA of the first participant or jointly formulated by the CAs of the participants in the blockchain network; The ring signature certificate issuance rules are recorded in the blockchain network.
  3. 根据权利要求2所述的方法,其特征在于,所述环签名证书签发规则中还包括由X509的数字证书构成的规范;所述X509中包括用于记录环签名的公钥信息的预设字段;The method according to claim 2, wherein the ring signing certificate issuance rule further includes a specification composed of X509 digital certificates; the X509 includes a preset field for recording public key information of the ring signature ;
    所述第一参与方的CA根据所述第一参与方的CA的公钥、私钥和所述N个第二参与方的CA公钥对所述用户的用户身份信息和公钥进行环签名并形成数字证书包括:The CA of the first participant signs the user identity information and public key of the user according to the public key and private key of the CA of the first participant and the CA public keys of the N second participants And form a digital certificate including:
    所述第一参与方的CA基于所述规范,使用所述第一参与方的CA的公钥、私钥和所述N个所述第二参与方的CA公钥对所述用户的用户身份信息和公钥进行环签名并形成数字证书,所述数字证书的所述预设字段中携带所述数字证书的环签名的公钥信息。Based on the specification, the first party ’s CA uses the public key and private key of the first party ’s CA and the N second party ’s CA public keys to identify the user of the user The information and the public key are ring-signed and form a digital certificate, and the preset field of the digital certificate carries the public key information of the ring signature of the digital certificate.
  4. 根据权利要求3所述的方法,其特征在于,所述X509中包括签发方标注字段,所述签发方标注字段中包括所述第一参与方的CA对应的区块链网络标识和/或所述数字证书的环签名的公钥信息;The method according to claim 3, wherein the X509 includes an issuer label field, and the issuer label field includes a blockchain network identifier and / or all corresponding to the CA of the first party The public key information of the ring signature of the digital certificate;
    其中,所述公钥信息包括所述数字证书的环签名对应的所述N个所述第二参与方的CA公钥,和/或所述环签名对应的所述N个所述第二参与方的CA公钥的标识。Wherein, the public key information includes the CA public keys of the N second parties corresponding to the ring signature of the digital certificate, and / or the N second participations corresponding to the ring signature The ID of the party's CA public key.
  5. 根据权利要求3所述的方法,其特征在于,所述预设字段包括所述X509中的扩展字段,所述扩展字段中携带的所述环签名的公钥信息包括所述数字证书的环签名对应的所述N个所述第二参与方的CA公钥,和/或所述环签名对应的所述N个所述第二参与方的CA公钥的标识。The method according to claim 3, wherein the preset field includes an extension field in the X509, and the public key information of the ring signature carried in the extension field includes the ring signature of the digital certificate Corresponding to the N public CA public keys of the second participants, and / or identifiers of the N public CA public keys of the second participants corresponding to the ring signature.
  6. 根据权利要求3所述的方法,其特征在于,所述区块链网络中记录的各个参与方的CA公钥分为多个分组,且一个分组对应一个分组标识符;The method according to claim 3, wherein the CA public keys of each participant recorded in the blockchain network are divided into multiple groups, and one group corresponds to one group identifier;
    所述预设字段包括所述X509中的扩展字段,所述扩展字段中携带的所述环签名的公钥信息包括分组标识符,所述分组标识符用于指示所述环签名对应的所述N个所述第二参与方的CA公钥的所属分组,以帮助所述数字证书的验证方基于所述N个所述第二参与方的CA公钥的所属分组找到所述N个所述第二参与方的CA公钥。The preset field includes an extension field in the X509, and the public key information of the ring signature carried in the extension field includes a group identifier, and the group identifier is used to indicate the corresponding to the ring signature N belonging groups of the CA public keys of the second participants to help the verifier of the digital certificate find the N said groups based on the belonging groups of the N public CAs of the second parties The CA public key of the second participant.
  7. 一种数字证书的验证方法,其特征在于,所述方法适用于数字证书的验证方,所述方法包括:A digital certificate verification method, characterized in that the method is suitable for a digital certificate verifier, and the method includes:
    当验证方获得区块链网络中的任一签名交易时,所述验证方获取所述签名交易的发起方的数字证书;When the verifier obtains any signed transaction in the blockchain network, the verifier obtains the digital certificate of the initiator of the signed transaction;
    所述验证方基于预设的环签名证书签发规则从所述数字证书中获取所述数字证书的环签名的公钥信息,并根据所述公钥信息确定所述数字证书的环签名对应的所有公钥,所述环签名对应的所有公钥为所述区块链网络中的多个参与方的CA公钥,且所述环签名对应的公钥数量等于所述环签名证书签发规则中设定的公钥数量;The verifier obtains the public key information of the ring signature of the digital certificate from the digital certificate based on a preset ring signing certificate issuance rule, and determines all corresponding to the ring signature of the digital certificate according to the public key information Public key, all public keys corresponding to the ring signature are the CA public keys of multiple participants in the blockchain network, and the number of public keys corresponding to the ring signature is equal to that set in the rules for issuing the ring signature certificate The number of fixed public keys;
    所述验证方根据所述环签名对应的所有公钥对所述签名交易的签名进行验证。The verifier verifies the signature of the signed transaction based on all public keys corresponding to the ring signature.
  8. 根据权利要求7所述的方法,其特征在于,所述环签名证书签发规则被记录于所述区块链网络中,所述环签名证书签发规则中还包括由X509的数字证书构成的规范;所述X509中包括用于记录环签名的公钥信息的预设字段;The method according to claim 7, characterized in that the ring signing certificate issuance rules are recorded in the blockchain network, and the ring signing certificate issuance rules also include specifications composed of X509 digital certificates; The X509 includes a preset field for recording public key information of the ring signature;
    所述公钥信息包括所述预设字段中所包括的区块链网络的标识,和/或数字证书的环签名对应的所有参与方的CA公钥,和/或所述所有参与方的CA公钥的标识;The public key information includes the identification of the blockchain network included in the preset field, and / or the CA public keys of all parties corresponding to the ring signature of the digital certificate, and / or the CAs of all parties Public key identification;
    其中,所述预设字段包括签发方标注字段和/或扩展字段。Wherein, the preset field includes an issuer label field and / or an extension field.
  9. 根据权利要求7所述的方法,其特征在于,所述环签名证书签发规则被记录于所述区块链网络中,所述环签名证书签发规则中还包括由X509的数字证书构成的规范;所述X509中包括用于记录环签名的公钥信息的预设字段;The method according to claim 7, characterized in that the ring signing certificate issuance rules are recorded in the blockchain network, and the ring signing certificate issuance rules also include specifications composed of X509 digital certificates; The X509 includes a preset field for recording public key information of the ring signature;
    所述区块链网络中记录的所述各个参与方的CA公钥分为多个分组,且一个分组对应一个分组标识符;The CA public keys of the various parties recorded in the blockchain network are divided into multiple groups, and one group corresponds to one group identifier;
    所述公钥信息包括所述预设字段中所包括的分组标识符,所述分组标识符用于确定所述区块链网络中所包括的目标分组,以基于所述目标分组中包括的CA公钥确定所述数字证书的环签名对应的所有参与方的CA公钥。The public key information includes a packet identifier included in the preset field, and the packet identifier is used to determine a target packet included in the blockchain network to be based on the CA included in the target packet The public key determines the CA public keys of all parties corresponding to the ring signature of the digital certificate.
  10. 一种数字证书的签发装置,其特征在于,所述装置适用于数字证书的签发方的证书颁发机构CA,所述装置包括:A digital certificate issuing device, characterized in that the device is suitable for a certificate issuing authority CA of a digital certificate issuer, and the device includes:
    记录单元,用于将第一参与方的CA公钥记录至区块链网络中,所述第一参与方为所述区块链网络中数字证书的签发方,所述区块链网络中还记录了至少一个第二参与方的CA公钥,所述第二参与方为所述区块链网络中除所述第一参与方之外的参与方;The recording unit is used to record the CA public key of the first party into the blockchain network, the first party is the issuer of the digital certificate in the blockchain network, and the blockchain network also Recorded the CA public key of at least one second participant, the second participant is a participant other than the first participant in the blockchain network;
    确认单元,用于在接收到任一用户的证书授权请求时,根据所述证书授权请求中携带的用户身份信息确认所述用户是否为所述第一参与方的CA的用户;A confirmation unit, configured to confirm whether the user is a user of the CA of the first participant according to the user identity information carried in the certificate authorization request when receiving a certificate authorization request from any user;
    获取单元,用于在所述确认单元确认所述用户是所述第一参与方的CA的用户时,从所述证书授权请求中获取所述用户的公钥,并根据预先设定的环签名证书签发规则,从所述区块链网络中获取任意N个所述第二参与方的CA公钥,其中,N等于所述环签名证书签发规则中设定的公钥数量;An obtaining unit, configured to obtain the public key of the user from the certificate authorization request when the confirmation unit confirms that the user is a user of the CA of the first participant, and sign according to a preset ring Certificate issuance rules, obtaining any N public CA keys of the second party from the blockchain network, where N is equal to the number of public keys set in the ring signature certificate issuance rules;
    签发单元,用于根据所述第一参与方的CA的公钥、私钥和所述N个所述第二参与方的CA公钥对所述用户的用户身份信息和公钥进行环签名并形成数字证书,并向所述用户发送所述数字证书。An issuance unit for ring-signing the user identity information and public key of the user based on the public key and private key of the first party's CA and the N public keys of the second party Form a digital certificate and send the digital certificate to the user.
  11. 根据权利要求10所述的装置,其特征在于,所述环签名证书签发规则由所述第一参与方的CA自行制定,或者由所述区块链网络中的各个参与方的CA共同制定;所述环签名证书签发规则被记录于所述区块链网络中。The device according to claim 10, characterized in that the ring signature certificate issuance rules are formulated by the CA of the first participant or jointly formulated by the CAs of the participants in the blockchain network; The ring signature certificate issuance rules are recorded in the blockchain network.
  12. 根据权利要求11所述的装置,其特征在于,所述环签名证书签发规则中还包括由X509的数字证书构成的规范;所述X509中包括用于记录环签名的公钥信息的预设字段;The apparatus according to claim 11, wherein the ring signing certificate issuance rule further includes a specification composed of X509 digital certificates; the X509 includes a preset field for recording public key information of the ring signature ;
    所述签发单元用于:The issuance unit is used for:
    基于所述规范,使用所述第一参与方的CA的公钥、私钥和所述N个所述第二参与方的CA公钥对所述用户的用户身份信息和公钥进行环签名并形成数字证书,所述数字证书的所述预设字段中携带所述数字证书的环签名的公钥信息。Based on the specification, use the public key and private key of the first party's CA and the N public keys of the second party to sign the user's user identity information and public key in a ring and sign A digital certificate is formed, and the preset field of the digital certificate carries the public key information of the ring signature of the digital certificate.
  13. 根据权利要求12所述的装置,其特征在于,所述X509中包括签发方标注字段,所述签发方标注字段中包括所述第一参与方的CA对应的区块链网络标识和/或所述数字证书的环签名的公钥信息;The apparatus according to claim 12, wherein the X509 includes an issuer label field, and the issuer label field includes a blockchain network identifier and / or all corresponding to the CA of the first party The public key information of the ring signature of the digital certificate;
    其中,所述公钥信息包括所述数字证书的环签名对应的所述N个所述第二参与方的CA公钥,和/或所述环签名对应的所述N个所述第二参与方的CA公钥的标识。Wherein, the public key information includes the CA public keys of the N second parties corresponding to the ring signature of the digital certificate, and / or the N second participations corresponding to the ring signature The ID of the party's CA public key.
  14. 根据权利要求12所述的装置,其特征在于,所述预设字段包括所述X509中的扩展字段,所述扩展字段中携带的所述环签名的公钥信息包括所述数字证书的环签名对应的所述N个所述第二参与方的CA公钥,和/或所述环签名对应的所述N个所述第二参与方的CA公钥的标识。The device according to claim 12, wherein the preset field includes an extension field in the X509, and the public key information of the ring signature carried in the extension field includes the ring signature of the digital certificate Corresponding to the N public CA public keys of the second participants, and / or identifiers of the N public CA public keys of the second participants corresponding to the ring signature.
  15. 根据权利要求12所述的装置,其特征在于,所述区块链网络中记录的各个参与方的CA公钥分为多个分组,且一个分组对应一个分组标识符;The device according to claim 12, wherein the CA public keys of each participant recorded in the blockchain network are divided into multiple groups, and one group corresponds to one group identifier;
    所述预设字段包括所述X509中的扩展字段,所述扩展字段中携带的所述环签名的公钥信息包括分组标识符,所述分组标识符用于指示所述环签名对应的所述N个所述第二参与方的CA公钥的所属分组,以帮助所述数字证书的验证方基于所述N个所述第二参与方的CA公钥的所属分组找到所述N个所述第二参与方的CA公钥。The preset field includes an extension field in the X509, and the public key information of the ring signature carried in the extension field includes a group identifier, and the group identifier is used to indicate the corresponding to the ring signature N belonging groups of the CA public keys of the second participants to help the verifier of the digital certificate find the N said groups based on the belonging groups of the N public CAs of the second parties The CA public key of the second participant.
  16. 一种数字证书的验证装置,其特征在于,所述装置适用于数字证书的验证方,所述装置包括:A digital certificate verification device, characterized in that the device is suitable for a digital certificate verifier, and the device includes:
    获取单元,用于在获得区块链网络中的任一签名交易时,获取所述交易的发起方的数字证书;The obtaining unit is used to obtain the digital certificate of the initiator of the transaction when obtaining any signed transaction in the blockchain network;
    确定单元,用于基于预设的环签名证书签发规则从所述数字证书中获取所述数字证书的环签名的公钥信息,并根据所述公钥信息确定所述数字证书的环签名对应的所有公钥,所述环签名对应的所有公钥为所述区块链网络中的多个参与方的CA公钥,且所述环签名对应的公钥数量等于所述环签名证书签发规则中设定的公钥数量;A determining unit, configured to obtain the public key information of the ring signature of the digital certificate from the digital certificate based on a preset ring signing certificate issuance rule, and determine the ring signature corresponding to the digital certificate according to the public key information All public keys, all public keys corresponding to the ring signature are the CA public keys of multiple participants in the blockchain network, and the number of public keys corresponding to the ring signature is equal to that in the ring signing certificate issuance rules The set number of public keys;
    验证单元,用于根据所述确定单元确定的所述环签名对应的所有公钥对所述交易的签名进行验证。The verification unit is configured to verify the signature of the transaction based on all public keys corresponding to the ring signature determined by the determination unit.
  17. 根据权利要求16所述的装置,其特征在于,所述环签名证书签发规则被记录于所 述区块链网络中,所述环签名证书签发规则中还包括由X509的数字证书构成的规范;所述X509中包括用于记录环签名的公钥信息的预设字段;The device according to claim 16, characterized in that the ring signing certificate issuance rules are recorded in the blockchain network, and the ring signing certificate issuance rules further include specifications composed of X509 digital certificates; The X509 includes a preset field for recording public key information of the ring signature;
    所述公钥信息包括所述预设字段中所包括的区块链网络的标识,和/或数字证书的环签名对应的所有参与方的CA公钥,和/或所述所有参与方的CA公钥的标识;The public key information includes the identification of the blockchain network included in the preset field, and / or the CA public keys of all parties corresponding to the ring signature of the digital certificate, and / or the CAs of all parties Public key identification;
    其中,所述预设字段包括签发方标注字段和/或扩展字段。Wherein, the preset field includes an issuer label field and / or an extension field.
  18. 根据权利要求16所述的装置,其特征在于,所述环签名证书签发规则被记录于所述区块链网络中,所述环签名证书签发规则中还包括由X509的数字证书构成的规范;所述X509中包括用于记录环签名的公钥信息的预设字段;The device according to claim 16, characterized in that the ring signing certificate issuance rules are recorded in the blockchain network, and the ring signing certificate issuance rules further include specifications composed of X509 digital certificates; The X509 includes a preset field for recording public key information of the ring signature;
    所述区块链网络中记录的所述各个参与方的CA公钥分为多个分组,且一个分组对应一个分组标识符;The CA public keys of the various parties recorded in the blockchain network are divided into multiple groups, and one group corresponds to one group identifier;
    所述公钥信息包括所述预设字段中所包括的分组标识符,所述分组标识符用于确定所述区块链网络中所包括的目标分组,以基于所述目标分组中包括的CA公钥确定所述数字证书的环签名对应的所有参与方的CA公钥。The public key information includes a packet identifier included in the preset field, and the packet identifier is used to determine a target packet included in the blockchain network to be based on the CA included in the target packet The public key determines the CA public keys of all parties corresponding to the ring signature of the digital certificate.
  19. 一种终端,其特征在于,包括处理器和存储器,所述处理器、收发器和存储器相互连接,其中,所述存储器用于存储计算机程序,所述计算机程序包括程序指令,所述处理器和所述收发器被配置用于调用所述程序指令,执行如权利要求1-6任一项所述的方法,或者如权利要求7-9任一项所述的方法。A terminal is characterized by comprising a processor and a memory, wherein the processor, transceiver and memory are connected to each other, wherein the memory is used to store a computer program, and the computer program includes program instructions, and the processor and The transceiver is configured to call the program instructions to perform the method according to any one of claims 1-6, or the method according to any one of claims 7-9.
  20. 一种计算机可读存储介质,其特征在于,所述计算机可读存储介质存储有计算机程序,所述计算机程序包括程序指令,所述程序指令当被处理器执行时使所述处理器执行如权利要求1-6任一项所述的方法,或者如权利要求7-9任一项所述的方法。A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program, and the computer program includes program instructions, which when executed by a processor cause the processor to execute as rights The method according to any one of claims 1 to 6, or the method according to any one of claims 7 to 9.
PCT/CN2019/070234 2018-10-09 2019-01-03 Processing method for digital certificate and related apparatus WO2020073546A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
SG11201913856UA SG11201913856UA (en) 2018-10-09 2019-01-03 Digital certificate processing method and related apparatus

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811175201.XA CN109547206B (en) 2018-10-09 2018-10-09 Digital certificate processing method and related device
CN201811175201.X 2018-10-09

Publications (1)

Publication Number Publication Date
WO2020073546A1 true WO2020073546A1 (en) 2020-04-16

Family

ID=65843489

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/070234 WO2020073546A1 (en) 2018-10-09 2019-01-03 Processing method for digital certificate and related apparatus

Country Status (3)

Country Link
CN (1) CN109547206B (en)
SG (1) SG11201913856UA (en)
WO (1) WO2020073546A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114168923A (en) * 2022-02-10 2022-03-11 亿次网联(杭州)科技有限公司 Group CA certificate generation method and system based on digital certificate

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110620776B (en) * 2019-09-24 2021-11-26 腾讯科技(深圳)有限公司 Data transfer information transmission method and device
CN113132319A (en) * 2019-12-31 2021-07-16 鄢华中 Block chain-based digital certificate, identity authentication and block chain certificate issuing system
CN112015814B (en) * 2020-08-26 2022-10-04 深圳壹账通智能科技有限公司 Data generation method, device, node and storage medium based on block chain network
CN112615719B (en) * 2020-12-15 2023-07-25 平安消费金融有限公司 Off-centering on-line contract signing method, device, equipment and medium
CN112712365B (en) * 2021-01-06 2024-02-02 中国工商银行股份有限公司 Processing method and device for digital certificate
WO2022193084A1 (en) * 2021-03-15 2022-09-22 华为技术有限公司 Digital certificate verification method and verification apparatus
CN112910660B (en) * 2021-03-25 2023-02-24 中国工商银行股份有限公司 Certificate issuing method, adding method and transaction processing method of blockchain system
CN114189830B (en) * 2021-11-24 2023-06-06 中汽数据(天津)有限公司 Main body authority control method, equipment and storage medium based on Internet of vehicles

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106779704A (en) * 2016-12-06 2017-05-31 杭州趣链科技有限公司 A kind of block chain anonymous deal method based on ring signatures
US20170308872A1 (en) * 2015-04-20 2017-10-26 Coinplug Inc. Digital virtual currency transaction system and method having block chain between concerned parties
CN107453865A (en) * 2017-07-18 2017-12-08 众安信息技术服务有限公司 A kind of multiparty data sharing method and system for protecting data transmission source privacy

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100563150C (en) * 2005-07-14 2009-11-25 华为技术有限公司 A kind of distributed identity-card signature method
CN101192928B (en) * 2006-12-01 2010-09-29 华为技术有限公司 Mobile ad hoc authentication method and system
KR101475282B1 (en) * 2010-12-20 2014-12-22 한국전자통신연구원 Key validity verifying method and sever for performing the same
US8874769B2 (en) * 2011-06-30 2014-10-28 Qualcomm Incorporated Facilitating group access control to data objects in peer-to-peer overlay networks
CN104539426A (en) * 2014-12-29 2015-04-22 南京邮电大学 Method for guaranteeing user behavior safety under converged network
CN104917615B (en) * 2015-04-24 2018-06-01 广东电网有限责任公司信息中心 A kind of credible calculating platform attribute verification method based on ring signatures

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170308872A1 (en) * 2015-04-20 2017-10-26 Coinplug Inc. Digital virtual currency transaction system and method having block chain between concerned parties
CN106779704A (en) * 2016-12-06 2017-05-31 杭州趣链科技有限公司 A kind of block chain anonymous deal method based on ring signatures
CN107453865A (en) * 2017-07-18 2017-12-08 众安信息技术服务有限公司 A kind of multiparty data sharing method and system for protecting data transmission source privacy

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114168923A (en) * 2022-02-10 2022-03-11 亿次网联(杭州)科技有限公司 Group CA certificate generation method and system based on digital certificate

Also Published As

Publication number Publication date
CN109547206B (en) 2020-11-06
CN109547206A (en) 2019-03-29
SG11201913856UA (en) 2020-05-28

Similar Documents

Publication Publication Date Title
WO2020073546A1 (en) Processing method for digital certificate and related apparatus
JP7181539B2 (en) METHOD AND APPARATUS FOR MANAGING USER IDENTIFICATION AND AUTHENTICATION DATA
TWI713353B (en) Communication method between blockchain nodes, digital certificate management method, device and electronic equipment
US9871655B2 (en) Method for deriving a verification token from a credential
WO2020062668A1 (en) Identity authentication method, identity authentication device, and computer readable medium
WO2019105407A1 (en) Zero-knowledge proof method suitable for block chain privacy protection, and medium
CN108650077B (en) Block chain based information transmission method, terminal, equipment and readable storage medium
WO2021169107A1 (en) Internet identity protection method and apparatus, electronic device, and storage medium
US20080126805A1 (en) Methods, Apparatus And Computer Programs For Generating And/Or Using Conditional Electronic Signatures For Reporting Status Changes
CN109905360B (en) Data verification method and terminal equipment
WO2020051710A1 (en) System and process for managing digitized security tokens
JP2003234729A (en) Revocation and updating of token in public key infrastructure system
JP2002164884A (en) Proxy server, electronic signature system, electronic signature verification system, network system, electronic signature method, electronic signature verification method, recording medium and program transmission device
JP2004023796A (en) Selectively disclosable digital certificate
JP2002057660A (en) System and method for using role certificate as signature, digital seal, and digital signature in coding
CN109981287B (en) Code signing method and storage medium thereof
GB2434724A (en) Secure transactions using authentication tokens based on a device "fingerprint" derived from its physical parameters
TW201025970A (en) Verifying and enforcing certificate use
CN110601816A (en) Lightweight node control method and device in block chain system
CN111460457A (en) Real estate property registration supervision method, device, electronic equipment and storage medium
TW201911145A (en) License management system and method using blockchain
CN110189184A (en) A kind of electronic invoice storage method and device
Ahmed et al. Turning trust around: smart contract-assisted public key infrastructure
Rattan et al. E-Commerce Security using PKI approach
CN114270386A (en) Authenticator application for consent framework

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19870125

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 07.07.2021)

122 Ep: pct application non-entry in european phase

Ref document number: 19870125

Country of ref document: EP

Kind code of ref document: A1