CN116915881B - Digital certificate statistical method, device, electronic equipment and medium - Google Patents
Digital certificate statistical method, device, electronic equipment and medium
Info
- Publication number
- CN116915881B (application No. CN202310806829.XA)
- Authority
- CN
- China
- Prior art keywords
- digital
- certificate
- software
- envelope
- counted
- Prior art date
- Legal status (as listed by Google Patents; an assumption, not a legal conclusion)
- Active
Classifications
- All entries fall under H: ELECTRICITY; H04: ELECTRIC COMMUNICATION TECHNIQUE; H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/22: Parsing or analysis of headers (H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass)
- H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (H04L67/00: Network arrangements or protocols for supporting network services or applications; H04L67/01: Protocols)
- H04L67/34: Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters
- H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials (H04L9/32), involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268: As H04L9/3263, using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
Embodiments of the present application disclose a digital certificate statistical method, device, electronic equipment and medium. The method performs data positioning identification on the software to be counted, downloads only the digital signature envelope data segment of that software, and parses the digital certificate information corresponding to the software from the digital signature envelope data segment. The application not only improves the efficiency of data analysis and saves bandwidth, but also efficiently counts the usage of software code-signing certificates on the Internet, providing support and a data foundation for CA organizations to adjust policies such as certificate issuance.
Description
Technical Field
The present application relates to the field of digital certificate statistics technologies, and in particular, to a digital certificate statistics method, device, electronic apparatus, and medium.
Background
A CA center, also called a certificate authority (CA), is the trusted third party in electronic commerce that is responsible for checking the validity of public keys in a public-key system. A CA can also provide key escrow services, backing up and managing customers' encryption key pairs at the customers' request. The CA issues each user a digital certificate that binds the user named in the certificate to the public key listed in it; the CA's digital signature on the certificate prevents an attacker from forging or tampering with it. In a SET (Secure Electronic Transaction) payment, the CA issues certificates not only to cardholders and merchants but also to acquiring banks and payment gateways. It generates, distributes and manages the digital certificates required by every party to an online transaction and is therefore the key element of secure electronic transactions.
In addition, the Internet software market carries a large number of programs submitted by companies or individuals for users to download. To adjust its policies, a CA needs to count whether the software on the market carries a digital signature, whether the signing certificate is valid, whether it is a soft certificate (key held in software) or a hard certificate (key held in a hardware token), and so on, which requires downloading the software one item at a time for analysis. Because the number of programs is large and individual files reach 2 GB and more, the whole process consumes a great deal of bandwidth and the analysis is very inefficient.
Disclosure of Invention
In view of the foregoing, the present specification is directed to providing a digital certificate statistics method, apparatus, electronic device, and medium that overcome, or at least partially solve, the foregoing problems.
Other features and advantages of the present disclosure will be apparent from the following detailed description, or may be learned in part by the practice of the disclosure.
In a first aspect, an embodiment of the present application provides a digital certificate statistics method that performs data location identification on the software to be counted, downloads only the digital signature envelope data segment of that software, and analyzes the digital certificate information corresponding to the software according to that data segment.
In some embodiments, performing data location identification on the software to be counted and downloading its digital signature envelope data segment comprises: determining the size of the PE file header data segment; writing a first character string into the HTTP header according to that size and sending a first download request that downloads only the PE file header data segment of the software; parsing the PE file header data segment to obtain the offset M of the digital envelope; and writing a second character string into the HTTP header according to the offset M and sending a second download request that downloads only the data segment of the software containing the digital envelope, which is the digital signature envelope data segment.
In some embodiments, analyzing the digital certificate information according to the digital signature envelope data segment comprises: loading the digital envelope data segment, decoding and parsing it to obtain a digital envelope, extracting from the unauthenticated attributes of the digital envelope the data whose object identifier equals a preset object identifier to obtain a multi-signature digital envelope, and counting the digital certificate information corresponding to the software according to the multi-signature digital envelope.
In some embodiments, the multi-signature digital envelope comprises a plurality of digital envelopes, and counting the digital certificate information according to it comprises extracting signer information from each of the digital envelopes and obtaining the digital certificate information from the signer information.
In some embodiments, the signer information includes, but is not limited to, organization name, digital certificate user, certificate expiration date, certificate issuer information.
In some embodiments, obtaining the digital certificate information from the signer information comprises: comparing the organization name with an existing order database to obtain an organization name comparison result, the comparison being desensitized by computing a SHA-256 hash of the organization name on both sides and cross-matching the hashes; extracting the digital certificate type and calculating the proportion of each type, where a certificate is judged to be EV if the subject contains a business category value and, when it is not EV, judged to be OV if the certificate policy values in the certificate extensions contain organization information; calculating the month-by-month distribution of certificate expiry from the validity period; and taking the O field of the issuer information for certificate brand analysis.
In some embodiments, the digital certificate information includes, but is not limited to, a certificate version, a serial number, a signature algorithm, an issuer, a validity period, a principal name, public key information, extension information, a signature.
In a second aspect, an embodiment of the application provides a digital certificate statistics device comprising a data identification module and a statistics module. The data identification module performs data positioning identification on the software to be counted and downloads its digital signature envelope data segment; the statistics module analyzes the digital certificate information corresponding to the software according to the digital signature envelope data segment.
In a third aspect, an embodiment of the present application provides an electronic device comprising a memory storing a plurality of instructions and a processor that loads the instructions from the memory to perform any of the steps of the digital certificate statistics method provided by the embodiments of the present application.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium storing a plurality of instructions adapted to be loaded by a processor to perform steps in any of the digital certificate statistics methods provided by the embodiments of the present application.
An embodiment of the application first performs data identification on the software to be counted to obtain a first data segment (the PE file header) of that software, loads the first data segment into memory and reads from it the location of the digital signature envelope data segment, downloads that segment, and then counts the digital certificate information corresponding to the software according to the digital signature envelope data segment.
Regardless of the size of the software, the invention downloads only the part of each file that contains the digital certificate, loads that small amount of data into memory, parses the digital envelope format and collects the certificate information. This allows the usage of code-signing certificates on the Internet to be counted efficiently and gives CA institutions a statistical basis for policy adjustments such as certificate issuance.
The invention therefore improves the efficiency of data analysis and saves bandwidth. Because only the part of the software containing the digital certificate is downloaded rather than the whole file, download time and bandwidth consumption are greatly reduced; because only that small part is loaded, the digital envelope format can be parsed and the certificate information collected quickly. The usage of code-signing certificates on the Internet can thus be counted efficiently, providing support and a data foundation for CA organizations to adjust policies such as certificate issuance.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic view of a scenario of a digital certificate statistics method provided by an embodiment of the present application;
fig. 2a is a schematic flow chart of a digital certificate statistics method according to an embodiment of the present application;
Fig. 2b is a schematic structural diagram of a PE file corresponding to software to be counted according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a digital certificate statistics device according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to fall within the scope of the application.
The embodiment of the application provides a digital certificate statistical method, a digital certificate statistical device, electronic equipment and a digital certificate statistical medium.
The digital certificate statistics device can be integrated in an electronic device, and the electronic device can be a terminal, a server and other devices. The terminal can be a mobile phone, a tablet personal computer, an intelligent Bluetooth device, a notebook computer, a personal computer (Personal Computer, PC) or other devices, and the server can be a single server or a server cluster formed by a plurality of servers.
In some embodiments, the digital certificate statistics apparatus may also be integrated in a plurality of electronic devices, for example, the digital certificate statistics apparatus may be integrated in a plurality of servers, and the digital certificate statistics method of the present application is implemented by the plurality of servers.
In some embodiments, the server may also be implemented in the form of a terminal.
For example, referring to fig. 1, the scenario of a digital certificate statistics method provided by an embodiment of the present application may include a server 100 and a storage terminal 110, where the server 100 and the storage terminal 110 are communicatively connected, which is not described further here.
The storage terminal 110 may store the software to be counted. The server 100 can perform data positioning identification on the software to be counted, download its digital signature envelope data segment, analyze the digital certificate information corresponding to the software according to that data segment, and so on.
The following will describe in detail. The numbers of the following examples are not intended to limit the preferred order of the examples.
In this embodiment, a digital certificate statistical method is provided, as shown in fig. 2a, and the specific flow of the digital certificate statistical method applied to a server may be as follows:
200. Perform data positioning identification on the software to be counted and download its digital signature envelope data segment.
In some embodiments, performing data positioning identification on the software to be counted and downloading its digital signature envelope data segment comprises: determining the size of the PE file header data segment; writing a first character string into the HTTP header according to that size and sending a first download request that downloads only the PE file header data segment of the software; parsing the PE file header data segment to obtain the offset M of the digital envelope; and writing a second character string into the HTTP header according to the offset M and sending a second download request that downloads only the data segment of the software containing the digital envelope, which is the digital signature envelope data segment.
In the embodiment of the present application, the HTTP header is the core part of an HTTP request and response, carrying information about the client, the requested resource, the server and so on; the Range request header in particular lets a client ask for a specific byte range of a resource instead of the whole file.
In the embodiment of the application, data positioning identification on the software to be counted to obtain its digital envelope data segment specifically comprises the following steps. First, determine the size of the PE file header data segment, for example 512 bytes. Then write a first character string into the HTTP header according to that size and send a first download request; for example, the first character string is "Range: bytes=0-511", so that only the PE file header data segment of the software is downloaded. Next, parse the PE file header data segment to obtain the offset M of the digital envelope. Finally, write a second character string into the HTTP header according to the offset M and send a second download request, for example with the second character string "Range: bytes= -M", so that only the data segment of the software containing the digital envelope is downloaded.
Two points matter in practice. In the PE format the offset and size of the certificate table come from the Security entry of the optional header's data directory, and that entry holds a raw file offset rather than a virtual address; the data directory sits after the DOS header at the position given by e_lfanew, so a fixed 512-byte first request can fall short when the DOS stub is large, and a second, longer header request is then needed before the offset can be read. Also, in HTTP range syntax a suffix range "bytes=-N" denotes the last N bytes of the resource, whereas "bytes=M-" denotes everything from offset M to the end; since the certificate table is normally appended at the end of a signed PE file either form reaches it, but the request must be built from the offset and size read from the header, and a server that answers 200 instead of 206 Partial Content has ignored the range and returned the whole file.
In some embodiments, the first data segment is loaded into memory and the digital signature envelope data segment is located from it. The digital signature envelope data segment is the data segment of the digital signature envelope produced when the software to be counted was code-signed, that is, when its data was digitally signed with a digital certificate; the location of this envelope is recorded in the first data segment.
In the embodiment of the application, when software is code-signed, its data is digitally signed with a digital certificate and the resulting digital signature envelope is embedded at an appropriate position in the file, typically appended after the last section. The digital signature data segment follows the PKCS#7 SignedData format, preceded in the file by a small WIN_CERTIFICATE header giving its length, revision and type, and internally contains the signing certificates as DER-encoded X.509 data.
In some embodiments, data identification of the software to be counted comprises obtaining the executable program corresponding to the software and identifying the PE file corresponding to the software from that executable program.
In an embodiment of the present application, the executable program includes, but is not limited to, .exe, .msi or .dll files. The .exe and .dll formats use the PE/COFF standard data format; note that an .msi package is an OLE compound document rather than a PE image and carries its Authenticode signature in a storage stream instead of a PE certificate table, so the header-based location described here applies to PE images.
In the embodiment of the application, the software to be counted comprises an executable program, which has the structure of an executable image file or an object file. These are called Portable Executable (PE) files and Common Object File Format (COFF) files respectively; the executable program uses the PE/COFF standard data format, the executable image following the PE format and the object file following the COFF format.
Specifically, as shown in fig. 2b, the PE file corresponding to the software to be counted has two parts. One part is the file headers, comprising the DOS header, the PE header (PE signature and COFF file header), the optional header, the section table and so on. The other part is the sections, comprising the code, the import table, data sections and so on.
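As an added, runnable illustration of step 200 and of the PE layout described above (example code, not code from the patent), the following Python builds a constructed minimal PE image, stands in for an HTTP server that honours Range, and performs the two-request fetch: it reads e_lfanew from the DOS header, selects the PE32 or PE32+ data-directory offset, reads the Security entry, and requests exactly that byte range. It also handles the case where the PE header lies beyond the first 512 bytes. All function names, the sample image and the in-memory server are assumptions made for the example; a real deployment would send the Range header through an HTTP client and check for a 206 response.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data-directory slot that describes the certificate table
HEADER_PROBE_SIZE = 512              # size of the first Range request, as in the description


class NeedMoreBytes(Exception):
    """The prefetched header slice ends before a field we need; .needed is the length to request."""
    def __init__(self, needed):
        super().__init__(needed)
        self.needed = needed


def locate_certificate_table(head):
    """Return (file_offset, size) of the certificate table from the PE headers in `head`.

    The Security entry is the one data-directory slot that stores a raw file
    offset instead of an RVA, which is what makes a second Range request possible
    without mapping sections. PE32 (magic 0x10b) and PE32+ (0x20b) keep the data
    directory at different offsets inside the optional header.
    """
    if len(head) < 0x40 or head[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    opt = e_lfanew + 4 + 20                         # skip 'PE\0\0' and the COFF file header
    if len(head) < opt + 2:
        raise NeedMoreBytes(opt + 2)
    if head[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    magic = struct.unpack_from("<H", head, opt)[0]
    dd_off = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)
    if dd_off is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if len(head) < entry + 8:
        raise NeedMoreBytes(entry + 8)
    if struct.unpack_from("<I", head, dd_off - 4)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return 0, 0                                 # NumberOfRvaAndSizes too small: no such entry
    return struct.unpack_from("<II", head, entry)   # (0, 0) means the file is unsigned


def range_header(offset, size):
    """Range value covering exactly the certificate table. 'bytes=-N' would mean the
    LAST N bytes of the file and only coincides with this when the table is the final
    N bytes, so the explicit offset form is used."""
    return "bytes=%d-%d" % (offset, offset + size - 1)


def fetch_certificate_table(fetch):
    """Two-step download. `fetch(range_value)` issues one GET carrying that Range
    header and returns the body, so the exchange on the wire is:
        GET /x.exe  Range: bytes=0-511          -> 206 Partial Content (PE headers)
        GET /x.exe  Range: bytes=M-(M+size-1)   -> 206 Partial Content (certificate table)
    Returns the WIN_CERTIFICATE table, or None when the file carries no signature."""
    head = fetch("bytes=0-%d" % (HEADER_PROBE_SIZE - 1))
    while True:
        try:
            offset, size = locate_certificate_table(head)
            break
        except NeedMoreBytes as e:                  # large DOS stub: widen the first request
            head = fetch("bytes=0-%d" % (e.needed - 1))
            if len(head) < e.needed:
                raise ValueError("server did not honour the Range header")
    if size == 0:
        return None
    table = fetch(range_header(offset, size))
    if len(table) != size:
        raise ValueError("server ignored the Range header or truncated the response")
    return table


def build_sample_pe(dos_stub_len=64, pe32plus=True, payload=b"\x30\x03\x02\x01\x05"):
    """Constructed minimal PE image (not a real program): DOS header, stub, PE
    signature, COFF header, optional header with 16 data directories, a filler body
    and an appended WIN_CERTIFICATE (revision 0x0200, type 0x0002 = PKCS#7
    SignedData) whose bCertificate is `payload`."""
    magic, dd_off = (0x20B, 112) if pe32plus else (0x10B, 96)
    opt_size = dd_off + 16 * 8
    e_lfanew = 0x40 + dos_stub_len
    body = b"\x90" * 256
    cert_off = e_lfanew + 4 + 20 + opt_size + len(body)
    padded = payload + b"\0" * (-len(payload) % 8)
    wincert = struct.pack("<IHH", 8 + len(padded), 0x0200, 0x0002) + padded
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dd_off - 4, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(wincert))
    return bytes(dos) + b"\0" * dos_stub_len + b"PE\0\0" + coff + bytes(opt) + body + wincert


def make_range_server(data):
    """Constructed stand-in for an HTTP server that honours 'Range: bytes=a-b'."""
    def fetch(range_value):
        first, last = range_value[len("bytes="):].split("-")
        end = int(last) if last else len(data) - 1
        return data[int(first):end + 1]
    return fetch


if __name__ == "__main__":
    image = build_sample_pe()
    table = fetch_certificate_table(make_range_server(image))
    print("fetched %d of %d bytes; PKCS#7 payload: %s" % (len(table), len(image), table[8:13].hex()))
```

The header probe is deliberately re-issued rather than guessed at a fixed larger size: the loop asks for exactly the number of bytes the parser found missing, so the bandwidth saving the description aims for is preserved even for binaries with an unusual DOS stub.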
210. And analyzing the digital certificate information corresponding to the software to be counted according to the digital signature envelope data segment.
In the embodiment of the application, the digital certificate information is the digital certificate obtained from the digital signature envelope, which contains information such as the signer's company name and address.
In particular, the digital certificate information includes, but is not limited to, a certificate version, a serial number, a signature algorithm, an issuer, a validity period, a subject name, public key information, extension information, a signature, and the like.
In the embodiment of the application, the version is the version of the certificate format standard; the digital certificates in this embodiment use the X.509 format. The serial number is a positive integer assigned to the certificate by the issuer; certificates issued by the same issuer have different serial numbers, so the serial number together with the issuer name uniquely identifies a certificate. The signature algorithm is the algorithm used by the issuer to sign the certificate. The issuer is the name of the entity that issued the certificate, which must match the subject name in the issuer's own certificate; it is usually the name of the CA. The validity period comprises a start date and an end date, and a certificate outside this range is invalid. The subject name is the name of the certificate owner; if it is the same as the issuer, the certificate is self-signed. The public key information is the user's public key and public key algorithm. The extension information comprises optional fields such as certificate usage and the CRL distribution point. The signature is the issuer's signature over the certificate contents with its private key.
In some embodiments, analyzing the digital certificate information according to the digital signature envelope data segment comprises: loading the digital envelope data segment, decoding and parsing it to obtain a digital envelope, extracting from the unauthenticated attributes of the digital envelope the data whose object identifier equals a preset object identifier to obtain a multi-signature digital envelope, and counting the digital certificate information corresponding to the software according to the multi-signature digital envelope.
The digital envelope data segment is analyzed as follows: load the data, decode and parse it to obtain a digital envelope, then extract from the unauthenticated attributes of the envelope's signer information the data whose object identifier equals the preset object identifier, for example the attribute with OID 1.3.6.1.4.1.311.2.4.1 (the Microsoft nested-signature attribute), whose value is itself a complete signed envelope. This yields a dual-signature digital envelope (software is commonly dual-signed, for example with a SHA-1 and a SHA-256 signature, so that it verifies on older and newer operating systems alike) or even a multiple-signature envelope, since the nested-signature attribute may carry more than one signed envelope.
In some embodiments, the multi-signature digital envelope comprises a plurality of digital envelopes, and counting the digital certificate information according to it comprises extracting signer information from each of the digital envelopes and obtaining the digital certificate information from the signer information.
In the embodiment of the application, the signer information is extracted from each of the digital envelopes to obtain the signing certificate, and the detailed digital certificate information is obtained by parsing that certificate.
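The decoding step described above, as an added example that is not part of the patent: a standard-library-only DER walker that strips the WIN_CERTIFICATE header, descends into the PKCS#7 SignedData, collects the certificates of the outer envelope, and follows every OID 1.3.6.1.4.1.311.2.4.1 attribute in the signer's unauthenticated attributes to the nested envelopes, returning one certificate list per envelope. The sample SignedData is constructed here with placeholder certificates (a SEQUENCE holding a label, not real X.509 data) so that the block runs offline; the helper names and the labels are assumptions for the example.

```python
import struct

SIGNED_DATA_OID = "1.2.840.113549.1.7.2"   # PKCS#7 signedData
NESTED_SIG_OID = "1.3.6.1.4.1.311.2.4.1"  # szOID_NESTED_SIGNATURE (Microsoft)
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def der_read(buf, pos):
    """Decode one DER TLV header at buf[pos]; return (tag, value_start, value_end)."""
    tag, p = buf[pos], pos + 1
    n, p = buf[p], p + 1
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, p = int.from_bytes(buf[p:p + k], "big"), p + k
    return tag, p, p + n


def der_children(buf, start, end):
    """Iterate (tag, tlv_start, value_start, tlv_end) over the elements of a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, nxt = der_read(buf, pos)
        yield tag, pos, vstart, nxt
        pos = nxt


def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def oid_encode(dotted):
    parts = [int(x) for x in dotted.split(".")]
    body = [parts[0] * 40 + parts[1]]
    for v in parts[2:]:                            # base-128 with continuation bits
        chunk = [v & 0x7F]
        while v >> 7:
            v >>= 7
            chunk.append(0x80 | (v & 0x7F))
        body += reversed(chunk)
    return der_encode(0x06, bytes(body))


def iter_win_certificates(table):
    """Split the certificate table into WIN_CERTIFICATE entries (8-byte aligned) and
    yield the bCertificate payload of every PKCS#7 entry."""
    pos = 0
    while pos + 8 <= len(table):
        length, _rev, ctype = struct.unpack_from("<IHH", table, pos)
        if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            yield table[pos + 8:pos + length]
        pos += (length + 7) & ~7


def parse_content_info(buf, pos=0):
    """Return the envelopes rooted at the ContentInfo at buf[pos], outer first; each
    envelope is the list of DER certificates it carries. Nested signatures (attribute
    type szOID_NESTED_SIGNATURE inside unauthenticatedAttributes) are followed, which
    is what turns one blob into a multi-signature list."""
    _, ci_v, ci_end = der_read(buf, pos)
    ctype, content = list(der_children(buf, ci_v, ci_end))[:2]
    if buf[ctype[1]:ctype[3]] != oid_encode(SIGNED_DATA_OID):
        raise ValueError("not a PKCS#7 signedData ContentInfo")
    _, sd_v, sd_end = der_read(buf, content[2])    # [0] EXPLICIT wraps the SignedData SEQUENCE
    kids = list(der_children(buf, sd_v, sd_end))
    certs, nested = [], []
    for tag, _, v, end in kids:
        if tag == 0xA0:                            # certificates [0] IMPLICIT SET OF Certificate
            certs = [buf[s:e] for _, s, _, e in der_children(buf, v, end)]
    _, _, si_set_v, si_set_e = kids[-1]            # signerInfos is always the last element
    for _, _, si_v, si_e in der_children(buf, si_set_v, si_set_e):
        for tag, _, ua_v, ua_e in der_children(buf, si_v, si_e):
            if tag != 0xA1:                        # unauthenticatedAttributes [1] IMPLICIT
                continue
            for _, _, at_v, at_e in der_children(buf, ua_v, ua_e):
                atype, values = list(der_children(buf, at_v, at_e))[:2]
                if buf[atype[1]:atype[3]] == oid_encode(NESTED_SIG_OID):
                    nested += [s for _, s, _, _ in der_children(buf, values[2], values[3])]
    envelopes = [certs]
    for off in nested:
        envelopes += parse_content_info(buf, off)
    return envelopes


def build_sample_signed_data(cert_labels, nested=None):
    """Constructed test vector, NOT a real Authenticode signature: a SignedData skeleton
    with placeholder 'certificates' (SEQUENCE{PrintableString label}) and one SignerInfo
    that optionally nests another ContentInfo in its unauthenticated attributes."""
    seq = lambda *p: der_encode(0x30, b"".join(p))
    set_ = lambda *p: der_encode(0x31, b"".join(p))
    certs = b"".join(seq(der_encode(0x13, lbl.encode())) for lbl in cert_labels)
    signer = [der_encode(0x02, b"\x01"), seq(), seq(), seq(), der_encode(0x04, b"\x00")]
    if nested is not None:
        signer.append(der_encode(0xA1, seq(oid_encode(NESTED_SIG_OID), set_(nested))))
    signed = seq(der_encode(0x02, b"\x01"), set_(), seq(), der_encode(0xA0, certs), set_(seq(*signer)))
    return seq(oid_encode(SIGNED_DATA_OID), der_encode(0xA0, signed))


def wrap_win_certificate(payload):
    """Prefix a PKCS#7 blob with the WIN_CERTIFICATE header and pad to 8 bytes."""
    return struct.pack("<IHH", 8 + len(payload), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload + b"\0" * (-len(payload) % 8)


def envelopes_from_table(table):
    """All envelopes in a certificate table: outer signature first, then nested ones."""
    out = []
    for blob in iter_win_certificates(table):
        out += parse_content_info(blob)
    return out


if __name__ == "__main__":
    inner = build_sample_signed_data(["inner-sha256-cert"])
    outer = build_sample_signed_data(["outer-sha1-cert", "outer-sha1-issuer"], nested=inner)
    for i, env in enumerate(envelopes_from_table(wrap_win_certificate(outer))):
        print("envelope %d: %d certificate(s)" % (i, len(env)))
```

On real input each returned element is a complete DER X.509 certificate, ready to be handed to an X.509 parser for the subject, issuer, validity and extension fields that the statistics step needs; the walker deliberately does not verify any signature, since the aim here is counting, not trust.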
In some embodiments, obtaining the digital certificate information from the signer information, which includes but is not limited to the organization name, the certificate subject, the certificate validity period and the issuer information, comprises: comparing the organization name with an existing order database to obtain a comparison result, where the comparison is desensitized by hashing the organization name with SHA-256 on both sides and cross-matching the hashes (a plain hash of a public company name can still be matched against a dictionary of known names, so the hashed lists should themselves be treated as sensitive); extracting the digital certificate type and calculating the proportion of each type, a certificate being judged EV if the subject contains a business category value and, when it is not EV, judged OV if the certificate policy values in the certificate extensions contain organization information; calculating the month-by-month distribution of certificate expiry from the validity period; and taking the O field of the issuer information for certificate brand analysis.
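The classification and aggregation described above, as an added example that is not the patent's code, run over a constructed set of signer records. The record shape, the field names and the invented organisation and CA names are assumptions; the OV test here uses the presence of an organization (O) attribute in the subject, and the optional check for the CA/Browser Forum EV code-signing policy OID is an addition beyond what the description states. The desensitization helper keeps the plain SHA-256 of the description but switches to a keyed HMAC when a key shared with the order database is supplied, which is the form that resists dictionary matching.

```python
import hashlib
import hmac
from collections import Counter
from datetime import datetime, timezone

# Constructed signer records in the shape the certificate-parsing step would produce
# (subject and issuer as attribute dicts, notAfter as ISO-8601 UTC). All names invented.
SIGNERS = [
    {"subject": {"CN": "Example Widgets Ltd", "O": "Example Widgets Ltd",
                 "businessCategory": "Private Organization"},
     "issuer": {"CN": "ExampleCA EV Code Signing CA", "O": "ExampleCA"},
     "not_after": "2025-03-14T23:59:59Z"},
    {"subject": {"CN": "Sample Tools Inc", "O": "Sample Tools Inc"},
     "issuer": {"CN": "ExampleCA Code Signing CA", "O": "ExampleCA"},
     "not_after": "2025-03-02T00:00:00Z"},
    {"subject": {"CN": "Jane Developer"},
     "issuer": {"CN": "OtherTrust CS CA", "O": "OtherTrust"},
     "not_after": "2024-11-30T12:00:00Z"},
]

EV_CODE_SIGNING_POLICY = "2.23.140.1.3"   # CA/Browser Forum EV code-signing policy OID


def certificate_type(subject, policies=()):
    """EV if the subject carries a businessCategory (the test in the description) or
    the EV policy OID is asserted; otherwise OV when an organization (O) is present
    (assumption made for this example); otherwise an individual/other certificate."""
    if "businessCategory" in subject or EV_CODE_SIGNING_POLICY in policies:
        return "EV"
    if subject.get("O"):
        return "OV"
    return "IV"


def digest_org_name(name, key=b""):
    """Desensitize an organization name for cross-matching. Without a key this is the
    plain SHA-256 of the description; with a key it is HMAC-SHA256, so a party holding
    only the digests cannot recover names by hashing a list of known companies."""
    norm = " ".join(name.split()).casefold().encode()
    if key:
        return hmac.new(key, norm, hashlib.sha256).hexdigest()
    return hashlib.sha256(norm).hexdigest()


def cross_match(signers, order_db_names, key=b""):
    """Count signers whose organization matches an existing order, comparing digests
    only so that neither side needs the other's cleartext list."""
    known = {digest_org_name(n, key) for n in order_db_names}
    matched = sum(1 for s in signers
                  if s["subject"].get("O") and digest_org_name(s["subject"]["O"], key) in known)
    return {"matched": matched, "unmatched": len(signers) - matched}


def type_ratios(signers):
    """Share of each certificate type among the counted signers."""
    counts = Counter(certificate_type(s["subject"], s.get("policies", ())) for s in signers)
    return {t: n / len(signers) for t, n in counts.items()}


def expiry_by_month(signers):
    """Month-by-month distribution of certificate expiry (notAfter), in UTC."""
    months = Counter()
    for s in signers:
        ts = datetime.fromisoformat(s["not_after"].replace("Z", "+00:00")).astimezone(timezone.utc)
        months[ts.strftime("%Y-%m")] += 1
    return dict(months)


def brand_distribution(signers):
    """Issuer O field taken as the CA brand, as in the description."""
    return dict(Counter(s["issuer"].get("O", "?") for s in signers))


if __name__ == "__main__":
    print(type_ratios(SIGNERS))
    print(expiry_by_month(SIGNERS))
    print(brand_distribution(SIGNERS))
    print(cross_match(SIGNERS, ["Example Widgets Ltd", "Nobody Corp"], key=b"shared-secret"))
```

The name normalisation (collapsed whitespace, case folding) is applied before hashing on both sides; without it, the order database and the certificate subject would disagree on trivial spelling differences and the match rate would be understated.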
The embodiment of the application performs data positioning identification on the software to be counted, downloads its digital signature envelope data segment, and analyzes the digital certificate information corresponding to the software according to that data segment.
In order to better implement the method, the embodiment of the application also provides a digital certificate statistical device which can be integrated in electronic equipment, wherein the electronic equipment can be a terminal, a server and the like. The terminal can be a mobile phone, a tablet personal computer, an intelligent Bluetooth device, a notebook computer, a personal computer and other devices, and the server can be a single server or a server cluster consisting of a plurality of servers.
For example, in the present embodiment, a method according to an embodiment of the present application will be described in detail by taking a specific integration of a digital certificate counting apparatus in an electronic device as an example.
For example, as shown in FIG. 3, the digital certificate statistics apparatus may include a data identification module 300 and a statistics module 310. The data identification module 300 is configured to perform data positioning identification on the software to be counted and download its digital signature envelope data segment, and the statistics module 310 is configured to analyze the digital certificate information corresponding to the software according to the digital signature envelope data segment.
In some embodiments, the data identification module 300 comprises a data identification sub-module configured to determine a size of a PE file header data segment, write a first character string at HTTP HEADER according to the PE file header data segment size to send a first download request, download only the PE file header data segment to obtain the software to be counted, perform data analysis on the PE file header data segment, obtain an offset M of the digital envelope from the PE file header data segment, write a second character string at HTTP HEADER according to the offset M of the digital envelope to send a second download request, and download only the data segment containing the digital envelope in the software to be counted to obtain the digitally signed envelope data segment of the software to be counted.
In some embodiments, the statistics module 310 includes an analysis module configured to load the digital envelope data segment, decode and parse it to obtain a digital envelope, extract from the unverified attribute segment of the digital envelope the data whose object identifier is a preset object identifier, so as to obtain a multi-signature digital envelope, and count the digital certificate information corresponding to the software to be counted according to the multi-signature digital envelope.
In some embodiments, the multi-signature digital envelope comprises a plurality of digital envelopes, and the analysis module comprises an extraction module configured to extract signer information from the plurality of digital envelopes and to derive the digital certificate information from the signer information.
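The envelope walk described in the two paragraphs above, as an added example (not the patent's own code): a minimal DER reader unwraps the PKCS#7 SignedData, reads the unsigned attributes of each SignerInfo and follows the ones whose OID is the preset identifier, returning the multi-signature envelope as a flat list from which per-envelope facts such as the certificate count can be read. Treating the preset OID as Microsoft's szOID_NESTED_SIGNATURE, and the constructed test vector with placeholder certificates, are my assumptions.

```python
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
OID_PKCS7_DATA = "1.2.840.113549.1.7.1"
# Assumption: the patent's "preset object identifier" is Microsoft's szOID_NESTED_SIGNATURE,
# the unsigned attribute under which Authenticode stores additional signatures.
OID_NESTED_SIGNATURE = "1.3.6.1.4.1.311.2.4.1"


def read_tlv(buf: bytes, pos: int):
    """Decode one DER element at pos; return (tag, value, raw_element, next_pos)."""
    tag, length, head = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, head = int.from_bytes(buf[head:head + n], "big"), head + n
    end = head + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[head:end], buf[pos:end], end

def children(body: bytes):
    """Yield (tag, value, raw) for every element inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, value, raw, pos = read_tlv(body, pos)
        yield tag, value, raw

def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signed_data_fields(content_info: bytes) -> list:
    """Unwrap ContentInfo -> [0] EXPLICIT SignedData and return SignedData's children."""
    tag, body, _, _ = read_tlv(content_info, 0)
    kids = list(children(body))
    if tag != 0x30 or kids[0][0] != 0x06 or decode_oid(kids[0][1]) != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 SignedData ContentInfo")
    _, signed_data, _, _ = read_tlv(kids[1][1], 0)
    return list(children(signed_data))

def certificate_count(fields: list) -> int:
    """Number of certificates in the optional [0] IMPLICIT certificates set."""
    return sum(len(list(children(v))) for t, v, _ in fields if t == 0xA0)

def nested_envelopes(fields: list) -> list:
    """ContentInfo blobs stored under the nested-signature OID in unsignedAttrs ([1])."""
    found = []
    signer_infos = [v for t, v, _ in fields if t == 0x31][-1]      # last SET = signerInfos
    for _, signer_info, _ in children(signer_infos):
        for tag, unsigned_attrs, _ in children(signer_info):
            if tag != 0xA1:
                continue
            for _, attr, _ in children(unsigned_attrs):
                (_, oid, _), (_, values, _) = list(children(attr))[:2]
                if decode_oid(oid) == OID_NESTED_SIGNATURE:
                    found += [raw for _, _, raw in children(values)]
    return found

def flatten_multi_signature(content_info: bytes) -> list:
    """The multi-signature envelope as a flat list: outer envelope first, then each nested one."""
    result = [content_info]
    for nested in nested_envelopes(signed_data_fields(content_info)):
        result += flatten_multi_signature(nested)
    return result

# --- Constructed test vector: structurally valid SignedData with placeholder certificates ---
def tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return tlv(0x06, bytes(out))

def build_envelope(cert_count: int, nested: bytes = b"") -> bytes:
    certs = b"".join(tlv(0x30, tlv(0x02, bytes([i + 1]))) for i in range(cert_count))
    unsigned = tlv(0xA1, tlv(0x30, encode_oid(OID_NESTED_SIGNATURE) + tlv(0x31, nested))) if nested else b""
    signer_info = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x30, b"") * 3 + tlv(0x04, b"\x00") + unsigned)
    signed_data = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, encode_oid(OID_PKCS7_DATA))
                      + tlv(0xA0, certs) + tlv(0x31, signer_info))
    return tlv(0x30, encode_oid(OID_SIGNED_DATA) + tlv(0xA0, signed_data))
```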
In some embodiments, the signer information comprises, but is not limited to, the organization name, the digital certificate user, the certificate validity period and the certificate issuer information, and the extraction module comprises an extraction sub-module configured as follows. It compares the organization name with an existing order database to obtain an organization name comparison result; the comparison is desensitized by computing a SHA256 hash of the organization name and then cross-matching the hashes. It extracts the digital certificate type and calculates the proportion of each type: whether a certificate is of the EV type is judged according to whether the digital certificate user contains commercial type values, and, when the digital certificate type is the EV type, whether it is of the OV type is judged according to whether the certificate policy values in the certificate extension attributes contain organization information. It calculates the monthly distribution of certificate expiration times from the certificate validity period. It obtains the O field from the certificate issuer information for brand analysis.
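An added example (mine, not the patent's) of the statistics step above on constructed signer records: organization names are cross-matched against an order database by SHA-256 digest, each certificate is classified EV/OV/other, expiry dates are bucketed by month and the issuer O field is tallied by brand. Reading the "commercial type value" as the businessCategory subject attribute, the "policy value containing organization information" as the CA/Browser Forum OV code-signing OID, and applying the OV test when the EV test fails, are my interpretations.

```python
import hashlib
from collections import Counter
from datetime import datetime

# Assumptions about the page's terms (mine, not the patent's): the "commercial type value" is the
# businessCategory subject attribute that EV certificates carry, and the "certificate policy value
# containing organization information" is the CA/Browser Forum OV code-signing policy OID.
OID_BUSINESS_CATEGORY = "2.5.4.15"
OID_CABF_OV_CODE_SIGNING = "2.23.140.1.4.1"

# Constructed signer records, shaped like what an extractor pulls from each signer certificate.
SIGNERS = [
    {"subject": {"O": "Contoso Ltd", OID_BUSINESS_CATEGORY: "Private Organization"},
     "policies": ["2.23.140.1.3"], "not_after": "2025-03-14T12:00:00Z",
     "issuer": {"O": "Example CA One", "CN": "Example CA One EV Code Signing"}},
    {"subject": {"O": "Fabrikam Inc"}, "policies": [OID_CABF_OV_CODE_SIGNING],
     "not_after": "2025-03-02T00:00:00Z",
     "issuer": {"O": "Example CA Two", "CN": "Example CA Two Code Signing"}},
    {"subject": {"O": "Northwind Traders"}, "policies": [OID_CABF_OV_CODE_SIGNING],
     "not_after": "2024-11-30T00:00:00Z",
     "issuer": {"O": "Example CA One", "CN": "Example CA One Code Signing"}},
    {"subject": {"CN": "Individual Developer"}, "policies": [],
     "not_after": "2026-01-01T00:00:00Z",
     "issuer": {"O": "Example CA Two", "CN": "Example CA Two Code Signing"}},
]


def org_digest(name: str) -> str:
    """Desensitized organization name: SHA-256 over the whitespace- and case-normalized string."""
    normalized = " ".join(name.lower().split())
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


# Constructed order database: it stores only digests, never the plaintext organization names.
ORDER_DATABASE = {org_digest("Contoso Ltd"), org_digest("Northwind Traders")}


def cert_type(signer: dict) -> str:
    """EV if the subject carries businessCategory; otherwise OV if the OV policy OID is asserted."""
    if OID_BUSINESS_CATEGORY in signer["subject"]:
        return "EV"
    if OID_CABF_OV_CODE_SIGNING in signer["policies"]:
        return "OV"
    return "other"


def expiry_month(signer: dict) -> str:
    """Bucket key (YYYY-MM) for the certificate's notAfter date."""
    return datetime.strptime(signer["not_after"], "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m")


def summarize(signers: list, order_db: set) -> dict:
    """Cross-match organizations by digest, then compute the type ratios, expiry
    month distribution and issuer O-field (brand) tally."""
    total = len(signers)
    type_counts = Counter(cert_type(s) for s in signers)
    return {
        "matched_orders": sum(org_digest(s["subject"].get("O", "")) in order_db for s in signers),
        "type_ratio": {k: round(v / total, 3) for k, v in type_counts.items()},
        "expiry_by_month": dict(Counter(expiry_month(s) for s in signers)),
        "issuer_brands": dict(Counter(s["issuer"].get("O", "<no O field>") for s in signers)),
    }
```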
In some embodiments, the digital certificate information includes, but is not limited to, the certificate version, serial number, signature algorithm, issuer, validity period, subject name, public key information, extension information and signature.
In implementation, each of the above units may be implemented as an independent entity, or any combination of them may be implemented as one or several entities; for the implementation of each unit, reference may be made to the foregoing method embodiment, which is not repeated here.
As can be seen from the above, the digital certificate statistical device of this embodiment can perform data positioning identification on the software to be counted, download the digital signature envelope data segment of the software to be counted, and analyze the digital certificate information corresponding to the software to be counted according to that data segment.
Regardless of the size of each piece of software, the invention downloads only the data portion that contains the digital certificate, then loads this small-scale data into memory, parses the digital envelope format and collects the certificate information. The invention can therefore efficiently count the usage of software code-signing certificates on the Internet, which makes it convenient for CA institutions to adjust policies such as certificate issuance on the basis of the statistical data.
The invention can effectively improve the efficiency of data analysis and save bandwidth. Because only the data portion of the software containing the digital certificate is downloaded rather than the whole software, download time and bandwidth consumption are greatly reduced. Likewise, because only a small-scale data portion is loaded rather than the whole software, the digital envelope format can be parsed and the certificate information collected quickly. With the technical scheme of the invention, the usage of software code-signing certificates on the Internet can be counted efficiently, providing strong support and a data foundation for CA organizations to adjust policies such as certificate issuance.
An embodiment of the application also provides electronic equipment, which may be a terminal, a server or other equipment. The terminal may be a mobile phone, a tablet computer, an intelligent Bluetooth device, a notebook computer, a personal computer or the like, and the server may be a single server or a server cluster formed by a plurality of servers.
In some embodiments, the digital certificate statistical device may also be distributed over a plurality of electronic devices; for example, it may be integrated in a plurality of servers, which together implement the digital certificate statistical method of the present application.
In this embodiment, a detailed description is given by taking the case where the electronic device is a server as an example. FIG. 4 shows a schematic structural diagram of the server according to the embodiment of the present application. Specifically:
The server may include, among other components, one or more processors 401 having one or more processing cores, a memory 402 comprising one or more computer-readable storage media, a power supply 403, an input module 404 and a communication module 405. Those skilled in the art will appreciate that the server architecture shown in FIG. 4 does not limit the server, which may include more or fewer components than shown, combine certain components, or arrange the components differently. In particular:
The processor 401 is the control center of the server: it connects the parts of the entire server using various interfaces and lines, and performs the server's functions and processes data by running or executing the software programs and/or modules stored in the memory 402 and calling the data stored in the memory 402, thereby monitoring the server as a whole. In some embodiments, the processor 401 may include one or more processing cores, and it may integrate an application processor, which mainly handles the operating system, user interfaces and applications, with a modem processor, which mainly handles wireless communication. It will be appreciated that the modem processor need not be integrated into the processor 401.
The memory 402 may be used to store software programs and modules, and the processor 401 performs various functional applications and data processing by executing the software programs and modules stored in the memory 402. The memory 402 may mainly include a program storage area, which may store an operating system and the application programs required for at least one function (such as a sound playing function or an image playing function), and a data storage area, which may store data created during use of the server. In addition, the memory 402 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device. Accordingly, the memory 402 may also include a memory controller to provide the processor 401 with access to the memory 402.
The server also includes a power supply 403 for powering the components. In some embodiments, the power supply 403 may be logically connected to the processor 401 through a power management system, so that charging, discharging and power consumption management are performed by the power management system. The power supply 403 may also include one or more of a direct-current or alternating-current power supply, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator and the like.
The server may also include an input module 404, which may be used to receive entered numeric or character information and to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.
The server may also include a communication module 405. In some embodiments the communication module 405 may include a wireless module, through which the server can transmit wirelessly over short distances and thereby provide the user with wireless broadband Internet access; for example, the communication module 405 may help the user to send and receive e-mail, browse web pages, access streaming media and so forth.
Although not shown, the server may further include a display unit and the like, which are not described here. In this embodiment, the processor 401 of the server loads the executable files corresponding to the processes of one or more application programs into the memory 402 according to the following instructions, and executes the application programs stored in the memory 402, so as to implement the functions of the digital certificate statistical device.
In some embodiments, a computer program product is also provided, comprising a computer program or instructions which, when executed by a processor, implement the steps of any of the digital certificate statistical methods described above.
For the specific implementation of each of the above operations, reference may be made to the previous embodiments, which are not repeated here.
From the above, the embodiment of the application can perform data positioning identification on the software to be counted, download the digital signature envelope data segment of the software to be counted, and analyze the digital certificate information corresponding to the software to be counted according to that data segment.
Those of ordinary skill in the art will appreciate that all or part of the steps of the methods of the above embodiments may be performed by instructions, or by instructions controlling associated hardware, and that these instructions may be stored in a computer-readable storage medium and loaded and executed by a processor.
To this end, embodiments of the present application provide a computer-readable storage medium storing a plurality of instructions that can be loaded by a processor to perform the steps of any digital certificate statistical method provided by the embodiments of the present application. For example, the instructions can perform the steps of first carrying out data positioning identification on the software to be counted, downloading the digital signature envelope data segment of the software to be counted, analyzing the digital certificate information corresponding to the software to be counted according to the digital signature envelope data segment, and so on.
The storage medium may include a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk or the like.
According to one aspect of the present application, there is provided a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, causing the computer device to perform the methods provided in the various alternative implementations of the digital certificate statistics aspects of the above embodiments.
Because the instructions stored in the storage medium can execute the steps of any digital certificate statistical method provided by the embodiments of the present application, they can achieve the beneficial effects of any such method; for details, see the foregoing embodiments, which are not repeated here.
The foregoing describes in detail a digital certificate statistical method, apparatus, server and computer-readable storage medium provided by embodiments of the present application. Specific examples are given to illustrate the principles and embodiments of the present application and to assist in understanding its method and core ideas. At the same time, since those skilled in the art may vary the specific embodiments and the scope of application in accordance with the ideas of the present application, the present application should not be construed as being limited to them.
Claims (8)
1. A digital certificate statistical method, comprising:
performing data positioning identification on software to be counted and downloading a digital signature envelope data segment of the software to be counted, which comprises: determining the size of a PE file header data segment; writing a first character string into the HTTP header according to the size of the PE file header data segment and sending a first download request, so that only the PE file header data segment of the software to be counted is downloaded; parsing the PE file header data segment to obtain an offset M of a digital envelope from it; and writing a second character string into the HTTP header according to the offset M of the digital envelope and sending a second download request, so that only the data segment containing the digital envelope in the software to be counted is downloaded, thereby obtaining the digital signature envelope data segment of the software to be counted;
analyzing digital certificate information corresponding to the software to be counted according to the digital signature envelope data segment, which comprises: loading the digital envelope data segment; decoding and parsing the digital envelope data segment to obtain a digital envelope; extracting, from an unverified attribute segment of the digital envelope, the data whose object identifier is a preset object identifier to obtain a multi-signature digital envelope; and counting the digital certificate information corresponding to the software to be counted according to the multi-signature digital envelope.
2. The digital certificate statistical method according to claim 1, wherein the multi-signature digital envelope includes a plurality of digital envelopes, and counting the digital certificate information corresponding to the software to be counted according to the multi-signature digital envelope comprises:
extracting signer information from the plurality of digital envelopes;
and deriving digital certificate information from the signer information.
3. The digital certificate statistical method according to claim 2, wherein the signer information includes an organization name, a digital certificate user, a certificate validity period and certificate issuer information.
4. The digital certificate statistical method according to claim 3, wherein deriving the digital certificate information from the signer information comprises:
comparing the organization name with an existing order database to obtain an organization name comparison result, wherein the comparison is desensitized by performing a SHA256 hash calculation on the organization name and then cross-matching;
calculating the proportion of each digital certificate type by extracting the digital certificate types, wherein in the process of extracting the digital certificate types, whether a digital certificate is of the EV type is judged according to whether the digital certificate user contains commercial type values, and, when the digital certificate type is the EV type, whether it is of the OV type is judged according to whether the certificate policy values in the certificate extension attributes contain organization information;
calculating the monthly distribution of certificate expiration times from the certificate validity period;
and acquiring an O field from the certificate issuer information, wherein the O field is used for certificate brand analysis.
5. The digital certificate statistical method according to claim 1, wherein the digital certificate information includes a certificate version, a serial number, a signature algorithm, an issuer, a validity period, a subject name, public key information and extension information.
6. A digital certificate statistical device, comprising:
a data identification module configured to perform data positioning identification on software to be counted and download a digital signature envelope data segment of the software to be counted, wherein the size of a PE file header data segment is determined; a first character string is written into the HTTP header according to the size of the PE file header data segment and a first download request is sent, so that only the PE file header data segment of the software to be counted is downloaded; the PE file header data segment is parsed to obtain an offset M of a digital envelope from it; and a second character string is written into the HTTP header according to the offset M of the digital envelope and a second download request is sent, so that only the data segment containing the digital envelope in the software to be counted is downloaded, thereby obtaining the digital signature envelope data segment of the software to be counted;
a statistics module configured to analyze digital certificate information corresponding to the software to be counted according to the digital signature envelope data segment, wherein the digital envelope data segment is loaded; the digital envelope data segment is decoded and parsed to obtain a digital envelope; the data whose object identifier is the preset object identifier is extracted from an unverified attribute segment of the digital envelope to obtain a multi-signature digital envelope; and the digital certificate information corresponding to the software to be counted is counted according to the multi-signature digital envelope.
7. An electronic device comprising a processor and a memory, the memory storing a plurality of instructions, and the processor loading the instructions from the memory to perform the steps of the digital certificate statistical method according to any one of claims 1-5.
8. A computer-readable storage medium storing a plurality of instructions adapted to be loaded by a processor to perform the steps of the digital certificate statistical method according to any one of claims 1-5.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310806829.XA CN116915881B (en) | 2023-07-03 | 2023-07-03 | Digital certificate statistical method, device, electronic equipment and medium |
| PCT/CN2023/108343 WO2025007373A1 (en) | 2023-07-03 | 2023-07-20 | Statistical compilation method and apparatus for digital certificate, and electronic device and medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116915881A CN116915881A (en) | 2023-10-20 |
| CN116915881B true CN116915881B (en) | 2025-12-09 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |