+

WO2025001230A1 - Digital certificate management method, apparatus, device and system and readable storage medium - Google Patents

Digital certificate management method, apparatus, device and system and readable storage medium Download PDF

Info

Publication number
WO2025001230A1
WO2025001230A1 PCT/CN2024/078901 CN2024078901W WO2025001230A1 WO 2025001230 A1 WO2025001230 A1 WO 2025001230A1 CN 2024078901 W CN2024078901 W CN 2024078901W WO 2025001230 A1 WO2025001230 A1 WO 2025001230A1
Authority
WO
WIPO (PCT)
Prior art keywords
digital certificate
certificate
level digital
level
current
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
PCT/CN2024/078901
Other languages
French (fr)
Chinese (zh)
Inventor
麻付强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Mass Information Technology Research Institute
Original Assignee
Shandong Mass Information Technology Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shandong Mass Information Technology Research Institute filed Critical Shandong Mass Information Technology Research Institute
Publication of WO2025001230A1 publication Critical patent/WO2025001230A1/en
Pending legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3265Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate chains, trees or paths; Hierarchical trust model
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Definitions

  • the present application relates to the field of digital certificate technology, and in particular to a digital certificate management method, device, equipment, system and non-volatile readable storage medium.
  • a digital certificate is a digital identity document used to prove the identity of an entity (usually a person, organization, or website).
  • a digital certificate is created using encryption technology and contains a public key and related identification information, such as the certificate holder's name, email address, organization name, etc.
  • Digital certificates are widely used in e-commerce, Internet banking, email security, network security, and other fields.
  • Digital certificates are usually issued by an authoritative certificate authority (CA) to the certificate owner.
  • the digital certificate contains the digital signature of the certificate authority for the certificate user to verify the legitimacy of the certificate owner.
  • this digital certificate management mechanism is highly dependent on a third party (i.e., the certificate authority).
  • the certificate authority When the certificate authority is under security threat or attacked by a man-in-the-middle attack, it poses a great threat to the security of the certificate user.
  • the purpose of this application is to provide a digital certificate management method, device, equipment, system and non-volatile readable storage medium, which are used to improve the security of the digital certificate management system, thereby improving the security of the certificate owner and the security of the certificate user.
  • the present application provides a digital certificate management method, including:
  • the target business is deployed using the certificate chain
  • the certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment.
  • At least one level of digital certificates in the certificate chain includes a public key infrastructure certificate and a confidential computing certificate.
  • the digital certificate device generates a certificate chain for the target service, including:
  • the first-level digital certificate device for holding the first-level digital certificate of the certificate chain generates the first-level digital certificate by self-signing and verifies the signature of the first-level digital certificate, thereby determining that the first-level digital certificate is legitimate and the first-level digital certificate device has the authority to issue digital certificates;
  • the current-level digital certificate device receives the current-level digital certificate issued by the previous-level digital certificate device and verifies the signature of the current-level digital certificate, and determines that the current-level digital certificate is legal;
  • the certificate chain is obtained.
  • the first-level digital certificate device for holding the first-level digital certificate of the certificate chain generates the first-level digital certificate by self-signing and verifies the signature of the first-level digital certificate, and determines that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates, including:
  • the first-level digital certificate device is a certificate authority device, and the first-level digital certificate device signs the local digital certificate information with the private key in the locally generated asymmetric key to obtain the first-level digital certificate; after the first-level digital certificate device verifies the signature of the first-level digital certificate with the public key in the locally generated asymmetric key, it is determined that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates;
  • the first-level digital certificate device is a confidential computing device with a confidential computing environment.
  • the first-level digital certificate device signs the local digital certificate information with the private key of the asymmetric key generated in the local confidential computing environment to obtain the first-level digital certificate.
  • the first-level digital certificate is verified by the public key of the asymmetric key generated in the local confidential computing environment, it is determined that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates.
  • determining that the current-level digital certificate is legitimate includes:
  • the current-level digital certificate device receives the current-level digital certificate obtained by signing the local digital certificate information of the current-level digital certificate device with the private key in the asymmetric key generated by the previous-level digital certificate device, and uses the public key in the asymmetric key generated by the previous-level digital certificate device to verify the signature of the current-level digital certificate. After the current-level digital certificate is passed, it is determined that the current-level digital certificate is legal;
  • the current-level digital certificate device uses the private key in the asymmetric key generated in the local confidential computing environment to self-sign the local digital certificate information of the current-level digital certificate device, receives the private key in the asymmetric key generated by the previous-level digital certificate device, signs the self-signed local digital certificate information to obtain the current-level digital certificate, uses the public key in the asymmetric key generated in the local confidential computing environment to self-sign the current-level digital certificate, and after the current-level digital certificate is verified by the public key in the asymmetric key generated by the previous-level digital certificate device, the current-level digital certificate is determined to be legal.
  • the first-level digital certificate device signs the local digital certificate information using a private key of an asymmetric key generated in a local confidential computing environment, including:
  • the first-level digital certificate device After verifying the authenticity of the local confidential computing environment, the first-level digital certificate device signs the local digital certificate information using the private key of the asymmetric key generated in the local confidential computing environment.
  • the current-level digital certificate device uses a private key in an asymmetric key generated in a local confidential computing environment to perform a self-signing process on the local digital certificate information of the current-level digital certificate device, including:
  • the current-level digital certificate device uses the private key in the asymmetric key generated in the local confidential computing environment to self-sign the local digital certificate information of the current-level digital certificate device.
  • the asymmetric key generated by the previous digital certificate device is an asymmetric key generated in a local confidential computing environment
  • the current-level digital certificate device receives the current-level digital certificate obtained by signing the local digital certificate information of the current-level digital certificate device using the private key in the asymmetric key generated by the previous-level digital certificate device, including:
  • the current-level digital certificate device After the current-level digital certificate device triggers and passes the authenticity verification of the local confidential computing environment of the previous-level digital certificate device, the current-level digital certificate device obtains the private key in the asymmetric key generated in the local confidential computing environment of the previous-level digital certificate device to sign the local digital certificate information of the current-level digital certificate device to obtain the current-level digital certificate;
  • the current-level digital certificate device receives the private key in the asymmetric key generated by the previous-level digital certificate device and signs the local digital certificate information after the self-signature processing to obtain the current-level digital certificate, including:
  • the current level digital certificate device After triggering and passing the authenticity verification of the local confidential computing environment of the previous level digital certificate device, the current level digital certificate device obtains the private key in the asymmetric key generated in the local confidential computing environment of the previous level digital certificate device to sign the local digital certificate information after self-signing to obtain the current level digital certificate.
  • performing authenticity verification on a local confidential computing environment includes:
  • the remote attestation data in the local digital certificate information of the device is sent to the device manufacturer to verify the authenticity of the local confidential computing environment.
  • the remote attestation data includes trustworthiness metric information of the device.
  • the remote attestation data includes a remote attestation data plaintext and a remote attestation data signature obtained by signing the remote attestation data plaintext using a hardware remote attestation private key of a local confidential computing environment of the device;
  • the remote proof data plaintext includes a hash value of a public key in an asymmetric key generated in a local confidential computing environment of the device and the trust measurement information of the device.
  • the first-level digital certificate is verified by the public key of the asymmetric key generated in the local confidential computing environment, the first-level digital certificate is determined to be legitimate and the first-level digital certificate device has the authority to issue digital certificates, including:
  • the first-level digital certificate device compares the calculated hash value of the entity public key in the confidential computing certificate and the public key hash value in the remote attestation data in the confidential computing certificate. After the first-level digital certificate is signed and verified by the entity public key, it is determined that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates.
  • the current-level digital certificate device uses a public key in an asymmetric key generated in a local confidential computing environment to perform self-signature verification on the current-level digital certificate, including:
  • the current-level digital certificate device compares and calculates the hash value of the entity public key in the confidential computing certificate and the public key hash value in the remote attestation data in the confidential computing certificate, and verifies the signature of the current-level digital certificate through the entity public key.
  • the digital certificate device generates a certificate chain for the target service, including:
  • the current-level digital certificate device that has the current-level digital certificate will verify the signature of the previous-level digital certificate device and determine that the current-level digital certificate is legal;
  • the current-level digital certificate device determines that the current-level digital certificate is legal after verifying the signatures of the first preset number of the multiple signatures;
  • the first preset number is smaller than the number of signatures of the previous level digital certificate device in the current level digital certificate.
  • the current-level digital certificate device determines that the current-level digital certificate is legitimate after verifying a first preset number of signatures among the multiple signatures, including:
  • the current-level digital certificate is determined to be legal after the current-level digital certificate device passes the signature verification of a second preset number of public key infrastructure signatures among the multiple signatures and passes the signature verification of a third preset number of confidential computing signatures among the multiple signatures;
  • the second preset number is less than the public key infrastructure signature of the previous digital certificate device in the current digital certificate.
  • the third preset number is less than the number of confidential computing signatures of the previous level digital certificate device in the current level digital certificate.
  • generating a digital certificate issuance request based on the needs of the target business includes:
  • the method further includes:
  • the certificate chain After receiving an application request for a target service from a requesting device, the certificate chain is verified for legitimacy so that the requesting device determines that the target service is legitimate after determining that the certificate chain is legitimate.
  • the method is applied to a server that performs a Hypertext Transfer Protocol Secure connection
  • the digital certificate management method also includes:
  • the certificate chain corresponding to the server's Hypertext Transfer Protocol Security connection service is verified and passed, and the last-level digital certificate of the certificate chain corresponding to the Hypertext Transfer Protocol Security connection service is sent to the client so that the client can verify the last-level digital certificate, so that after the client verifies the last-level digital certificate, it can determine that the Hypertext Transfer Protocol Security connection service is legal and establish a Hypertext Transfer Protocol Security channel with the server.
  • the digital certificate management method also includes:
  • the digital certificates at all levels of the certificate chain are provided to the file receiving device, so that the file receiving device receives the target file after the legitimacy verification of the digital certificates at all levels of the certificate chain is passed.
  • the present application also provides a digital certificate management method, including:
  • the business device generates a digital certificate issuance request according to the needs of the target business, and sends the digital certificate issuance request to the digital certificate device;
  • the digital certificate device generates a certificate chain for the target business according to the digital certificate issuance request;
  • the business equipment After the business equipment verifies the legitimacy of the certificate chain and passes it, it uses the certificate chain to deploy the target business;
  • the certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment.
  • the present application also provides a digital certificate management system, including: a business device and a digital certificate device;
  • the business device is used to generate a digital certificate issuance request according to the needs of the target business; send the digital certificate issuance request to the digital certificate device so that the digital certificate device generates a certificate chain for the target business; after the certificate chain is verified for legitimacy, the target business is deployed using the certificate chain;
  • the certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment.
  • the present application also provides a digital certificate management device, including:
  • a request unit used to generate a digital certificate issuance request according to the needs of the target business
  • a sending unit used to send a digital certificate issuance request to a digital certificate device, so that the digital certificate device generates a certificate chain for a target service
  • a deployment unit is used to deploy the target business using the certificate chain after the certificate chain passes the legitimacy verification
  • the certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment.
  • the present application also provides a digital certificate management device, including:
  • the processor is used to execute a computer program, and when the computer program is executed by the processor, the steps of any one of the digital certificate management methods described above are implemented.
  • the present application also provides a non-volatile readable storage medium, on which a computer program is stored.
  • a computer program is stored on which a computer program is stored.
  • the steps of any one of the above digital certificate management methods are implemented.
  • the digital certificate management method provided in the present application generates a digital certificate issuance request according to the needs of the target business, and sends the digital certificate issuance request to the digital certificate device so that the digital certificate device generates a certificate chain for the target business, and the certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment; through the certificate chain composed of a hybrid digital certificate consisting of a public key infrastructure certificate and a confidential computing certificate, compared with a single public key infrastructure certificate or a certificate chain consisting only of a public key infrastructure certificate in the related technology, the trusted party in the certificate chain is increased, that is, in addition to the certificate authority, a trusted execution environment for generating confidential computing certificates is introduced as one of the trusted parties, thereby reducing the security dependence on the certificate authority, improving the security of the certificate chain, and further improving the security of the certificate owner and the security of the certificate user.
  • the target business is deployed after the certificate chain is verified and passed, thereby improving the security of the target business.
  • At least one level of digital certificate in the certificate chain can include a public key infrastructure certificate and a confidential computing certificate, so as to further improve the security of a single-level digital certificate on the basis that digital certificates at all levels are of a single type of digital certificate, thereby improving the security of the entire certificate chain, and improving the security of certificate owners and certificate users.
  • the digital certificate management method provided in the present application obtains a more secure digital certificate signature scheme by first self-signing the current level confidential computing certificate through the confidential computing device in the digital certificate device, and then signing it by the digital certificate device of the previous level.
  • the present application also provides a digital certificate management device, equipment, system and non-volatile readable storage medium, which have the above-mentioned beneficial effects and are not repeated here.
  • FIG1 is a schematic diagram of the structure of a digital certificate management system provided in an embodiment of the present application.
  • FIG2 is a flow chart of a digital certificate management method provided in an embodiment of the present application.
  • FIG3 is a flow chart of a digital certificate device generating a certificate chain for a target service provided by an embodiment of the present application
  • FIG4 is a schematic diagram of a first certificate chain scenario provided in an embodiment of the present application.
  • FIG5 is a schematic diagram of a second certificate chain scenario provided in an embodiment of the present application.
  • FIG6 is a schematic diagram of a third certificate chain scenario provided in an embodiment of the present application.
  • FIG7 is a schematic diagram of a fourth certificate chain scenario provided in an embodiment of the present application.
  • FIG8 is a schematic diagram of a fifth certificate chain scenario provided in an embodiment of the present application.
  • FIG9 is a schematic diagram of a sixth certificate chain scenario provided in an embodiment of the present application.
  • FIG10 is a schematic diagram of the structure of a digital certificate management device provided in an embodiment of the present application.
  • FIG11 is a schematic diagram of the structure of a digital certificate management device provided in an embodiment of the present application.
  • the core of this application is to provide a digital certificate management method, device, equipment, system and non-volatile readable storage medium to improve the security of the digital certificate management system, thereby improving the security of the certificate owner and the security of the certificate user.
  • FIG1 is a schematic diagram of the structure of a digital certificate management system provided in an embodiment of the present application.
  • the digital certificate management system includes: a business device 101 and a digital certificate device 102;
  • the service device 101 is used to generate a digital certificate issuance request according to the needs of the target service; send the digital certificate issuance request to the digital certificate device 102, so that the digital certificate device 102 generates a certificate chain of the target service; after the certificate chain is verified to be legitimate, the target service is deployed using the certificate chain;
  • the certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment.
  • PKI Public Key Infrastructure
  • CA Certificate Authority
  • TEE Trusted Execution Environment
  • a complete public key infrastructure basic structure consists of a certificate authority (CA), a digital certificate registration center (RA), an issuance system, a key management platform, and an application programming interface (API).
  • CA certificate authority
  • RA digital certificate registration center
  • API application programming interface
  • a digital certificate issued by a certificate authority is defined as a public key infrastructure certificate.
  • the trusted execution environment is a secure area built in the central processing unit through software and hardware methods to ensure that the programs and data loaded inside it are protected in terms of confidentiality and integrity.
  • the equipment that builds the trusted execution environment needs to be pre-installed with an integrated commercial central processing unit computing chip.
  • a trusted self-signed certificate can be constructed in the trusted execution environment, and the hardware trusted execution environment can be used as a hardware trusted root to strongly bind the certificate to the hardware environment, eliminating the influence of the public certificate authority.
  • a device with a trusted execution environment is defined as a confidential computing device, and a certificate constructed in a trusted execution environment is defined as a confidential computing certificate.
  • the owner of a digital certificate can be a person, organization, or website and can be deployed in a device.
  • the digital certificate management system often provides a single type of digital certificate, that is, either providing a single public key infrastructure certificate or a certificate chain consisting of multiple public key infrastructure certificates, or generating a confidential computing certificate based on a trusted execution environment. It is understandable that since the confidential computing certificate generated based on a trusted execution environment binds the credibility of the certificate to the hardware environment, compared with the public key infrastructure issued by a third-party certificate authority, the confidential computing certificate generated based on the trusted execution environment is more reliable than the public key infrastructure issued by a third-party certificate authority. Facility certificates are more secure. However, relying solely on confidential computing certificates still relies on trust in the hardware environment.
  • a hybrid data certificate solution is provided.
  • a certificate chain containing a hybrid digital certificate is generated, that is, the certificate chain contains both a public key infrastructure certificate and a confidential computing certificate.
  • the trust system has been expanded from a single trust system to two trust systems, reducing the reliance on a single trust system, thereby further improving the security of the certificate chain, and the security of the certificate owner and the security of the certificate user have also been further improved.
  • the digital certificate device 102 and the business device 101 together constitute the digital certificate device 102 corresponding to the digital certificates at each level of the certificate chain, that is, the business device 101 exists as the last level of digital certificate device 102, and the digital certificate devices 102 at each level hold the corresponding digital certificates.
  • the certificate chain includes at least two levels of digital certificates, that is, in addition to the business device 101, at least one digital certificate device 102 is included to cooperate in generating the certificate chain.
  • a first-level digital certificate may include multiple digital certificates. In the embodiment of the present application, "level" represents the link of the certificate chain.
  • the business device 101 When the business device 101 has a need to deploy the target business, it needs to obtain a digital certificate corresponding to the target business.
  • the combination of different types of digital certificates in the certificate chain can be determined according to the security level of the target business, and then the digital certificate issuance request is sent to the digital certificate devices 102 at each level.
  • the process of the digital certificate device 102 generating a certificate chain starts from the first-level digital certificate device 102, and first generates a root certificate obtained by self-signing. After the first-level certificate device passes the self-signature verification, it issues a second-level digital certificate to the second-level digital certificate device 102.
  • the second-level digital certificate device 102 confirms that the second-level digital certificate is legal after passing the second-level digital certificate.
  • third-level digital certificate device 102 If there is still a third-level digital certificate device 102, continue to execute the step of issuing a third-level digital certificate to the third-level digital certificate device 102.
  • the second-level digital certificate device 102 is the business device 101, then after the business device 101 receives the second-level digital certificate and passes the signature verification, it uses the legal second-level digital certificate to cooperate in deploying the target business.
  • the business demander wants to use the target business, the business demander obtains the digital certificates at each level in the certificate chain corresponding to the target business and verifies the signatures step by step. After passing the verification step by step, it is determined that the target business is legal and can be used.
  • FIG2 is a flow chart of a digital certificate management method provided in an embodiment of the present application.
  • the digital certificate management method includes:
  • S201 Generate a digital certificate issuance request according to the needs of the target business.
  • S202 Send a digital certificate issuance request to a digital certificate device so that the digital certificate device generates a certificate chain for the target business; wherein the certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment.
  • the digital certificate management method provided in the embodiment of the present application can be applied to individual user devices or collective user devices, for example, it can be applied to file sending devices or service servers.
  • the steps of the digital certificate management method provided in the embodiment of the present application executed by the target device are defined.
  • a service server When a service server needs to launch a service, it needs to obtain a digital certificate to ensure the legitimacy of the service in order to deploy the target service.
  • a file sending device When a file sending device needs to send a file, such as user A needs to send a file to user B, the file sent by user A must have a legal digital certificate to ensure the legitimacy of the file.
  • digital certificates can also be used as a legitimacy verification tool.
  • the target business may include but is not limited to the business launched by the business server mentioned above, the file sending requirements of the file sending device, and the data encryption and decryption business.
  • a digital certificate issuance request is generated according to the needs of the target business. Specifically, when the public infrastructure certificate and the confidential computing certificate are combined, various types of digital certificates can be generated according to different scenarios, requirements, and security levels for users to flexibly choose.
  • S202: generating a digital certificate issuance request according to the requirements of the target business may include:
  • the first-level digital certificate of the certificate chain can include multiple digital certificates, which can also include digital certificates generated by multiple methods, to improve the security of the single-level digital certificate and further improve the security of the certificate chain.
  • the device that generates the target business demand is the last level digital certificate device corresponding to the certificate chain, and the previous level digital certificate devices are all devices that generate and issue digital certificates.
  • the business device sends a digital certificate issuance request to the digital certificate device so that the digital certificate device generates a certificate chain for the target business.
  • the business device can first send a digital certificate issuance request to the upper level digital certificate device.
  • the digital certificate issuance request carries the information of the digital certificate devices at all levels corresponding to the entire certificate chain and the type of digital certificate that needs to be generated, so that the upper level digital certificate device of the business device passes the digital certificate issuance request upward step by step, and then generates digital certificates step by step downward to form a certificate chain.
  • the business device can also send digital certificate issuance requests to digital certificate devices at all levels according to the corresponding digital certificate devices in the certificate chain.
  • the digital certificate issuance request carries the information of the digital certificate devices at all levels corresponding to the entire certificate chain and the type of digital certificate that needs to be generated, so that the first level digital certificate device of the certificate chain generates digital certificates step by step downward to form a certificate chain.
  • the certificate chain includes at least one public key infrastructure certificate and one confidential computing certificate.
  • the certificate chain includes two levels of digital certificates and each level corresponds to a digital certificate, then one of the two levels of digital certificates is a public key infrastructure certificate and the other is a confidential computing certificate.
  • the legitimacy of the digital certificate is verified during the generation of the certificate chain, that is, during the step-by-step generation of the digital certificate.
  • the digital certificate issuer signs the digital certificate information using the private key in the asymmetric key to obtain a digital certificate containing the plain text of the digital certificate information and the corresponding digital signature.
  • the digital certificate issuer issues the digital certificate and the corresponding public key to the digital certificate owner.
  • the digital certificate owner verifies the digital certificate using the public key in the asymmetric key, that is, decrypts the digital signature in the digital certificate using the public key and compares it with the plain text of the digital certificate information. If they are consistent, the digital certificate is determined to be legal, and if they are inconsistent, the digital certificate is determined to be illegal.
  • the signature verification is also carried out step by step.
  • Each digital certificate of the next level can only be generated after the legitimacy verification is carried out through the signature verification before entering the generation process of the next level of digital certificate.
  • a certificate chain that passes the legitimacy verification is obtained, which can be used to deploy the digital certificate of the target business.
  • the digital certificate information may include, but is not limited to: certificate issuer information, certificate owner information, and user-defined extended information.
  • the digital certificate information of a confidential computing certificate also includes the public key of the certificate owner and even the remote attestation device of the certificate owner.
  • the management cycle of a digital certificate includes not only the process of generating a digital certificate, but also the process of using a digital certificate.
  • the digital certificate management method provided in the embodiment of the present application may also include: after receiving an application request from a requesting device for a target service, verifying the legitimacy of the certificate chain so that the requesting device determines that the target service is legitimate after determining that the certificate chain is legitimate.
  • the digital certificate user is defined as the requesting device that wants to apply the target service.
  • the service device provides the target service to the requesting device, or the requesting device requests the service device to use the target service
  • the requesting device needs to verify the legitimacy of the certificate chain corresponding to the target service.
  • the legitimacy verification process is similar to the legitimacy verification process when the certificate chain is generated. By verifying the signatures step by step, when it is determined that the digital certificates at all levels of the certificate chain are legal, the requesting device completes the handshake with the service device and can use the target service.
  • the digital certificate management method provided in the embodiment of the present application generates a digital certificate issuance request according to the needs of the target business, and sends the digital certificate issuance request to the digital certificate device so that the digital certificate device generates a certificate chain for the target business, and the certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment; the certificate chain composed of a hybrid digital certificate consisting of a public key infrastructure certificate and a confidential computing certificate increases the trusted party in the certificate chain compared to a single public key infrastructure certificate or a certificate chain consisting only of a public key infrastructure certificate in the related technology, that is, in addition to the certificate authority, a trusted execution environment for generating a confidential computing certificate is introduced as one of the trusted parties, thereby reducing the security dependence on the certificate authority, improving the security of the certificate chain, and further improving the security of the certificate owner and the security of the certificate user.
  • the target business is deployed after the certificate chain is verified and passed, thereby improving the security of the target business
  • the security of the certificate chain in addition to including at least one public key infrastructure certificate and one confidential computing certificate in the certificate chain, the security of the certificate chain can also be improved by including multiple digital certificates in the primary digital certificate.
  • the primary digital certificate can also be a hybrid digital certificate solution.
  • At least one level of digital certificate in the certificate chain can be set to include a public key infrastructure certificate and a confidential computing certificate.
  • At least one level of digital certificate in the certificate chain can include a public key infrastructure certificate and a confidential computing certificate, so as to further improve the security of a single-level digital certificate on the basis that digital certificates at all levels are of a single type of digital certificate, thereby improving the security of the entire certificate chain, and improving the security of certificate owners and certificate users.
  • FIG3 is a flow chart of a digital certificate device generating a certificate chain for a target business provided by an embodiment of the present application.
  • the embodiments of the present application further illustrate the process of generating a certificate chain.
  • the digital certificate device in S202, the digital certificate device generates a certificate chain for the target service, including:
  • the first-level digital certificate device for holding the first-level digital certificate of the certificate chain generates a first-level digital certificate by self-signing and verifies the first-level digital certificate, thereby determining that the first-level digital certificate is legal and that the first-level digital certificate device has the authority to issue digital certificates.
  • the current-level digital certificate device Starting from the second-level digital certificate device for holding the second-level digital certificate of the certificate chain, the current-level digital certificate device receives the current-level digital certificate issued by the previous-level digital certificate device and verifies the signature of the current-level digital certificate, and determines that the current-level digital certificate is legal.
  • the owner of the first-level digital certificate corresponding to the certificate chain is the first-level digital certificate device.
  • the first-level digital certificate device generates the first-level digital certificate by self-signing, which is the root certificate of the certificate chain.
  • the first-level digital certificate device verifies the signature of the first-level digital certificate by itself, and after passing the verification, it is determined that the first-level digital certificate is legal, and the first-level digital certificate device has the authority to issue digital certificates.
  • the first-level digital certificate device for holding the first-level digital certificate of the certificate chain generates the first-level digital certificate by self-signing and verifies the first-level digital certificate, and determines that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates, which may include:
  • the first-level digital certificate device is a certificate authority device, and the first-level digital certificate device signs the local digital certificate information with the private key in the locally generated asymmetric key to obtain the first-level digital certificate; after the first-level digital certificate device verifies the signature of the first-level digital certificate with the public key in the locally generated asymmetric key, it is determined that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates;
  • the first-level digital certificate device is a confidential computing device with a confidential computing environment.
  • the first-level digital certificate device signs the local digital certificate information with the private key of the asymmetric key generated in the local confidential computing environment to obtain the first-level digital certificate.
  • the first-level digital certificate is verified by the public key of the asymmetric key generated in the local confidential computing environment, it is determined that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates.
  • the public key infrastructure certificate in the first-level digital certificate is generated and issued by a certificate authority.
  • the first-level digital certificate device should be a certificate authority device, so as to generate a first-level public key infrastructure certificate by itself.
  • the first-level digital certificate device generates a pair of asymmetric keys locally, and uses the private key therein to sign the plaintext of the local digital certificate information, thereby obtaining a first-level digital certificate containing the plaintext of the local digital certificate information and the digital signature of the local digital certificate information.
  • the first-level digital certificate device then verifies the signature of the first-level digital certificate using the public key in the above-mentioned asymmetric key. If it passes, it is determined that the first-level digital certificate is legal, and at this time the first-level digital certificate device can issue a digital certificate to the second-level digital certificate device.
  • the confidential computing certificate in the first-level digital certificate should be generated based on the local precision computing environment, so the first-level digital certificate device should be a confidential computing device with a confidential computing environment.
  • the first-level confidential computing device generates a pair of asymmetric keys in the local precision computing environment, and uses the private key therein to sign the plaintext of the local digital certificate information, thereby obtaining a first-level digital certificate containing the plaintext of the local digital certificate information and the digital signature of the local digital certificate information.
  • the first-level precision computing device then verifies the signature of the first-level digital certificate using the public key in the above asymmetric key. If it passes, it is determined that the first-level digital certificate is legal, and at this time the first-level digital certificate device can issue a digital certificate to the second-level digital certificate device.
  • the first-level digital certificate device signs the local digital certificate information by using the private key of the asymmetric key generated in the local confidential computing environment, which may include: after the first-level digital certificate device verifies the authenticity of the local confidential computing environment, it signs the local digital certificate information by using the private key of the asymmetric key generated in the local confidential computing environment.
  • the step of the first-level digital certificate device verifying the authenticity of the local confidential computing environment and the step of the first-level digital certificate device signing the local digital certificate information by using the private key of the asymmetric key generated in the local confidential computing environment may have no sequential relationship
  • the step of the first-level digital certificate device verifying the authenticity of the local confidential computing environment and the step of the first-level digital certificate device signing the local digital certificate information by using the public key of the locally generated asymmetric key The steps of verifying the signature of the certificate may also have no order relationship, that is, after the first-level digital certificate device verifies the authenticity of the local confidential computing environment and verifies the signature of the first-level digital certificate through the public key in the locally generated asymmetric key, it can be determined that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates.
  • the generation of digital certificates at all levels requires the help of the previous-level digital certificate device.
  • the current-level digital certificate device provides the local digital certificate information to the previous-level digital certificate device, and the previous-level digital certificate device signs the local digital certificate information of the current-level digital certificate device using the public key in the locally generated asymmetric key to obtain the current-level digital certificate, and provides the current-level digital certificate and the corresponding public key to the current-level digital certificate device.
  • the current-level digital certificate device verifies the signature of the current-level digital certificate using the public key, it is determined that the current-level digital certificate is legal.
  • S302 From the second-level digital certificate device for holding the second-level digital certificate of the certificate chain, after the current-level digital certificate device receives the current-level digital certificate issued by the previous-level digital certificate device and verifies the signature of the current-level digital certificate, determining that the current-level digital certificate is legal may include:
  • the current-level digital certificate device receives the current-level digital certificate obtained by signing the local digital certificate information of the current-level digital certificate device with the private key in the asymmetric key generated by the previous-level digital certificate device, and uses the public key in the asymmetric key generated by the previous-level digital certificate device to verify the signature of the current-level digital certificate. After the current-level digital certificate is passed, it is determined that the current-level digital certificate is legal;
  • the current-level digital certificate device uses the private key in the asymmetric key generated in the local confidential computing environment to self-sign the local digital certificate information of the current-level digital certificate device, receives the private key in the asymmetric key generated by the previous-level digital certificate device, signs the self-signed local digital certificate information to obtain the current-level digital certificate, uses the public key in the asymmetric key generated in the local confidential computing environment to self-sign the current-level digital certificate, and after the current-level digital certificate is verified by the public key in the asymmetric key generated by the previous-level digital certificate device, the current-level digital certificate is determined to be legal.
  • the public key infrastructure certificate in the non-first-level digital certificate is completely signed and issued by the previous-level digital certificate device.
  • the current-level digital certificate device provides the local digital certificate information to the previous-level digital certificate device, and the previous-level digital certificate device uses the private key in the locally generated asymmetric key to sign the local digital certificate information of the current-level digital certificate device, and obtains the current-level digital certificate containing the local digital certificate information plaintext of the current-level digital certificate device and the digital signature of the local digital certificate information of the current-level digital certificate device.
  • the previous-level digital certificate device sends the current-level digital certificate and the corresponding public key to the current-level digital certificate device.
  • the current-level digital certificate device verifies the signature of the current-level digital certificate through the public key, and determines that the current-level digital certificate is legal after passing. If the current-level digital certificate device is a business device, the certificate chain is generated; if the current-level digital certificate device is not a business device, the current-level digital certificate device continues to issue digital certificates to the next-level digital certificate device.
  • the confidential computing certificates in non-first-level digital certificates are self-signed by the current-level digital certificate device and signed using the private key of the previous-level digital certificate device.
  • the current-level digital certificate device generates a pair of asymmetric keys in the local confidential computing environment, and uses the private key therein to sign the plaintext of the local digital certificate information, thereby obtaining local digital certificate information containing the plaintext of the local digital certificate information and the digital signature of the local digital certificate information.
  • the current-level digital certificate device then signs the self-signed local digital certificate information using the private key in the asymmetric key generated by the previous-level digital certificate device, thereby obtaining the current-level digital certificate containing the self-signature and the previous-level signature.
  • the current-level digital certificate device uses the corresponding public key in the local confidential computing environment to sign the self-signed signature in the current-level digital certificate. Verify the signature and use the public key provided by the previous digital certificate device to verify the previous signature in the current digital certificate.
  • the embodiment of the present application provides a new confidential computing certificate solution, that is, the confidential computing certificate contains both a self-signature and an upper-level signature, which is more secure than the confidential computing certificate in the related technology.
  • the current-level digital certificate device uses the private key in the asymmetric key generated in the local confidential computing environment to self-sign the local digital certificate information of the current-level digital certificate device, which can include: after the current-level digital certificate device verifies the authenticity of the local confidential computing environment, it uses the private key in the asymmetric key generated in the local confidential computing environment to self-sign the local digital certificate information of the current-level digital certificate device.
  • the security of generating confidential computing certificates is further improved.
  • the step in which the current-level digital certificate device verifies the authenticity of the local confidential computing environment and the step in which the current-level digital certificate device signs the local digital certificate information by using the private key of the asymmetric key generated in the local confidential computing environment may have no sequential relationship
  • the step in which the current-level digital certificate device verifies the authenticity of the local confidential computing environment and the step in which the current-level digital certificate device verifies the signature of the current-level digital certificate by using the public key in the locally generated asymmetric key may also have no sequential relationship, that is, the current-level digital certificate can be determined to be legal after the current-level digital certificate device verifies the authenticity of the local confidential computing environment and verifies the signature of the current-level digital certificate by using the public key in the locally generated asymmetric key.
  • the current-level digital certificate it needs to be signed by the previous-level digital certificate device. If the asymmetric key provided by the previous-level digital certificate device for signing and verifying the signature is generated in a confidential computing environment, the authenticity of the local confidential computing environment should also be verified for the previous-level digital certificate device on the previous-level digital signature device.
  • the current-level digital certificate device receives the current-level digital certificate obtained by signing the local digital certificate information of the current-level digital certificate device with the private key in the asymmetric key generated by the previous-level digital certificate device, which may include: after the current-level digital certificate device triggers and passes the authenticity verification of the local confidential computing environment of the previous-level digital certificate device, the current-level digital certificate obtained by obtaining the private key in the asymmetric key generated in the local confidential computing environment of the previous-level digital certificate device to sign the local digital certificate information of the current-level digital certificate device.
  • the current-level digital certificate device receives the private key in the asymmetric key generated by the previous-level digital certificate device to sign the self-signed local digital certificate information to obtain the current-level digital certificate, which may include: after the current-level digital certificate device triggers and passes the authenticity verification of the local confidential computing environment of the previous-level digital certificate device, obtaining the private key in the asymmetric key generated in the local confidential computing environment of the previous-level digital certificate device to sign the self-signed local digital certificate information to obtain the current-level digital certificate.
  • the previous-level digital certificate device uses the private key in the asymmetric key generated in the confidential computing environment to sign the digital certificate for the current-level digital certificate device, the authenticity of the confidential computing environment of the previous-level digital certificate device must be verified first, and then the current-level digital certificate issued by the previous-level digital certificate device is received.
  • determining that the first-level digital certificate is legitimate and the first-level digital certificate device has the authority to issue the digital certificate may include: the first-level digital certificate device compares the calculated confidential computing certificate with the subject The hash value of the public key is consistent with the hash value of the public key in the remote attestation data in the confidential computing certificate, and after the signature of the first-level digital certificate is verified by the main body public key, it is determined that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates.
  • the remote attestation data is the data in the confidential computing certificate used to verify the authenticity of the local confidential computing environment of the device.
  • the legality verification of the public key hash value can be completed when the authenticity of the local confidential computing environment of the first-level digital certificate device is remotely attested.
  • the first-level digital certificate device verifies the signature of the local confidential computing certificate, after the local confidential computing environment is remotely attested, the hash value of the main body public key in the confidential computing certificate calculated is compared with the hash value of the public key in the remote attestation data in the confidential computing certificate. After the signature of the first-level digital certificate is verified by the main body public key, it is determined that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates.
  • the current-level digital certificate device uses the public key in the asymmetric key generated in the local confidential computing environment to perform self-signature verification on the current-level digital certificate, which may include: the current-level digital certificate device compares the calculated hash value of the entity public key in the confidential computing certificate and the public key hash value in the remote attestation data in the confidential computing certificate to be consistent, and verifies the current-level digital certificate through the entity public key.
  • the current-level digital certificate device When the current-level digital certificate device generates the current-level digital certificate, by placing the hash value of the public key in the asymmetric key generated based on the confidential computing environment in the remote attestation data, the legitimacy of the public key hash value can be verified when the authenticity of the local confidential computing environment of the current-level digital certificate device is remotely proven, and when the current-level digital certificate device verifies the local confidential computing certificate, after the local confidential computing environment is remotely proven to be authentic, the calculated hash value of the entity public key in the confidential computing certificate and the public key hash value in the remote attestation data in the confidential computing certificate are compared to be consistent, and after the current-level digital certificate is verified through the entity public key, it is determined that the current-level digital certificate is legal and the current-level digital certificate device has the authority to issue digital certificates.
  • the entity public key carried in the confidential computing certificate is consistent with the public key hash value in the remote attestation data, it can be determined that the confidential computing certificate was generated in the local confidential computing environment, and then the entity public key can be used to verify the self-signature in the confidential computing certificate.
  • the previous-level digital certificate device After the current-level digital certificate device triggers the previous-level digital certificate device to verify the authenticity of the local confidential computing environment, the previous-level digital certificate device completes the above steps and passes the authenticity verification of the local confidential computing environment and the consistency verification of the entity public key. It can then sign or verify the current-level digital certificate performed by the previous-level confidential computing device, thereby further improving the security of the digital certificate.
  • the digital certificate management method provided in the embodiment of the present application obtains a more secure digital certificate signature scheme by having the confidential computing device in the digital certificate device first self-sign the current level confidential computing certificate, and then having the previous level digital certificate device sign it.
  • the embodiments of the present application further illustrate a method for verifying the authenticity of a local confidential computing environment of a confidential computing device.
  • authenticity verification of the local confidential computing environment may include: sending remote certification data in the local digital certificate information of the device to the device manufacturer to verify the authenticity of the local confidential computing environment.
  • the remote attestation data includes the trust measurement information of the device, such as the hardware trust measurement information of the device.
  • the device manufacturer uses the trust measurement information in the remote attestation data to determine that the device has a confidential computing environment and feedbacks the authenticity of the local confidential computing environment to the device.
  • the remote attestation data may include the remote attestation data plaintext and the remote attestation data signature obtained by signing the remote attestation data plaintext using the hardware remote attestation private key of the local confidential computing environment of the device; wherein the remote attestation data plaintext includes the hash value of the public key in the asymmetric key generated in the local confidential computing environment of the device and the trust measurement information of the device.
  • the first-level digital certificate of the certificate chain may include one digital certificate or multiple digital certificates.
  • the situation of including multiple digital certificates can further improve the security of the certificate chain.
  • a digital certificate device with multiple digital certificates can add multiple signatures when issuing a certificate for a digital certificate device at the next level, that is, the signature corresponds to the digital certificate device that issued the certificate one by one. If the current-level digital certificate has multiple signatures of the previous-level digital certificate device, when verifying the signature, it can be set that the current-level digital certificate must be confirmed to be legal only by verifying all signatures, or it can be set to confirm the legality of the current-level digital certificate by verifying some signatures.
  • the digital certificate device generates a certificate chain for the target service in S202, which may include:
  • the current-level digital certificate device that has the current-level digital certificate will verify the signature of the previous-level digital certificate device and determine that the current-level digital certificate is legal;
  • the current-level digital certificate device determines that the current-level digital certificate is legal after verifying the signatures of the first preset number of the multiple signatures;
  • the first preset number is smaller than the number of signatures of the previous level digital certificate device in the current level digital certificate.
  • the embodiment of the present application adopts a threshold signature verification method for the situation where the current-level digital certificate has signatures of multiple previous-level digital certificate devices. That is, the current-level digital certificate can be determined to be legal after only some of the signatures of the previous-level digital certificate devices are verified.
  • the previous-level digital certificate device if the previous-level digital certificate device has both a public key infrastructure certificate and a confidential computing certificate, the previous-level digital certificate device can perform a public key infrastructure signature and a confidential computing signature on the current-level digital certificate, and at this time, the type can be distinguished and set a threshold. If the current-level digital certificate has signatures of multiple previous-level digital certificate devices, the current-level digital certificate device determines that the current-level digital certificate is legal after the first preset number of signatures in the multiple signatures are verified, including:
  • the current-level digital certificate is determined to be legal after the current-level digital certificate device passes the signature verification of a second preset number of public key infrastructure signatures among the multiple signatures and passes the signature verification of a third preset number of confidential computing signatures among the multiple signatures;
  • the second preset number is less than the number of public key infrastructure signatures of the previous level digital certificate device in the current level digital certificate
  • the third preset number is less than the number of confidential computing signatures of the previous level digital certificate device in the current level digital certificate.
  • previous-level digital certificate device has multiple previous-level digital certificates, multiple pairs of corresponding asymmetric keys can be generated for signing and verifying the current-level digital certificate, but not all private keys need to be used for signing the current-level digital certificate.
  • Figure 4 is a schematic diagram of the first certificate chain scenario provided in an embodiment of the present application
  • Figure 5 is a schematic diagram of the second certificate chain scenario provided in an embodiment of the present application
  • Figure 6 is a schematic diagram of the third certificate chain scenario provided in an embodiment of the present application
  • Figure 7 is a schematic diagram of the fourth certificate chain scenario provided in an embodiment of the present application
  • Figure 8 is a schematic diagram of the fifth certificate chain scenario provided in an embodiment of the present application
  • Figure 9 is a schematic diagram of the sixth certificate chain scenario provided in an embodiment of the present application.
  • the embodiments of the present application use two adjacent levels of digital certificates in a certificate chain to illustrate the scenarios, which may specifically include six scenarios.
  • the previous-level digital certificate and the current-level digital certificate can both be public key infrastructure certificates. If the previous-level digital certificate is the first-level digital certificate of the certificate chain, the previous-level digital certificate is a self-signed public key infrastructure certificate, and the current-level digital certificate is signed by the private key provided by the previous-level digital certificate device 401, and verified by the public key provided by the previous-level digital certificate device 401. If the previous-level digital certificate is not the first-level digital certificate of the certificate chain, it will be issued by the next-level digital certificate device according to the certificate type. If the current-level digital certificate is not a business certificate, a next-level digital certificate can be derived to extend the certificate chain. The next-level digital certificate can be a public key infrastructure certificate or a confidential computing certificate.
  • the previous-level digital certificate is a public key infrastructure certificate
  • the current-level digital certificate is a confidential computing certificate.
  • the previous-level digital certificate is the first-level digital certificate of the certificate chain
  • the previous-level digital certificate is a self-signed public key infrastructure certificate
  • the current-level confidential computing certificate is generated in a local confidential computing environment, and is self-signed by the private key in the asymmetric key generated by the local confidential computing environment, and then signed by the previous-level digital certificate device 401 using the private key generated locally, to ensure the credibility of the current-level digital certificate and improve the efficiency of using the current-level digital certificate.
  • next-level digital certificate is not the first-level digital certificate of the certificate chain, it will be issued by the next-level digital certificate device according to the certificate type. If the current-level digital certificate is not a business certificate, the next-level digital certificate can be derived to extend the certificate chain.
  • the next-level digital certificate can be a public key infrastructure certificate or a confidential computing certificate.
  • the previous-level digital certificate and the current-level digital certificate are both confidential computing certificates.
  • the previous-level digital certificate is the first-level digital certificate of the certificate chain
  • the previous-level digital certificate is a self-signed confidential computing certificate, which is specifically generated by the confidential computing environment of the previous-level digital certificate device 401.
  • the current-level confidential computing certificate is generated in a local confidential computing environment, self-signed by the private key in the asymmetric key generated by the local confidential computing environment, and then signed by the previous-level digital certificate device 401 using the private key generated locally.
  • next-level digital certificate is not the first-level digital certificate of the certificate chain, it is then issued by the next-level digital certificate device according to the certificate type. If the current-level digital certificate is not a business certificate, a next-level digital certificate can be derived to extend the certificate chain.
  • the next-level digital certificate can be a public key infrastructure certificate or a confidential computing certificate.
  • the previous-level digital certificate is a confidential computing certificate
  • the current-level digital certificate is a public key infrastructure certificate.
  • the previous-level digital certificate is the first-level digital certificate in the certificate chain
  • the previous-level digital certificate is a self-signed confidential computing certificate, which is specifically generated by the confidential computing environment of the previous-level digital certificate device 401.
  • the current-level confidential computing certificate is generated in the local confidential computing environment, self-signed by the private key in the asymmetric key generated by the local confidential computing environment, and then signed by the previous-level digital certificate.
  • Device 401 signs with a locally generated private key.
  • next digital certificate device If the previous digital certificate is not the first digital certificate of the certificate chain, it will be issued by the next digital certificate device according to the certificate type.
  • the next digital certificate can be derived to extend the certificate chain.
  • the next digital certificate can be a public key infrastructure certificate or a confidential computing certificate.
  • the previous digital certificate is a hybrid certificate, that is, the previous digital certificate device 401 has both a public key infrastructure certificate and a confidential computing certificate, and the current digital certificate is a confidential computing certificate.
  • the previous digital certificate is the first-level digital certificate of the certificate chain
  • the previous digital certificate includes a self-signed public key infrastructure certificate and a self-signed confidential computing certificate.
  • the current confidential computing certificate is generated in a local confidential computing environment, self-signed by the private key in the asymmetric key generated by the local confidential computing environment, and then signed by the previous digital certificate device 401 using the private key generated locally.
  • the previous digital certificate is not the first-level digital certificate of the certificate chain, it is issued by the next-level digital certificate device according to the certificate type.
  • the next digital certificate can be derived to extend the certificate chain.
  • the next digital certificate can be a public key infrastructure certificate or a confidential computing certificate.
  • the previous-level digital certificate is a hybrid certificate, that is, the previous-level digital certificate device 401 has both a public key infrastructure certificate and a confidential computing certificate, and the current-level digital certificate is a public key infrastructure certificate. If the previous-level digital certificate is the first-level digital certificate of the certificate chain, the previous-level digital certificate includes a self-signed public key infrastructure certificate and a self-signed confidential computing certificate. The current-level digital certificate is signed by the private key provided by the previous-level digital certificate device 401 and verified by the public key provided by the first-level digital certificate device.
  • next-level digital certificate is not the first-level digital certificate of the certificate chain, it is issued by the next-level digital certificate device according to the certificate type. If the current-level digital certificate is not a business certificate, a next-level digital certificate can be derived to extend the certificate chain.
  • the next-level digital certificate can be a public key infrastructure certificate or a confidential computing certificate.
  • the embodiments of the present application illustrate an application scenario of a digital certificate management method.
  • the business server includes a server for performing a Hypertext Transfer Protocol Security connection.
  • the digital certificate management method provided in the embodiment of the present application may also include: after receiving an access request to a server sent by a client, after verifying the certificate chain corresponding to the server's Hypertext Transfer Protocol Secure (HTTPS) protocol connection service, the last-level digital certificate of the certificate chain corresponding to the HTTPS protocol connection service is sent to the client so that the client can verify the last-level digital certificate, so that after verifying the last-level digital certificate, the client can determine that the HTTPS protocol connection service is legal and establish a HTTPS protocol secure channel with the server.
  • HTTPS Hypertext Transfer Protocol Secure
  • the embodiment of the present application describes an application scenario of another digital certificate management method.
  • the digital certificate management method provided in the embodiment of the present application can also be applied to a file sending device.
  • the digital certificate management method provided in the embodiment of the present application may also include: after receiving the legitimacy verification of the target file to be sent by the file receiving device, providing the digital certificates at all levels of the certificate chain to the file receiving device, so that the file receiving device receives the target file after performing legitimacy verification on the digital certificates at all levels of the certificate chain.
  • a file receiving device receives a file sent by a file sending device, it needs to verify the signature of the certificate chain corresponding to the file, and confirm that the file is legal after passing the verification.
  • the present application also provides a digital certificate management method, including:
  • the business device generates a digital certificate issuance request according to the needs of the target business, and sends the digital certificate issuance request to the digital certificate device;
  • the digital certificate device generates a certificate chain for the target business according to the digital certificate issuance request;
  • the business equipment After the business equipment verifies the legitimacy of the certificate chain and passes it, it uses the certificate chain to deploy the target business;
  • the certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment.
  • the present application also discloses a digital certificate management apparatus, device and non-volatile readable storage medium corresponding to the above method.
  • FIG10 is a schematic diagram of the structure of a digital certificate management device provided in an embodiment of the present application.
  • the digital certificate management device provided in the embodiment of the present application includes:
  • the request unit 1001 is used to generate a digital certificate issuance request according to the requirements of the target business;
  • the sending unit 1002 is used to send the digital certificate issuance request to the digital certificate device so that the digital certificate device generates a certificate chain for the target service;
  • the deployment unit 1003 is used to deploy the target service using the certificate chain after the certificate chain passes the validity verification
  • the certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment.
  • the digital certificate management device provided in the embodiments of the present application may also include:
  • the first verification unit is used to verify the legitimacy of the certificate chain after receiving an application request for a target service from a requesting device, so that the requesting device can determine that the target service is legitimate after determining that the certificate chain is legitimate.
  • the digital certificate management device provided in the embodiment of the present application is applied to a business server, specifically a server for performing a Hypertext Transfer Protocol Security connection; then the digital certificate management device provided in the embodiment of the present application may also include:
  • the second verification unit is used to, after receiving an access request to the server sent by the client, verify the certificate chain corresponding to the server's Hypertext Transfer Protocol Security connection service, and then send the last-level digital certificate of the certificate chain corresponding to the Hypertext Transfer Protocol Security connection service to the client so that the client can verify the last-level digital certificate, so that after the client verifies the last-level digital certificate, it can determine that the Hypertext Transfer Protocol Security connection service is legal and establish a Hypertext Transfer Protocol Security channel with the server.
  • the digital certificate management device provided in the embodiment of the present application is applied to a file sending device; then the digital certificate management device provided in the embodiment of the present application may also include:
  • the third verification unit is used to provide the digital certificates of each level of the certificate chain to the file receiving device after receiving the legitimacy verification of the target file to be sent by the file receiving device, so that the file receiving device receives the target file after passing the legitimacy verification of the digital certificates of each level of the certificate chain.
  • FIG11 is a schematic diagram of the structure of a digital certificate management device provided in an embodiment of the present application.
  • the digital certificate management device provided in the embodiment of the present application includes:
  • a memory 1110 used for storing a computer program 1111
  • the processor 1120 is used to execute the computer program 1111.
  • the steps of the digital certificate management method in any of the above embodiments are implemented.
  • the processor 1120 may include one or more processing cores, such as a 3-core processor, an 8-core processor, etc.
  • the processor 1120 may be implemented in at least one hardware form of a digital signal processing DSP (Digital Signal Processing), a field-programmable gate array FPGA (Field-Programmable Gate Array), and a programmable logic array PLA (Programmable Logic Array).
  • the processor 1120 may also include a main processor and a coprocessor.
  • the main processor is a processor for processing data in the awake state, also known as a central processing unit CPU (Central Processing Unit);
  • the coprocessor is a low-power processor for processing data in the standby state.
  • the processor 1120 may be integrated with a graphics processor GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content to be displayed on the display screen.
  • the processor 1120 may also include an artificial intelligence AI (Artificial Intelligence) processor, which is used to process computing operations related to machine learning.
  • AI Artificial Intelligence
  • the memory 1110 may include one or more non-volatile readable storage media, which may be non-transitory.
  • the memory 1110 may also include a high-speed random access memory, and a non-volatile memory, such as one or more disk storage devices, flash memory storage devices.
  • the memory 1110 is at least used to store the following computer program 1111, wherein the computer program 1111, after being loaded and executed by the processor 1120, can implement the relevant steps in the digital certificate management method disclosed in any of the aforementioned embodiments.
  • the resources stored in the memory 1110 may also include an operating system 1112 and data 1113, etc., and the storage method may be temporary storage or permanent storage.
  • the operating system 1112 may be Windows.
  • Data 1113 may include, but is not limited to, the data involved in the above method.
  • the digital certificate management device may further include a display screen 1130 , a power supply 1140 , a communication interface 1150 , an input/output interface 1160 , a sensor 1170 , and a communication bus 1180 .
  • FIG. 11 does not constitute a limitation on the digital certificate management device, and may include more or fewer components than those shown in the figure.
  • the digital certificate management device provided in the embodiment of the present application includes a memory and a processor.
  • the processor executes the program stored in the memory, it can implement the above digital certificate management method, and the effect is the same as above.
  • the above-described embodiments of the apparatus and equipment are merely schematic.
  • the division of modules is merely a logical function division.
  • multiple modules or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • Another point is that the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, indirect coupling or communication connection of the apparatus or modules, which may be electrical, mechanical or other forms.
  • the modules described as separate components may or may not be physically separated, and the components shown as modules may or may not be physical modules, that is, they may be located in one place. Or it can be distributed to multiple network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • each functional module in each embodiment of the present application can be integrated into a processing module, or each module can exist physically separately, or two or more modules can be integrated into one module.
  • the above integrated modules can be implemented in the form of hardware or software functional modules.
  • the integrated module is implemented in the form of a software function module and sold or used as an independent product, it can be stored in a non-volatile readable storage medium.
  • the technical solution of the present application, or the part that contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium to execute all or part of the steps of the various embodiments of the present application.
  • an embodiment of the present application further provides a non-volatile readable storage medium, on which a computer program is stored.
  • a computer program is stored on which a computer program is stored.
  • the non-volatile readable storage medium may include: a U disk, a mobile hard disk, a read-only memory ROM (Read-Only Memory), a random access memory RAM (Random Access Memory), a magnetic disk or an optical disk, and other media that can store program codes.
  • the computer program contained in the non-volatile readable storage medium provided in this embodiment can implement the steps of the above digital certificate management method when executed by the processor, and the effect is the same as above.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present application relates to the technical field of digital certificates. Particularly disclosed are a digital certificate management method, apparatus, device and system and a nonvolatile readable storage medium, the method comprising: generating a digital certificate issuing request according to a demand of a target service and sending the digital certificate issuing request to a digital certificate device, such that the digital certificate device generates a certificate chain for the target service, the certificate chain at least comprising a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated on the basis of a confidential computing environment. Compared with a single public key infrastructure certificate or a certificate chain constituted only by public key infrastructure certificates in the prior art, the present application increases trusted parties in the certificate chain, thus reducing the security dependence on the certificate authority, improving the security of the certificate chain, and accordingly improving the security of certificate owners and the security of certificate users. The target service is deployed after the certificate chain passes signature verification, thereby improving the security of the target service.

Description

数字证书管理方法、装置、设备、系统及可读存储介质Digital certificate management method, device, equipment, system and readable storage medium

相关申请的交叉引用CROSS-REFERENCE TO RELATED APPLICATIONS

本申请要求于2023年06月28日提交中国专利局,申请号为202310772031.8,申请名称为“数字证书管理方法、装置、设备、系统及可读存储介质”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims priority to the Chinese patent application filed with the China Patent Office on June 28, 2023, with application number 202310772031.8, and application name “Digital Certificate Management Method, Device, Equipment, System and Readable Storage Medium”, all contents of which are incorporated by reference in this application.

技术领域Technical Field

本申请涉及数字证书技术领域,特别是涉及一种数字证书管理方法、装置、设备、系统及非易失性可读存储介质。The present application relates to the field of digital certificate technology, and in particular to a digital certificate management method, device, equipment, system and non-volatile readable storage medium.

背景技术Background Art

数字证书(Digital Certificate)是一种数字身份证明,用于证明某个实体(通常是一个人、组织或网站)的身份。数字证书是通过使用加密技术创建的,其中包含了一个公钥以及相关的标识信息,例如证书持有人的姓名、电子邮件地址、组织名称等。数字证书在电子商务、互联网银行、电子邮件安全、网络安全等领域广泛应用。A digital certificate is a digital identity document used to prove the identity of an entity (usually a person, organization, or website). A digital certificate is created using encryption technology and contains a public key and related identification information, such as the certificate holder's name, email address, organization name, etc. Digital certificates are widely used in e-commerce, Internet banking, email security, network security, and other fields.

数字证书通常由权威的证书颁发机构(Certificate Authority,CA)颁发给证书拥有者,数字证书中具有证书颁发机构的数字签名,以供证书使用者对证书拥有者进行合法性验证。然而,这种数字证书管理机制对第三方(即证书颁发机构)依赖性较高,在证书颁发机构受到安全威胁或被中间人攻击的情况下,对证书用户的安全性造成极大威胁。Digital certificates are usually issued by an authoritative certificate authority (CA) to the certificate owner. The digital certificate contains the digital signature of the certificate authority for the certificate user to verify the legitimacy of the certificate owner. However, this digital certificate management mechanism is highly dependent on a third party (i.e., the certificate authority). When the certificate authority is under security threat or attacked by a man-in-the-middle attack, it poses a great threat to the security of the certificate user.

如何提高数字证书管理系统的安全性,进而提高证书拥有者的安全性和证书使用者的安全性,是本领域技术人员需要解决的技术问题。How to improve the security of the digital certificate management system, and thereby improve the security of certificate owners and certificate users, is a technical problem that technical personnel in this field need to solve.

发明内容Summary of the invention

本申请的目的是提供一种数字证书管理方法、装置、设备、系统及非易失性可读存储介质,用于提高数字证书管理系统的安全性,进而提高证书拥有者的安全性和证书使用者的安全性。The purpose of this application is to provide a digital certificate management method, device, equipment, system and non-volatile readable storage medium, which are used to improve the security of the digital certificate management system, thereby improving the security of the certificate owner and the security of the certificate user.

为解决上述技术问题,本申请提供一种数字证书管理方法,包括:In order to solve the above technical problems, the present application provides a digital certificate management method, including:

根据目标业务的需求,生成数字证书颁发请求;Generate a digital certificate issuance request based on the needs of the target business;

将数字证书颁发请求发送至数字证书设备,以使数字证书设备生成目标业务的证书链;Sending a digital certificate issuance request to a digital certificate device so that the digital certificate device generates a certificate chain for a target business;

对证书链进行合法性验证通过后,利用证书链部署目标业务;After the certificate chain is verified to be legitimate, the target business is deployed using the certificate chain;

其中,证书链至少包括一个由证书颁发机构颁发的公钥基础设施证书和一个基于机密计算环境生成的机密计算证书。The certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment.

在一些实施中,证书链中至少一级数字证书包括公钥基础设施证书和机密计算证书。In some implementations, at least one level of digital certificates in the certificate chain includes a public key infrastructure certificate and a confidential computing certificate.

在一些实施中,数字证书设备生成目标业务的证书链,包括:In some implementations, the digital certificate device generates a certificate chain for the target service, including:

用于持有证书链的第一级数字证书的第一级数字证书设备通过自签名方式生成第一级数字证书并对第一级数字证书验签通过后,确定第一级数字证书合法且第一级数字证书设备具有颁发数字证书的权限;The first-level digital certificate device for holding the first-level digital certificate of the certificate chain generates the first-level digital certificate by self-signing and verifies the signature of the first-level digital certificate, thereby determining that the first-level digital certificate is legitimate and the first-level digital certificate device has the authority to issue digital certificates;

自用于持有证书链的第二级数字证书的第二级数字证书设备起,当前级数字证书设备接收上一级数字证书设备颁发的当前级数字证书并对当前级数字证书验签通过后,确定当前级数字证书合法;Starting from the second-level digital certificate device for holding the second-level digital certificate of the certificate chain, the current-level digital certificate device receives the current-level digital certificate issued by the previous-level digital certificate device and verifies the signature of the current-level digital certificate, and determines that the current-level digital certificate is legal;

在生成证书链的各级数字证书且各级数字证书均通过合法性验证后,得到证书链。 After the digital certificates at each level of the certificate chain are generated and all the digital certificates at each level pass the legitimacy verification, the certificate chain is obtained.

在一些实施中,用于持有证书链的第一级数字证书的第一级数字证书设备通过自签名方式生成第一级数字证书并对第一级数字证书验签通过后,确定第一级数字证书合法且第一级数字证书设备具有颁发数字证书的权限,包括:In some implementations, the first-level digital certificate device for holding the first-level digital certificate of the certificate chain generates the first-level digital certificate by self-signing and verifies the signature of the first-level digital certificate, and determines that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates, including:

若第一级数字证书为公钥基础设施证书,则第一级数字证书设备为证书颁发机构设备,第一级数字证书设备通过本地生成的非对称密钥中的私钥对本地数字证书信息进行签名,得到第一级数字证书;第一级数字证书设备通过本地生成的非对称密钥中的公钥对第一级数字证书进行验签通过后,确定第一级数字证书合法且第一级数字证书设备具有颁发数字证书的权限;If the first-level digital certificate is a public key infrastructure certificate, the first-level digital certificate device is a certificate authority device, and the first-level digital certificate device signs the local digital certificate information with the private key in the locally generated asymmetric key to obtain the first-level digital certificate; after the first-level digital certificate device verifies the signature of the first-level digital certificate with the public key in the locally generated asymmetric key, it is determined that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates;

若第一级数字证书为机密计算证书,则第一级数字证书设备为具有机密计算环境的机密计算设备,第一级数字证书设备通过本地机密计算环境中生成的非对称密钥的私钥对本地数字证书信息进行签名,得到第一级数字证书;第一级数字证书设备通过本地机密计算环境中生成的非对称密钥的公钥对第一级数字证书进行验签通过后,确定第一级数字证书合法且第一级数字证书设备具有颁发数字证书的权限。If the first-level digital certificate is a confidential computing certificate, the first-level digital certificate device is a confidential computing device with a confidential computing environment. The first-level digital certificate device signs the local digital certificate information with the private key of the asymmetric key generated in the local confidential computing environment to obtain the first-level digital certificate. After the first-level digital certificate is verified by the public key of the asymmetric key generated in the local confidential computing environment, it is determined that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates.

在一些实施中,自用于持有证书链的第二级数字证书的第二级数字证书设备起,当前级数字证书设备接收上一级数字证书设备颁发的当前级数字证书并对当前级数字证书验签通过后,确定当前级数字证书合法,包括:In some implementations, starting from the second-level digital certificate device for holding the second-level digital certificate of the certificate chain, after the current-level digital certificate device receives the current-level digital certificate issued by the previous-level digital certificate device and verifies the signature of the current-level digital certificate, determining that the current-level digital certificate is legitimate includes:

若当前级数字证书为公钥基础设施证书,则当前级数字证书设备接收通过上一级数字证书设备生成的非对称密钥中的私钥对当前级数字证书设备的本地数字证书信息进行签名处理得到的当前级数字证书,并利用上一级数字证书设备生成的非对称密钥中的公钥对当前级数字证书验签通过后,确定当前级数字证书合法;If the current-level digital certificate is a public key infrastructure certificate, the current-level digital certificate device receives the current-level digital certificate obtained by signing the local digital certificate information of the current-level digital certificate device with the private key in the asymmetric key generated by the previous-level digital certificate device, and uses the public key in the asymmetric key generated by the previous-level digital certificate device to verify the signature of the current-level digital certificate. After the current-level digital certificate is passed, it is determined that the current-level digital certificate is legal;

若当前级数字证书为机密计算证书,则当前级数字证书设备利用本地机密计算环境中生成的非对称密钥中的私钥对当前级数字证书设备的本地数字证书信息进行自签名处理后,接收上一级数字证书设备生成的非对称密钥中的私钥对自签名处理后的本地数字证书信息进行签名处理得到当前级数字证书,利用本地机密计算环境中生成的非对称密钥中的公钥对当前级数字证书进行自签名验签通过,并利用上一级数字证书设备生成的非对称密钥中的公钥对当前级数字证书进行验签通过后,确定当前级数字证书合法。If the current-level digital certificate is a confidential computing certificate, the current-level digital certificate device uses the private key in the asymmetric key generated in the local confidential computing environment to self-sign the local digital certificate information of the current-level digital certificate device, receives the private key in the asymmetric key generated by the previous-level digital certificate device, signs the self-signed local digital certificate information to obtain the current-level digital certificate, uses the public key in the asymmetric key generated in the local confidential computing environment to self-sign the current-level digital certificate, and after the current-level digital certificate is verified by the public key in the asymmetric key generated by the previous-level digital certificate device, the current-level digital certificate is determined to be legal.

在一些实施中,第一级数字证书设备通过本地机密计算环境中生成的非对称密钥的私钥对本地数字证书信息进行签名,包括:In some implementations, the first-level digital certificate device signs the local digital certificate information using a private key of an asymmetric key generated in a local confidential computing environment, including:

第一级数字证书设备在通过对本地机密计算环境进行真实性验证后,通过本地机密计算环境中生成的非对称密钥的私钥对本地数字证书信息进行签名。After verifying the authenticity of the local confidential computing environment, the first-level digital certificate device signs the local digital certificate information using the private key of the asymmetric key generated in the local confidential computing environment.

在一些实施中,当前级数字证书设备利用本地机密计算环境中生成的非对称密钥中的私钥对当前级数字证书设备的本地数字证书信息进行自签名处理,包括:In some implementations, the current-level digital certificate device uses a private key in an asymmetric key generated in a local confidential computing environment to perform a self-signing process on the local digital certificate information of the current-level digital certificate device, including:

当前级数字证书设备在通过对本地机密计算环境进行真实性验证后,利用本地机密计算环境中生成的非对称密钥中的私钥对当前级数字证书设备的本地数字证书信息进行自签名处理。After the authenticity of the local confidential computing environment is verified, the current-level digital certificate device uses the private key in the asymmetric key generated in the local confidential computing environment to self-sign the local digital certificate information of the current-level digital certificate device.

在一些实施中,若上一级数字证书设备生成的非对称密钥为在本地机密计算环境中生成的非对称密钥,In some implementations, if the asymmetric key generated by the previous digital certificate device is an asymmetric key generated in a local confidential computing environment,

当前级数字证书设备接收通过上一级数字证书设备生成的非对称密钥中的私钥对当前级数字证书设备的本地数字证书信息进行签名处理得到的当前级数字证书,包括: The current-level digital certificate device receives the current-level digital certificate obtained by signing the local digital certificate information of the current-level digital certificate device using the private key in the asymmetric key generated by the previous-level digital certificate device, including:

当前级数字证书设备在触发对上一级数字证书设备的本地机密计算环境的真实性验证并通过后,获取上一级数字证书设备的本地机密计算环境中生成的非对称密钥中的私钥对当前级数字证书设备的本地数字证书信息进行签名处理得到的当前级数字证书;After the current-level digital certificate device triggers and passes the authenticity verification of the local confidential computing environment of the previous-level digital certificate device, the current-level digital certificate device obtains the private key in the asymmetric key generated in the local confidential computing environment of the previous-level digital certificate device to sign the local digital certificate information of the current-level digital certificate device to obtain the current-level digital certificate;

当前级数字证书设备接收上一级数字证书设备生成的非对称密钥中的私钥对自签名处理后的本地数字证书信息进行签名处理得到当前级数字证书,包括:The current-level digital certificate device receives the private key in the asymmetric key generated by the previous-level digital certificate device and signs the local digital certificate information after the self-signature processing to obtain the current-level digital certificate, including:

当前级数字证书设备在触发对上一级数字证书设备的本地机密计算环境的真实性验证并通过后,获取上一级数字证书设备的本地机密计算环境中生成的非对称密钥中的私钥对自签名处理后的本地数字证书信息进行签名处理得到当前级数字证书。After triggering and passing the authenticity verification of the local confidential computing environment of the previous level digital certificate device, the current level digital certificate device obtains the private key in the asymmetric key generated in the local confidential computing environment of the previous level digital certificate device to sign the local digital certificate information after self-signing to obtain the current level digital certificate.

在一些实施中,对本地机密计算环境进行真实性验证,包括:In some implementations, performing authenticity verification on a local confidential computing environment includes:

将所在设备的本地数字证书信息中的远程证明数据发送至设备厂商以进行本地机密计算环境的真实性验证。The remote attestation data in the local digital certificate information of the device is sent to the device manufacturer to verify the authenticity of the local confidential computing environment.

在一些实施中,远程证明数据包括所在设备的可信度量信息。In some implementations, the remote attestation data includes trustworthiness metric information of the device.

在一些实施中,远程证明数据包括远程证明数据明文和利用所在设备的本地机密计算环境的硬件远程证明私钥对远程证明数据明文进行签名得到的远程证明数据签名;In some implementations, the remote attestation data includes a remote attestation data plaintext and a remote attestation data signature obtained by signing the remote attestation data plaintext using a hardware remote attestation private key of a local confidential computing environment of the device;

其中,远程证明数据明文包括利用所在设备的本地机密计算环境中生成的非对称密钥中的公钥的哈希值和所在设备的可信度量信息。The remote proof data plaintext includes a hash value of a public key in an asymmetric key generated in a local confidential computing environment of the device and the trust measurement information of the device.

在一些实施中,第一级数字证书设备通过本地机密计算环境中生成的非对称密钥的公钥对第一级数字证书进行验签通过后,确定第一级数字证书合法且第一级数字证书设备具有颁发数字证书的权限,包括:In some implementations, after the first-level digital certificate is verified by the public key of the asymmetric key generated in the local confidential computing environment, the first-level digital certificate is determined to be legitimate and the first-level digital certificate device has the authority to issue digital certificates, including:

第一级数字证书设备比较计算得到的机密计算证书中的本体公钥的哈希值和机密计算证书中的远程证明数据中的公钥哈希值一致,且通过本体公钥对第一级数字证书进行验签通过后,确定第一级数字证书合法且第一级数字证书设备具有颁发数字证书的权限。The first-level digital certificate device compares the calculated hash value of the entity public key in the confidential computing certificate and the public key hash value in the remote attestation data in the confidential computing certificate. After the first-level digital certificate is signed and verified by the entity public key, it is determined that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates.

在一些实施中,当前级数字证书设备利用本地机密计算环境中生成的非对称密钥中的公钥对当前级数字证书进行自签名验签通过,包括:In some implementations, the current-level digital certificate device uses a public key in an asymmetric key generated in a local confidential computing environment to perform self-signature verification on the current-level digital certificate, including:

当前级数字证书设备比较计算得到的机密计算证书中的本体公钥的哈希值和机密计算证书中的远程证明数据中的公钥哈希值一致,且通过本体公钥对当前级数字证书进行验签通过。The current-level digital certificate device compares and calculates the hash value of the entity public key in the confidential computing certificate and the public key hash value in the remote attestation data in the confidential computing certificate, and verifies the signature of the current-level digital certificate through the entity public key.

在一些实施中,数字证书设备生成目标业务的证书链,包括:In some implementations, the digital certificate device generates a certificate chain for the target service, including:

若当前级数字证书具有一个上一级数字证书设备的签名,则拥有当前级数字证书的当前级数字证书设备对上一级数字证书设备的签名验签通过后,确定当前级数字证书合法;If the current-level digital certificate has a signature of a previous-level digital certificate device, the current-level digital certificate device that has the current-level digital certificate will verify the signature of the previous-level digital certificate device and determine that the current-level digital certificate is legal;

若当前级数字证书具有多个上一级数字证书设备的签名,则当前级数字证书设备对多个签名中的第一预设数量签名验签通过后,确定当前级数字证书合法;If the current-level digital certificate has multiple signatures of the previous-level digital certificate device, the current-level digital certificate device determines that the current-level digital certificate is legal after verifying the signatures of the first preset number of the multiple signatures;

其中,第一预设数量小于当前级数字证书中上一级数字证书设备的签名的数量。The first preset number is smaller than the number of signatures of the previous level digital certificate device in the current level digital certificate.

在一些实施中,若当前级数字证书具有多个上一级数字证书设备的签名,则当前级数字证书设备对多个签名中的第一预设数量签名验签通过后,确定当前级数字证书合法,包括:In some implementations, if the current-level digital certificate has multiple signatures of the previous-level digital certificate device, the current-level digital certificate device determines that the current-level digital certificate is legitimate after verifying a first preset number of signatures among the multiple signatures, including:

若当前级数字证书具有的多个上一级数字证书设备的签名中既包括公钥基础设施签名又包括机密计算签名,则当前级数字证书设备对多个签名中的第二预设数量公钥基础设施签名验签通过且对多个签名中的第三预设数量机密计算签名验签通过后,确定当前级数字证书合法;If the signatures of multiple upper-level digital certificate devices possessed by the current-level digital certificate include both public key infrastructure signatures and confidential computing signatures, the current-level digital certificate is determined to be legal after the current-level digital certificate device passes the signature verification of a second preset number of public key infrastructure signatures among the multiple signatures and passes the signature verification of a third preset number of confidential computing signatures among the multiple signatures;

其中,第二预设数量小于当前级数字证书中上一级数字证书设备的的公钥基础设施签名 的数量,第三预设数量小于当前级数字证书中上一级数字证书设备的机密计算签名的数量。The second preset number is less than the public key infrastructure signature of the previous digital certificate device in the current digital certificate. The third preset number is less than the number of confidential computing signatures of the previous level digital certificate device in the current level digital certificate.

在一些实施中,根据目标业务的需求,生成数字证书颁发请求,包括:In some implementations, generating a digital certificate issuance request based on the needs of the target business includes:

根据目标业务的安全需求,确定证书链中公钥基础设施证书和机密计算证书的组合方式;Determine the combination of the public key infrastructure certificate and confidential computing certificate in the certificate chain based on the security requirements of the target business;

根据证书链中公钥基础设施证书和机密计算证书的组合方式,确定对应的数字证书设备;Determine the corresponding digital certificate device according to the combination of the public key infrastructure certificate and the confidential computing certificate in the certificate chain;

生成对各数字证书设备的数字证书颁发请求。Generate a digital certificate issuance request for each digital certificate device.

在一些实施中,还包括:In some implementations, the method further includes:

在接收到请求方设备对目标业务的应用请求后,对证书链进行合法性验证以使请求方设备在确定证书链合法后确定目标业务合法。After receiving an application request for a target service from a requesting device, the certificate chain is verified for legitimacy so that the requesting device determines that the target service is legitimate after determining that the certificate chain is legitimate.

在一些实施中,应用于进行超文本传输安全协议连接的服务器;In some implementations, the method is applied to a server that performs a Hypertext Transfer Protocol Secure connection;

数字证书管理方法还包括:The digital certificate management method also includes:

在接收到客户端发送的对服务器的访问请求后,对服务器的超文本传输安全协议连接业务对应的证书链进行验签通过后,将超文本传输安全协议连接业务对应的证书链的最后一级数字证书发送至客户端以使客户端对最后一级数字证书进行验签,以使客户端在对最后一级数字证书验签通过后,确定超文本传输安全协议连接业务合法并与服务器建立超文本传输安全协议安全信道。After receiving the access request to the server sent by the client, the certificate chain corresponding to the server's Hypertext Transfer Protocol Security connection service is verified and passed, and the last-level digital certificate of the certificate chain corresponding to the Hypertext Transfer Protocol Security connection service is sent to the client so that the client can verify the last-level digital certificate, so that after the client verifies the last-level digital certificate, it can determine that the Hypertext Transfer Protocol Security connection service is legal and establish a Hypertext Transfer Protocol Security channel with the server.

在一些实施中,应用于文件发送设备;In some implementations, applied to a file sending device;

数字证书管理方法还包括:The digital certificate management method also includes:

在接收到文件接收设备对待发送的目标文件的合法性验证后,将证书链的各级数字证书提供给文件接收设备,以使文件接收设备对证书链的各级数字证书均进行合法性验证通过后接收目标文件。After receiving the legitimacy verification of the target file to be sent by the file receiving device, the digital certificates at all levels of the certificate chain are provided to the file receiving device, so that the file receiving device receives the target file after the legitimacy verification of the digital certificates at all levels of the certificate chain is passed.

为解决上述技术问题,本申请还提供一种数字证书管理方法,包括:To solve the above technical problems, the present application also provides a digital certificate management method, including:

业务设备根据目标业务的需求,生成数字证书颁发请求,并将数字证书颁发请求发送至数字证书设备;The business device generates a digital certificate issuance request according to the needs of the target business, and sends the digital certificate issuance request to the digital certificate device;

数字证书设备根据数字证书颁发请求生成目标业务的证书链;The digital certificate device generates a certificate chain for the target business according to the digital certificate issuance request;

业务设备对证书链进行合法性验证通过后,利用证书链部署目标业务;After the business equipment verifies the legitimacy of the certificate chain and passes it, it uses the certificate chain to deploy the target business;

其中,证书链至少包括一个由证书颁发机构颁发的公钥基础设施证书和一个基于机密计算环境生成的机密计算证书。The certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment.

为解决上述技术问题,本申请还提供一种数字证书管理系统,包括:业务设备和数字证书设备;In order to solve the above technical problems, the present application also provides a digital certificate management system, including: a business device and a digital certificate device;

其中,业务设备用于根据目标业务的需求,生成数字证书颁发请求;将数字证书颁发请求发送至数字证书设备,以使数字证书设备生成目标业务的证书链;对证书链进行合法性验证通过后,利用证书链部署目标业务;The business device is used to generate a digital certificate issuance request according to the needs of the target business; send the digital certificate issuance request to the digital certificate device so that the digital certificate device generates a certificate chain for the target business; after the certificate chain is verified for legitimacy, the target business is deployed using the certificate chain;

其中,证书链至少包括一个由证书颁发机构颁发的公钥基础设施证书和一个基于机密计算环境生成的机密计算证书。The certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment.

为解决上述技术问题,本申请还提供一种数字证书管理装置,包括:In order to solve the above technical problems, the present application also provides a digital certificate management device, including:

请求单元,用于根据目标业务的需求,生成数字证书颁发请求;A request unit, used to generate a digital certificate issuance request according to the needs of the target business;

发送单元,用于将数字证书颁发请求发送至数字证书设备,以使数字证书设备生成目标业务的证书链;A sending unit, used to send a digital certificate issuance request to a digital certificate device, so that the digital certificate device generates a certificate chain for a target service;

部署单元,用于对证书链进行合法性验证通过后,利用证书链部署目标业务; A deployment unit is used to deploy the target business using the certificate chain after the certificate chain passes the legitimacy verification;

其中,证书链至少包括一个由证书颁发机构颁发的公钥基础设施证书和一个基于机密计算环境生成的机密计算证书。The certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment.

为解决上述技术问题,本申请还提供一种数字证书管理设备,包括:In order to solve the above technical problems, the present application also provides a digital certificate management device, including:

存储器,用于存储计算机程序;Memory for storing computer programs;

处理器,用于执行计算机程序,计算机程序被处理器执行时实现如上述任意一项数字证书管理方法的步骤。The processor is used to execute a computer program, and when the computer program is executed by the processor, the steps of any one of the digital certificate management methods described above are implemented.

为解决上述技术问题,本申请还提供一种非易失性可读存储介质,其上存储有计算机程序,计算机程序被处理器执行时实现如上述任意一项数字证书管理方法的步骤。In order to solve the above technical problems, the present application also provides a non-volatile readable storage medium, on which a computer program is stored. When the computer program is executed by a processor, the steps of any one of the above digital certificate management methods are implemented.

本申请所提供的数字证书管理方法,通过根据目标业务的需求,生成数字证书颁发请求,将数字证书颁发请求发送至数字证书设备,以使数字证书设备生成目标业务的证书链,该证书链至少包括一个由证书颁发机构颁发的公钥基础设施证书和一个基于机密计算环境生成的机密计算证书;通过由公钥基础设施证书和机密计算证书构成的混合数字证书组成的证书链,相较于相关技术中的单个公钥基础设施证书或仅由公钥基础设施证书构成的证书链,增加了证书链中的信任方,即除了证书颁发机构外,引入了生成机密计算证书的可信执行环境作为其中一个信任方,从而减少了对证书颁发机构的安全依赖,提高了证书链的安全性,进而提高了证书拥有者的安全性和证书使用者的安全性。在对证书链进行验签通过后再部署目标业务,提高了目标业务的安全性。The digital certificate management method provided in the present application generates a digital certificate issuance request according to the needs of the target business, and sends the digital certificate issuance request to the digital certificate device so that the digital certificate device generates a certificate chain for the target business, and the certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment; through the certificate chain composed of a hybrid digital certificate consisting of a public key infrastructure certificate and a confidential computing certificate, compared with a single public key infrastructure certificate or a certificate chain consisting only of a public key infrastructure certificate in the related technology, the trusted party in the certificate chain is increased, that is, in addition to the certificate authority, a trusted execution environment for generating confidential computing certificates is introduced as one of the trusted parties, thereby reducing the security dependence on the certificate authority, improving the security of the certificate chain, and further improving the security of the certificate owner and the security of the certificate user. The target business is deployed after the certificate chain is verified and passed, thereby improving the security of the target business.

本申请提供的数字证书管理方法中,还可以通过证书链中至少一级数字证书包括公钥基础设施证书和机密计算证书,以在各级数字证书均为单种类型的数字证书的基础上进一步提高单级数字证书的安全性,进而提高整个证书链的安全性,提高证书拥有者的安全性和证书使用者的安全性。In the digital certificate management method provided in the present application, at least one level of digital certificate in the certificate chain can include a public key infrastructure certificate and a confidential computing certificate, so as to further improve the security of a single-level digital certificate on the basis that digital certificates at all levels are of a single type of digital certificate, thereby improving the security of the entire certificate chain, and improving the security of certificate owners and certificate users.

本申请提供的数字证书管理方法,通过数字证书设备中的机密计算设备先对当前级的机密计算证书进行自签名后,再由上一级数字证书设备进行签名,得到了一种更具安全性的数字证书签名方案。The digital certificate management method provided in the present application obtains a more secure digital certificate signature scheme by first self-signing the current level confidential computing certificate through the confidential computing device in the digital certificate device, and then signing it by the digital certificate device of the previous level.

本申请还提供一种数字证书管理装置、设备、系统及非易失性可读存储介质,具有上述有益效果,在此不再赘述。The present application also provides a digital certificate management device, equipment, system and non-volatile readable storage medium, which have the above-mentioned beneficial effects and are not repeated here.

附图说明BRIEF DESCRIPTION OF THE DRAWINGS

为了更清楚的说明本申请实施例或现有技术的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单的介绍,显而易见地,下面描述中的附图仅仅是本申请的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to more clearly illustrate the embodiments of the present application or the technical solutions of the prior art, the drawings required for use in the embodiments or the description of the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application. For ordinary technicians in this field, other drawings can be obtained based on these drawings without paying any creative work.

图1为本申请实施例提供的一种数字证书管理系统的结构示意图;FIG1 is a schematic diagram of the structure of a digital certificate management system provided in an embodiment of the present application;

图2为本申请实施例提供的一种数字证书管理方法的流程图;FIG2 is a flow chart of a digital certificate management method provided in an embodiment of the present application;

图3为本申请实施例提供的一种数字证书设备生成目标业务的证书链的流程图;FIG3 is a flow chart of a digital certificate device generating a certificate chain for a target service provided by an embodiment of the present application;

图4为本申请实施例提供的第一种证书链场景示意图;FIG4 is a schematic diagram of a first certificate chain scenario provided in an embodiment of the present application;

图5为本申请实施例提供的第二种证书链场景示意图;FIG5 is a schematic diagram of a second certificate chain scenario provided in an embodiment of the present application;

图6为本申请实施例提供的第三种证书链场景示意图;FIG6 is a schematic diagram of a third certificate chain scenario provided in an embodiment of the present application;

图7为本申请实施例提供的第四种证书链场景示意图;FIG7 is a schematic diagram of a fourth certificate chain scenario provided in an embodiment of the present application;

图8为本申请实施例提供的第五种证书链场景示意图; FIG8 is a schematic diagram of a fifth certificate chain scenario provided in an embodiment of the present application;

图9为本申请实施例提供的第六种证书链场景示意图;FIG9 is a schematic diagram of a sixth certificate chain scenario provided in an embodiment of the present application;

图10为本申请实施例提供的一种数字证书管理装置的结构示意图;FIG10 is a schematic diagram of the structure of a digital certificate management device provided in an embodiment of the present application;

图11为本申请实施例提供的一种数字证书管理设备的结构示意图。FIG11 is a schematic diagram of the structure of a digital certificate management device provided in an embodiment of the present application.

具体实施方式DETAILED DESCRIPTION

本申请的核心是提供一种数字证书管理方法、装置、设备、系统及非易失性可读存储介质,用于提高数字证书管理系统的安全性,进而提高证书拥有者的安全性和证书使用者的安全性。The core of this application is to provide a digital certificate management method, device, equipment, system and non-volatile readable storage medium to improve the security of the digital certificate management system, thereby improving the security of the certificate owner and the security of the certificate user.

下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例仅仅是本申请一部分实施例,而不是全部的实施例。基于本申请中的实施例,本领域普通技术人员在没有做出创造性劳动前提下所获得的所有其他实施例,都属于本申请保护的范围。The following will be combined with the drawings in the embodiments of the present application to clearly and completely describe the technical solutions in the embodiments of the present application. Obviously, the described embodiments are only part of the embodiments of the present application, not all of the embodiments. Based on the embodiments in the present application, all other embodiments obtained by ordinary technicians in this field without creative work are within the scope of protection of this application.

下面对本申请实施例一进行说明。The first embodiment of the present application is described below.

图1为本申请实施例提供的一种数字证书管理系统的结构示意图。FIG1 is a schematic diagram of the structure of a digital certificate management system provided in an embodiment of the present application.

为便于理解,首先对本申请提供的数字证书管理系统和相关定义进行介绍。To facilitate understanding, the digital certificate management system and related definitions provided by this application are first introduced.

如图1所示,本申请实施例提供的数字证书管理系统,包括:业务设备101和数字证书设备102;As shown in FIG1 , the digital certificate management system provided in the embodiment of the present application includes: a business device 101 and a digital certificate device 102;

其中,业务设备101用于根据目标业务的需求,生成数字证书颁发请求;将数字证书颁发请求发送至数字证书设备102,以使数字证书设备102生成目标业务的证书链;对证书链进行合法性验证通过后,利用证书链部署目标业务;The service device 101 is used to generate a digital certificate issuance request according to the needs of the target service; send the digital certificate issuance request to the digital certificate device 102, so that the digital certificate device 102 generates a certificate chain of the target service; after the certificate chain is verified to be legitimate, the target service is deployed using the certificate chain;

其中,证书链至少包括一个由证书颁发机构颁发的公钥基础设施证书和一个基于机密计算环境生成的机密计算证书。The certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment.

数字证书的类型主要有两种,分别为证书颁发机构(Certificate Authority,CA)颁发的公钥基础设施(Public Key Infrastructure,PKI)证书和基于可信执行环境(Trusted Execution Environment,TEE)生成的机密计算证书。There are two main types of digital certificates: Public Key Infrastructure (PKI) certificates issued by a Certificate Authority (CA) and confidential computing certificates generated based on a Trusted Execution Environment (TEE).

一个完整的公钥基础设施基本结构由证书颁发机构(Certificate Authority,CA)、数字证书注册中心(Registration Authority,RA)、签发系统、密钥管理平台、应用程序接口(Application Programming Interface,API)组成。在本申请实施例中,定义由证书颁发机构颁发的数字证书为公钥基础设施证书。A complete public key infrastructure basic structure consists of a certificate authority (CA), a digital certificate registration center (RA), an issuance system, a key management platform, and an application programming interface (API). In the embodiment of the present application, a digital certificate issued by a certificate authority is defined as a public key infrastructure certificate.

可信执行环境为通过软硬件方法在中央处理器中构建一个安全区域,保证其内部加载的程序和数据在机密性和完整性上得到保护。搭建可信执行环境的设备需要预置集成的商用中央处理器计算芯片。在相关技术中,可以在可信执行环境中构造可信的自签名证书,将硬件可信执行环境作为硬件可信根,将证书与硬件环境强绑定,剔除了公有证书颁发机构的影响。在本申请实施例中,定义拥有可信执行环境的设备为机密计算设备,利用可信执行环境中构造的证书为机密计算证书。The trusted execution environment is a secure area built in the central processing unit through software and hardware methods to ensure that the programs and data loaded inside it are protected in terms of confidentiality and integrity. The equipment that builds the trusted execution environment needs to be pre-installed with an integrated commercial central processing unit computing chip. In the related technology, a trusted self-signed certificate can be constructed in the trusted execution environment, and the hardware trusted execution environment can be used as a hardware trusted root to strongly bind the certificate to the hardware environment, eliminating the influence of the public certificate authority. In the embodiment of the present application, a device with a trusted execution environment is defined as a confidential computing device, and a certificate constructed in a trusted execution environment is defined as a confidential computing certificate.

数字证书的拥有者可以是一个人、组织或网站,可以部署于设备中。The owner of a digital certificate can be a person, organization, or website and can be deployed in a device.

在相关技术中,对于生成证书的请求,数字证书管理体系往往是给予单种类型的数字证书,即要么提供单个公钥基础设施证书或多个公钥基础设施证书构成的证书链,要么是基于可信执行环境生成精密计算证书。可以理解的是,由于基于可信执行环境生成的机密计算证书将证书的可信度与硬件环境进行绑定,相较于由第三方的证书颁发机构来颁发的公钥基础 设施证书安全性更高。但是仅仅靠机密计算证书,还是依赖于对硬件环境的信任。故在本申请实施例中,提供一种混合数据证书的方案。对于生成证书的请求,生成包含混合数字证书的证书链,即证书链中既有公钥基础设施证书又有机密计算证书。在本申请实施例提供的数字证书管理系统生成的证书链中,相较于相关技术中的单种类型数字证书,由单个信任体系扩大到了两个信任体系,减弱了对单个信任体系的依赖,从而进一步提高了证书链的安全性,而证书拥有者的安全性和证书使用者的安全性也得到了进一步的提升。In the related art, for requests to generate certificates, the digital certificate management system often provides a single type of digital certificate, that is, either providing a single public key infrastructure certificate or a certificate chain consisting of multiple public key infrastructure certificates, or generating a confidential computing certificate based on a trusted execution environment. It is understandable that since the confidential computing certificate generated based on a trusted execution environment binds the credibility of the certificate to the hardware environment, compared with the public key infrastructure issued by a third-party certificate authority, the confidential computing certificate generated based on the trusted execution environment is more reliable than the public key infrastructure issued by a third-party certificate authority. Facility certificates are more secure. However, relying solely on confidential computing certificates still relies on trust in the hardware environment. Therefore, in an embodiment of the present application, a hybrid data certificate solution is provided. For a request to generate a certificate, a certificate chain containing a hybrid digital certificate is generated, that is, the certificate chain contains both a public key infrastructure certificate and a confidential computing certificate. In the certificate chain generated by the digital certificate management system provided in the embodiment of the present application, compared to a single type of digital certificate in the related art, the trust system has been expanded from a single trust system to two trust systems, reducing the reliance on a single trust system, thereby further improving the security of the certificate chain, and the security of the certificate owner and the security of the certificate user have also been further improved.

需要说明的是,在本申请实施例中,数字证书设备102和业务设备101共同构成了证书链的各级数字证书所对应的数字证书设备102,即业务设备101作为最后一级数字证书设备102存在,各级数字证书设备102均持有对应的数字证书。证书链至少包括两级数字证书,即除了业务设备101外,至少包括一个数字证书设备102配合生成证书链。一级数字证书可以包括多个数字证书。在本申请实施例中,“级”代表证书链的环节。It should be noted that in the embodiment of the present application, the digital certificate device 102 and the business device 101 together constitute the digital certificate device 102 corresponding to the digital certificates at each level of the certificate chain, that is, the business device 101 exists as the last level of digital certificate device 102, and the digital certificate devices 102 at each level hold the corresponding digital certificates. The certificate chain includes at least two levels of digital certificates, that is, in addition to the business device 101, at least one digital certificate device 102 is included to cooperate in generating the certificate chain. A first-level digital certificate may include multiple digital certificates. In the embodiment of the present application, "level" represents the link of the certificate chain.

当业务设备101产生部署目标业务的需求时,需要得到与目标业务对应的数字证书,则可以根据目标业务的安全级别来确定证书链中不同类型数字证书的组合方式,而后对应将数字证书颁发请求发送给各级数字证书设备102。数字证书设备102生成证书链的过程为自第一级数字证书设备102开始,先生成先通过自签名得到的根证书。第一级证书设备自行验签通过后,签发对第二级数字证书设备102的第二级数字证书。第二级数字证书设备102对第二级数字证书通过后确认第二级数字证书合法。如还存在第三级数字证书设备102则继续执行向第三级数字证书设备102签发第三级数字证书的步骤。若第二级数字证书设备102即为业务设备101,则业务设备101收到第二级数字证书并验签通过后,利用合法的第二级数字证书配合部署目标业务。当业务需求方想要使用目标业务时,业务需求方则获取目标业务对应的证书链中的各级数字证书进行逐级验签,逐级验签通过后确定目标业务合法,可以使用。When the business device 101 has a need to deploy the target business, it needs to obtain a digital certificate corresponding to the target business. The combination of different types of digital certificates in the certificate chain can be determined according to the security level of the target business, and then the digital certificate issuance request is sent to the digital certificate devices 102 at each level. The process of the digital certificate device 102 generating a certificate chain starts from the first-level digital certificate device 102, and first generates a root certificate obtained by self-signing. After the first-level certificate device passes the self-signature verification, it issues a second-level digital certificate to the second-level digital certificate device 102. The second-level digital certificate device 102 confirms that the second-level digital certificate is legal after passing the second-level digital certificate. If there is still a third-level digital certificate device 102, continue to execute the step of issuing a third-level digital certificate to the third-level digital certificate device 102. If the second-level digital certificate device 102 is the business device 101, then after the business device 101 receives the second-level digital certificate and passes the signature verification, it uses the legal second-level digital certificate to cooperate in deploying the target business. When the business demander wants to use the target business, the business demander obtains the digital certificates at each level in the certificate chain corresponding to the target business and verifies the signatures step by step. After passing the verification step by step, it is determined that the target business is legal and can be used.

参考上述数字证书管理系统,下面结合附图对本申请实施例提供的数字证书管理方法进行说明。With reference to the above-mentioned digital certificate management system, the digital certificate management method provided in the embodiment of the present application is described below in conjunction with the accompanying drawings.

下面对本申请实施例二进行说明。The second embodiment of the present application is described below.

图2为本申请实施例提供的一种数字证书管理方法的流程图。FIG2 is a flow chart of a digital certificate management method provided in an embodiment of the present application.

如图2所示,本申请实施例提供的数字证书管理方法包括:As shown in FIG2 , the digital certificate management method provided in the embodiment of the present application includes:

S201:根据目标业务的需求,生成数字证书颁发请求。S201: Generate a digital certificate issuance request according to the needs of the target business.

S202:将数字证书颁发请求发送至数字证书设备,以使数字证书设备生成目标业务的证书链;其中,证书链至少包括一个由证书颁发机构颁发的公钥基础设施证书和一个基于机密计算环境生成的机密计算证书。S202: Send a digital certificate issuance request to a digital certificate device so that the digital certificate device generates a certificate chain for the target business; wherein the certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment.

S203:对证书链进行合法性验证通过后,利用证书链部署目标业务。S203: After the certificate chain is verified to be legitimate, the target service is deployed using the certificate chain.

在具体实施中,本申请实施例提供的数字证书管理方法可以应用于个人用户设备或集体用户设备,例如可以应用于文件发送设备或业务服务器。在本申请实施例中,定义由目标设备执行本申请实施例提供的数字证书管理方法的步骤。In specific implementation, the digital certificate management method provided in the embodiment of the present application can be applied to individual user devices or collective user devices, for example, it can be applied to file sending devices or service servers. In the embodiment of the present application, the steps of the digital certificate management method provided in the embodiment of the present application executed by the target device are defined.

当业务服务器需要推出业务时,需要得到数字证书确保业务的合法性,以进行对目标业务的部署。当文件发送设备需要发送文件时,如用户A需要向用户B发送文件,则用户A发送的文件需具有合法的数字证书以保证文件的合法性。在数据加解密场景,也可以应用数字证书作为合法性验证工具。 When a service server needs to launch a service, it needs to obtain a digital certificate to ensure the legitimacy of the service in order to deploy the target service. When a file sending device needs to send a file, such as user A needs to send a file to user B, the file sent by user A must have a legal digital certificate to ensure the legitimacy of the file. In data encryption and decryption scenarios, digital certificates can also be used as a legitimacy verification tool.

对于S201,目标业务可以包括但不限于上文提出的业务服务器所推出的业务、文件发送设备的文件发送需求以及数据加解密业务。根据目标业务的需求生成数字证书颁发请求,具体在将公共基础设施证书和机密计算证书结合的情况下,可以根据场景、需求、安全等级的不同,产生多种类型的数字证书,供使用者灵活选择。For S201, the target business may include but is not limited to the business launched by the business server mentioned above, the file sending requirements of the file sending device, and the data encryption and decryption business. A digital certificate issuance request is generated according to the needs of the target business. Specifically, when the public infrastructure certificate and the confidential computing certificate are combined, various types of digital certificates can be generated according to different scenarios, requirements, and security levels for users to flexibly choose.

在一种实施中,S202:根据目标业务的需求,生成数字证书颁发请求,可以包括:In one implementation, S202: generating a digital certificate issuance request according to the requirements of the target business may include:

根据目标业务的安全需求,确定证书链中公钥基础设施证书和机密计算证书的组合方式;Determine the combination of the public key infrastructure certificate and confidential computing certificate in the certificate chain based on the security requirements of the target business;

根据证书链中公钥基础设施证书和机密计算证书的组合方式,确定对应的数字证书设备;Determine the corresponding digital certificate device according to the combination of the public key infrastructure certificate and the confidential computing certificate in the certificate chain;

生成对各数字证书设备的数字证书颁发请求。Generate a digital certificate issuance request for each digital certificate device.

由于机密计算证书的安全性相较于公共设施证书相对较高,若目标业务的安全需求较高,则可以在证书链中部署较多的机密计算证书。而由于机密计算证书对所在设备有硬件要求,生成成本较高,在目标业务的安全需求不高的情况下,可以在证书链中部署较少的机密计算证书。为了进一步提高目标业务的安全程度,证书链的一级数字证书可以包括多个数字证书,其中还可以包括由多种方式生成的数字证书,以提高单级数字证书的安全性,进一步提高证书链的安全性。Since the security of confidential computing certificates is relatively higher than that of public utility certificates, if the security requirements of the target business are high, more confidential computing certificates can be deployed in the certificate chain. However, since confidential computing certificates have hardware requirements for the device where they are located and the generation cost is high, if the security requirements of the target business are not high, fewer confidential computing certificates can be deployed in the certificate chain. In order to further improve the security of the target business, the first-level digital certificate of the certificate chain can include multiple digital certificates, which can also include digital certificates generated by multiple methods, to improve the security of the single-level digital certificate and further improve the security of the certificate chain.

对于S202,如本申请上一实施例所介绍的,产生目标业务需求的设备为证书链所对应的最后一级数字证书设备,而前级数字证书设备均为生成并颁发数字证书的设备。业务设备将数字证书颁发请求发送至数字证书设备,以使数字证书设备生成目标业务的证书链,可以由业务设备先向上一级数字证书设备发送数字证书颁发请求,数字证书颁发请求中携带整个证书链所对应的各级数字证书设备的信息以及所需要生成数字证书的类型,以使业务设备的上一级数字证书设备向上逐级传递数字证书颁发请求,再逐级向下生成数字证书,形成证书链。或者,业务设备也可以根据证书链中对应的数字证书设备分别将数字证书颁发请求发送给各级数字证书设备,数字证书颁发请求中携带整个证书链所对应的各级数字证书设备的信息以及所需要生成数字证书的类型,以使证书链的第一级数字证书设备向下逐级生成数字证书,形成证书链。For S202, as described in the previous embodiment of the present application, the device that generates the target business demand is the last level digital certificate device corresponding to the certificate chain, and the previous level digital certificate devices are all devices that generate and issue digital certificates. The business device sends a digital certificate issuance request to the digital certificate device so that the digital certificate device generates a certificate chain for the target business. The business device can first send a digital certificate issuance request to the upper level digital certificate device. The digital certificate issuance request carries the information of the digital certificate devices at all levels corresponding to the entire certificate chain and the type of digital certificate that needs to be generated, so that the upper level digital certificate device of the business device passes the digital certificate issuance request upward step by step, and then generates digital certificates step by step downward to form a certificate chain. Alternatively, the business device can also send digital certificate issuance requests to digital certificate devices at all levels according to the corresponding digital certificate devices in the certificate chain. The digital certificate issuance request carries the information of the digital certificate devices at all levels corresponding to the entire certificate chain and the type of digital certificate that needs to be generated, so that the first level digital certificate device of the certificate chain generates digital certificates step by step downward to form a certificate chain.

基于本申请实施例提供的混合证书方案,证书链至少包括一个公钥基础设施证书和一个机密计算证书。例如,证书链包括两级数字证书且各级均对应一个数字证书,则两级数字证书中一个为公钥基础设施证书,另一个为机密计算证书。Based on the hybrid certificate solution provided in the embodiment of the present application, the certificate chain includes at least one public key infrastructure certificate and one confidential computing certificate. For example, the certificate chain includes two levels of digital certificates and each level corresponds to a digital certificate, then one of the two levels of digital certificates is a public key infrastructure certificate and the other is a confidential computing certificate.

对于S203,在证书链的生成过程中,即逐级生成数字证书的过程中进行数字证书的合法性验证。证书链的生成过程中,数字证书颁发者利用非对称密钥中的私钥对数字证书信息进行签名后得到包含数字证书信息明文和对应的数字签名的数字证书。数字证书颁发者将数字证书和对应的公钥一起颁发给数字证书拥有者。数字证书拥有者则利用非对称密钥中的公钥对数字证书进行验签,即通过公钥对数字证书中的数字签名进行解密后与数字证书信息明文对比,若一致则确定数字证书合法,如果不一致则确定数字证书不合法。则在逐级生成数字证书的过程中,验签也是逐级进行的,每生成一级数字证书,均通过验签进行合法性验证后才能进入下一级数字证书的生成过程。而在各级数字证书均通过合法性验证后,得到一条通过合法性验证的证书链,从而可以用于部署目标业务的数字证书。For S203, the legitimacy of the digital certificate is verified during the generation of the certificate chain, that is, during the step-by-step generation of the digital certificate. During the generation of the certificate chain, the digital certificate issuer signs the digital certificate information using the private key in the asymmetric key to obtain a digital certificate containing the plain text of the digital certificate information and the corresponding digital signature. The digital certificate issuer issues the digital certificate and the corresponding public key to the digital certificate owner. The digital certificate owner verifies the digital certificate using the public key in the asymmetric key, that is, decrypts the digital signature in the digital certificate using the public key and compares it with the plain text of the digital certificate information. If they are consistent, the digital certificate is determined to be legal, and if they are inconsistent, the digital certificate is determined to be illegal. In the step-by-step generation of the digital certificate, the signature verification is also carried out step by step. Each digital certificate of the next level can only be generated after the legitimacy verification is carried out through the signature verification before entering the generation process of the next level of digital certificate. After the digital certificates at all levels pass the legitimacy verification, a certificate chain that passes the legitimacy verification is obtained, which can be used to deploy the digital certificate of the target business.

数字证书信息可以包括但不限于:证书颁发者信息、证书拥有者信息和用户自定义扩展信息。机密计算证书的数字证书信息还包括证书拥有者的公钥,乃至证书拥有者的远程证明设备。 The digital certificate information may include, but is not limited to: certificate issuer information, certificate owner information, and user-defined extended information. The digital certificate information of a confidential computing certificate also includes the public key of the certificate owner and even the remote attestation device of the certificate owner.

数字证书的管理周期除了包括数字证书的生成过程外,还可以包括数字证书的使用过程。则本申请实施例提供的数字证书管理方法还可以包括:在接收到请求方设备对目标业务的应用请求后,对证书链进行合法性验证以使请求方设备在确定证书链合法后确定目标业务合法。The management cycle of a digital certificate includes not only the process of generating a digital certificate, but also the process of using a digital certificate. The digital certificate management method provided in the embodiment of the present application may also include: after receiving an application request from a requesting device for a target service, verifying the legitimacy of the certificate chain so that the requesting device determines that the target service is legitimate after determining that the certificate chain is legitimate.

在本申请实施例中,定义数字证书使用者为想要应用目标业务的请求方设备。在业务设备提供目标业务给请求方设备使用,或请求方设备向业务设备请求使用目标业务时,请求方设备均需要对目标业务对应的证书链进行合法性验证。合法性验证的过程与生成证书链时的合法性验证过程类似,通过逐级向上验签,在确定证书链的各级数字证书均合法时,请求方设备与业务设备完成握手,可以使用目标业务。In the embodiment of the present application, the digital certificate user is defined as the requesting device that wants to apply the target service. When the service device provides the target service to the requesting device, or the requesting device requests the service device to use the target service, the requesting device needs to verify the legitimacy of the certificate chain corresponding to the target service. The legitimacy verification process is similar to the legitimacy verification process when the certificate chain is generated. By verifying the signatures step by step, when it is determined that the digital certificates at all levels of the certificate chain are legal, the requesting device completes the handshake with the service device and can use the target service.

本申请实施例提供的数字证书管理方法,通过根据目标业务的需求,生成数字证书颁发请求,将数字证书颁发请求发送至数字证书设备,以使数字证书设备生成目标业务的证书链,该证书链至少包括一个由证书颁发机构颁发的公钥基础设施证书和一个基于机密计算环境生成的机密计算证书;通过由公钥基础设施证书和机密计算证书构成的混合数字证书组成的证书链,相较于相关技术中的单个公钥基础设施证书或仅由公钥基础设施证书构成的证书链,增加了证书链中的信任方,即除了证书颁发机构外,引入了生成机密计算证书的可信执行环境作为其中一个信任方,从而减少了对证书颁发机构的安全依赖,提高了证书链的安全性,进而提高了证书拥有者的安全性和证书使用者的安全性。在对证书链进行验签通过后再部署目标业务,提高了目标业务的安全性。The digital certificate management method provided in the embodiment of the present application generates a digital certificate issuance request according to the needs of the target business, and sends the digital certificate issuance request to the digital certificate device so that the digital certificate device generates a certificate chain for the target business, and the certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment; the certificate chain composed of a hybrid digital certificate consisting of a public key infrastructure certificate and a confidential computing certificate increases the trusted party in the certificate chain compared to a single public key infrastructure certificate or a certificate chain consisting only of a public key infrastructure certificate in the related technology, that is, in addition to the certificate authority, a trusted execution environment for generating a confidential computing certificate is introduced as one of the trusted parties, thereby reducing the security dependence on the certificate authority, improving the security of the certificate chain, and further improving the security of the certificate owner and the security of the certificate user. The target business is deployed after the certificate chain is verified and passed, thereby improving the security of the target business.

下面对本申请实施例三进行说明。The third embodiment of the present application is described below.

在上述实施例中介绍了,为进一步提高证书链的安全性,除了证书链中至少包括一个公钥基础设施证书和一个机密计算证书外,还可以通过一级数字证书包括多个数字证书来提高证书链的安全性。而一级数字证书也可以为混合数字证书方案。In the above embodiment, in order to further improve the security of the certificate chain, in addition to including at least one public key infrastructure certificate and one confidential computing certificate in the certificate chain, the security of the certificate chain can also be improved by including multiple digital certificates in the primary digital certificate. The primary digital certificate can also be a hybrid digital certificate solution.

则在上述实施例的基础上,在本申请实施例提供的数字证书管理方法中,可以设置证书链中至少一级数字证书包括公钥基础设施证书和机密计算证书。On the basis of the above embodiments, in the digital certificate management method provided in the embodiments of the present application, at least one level of digital certificate in the certificate chain can be set to include a public key infrastructure certificate and a confidential computing certificate.

本申请提供的数字证书管理方法中,还可以通过证书链中至少一级数字证书包括公钥基础设施证书和机密计算证书,以在各级数字证书均为单种类型的数字证书的基础上进一步提高单级数字证书的安全性,进而提高整个证书链的安全性,提高证书拥有者的安全性和证书使用者的安全性。In the digital certificate management method provided in the present application, at least one level of digital certificate in the certificate chain can include a public key infrastructure certificate and a confidential computing certificate, so as to further improve the security of a single-level digital certificate on the basis that digital certificates at all levels are of a single type of digital certificate, thereby improving the security of the entire certificate chain, and improving the security of certificate owners and certificate users.

下面对本申请实施例四进行说明。The fourth embodiment of the present application is described below.

图3为本申请实施例提供的一种数字证书设备生成目标业务的证书链的流程图。FIG3 is a flow chart of a digital certificate device generating a certificate chain for a target business provided by an embodiment of the present application.

在上述实施例的基础上,本申请实施例进一步对生成证书链的过程进行说明。Based on the above embodiments, the embodiments of the present application further illustrate the process of generating a certificate chain.

在本申请实施例提供的数字证书管理方法中,S202中数字证书设备生成目标业务的证书链,包括:In the digital certificate management method provided in the embodiment of the present application, in S202, the digital certificate device generates a certificate chain for the target service, including:

S301:用于持有证书链的第一级数字证书的第一级数字证书设备通过自签名方式生成第一级数字证书并对第一级数字证书验签通过后,确定第一级数字证书合法且第一级数字证书设备具有颁发数字证书的权限。S301: The first-level digital certificate device for holding the first-level digital certificate of the certificate chain generates a first-level digital certificate by self-signing and verifies the first-level digital certificate, thereby determining that the first-level digital certificate is legal and that the first-level digital certificate device has the authority to issue digital certificates.

S302:自用于持有证书链的第二级数字证书的第二级数字证书设备起,当前级数字证书设备接收上一级数字证书设备颁发的当前级数字证书并对当前级数字证书验签通过后,确定当前级数字证书合法。S302: Starting from the second-level digital certificate device for holding the second-level digital certificate of the certificate chain, the current-level digital certificate device receives the current-level digital certificate issued by the previous-level digital certificate device and verifies the signature of the current-level digital certificate, and determines that the current-level digital certificate is legal.

S303:在生成证书链的各级数字证书且各级数字证书均通过合法性验证后,得到证书链。 S303: After the digital certificates at all levels of the certificate chain are generated and all the digital certificates at all levels pass the legitimacy verification, the certificate chain is obtained.

在具体实施中,对于S301,证书链对应的第一级数字证书的拥有者为第一级数字证书设备。第一级数字证书设备通过自签名方式生成第一级数字证书,即为证书链的根证书。第一级数字证书设备自行对第一级数字证书进行验签,通过后确定第一级数字证书合法,且第一级数字证书设备具有颁发数字证书的权限。In the specific implementation, for S301, the owner of the first-level digital certificate corresponding to the certificate chain is the first-level digital certificate device. The first-level digital certificate device generates the first-level digital certificate by self-signing, which is the root certificate of the certificate chain. The first-level digital certificate device verifies the signature of the first-level digital certificate by itself, and after passing the verification, it is determined that the first-level digital certificate is legal, and the first-level digital certificate device has the authority to issue digital certificates.

S301:用于持有证书链的第一级数字证书的第一级数字证书设备通过自签名方式生成第一级数字证书并对第一级数字证书验签通过后,确定第一级数字证书合法且第一级数字证书设备具有颁发数字证书的权限,可以包括:S301: The first-level digital certificate device for holding the first-level digital certificate of the certificate chain generates the first-level digital certificate by self-signing and verifies the first-level digital certificate, and determines that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates, which may include:

若第一级数字证书为公钥基础设施证书,则第一级数字证书设备为证书颁发机构设备,第一级数字证书设备通过本地生成的非对称密钥中的私钥对本地数字证书信息进行签名,得到第一级数字证书;第一级数字证书设备通过本地生成的非对称密钥中的公钥对第一级数字证书进行验签通过后,确定第一级数字证书合法且第一级数字证书设备具有颁发数字证书的权限;If the first-level digital certificate is a public key infrastructure certificate, the first-level digital certificate device is a certificate authority device, and the first-level digital certificate device signs the local digital certificate information with the private key in the locally generated asymmetric key to obtain the first-level digital certificate; after the first-level digital certificate device verifies the signature of the first-level digital certificate with the public key in the locally generated asymmetric key, it is determined that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates;

若第一级数字证书为机密计算证书,则第一级数字证书设备为具有机密计算环境的机密计算设备,第一级数字证书设备通过本地机密计算环境中生成的非对称密钥的私钥对本地数字证书信息进行签名,得到第一级数字证书;第一级数字证书设备通过本地机密计算环境中生成的非对称密钥的公钥对第一级数字证书进行验签通过后,确定第一级数字证书合法且第一级数字证书设备具有颁发数字证书的权限。If the first-level digital certificate is a confidential computing certificate, the first-level digital certificate device is a confidential computing device with a confidential computing environment. The first-level digital certificate device signs the local digital certificate information with the private key of the asymmetric key generated in the local confidential computing environment to obtain the first-level digital certificate. After the first-level digital certificate is verified by the public key of the asymmetric key generated in the local confidential computing environment, it is determined that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates.

第一级数字证书中的公钥基础设施证书,是由证书颁发机构生成并颁发的。而作为第一级数字证书时,第一级数字证设备应为证书颁发机构设备,从而自行生成第一级的公钥基础设施证书。在生成过程中,第一级数字证书设备在本地生成一对非对称秘钥,利用其中的私钥对本地数字证书信息的明文进行签名,得到包含本地数字证书信息明文和本地数字证书信息的数字签名的第一级数字证书。第一级数字证书设备再通过上述非对称密钥中的公钥对第一级数字证书进行验签,通过后确定第一级数字证书合法,且此时第一级数字证书设备可以向第二级数字证书设备颁发数字证书。The public key infrastructure certificate in the first-level digital certificate is generated and issued by a certificate authority. When used as a first-level digital certificate, the first-level digital certificate device should be a certificate authority device, so as to generate a first-level public key infrastructure certificate by itself. During the generation process, the first-level digital certificate device generates a pair of asymmetric keys locally, and uses the private key therein to sign the plaintext of the local digital certificate information, thereby obtaining a first-level digital certificate containing the plaintext of the local digital certificate information and the digital signature of the local digital certificate information. The first-level digital certificate device then verifies the signature of the first-level digital certificate using the public key in the above-mentioned asymmetric key. If it passes, it is determined that the first-level digital certificate is legal, and at this time the first-level digital certificate device can issue a digital certificate to the second-level digital certificate device.

第一级数字证书中的机密计算证书,应基于本地的精密计算环境生成,则第一级数字证书设备应为具有机密计算环境的机密计算设备。在生成过程中,第一级的机密计算设备在本地精密计算环境中生成一对非对称密钥,并利用其中的私钥对本地数字证书信息的明文进行签名,得到包含本地数字证书信息的明文和本地数字证书信息的数字签名的第一级数字证书。第一级的精密计算设备再通过上述非对称密钥中的公钥对第一级数字证书进行验签,通过后确定第一级数字证书合法,且此时第一级数字证书设备可以向第二级数字证书设备颁发数字证书。The confidential computing certificate in the first-level digital certificate should be generated based on the local precision computing environment, so the first-level digital certificate device should be a confidential computing device with a confidential computing environment. During the generation process, the first-level confidential computing device generates a pair of asymmetric keys in the local precision computing environment, and uses the private key therein to sign the plaintext of the local digital certificate information, thereby obtaining a first-level digital certificate containing the plaintext of the local digital certificate information and the digital signature of the local digital certificate information. The first-level precision computing device then verifies the signature of the first-level digital certificate using the public key in the above asymmetric key. If it passes, it is determined that the first-level digital certificate is legal, and at this time the first-level digital certificate device can issue a digital certificate to the second-level digital certificate device.

为保证第一级数字证书中的机密计算证书是在机密计算环境中生成的,需要对本地机密计算环境进行真实性验证。则第一级数字证书设备通过本地机密计算环境中生成的非对称密钥的私钥对本地数字证书信息进行签名,可以包括:第一级数字证书设备在通过对本地机密计算环境进行真实性验证后,通过本地机密计算环境中生成的非对称密钥的私钥对本地数字证书信息进行签名。需要说明的是,第一级数字证书设备对本地机密计算环境进行真实性验证的步骤与第一级数字证书设备通过本地机密计算环境中生成的非对称密钥的私钥对本地数字证书信息进行签名的步骤可以无顺序关系,第一级数字证书设备对本地机密计算环境进行真实性验证的步骤与第一级数字证书设备通过本地生成的非对称密钥中的公钥对第一级数字 证书进行验签的步骤也可以无顺序关系,即可以在第一级数字证书设备通过对本地机密计算环境进行真实性验证并通过本地生成的非对称密钥中的公钥对第一级数字证书进行验签后,确定第一级数字证书合法且第一级数字证书设备具有颁发数字证书的权限。对于S302,在本申请实施例中,自证书链的第二级数字证书起,各级数字证书的生成均需要借助上一级数字证书设备。当前级数字证书设备将本地数字证书信息提供给上一级数字证书设备,上一级数字证书设备利用本地生成的非对称密钥中的公钥对当前级数字证书设备的本地数字证书信息进行签名,得到当前级数字证书,将当前级数字证书及对应的公钥提供给当前级数字证书设备,由当前级数字证书设备利用该公钥对当前级数字证书进行验签通过后,确定当前级数字证书合法。In order to ensure that the confidential computing certificate in the first-level digital certificate is generated in a confidential computing environment, the authenticity of the local confidential computing environment needs to be verified. Then the first-level digital certificate device signs the local digital certificate information by using the private key of the asymmetric key generated in the local confidential computing environment, which may include: after the first-level digital certificate device verifies the authenticity of the local confidential computing environment, it signs the local digital certificate information by using the private key of the asymmetric key generated in the local confidential computing environment. It should be noted that the step of the first-level digital certificate device verifying the authenticity of the local confidential computing environment and the step of the first-level digital certificate device signing the local digital certificate information by using the private key of the asymmetric key generated in the local confidential computing environment may have no sequential relationship, and the step of the first-level digital certificate device verifying the authenticity of the local confidential computing environment and the step of the first-level digital certificate device signing the local digital certificate information by using the public key of the locally generated asymmetric key The steps of verifying the signature of the certificate may also have no order relationship, that is, after the first-level digital certificate device verifies the authenticity of the local confidential computing environment and verifies the signature of the first-level digital certificate through the public key in the locally generated asymmetric key, it can be determined that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates. For S302, in the embodiment of the present application, starting from the second-level digital certificate of the certificate chain, the generation of digital certificates at all levels requires the help of the previous-level digital certificate device. The current-level digital certificate device provides the local digital certificate information to the previous-level digital certificate device, and the previous-level digital certificate device signs the local digital certificate information of the current-level digital certificate device using the public key in the locally generated asymmetric key to obtain the current-level digital certificate, and provides the current-level digital certificate and the corresponding public key to the current-level digital certificate device. After the current-level digital certificate device verifies the signature of the current-level digital certificate using the public key, it is determined that the current-level digital certificate is legal.

S302:自用于持有证书链的第二级数字证书的第二级数字证书设备起,当前级数字证书设备接收上一级数字证书设备颁发的当前级数字证书并对当前级数字证书验签通过后,确定当前级数字证书合法,可以包括:S302: From the second-level digital certificate device for holding the second-level digital certificate of the certificate chain, after the current-level digital certificate device receives the current-level digital certificate issued by the previous-level digital certificate device and verifies the signature of the current-level digital certificate, determining that the current-level digital certificate is legal may include:

若当前级数字证书为公钥基础设施证书,则当前级数字证书设备接收通过上一级数字证书设备生成的非对称密钥中的私钥对当前级数字证书设备的本地数字证书信息进行签名处理得到的当前级数字证书,并利用上一级数字证书设备生成的非对称密钥中的公钥对当前级数字证书验签通过后,确定当前级数字证书合法;If the current-level digital certificate is a public key infrastructure certificate, the current-level digital certificate device receives the current-level digital certificate obtained by signing the local digital certificate information of the current-level digital certificate device with the private key in the asymmetric key generated by the previous-level digital certificate device, and uses the public key in the asymmetric key generated by the previous-level digital certificate device to verify the signature of the current-level digital certificate. After the current-level digital certificate is passed, it is determined that the current-level digital certificate is legal;

若当前级数字证书为机密计算证书,则当前级数字证书设备利用本地机密计算环境中生成的非对称密钥中的私钥对当前级数字证书设备的本地数字证书信息进行自签名处理后,接收上一级数字证书设备生成的非对称密钥中的私钥对自签名处理后的本地数字证书信息进行签名处理得到当前级数字证书,利用本地机密计算环境中生成的非对称密钥中的公钥对当前级数字证书进行自签名验签通过,并利用上一级数字证书设备生成的非对称密钥中的公钥对当前级数字证书进行验签通过后,确定当前级数字证书合法。If the current-level digital certificate is a confidential computing certificate, the current-level digital certificate device uses the private key in the asymmetric key generated in the local confidential computing environment to self-sign the local digital certificate information of the current-level digital certificate device, receives the private key in the asymmetric key generated by the previous-level digital certificate device, signs the self-signed local digital certificate information to obtain the current-level digital certificate, uses the public key in the asymmetric key generated in the local confidential computing environment to self-sign the current-level digital certificate, and after the current-level digital certificate is verified by the public key in the asymmetric key generated by the previous-level digital certificate device, the current-level digital certificate is determined to be legal.

非第一级数字证书中的公钥基础设施证书,是完全由上一级数字证书设备进行签名并颁发的。在生成过程中,当前级数字证书设备将本地数字证书信息提供给上一级数字证书设备,由上一级证数字证书设备利用本地生成的非对称密钥中的私钥对当前级数字证书设备的本地数字证书信息进行签名,得到包含当前级数字证书设备的本地数字证书信息明文和当前级数字证书设备的本地数字证书信息的数字签名的当前级数字证书。上一级数字证书设备将当前级数字证书和对应的公钥发送给当前级数字证书设备。当前级数字证书设备通过该公钥对当前级数字证书进行验签,通过后确定当前级数字证书合法。若当前级数字证书设备为业务设备,则证书链生成完毕;若当前级数字证书设备不是业务设备,则当前级数字证书设备继续为下一级数字证书设备颁发数字证书。The public key infrastructure certificate in the non-first-level digital certificate is completely signed and issued by the previous-level digital certificate device. During the generation process, the current-level digital certificate device provides the local digital certificate information to the previous-level digital certificate device, and the previous-level digital certificate device uses the private key in the locally generated asymmetric key to sign the local digital certificate information of the current-level digital certificate device, and obtains the current-level digital certificate containing the local digital certificate information plaintext of the current-level digital certificate device and the digital signature of the local digital certificate information of the current-level digital certificate device. The previous-level digital certificate device sends the current-level digital certificate and the corresponding public key to the current-level digital certificate device. The current-level digital certificate device verifies the signature of the current-level digital certificate through the public key, and determines that the current-level digital certificate is legal after passing. If the current-level digital certificate device is a business device, the certificate chain is generated; if the current-level digital certificate device is not a business device, the current-level digital certificate device continues to issue digital certificates to the next-level digital certificate device.

非第一级数字证书中的机密计算证书,则是分别通过当前级数字证书设备进行自签名以及利用上一级数字证书设备的私钥进行签名。在生成过程中,当前级数字证书设备在本地机密计算环境中生成一对非对称密钥,利用其中的私钥对本地数字证书信息的明文进行签名,得到包含本地数字证书信息的明文和本地数字证书信息的数字签名的本地数字证书信息。当前级数字证书设备再通过上一级数字证书设备生成的非对称密钥中的私钥对自签名后的本地数字证书信息进行签名,得到包含自签名和上一级签名的当前级数字证书。在进行验签时,当前级数字证书设备分别利用本地机密计算环境中对应的公钥对当前级数字证书中的自签名 进行验签,以及利用上一级数字证书设备提供的公钥对当前级数字证书中的上一级签名进行验签。The confidential computing certificates in non-first-level digital certificates are self-signed by the current-level digital certificate device and signed using the private key of the previous-level digital certificate device. During the generation process, the current-level digital certificate device generates a pair of asymmetric keys in the local confidential computing environment, and uses the private key therein to sign the plaintext of the local digital certificate information, thereby obtaining local digital certificate information containing the plaintext of the local digital certificate information and the digital signature of the local digital certificate information. The current-level digital certificate device then signs the self-signed local digital certificate information using the private key in the asymmetric key generated by the previous-level digital certificate device, thereby obtaining the current-level digital certificate containing the self-signature and the previous-level signature. When verifying the signature, the current-level digital certificate device uses the corresponding public key in the local confidential computing environment to sign the self-signed signature in the current-level digital certificate. Verify the signature and use the public key provided by the previous digital certificate device to verify the previous signature in the current digital certificate.

可以看到,本申请实施例提供了一种新的机密计算证书方案,即该机密计算证书既包含自签名又包含上一级签名,相较于相关技术中的机密计算证书安全性更高。It can be seen that the embodiment of the present application provides a new confidential computing certificate solution, that is, the confidential computing certificate contains both a self-signature and an upper-level signature, which is more secure than the confidential computing certificate in the related technology.

为保证当前级数字证书中的机密计算证书是在机密计算环境中生成的,需要对本地机密计算环境进行真实性验证。则当前级数字证书设备利用本地机密计算环境中生成的非对称密钥中的私钥对当前级数字证书设备的本地数字证书信息进行自签名处理,可以包括:当前级数字证书设备在通过对本地机密计算环境进行真实性验证后,利用本地机密计算环境中生成的非对称密钥中的私钥对当前级数字证书设备的本地数字证书信息进行自签名处理。通过在进行自签名之前先对本地机密计算环境进行真实性验证,通过真实性验证后,再利用本地机密计算环境中生成的非对称密钥中的私钥进行自签名,进一步提高了生成机密计算证书的安全性。需要说明的是,当前级数字证书设备对本地机密计算环境进行真实性验证的步骤与当前级数字证书设备通过本地机密计算环境中生成的非对称密钥的私钥对本地数字证书信息进行签名的步骤可以无顺序关系,当前级数字证书设备对本地机密计算环境进行真实性验证的步骤与当前级数字证书设备通过本地生成的非对称密钥中的公钥对当前级数字证书进行验签的步骤也可以无顺序关系,即可以在当前级数字证书设备通过对本地机密计算环境进行真实性验证并通过本地生成的非对称密钥中的公钥对当前级数字证书进行验签后,确定当前级数字证书合法。In order to ensure that the confidential computing certificate in the current-level digital certificate is generated in a confidential computing environment, the authenticity of the local confidential computing environment needs to be verified. Then the current-level digital certificate device uses the private key in the asymmetric key generated in the local confidential computing environment to self-sign the local digital certificate information of the current-level digital certificate device, which can include: after the current-level digital certificate device verifies the authenticity of the local confidential computing environment, it uses the private key in the asymmetric key generated in the local confidential computing environment to self-sign the local digital certificate information of the current-level digital certificate device. By verifying the authenticity of the local confidential computing environment before self-signing, and then using the private key in the asymmetric key generated in the local confidential computing environment to self-sign after the authenticity verification, the security of generating confidential computing certificates is further improved. It should be noted that the step in which the current-level digital certificate device verifies the authenticity of the local confidential computing environment and the step in which the current-level digital certificate device signs the local digital certificate information by using the private key of the asymmetric key generated in the local confidential computing environment may have no sequential relationship, and the step in which the current-level digital certificate device verifies the authenticity of the local confidential computing environment and the step in which the current-level digital certificate device verifies the signature of the current-level digital certificate by using the public key in the locally generated asymmetric key may also have no sequential relationship, that is, the current-level digital certificate can be determined to be legal after the current-level digital certificate device verifies the authenticity of the local confidential computing environment and verifies the signature of the current-level digital certificate by using the public key in the locally generated asymmetric key.

而不论当前级数字证书的类型是什么,均需要由上一级数字证书设备进行签名,若上一级数字证书设备提供用于进行签名以及验签的非对称密钥是在机密计算环境中生成的,则还应该对上一级数字签名设备上一级数字证书设备进行本地机密计算环境的真实性验证。Regardless of the type of the current-level digital certificate, it needs to be signed by the previous-level digital certificate device. If the asymmetric key provided by the previous-level digital certificate device for signing and verifying the signature is generated in a confidential computing environment, the authenticity of the local confidential computing environment should also be verified for the previous-level digital certificate device on the previous-level digital signature device.

则若上一级数字证书设备生成的非对称密钥为在本地机密计算环境中生成的非对称密钥,当前级数字证书设备接收通过上一级数字证书设备生成的非对称密钥中的私钥对当前级数字证书设备的本地数字证书信息进行签名处理得到的当前级数字证书,可以包括:当前级数字证书设备在触发对上一级数字证书设备的本地机密计算环境的真实性验证并通过后,获取上一级数字证书设备的本地机密计算环境中生成的非对称密钥中的私钥对当前级数字证书设备的本地数字证书信息进行签名处理得到的当前级数字证书。If the asymmetric key generated by the previous-level digital certificate device is an asymmetric key generated in a local confidential computing environment, the current-level digital certificate device receives the current-level digital certificate obtained by signing the local digital certificate information of the current-level digital certificate device with the private key in the asymmetric key generated by the previous-level digital certificate device, which may include: after the current-level digital certificate device triggers and passes the authenticity verification of the local confidential computing environment of the previous-level digital certificate device, the current-level digital certificate obtained by obtaining the private key in the asymmetric key generated in the local confidential computing environment of the previous-level digital certificate device to sign the local digital certificate information of the current-level digital certificate device.

若上一级数字证书设备生成的非对称密钥为在本地机密计算环境中生成的非对称密钥,当前级数字证书设备接收上一级数字证书设备生成的非对称密钥中的私钥对自签名处理后的本地数字证书信息进行签名处理得到当前级数字证书,可以包括:当前级数字证书设备在触发对上一级数字证书设备的本地机密计算环境的真实性验证并通过后,获取上一级数字证书设备的本地机密计算环境中生成的非对称密钥中的私钥对自签名处理后的本地数字证书信息进行签名处理得到当前级数字证书。If the asymmetric key generated by the previous-level digital certificate device is an asymmetric key generated in the local confidential computing environment, the current-level digital certificate device receives the private key in the asymmetric key generated by the previous-level digital certificate device to sign the self-signed local digital certificate information to obtain the current-level digital certificate, which may include: after the current-level digital certificate device triggers and passes the authenticity verification of the local confidential computing environment of the previous-level digital certificate device, obtaining the private key in the asymmetric key generated in the local confidential computing environment of the previous-level digital certificate device to sign the self-signed local digital certificate information to obtain the current-level digital certificate.

即是说,若上一级数字证书设备为当前级数字证书设备签发数字证书时是采用机密计算环境中生成的非对称密钥中的私钥进行签名的,则先通过对上一级数字证书设备的机密计算环境的真实性验证,再接收上一级数字证书设备签发的当前级数字证书。That is to say, if the previous-level digital certificate device uses the private key in the asymmetric key generated in the confidential computing environment to sign the digital certificate for the current-level digital certificate device, the authenticity of the confidential computing environment of the previous-level digital certificate device must be verified first, and then the current-level digital certificate issued by the previous-level digital certificate device is received.

在一些实施中,第一级数字证书设备通过本地机密计算环境中生成的非对称密钥的公钥对第一级数字证书进行验签通过后,确定第一级数字证书合法且第一级数字证书设备具有颁发数字证书的权限,可以包括:第一级数字证书设备比较计算得到的机密计算证书中的本体 公钥的哈希值和机密计算证书中的远程证明数据中的公钥哈希值一致,且通过本体公钥对第一级数字证书进行验签通过后,确定第一级数字证书合法且第一级数字证书设备具有颁发数字证书的权限。远程证明数据是机密计算证书中用于进行所在设备的本地机密计算环境真实性验证的数据,第一级数字证书设备在生成第一级数字证书时,通过将基于机密计算环境生成的非对称密钥中的公钥的哈希值放在远程证明数据中,可以在经过远程证明第一级数字证书设备的本地机密计算环境的真实性时完成对公钥哈希值的合法性验证,而在第一级数字证书设备对本地的机密计算证书进行验签时,在经过远程证明本地机密计算环境具有真实性后,比较计算得到的机密计算证书中的本体公钥的哈希值和机密计算证书中的远程证明数据中的公钥哈希值一致,且通过本体公钥对第一级数字证书进行验签通过后,确定第一级数字证书合法且第一级数字证书设备具有颁发数字证书的权限。In some implementations, after the first-level digital certificate is verified by the public key of the asymmetric key generated in the local confidential computing environment, determining that the first-level digital certificate is legitimate and the first-level digital certificate device has the authority to issue the digital certificate may include: the first-level digital certificate device compares the calculated confidential computing certificate with the subject The hash value of the public key is consistent with the hash value of the public key in the remote attestation data in the confidential computing certificate, and after the signature of the first-level digital certificate is verified by the main body public key, it is determined that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates. The remote attestation data is the data in the confidential computing certificate used to verify the authenticity of the local confidential computing environment of the device. When the first-level digital certificate device generates the first-level digital certificate, by placing the hash value of the public key in the asymmetric key generated based on the confidential computing environment in the remote attestation data, the legality verification of the public key hash value can be completed when the authenticity of the local confidential computing environment of the first-level digital certificate device is remotely attested. When the first-level digital certificate device verifies the signature of the local confidential computing certificate, after the local confidential computing environment is remotely attested, the hash value of the main body public key in the confidential computing certificate calculated is compared with the hash value of the public key in the remote attestation data in the confidential computing certificate. After the signature of the first-level digital certificate is verified by the main body public key, it is determined that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates.

同理,当前级数字证书设备利用本地机密计算环境中生成的非对称密钥中的公钥对当前级数字证书进行自签名验签通过,可以包括:当前级数字证书设备比较计算得到的机密计算证书中的本体公钥的哈希值和机密计算证书中的远程证明数据中的公钥哈希值一致,且通过本体公钥对当前级数字证书进行验签通过。当前级数字证书设备在生成当前级数字证书时,通过将基于机密计算环境生成的非对称密钥中的公钥的哈希值放在远程证明数据中,可以在经过远程证明当前级数字证书设备的本地机密计算环境的真实性时完成对公钥哈希值的合法性验证,而在当前级数字证书设备对本地的机密计算证书进行验签时,在经过远程证明本地机密计算环境具有真实性后,比较计算得到的机密计算证书中的本体公钥的哈希值和机密计算证书中的远程证明数据中的公钥哈希值一致,且通过本体公钥对当前级数字证书进行验签通过后,确定当前级数字证书合法且当前级数字证书设备具有颁发数字证书的权限。Similarly, the current-level digital certificate device uses the public key in the asymmetric key generated in the local confidential computing environment to perform self-signature verification on the current-level digital certificate, which may include: the current-level digital certificate device compares the calculated hash value of the entity public key in the confidential computing certificate and the public key hash value in the remote attestation data in the confidential computing certificate to be consistent, and verifies the current-level digital certificate through the entity public key. When the current-level digital certificate device generates the current-level digital certificate, by placing the hash value of the public key in the asymmetric key generated based on the confidential computing environment in the remote attestation data, the legitimacy of the public key hash value can be verified when the authenticity of the local confidential computing environment of the current-level digital certificate device is remotely proven, and when the current-level digital certificate device verifies the local confidential computing certificate, after the local confidential computing environment is remotely proven to be authentic, the calculated hash value of the entity public key in the confidential computing certificate and the public key hash value in the remote attestation data in the confidential computing certificate are compared to be consistent, and after the current-level digital certificate is verified through the entity public key, it is determined that the current-level digital certificate is legal and the current-level digital certificate device has the authority to issue digital certificates.

则对于机密计算证书中自签名的验签,在通过远程证明数据证明本地机密计算环境存在,且机密计算证书中携带的本体公钥与远程证明数据中的公钥哈希值一致,则可以确定机密计算证书是在本地机密计算环境中生成的,继而可以利用该本体公钥对机密计算证书中的自签名进行验签。For the verification of the self-signature in the confidential computing certificate, if the existence of the local confidential computing environment is proved by remote attestation data, and the entity public key carried in the confidential computing certificate is consistent with the public key hash value in the remote attestation data, it can be determined that the confidential computing certificate was generated in the local confidential computing environment, and then the entity public key can be used to verify the self-signature in the confidential computing certificate.

对于上一级的机密计算设备提供的在机密计算环境中生成的非对称密钥进行签名和验签时同理,当前级数字证书设备触发上一级数字证书设备进行本地机密计算环境的真实性验证后,上一级数字证书设备进行如上述的步骤完成并通过本地机密计算环境的真实性验证以及本体公钥的一致性验证,可以进行当前级数字证书中由上一级的机密计算设备进行的签名或验签,从而进一步提高数字证书的安全性。The same applies to signing and verifying the asymmetric key generated in the confidential computing environment provided by the previous-level confidential computing device. After the current-level digital certificate device triggers the previous-level digital certificate device to verify the authenticity of the local confidential computing environment, the previous-level digital certificate device completes the above steps and passes the authenticity verification of the local confidential computing environment and the consistency verification of the entity public key. It can then sign or verify the current-level digital certificate performed by the previous-level confidential computing device, thereby further improving the security of the digital certificate.

本申请实施例提供的数字证书管理方法,通过数字证书设备中的机密计算设备先对当前级的机密计算证书进行自签名后,再由上一级数字证书设备进行签名,得到了一种更具安全性的数字证书签名方案。The digital certificate management method provided in the embodiment of the present application obtains a more secure digital certificate signature scheme by having the confidential computing device in the digital certificate device first self-sign the current level confidential computing certificate, and then having the previous level digital certificate device sign it.

下面对本申请实施例五进行说明。The fifth embodiment of the present application is described below.

在上述实施例的基础上,本申请实施例进一步对机密计算设备的本地机密计算环境进行真实性验证的方法进行说明。Based on the above embodiments, the embodiments of the present application further illustrate a method for verifying the authenticity of a local confidential computing environment of a confidential computing device.

在本申请实施例提供的数字证书管理方法中,对本地机密计算环境进行真实性验证,可以包括:将所在设备的本地数字证书信息中的远程证明数据发送至设备厂商以进行本地机密计算环境的真实性验证。 In the digital certificate management method provided in the embodiment of the present application, authenticity verification of the local confidential computing environment may include: sending remote certification data in the local digital certificate information of the device to the device manufacturer to verify the authenticity of the local confidential computing environment.

其中,远程证明数据包括所在设备的可信度量信息,例如所在设备的硬件可信度量信息。设备厂商利用远程证明数据中的可信度量信息,确定为具有机密计算环境的设备,向该设备反馈本地机密计算环境具有真实性的信息。The remote attestation data includes the trust measurement information of the device, such as the hardware trust measurement information of the device. The device manufacturer uses the trust measurement information in the remote attestation data to determine that the device has a confidential computing environment and feedbacks the authenticity of the local confidential computing environment to the device.

为进一步提高真实性验证的可靠性,远程证明数据可以包括远程证明数据明文和利用所在设备的本地机密计算环境的硬件远程证明私钥对远程证明数据明文进行签名得到的远程证明数据签名;其中,远程证明数据明文包括利用所在设备的本地机密计算环境中生成的非对称密钥中的公钥的哈希值和所在设备的可信度量信息。设备厂商利用该设备的本地机密计算环境的远程证明公钥对远程证明数据进行验签通过后,即可确定该设备通过真实性验证,并向该设备反馈本地机密计算环境具有真实性的信息。To further improve the reliability of authenticity verification, the remote attestation data may include the remote attestation data plaintext and the remote attestation data signature obtained by signing the remote attestation data plaintext using the hardware remote attestation private key of the local confidential computing environment of the device; wherein the remote attestation data plaintext includes the hash value of the public key in the asymmetric key generated in the local confidential computing environment of the device and the trust measurement information of the device. After the device manufacturer verifies the remote attestation data using the remote attestation public key of the local confidential computing environment of the device, it can be determined that the device has passed the authenticity verification, and feedback to the device that the local confidential computing environment is authentic.

下面对本申请实施例六进行说明。The sixth embodiment of the present application is described below.

在上述实施例中介绍了,证书链的一级数字证书可以包括一个数字证书,也可以包括多个数字证书。而包括多个数字证书的情况可以进一步提高证书链的安全性。拥有多个数字证书的数字证书设备可以对下一级数字证书设备签发证书时添加多个签名,即签名与签发证书的数字证书设备一一对应。若当前级数字证书中具有多个上一级数字证书设备的签名,在验签时可以设置为必须通过对所有签名的验签才确认当前级数字证书合法,或者可以设置为通过部分签名的验签即确认当前级数字证书合法。In the above embodiment, it is introduced that the first-level digital certificate of the certificate chain may include one digital certificate or multiple digital certificates. The situation of including multiple digital certificates can further improve the security of the certificate chain. A digital certificate device with multiple digital certificates can add multiple signatures when issuing a certificate for a digital certificate device at the next level, that is, the signature corresponds to the digital certificate device that issued the certificate one by one. If the current-level digital certificate has multiple signatures of the previous-level digital certificate device, when verifying the signature, it can be set that the current-level digital certificate must be confirmed to be legal only by verifying all signatures, or it can be set to confirm the legality of the current-level digital certificate by verifying some signatures.

则在本申请实施例提供的数字证书管理方法中,S202中数字证书设备生成目标业务的证书链,可以包括:In the digital certificate management method provided in the embodiment of the present application, the digital certificate device generates a certificate chain for the target service in S202, which may include:

若当前级数字证书具有一个上一级数字证书设备的签名,则拥有当前级数字证书的当前级数字证书设备对上一级数字证书设备的签名验签通过后,确定当前级数字证书合法;If the current-level digital certificate has a signature of a previous-level digital certificate device, the current-level digital certificate device that has the current-level digital certificate will verify the signature of the previous-level digital certificate device and determine that the current-level digital certificate is legal;

若当前级数字证书具有多个上一级数字证书设备的签名,则当前级数字证书设备对多个签名中的第一预设数量签名验签通过后,确定当前级数字证书合法;If the current-level digital certificate has multiple signatures of the previous-level digital certificate device, the current-level digital certificate device determines that the current-level digital certificate is legal after verifying the signatures of the first preset number of the multiple signatures;

其中,第一预设数量小于当前级数字证书中上一级数字证书设备的签名的数量。The first preset number is smaller than the number of signatures of the previous level digital certificate device in the current level digital certificate.

在具体实施中,本申请实施例对于当前级数字证书具有多个上一级数字证书设备的签名的情况,采用门限验签的方式,即可以仅对其中的部分上一级数字证书设备的签名进行验签通过后即确定当前级数字证书合法。In specific implementations, the embodiment of the present application adopts a threshold signature verification method for the situation where the current-level digital certificate has signatures of multiple previous-level digital certificate devices. That is, the current-level digital certificate can be determined to be legal after only some of the signatures of the previous-level digital certificate devices are verified.

考虑到本申请上述实施例提供的一级数字证书包括公钥基础设施证书和机密计算证书的情况,若上一级数字证书设备既拥有公钥基础设施证书又拥有机密计算证书,则上一级数字证书设备可以对当前级数字证书进行公钥基础设施签名和机密计算签名,此时可以区分类型设置门限。则若当前级数字证书具有多个上一级数字证书设备的签名,则当前级数字证书设备对多个签名中的第一预设数量签名验签通过后,确定当前级数字证书合法,包括:Considering the situation that the first-level digital certificate provided by the above embodiment of the present application includes a public key infrastructure certificate and a confidential computing certificate, if the previous-level digital certificate device has both a public key infrastructure certificate and a confidential computing certificate, the previous-level digital certificate device can perform a public key infrastructure signature and a confidential computing signature on the current-level digital certificate, and at this time, the type can be distinguished and set a threshold. If the current-level digital certificate has signatures of multiple previous-level digital certificate devices, the current-level digital certificate device determines that the current-level digital certificate is legal after the first preset number of signatures in the multiple signatures are verified, including:

若当前级数字证书具有的多个上一级数字证书设备的签名中既包括公钥基础设施签名又包括机密计算签名,则当前级数字证书设备对多个签名中的第二预设数量公钥基础设施签名验签通过且对多个签名中的第三预设数量机密计算签名验签通过后,确定当前级数字证书合法;If the signatures of multiple upper-level digital certificate devices possessed by the current-level digital certificate include both public key infrastructure signatures and confidential computing signatures, the current-level digital certificate is determined to be legal after the current-level digital certificate device passes the signature verification of a second preset number of public key infrastructure signatures among the multiple signatures and passes the signature verification of a third preset number of confidential computing signatures among the multiple signatures;

其中,第二预设数量小于当前级数字证书中上一级数字证书设备的的公钥基础设施签名的数量,第三预设数量小于当前级数字证书中上一级数字证书设备的机密计算签名的数量。 Among them, the second preset number is less than the number of public key infrastructure signatures of the previous level digital certificate device in the current level digital certificate, and the third preset number is less than the number of confidential computing signatures of the previous level digital certificate device in the current level digital certificate.

需要说明的是,若上一级数字证书设备具有多个上一级数字证书,即可以生成对应的多对非对称密钥用于当前级数字证书的签名和验签,但可以不用采用全部的私钥用于当前级数字证书的签名。It should be noted that if the previous-level digital certificate device has multiple previous-level digital certificates, multiple pairs of corresponding asymmetric keys can be generated for signing and verifying the current-level digital certificate, but not all private keys need to be used for signing the current-level digital certificate.

下面对本申请实施例七进行说明。The seventh embodiment of the present application is described below.

图4为本申请实施例提供的第一种证书链场景示意图;图5为本申请实施例提供的第二种证书链场景示意图;图6为本申请实施例提供的第三种证书链场景示意图;图7为本申请实施例提供的第四种证书链场景示意图;图8为本申请实施例提供的第五种证书链场景示意图;图9为本申请实施例提供的第六种证书链场景示意图。Figure 4 is a schematic diagram of the first certificate chain scenario provided in an embodiment of the present application; Figure 5 is a schematic diagram of the second certificate chain scenario provided in an embodiment of the present application; Figure 6 is a schematic diagram of the third certificate chain scenario provided in an embodiment of the present application; Figure 7 is a schematic diagram of the fourth certificate chain scenario provided in an embodiment of the present application; Figure 8 is a schematic diagram of the fifth certificate chain scenario provided in an embodiment of the present application; Figure 9 is a schematic diagram of the sixth certificate chain scenario provided in an embodiment of the present application.

在上述实施例的基础上,本申请实施例以证书链中的相邻两级数字证书进行场景说明,具体可以包括六种场景。Based on the above embodiments, the embodiments of the present application use two adjacent levels of digital certificates in a certificate chain to illustrate the scenarios, which may specifically include six scenarios.

如图4所示,在第一种场景下,对应上一级数字证书设备401和当前级数字证书设备402,上一级数字证书和当前级数字证书可以均为公钥基础设施证书。若上一级数字证书为证书链的第一级数字证书,则上一级数字证书为自签名的公钥基础设施证书,当前级数字证书由上一级数字证书设备401提供的私钥进行签名,由上一级数字证书设备401提供的公钥进行验签。若上一级数字证书不是证书链的第一级数字证书,则再根据证书类型由再上一级数字证书设备进行签发。若当前级数字证书不是业务证书,可以派生出下一级数字证书,延长证书链。下一级数字证书可以为公钥基础设施证书,也可以为机密计算证书。As shown in Figure 4, in the first scenario, corresponding to the previous-level digital certificate device 401 and the current-level digital certificate device 402, the previous-level digital certificate and the current-level digital certificate can both be public key infrastructure certificates. If the previous-level digital certificate is the first-level digital certificate of the certificate chain, the previous-level digital certificate is a self-signed public key infrastructure certificate, and the current-level digital certificate is signed by the private key provided by the previous-level digital certificate device 401, and verified by the public key provided by the previous-level digital certificate device 401. If the previous-level digital certificate is not the first-level digital certificate of the certificate chain, it will be issued by the next-level digital certificate device according to the certificate type. If the current-level digital certificate is not a business certificate, a next-level digital certificate can be derived to extend the certificate chain. The next-level digital certificate can be a public key infrastructure certificate or a confidential computing certificate.

如图5所示,在第二种场景下,对应上一级数字证书设备401和当前级数字证书设备402,上一级数字证书为公钥基础设施证书,当前级数字证书为机密计算证书。若上一级数字证书为证书链的第一级数字证书,则上一级数字证书为自签名的公钥基础设施证书,当前级的机密计算证书在本地的机密计算环境中生成,由本地机密计算环境生成的非对称密钥中的私钥进行自签名,再由上一级数字证书设备401通过本地生成的私钥进行签名,保证当前级数字证书的可信性,提高当前级数字证书的使用效率。若上一级数字证书不是证书链的第一级数字证书,则再根据证书类型由再上一级数字证书设备进行签发。若当前级数字证书不是业务证书,可以派生出下一级数字证书,延长证书链。下一级数字证书可以为公钥基础设施证书,也可以为机密计算证书。As shown in FIG5 , in the second scenario, corresponding to the previous-level digital certificate device 401 and the current-level digital certificate device 402, the previous-level digital certificate is a public key infrastructure certificate, and the current-level digital certificate is a confidential computing certificate. If the previous-level digital certificate is the first-level digital certificate of the certificate chain, the previous-level digital certificate is a self-signed public key infrastructure certificate, and the current-level confidential computing certificate is generated in a local confidential computing environment, and is self-signed by the private key in the asymmetric key generated by the local confidential computing environment, and then signed by the previous-level digital certificate device 401 using the private key generated locally, to ensure the credibility of the current-level digital certificate and improve the efficiency of using the current-level digital certificate. If the previous-level digital certificate is not the first-level digital certificate of the certificate chain, it will be issued by the next-level digital certificate device according to the certificate type. If the current-level digital certificate is not a business certificate, the next-level digital certificate can be derived to extend the certificate chain. The next-level digital certificate can be a public key infrastructure certificate or a confidential computing certificate.

如图6所示,在第三种场景下,对应上一级数字证书设备401和当前级数字证书设备402,上一级数字证书和当前级数字证书均为机密计算证书。若上一级数字证书为证书链的第一级数字证书,则上一级数字证书为自签名的机密计算证书,具体由上一级数字证书设备401的机密计算环境生成。当前级的机密计算证书在本地的机密计算环境中生成,由本地机密计算环境生成的非对称密钥中的私钥进行自签名,再由上一级数字证书设备401通过本地生成的私钥进行签名。若上一级数字证书不是证书链的第一级数字证书,则再根据证书类型由再上一级数字证书设备进行签发。若当前级数字证书不是业务证书,可以派生出下一级数字证书,延长证书链。下一级数字证书可以为公钥基础设施证书,也可以为机密计算证书。As shown in FIG6 , in the third scenario, corresponding to the previous-level digital certificate device 401 and the current-level digital certificate device 402, the previous-level digital certificate and the current-level digital certificate are both confidential computing certificates. If the previous-level digital certificate is the first-level digital certificate of the certificate chain, the previous-level digital certificate is a self-signed confidential computing certificate, which is specifically generated by the confidential computing environment of the previous-level digital certificate device 401. The current-level confidential computing certificate is generated in a local confidential computing environment, self-signed by the private key in the asymmetric key generated by the local confidential computing environment, and then signed by the previous-level digital certificate device 401 using the private key generated locally. If the previous-level digital certificate is not the first-level digital certificate of the certificate chain, it is then issued by the next-level digital certificate device according to the certificate type. If the current-level digital certificate is not a business certificate, a next-level digital certificate can be derived to extend the certificate chain. The next-level digital certificate can be a public key infrastructure certificate or a confidential computing certificate.

如图7所示,在第四种场景下,对应上一级数字证书设备401和当前级数字证书设备402,上一级数字证书为机密计算证书,当前级数字证书为公钥基础设施证书。若上一级数字证书为证书链的第一级数字证书,则上一级数字证书为自签名的机密计算证书,具体由上一级数字证书设备401的机密计算环境生成。当前级的机密计算证书在本地的机密计算环境中生成,由本地机密计算环境生成的非对称密钥中的私钥进行自签名,再由上一级数字证书 设备401通过本地生成的私钥进行签名。若上一级数字证书不是证书链的第一级数字证书,则再根据证书类型由再上一级数字证书设备进行签发。当当前级数字证书不是业务证书时,可以派生出下一级数字证书,延长证书链。下一级数字证书可以为公钥基础设施证书,也可以为机密计算证书。As shown in FIG7 , in the fourth scenario, corresponding to the previous-level digital certificate device 401 and the current-level digital certificate device 402, the previous-level digital certificate is a confidential computing certificate, and the current-level digital certificate is a public key infrastructure certificate. If the previous-level digital certificate is the first-level digital certificate in the certificate chain, the previous-level digital certificate is a self-signed confidential computing certificate, which is specifically generated by the confidential computing environment of the previous-level digital certificate device 401. The current-level confidential computing certificate is generated in the local confidential computing environment, self-signed by the private key in the asymmetric key generated by the local confidential computing environment, and then signed by the previous-level digital certificate. Device 401 signs with a locally generated private key. If the previous digital certificate is not the first digital certificate of the certificate chain, it will be issued by the next digital certificate device according to the certificate type. When the current digital certificate is not a business certificate, the next digital certificate can be derived to extend the certificate chain. The next digital certificate can be a public key infrastructure certificate or a confidential computing certificate.

如图8所示,在第五种场景下,对应上一级数字证书设备401和当前级数字证书设备402,上一级数字证书为混合证书,即上一级数字证书设备401既拥有公钥基础设施证书又拥有机密计算证书,当前级数字证书为机密计算证书。若上一级数字证书为证书链的第一级数字证书,则上一级数字证书包括自签名的公钥基础设施证书和自签名的机密计算证书。当前级的机密计算证书在本地的机密计算环境中生成,由本地机密计算环境生成的非对称密钥中的私钥进行自签名,再由上一级数字证书设备401通过本地生成的私钥进行签名。若上一级数字证书不是证书链的第一级数字证书,则再根据证书类型由再上一级数字证书设备进行签发。当当前级数字证书不是业务证书时,可以派生出下一级数字证书,延长证书链。下一级数字证书可以为公钥基础设施证书,也可以为机密计算证书。As shown in FIG8 , in the fifth scenario, corresponding to the previous digital certificate device 401 and the current digital certificate device 402, the previous digital certificate is a hybrid certificate, that is, the previous digital certificate device 401 has both a public key infrastructure certificate and a confidential computing certificate, and the current digital certificate is a confidential computing certificate. If the previous digital certificate is the first-level digital certificate of the certificate chain, the previous digital certificate includes a self-signed public key infrastructure certificate and a self-signed confidential computing certificate. The current confidential computing certificate is generated in a local confidential computing environment, self-signed by the private key in the asymmetric key generated by the local confidential computing environment, and then signed by the previous digital certificate device 401 using the private key generated locally. If the previous digital certificate is not the first-level digital certificate of the certificate chain, it is issued by the next-level digital certificate device according to the certificate type. When the current digital certificate is not a business certificate, the next digital certificate can be derived to extend the certificate chain. The next digital certificate can be a public key infrastructure certificate or a confidential computing certificate.

如图9所示,在第六种场景下,对应上一级数字证书设备401和当前级数字证书设备402,上一级数字证书为混合证书,即上一级数字证书设备401既拥有公钥基础设施证书又拥有机密计算证书,当前级数字证书为公钥基础设施证书。若上一级数字证书为证书链的第一级数字证书,则上一级数字证书包括自签名的公钥基础设施证书和自签名的机密计算证书。当前级数字证书由上一级数字证书设备401提供的私钥进行签名,由第一级数字证书设备提供的公钥进行验签。若上一级数字证书不是证书链的第一级数字证书,则再根据证书类型由再上一级数字证书设备进行签发。若当前级数字证书不是业务证书,可以派生出下一级数字证书,延长证书链。下一级数字证书可以为公钥基础设施证书,也可以为机密计算证书。As shown in FIG9 , in the sixth scenario, corresponding to the previous-level digital certificate device 401 and the current-level digital certificate device 402, the previous-level digital certificate is a hybrid certificate, that is, the previous-level digital certificate device 401 has both a public key infrastructure certificate and a confidential computing certificate, and the current-level digital certificate is a public key infrastructure certificate. If the previous-level digital certificate is the first-level digital certificate of the certificate chain, the previous-level digital certificate includes a self-signed public key infrastructure certificate and a self-signed confidential computing certificate. The current-level digital certificate is signed by the private key provided by the previous-level digital certificate device 401 and verified by the public key provided by the first-level digital certificate device. If the previous-level digital certificate is not the first-level digital certificate of the certificate chain, it is issued by the next-level digital certificate device according to the certificate type. If the current-level digital certificate is not a business certificate, a next-level digital certificate can be derived to extend the certificate chain. The next-level digital certificate can be a public key infrastructure certificate or a confidential computing certificate.

下面对本申请实施例八进行说明。The eighth embodiment of the present application is described below.

在上述实施例的基础上,本申请实施例对一种数字证书管理方法的应用场景进行说明。Based on the above embodiments, the embodiments of the present application illustrate an application scenario of a digital certificate management method.

在本申请实施例提供的数字证书管理方法中,业务服务器包括用于进行超文本传输安全协议连接的服务器。In the digital certificate management method provided in the embodiment of the present application, the business server includes a server for performing a Hypertext Transfer Protocol Security connection.

则本申请实施例提供的数字证书管理方法还可以包括:接收到客户端发送的对服务器的访问请求后,对服务器的超文本传输安全(Hypertext Transfer Protocol Secure,HTTPS)协议连接业务对应的证书链进行验签通过后,将超文本传输安全协议连接业务对应的证书链的最后一级数字证书发送至客户端以使客户端对最后一级数字证书进行验签,以使客户端在对最后一级数字证书验签通过后,确定超文本传输安全协议连接业务合法并与服务器建立超文本传输安全协议安全信道。The digital certificate management method provided in the embodiment of the present application may also include: after receiving an access request to a server sent by a client, after verifying the certificate chain corresponding to the server's Hypertext Transfer Protocol Secure (HTTPS) protocol connection service, the last-level digital certificate of the certificate chain corresponding to the HTTPS protocol connection service is sent to the client so that the client can verify the last-level digital certificate, so that after verifying the last-level digital certificate, the client can determine that the HTTPS protocol connection service is legal and establish a HTTPS protocol secure channel with the server.

需要说明的是,每当客户端重新打开业务服务器的网站,均需要重新执行一次对证书链的验签过程。It should be noted that every time the client reopens the website of the business server, it needs to re-execute the signature verification process of the certificate chain.

下面对本申请实施例九进行说明。The ninth embodiment of the present application is described below.

在上述实施例的基础上,本申请实施例对再一种数字证书管理方法的应用场景进行说明。Based on the above embodiments, the embodiment of the present application describes an application scenario of another digital certificate management method.

本申请实施例提供的数字证书管理方法还可以应用于文件发送设备。The digital certificate management method provided in the embodiment of the present application can also be applied to a file sending device.

则本申请实施例提供的数字证书管理方法还可以包括:在接收到文件接收设备对待发送的目标文件的合法性验证后,将证书链的各级数字证书提供给文件接收设备,以使文件接收设备对证书链的各级数字证书均进行合法性验证通过后接收目标文件。 The digital certificate management method provided in the embodiment of the present application may also include: after receiving the legitimacy verification of the target file to be sent by the file receiving device, providing the digital certificates at all levels of the certificate chain to the file receiving device, so that the file receiving device receives the target file after performing legitimacy verification on the digital certificates at all levels of the certificate chain.

文件接收设备每接收一次文件发送设备发送的文件时,均需要对该文件对应的证书链进行验签,通过后确认该文件合法。Each time a file receiving device receives a file sent by a file sending device, it needs to verify the signature of the certificate chain corresponding to the file, and confirm that the file is legal after passing the verification.

下面对本申请实施例十进行说明。The tenth embodiment of the present application is described below.

在上述实施例的基础上,本申请实施例还提供一种数字证书管理方法,包括:Based on the above embodiments, the present application also provides a digital certificate management method, including:

业务设备根据目标业务的需求,生成数字证书颁发请求,并将数字证书颁发请求发送至数字证书设备;The business device generates a digital certificate issuance request according to the needs of the target business, and sends the digital certificate issuance request to the digital certificate device;

数字证书设备根据数字证书颁发请求生成目标业务的证书链;The digital certificate device generates a certificate chain for the target business according to the digital certificate issuance request;

业务设备对证书链进行合法性验证通过后,利用证书链部署目标业务;After the business equipment verifies the legitimacy of the certificate chain and passes it, it uses the certificate chain to deploy the target business;

其中,证书链至少包括一个由证书颁发机构颁发的公钥基础设施证书和一个基于机密计算环境生成的机密计算证书。The certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment.

本申请实施例与上部分方法实施例相互对应,因此本申请实施例的具体实施方式请参见上部分方法部分的实施例的描述,这里暂不赘述。The embodiments of the present application correspond to the embodiments of the methods in the above part, so the specific implementation methods of the embodiments of the present application can be found in the description of the embodiments of the methods in the above part, which will not be repeated here.

上文详述了数字证书管理方法对应的各个实施例,在此基础上,本申请还公开了与上述方法对应的数字证书管理装置、设备及非易失性可读存储介质。The above describes in detail various embodiments corresponding to the digital certificate management method. On this basis, the present application also discloses a digital certificate management apparatus, device and non-volatile readable storage medium corresponding to the above method.

下面对本申请实施例十一进行说明。The eleventh embodiment of the present application is described below.

图10为本申请实施例提供的一种数字证书管理装置的结构示意图。FIG10 is a schematic diagram of the structure of a digital certificate management device provided in an embodiment of the present application.

如图10所示,本申请实施例提供的数字证书管理装置包括:As shown in FIG10 , the digital certificate management device provided in the embodiment of the present application includes:

请求单元1001,用于根据目标业务的需求,生成数字证书颁发请求;The request unit 1001 is used to generate a digital certificate issuance request according to the requirements of the target business;

发送单元1002,用于将数字证书颁发请求发送至数字证书设备,以使数字证书设备生成目标业务的证书链;The sending unit 1002 is used to send the digital certificate issuance request to the digital certificate device so that the digital certificate device generates a certificate chain for the target service;

部署单元1003,用于对证书链进行合法性验证通过后,利用证书链部署目标业务;The deployment unit 1003 is used to deploy the target service using the certificate chain after the certificate chain passes the validity verification;

其中,证书链至少包括一个由证书颁发机构颁发的公钥基础设施证书和一个基于机密计算环境生成的机密计算证书。The certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment.

在一些实施中,本申请实施例提供的数字证书管理装置还可以包括:In some implementations, the digital certificate management device provided in the embodiments of the present application may also include:

第一验证单元,用于在接收到请求方设备对目标业务的应用请求后,对证书链进行合法性验证以使请求方设备在确定证书链合法后确定目标业务合法。The first verification unit is used to verify the legitimacy of the certificate chain after receiving an application request for a target service from a requesting device, so that the requesting device can determine that the target service is legitimate after determining that the certificate chain is legitimate.

在一些实施中,本申请实施例提供的数字证书管理装置应用于业务服务器,具体为用于进行超文本传输安全协议连接的服务器;则本申请实施例提供的数字证书管理装置还可以包括:In some implementations, the digital certificate management device provided in the embodiment of the present application is applied to a business server, specifically a server for performing a Hypertext Transfer Protocol Security connection; then the digital certificate management device provided in the embodiment of the present application may also include:

第二验证单元,用于在接收到客户端发送的对服务器的访问请求后,对服务器的超文本传输安全协议连接业务对应的证书链进行验签通过后,将超文本传输安全协议连接业务对应的证书链的最后一级数字证书发送至客户端以使客户端对最后一级数字证书进行验签,以使客户端在对最后一级数字证书验签通过后,确定超文本传输安全协议连接业务合法并与服务器建立超文本传输安全协议安全信道。The second verification unit is used to, after receiving an access request to the server sent by the client, verify the certificate chain corresponding to the server's Hypertext Transfer Protocol Security connection service, and then send the last-level digital certificate of the certificate chain corresponding to the Hypertext Transfer Protocol Security connection service to the client so that the client can verify the last-level digital certificate, so that after the client verifies the last-level digital certificate, it can determine that the Hypertext Transfer Protocol Security connection service is legal and establish a Hypertext Transfer Protocol Security channel with the server.

在一些实施中,本申请实施例提供的数字证书管理装置,应用于文件发送设备;则本申请实施例提供的数字证书管理装置还可以包括:In some implementations, the digital certificate management device provided in the embodiment of the present application is applied to a file sending device; then the digital certificate management device provided in the embodiment of the present application may also include:

第三验证单元,用于在接收到文件接收设备对待发送的目标文件的合法性验证后,将证书链的各级数字证书提供给文件接收设备,以使文件接收设备对证书链的各级数字证书均进行合法性验证通过后接收目标文件。 The third verification unit is used to provide the digital certificates of each level of the certificate chain to the file receiving device after receiving the legitimacy verification of the target file to be sent by the file receiving device, so that the file receiving device receives the target file after passing the legitimacy verification of the digital certificates of each level of the certificate chain.

由于装置部分的实施例与方法部分的实施例相互对应,因此装置部分的实施例请参见方法部分的实施例的描述,这里暂不赘述。Since the embodiments of the apparatus part correspond to the embodiments of the method part, please refer to the description of the embodiments of the method part for the embodiments of the apparatus part, which will not be repeated here.

下面对本申请实施例十二进行说明。The twelfth embodiment of the present application is described below.

图11为本申请实施例提供的一种数字证书管理设备的结构示意图。FIG11 is a schematic diagram of the structure of a digital certificate management device provided in an embodiment of the present application.

如图11所示,本申请实施例提供的数字证书管理设备包括:As shown in FIG11 , the digital certificate management device provided in the embodiment of the present application includes:

存储器1110,用于存储计算机程序1111;A memory 1110, used for storing a computer program 1111;

处理器1120,用于执行计算机程序1111,该计算机程序1111被处理器1120执行时实现如上述任意一项实施例数字证书管理方法的步骤。The processor 1120 is used to execute the computer program 1111. When the computer program 1111 is executed by the processor 1120, the steps of the digital certificate management method in any of the above embodiments are implemented.

其中,处理器1120可以包括一个或多个处理核心,比如3核心处理器、8核心处理器等。处理器1120可以采用数字信号处理DSP(Digital Signal Processing)、现场可编程门阵列FPGA(Field-Programmable Gate Array)、可编程逻辑阵列PLA(Programmable Logic Array)中的至少一种硬件形式来实现。处理器1120也可以包括主处理器和协处理器,主处理器是用于对在唤醒状态下的数据进行处理的处理器,也称中央处理器CPU(Central Processing Unit);协处理器是用于对在待机状态下的数据进行处理的低功耗处理器。在一些实施例中,处理器1120可以集成有图像处理器GPU(Graphics Processing Unit),GPU用于负责显示屏所需要显示的内容的渲染和绘制。一些实施例中,处理器1120还可以包括人工智能AI(Artificial Intelligence)处理器,该AI处理器用于处理有关机器学习的计算操作。Among them, the processor 1120 may include one or more processing cores, such as a 3-core processor, an 8-core processor, etc. The processor 1120 may be implemented in at least one hardware form of a digital signal processing DSP (Digital Signal Processing), a field-programmable gate array FPGA (Field-Programmable Gate Array), and a programmable logic array PLA (Programmable Logic Array). The processor 1120 may also include a main processor and a coprocessor. The main processor is a processor for processing data in the awake state, also known as a central processing unit CPU (Central Processing Unit); the coprocessor is a low-power processor for processing data in the standby state. In some embodiments, the processor 1120 may be integrated with a graphics processor GPU (Graphics Processing Unit), which is responsible for rendering and drawing the content to be displayed on the display screen. In some embodiments, the processor 1120 may also include an artificial intelligence AI (Artificial Intelligence) processor, which is used to process computing operations related to machine learning.

存储器1110可以包括一个或多个非易失性可读存储介质,该非易失性可读存储介质可以是非暂态的。存储器1110还可包括高速随机存取存储器,以及非易失性存储器,比如一个或多个磁盘存储设备、闪存存储设备。本实施例中,存储器1110至少用于存储以下计算机程序1111,其中,该计算机程序1111被处理器1120加载并执行之后,能够实现前述任一实施例公开的数字证书管理方法中的相关步骤。另外,存储器1110所存储的资源还可以包括操作系统1112和数据1113等,存储方式可以是短暂存储或者永久存储。其中,操作系统1112可以为Windows。数据1113可以包括但不限于上述方法所涉及到的数据。The memory 1110 may include one or more non-volatile readable storage media, which may be non-transitory. The memory 1110 may also include a high-speed random access memory, and a non-volatile memory, such as one or more disk storage devices, flash memory storage devices. In this embodiment, the memory 1110 is at least used to store the following computer program 1111, wherein the computer program 1111, after being loaded and executed by the processor 1120, can implement the relevant steps in the digital certificate management method disclosed in any of the aforementioned embodiments. In addition, the resources stored in the memory 1110 may also include an operating system 1112 and data 1113, etc., and the storage method may be temporary storage or permanent storage. Among them, the operating system 1112 may be Windows. Data 1113 may include, but is not limited to, the data involved in the above method.

在一些实施例中,数字证书管理设备还可包括有显示屏1130、电源1140、通信接口1150、输入输出接口1160、传感器1170以及通信总线1180。In some embodiments, the digital certificate management device may further include a display screen 1130 , a power supply 1140 , a communication interface 1150 , an input/output interface 1160 , a sensor 1170 , and a communication bus 1180 .

本领域技术人员可以理解,图11中示出的结构并不构成对数字证书管理设备的限定,可以包括比图示更多或更少的组件。Those skilled in the art will appreciate that the structure shown in FIG. 11 does not constitute a limitation on the digital certificate management device, and may include more or fewer components than those shown in the figure.

本申请实施例提供的数字证书管理设备,包括存储器和处理器,处理器在执行存储器存储的程序时,能够实现如上的数字证书管理方法,效果同上。The digital certificate management device provided in the embodiment of the present application includes a memory and a processor. When the processor executes the program stored in the memory, it can implement the above digital certificate management method, and the effect is the same as above.

下面对本申请实施例十三进行说明。The thirteenth embodiment of the present application is described below.

需要说明的是,以上所描述的装置、设备实施例仅仅是示意性的,例如,模块的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个模块或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或模块的间接耦合或通信连接,可以是电性,机械或其它的形式。作为分离部件说明的模块可以是或者也可以不是物理上分开的,作为模块显示的部件可以是或者也可以不是物理模块,即可以位于一个地方, 或者也可以分布到多个网络模块上。可以根据实际的需要选择其中的部分或者全部模块来实现本实施例方案的目的。It should be noted that the above-described embodiments of the apparatus and equipment are merely schematic. For example, the division of modules is merely a logical function division. There may be other division methods in actual implementation. For example, multiple modules or components may be combined or integrated into another system, or some features may be ignored or not executed. Another point is that the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces, indirect coupling or communication connection of the apparatus or modules, which may be electrical, mechanical or other forms. The modules described as separate components may or may not be physically separated, and the components shown as modules may or may not be physical modules, that is, they may be located in one place. Or it can be distributed to multiple network modules. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment.

另外,在本申请各个实施例中的各功能模块可以集成在一个处理模块中,也可以是各个模块单独物理存在,也可以两个或两个以上模块集成在一个模块中。上述集成的模块既可以采用硬件的形式实现,也可以采用软件功能模块的形式实现。In addition, each functional module in each embodiment of the present application can be integrated into a processing module, or each module can exist physically separately, or two or more modules can be integrated into one module. The above integrated modules can be implemented in the form of hardware or software functional modules.

集成的模块如果以软件功能模块的形式实现并作为独立的产品销售或使用时,可以存储在一个非易失性可读存储介质中。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的全部或部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,执行本申请各个实施例方法的全部或部分步骤。If the integrated module is implemented in the form of a software function module and sold or used as an independent product, it can be stored in a non-volatile readable storage medium. Based on this understanding, the technical solution of the present application, or the part that contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium to execute all or part of the steps of the various embodiments of the present application.

为此,本申请实施例还提供一种非易失性可读存储介质,该非易失性可读存储介质上存储有计算机程序,计算机程序被处理器执行时实现如数字证书管理方法的步骤。To this end, an embodiment of the present application further provides a non-volatile readable storage medium, on which a computer program is stored. When the computer program is executed by a processor, the steps of the digital certificate management method are implemented.

该非易失性可读存储介质可以包括:U盘、移动硬盘、只读存储器ROM(Read-Only Memory)、随机存取存储器RAM(Random Access Memory)、磁碟或者光盘等各种可以存储程序代码的介质。The non-volatile readable storage medium may include: a U disk, a mobile hard disk, a read-only memory ROM (Read-Only Memory), a random access memory RAM (Random Access Memory), a magnetic disk or an optical disk, and other media that can store program codes.

本实施例中提供的非易失性可读存储介质所包含的计算机程序能够在被处理器执行时实现如上的数字证书管理方法的步骤,效果同上。The computer program contained in the non-volatile readable storage medium provided in this embodiment can implement the steps of the above digital certificate management method when executed by the processor, and the effect is the same as above.

以上对本申请所提供的一种数字证书管理方法、装置、设备、系统及非易失性可读存储介质进行了详细介绍。说明书中各个实施例采用递进的方式描述,每个实施例重点说明的都是与其他实施例的不同之处,各个实施例之间相同相似部分互相参见即可。对于实施例公开的装置、设备及非易失性可读存储介质而言,由于其与实施例公开的方法相对应,所以描述的比较简单,相关之处参见方法部分说明即可。应当指出,对于本技术领域的普通技术人员来说,在不脱离本申请原理的前提下,还可以对本申请进行若干改进和修饰,这些改进和修饰也落入本申请权利要求的保护范围内。The above is a detailed introduction to a digital certificate management method, device, equipment, system and non-volatile readable storage medium provided by the present application. The various embodiments in the specification are described in a progressive manner, and each embodiment focuses on the differences from other embodiments. The same and similar parts between the embodiments can be referenced to each other. For the devices, equipment and non-volatile readable storage medium disclosed in the embodiments, since they correspond to the methods disclosed in the embodiments, the description is relatively simple, and the relevant parts can be referred to the method part description. It should be pointed out that for ordinary technicians in this technical field, without departing from the principles of the present application, several improvements and modifications can be made to the present application, and these improvements and modifications also fall within the scope of protection of the claims of the present application.

还需要说明的是,在本说明书中,诸如第一和第二等之类的关系术语仅仅用来将一个实体或者操作与另一个实体或操作区分开来,而不一定要求或者暗示这些实体或操作之间存在任何这种实际的关系或者顺序。而且,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括要素的过程、方法、物品或者设备中还存在另外的相同要素。 It should also be noted that, in this specification, relational terms such as first and second, etc. are only used to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "comprise", "include" or any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements, but also other elements not explicitly listed, or also includes elements inherent to such process, method, article or device. In the absence of further restrictions, an element defined by the statement "comprises a ..." does not exclude the presence of other identical elements in the process, method, article or device including the element.

Claims (24)

一种数字证书管理方法,其特征在于,包括:A digital certificate management method, characterized by comprising: 根据目标业务的需求,生成数字证书颁发请求;Generate a digital certificate issuance request based on the needs of the target business; 将所述数字证书颁发请求发送至数字证书设备,以使所述数字证书设备生成所述目标业务的证书链;Sending the digital certificate issuance request to a digital certificate device so that the digital certificate device generates a certificate chain for the target service; 对所述证书链进行合法性验证通过后,利用所述证书链部署所述目标业务;After the certificate chain is verified to be legitimate, the target service is deployed using the certificate chain; 其中,所述证书链至少包括一个由证书颁发机构颁发的公钥基础设施证书和一个基于机密计算环境生成的机密计算证书。The certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment. 根据权利要求1所述的数字证书管理方法,其特征在于,所述证书链中至少一级数字证书包括公钥基础设施证书和机密计算证书。The digital certificate management method according to claim 1 is characterized in that at least one level of digital certificate in the certificate chain includes a public key infrastructure certificate and a confidential computing certificate. 根据权利要求1所述的数字证书管理方法,其特征在于,所述数字证书设备生成所述目标业务的证书链,包括:The digital certificate management method according to claim 1, wherein the digital certificate device generates a certificate chain for the target service, comprising: 用于持有所述证书链的第一级数字证书的第一级数字证书设备通过自签名方式生成所述第一级数字证书并对所述第一级数字证书验签通过后,确定所述第一级数字证书合法且所述第一级数字证书设备具有颁发数字证书的权限;The first-level digital certificate device for holding the first-level digital certificate of the certificate chain generates the first-level digital certificate by self-signing and verifies the signature of the first-level digital certificate, and determines that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates; 自用于持有所述证书链的第二级数字证书的第二级数字证书设备起,当前级数字证书设备接收上一级数字证书设备颁发的当前级数字证书并对所述当前级数字证书验签通过后,确定所述当前级数字证书合法;Starting from the second-level digital certificate device for holding the second-level digital certificate of the certificate chain, the current-level digital certificate device receives the current-level digital certificate issued by the previous-level digital certificate device and verifies the signature of the current-level digital certificate, and determines that the current-level digital certificate is legal; 在生成所述证书链的各级数字证书且各级数字证书均通过合法性验证后,得到所述证书链。After the digital certificates at each level of the certificate chain are generated and all the digital certificates at each level pass the legitimacy verification, the certificate chain is obtained. 根据权利要求3所述的数字证书管理方法,其特征在于,用于持有所述证书链的第一级数字证书的第一级数字证书设备通过自签名方式生成所述第一级数字证书并对所述第一级数字证书验签通过后,确定所述第一级数字证书合法且所述第一级数字证书设备具有颁发数字证书的权限,包括:The digital certificate management method according to claim 3 is characterized in that, after the first-level digital certificate device for holding the first-level digital certificate of the certificate chain generates the first-level digital certificate by self-signing and verifies the signature of the first-level digital certificate, it is determined that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates, including: 若所述第一级数字证书为公钥基础设施证书,则所述第一级数字证书设备为证书颁发机构设备,所述第一级数字证书设备通过本地生成的非对称密钥中的私钥对本地数字证书信息进行签名,得到所述第一级数字证书;所述第一级数字证书设备通过本地生成的非对称密钥中的公钥对所述第一级数字证书进行验签通过后,确定所述第一级数字证书合法且所述第一级数字证书设备具有颁发数字证书的权限;If the first-level digital certificate is a public key infrastructure certificate, the first-level digital certificate device is a certificate authority device, and the first-level digital certificate device signs the local digital certificate information with the private key in the locally generated asymmetric key to obtain the first-level digital certificate; after the first-level digital certificate device verifies the signature of the first-level digital certificate with the public key in the locally generated asymmetric key, it is determined that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates; 若所述第一级数字证书为机密计算证书,则所述第一级数字证书设备为具有机密计算环境的机密计算设备,所述第一级数字证书设备通过本地机密计算环境中生成的非对称密钥的私钥对本地数字证书信息进行签名,得到所述第一级数字证书;所述第一级数字证书设备通过本地机密计算环境中生成的非对称密钥的公钥对所述第一级数字证书进行验签通过后,确定所述第一级数字证书合法且所述第一级数字证书设备具有颁发数字证书的权限。If the first-level digital certificate is a confidential computing certificate, then the first-level digital certificate device is a confidential computing device with a confidential computing environment, and the first-level digital certificate device signs the local digital certificate information with the private key of the asymmetric key generated in the local confidential computing environment to obtain the first-level digital certificate; after the first-level digital certificate device verifies the signature of the first-level digital certificate with the public key of the asymmetric key generated in the local confidential computing environment, it is determined that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates. 根据权利要求3所述的数字证书管理方法,其特征在于,自用于持有所述证书链的第二级数字证书的第二级数字证书设备起,当前级数字证书设备接收上一级数字证书设备颁发的当前级数字证书并对所述当前级数字证书验签通过后,确定所述当前级数字证书合法,包括: The digital certificate management method according to claim 3 is characterized in that, starting from the second-level digital certificate device for holding the second-level digital certificate of the certificate chain, after the current-level digital certificate device receives the current-level digital certificate issued by the previous-level digital certificate device and verifies the signature of the current-level digital certificate, it is determined that the current-level digital certificate is legal, including: 若所述当前级数字证书为公钥基础设施证书,则所述当前级数字证书设备接收通过所述上一级数字证书设备生成的非对称密钥中的私钥对所述当前级数字证书设备的本地数字证书信息进行签名处理得到的所述当前级数字证书,并利用所述上一级数字证书设备生成的非对称密钥中的公钥对所述当前级数字证书验签通过后,确定所述当前级数字证书合法;If the current-level digital certificate is a public key infrastructure certificate, the current-level digital certificate device receives the current-level digital certificate obtained by signing the local digital certificate information of the current-level digital certificate device with the private key in the asymmetric key generated by the previous-level digital certificate device, and after the current-level digital certificate is verified by the public key in the asymmetric key generated by the previous-level digital certificate device, determines that the current-level digital certificate is legal; 若所述当前级数字证书为机密计算证书,则所述当前级数字证书设备利用本地机密计算环境中生成的非对称密钥中的私钥对所述当前级数字证书设备的本地数字证书信息进行自签名处理后,接收所述上一级数字证书设备生成的非对称密钥中的私钥对自签名处理后的本地数字证书信息进行签名处理得到所述当前级数字证书,利用本地机密计算环境中生成的非对称密钥中的公钥对所述当前级数字证书进行自签名验签通过,并利用所述上一级数字证书设备生成的非对称密钥中的公钥对所述当前级数字证书进行验签通过后,确定所述当前级数字证书合法。If the current-level digital certificate is a confidential computing certificate, the current-level digital certificate device uses the private key in the asymmetric key generated in the local confidential computing environment to self-sign the local digital certificate information of the current-level digital certificate device, receives the private key in the asymmetric key generated by the previous-level digital certificate device, signs the self-signed local digital certificate information to obtain the current-level digital certificate, uses the public key in the asymmetric key generated in the local confidential computing environment to self-sign the current-level digital certificate, and after the public key in the asymmetric key generated by the previous-level digital certificate device is used to verify the signature of the current-level digital certificate, it is determined that the current-level digital certificate is legal. 根据权利要求4所述的数字证书管理方法,其特征在于,所述第一级数字证书设备通过本地机密计算环境中生成的非对称密钥的私钥对本地数字证书信息进行签名,包括:The digital certificate management method according to claim 4 is characterized in that the first-level digital certificate device signs the local digital certificate information by using the private key of the asymmetric key generated in the local confidential computing environment, comprising: 所述第一级数字证书设备在通过对本地机密计算环境进行真实性验证后,通过本地机密计算环境中生成的非对称密钥的私钥对本地数字证书信息进行签名。After verifying the authenticity of the local confidential computing environment, the first-level digital certificate device signs the local digital certificate information using the private key of the asymmetric key generated in the local confidential computing environment. 根据权利要求5所述的数字证书管理方法,其特征在于,所述当前级数字证书设备利用本地机密计算环境中生成的非对称密钥中的私钥对所述当前级数字证书设备的本地数字证书信息进行自签名处理,包括:The digital certificate management method according to claim 5 is characterized in that the current-level digital certificate device uses a private key in an asymmetric key generated in a local confidential computing environment to perform self-signature processing on the local digital certificate information of the current-level digital certificate device, comprising: 所述当前级数字证书设备在通过对本地机密计算环境进行真实性验证后,利用本地机密计算环境中生成的非对称密钥中的私钥对所述当前级数字证书设备的本地数字证书信息进行自签名处理。After verifying the authenticity of the local confidential computing environment, the current-level digital certificate device uses the private key in the asymmetric key generated in the local confidential computing environment to perform self-signature processing on the local digital certificate information of the current-level digital certificate device. 根据权利要求5所述的数字证书管理方法,其特征在于,若所述上一级数字证书设备生成的非对称密钥为在本地机密计算环境中生成的非对称密钥,The digital certificate management method according to claim 5 is characterized in that if the asymmetric key generated by the upper-level digital certificate device is an asymmetric key generated in a local confidential computing environment, 所述当前级数字证书设备接收通过所述上一级数字证书设备生成的非对称密钥中的私钥对所述当前级数字证书设备的本地数字证书信息进行签名处理得到的所述当前级数字证书,包括:The current-level digital certificate device receives the current-level digital certificate obtained by signing the local digital certificate information of the current-level digital certificate device with the private key in the asymmetric key generated by the previous-level digital certificate device, including: 所述当前级数字证书设备在触发对所述上一级数字证书设备的本地机密计算环境的真实性验证并通过后,获取所述上一级数字证书设备的本地机密计算环境中生成的非对称密钥中的私钥对所述当前级数字证书设备的本地数字证书信息进行签名处理得到的所述当前级数字证书;After triggering and passing the authenticity verification of the local confidential computing environment of the previous-level digital certificate device, the current-level digital certificate device obtains the private key in the asymmetric key generated in the local confidential computing environment of the previous-level digital certificate device to sign the local digital certificate information of the current-level digital certificate device to obtain the current-level digital certificate; 所述当前级数字证书设备接收所述上一级数字证书设备生成的非对称密钥中的私钥对自签名处理后的本地数字证书信息进行签名处理得到所述当前级数字证书,包括:The current-level digital certificate device receives the private key in the asymmetric key generated by the previous-level digital certificate device and performs a signing process on the local digital certificate information after the self-signature process to obtain the current-level digital certificate, including: 所述当前级数字证书设备在触发对所述上一级数字证书设备的本地机密计算环境的真实性验证并通过后,获取所述上一级数字证书设备的本地机密计算环境中生成的非对称密钥中的私钥对自签名处理后的本地数字证书信息进行签名处理得到所述当前级数字证书。After triggering and passing the authenticity verification of the local confidential computing environment of the previous-level digital certificate device, the current-level digital certificate device obtains the private key in the asymmetric key generated in the local confidential computing environment of the previous-level digital certificate device to sign the local digital certificate information after self-signature processing to obtain the current-level digital certificate. 根据权利要求6至8任意一项所述的数字证书管理方法,其特征在于,对本地机密计算环境进行真实性验证,包括:The digital certificate management method according to any one of claims 6 to 8, characterized in that the authenticity verification of the local confidential computing environment comprises: 将所在设备的本地数字证书信息中的远程证明数据发送至设备厂商以进行本地机密计算环境的真实性验证。 The remote attestation data in the local digital certificate information of the device is sent to the device manufacturer to verify the authenticity of the local confidential computing environment. 根据权利要求9所述的数字证书管理方法,其特征在于,所述远程证明数据包括所在设备的可信度量信息。The digital certificate management method according to claim 9 is characterized in that the remote certification data includes trust measurement information of the device. 根据权利要求9所述的数字证书管理方法,其特征在于,所述远程证明数据包括远程证明数据明文和利用所在设备的本地机密计算环境的硬件远程证明私钥对所述远程证明数据明文进行签名得到的远程证明数据签名;The digital certificate management method according to claim 9, characterized in that the remote attestation data includes a plain text of the remote attestation data and a remote attestation data signature obtained by signing the plain text of the remote attestation data using a hardware remote attestation private key of a local confidential computing environment of the device; 其中,所述远程证明数据明文包括利用所在设备的本地机密计算环境中生成的非对称密钥中的公钥的哈希值和所在设备的可信度量信息。The remote attestation data plain text includes a hash value of a public key in an asymmetric key generated in a local confidential computing environment of the device and trust measurement information of the device. 根据权利要求4所述的数字证书管理方法,其特征在于,所述第一级数字证书设备通过本地机密计算环境中生成的非对称密钥的公钥对所述第一级数字证书进行验签通过后,确定所述第一级数字证书合法且所述第一级数字证书设备具有颁发数字证书的权限,包括:The digital certificate management method according to claim 4 is characterized in that after the first-level digital certificate is verified by the public key of the asymmetric key generated in the local confidential computing environment, it is determined that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates, including: 所述第一级数字证书设备比较计算得到的机密计算证书中的本体公钥的哈希值和机密计算证书中的远程证明数据中的公钥哈希值一致,且通过所述本体公钥对所述第一级数字证书进行验签通过后,确定所述第一级数字证书合法且所述第一级数字证书设备具有颁发数字证书的权限。The first-level digital certificate device compares the calculated hash value of the entity public key in the confidential computing certificate and the public key hash value in the remote attestation data in the confidential computing certificate and finds that they are consistent. After the first-level digital certificate is signed and verified by the entity public key, it is determined that the first-level digital certificate is legal and the first-level digital certificate device has the authority to issue digital certificates. 根据权利要求5所述的数字证书管理方法,其特征在于,所述当前级数字证书设备利用本地机密计算环境中生成的非对称密钥中的公钥对所述当前级数字证书进行自签名验签通过,包括:The digital certificate management method according to claim 5 is characterized in that the current-level digital certificate device uses the public key in the asymmetric key generated in the local confidential computing environment to perform self-signature verification on the current-level digital certificate, comprising: 所述当前级数字证书设备比较计算得到的机密计算证书中的本体公钥的哈希值和机密计算证书中的远程证明数据中的公钥哈希值一致,且通过所述本体公钥对所述当前级数字证书进行验签通过。The current-level digital certificate device compares the calculated hash value of the entity public key in the confidential computing certificate and the public key hash value in the remote certification data in the confidential computing certificate and verifies the signature of the current-level digital certificate through the entity public key. 根据权利要求1所述的数字证书管理方法,其特征在于,所述数字证书设备生成所述目标业务的证书链,包括:The digital certificate management method according to claim 1, wherein the digital certificate device generates a certificate chain for the target service, comprising: 若当前级数字证书具有一个上一级数字证书设备的签名,则拥有所述当前级数字证书的当前级数字证书设备对所述上一级数字证书设备的签名验签通过后,确定所述当前级数字证书合法;If the current-level digital certificate has a signature of a previous-level digital certificate device, the current-level digital certificate device that has the current-level digital certificate verifies the signature of the previous-level digital certificate device and determines that the current-level digital certificate is legal; 若所述当前级数字证书具有多个所述上一级数字证书设备的签名,则所述当前级数字证书设备对多个签名中的第一预设数量签名验签通过后,确定所述当前级数字证书合法;If the current-level digital certificate has multiple signatures of the previous-level digital certificate device, the current-level digital certificate device determines that the current-level digital certificate is legal after verifying a first preset number of signatures among the multiple signatures; 其中,第一预设数量小于所述当前级数字证书中所述上一级数字证书设备的签名的数量。The first preset number is smaller than the number of signatures of the previous-level digital certificate device in the current-level digital certificate. 根据权利要求14所述的数字证书管理方法,其特征在于,若所述当前级数字证书具有多个所述上一级数字证书设备的签名,则所述当前级数字证书设备对多个签名中的第一预设数量签名验签通过后,确定所述当前级数字证书合法,包括:The digital certificate management method according to claim 14 is characterized in that if the current-level digital certificate has multiple signatures of the previous-level digital certificate device, the current-level digital certificate device determines that the current-level digital certificate is legitimate after verifying a first preset number of signatures among the multiple signatures, including: 若所述当前级数字证书具有的多个所述上一级数字证书设备的签名中既包括公钥基础设施签名又包括机密计算签名,则所述当前级数字证书设备对多个签名中的第二预设数量公钥基础设施签名验签通过且对多个签名中的第三预设数量机密计算签名验签通过后,If the signatures of the multiple previous-level digital certificate devices in the current-level digital certificate include both public key infrastructure signatures and confidential computing signatures, after the current-level digital certificate device passes the signature verification of the second preset number of public key infrastructure signatures in the multiple signatures and passes the signature verification of the third preset number of confidential computing signatures in the multiple signatures, 确定所述当前级数字证书合法;Determining that the current-level digital certificate is legitimate; 其中,第二预设数量小于所述当前级数字证书中上一级数字证书设备的的公钥基础设施签名的数量,第三预设数量小于所述当前级数字证书中上一级数字证书设备的机密计算签名的数量。 Among them, the second preset number is smaller than the number of public key infrastructure signatures of the previous level digital certificate device in the current level digital certificate, and the third preset number is smaller than the number of confidential computing signatures of the previous level digital certificate device in the current level digital certificate. 根据权利要求1所述的数字证书管理方法,其特征在于,根据目标业务的需求,生成数字证书颁发请求,包括:The digital certificate management method according to claim 1 is characterized in that generating a digital certificate issuance request according to the needs of the target business includes: 根据所述目标业务的安全需求,确定所述证书链中公钥基础设施证书和机密计算证书的组合方式;Determining a combination method of a public key infrastructure certificate and a confidential computing certificate in the certificate chain according to the security requirements of the target business; 根据所述证书链中公钥基础设施证书和机密计算证书的组合方式,确定对应的所述数字证书设备;Determine the corresponding digital certificate device according to the combination of the public key infrastructure certificate and the confidential computing certificate in the certificate chain; 生成对各所述数字证书设备的数字证书颁发请求。Generate a digital certificate issuance request for each of the digital certificate devices. 根据权利要求1所述的数字证书管理方法,其特征在于,还包括:The digital certificate management method according to claim 1, further comprising: 在接收到请求方设备对所述目标业务的应用请求后,对所述证书链进行合法性验证以使所述请求方设备在确定所述证书链合法后确定所述目标业务合法。After receiving the application request of the target service from the requesting device, the certificate chain is verified for legitimacy so that the requesting device determines that the target service is legitimate after determining that the certificate chain is legitimate. 根据权利要求1所述的数字证书管理方法,其特征在于,应用于进行超文本传输安全协议连接的服务器;The digital certificate management method according to claim 1 is characterized in that it is applied to a server that performs a Hypertext Transfer Protocol Security connection; 数字证书管理方法还包括:The digital certificate management method also includes: 在接收到客户端发送的对所述服务器的访问请求后,对所述服务器的超文本传输安全协议连接业务对应的所述证书链进行验签通过后,将所述超文本传输安全协议连接业务对应的所述证书链的最后一级数字证书发送至所述客户端以使所述客户端对最后一级数字证书进行验签,以使所述客户端在对最后一级数字证书验签通过后,确定所述超文本传输安全协议连接业务合法并与所述服务器建立超文本传输安全协议安全信道。After receiving an access request to the server sent by the client, after verifying the certificate chain corresponding to the server's Hypertext Transfer Protocol Security connection service, the last-level digital certificate of the certificate chain corresponding to the Hypertext Transfer Protocol Security connection service is sent to the client so that the client can verify the last-level digital certificate, so that after verifying the last-level digital certificate, the client can determine that the Hypertext Transfer Protocol Security connection service is legal and establish a Hypertext Transfer Protocol Security secure channel with the server. 根据权利要求1所述的数字证书管理方法,其特征在于,应用于文件发送设备;The digital certificate management method according to claim 1 is characterized in that it is applied to a file sending device; 数字证书管理方法还包括:The digital certificate management method also includes: 在接收到文件接收设备对待发送的目标文件的合法性验证后,将所述证书链的各级数字证书提供给所述文件接收设备,以使所述文件接收设备对所述证书链的各级数字证书均进行合法性验证通过后接收所述目标文件。After receiving the legitimacy verification of the target file to be sent by the file receiving device, the digital certificates at all levels of the certificate chain are provided to the file receiving device, so that the file receiving device receives the target file after the legitimacy verification of the digital certificates at all levels of the certificate chain is passed. 一种数字证书管理方法,其特征在于,包括:A digital certificate management method, characterized by comprising: 业务设备根据目标业务的需求,生成数字证书颁发请求,并将所述数字证书颁发请求发送至数字证书设备;The business device generates a digital certificate issuance request according to the needs of the target business, and sends the digital certificate issuance request to the digital certificate device; 所述数字证书设备根据所述数字证书颁发请求生成目标业务的证书链;The digital certificate device generates a certificate chain of the target service according to the digital certificate issuance request; 所述业务设备对所述证书链进行合法性验证通过后,利用所述证书链部署所述目标业务;After the business device verifies the legitimacy of the certificate chain, the target business is deployed using the certificate chain; 其中,所述证书链至少包括一个由证书颁发机构颁发的公钥基础设施证书和一个基于机密计算环境生成的机密计算证书。The certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment. 一种数字证书管理系统,其特征在于,包括:业务设备和数字证书设备;A digital certificate management system, characterized in that it comprises: a business device and a digital certificate device; 其中,所述业务设备用于根据目标业务的需求,生成数字证书颁发请求;将所述数字证书颁发请求发送至数字证书设备,以使所述数字证书设备生成所述目标业务的证书链;The service device is used to generate a digital certificate issuance request according to the needs of the target service; the digital certificate issuance request is sent to the digital certificate device so that the digital certificate device generates a certificate chain for the target service; 对所述证书链进行合法性验证通过后,利用所述证书链部署所述目标业务;After the certificate chain is verified to be legitimate, the target service is deployed using the certificate chain; 其中,所述证书链至少包括一个由证书颁发机构颁发的公钥基础设施证书和一个基于机密计算环境生成的机密计算证书。The certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment. 一种数字证书管理装置,其特征在于,包括:A digital certificate management device, comprising: 请求单元,用于根据目标业务的需求,生成数字证书颁发请求;A request unit, used to generate a digital certificate issuance request according to the needs of the target business; 发送单元,用于将所述数字证书颁发请求发送至数字证书设备,以使所述数字证书设备生成所述目标业务的证书链; A sending unit, configured to send the digital certificate issuance request to a digital certificate device, so that the digital certificate device generates a certificate chain for the target service; 部署单元,用于对所述证书链进行合法性验证通过后,利用所述证书链部署所述目标业务;A deployment unit, configured to deploy the target service using the certificate chain after the certificate chain passes the legitimacy verification; 其中,所述证书链至少包括一个由证书颁发机构颁发的公钥基础设施证书和一个基于机密计算环境生成的机密计算证书。The certificate chain includes at least a public key infrastructure certificate issued by a certificate authority and a confidential computing certificate generated based on a confidential computing environment. 一种数字证书管理设备,其特征在于,包括:A digital certificate management device, comprising: 存储器,用于存储计算机程序;Memory for storing computer programs; 处理器,用于执行所述计算机程序,所述计算机程序被所述处理器执行时实现如权利要求1至20任意一项所述数字证书管理方法的步骤。A processor is used to execute the computer program, and when the computer program is executed by the processor, the steps of the digital certificate management method as described in any one of claims 1 to 20 are implemented. 一种非易失性可读存储介质,其上存储有计算机程序,其特征在于,所述计算机程序被处理器执行时实现如权利要求1至20任意一项所述数字证书管理方法的步骤。 A non-volatile readable storage medium having a computer program stored thereon, characterized in that when the computer program is executed by a processor, the steps of the digital certificate management method as described in any one of claims 1 to 20 are implemented.
PCT/CN2024/078901 2023-06-28 2024-02-28 Digital certificate management method, apparatus, device and system and readable storage medium Pending WO2025001230A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202310772031.8 2023-06-28
CN202310772031.8A CN116506134B (en) 2023-06-28 2023-06-28 Digital certificate management method, device, equipment, system and readable storage medium

Publications (1)

Publication Number Publication Date
WO2025001230A1 true WO2025001230A1 (en) 2025-01-02

Family

ID=87328800

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2024/078901 Pending WO2025001230A1 (en) 2023-06-28 2024-02-28 Digital certificate management method, apparatus, device and system and readable storage medium

Country Status (2)

Country Link
CN (1) CN116506134B (en)
WO (1) WO2025001230A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116506134B (en) * 2023-06-28 2023-09-15 山东海量信息技术研究院 Digital certificate management method, device, equipment, system and readable storage medium
CN116846682B (en) * 2023-08-29 2024-01-23 山东海量信息技术研究院 Communication channel establishment method, device, equipment and medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008013656A2 (en) * 2006-07-07 2008-01-31 Sandisk Corporation Content control system and method using certificate chains
US20170161505A1 (en) * 2015-12-07 2017-06-08 Amazon Technologies, Inc. Chained security systems
CN114362951A (en) * 2020-10-13 2022-04-15 华为终端有限公司 Method and apparatus for updating certificates
CN115225289A (en) * 2022-07-28 2022-10-21 上海光之树科技有限公司 Trust chain construction and verification method based on ARM Trustzone
CN115643028A (en) * 2022-10-20 2023-01-24 浙江大华技术股份有限公司 Business certificate management method and device, storage medium and electronic device
CN116506134A (en) * 2023-06-28 2023-07-28 山东海量信息技术研究院 Digital certificate management method, device, equipment, system and readable storage medium

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007079499A2 (en) * 2006-01-04 2007-07-12 Nytor, Inc. Trusted host platform
US8468355B2 (en) * 2008-12-19 2013-06-18 University Of South Carolina Multi-dimensional credentialing using veiled certificates
EP3387576B1 (en) * 2016-07-14 2020-12-16 Huawei Technologies Co., Ltd. Apparatus and method for certificate enrollment
DE102017214359A1 (en) * 2017-08-17 2019-02-21 Siemens Aktiengesellschaft A method for safely replacing a first manufacturer's certificate already placed in a device
CN108768664B (en) * 2018-06-06 2020-11-03 腾讯科技(深圳)有限公司 Key management method, device, system, storage medium and computer equipment
WO2022124431A1 (en) * 2020-12-08 2022-06-16 주식회사 앰진시큐러스 Method for automating trusted execution environment-based non-contact identity generation and mutual authentication
US11698968B2 (en) * 2021-03-05 2023-07-11 Red Hat, Inc. Management of building of software packages using a trusted execution environment
CN113824566B (en) * 2021-10-19 2022-12-02 恒宝股份有限公司 Certificate authentication method, code number downloading method, device, server and storage medium

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008013656A2 (en) * 2006-07-07 2008-01-31 Sandisk Corporation Content control system and method using certificate chains
US20170161505A1 (en) * 2015-12-07 2017-06-08 Amazon Technologies, Inc. Chained security systems
CN114362951A (en) * 2020-10-13 2022-04-15 华为终端有限公司 Method and apparatus for updating certificates
CN115225289A (en) * 2022-07-28 2022-10-21 上海光之树科技有限公司 Trust chain construction and verification method based on ARM Trustzone
CN115643028A (en) * 2022-10-20 2023-01-24 浙江大华技术股份有限公司 Business certificate management method and device, storage medium and electronic device
CN116506134A (en) * 2023-06-28 2023-07-28 山东海量信息技术研究院 Digital certificate management method, device, equipment, system and readable storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
WANG YONG, WU HAO: "Certificate Path Processing Mechanism Opimizing Design in PMI", SCIENCE TECHNOLOGY AND ENGINEERING, ZHONGGUO JISHU JINGJI YANJIUHUI, CN, vol. 6, no. 12, 3 June 2006 (2006-06-03), CN , pages 1706 - 1709, XP093254523, ISSN: 1671-1815 *
ZHU GUO-DONG, NING HONG-ZHOU, HE DE-QUAN: "Leak in trusted root certificates management and the method for solving", JOURNAL ON COMMUNICATIONS, RENMIN YOUDIAN CHUBANSHE, BEIJING, CN, vol. 26, no. 6, 25 June 2005 (2005-06-25), CN , pages 100 - 104, XP093254521, ISSN: 1000-436X *

Also Published As

Publication number Publication date
CN116506134A (en) 2023-07-28
CN116506134B (en) 2023-09-15

Similar Documents

Publication Publication Date Title
US12294661B2 (en) Personal device security using cryptocurrency wallets
US10523659B2 (en) Server authentication using multiple authentication chains
CN108512846B (en) Bidirectional authentication method and device between terminal and server
JP2021516495A (en) Key management methods, devices, systems, computer equipment and computer programs
CA2838322C (en) Secure implicit certificate chaining
US20160080157A1 (en) Network authentication method for secure electronic transactions
CN107079036A (en) Registration and authorization method, device and system
CN109981287B (en) Code signing method and storage medium thereof
CN110224811B (en) Internet of things encryption processing method, device and system
WO2025001230A1 (en) Digital certificate management method, apparatus, device and system and readable storage medium
EP3997852A1 (en) Computer-implemented system and method for facilitating transactions associated with a blockchain using a network identifier for participating entities
CN111600903A (en) Communication method, system, equipment and readable storage medium
KR20120091618A (en) Digital signing system and method using chained hash
CN115664655B (en) A TEE trusted authentication method, device, equipment and medium
CN113672973B (en) Database system for embedded devices based on RISC-V architecture based on trusted execution environment
CN115426106B (en) Identity authentication method, device and system, electronic equipment and storage medium
CN115834149A (en) Numerical control system safety protection method and device based on state cryptographic algorithm
TWI698113B (en) Identification method and systerm of electronic device
CN117675244B (en) Task key distribution method and device based on cluster environment
CN118555068B (en) PUF-based TEE trusted root generation and use method and related device
JP2013179473A (en) Account generation management system, account generation management server, account generation management method, account generation management program
Appiah et al. Secure IoT firmware updates against supply chain attacks
WO2024098452A1 (en) Secure data transmission system and method, and storage medium and electronic device
CN115442123A (en) Real-name system authentication method and device, electronic equipment and computer readable medium
CN111641507A (en) Software communication system structure component registration management method and device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 24829887

Country of ref document: EP

Kind code of ref document: A1

点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载