Background technology
With the development of the Internet, people increasingly rely on networks to carry out transactions involving sensitive data, such as e-banking and e-commerce. Moving these transactions online means that highly important and confidential data is constantly being transmitted over the network. For this reason, many new technologies have been invented to ensure that such important and confidential data can be transmitted safely and reliably over the network. A growing number of users rely on encryption mechanisms such as SSL (Secure Socket Layer) and TLS (Transport Layer Security), which establish a secure channel for data transfer between the client/browser and the server.
The SSL/TLS communication protocol consists of four main parts: the Record Protocol, the Handshake Protocol, the Alert Protocol and the Application Protocol. Their roles are as follows: 1. Record Protocol: built on top of a transport protocol (such as TCP or UDP), it provides data encapsulation, compression and encryption/decryption for the upper-layer protocols. 2. Handshake Protocol: used before application data transmission begins, so that the two communicating parties can perform authentication, negotiate the encryption algorithm, exchange encryption keys and so on. 3. Alert Protocol: used to convey SSL/TLS-related alerts to the peer entity. 4. Application Protocol: the actual data of the application service. With these four protocols, SSL/TLS solves the problem of communication security well, but it also imposes a heavy computational cost on the server. This is especially true of the second part, the Handshake Protocol, which has to handle authentication of X509 digital certificates and therefore requires complex certificate reading and parsing work.
The traditional approach to parsing and verifying an X509 digital certificate is to decode the file according to the ASN.1 (Abstract Syntax Notation One) encoding rules and then map the result onto the structure of the X509 digital certificate. The advantage of this approach is that existing general-purpose ASN.1 coding methods and programs can be used, but it does not make enough use of the structural characteristics of the X509 digital certificate itself: during parsing, content can only be determined by comparing against the identifiers defined in ASN.1. This approach usually uses recursive calls, so it consumes a great deal of system resources such as CPU time; the speed of secure transaction processing also drops considerably, and responses to many clients' secure transaction requests become very slow. Optimizing secure transaction processing and improving client response is therefore an urgent need of practical significance.
Summary of the invention
In view of the above problems, the purpose of the present invention is to provide a fast X509 digital certificate parsing and verification method that processes secure transactions with high efficiency while consuming few system resources.
To achieve the above purpose, the present invention adopts the following technical scheme: a fast X509 digital certificate parsing and verification method comprising the following steps: 1) according to the structural characteristics of the X509 digital certificate, split the X509 digital certificate into three parts: the certificate body, the certificate signature algorithm identifier and the certificate signature value; 2) according to the encoding format of the X509 digital certificate, locate and parse each key field from the certificate body; 3) build an index table from the position information of all parsed key fields, and store the location information of all key fields in the index table; 4) when key field information of the certificate is needed again, read it directly from the index table built in step 3).
Because of the above technical scheme, the present invention has the following advantages: 1. Because the present invention follows the structural characteristics and encoding format of the X509 digital certificate, it can quickly locate the exact position of each key field. Each time the certificate content is used during the Handshake Protocol, the relevant information can therefore be read quickly, which greatly speeds up certificate parsing and verification and shortens the response time of secure transaction processing. 2. When key field information of the certificate is needed again, the present invention can read it directly from the previously built index table, which avoids repeated certificate parsing work later on and makes subsequent access much more convenient. 3. Because the efficiency of certificate parsing and verification is improved, the consumption of system resources (such as processor and memory) is greatly reduced.
Embodiment
The present invention is described in detail below with reference to the drawings and an embodiment.
As shown in Figure 1, the structure of an X509 digital certificate comprises the certificate body (TBSCertificate), the certificate signature algorithm identifier (signatureAlgorithm) and the certificate signature value (signatureValue). The TBSCertificate part is the key component, and it contains many of the certificate's key fields. As shown in Figure 2, these include the subject name (subject), the issuer name (issuer), the subject's public key (subjectPublicKeyInfo), the validity period (validity) and other related information of the certificate; these key fields are exactly the data needed in the Handshake Protocol.
Because the file structure of an X509 digital certificate is very clear, there is no need to first carry out a complete and tedious parse according to the ASN.1 encoding format when parsing an X509 digital certificate. The parsing method of the present invention relies on the characteristics of the ASN.1 BER (Basic Encoding Rules) and on the characteristics of the X509 digital certificate structure to parse quickly.
To describe the method of the present invention and its effect in detail, the following embodiment is given:
1. According to the structural characteristics of the X509 digital certificate, the certificate is split into three parts: the certificate body, the certificate signature algorithm identifier and the certificate signature value.
The main contents of an X509 digital certificate are as follows:
30 8x yy yy
30 8w yy yy TBSCertificate 30zz...
30 0D 06 09...
30 81 81......
In the binary data stream of the above X509 digital certificate, every independent part begins with "30", which marks the start of a new part, and the number immediately following "30" represents the data length of the new part. For example, "8x" indicates the total length of the three parts to be split; "8w" indicates that the length of TBSCertificate occupies w bytes, and the bytes taken out according to that length are exactly the TBSCertificate part. By analogy, "30 0D" indicates that signatureAlgorithm has 13 bytes, and "30 81 81" indicates that signatureValue has 129 bytes.
2. According to the encoding format of the X509 digital certificate, the exact position of each key field is located and the position information of each key field is read out from the certificate body.
The key fields that currently need to be parsed comprise the mandatory fields and all the extension fields in the certificate body, specifically the subject name, the issuer name, the subject's public key, the validity period of the certificate and other related information.
Figure 3 illustrates the basic process of locating and reading one key field:
1. First, locate the "30" that marks the start of a new part; 2. compare the number immediately following "30", the start marker of a certificate field, with the number 80; 3. if the result of the comparison is "no", compute the length as length = *(P+1), where P+1 is a pointer and *(P+1) is the content read from the pointer P+1, and this content is the length; 4. if the result of the comparison is "yes", first compute the value of offset, then compute the content length with the loop length *= 256, length += *(P+2+i), i++; 5. read the content of this key field according to the computed content length.
3. Build an index table from the position information of all parsed key fields, and store the location information of all key fields in the index table.
The index table is represented as a simple array, as shown below:
Certificate[1] = 12 /* the first entry is the start position of the subject data */
Certificate[2] = 34 /* the second entry is the start position of the issuer data */
Certificate[3] = 86 /* the third entry is ... */
...
4. From this step on, whenever key field information is needed, it is read directly from the index table built in step 3. In this way, each time the X509 digital certificate content is used during the Handshake Protocol, the relevant information can be read quickly, which greatly speeds up certificate parsing and verification and shortens the response time of secure transaction processing. Because the efficiency of X509 digital certificate parsing and verification is improved, the consumption of system resources (such as processor and memory) is also greatly reduced.
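A sketch of steps 1 to 4 in C, added here as an illustration and not taken from the patent: it decodes the short and long length forms as in the Figure 3 procedure, adds the bounds checks a hand-written parser needs when certificates come from an untrusted peer, and records field offsets in an index table. The names field_t, read_tlv, index_children and index_certificate, and the constructed SAMPLE bytes (a toy structure, not a valid certificate), are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>   /* also provides size_t */
/* One index-table entry: tag, offset of the content, content length. */
typedef struct { uint8_t tag; size_t off, len; } field_t;
/* Constructed toy bytes, NOT a valid certificate; outer length in BER long form. */
static const uint8_t SAMPLE[] = {
    0x30, 0x81, 0x19, 0x30, 0x0D,                               /* outer (25), body (13) */
    0x02, 0x01, 0x05,                                           /* field 0: toy serial */
    0x30, 0x03, 0x0C, 0x01, 0x41, 0x30, 0x03, 0x0C, 0x01, 0x42, /* fields 1, 2: toy names */
    0x30, 0x03, 0x06, 0x01, 0x2A, 0x03, 0x03, 0x00, 0xAA, 0xBB };/* toy algorithm, signature */

/* Decode the header at P = buf + pos; -1 if malformed or outside buf[0..n). */
static int read_tlv(const uint8_t *buf, size_t n, size_t pos, field_t *f) {
    if (n < 2 || pos > n - 2) return -1;
    size_t len = buf[pos + 1], hdr = 2;        /* short form: length = *(P+1) */
    if (len & 0x80) {                          /* long form: low 7 bits = number of length bytes */
        size_t cnt = len & 0x7F;
        if (cnt == 0 || cnt > sizeof len || cnt > n - pos - 2) return -1;
        for (len = 0; hdr < 2 + cnt; hdr++)
            len = len * 256 + buf[pos + hdr];  /* length *= 256; length += next length byte */
    }
    if (len > n - pos - hdr) return -1;        /* content must fit inside the enclosing data */
    f->tag = buf[pos]; f->off = pos + hdr; f->len = len;
    return 0;
}

/* Record each child of constructed element p in tab[]; returns the count or -1. */
static int index_children(const uint8_t *buf, const field_t *p, field_t *tab, int max) {
    size_t pos = p->off, end = p->off + p->len;
    int k = 0;
    for (; pos < end; pos = tab[k].off + tab[k].len, k++)
        if (k == max || read_tlv(buf, end, pos, &tab[k]) != 0) return -1;
    return k;
}

/* Steps 1-3: split into the three parts, then index the fields of the first part. */
int index_certificate(const uint8_t *der, size_t n, field_t parts[3], field_t *tab, int max) {
    field_t outer;
    if (read_tlv(der, n, 0, &outer) != 0 || outer.tag != 0x30) return -1;
    if (index_children(der, &outer, parts, 3) != 3) return -1;
    return index_children(der, &parts[0], tab, max);
}

int main(void) {
    field_t parts[3], tab[8];
    int k = index_certificate(SAMPLE, sizeof SAMPLE, parts, tab, 8);
    for (int i = 0; i < k; i++) printf("Certificate[%d] = %zu\n", i, tab[i].off); /* step 4 */
    return k < 0;
}
```

Indefinite-length encodings (a bare 80 length byte) and lengths that overrun the enclosing part are rejected rather than indexed, so a later read through the table cannot run past the certificate buffer.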
The above embodiment is only a preferred embodiment of the present invention. Within the essential scope of the present invention, the algorithm adopted by the present invention may be varied or replaced in many ways, and such variations or replacements of the algorithm should not be excluded from the protection scope of the present invention.