CN106161037A - Digital signature method and device - Google Patents

Info

Publication number
CN106161037A
Authority
CN
China
Prior art keywords
file
signed
server
account
designated account
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610694577.6A
Other languages
Chinese (zh)
Other versions
CN106161037B (en)
Inventor
梁博
赵枝阳
赵亚帆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Xiaomi Mobile Software Co Ltd
Original Assignee
Beijing Xiaomi Mobile Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Xiaomi Mobile Software Co Ltd
Priority to CN201610694577.6A
Publication of CN106161037A
Application granted
Publication of CN106161037B
Current legal status: Active
Anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Abstract

The present disclosure relates to a digital signature method and device, and belongs to the field of network technology. The method includes: adding a file to be signed to a task queue through a first designated account, the first designated account having permission to copy files; obtaining the file to be signed from the task queue through a second designated account, the second designated account having digital signature authority; and reading a key through the second designated account and signing the file to be signed to obtain a signed file. The disclosure separates the signing process from the compiling process: compiling is not performed on the signature server, and signing is performed by the second designated account, which has permission to access the key on the signature server. This reduces the possibility of private key leakage and ensures the security of the key.

Description

Digital signature method and device

Technical field

The present disclosure relates to the field of network technology, and in particular to a digital signature method and device.

Background

In today's era of advanced network technology, servers and terminals exchange data frequently. Digital signature technology was developed to prevent a malicious third party from modifying data, or from impersonating the sending server to forge data.

For example, in the scenario of an application upgrade on the Android system, an account with compile permission can compile on the server to obtain an upgrade file and then read the key, so that the server signs the upgrade file with that key to obtain an upgrade data package. If a terminal needs to be upgraded, it can obtain the upgrade data package, verify the signature with the server's key to confirm that the package comes from that server, and perform the upgrade based on the package.

Summary of the invention

To solve the problems in the related art, the present disclosure provides a digital signature method and device. The technical solution is as follows:

According to a first aspect of the embodiments of the present disclosure, a digital signature method is provided, the method comprising:

adding a file to be signed to a task queue through a first designated account, the first designated account having permission to copy files;

obtaining the file to be signed from the task queue through a second designated account, the second designated account having digital signature authority;

reading a key through the second designated account and signing the file to be signed to obtain a signed file.

In a possible implementation, before the file to be signed is added to the task queue through the first designated account, the method further includes:

performing key authentication with a compilation server through the first designated account;

when the key authentication passes, establishing an access connection with the compilation server;

when it is detected through the access connection that the compilation server has finished compiling, copying the file to be signed from the compilation server through the first designated account.

In a possible implementation, obtaining the file to be signed from the task queue through the second designated account includes:

monitoring the task queue through the second designated account;

when it is detected that the file to be signed has been added to the task queue, obtaining the file to be signed from the task queue.

In a possible implementation, the file to be signed carries a file identifier, and after the key is read through the second designated account and the file to be signed is signed to obtain the signed file, the method further includes:

saving the signed file in a designated area, the signed file carrying the file identifier, so that the compilation server obtains the signed file from the designated area according to the file identifier.

In a possible implementation, the network access permission of the first designated account and the second designated account on the signature server is the permission to access the compilation server, and the permission to access the signature server is granted to the compilation server.

According to a second aspect of the embodiments of the present disclosure, a digital signature device is provided, the device comprising:

an adding module, configured to add a file to be signed to a task queue through a first designated account, the first designated account having permission to copy files;

an obtaining module, configured to obtain the file to be signed from the task queue through a second designated account, the second designated account having digital signature authority;

a signing module, configured to read a key through the second designated account and sign the file to be signed to obtain a signed file.

In a possible implementation, the device further includes:

an authentication module, configured to perform key authentication with a compilation server through the first designated account;

an establishing module, configured to establish an access connection with the compilation server when the key authentication passes;

a copying module, configured to copy the file to be signed from the compilation server through the first designated account when it is detected through the access connection that the compilation server has finished compiling.

In a possible implementation, the obtaining module includes a monitoring submodule and an obtaining submodule;

the monitoring submodule is configured to monitor the task queue through the second designated account;

the obtaining submodule is configured to obtain the file to be signed from the task queue when it is detected that the file to be signed has been added to the task queue.

In a possible implementation, the device further includes:

a saving module, configured to save the signed file in a designated area, the signed file carrying the file identifier, so that the compilation server obtains the signed file from the designated area according to the file identifier.

In a possible implementation, the network access permission of the first designated account and the second designated account on the signature server is the permission to access the compilation server, and the permission to access the signature server is granted to the compilation server.

According to a third aspect of the embodiments of the present disclosure, a digital signature device is provided, the device comprising: a processor; and a memory for storing instructions executable by the processor; wherein the processor is configured to:

add a file to be signed to a task queue through a first designated account, the first designated account having permission to copy files;

obtain the file to be signed from the task queue through a second designated account, the second designated account having digital signature authority;

read a key through the second designated account and sign the file to be signed to obtain a signed file.

The technical solutions provided by the embodiments of the present disclosure may include the following beneficial effects:

The method and device provided in this embodiment separate the signing process from the compiling process: compiling is not performed on the signature server, and signing is performed by the second designated account, which has permission to access the key on the signature server. This reduces the possibility of private key leakage and ensures the security of the key.

In a possible implementation, key authentication is performed between the compilation server and the signature server, which prevents a third party from forging an identity to obtain the signature server's key by deception, and improves the security of the key.

In a possible implementation, the network permission of the accounts on the signature server is limited to accessing the compilation server, and the permission to access the signature server is granted to the compilation server. This prevents a third party from stealing the key or modifying files over the network, and improves the network security of the signature server.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and do not limit the present disclosure.

Description of drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and, together with the description, serve to explain the principles of the disclosure.

Fig. 1 is a flowchart of a digital signature method according to an exemplary embodiment;

Fig. 2 is a flowchart of a digital signature method according to an exemplary embodiment;

Fig. 3 is a block diagram of a digital signature device according to an exemplary embodiment;

Fig. 4 is a block diagram of a digital signature device according to an exemplary embodiment;

Fig. 5 is a block diagram of a digital signature device according to an exemplary embodiment;

Fig. 6 is a block diagram of a digital signature device according to an exemplary embodiment;

Fig. 7 is a block diagram of a digital signature device 700 according to an exemplary embodiment.

Detailed description

To make the purpose, technical solutions and advantages of the present disclosure clearer, the disclosure is described in further detail below with reference to the embodiments and the accompanying drawings. The exemplary embodiments of the present disclosure and their descriptions are used to explain the disclosure, not to limit it.

Fig. 1 is a flowchart of a digital signature method according to an exemplary embodiment. As shown in Fig. 1, the digital signature method is used in a signature server and includes the following steps:

In step 101, a file to be signed is added to a task queue through a first designated account; the first designated account has permission to copy files.

In step 102, the file to be signed is obtained from the task queue through a second designated account; the second designated account has digital signature authority.

In step 103, a key is read through the second designated account and the file to be signed is signed to obtain a signed file.

In the related art, every account with compile permission also has permission to access the key. If any of these accounts leaks the key, a third party may obtain it, so key security is poor. A malicious third party could then forge signatures with the illegally obtained key and send forged files to other terminals; when a terminal receives such a forged file and the signature verification passes, it treats the file as legitimate, so the security of the terminal cannot be guaranteed either.

In the embodiments of the present disclosure, the signing process is separated from the compiling process: compiling is not performed on the signature server, and signing is performed by the second designated account, which has permission to access the key on the signature server. This reduces the possibility of private key leakage and ensures the security of the key.

In a possible implementation, the method further includes: performing key authentication with a compilation server through the first designated account; when the key authentication passes, establishing an access connection with the compilation server; and when it is detected through the access connection that the compilation server has finished compiling, copying the file to be signed from the compilation server through the first designated account.

In a possible implementation, the method includes: monitoring the task queue through the second designated account; and when it is detected that a file to be signed has been added to the task queue, obtaining the file to be signed from the task queue.

In a possible implementation, the method further includes: saving the signed file in a designated area, the signed file carrying a file identifier, so that the compilation server obtains the signed file from the designated area according to the file identifier.

In a possible implementation, the network access permission of the first designated account and the second designated account on the signature server is the permission to access the compilation server, and the permission to access the signature server is granted to the compilation server.

All of the above optional technical solutions may be combined in any way to form optional embodiments of the present disclosure, which are not described one by one here.

Fig. 2 is a flowchart of a digital signature method according to an exemplary embodiment. As shown in Fig. 2, this embodiment concerns the interaction between a signature server and a compilation server and includes the following steps:

In step 200, the signature server performs key authentication with the compilation server through the first designated account.

The inventors recognized that, in the related art, compiling and signing are both performed on the same server and compile permission is tied to signing permission, so an account with compile permission on that server can also obtain the key, and key security is poor. In the embodiments of the present disclosure, compiling and signing are therefore implemented on two separate servers: one is the compilation server, used for compiling, and the other is the signature server, used for signing. This isolates compile permission from signing permission.

In the embodiments of the present disclosure, key authentication is used by the compilation server and the signature server to authenticate each other's identity through a key algorithm. For example, key authentication can use the RSA key algorithm (Ron Rivest, Adi Shamir, Leonard Adleman): the signature server stores the public key in the first designated account, the compilation server stores the private key, the compilation server sends a connection request, and the signature server, after authenticating with the public key, establishes an access connection with the compilation server.

The first designated account is a type of account on the signature server. One or more accounts of this type are allowed on the signature server, and the first designated account only has permission to copy files from the compilation server. The embodiments of the present disclosure do not further limit the first designated account. For example, the first designated account may be the work account on a Linux server.

In a possible implementation, to improve the security of the file to be signed, the first designated account is allowed to copy files from the compilation server and is denied all other operation permissions, so that the file to be signed cannot be modified by the first designated account.

In step 201, when the key authentication passes, the signature server establishes an access connection with the compilation server.

Note that establishing the access connection on the basis of key authentication ensures that the identities of the compilation server and the signature server are genuine, and prevents a third party from impersonating one of them to obtain the other's data by deception.

In the embodiments of the present disclosure, the key authentication in steps 200 and 201 is optional. It makes the hand-off between the compiling process and the signing process more secure, but an embodiment may also proceed directly with step 202 and the steps that follow it to solve the problem of poor key security in the related art.

In step 202, the compilation server performs the compiling process.

In the embodiments of the present disclosure, because the signature server needs to obtain the file to be signed from the compilation server, the signature server can monitor through the access connection to learn the compilation server's compile progress in real time.

In step 203, when the signature server detects through the access connection that the compilation server has finished compiling, it copies the file to be signed from the compilation server through the first designated account; the file to be signed carries a file identifier.

Because compiling and signing are separated in the embodiments of the present disclosure, the signature server has to monitor the compilation server's compile progress in order to obtain the file to be signed, and when compiling is complete it copies the file to be signed from the compilation server through the first designated account. The file identifier uniquely identifies each file to be signed, so it is used to tell the files to be signed apart during the interaction between the compilation server and the signature server. For example, the file identifier may be the name of the file to be signed, derived from a naming rule; the embodiments of the present disclosure do not limit this.

In step 204, the signature server adds the file to be signed to the task queue through the first designated account.

Note that the task queue is the storage area in which the signature server keeps files to be signed; the signature server adds the copied file to be signed to this storage area through the first designated account. The storage area can use different storage schemes; for example, it can be organized as a queue, with files stored in the order in which they are saved. The embodiments of the present disclosure do not limit how the task queue is stored.

In step 205, when the signature server detects, through the second designated account, that a file to be signed has been added to the task queue, it obtains the file to be signed from the task queue; the second designated account has digital signature authority.

To avoid one account holding several permissions, which would lower the security of the signing process, the embodiments of the present disclosure further separate the permissions involved in signing: obtaining the file to be signed from the compilation server is assigned to the first designated account, and obtaining the file to be signed from the task queue is assigned to the second designated account.

Because the first designated account and the second designated account are not directly associated, the signature server has to monitor the task queue, that is, the storage area holding the files to be signed, through the second designated account in order to learn whether a file to be signed has been added to it. For example, the storage area may follow the first-in-first-out principle: when several files to be signed have been stored in sequence, the signature server, through the second designated account, takes the earliest stored file from that area in storage order. The embodiments of the present disclosure do not limit the order in which files to be signed are obtained.

在一种可能实现方式中,以签名服务器为Linux服务器为例进行说明,第二指定账户可以是Linux服务器上唯一的root账户,具有签名服务器的最高权限,包括数字签名权限。在其他平台上,该第二指定账户还可以是其他类型账户,本公开实施例对第二指定账户不做限定。In a possible implementation manner, the signature server is a Linux server as an example for illustration, and the second designated account may be the only root account on the Linux server, which has the highest authority of the signature server, including digital signature authority. On other platforms, the second designated account may also be another type of account, and this embodiment of the present disclosure does not limit the second designated account.

在步骤206中,签名服务器通过第二指定账户读取密钥,对待签名文件进行签名,得到已签名文件。In step 206, the signature server reads the key through the second designated account, signs the file to be signed, and obtains the signed file.

需要说明的是,为提高密钥的安全性,密钥保存在签名服务器中,通过对密钥进行访问限制,本公开是实施例对访问限制的方式不做限定。例如,访问密钥的权限仅对第二指定账户开放,使签名服务器仅通过第二指定账户才能读取密钥,对待签名文件进行签名。It should be noted that, in order to improve the security of the key, the key is stored in the signature server, and access restriction is performed on the key, and the embodiment of the present disclosure does not limit the access restriction method. For example, the authority to access the key is only open to the second designated account, so that the signature server can only read the key through the second designated account and sign the document to be signed.

其中,密钥类型是对称密钥或非对称密钥。一对对称密钥是指两个相同的密钥,一对非对称密钥包括一个公钥和一个私钥,公钥与私钥可以不同。相比对称密钥,非对称密钥采用两种不同的密钥,安全性更高。因此,本公开实施例中,以一对非对称密钥为例进行说明,这对非对称密钥中的私钥保存在签名服务器中,用于对文件进行签名,这对非对称密钥的公钥保存在发送目标的终端,用于验证签名。本公开实施例对密钥类型不做限定。Wherein, the key type is a symmetric key or an asymmetric key. A pair of symmetric keys refers to two identical keys, and a pair of asymmetric keys includes a public key and a private key, and the public key and the private key can be different. Compared with symmetric keys, asymmetric keys use two different keys and are more secure. Therefore, in this disclosed embodiment, a pair of asymmetric keys is used as an example for illustration. The public key is stored in the sending destination's terminal and is used to verify the signature. The embodiment of the present disclosure does not limit the key type.

在步骤207中,签名服务器在指定区域保存已签名文件,该已签名文件携带文件标识。In step 207, the signature server saves the signed file in the specified area, and the signed file carries the file identifier.

为避免编译服务器与第二指定账户直接关联,在第二指定账户完成签名后,签名服务器将已签名文件保存在指定区域。在一种可能实现方式中,指定区域可以是签名服务器设置的一块本地存储区域,该本地存储区域可以称为web区域,本公开实施例对指定区域的存储方式不做限定。例如,该存储区域采用队列的存储方式,该存储可以是按照保存顺序进行。In order to prevent the compilation server from being directly associated with the second designated account, after the second designated account finishes signing, the signature server saves the signed file in the designated area. In a possible implementation manner, the designated area may be a local storage area set by the signature server, and the local storage area may be called a web area, and the embodiment of the present disclosure does not limit the storage manner of the designated area. For example, the storage area adopts a queue storage method, and the storage may be performed according to the order of saving.

在步骤208中,编译服务器根据文件标识,从指定区域中获取已签名文件。In step 208, the compilation server obtains the signed file from the specified area according to the file identifier.

In the embodiments of the present disclosure, to keep the key secure, the network access permission of the first designated account and the second designated account on the signature server is the permission to access the compilation server, so that neither account can send signed files to other network devices through the signature server. The inbound access permission of the signature server is granted to the compilation server, so that the compilation server has permission to obtain signed files from the designated area. The embodiments of the present disclosure do not further limit the network access permissions between the signature server and the compilation server.

Because the accounts on the signature server may not be limited to the first designated account and the second designated account, in one possible implementation the network access permission of every account on the signature server is restricted to the compilation server for the sake of the signed files' security, so that no account on the signature server can send signed files to other network devices.

To further improve the security of signed files, in another possible implementation the inbound access permission of the signature server is granted only to the compilation server, so that only the compilation server has permission to obtain signed files from the designated area and other network devices do not.

These restrictions on outbound and inbound access implement access control at the network level, ensuring that only the compilation server and the signature server can access each other.

Note that the file identifier carried by the signed file is the same as the identifier carried by the file to be signed, so that the compilation server can obtain the signed file from the designated area, that is, from the local storage area, according to the file identifier. For example, the storage area may follow the first-in-first-out principle: when multiple signed files are stored in the storage area in sequence, the compilation server obtains the earliest-stored signed file from the designated area according to the order of saving.

In the embodiments of the present disclosure, the compilation server has at least two ways to obtain the signed file:

In the first way, the compilation server monitors the designated area through the access connection; when it learns through monitoring that the signed file has been saved to the designated area, it obtains the signed file corresponding to the file to be signed according to the file identifier.

In the second way, the signature server sends the compilation server, through the access connection, the storage address of the signed file in the designated area together with the file identifier, and the compilation server obtains the signed file using that storage address and file identifier.

In the related art, every account with compilation permission also has permission to access the key. If any one of those accounts leaks the key, a third party may obtain it, so key security is poor. A malicious third party could then forge signatures with the illegally obtained key and send forged files to other terminals; when a terminal receives such a forged file and signature verification passes, it treats the file as legitimate, so the terminal's security cannot be guaranteed.

In the embodiments of the present disclosure, the signing process is separated from the compilation process: compilation is not performed on the signature server, and signing is performed by the second designated account on the signature server, which has permission to access the key. This reduces the possibility of private key leakage and keeps the key secure.

In addition, in the embodiments of the present disclosure, key authentication is performed between the compilation server and the signature server, which prevents a third party from forging an identity to fraudulently obtain the signature server's key and improves key security.

In addition, in the embodiments of the present disclosure, the network permissions of accounts on the signature server are limited to accessing the compilation server, and access to the signature server is granted to the compilation server. This implements access control at the network level and prevents third parties from stealing the key or modifying files over the network, thereby improving the network security of the signature server.
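The flow described above (the copy account enqueues, the signing account reads the key and signs, the compilation server fetches by file identifier), as an added Python example that is not part of the patent text. HMAC-SHA256 stands in for the asymmetric signature so that only the standard library is needed; the account names, rights strings, host name and key are constructed for illustration, and the in-process checks model what the patent leaves to OS permissions and network rules.

```python
import hashlib
import hmac
from collections import OrderedDict, deque

BUILD_SERVER = "build-server"  # hypothetical host name of the compilation server


class Account:
    """An account on the signing server with a fixed set of rights."""

    def __init__(self, name, rights):
        self.name = name
        self.rights = frozenset(rights)

    def require(self, right):
        if right not in self.rights:
            raise PermissionError(f"{self.name} lacks the '{right}' right")


class SigningServer:
    def __init__(self, key: bytes):
        self._key = key            # only reachable through _read_key()
        self.task_queue = deque()  # files waiting to be signed (FIFO)
        self.area = OrderedDict()  # designated area: file_id -> (data, signature)

    def _read_key(self, account):
        account.require("sign")    # only the second designated account may read it
        return self._key

    def enqueue(self, account, file_id, data):
        """First designated account: copy a built file into the task queue."""
        account.require("copy")
        self.task_queue.append((file_id, data))

    def sign_next(self, account):
        """Second designated account: take the oldest task, sign it, store it."""
        account.require("sign")
        file_id, data = self.task_queue.popleft()
        # Stand-in for the real signature: HMAC-SHA256 over the file contents.
        sig = hmac.new(self._read_key(account), data, hashlib.sha256).digest()
        self.area[file_id] = (data, sig)  # signed file keeps the same identifier
        return file_id

    def fetch(self, peer, file_id):
        """Inbound access is granted to the compilation server only."""
        if peer != BUILD_SERVER:
            raise PermissionError(f"{peer} may not access the signing server")
        return self.area.pop(file_id)


def verify(key, data, sig):
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def run_demo():
    key = b"constructed-demo-key"  # constructed sample value
    server = SigningServer(key)
    copier = Account("copier", {"copy"})  # first designated account
    signer = Account("signer", {"sign"})  # second designated account
    server.enqueue(copier, "build-001", b"firmware image A")
    server.enqueue(copier, "build-002", b"firmware image B")
    try:
        server._read_key(copier)   # the copy account must not reach the key
        key_leaked = True
    except PermissionError:
        key_leaked = False
    order = [server.sign_next(signer), server.sign_next(signer)]
    data, sig = server.fetch(BUILD_SERVER, "build-002")  # lookup by file identifier
    return key_leaked, order, verify(key, data, sig)


if __name__ == "__main__":
    print(run_demo())
```
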

Fig. 3 is a block diagram of a digital signature device according to an exemplary embodiment. Referring to Fig. 3, the device includes an adding module 301, an obtaining module 302 and a signature module 303.

The adding module 301 is configured to add the file to be signed to the task queue through the first designated account, the first designated account having permission to copy files.

The obtaining module 302 is configured to obtain, through the second designated account, the file to be signed that the adding module 301 added to the task queue, the second designated account having digital signature permission.

The signature module 303 is configured to read the key through the second designated account and sign the file to be signed obtained by the obtaining module 302, producing the signed file.

In one possible implementation, building on the device composition of Fig. 3 and referring to Fig. 4, the device further includes an authentication module 304, an establishment module 305 and a copy module 306.

The authentication module 304 is configured to perform key authentication with the compilation server through the first designated account.

The establishment module 305 is configured to establish an access connection with the compilation server when the key authentication passes.

The copy module 306 is configured to copy the file to be signed from the compilation server through the first designated account when it detects, through the access connection, that the compilation server has finished compiling.

In one possible implementation, building on the device composition of Fig. 3 and referring to Fig. 5, the obtaining module 302 of the device includes a monitoring submodule 3021 and an obtaining submodule 3022.

The monitoring submodule 3021 is configured to monitor the task queue through the second designated account.

The obtaining submodule 3022 is configured to obtain the file to be signed from the task queue when it is detected that the file to be signed has been added to the task queue.

In one possible implementation, building on the device composition of Fig. 3 and referring to Fig. 6, the device further includes a saving module 307.

The saving module 307 is configured to save the signed file in a designated area, the signed file carrying the file identifier, so that the compilation server obtains the signed file from the designated area according to the file identifier.

In one possible implementation, the network access permissions of the first designated account and the second designated account on the signature server are limited to accessing the compilation server, and the inbound access permission of the signature server is granted to the compilation server.

All of the optional technical solutions above may be combined in any manner to form optional embodiments of the present disclosure, which are not described one by one here.

In the embodiments of the present disclosure, the signing process is separated from the compilation process: compilation is not performed on the signature server, and signing is performed by the second designated account on the signature server, which has permission to access the key. This reduces the possibility of private key leakage and keeps the key secure.

In addition, in the embodiments of the present disclosure, key authentication is performed between the compilation server and the signature server, which prevents a third party from forging an identity to fraudulently obtain the signature server's key and improves key security.

In addition, in the embodiments of the present disclosure, the network permissions of accounts on the signature server are limited to accessing the compilation server, and access to the signature server is granted to the compilation server. This implements access control at the network level and prevents third parties from stealing the key or modifying files over the network, thereby improving the network security of the signature server.

Regarding the device in the above embodiments, the specific manner in which each module performs its operations has been described in detail in the embodiments of the method and is not elaborated here.

Note that the digital signature device provided by the above embodiments is illustrated, for digital signing, only by the division into the functional modules described above. In practice, these functions may be assigned to different functional modules as needed; that is, the internal structure of the device may be divided into different functional modules to perform all or part of the functions described above. In addition, the digital signature device and the digital signature method provided by the above embodiments belong to the same concept; for the specific implementation process, see the method embodiments, which is not repeated here.

Fig. 7 is a block diagram of a digital signature device 700 according to an exemplary embodiment. For example, the device 700 may be provided as a server. Referring to Fig. 7, the device 700 includes a processing component 722, which further includes one or more processors, and memory resources represented by a memory 732 for storing instructions executable by the processing component 722, such as application programs. The application programs stored in the memory 732 may include one or more modules, each corresponding to a set of instructions. The processing component 722 is configured to execute the instructions so as to perform the digital signature method described above.

The device 700 may also include a power component 726 configured to perform power management of the device 700, a wired or wireless network interface 750 configured to connect the device 700 to a network, and an input/output (I/O) interface 758. The device 700 can operate based on an operating system stored in the memory 732, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ or the like.

Other embodiments of the present disclosure will be readily apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses or adaptations of the present disclosure that follow its general principles and include common knowledge or customary technical means in the art that are not disclosed herein. The specification and embodiments are to be regarded as exemplary only, with the true scope and spirit of the present disclosure indicated by the following claims.

It should be understood that the present disclosure is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present disclosure is limited only by the appended claims.

Claims (11)

1. A digital signature method, characterized in that it is applied to a signature server, the method comprising:
adding a file to be signed to a task queue through a first designated account, the first designated account having permission to copy files;
obtaining the file to be signed from the task queue through a second designated account, the second designated account having digital signature permission;
reading a key through the second designated account and signing the file to be signed to obtain a signed file.

2. The method according to claim 1, characterized in that, before the adding of the file to be signed to the task queue through the first designated account, the method further comprises:
performing key authentication with a compilation server through the first designated account;
when the key authentication passes, establishing an access connection with the compilation server;
when it is detected through the access connection that the compilation server has finished compiling, copying the file to be signed from the compilation server through the first designated account.

3. The method according to claim 1, characterized in that the obtaining of the file to be signed from the task queue through the second designated account comprises:
monitoring the task queue through the second designated account;
when it is detected that the file to be signed has been added to the task queue, obtaining the file to be signed from the task queue.

4. The method according to claim 1, characterized in that the file to be signed carries a file identifier, and after the reading of the key through the second designated account and the signing of the file to be signed to obtain the signed file, the method further comprises:
saving the signed file in a designated area, the signed file carrying the file identifier.

5. The method according to any one of claims 1 to 4, characterized in that the network access permission of the first designated account and the second designated account on the signature server is the permission to access the compilation server, and the inbound access permission of the signature server is granted to the compilation server.

6. A digital signature device, characterized in that it is applied to a signature server, the device comprising:
an adding module, configured to add a file to be signed to a task queue through a first designated account, the first designated account having permission to copy files;
an obtaining module, configured to obtain the file to be signed from the task queue through a second designated account, the second designated account having digital signature permission;
a signature module, configured to read a key through the second designated account and sign the file to be signed to obtain a signed file.

7. The device according to claim 6, characterized in that the device further comprises:
an authentication module, configured to perform key authentication with a compilation server through the first designated account;
an establishment module, configured to establish an access connection with the compilation server when the key authentication passes;
a copy module, configured to copy the file to be signed from the compilation server through the first designated account when it is detected through the access connection that the compilation server has finished compiling.

8. The device according to claim 6, characterized in that the obtaining module comprises:
a monitoring submodule, configured to monitor the task queue through the second designated account;
an obtaining submodule, configured to obtain the file to be signed from the task queue when it is detected that the file to be signed has been added to the task queue.

9. The device according to claim 6, characterized in that the device further comprises:
a saving module, configured to save the signed file in a designated area, the signed file carrying the file identifier, so that the compilation server obtains the signed file from the designated area according to the file identifier.

10. The device according to any one of claims 6 to 9, characterized in that the network access permission of the first designated account and the second designated account on the signature server is the permission to access the compilation server, and the inbound access permission of the signature server is granted to the compilation server.

11. A digital signature device, characterized in that it comprises:
a processor;
a memory for storing instructions executable by the processor;
wherein the processor is configured to:
add a file to be signed to a task queue through a first designated account, the first designated account having permission to copy files;
obtain the file to be signed from the task queue through a second designated account, the second designated account having digital signature permission;
read a key through the second designated account and sign the file to be signed to obtain a signed file.
CN201610694577.6A 2016-08-19 2016-08-19 Digital signature method and device Active CN106161037B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610694577.6A CN106161037B (en) 2016-08-19 2016-08-19 Digital signature method and device

Publications (2)

Publication Number Publication Date
CN106161037A true CN106161037A (en) 2016-11-23
CN106161037B CN106161037B (en) 2019-05-10

Family

ID=57341660

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610694577.6A Active CN106161037B (en) 2016-08-19 2016-08-19 Digital signature method and device

Country Status (1)

Country Link
CN (1) CN106161037B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1722656A (en) * 2004-04-08 2006-01-18 梁庆生 A digital signature method and digital signature tool
CN101477659A (en) * 2009-02-10 2009-07-08 百富计算机技术(深圳)有限公司 Method and apparatus for file automatic signature
US20090208000A1 (en) * 2008-02-19 2009-08-20 Fujitsu Limited Signature management method and signature management device
CN102148687A (en) * 2011-05-09 2011-08-10 北京数码大方科技有限公司 Signature method and device in information management system
CN102868688A (en) * 2012-09-05 2013-01-09 天地融科技股份有限公司 Certification system and method and electronic signature tool
CN104618120A (en) * 2015-03-04 2015-05-13 青岛微智慧信息有限公司 Digital signature method for escrowing private key of mobile terminal

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107769927A (en) * 2017-09-30 2018-03-06 飞天诚信科技股份有限公司 A kind of method and device that intelligent cipher key equipment is operated in MacOSX systems
CN110826092A (en) * 2018-08-14 2020-02-21 珠海金山办公软件有限公司 A file signature processing system
CN112506793A (en) * 2020-12-18 2021-03-16 航天信息股份有限公司 Embedded software unit testing method, system, readable medium and electronic equipment
CN112506793B (en) * 2020-12-18 2024-05-28 航天信息股份有限公司 Method and system for testing embedded software unit, readable medium and electronic equipment

Also Published As

Publication number Publication date
CN106161037B (en) 2019-05-10

Similar Documents

Publication Publication Date Title
CN112422532B (en) Service communication method, system and device and electronic equipment
US9184918B2 (en) Trusted hardware for attesting to authenticity in a cloud environment
CN110677240B (en) Method, apparatus and medium for providing highly available computing services through certificate issuance
CN112737779B (en) Cryptographic machine service method, device, cryptographic machine and storage medium
US8856544B2 (en) System and method for providing secure virtual machines
US9819496B2 (en) Method and system for protecting root CA certificate in a virtualization environment
CN105933125B (en) Southbound security authentication method and device in software-defined network
US20220294646A1 (en) Identity management for software components
AU2014226162A1 (en) Configuration and verification by trusted provider
CN109492358A (en) A kind of open interface uniform authentication method
CN111880919B (en) Data scheduling method, system and computer equipment
CN114268478B (en) Call request authentication method, device, equipment and medium of edge cloud platform
CN109450976A (en) A kind of method and device of the access of operation system
CN106161037A (en) Digital signature method and device
US8601544B1 (en) Computer system employing dual-band authentication using file operations by trusted and untrusted mechanisms
CN112738005A (en) Access processing method, device, system, first authentication server and storage medium
CN105814834A (en) Push-Based Trust Model For Public Cloud Applications
EP4433924A1 (en) Correlating remote attestation quotes with a virtualized network function (vnf) resource allocation event
US9240988B1 (en) Computer system employing dual-band authentication
CN108063679B (en) Method and device for upgrading cloud management platform
US12170656B1 (en) Authenticated assessment of network system assets
US12445492B1 (en) Signed remote execution for assessment of network system assets
CN116186709B (en) Method, device and medium for unloading UEFI (unified extensible firmware interface) safe start based on virtualized VirtIO technology
CN109313678B (en) API calling method and terminal
CN118410469B (en) Application verification method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant