CN115801281A - Authorization method, electronic device, and computer-readable storage medium - Google Patents
- Publication number
- CN115801281A, CN202211508694.0A
- Authority
- CN
- China
- Prior art keywords
- digital
- digital certificate
- terminal
- authorization
- certificate
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Landscapes
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Description
Technical field
The present application relates to the technical field of online authorization, and in particular to an authorization method, an electronic device, and a computer-readable storage medium.
Background
Under the current trend toward digital office work, enterprises and institutions implementing it often need to build a digital management platform to manage complex business. In a large, complex digital management platform, however, a single administrator can hardly cover all business, while management by several people easily leads to unclear rights and responsibilities and to overlapping management. It is therefore necessary to break tasks down and to set up multiple roles on the digital management platform, each in charge of different business. The management of shopping malls, industrial parks, or public streets, for example, requires roles such as network administrator, monitor, and fire inspector to work together. How to grant the corresponding operation permissions to these roles while ensuring security and authenticating the identity of business personnel is therefore crucial. In the prior art, a digital certificate management system built on PKI can grant personnel their operation permissions while authenticating their identity. However, the PKI (Public Key Infrastructure) mechanism requires a third-party organization for authentication, and its authorization flexibility is low when the permissions of business personnel change.
Summary of the invention
The main purpose of the embodiments of the present application is to propose an authorization method, an electronic device, and a computer-readable storage medium. By classifying digital certificates so that each type of digital certificate corresponds to different operation permissions, a business terminal is granted its operation permissions at the same time as its identity is authenticated, which improves the flexibility of re-authorization when terminal permissions change.
To achieve the above purpose, a first aspect of the embodiments of the present application proposes an authorization method, the method including:
configuring multiple types of digital certificates, wherein the digital certificates include at least a management-type digital certificate and a common-type digital certificate, and the management-type digital certificate corresponds to the permission to issue authorization files;
issuing an authorization file to at least one terminal through the permission of the management-type digital certificate, and backing up the authorization file, wherein the authorization file includes the common-type digital certificate and a corresponding digital signature;
obtaining an operation request reported by a terminal, wherein the operation request carries a first common-type digital certificate and a first digital signature corresponding to the terminal;
verifying the legitimacy of the first common-type digital certificate through the authorization file;
if the first common-type digital certificate is legitimate, verifying the legitimacy of the operation request through the first digital signature;
if the operation request is legitimate, executing the operation corresponding to the operation request.
In some embodiments, the method further includes:
configuring a preset decryption module that stores at least one of a first preset private key and a first preset public key, wherein the first preset private key is used to decrypt a PCK file and the first preset public key is used to verify the first digital signature.
In some embodiments, the method further includes:
verifying the legitimacy of the management-type digital certificate through a preset CA certificate;
if the management-type digital certificate is legitimate, verifying the legitimacy of the first common-type digital certificate through the authorization file.
In some embodiments, verifying the legitimacy of the first common-type digital certificate through the authorization file includes:
determining the legitimacy of the first common-type digital certificate according to whether it is consistent with the common-type digital certificate stored in the authorization file.
In some embodiments, the authorization file further includes a preset digest algorithm, which is used to generate a digest of the common-type digital certificate, and verifying the legitimacy of the operation request through the digital signature includes:
generating a first digest of the first common-type digital certificate through the preset digest algorithm;
decrypting the first digital signature with the first preset public key to obtain a second digest;
determining the legitimacy of the operation request according to whether the first digest and the second digest are consistent.
In some embodiments, the method further includes:
sending a certificate issuance request to a security center;
receiving a PCK file returned by the security center in response to the certificate issuance request, wherein the PCK file is obtained by encrypting a P12 digital envelope with the first preset public key;
decrypting the PCK file with the first preset private key to obtain the P12 digital envelope, wherein the P12 digital envelope includes at least the management-type digital certificate and at least one type of the common-type digital certificate;
extracting and saving each type of digital certificate from the P12 digital envelope.
In some embodiments, the digital certificates further include an audit-type digital certificate, which corresponds to the operation permission to view the log information of the terminal.
In some embodiments, the digital certificate includes at least a subject field or an extension field, and the method further includes:
determining the type of the digital certificate through the subject field in the digital certificate;
or
determining the type of the digital certificate through the extension field in the digital certificate.
A second aspect of the embodiments of the present application proposes an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the computer program, implements the authorization method of any one of the embodiments of the first aspect.
A third aspect of the embodiments of the present application proposes a computer-readable storage medium storing one or more programs, which can be executed by one or more processors to implement the authorization method of any one of the embodiments of the first aspect.
In the authorization method, electronic device, and computer-readable storage medium proposed in the embodiments of the present application, the method includes: configuring multiple types of digital certificates, wherein the digital certificates include at least a management-type digital certificate and a common-type digital certificate, and the management-type digital certificate corresponds to the permission to issue authorization files; issuing an authorization file to at least one terminal through the permission of the management-type digital certificate, and backing up the authorization file, wherein the authorization file includes the common-type digital certificate and a corresponding digital signature; obtaining an operation request reported by a terminal, wherein the operation request carries a first common-type digital certificate and a first digital signature corresponding to the terminal; verifying the legitimacy of the first common-type digital certificate through the authorization file; if the first common-type digital certificate is legitimate, verifying the legitimacy of the operation request through the first digital signature; and, if the operation request is legitimate, executing the operation corresponding to the operation request.
In this application, multiple types of digital certificates are configured locally in advance, including a management-type digital certificate and several common-type digital certificates, where the management-type digital certificate corresponds to the permission to issue authorization files to terminals. Once a terminal has obtained the authorization file, its identity is confirmed. When the terminal needs to perform an operation, it reports an operation request to the system, and the request carries the first common-type digital certificate corresponding to the terminal's identity and the corresponding first digital signature. After receiving the operation request, the system first verifies the legitimacy of the first common-type digital certificate against the authorization file backed up by the system; if it is legitimate, the terminal was authorized by the system. The system then verifies the legitimacy of the operation request through the first digital signature; if that verification passes, the operation request was sent by the terminal corresponding to the first common-type digital certificate, is legitimate, and can be executed. With the method proposed in the embodiments of this application, when a terminal's identity changes and its permissions need to be modified, it is only necessary to re-issue the authorization file to each terminal through the permission of the management-type digital certificate. After the authorization file is re-issued, the locally backed-up authorization file is updated as well, so a terminal that reports an operation request using the identity of the first digital certificate from before the update fails verification. On this basis, while the credibility of the authorization chain of trust is preserved, the flexibility of re-authorization when a terminal's identity changes is greatly improved.
Brief description of the drawings
Fig. 1 is a flowchart of an authorization method provided by an embodiment of the present application;
Fig. 2 is a schematic diagram of an authorization method provided by an embodiment of the present application;
Fig. 3 is a sub-flowchart of an authorization method provided by an embodiment of the present application;
Fig. 4 is a sub-flowchart of an authorization method provided by an embodiment of the present application;
Fig. 5 is a sub-flowchart of an authorization method provided by an embodiment of the present application;
Fig. 6 is a schematic diagram of an authorization method provided by an embodiment of the present application;
Fig. 7 is a schematic diagram of an electronic device provided by an embodiment of the present application.
The accompanying drawings provide a further understanding of the technical solution of the present application and form part of the specification. Together with the embodiments of the present application they serve to explain the technical solution and do not limit it.
Detailed description
To make the purpose, technical solution, and advantages of the present application clearer, the application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here only explain the present application and do not limit it.
Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by those skilled in the technical field of this application. The terms used herein serve only to describe the embodiments of the present application and are not intended to limit it.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of the embodiments of the present disclosure. Those skilled in the art will appreciate, however, that the technical solutions of the present disclosure may be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so on. In other instances, well-known methods, devices, implementations, or operations are not shown or described in detail, to avoid obscuring aspects of the present disclosure.
The authorization method provided in the embodiments of the present application can be applied in a terminal or on a server side, and can also be software running in a terminal or on a server side. In some embodiments, the terminal may be a smartphone, tablet computer, notebook computer, desktop computer, smart watch, or the like. The server side may be configured as an independent physical server, as a server cluster or distributed system composed of multiple physical servers, or as a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN, and big data and artificial intelligence platforms. The software may be an application that implements the authorization method, but is not limited to the above forms.
The embodiments of the present disclosure can be used in numerous general-purpose or special-purpose computer system environments or configurations, for example: personal computers, server computers, handheld or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, and distributed computing environments that include any of the above systems or devices. This application may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures, and so on that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote storage media, including storage devices.
Referring to Fig. 1, the authorization method proposed by the embodiments of the present application includes, but is not limited to, the following steps S101 to S106.
Step S101: configure multiple types of digital certificates, wherein the digital certificates include at least a management-type digital certificate and at least one type of common-type digital certificate, and the management-type digital certificate corresponds to the permission to issue authorization files to terminals;
Step S102: issue an authorization file to at least one terminal through the permission of the management-type digital certificate, and back up the authorization file, wherein the authorization file includes the common-type digital certificate and a corresponding digital signature;
Step S103: obtain the operation request reported by a terminal, wherein the operation request carries the first common-type digital certificate and the first digital signature corresponding to the terminal;
Step S104: verify the legitimacy of the first common-type digital certificate through the authorization file;
Step S105: if the first common-type digital certificate is legitimate, verify the legitimacy of the operation request through the first digital signature;
Step S106: if the operation request is legitimate, execute the operation corresponding to the operation request.
In some embodiments, multiple types of digital certificates are configured in advance on the system side, including at least a management-type digital certificate and at least one common-type digital certificate. It can be understood that each type of digital certificate corresponds to a different terminal role and therefore to different permissions. It should be noted that, referring to Fig. 2, the management-type digital certificate corresponds to the permission to issue authorization files to terminals; after receiving an authorization file, a terminal determines its identity and the corresponding permissions from that file.
In some embodiments, after the system side has determined from business requirements which digital certificate to issue, it packages the digital certificate and the corresponding digital signature into an authorization file, issues the authorization file to at least one terminal through the permission of the management-type digital certificate, and backs the authorization file up locally on the system, so that when an operation request reported by a terminal is later received, the legitimacy of the request can be verified step by step against the authorization file.
In some embodiments, after a terminal has received the authorization file and established its own identity and the corresponding permissions, it reports operation requests to the system. Specifically, the operation request carries the first common-type digital certificate, used to authenticate the terminal's identity, and the first digital signature, used to verify whether the operation request was sent by that terminal.
It can be understood that, to prevent the system from performing a wrong operation after receiving an operation request reported by an illegitimate terminal, the terminal carries in the reported operation request the first common-type digital certificate that proves its identity. After receiving the request, the system first verifies the legitimacy of the first common-type digital certificate against the locally backed-up authorization file, thereby verifying the terminal's identity. Specifically, the backed-up authorization file stores the common-type digital certificates that the system has issued to terminals, and the system compares the first common-type digital certificate with them. If it is identical to a stored certificate, the first common-type digital certificate was issued to the terminal by the system after authentication by the management-type digital certificate, and it is legitimate. If it is not identical, the first common-type digital certificate was not authenticated by the management-type digital certificate, or the first management-type digital certificate has been tampered with; the first common-type digital certificate is then illegitimate, which means the system has not authorized the terminal and the terminal is an illegitimate terminal, so the system directly refuses to execute the operation request it reported.
If the first common-type digital certificate is legitimate, the terminal was authorized by the system. It can be understood that, to prevent a network attacker from illegally controlling the terminal through a Trojan or other means in order to upload operation request messages, the terminal must sign the operation request message after generating it. Specifically, a digest of the first common-type digital certificate can be generated with the preset digest algorithm and encrypted with a pre-configured private key, producing the digital signature corresponding to the terminal's first common-type digital certificate. It can be understood that, because a network attacker cannot know in advance the digest algorithm and the preset private key that are used, the attacker cannot generate a correct digital signature. Accordingly, after the system has received the operation request reported by the terminal and determined that the terminal is legitimate, it must also verify the signature of the operation request, to prove that the request was reported through this terminal by a legitimate operator. Only when all of the above verifications pass is the operation request shown to be fully legitimate, and the system can execute it.
In some embodiments, the authorization file carries a timestamp or a monotonic serial number to support dynamic updating of the authorization file, and the verifier only recognizes the largest monotonic serial number. If the authorization file is tampered with, its timestamp or monotonic serial number is updated as well, so the verifier discovers during verification that the authorization file has been tampered with; verification then fails and authorization is refused. This further improves the reliability of the chain of trust.
In the embodiments of this application, multiple types of digital certificates are configured locally in advance, including a management-type digital certificate and several common-type digital certificates, where the management-type digital certificate corresponds to the permission to issue authorization files to terminals. Once a terminal has obtained the authorization file, its identity is confirmed. When the terminal needs to perform an operation, it reports an operation request to the system, and the request carries the first common-type digital certificate corresponding to the terminal's identity and the corresponding first digital signature. After receiving the operation request, the system first verifies the legitimacy of the first common-type digital certificate against the authorization file backed up by the system; if it is legitimate, the terminal was authorized by the system. The system then verifies the legitimacy of the operation request through the first digital signature; if that verification passes, the operation request was sent by the terminal corresponding to the first common-type digital certificate, is legitimate, and can be executed. With the method proposed in the embodiments of this application, when a terminal's identity changes and its permissions need to be modified, it is only necessary to re-issue the authorization file to each terminal through the permission of the management-type digital certificate. After the authorization file is re-issued, the locally backed-up authorization file is updated as well, so a terminal that reports an operation request using the identity of the first digital certificate from before the update fails verification. Thus, when terminal permissions need to be changed, the system only has to re-issue the authorization file to each terminal through the permission of the management-type digital certificate, without having a third-party certification authority re-issue digital certificates and authenticate identities, which greatly improves the flexibility of re-authorization when permissions change.
In some embodiments, referring to Fig. 3, the authorization method further includes, but is not limited to, the following steps S301 to S303.
Step S301: verify the legitimacy of the management-type digital certificate through the preset CA certificate;
Step S302: if the management-type digital certificate is legitimate, verify the legitimacy of the first common-type digital certificate through the authorization file.
It can be understood that authenticating the legitimacy of the management-type digital certificate through the CA certification service of a third-party certification authority, which proves that the management-type digital certificate was issued by the CA, reduces the risk that a network attacker logs in to the system with a forged management-type digital certificate and thereby authenticates an illegitimate first common-type digital certificate. Specifically, the management-type digital certificate can be verified through its corresponding digital signature. The digital signature is obtained by digesting the management-type certificate with the preset digest algorithm and then signing the digest with the private key. The signature is decrypted with the public key provided by the preset CA certificate, which restores the digest, and a digest of the management-type digital certificate is then generated with the same digest algorithm. Because the same digest algorithm applied to the same content produces exactly the same digest, while any difference in content changes the digest, comparing the decrypted digest with the digest generated by the digest algorithm shows whether the management-type digital certificate has been tampered with. This verifies the signature of the management-type digital certificate and thus its legitimacy.
In some embodiments, referring to FIG. 4, the authorization method further includes, but is not limited to, the following steps S401 to S403.
Step S401: generate a first digest of the first ordinary digital certificate using the preset digest algorithm;
Step S402: decrypt the first digital signature with the first preset public key to obtain a second digest;
Step S403: determine the legitimacy of the operation request according to whether the first digest and the second digest are consistent.
It can be understood that the authorization file also stores the preset digest algorithm, which is the digest algorithm used when the digital signature corresponding to the first ordinary digital certificate was generated. The digital signature is obtained by generating a digest of the first ordinary digital certificate with the preset digest algorithm and then encrypting that digest with the private key. After receiving an operation request, the system decrypts the first signature carried in the request with the public key to obtain the corresponding second digest, and compares it with the first digest of the first ordinary digital certificate generated with the preset digest algorithm. If the first digest and the second digest are identical, the first digital signature is legitimate: the operation request was authenticated and signed by the terminal before being reported, and it can be executed. If the first digest and the second digest differ, the first digital signature is illegitimate: the operation request has not passed terminal authentication, and the system refuses to execute it.
Referring to FIG. 5, in some embodiments the authorization method further includes, but is not limited to, the following steps S501 to S504.
Step S501: send a certificate issuance request to the security center;
Step S502: receive the PCK file that the security center returns in response to the certificate issuance request, where the PCK file is the file obtained by encrypting the P12 digital envelope with the first preset public key;
Step S503: decrypt the PCK file with the first preset private key to obtain the P12 digital envelope, where the P12 digital envelope includes at least the management digital certificate and at least one type of ordinary digital certificate;
Step S504: extract the various digital certificates from the P12 digital envelope and save them.
In some embodiments, the system can send the certificate issuance request over a communication channel established with the security center, for example by email or over a communication link between the system and the security center that is dedicated to sending certificate issuance requests.
In some embodiments, after receiving the certificate issuance request from the system, the security center determines from the request which types of digital certificate need to be issued, packages the digital certificates into a P12 digital envelope, and encrypts the P12 digital envelope to obtain the PCK file. It then delivers the PCK file to the system by email, over a communication link with the system that is dedicated to delivering PCK files, or by similar means. The digital certificates include at least a management digital certificate and ordinary digital certificates.
In some embodiments, a USB dongle storing the first preset private key is preconfigured in the system, and after the PCK file is received it is decrypted with the first preset private key to obtain the P12 digital envelope. It can be understood that two situations must be prevented while the P12 digital envelope is being delivered: the digital certificates being leaked because an attacker hijacks the data packets, and an attacker intercepting the certificate issuance request and returning forged digital certificates, which would let the attacker authorize with forged digital certificates prepared in advance. To prevent them, the security center encrypts the P12 digital envelope with a preset public key to generate the PCK file, and the system is preconfigured with the first preset private key corresponding to the security center's preset public key. When the system receives the PCK file, it decrypts the file with the first preset private key, restoring the P12 digital envelope and obtaining the digital certificates in it. Specifically, the first preset public key and the first preset private key can be generated with the RSA algorithm or the RSA2 algorithm. With this asymmetric scheme, in which the security center encrypts with the public key and the system decrypts with the private key, a hijacker who intercepts the delivery does not hold the corresponding first preset private key and cannot decrypt the PCK file to obtain the digital certificates, which ensures security during certificate delivery.
In the embodiments of the present application, the system reports a certificate issuance request to the security center and receives the PCK file that the security center returns in response. In this process, the security center packages the digital certificates into a P12 digital envelope, encrypts the P12 digital envelope with the first preset public key to generate the PCK file, and delivers it to the system. After receiving the PCK file, the system decrypts it with the first preset private key, which is preconfigured in the system and corresponds to the first preset public key. Because of this asymmetric encryption, even if the delivery from the security center to the system is hijacked, the digital certificates are not leaked, which ensures security during certificate delivery.
In some embodiments, a third-party organization is introduced as the security center and provides the CA certification service (electronic certification service: the activity of providing authenticity and reliability verification to the parties involved in electronic signatures). The CA private key is obtained in this way and is used to issue the various digital certificates, which are then stored locally in the system. When digital certificates are issued later, there is no need to request the CA certification service from the third-party organization again. It is only necessary to package the digital certificates and digital signatures into authorization files and deliver them to the terminals. This achieves one deployment and repeated use, reduces cost, and greatly improves the flexibility of authorization.
It can be understood that, in some embodiments, a preset decryption module can be preconfigured in the system. The preset decryption module stores at least one of the first preset public key and the first preset private key: the first preset private key is used to decrypt the PCK file and restore it to the P12 digital envelope, and the first preset public key is used to verify digital signatures. With a preset decryption module storing the first preset private key and the first preset public key preconfigured in the system, certificate issuance proceeds as follows: the security center packages the issued digital certificates into a P12 digital envelope and encrypts the envelope with the public key to obtain the PCK file, and the system, on receiving the PCK file, decrypts it with the first preset private key to restore the P12 digital envelope. Even if the PCK file is intercepted by a network attacker in transit, the attacker does not hold the first preset private key and cannot decrypt the PCK file into the P12 envelope, so encrypting with the public key and decrypting with the private key secures certificate issuance. During authorization verification, the operation request reported by a terminal carries its corresponding digital signature. Using asymmetric cryptography, the terminal signs the operation request with the first preset private key when uploading it, and the system verifies the signature with the first preset public key. Because a network attacker does not hold the first preset private key, the attacker cannot sign a forged request message with it. This effectively prevents network attackers from forging operation requests and secures the requests that terminals report.
In some embodiments, referring to FIG. 2, the digital certificates also include an audit digital certificate, which corresponds to the operation permission to view system log information. With the audit digital certificate, an external management terminal can be set up to audit the system, which builds a more complete chain of trust.
In some embodiments, a digital certificate includes at least a subject field or an extension field, and the type of the digital certificate is determined from the subject field or from the extension field.
Referring to FIG. 6, the following is one embodiment of the authorization method of the embodiments of the present application. Taking a public large-screen display management system as an example, the business requirement is that the public screens may only play material that has been reviewed and approved. Based on this requirement, four business terminal roles can be set up: upload terminal, review terminal, management terminal and audit terminal.
First, a decryption USB dongle storing a public/private key pair is configured in the system and in the security center respectively (a USB dongle here is a hardware cryptographic module with a USB interface; it holds a public/private key pair and can encrypt, decrypt, sign and verify data), and an issuing USB dongle storing the CA private key is configured in the security center. It can be understood that this configuration is needed only for the first authorization; once the issuing USB dongle and the decryption USB dongle have been configured, they can be reused many times.
The system sends the security center a certificate issuance request for four types of digital certificate: audit, review, management and upload. Of these, the review and upload digital certificates are both ordinary digital certificates. After receiving the request, the security center issues the digital certificates with the CA private key, packages them into a P12 digital envelope, encrypts the P12 digital envelope with the first preset public key stored in the decryption USB dongle to generate the PCK file, and delivers the PCK file to the system. After receiving the PCK file, the system decrypts it with the first preset private key stored in the USB dongle, restores the P12 digital envelope, and saves it locally. The holder of the management digital certificate, that is, the management terminal, distributes each digital certificate to the corresponding business terminal, which completes certificate distribution. It can be understood that this embodiment takes as its example the first use of the system for authorization, when a certificate issuance request must be sent to the security center.
After receiving the digital certificates issued by the security center, the system uses the management digital certificate to issue authorization files to the review terminal and the upload terminal: an authorization file granting permission to upload material is issued to the upload terminal, and an authorization file granting permission to review material is issued to the review terminal. After the upload terminal uploads business material, the review terminal reviews it. Once the material passes review, the review terminal digitally signs the material data with the private key corresponding to its digital certificate, packages the reviewed business material and the first ordinary digital certificate corresponding to the review terminal into an operation request message, and submits it to the system. On receiving the material, the system first verifies the legitimacy of the management terminal's digital certificate against the CA root certificate, then verifies the legitimacy of the review terminal's digital certificate according to the authorization file, and finally verifies the business material against the digital signature corresponding to the review terminal's digital certificate. If all of these verifications pass, the management terminal is certified by the CA certificate, the review terminal is certified by the management terminal, and the material has been approved by the review terminal and can be played. This builds a complete chain of trust. When the identity of the review terminal changes, it is only necessary to use the management digital certificate to reissue to the review terminal an authorization file composed of other types of ordinary digital certificate. This improves the flexibility of re-authorization when permissions change while keeping the chain of trust secure and reliable.
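The verification order of this embodiment (CA root, then management certificate, then authorization file, then the review terminal's signature over the material), built on the digest comparison of steps S401 to S403, is shown below as an added example that is not code from the patent. The field names, the JSON layout of the authorization file, the sample data and the unpadded toy RSA keys built from publicly known Mersenne primes are all assumptions made for illustration.

```python
import hashlib
import json

E = 65537  # public exponent used by every toy key below


def toy_keypair(a, b):
    """Constructed demo key: RSA modulus from two public Mersenne primes (insecure)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(key, data):
    # Unpadded "digest, then private-key operation", mirroring the description.
    # Production code should use a padded scheme (e.g. RSA-PSS) from a vetted library.
    return pow(digest(data), key["d"], key["n"])


def verify(n, data, signature):
    first = digest(data)            # S401: digest computed locally
    second = pow(signature, E, n)   # S402: digest recovered with the public key
    return first == second          # S403: accept only if the two digests match


def encode(obj):
    return json.dumps(obj, sort_keys=True).encode()


def make_cert(cert_type, subject, key):
    return {"type": cert_type, "subject": subject, "n": hex(key["n"])}


def check_request(ca_n, req):
    """Walk the chain: CA -> management cert -> authorization file -> material."""
    auth = req["authorization"]
    mgmt = auth["management_cert"]
    if mgmt["type"] != "management" or not verify(ca_n, encode(mgmt), auth["management_sig"]):
        return False, "management certificate not issued by the CA"
    grant = auth["grant"]
    if not verify(int(mgmt["n"], 16), encode(grant), auth["grant_sig"]):
        return False, "authorization file not signed by the management certificate"
    if req["cert"] != grant["cert"]:
        return False, "certificate not covered by the authorization file"
    if req["operation"] not in grant["permissions"]:
        return False, "operation outside the granted permissions"
    if not verify(int(req["cert"]["n"], 16), req["material"], req["signature"]):
        return False, "material signature invalid"
    return True, "ok"


# Constructed sample keys; every name and value here is hypothetical.
CA_KEY = toy_keypair(521, 607)
MGMT_KEY = toy_keypair(1279, 2203)
REVIEW_KEY = toy_keypair(2281, 3217)


def build_request(material=b"clip-001 approved", operation="review",
                  mgmt_key=MGMT_KEY, mgmt_signer=CA_KEY):
    """Assemble the operation request a review terminal would submit."""
    mgmt_cert = make_cert("management", "mgmt-terminal", mgmt_key)
    review_cert = make_cert("ordinary", "review-terminal", REVIEW_KEY)
    grant = {"cert": review_cert, "permissions": ["review"]}
    return {
        "operation": operation,
        "material": material,
        "cert": review_cert,
        "signature": sign(REVIEW_KEY, material),
        "authorization": {
            "management_cert": mgmt_cert,
            "management_sig": sign(mgmt_signer, encode(mgmt_cert)),
            "grant": grant,
            "grant_sig": sign(mgmt_key, encode(grant)),
        },
    }


if __name__ == "__main__":
    print(check_request(CA_KEY["n"], build_request()))
```

Each rejection reason corresponds to one link of the trust chain, so a system log built on it shows which link failed rather than a generic denial.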
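The embodiments of the present application also disclose an electronic device 700.
Specifically, the electronic device 700 includes a memory 710 and one or more processors 720; FIG. 7 takes one processor 720 and the memory 710 as an example. The processor 720 and the memory 710 may be connected through a bus 730 or in other ways; FIG. 7 takes connection through a bus as an example.
As a non-transitory computer-readable storage medium, the memory 710 can be used to store non-transitory software programs and non-transitory computer-executable programs, such as the authorization method in the above embodiments of the present application. The processor 720 implements the authorization method in the above embodiments of the present application by running the non-transitory software programs and programs stored in the memory 710, for example by executing steps S101 to S106 in FIG. 1, steps S301 to S302 in FIG. 3, steps S401 to S403 in FIG. 4, and steps S501 to S504 in FIG. 5.
The memory 710 may include a program storage area and a data storage area. The program storage area can store an operating system and the application program required by at least one function; the data storage area can store the data required to execute the authorization method in the above embodiments of the present application. In addition, the memory 710 may include high-speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some implementations, the memory optionally includes memory located remotely from the processor, and such remote memory can be connected to the electronic device through a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The non-transitory software programs and programs required to implement the authorization method in the above embodiments of the present application are stored in the memory 710 and, when executed by one or more processors, perform the authorization method in the above embodiments of the present application.
In addition, the embodiments of the present application also provide a computer-readable storage medium storing a computer-executable program. The computer-executable program is executed by one or more control processors, for example to execute steps S101 to S106 in FIG. 1, steps S301 to S302 in FIG. 3, steps S401 to S403 in FIG. 4, and steps S501 to S504 in FIG. 5.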
The block diagrams shown in the drawings are merely functional entities and do not necessarily correspond to physically separate entities. That is, these functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The embodiments described here are intended to explain the technical solutions of the embodiments of the present application more clearly and do not limit those technical solutions. Those skilled in the art will appreciate that, as technology evolves and new application scenarios emerge, the technical solutions provided by the embodiments of the present application are equally applicable to similar technical problems.
Those skilled in the art will understand that the technical solutions shown in FIG. 1 to FIG. 7 do not limit the embodiments of the present application, which may include more or fewer components than shown, combine certain components, or use different components.
It should be understood that in this application "at least one (item)" means one or more, and "multiple" means two or more. "And/or" describes the relationship between associated objects and indicates that three relationships are possible; for example, "A and/or B" can mean: only A exists, only B exists, or both A and B exist, where A and B can be singular or plural. The character "/" generally indicates an "or" relationship between the objects before and after it. "At least one of the following" or similar expressions refers to any combination of the listed items, including any combination of single or plural items. For example, at least one of a, b or c can mean: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b and c can each be single or multiple.
The preferred embodiments of the present application have been described above with reference to the accompanying drawings, which does not limit the scope of rights of the embodiments of the present application. Any modification, equivalent replacement or improvement made by those skilled in the art without departing from the scope and essence of the embodiments of the present application shall fall within the scope of rights of the embodiments of the present application.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211508694.0A CN115801281A (en) | 2022-11-29 | 2022-11-29 | Authorization method, electronic device, and computer-readable storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115801281A true CN115801281A (en) | 2023-03-14 |
Family
ID=85442862
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115801281A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116915881A (en) * | 2023-07-03 | 2023-10-20 | 亚数信息科技(上海)有限公司 | A digital certificate statistical method, device, electronic equipment and medium |
| CN117354069A (en) * | 2023-12-06 | 2024-01-05 | 自然资源陕西省卫星应用技术中心 | A remote sensing data management system and method based on data lake |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101442404A (en) * | 2008-12-30 | 2009-05-27 | 北京中企开源信息技术有限公司 | Multilevel management system and method for license |
| CN102202307A (en) * | 2011-06-17 | 2011-09-28 | 刘明晶 | Mobile terminal identity authentication system and method based on digital certificate |
| JP2020014168A (en) * | 2018-07-20 | 2020-01-23 | Gmoグローバルサイン株式会社 | Electronic signature system, certificate issuing system, key management system, and electronic certificate issuing method |
| CN114567444A (en) * | 2022-02-24 | 2022-05-31 | 广东电网有限责任公司 | Digital signature verification method and device, computer equipment and storage medium |
| CN114598455A (en) * | 2020-12-04 | 2022-06-07 | 华为技术有限公司 | Method, apparatus, terminal entity and system for issuing digital certificate |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||