CN101257387B - X509 digital certificate quick analyzing and verifying method - Google Patents


Publication number: CN101257387B
Authority: CN (China)
Prior art keywords: certificate, digital certificate, main body, primary key, digital
Legal status: Active
Application number: CN200810101869XA
Other languages: Chinese (zh)
Other versions: CN101257387A (en)
Inventors: 林桂贤, 汪宗斌, 陈永亮
Current Assignee: Beijing Huayao Technology Co., Ltd
Original Assignee: ARRAY NETWORKS (BEIJING) Inc

Abstract

The invention relates to a fast parsing and verification method for X509 digital certificates, which comprises the following steps: 1) based on the structural characteristics of the X509 digital certificate, splitting the certificate into a certificate main body, a certificate signature algorithm identifier and a certificate signature value; 2) based on the encoding format of the X509 digital certificate, locating and parsing each key field in the certificate main body; 3) building an index table from the position information of all parsed key fields and storing the position information of all key fields in the index table; when the certificate's key field information is used again, it is read directly from the index table built in step 3. The invention improves the efficiency of secure transaction processing, reduces the consumption of system resources, and makes subsequent accesses much more convenient.

Description

A fast parsing and verification method for X509 digital certificates
Technical field
The present invention relates to a fast parsing and verification method for X509 digital certificates, used on the Internet to authenticate the two parties to an electronic transaction.
Background art
With the development of the Internet, people rely more and more on the network to carry out transactions involving sensitive data, such as e-banking and e-commerce. Because these transactions are electronic, highly important and confidential data is frequently transmitted over the network. For this reason, many new technologies have been invented to ensure that such important and confidential data can be transmitted over the network safely and reliably. More and more users rely on encryption mechanisms such as SSL (Secure Sockets Layer) and TLS (Transport Layer Security), which build a secure channel between the client/browser and the server for data transmission.
The SSL/TLS communication protocol consists mainly of four parts: the record protocol (Record Protocol), the handshake protocol (Handshake Protocol), the alert protocol (Alert Protocol) and the application protocol (Application Protocol). Their roles are as follows: 1. Record protocol: built on top of a transport protocol (such as TCP or UDP), it provides data encapsulation, compression and encryption/decryption for the upper-layer protocols. 2. Handshake protocol: used before application data transmission begins, so that the two communicating parties can authenticate each other, negotiate the encryption algorithm, exchange encryption keys, and so on. 3. Alert protocol: used to convey SSL/TLS alerts to the peer entity. 4. Application protocol: the actual data of the application service. With these four protocols, SSL/TLS solves the communication security problem well, but it also imposes a huge computational overhead on the server. This is especially true of the second part, the handshake protocol, which has to handle authentication of X509 digital certificates and therefore has to perform complex certificate reading and parsing work.
For parsing and verifying X509 digital certificates, the traditional solution is to decode the file according to the ASN.1 (Abstract Syntax Notation One) encoding rules and then map the result onto the structure of the X509 digital certificate. The benefit is that ready-made, general-purpose ASN.1 encoding methods and programs can be used, but the structural characteristics of the X509 digital certificate itself are not sufficiently exploited: during parsing, the content can only be determined by comparing against the identifiers defined in ASN.1. This approach usually relies on recursive calls, so it consumes a great deal of system time such as CPU time; the speed of secure transaction processing also drops considerably, and the responses to many clients' secure transaction requests become very slow. Optimizing secure transaction processing and improving client response has therefore become an urgent need of practical significance.
Summary of the invention
In view of the above problems, the object of the present invention is to provide a fast X509 digital certificate parsing and verification method that offers high secure transaction processing efficiency together with low system resource consumption.
To achieve this object, the present invention adopts the following technical scheme: a fast X509 digital certificate parsing and verification method, comprising the following steps: 1) according to the structural characteristics of the X509 digital certificate, splitting the certificate into three parts: the certificate main body, the certificate signature algorithm identifier and the certificate signature value; 2) according to the encoding format of the X509 digital certificate, locating and parsing each key field in the certificate main body; 3) building an index table from the position information of all parsed key fields, and storing the position information of all key fields in the index table; 4) when certificate key field information is used again, reading it directly from the index table built in step 3).
By adopting the above technical scheme, the present invention has the following advantages: 1. Because the present invention works from the structural characteristics and encoding format of the X509 digital certificate, it can quickly locate the exact position of each key field. Each time the certificate content is used during the handshake protocol, the relevant information can therefore be read quickly, which greatly improves the certificate parsing and verification process and shortens the response time of secure transaction processing. 2. When certificate key field information is needed again, the present invention can read it directly from the previously built index table, which saves the repeated certificate parsing work that would otherwise follow and makes subsequent accesses much more convenient. 3. Because certificate parsing and verification become more efficient, the consumption of system resources (such as processor and memory) is greatly reduced.
Description of drawings
Fig. 1 is a schematic diagram of the overall structure of the X509 digital certificate referred to by the present invention.
Fig. 2 is a schematic diagram of the structure of the certificate main body in the present invention.
Fig. 3 is a flow chart of the certificate field locating and parsing process used in the present invention.
Embodiment
The present invention is described in detail below with reference to the drawings and an embodiment.
As shown in Fig. 1, the structure of an X509 digital certificate comprises the certificate main body (TBSCertificate), the certificate signature algorithm identifier (signatureAlgorithm) and the certificate signature value (signatureValue). The TBSCertificate part is the key part and contains many key fields of the certificate. As shown in Fig. 2, these include the subject name (subject), the issuer name (issuer), the subject's public key (subjectPublicKeyInfo), the validity period (validity) and other related information of the certificate. These key fields are exactly the data needed in the handshake protocol.
Because the file structure of an X509 digital certificate is very clear, there is no need, when parsing it, to first carry out a complete and tedious parse according to the ASN.1 encoding format. The parsing method of the present invention relies on the characteristics of the ASN.1 BER (Basic Encoding Rules) encoding and on the characteristics of the X509 digital certificate structure to parse quickly.
To describe the method of the present invention and the effect it achieves in detail, the following embodiment is given:
1. According to the structural characteristics of the X509 digital certificate, the certificate is split into three parts: the certificate main body, the certificate signature algorithm identifier and the certificate signature value.
The main content of an X509 digital certificate is as follows:
30 8x yy yy  30 8w yy yy TBSCertificate 30zz...  30 0D 06 09...  30 81 81......
In the binary data stream of the above X509 digital certificate, every independent part begins with "30", which marks the start of a new part, and the number immediately following "30" gives the data length of that part. For example, "8x" represents the total length of the three parts to be split out, and "8w" indicates that the length of TBSCertificate occupies w bytes; reading out the number of bytes given by those w length bytes yields the TBSCertificate part. By analogy, "30 0D" indicates that signatureAlgorithm has 13 bytes, and "30 81 81" indicates that signatureValue has 129 bytes.
2. According to the encoding format of the X509 digital certificate, the exact position of each key field is located, and the position information of each key field is then read out of the certificate main body.
The key fields to be parsed currently comprise the mandatory fields of the certificate and all extension fields in the certificate main body, specifically the subject name, the issuer name, the subject's public key, the validity period of the certificate and other related information.
Fig. 3 shows the basic process of locating and reading one key field:
(1) first, locate the "30" that marks the start of a new part; (2) compare the number immediately following the "30" that marks the start of the certificate field with the number 80; (3) if the comparison result is "no", compute the length as length = *(P+1), where P+1 is a pointer and *(P+1) is the content read through that pointer, which is the length itself; (4) if the comparison result is "yes", first compute the value of offset, then compute the content length with the loop length *= 256; length += *(P+2+i); i++; (5) read the content of the key field according to the computed content length.
3. An index table is built from the position information of all parsed key fields, and the position information of all key fields is stored in the index table.
The index table is represented by a simple array, as shown below:
Certificate[1] = 12  /* the first entry is the start position of the body data */
Certificate[2] = 34  /* the second entry is the start position of the issuer data */
Certificate[3] = 86  /* the third entry is ... */
...
4. From this step on, whenever key field information is needed, it is read directly from the index table built in step 3. In this way, each time the X509 digital certificate content is used during the handshake protocol, the relevant information can be read quickly, which greatly improves the certificate parsing and verification process and shortens the response time of secure transaction processing; and because parsing and verification of the X509 digital certificate have become more efficient, the consumption of system resources (such as processor and memory) is greatly reduced.
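The four steps above as an added C example (not code from the patent): it splits a certificate buffer into its three parts, reads BER lengths as in Fig. 3, and stores the field positions in an index table. Because certificate bytes in a handshake come from the peer, every length is checked against the enclosing buffer before it is used; those checks, the rejection of indefinite-length and multi-byte-tag encodings, and all names (tlv_read, tlv_children, cert_index_build, SAMPLE) are assumptions of this example. The sample bytes are constructed and encode signatureValue as a BIT STRING (tag 03).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
typedef struct { uint8_t tag; size_t off, hdr, len; } tlv_t;  /* hdr = tag + length octets */
typedef struct {                   /* the index table */
    tlv_t tbs, sig_alg, sig_val;   /* the three top-level parts */
    tlv_t field[16];               /* direct children of TBSCertificate */
    int   nfields;
} cert_index_t;

/* Read the TLV header at buf[pos]; 0 on success, -1 if malformed or outside `size` bytes. */
static int tlv_read(const uint8_t *buf, size_t size, size_t pos, tlv_t *out)
{
    size_t len = 0, n = 0;
    if (pos >= size || size - pos < 2 || (buf[pos] & 0x1F) == 0x1F) return -1;
    if (buf[pos + 1] < 0x80) {
        len = buf[pos + 1];                        /* short form: the byte is the length */
    } else {
        n = buf[pos + 1] & 0x7F;                   /* long form: n length octets follow */
        if (n == 0 || n > 4 || size - pos - 2 < n) return -1;  /* n == 0: indefinite form */
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[pos + 2 + i];   /* length *= 256; length += *(P+2+i) */
    }
    if (len > size - pos - 2 - n) return -1;       /* content must end inside the buffer */
    out->tag = buf[pos]; out->off = pos; out->hdr = 2 + n; out->len = len;
    return 0;
}

/* Record the direct children of `parent` in tab[]; returns their count, or -1. */
static int tlv_children(const uint8_t *buf, const tlv_t *parent, tlv_t *tab, int max)
{
    size_t pos = parent->off + parent->hdr, end = pos + parent->len;
    int n = 0;
    for (; pos < end; n++) {
        if (n == max || tlv_read(buf, end, pos, &tab[n]) != 0) return -1;
        pos += tab[n].hdr + tab[n].len;
    }
    return n;
}

/* Steps 1-3: split the certificate into three parts, then index the TBSCertificate fields. */
int cert_index_build(const uint8_t *der, size_t size, cert_index_t *ix)
{
    tlv_t outer, part[3];
    if (tlv_read(der, size, 0, &outer) != 0 || outer.tag != 0x30) return -1;
    if (outer.hdr + outer.len != size) return -1;  /* reject trailing bytes */
    if (tlv_children(der, &outer, part, 3) != 3 || part[0].tag != 0x30 || part[1].tag != 0x30)
        return -1;
    ix->tbs = part[0]; ix->sig_alg = part[1]; ix->sig_val = part[2];
    ix->nfields = tlv_children(der, &ix->tbs, ix->field, 16);
    return ix->nfields < 0 ? -1 : 0;
}

/* Constructed sample, not a real certificate; the last 129 bytes are implicit zeros. */
static const uint8_t SAMPLE[164] = {
    0x30,0x81,0xA1, 0x30,0x0C, 0x02,0x01,0x05, 0x30,0x03,0x06,0x01,0x2A, 0x30,0x02,0x05,0x00,
    0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00, 0x03,0x81,0x81 };

int main(void)
{
    cert_index_t ix;
    if (cert_index_build(SAMPLE, sizeof SAMPLE, &ix) != 0) return 1;
    for (int i = 0; i < ix.nfields; i++)           /* step 4: reuse the stored offsets */
        printf("field %d: offset %zu, %zu bytes\n", i, ix.field[i].off, ix.field[i].len);
    return 0;
}
```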
The above embodiment is only a preferred embodiment of the present invention. Within the essential intent and scope of the present invention, the algorithms it adopts may be varied or replaced in many ways, and such variations or replacements should not be excluded from the scope of protection of the present invention.

Claims (1)

1. A fast parsing and verification method for X509 digital certificates, comprising the following steps:
1) according to the structural characteristics of the X509 digital certificate, splitting the X509 digital certificate into three parts: the certificate main body, the certificate signature algorithm identifier and the certificate signature value;
2) according to the encoding format of the X509 digital certificate, locating and parsing each key field in the certificate main body;
3) building an index table from the position information of all parsed key fields, and storing the position information of all key fields in the index table;
4) when certificate key field information is used again, reading it directly from the index table built in step 3).
CN200810101869XA 2008-03-13 2008-03-13 X509 digital certificate quick analyzing and verifying method Active CN101257387B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200810101869XA CN101257387B (en) 2008-03-13 2008-03-13 X509 digital certificate quick analyzing and verifying method

Publications (2)

Publication Number Publication Date
CN101257387A CN101257387A (en) 2008-09-03
CN101257387B true CN101257387B (en) 2010-07-21

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101826962B (en) * 2009-10-13 2012-03-28 北京信安世纪科技有限公司 Method for quickly processing digital certificates
CN102299801A (en) * 2011-08-31 2011-12-28 四川长虹电器股份有限公司 Method for analyzing digital certificate based on linked list structure
US11032379B2 (en) 2015-04-24 2021-06-08 Citrix Systems, Inc. Secure in-band service detection

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5774552A (en) * 1995-12-13 1998-06-30 Ncr Corporation Method and apparatus for retrieving X.509 certificates from an X.500 directory
CN1493063A (en) * 2001-06-01 2004-04-28 Method and device for certification of trasaction
CN1682488A (en) * 2002-09-16 2005-10-12 艾利森电话股份有限公司 Loading data onto an electronic device
CN1787525A (en) * 2005-11-15 2006-06-14 上海格尔软件股份有限公司 Method for application of double certificate in SSL protocol
CN101136916A (en) * 2007-06-11 2008-03-05 夏莹杰 P2P transmission method based on roles and credit access control mechanism

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
ITU-T. ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER ObjectIdentifier tree. X.690. 2002, 3, 4, 18. *
R. Housley et al. Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 3280. 2002, 14-15. *
崔永祯 et al. Design and Implementation of a Certificate Authentication Model in a Secure Operating System. 计算机应用与软件 (Computer Applications and Software) 4. 2005, (4), 113-115, 142. *

Also Published As

Publication number Publication date
CN101257387A (en) 2008-09-03

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C56 Change in the name or address of the patentee

Owner name: HUAYAO (CHINA) TECHNOLOGY CO., LTD.

Free format text: FORMER NAME: ARRAY NETWORKS (BEIJING), INC.

CP03 Change of name, title or address

Address after: 100125 Beijing city Chaoyang District Liangmaqiao Road No. 40 building 10 room 1001-1017 twenty-first Century

Patentee after: Array Networks (Beijing), Inc.

Address before: 100016 Beijing city Chaoyang District No. 26 Xiaoyun Road, Eagle building, A2308

Patentee before: Array Networks (Beijing), Inc.

CP01 Change in the name or title of a patent holder

Address after: 100125 Beijing city Chaoyang District Liangmaqiao Road No. 40 building 10 room 1001-1017 twenty-first Century

Patentee after: Beijing Huayao Technology Co., Ltd

Address before: 100125 Beijing city Chaoyang District Liangmaqiao Road No. 40 building 10 room 1001-1017 twenty-first Century

Patentee before: Huayao (China) Technology Co., Ltd.

CP01 Change in the name or title of a patent holder