CN103117862A - Method for using X.509 digital certificate of openssl for verifying Java certificate - Google Patents
Method for using X.509 digital certificate of openssl for verifying Java certificate Download PDFInfo
- Publication number
- CN103117862A CN103117862A CN2013100527710A CN201310052771A CN103117862A CN 103117862 A CN103117862 A CN 103117862A CN 2013100527710 A CN2013100527710 A CN 2013100527710A CN 201310052771 A CN201310052771 A CN 201310052771A CN 103117862 A CN103117862 A CN 103117862A
- Authority
- CN
- China
- Prior art keywords
- certificate
- java
- openssl
- pki
- public key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 29
- 230000006870 function Effects 0.000 claims abstract description 26
- 238000006243 chemical reaction Methods 0.000 claims abstract description 12
- 238000003491 array Methods 0.000 claims description 8
- 238000009434 installation Methods 0.000 abstract description 4
- 238000012795 verification Methods 0.000 abstract description 3
- 238000013475 authorization Methods 0.000 abstract 2
- 239000000284 extract Substances 0.000 description 4
- 230000000694 effects Effects 0.000 description 1
- 238000000605 extraction Methods 0.000 description 1
- 230000001788 irregular Effects 0.000 description 1
- 230000009466 transformation Effects 0.000 description 1
Landscapes
- Storage Device Security (AREA)
Abstract
The invention provides a method for using an X.509 digital certificate of openssl for verifying a Java certificate so as to eliminate difficulties of cross-language certificate verification and provide convenience for Android system safety customizing. An X.509 digital certificate structure of the openssl is stepwise converted into a Java main public key information object, namely a public key in the X.509 digital certificate of the openssl is switched to the Java environment, and the digital certificate is verified whether to be an authorization certificate or not according to universal certificate verification steps under the Java environment. By the method, one CA (certificate authority) certificate stored in a safety module can be used for verifying a third-party Android installation program, and when an installation program signature does not conform to CA authorization, the third-party Android installation program is blocked from installation. Besides, the method is used when an Android system verifies server identities. The method has the advantages that the method is high in implementation efficiency and low in use cost, and used conversion functions are common functions, are included in a function library of the Android system and need not to modify or add.
Description
Technical field
The present invention relates to the digital certificate technique field, specifically a kind of method of the X.509 digital certificate checking Java certificate with openssl.
Background technology
In Android system, with the CA certificate checking Java certificate that is stored in hardware module.In safety applications, CA certificate can not be kept under the low system path of Prevention-Security degree usually, but is kept in some hardware module with safe speciality.The read-write of hardware module drives normally C language compilation, and CA certificate is generally the X.509 form of openssl when reading from drive.The certificate of verifying at Android Java layer, is the Java certificate form.This certification authentication across language need to be used specific verification method.
When Android system carries out the digital certificate checking at present, only provide the method under same programming language environment.If CA certificate is placed under any system path, can guarantee same programming language environment, but degree of safety is lower usually, easily is maliciously tampered.When CA certificate is saved in the hardware of safe speciality, just become the certification authentication across language environment.Because the driving of access hardware is generally the C language compilation, can not be that Java writes, and the certificate of Android system application layer be the Java certificate certainly.
Summary of the invention
The objective of the invention is to eliminate this difficulty across the language certification authentication, provide convenience for the Android system security customization, a kind of method of verifying the Java certificate with the X.509 digital certificate of openssl is provided, its application background is: attempt with being kept at certain CA certificate in security module, checking third party Android installation procedure, when the installation procedure signature does not meet the CA mandate, stop its installation.Simultaneously also can use this method when Android system authentication server identity.The server certificate of sending with certain the CA certificate authentication server end that is kept in security module is authorized if server certificate is not CA, and broken clients end and server is connected so.
According to technical scheme provided by the invention, described X.509 digital certificate with openssl verifies that the method for Java certificate comprises the following steps:
(1) with driving the CA certificate of interface reading and saving in hardware, return to the X.509 digital certificate structure of an openssl;
(2) PKI ASN.1 coding, public key algorithm and the parameter in the described X.509 digital certificate structure of taking-up;
(3) transfer public key algorithm and parameter the character array char * type of C language to by the ASN.1 transfer function of openssl;
(4) transfer described PKI ASN.1 coding, public key algorithm and parameter three's character array type the byte arrays byte[of Java language to by the JNI rule again] type;
(5) the byte arrays type of described public key algorithm conversion is further transferred again to the character string String type of Java;
(6) public key algorithm of completing conversion becomes the algorithm identifier AlgorithmIdentifier object of Java with parametric configuration;
(7) byte arrays of described algorithm identifier object and PKI ASN.1 coding is configured to the main body public key information SubjectPublicKeyInfo object of Java;
(8) described main body public key information object can use its member function to obtain the PKI object of Java; The PKI object of described Java is exactly the PKI of CA certificate in the Java environment, namely the PKI in the X.509 digital certificate of openssl is forwarded under the Java environment;
Whether is (9) certificate of authority according to certification authentication step checking digital certificate general under the Java environment, method is:
A, obtain Java certificate object to be verified;
B, call the checking member function verify of this certificate object, and the PKI object of Java is imported into as function parameter;
C, seizure are extremely; If extremely just do not show by checking, it is the certificate of authority; If have extremely, show authentication failed, proof procedure is wrong.If being signature exception, Exception Type shows that certificate is unauthorized.
Advantage of the present invention is: implementation efficiency is high, and use cost is low, and conversion function used is common function, and these functions exist in the function library of Android system, need not to revise or add.
Description of drawings
Fig. 1 is the invention process schematic flow sheet.
Embodiment
The invention will be further described below in conjunction with drawings and Examples.
The principle of paper CA certificate checking once digital certificate.
Generally, digital certificate all comprises authorized person's signature.Signature has been exactly the authorized person with own encrypted private key one section plaintext that extracts from digital certificate, and the ciphertext of generation.This section ciphertext only has authorized person's PKI to decipher.And comprised authorized person's PKI in authorized person's CA certificate.Therefore, the checking principle is exactly with the PKI decrypted signature that extracts in CA certificate, the plaintext of result after deciphering contrast extraction, if both are identical, digital certificate belongs to the CA certificate mandate, otherwise does not belong to mandate.
When CA certificate takes out, be generally the X.509 form of openssl from drive.This is an X.509 structure, has preserved all information of CA certificate in structure.Verify the Java certificate, key will obtain the PKI under the Java environment.The present invention extracts PKI ASN.1 coding, public key algorithm and parameter from the X.509 digital certificate of openssl, conversion through Android system JNI layer, go out the algorithm identifier object (AlgorithmIdentifier) of Java by public key algorithm and parametric configuration, construct the main body public key information object (SubjectPublicKeyInfo) of Java by PKI ASN.1 coding and algorithm identifier object.This object can use its member function to obtain the PKI object of Java.The PKI object of this Java is exactly the PKI of CA certificate in the Java environment.Next only need to just can verify whether digital certificate is the certificate of authority according to certification authentication step general under the Java environment.
As shown in Figure 1, the method for verifying the Java certificate with the X.509 digital certificate of openssl of the present invention, its implementing procedure is as follows:
1. read CA certificate with the driving interface, return to the X.509 digital certificate structure of an openssl.
2. take out wherein PKI ASN.1 coding, public key algorithm and parameter.
Described PKI ASN.1 coding is a pointer that points to character array (this pointer is the character array type, and the access of this pointer is equivalent to access to character array pointed), and this character array has been preserved the ASN.1 coding of PKI.Following being coded in of ASN.1 standard keeps the character array content constant under different platform.
Described public key algorithm is the pointer that points to the ASN1_OBJECT that preserves public key algorithm information.
Described parameter is to point to the pointer of the ASN1_TYPE that preserves the public key algorithm parameter information.ASN1_OBJECT and ASN1_TYPE are the type that defines in openssl, can pass through the ASN.1 transfer function, and content is changed and is saved in character array.
3. transfer public key algorithm and parameter character array (char *) type of C language to by the ASN.1 transfer function of openssl.Be specially: public key algorithm is transferred to the character array type of C language by the OBJ_obj2txt function, parameter is also transferred to the character array type of C language by the ASN1_TYPE_get_octetstring function.
4. more described PKI ASN.1 coding, public key algorithm and parameter three's character array type is transferred to byte arrays (the byte[]) type of Java language by the JNI rule, three's content all has been saved in the character array of Java by conversion like this.This is converted to general JNI transformation rule.
5. also to further transfer character string (String) type of Java to for public key algorithm.Conversion method used is the constructed fuction of character string, the Java byte arrays can be configured to character string.
6. complete the public key algorithm of conversion and the algorithm identifier object (AlgorithmIdentifier) that parameter can be configured to Java.Building method used is the constructed fuction of algorithm identifier object.
7. the ASN.1 encoded byte array of algorithm identifier object and PKI can be configured to the main body public key information object (SubjectPublicKeyInfo) of Java.Building method used is the constructed fuction of main body public key information object.
8. main body public key information object can use its member function to obtain the PKI object of Java.
9. the PKI object of above-mentioned Java, be exactly the PKI of CA certificate in the Java environment.Because the key of checking digital certificate is to obtain the Java PKI of CA, and successfully the PKI in the X.509 digital certificate of openssl is forwarded under the Java environment to this step.Therefore next only need to just can verify whether digital certificate is the certificate of authority according to certification authentication step general under the Java environment.Step is as follows:
1. obtain Java certificate object to be verified.
2. call the checking member function (verify) of this certificate object, and the PKI object of Java is imported into as function parameter.
3. catching extremely, if extremely just do not show by checking, is the certificate of authority; If have extremely, show authentication failed, proof procedure is wrong, if wherein Exception Type is that signature exception (SignatureException) shows that certificate is unauthorized.
Divide according to function when this method realizes with software and comprise 3 modules: module one. the driver module of safe speciality hardware, module two. Android JNI layer across the language form conversion module, module three. the digital certificate authentication module of Android Java layer.
These three modules are that order is carried out, and first module one work after only having the work success, just enters module two work.If module two is also worked successfully, enter module three work, module three works, and software work is successful.Any one module irregular working, software is just worked unsuccessfully.
Three functions of modules are as follows: module one use driving interface reads CA certificate, returns to the X.509 digital certificate structure of an openssl.Module two extracts PKI, public key algorithm and the parameter in structure X.509, is converted into the operable type of Java language by the JNI rule.Module three is carried out general digital certificate authentication function under the Java environment, and the prompting certificate granting, certificate is unauthorized and other results of makeing mistakes.
It is below the explanation of some terms that the present invention relates to.
CA:(Certificate Authority) certificate granting center is to be responsible for the office that grant a certificate, certificate of certification, management have been issued certificate.
CA certificate: be the certificate that CA signs and issues, can be used for verifying the certificate that the CA certificate owner authorizes.
Digital certificate: be one through the file that comprises certificate main information and public-key cryptography of CA or CA certificate owner digital signature.
X.509 digital certificate: a kind of digital certificate.X.509 be a kind of general certificate format, form follow ITUT X.509 the certificate of international standard be called X.509 digital certificate.X.509 the digital certificate of a standard comprises following contents:
The version information of certificate; The sequence number of certificate; The signature algorithm that certificate uses; Issuer's title of certificate; The term of validity of certificate; The proprietary title of certificate; The proprietary public-key cryptography of certificate; The signature of certificate issue person to certificate.
Openssl: the famous code library of openssl by name, the C language compilation has comprised X.509 structure and the certificate operation-interface of digital certificate.
Java certificate: the object of the class of the expression certificate in Java.
ASN.1:ASN.1 is the regular set of ITU-T, and it has been specified in which way data are encoded, so that other any platforms and third party's instrument can both be explained its content.Its effect is to make same data have unified coding at different platforms.
JNI:(Java Native Interface) Java local interface, in Android system Java and C++ call mutually, the software layer of conversion in type.
Claims (3)
1. verify the method for Java certificate with the X.509 digital certificate of openssl, it is characterized in that comprising the following steps:
(1) with driving the CA certificate of interface reading and saving in hardware, return to the X.509 digital certificate structure of an openssl;
(2) PKI ASN.1 coding, public key algorithm and the parameter in the described X.509 digital certificate structure of taking-up;
(3) transfer public key algorithm and parameter the character array char * type of C language to by the ASN.1 transfer function of openssl;
(4) transfer described PKI ASN.1 coding, public key algorithm and parameter three's character array type the byte arrays byte[of Java language to by the JNI rule again] type;
(5) the byte arrays type of described public key algorithm conversion is further transferred again to the character string String type of Java;
(6) public key algorithm of completing conversion becomes the algorithm identifier AlgorithmIdentifier object of Java with parametric configuration;
(7) byte arrays of described algorithm identifier object and PKI ASN.1 coding is configured to the main body public key information SubjectPublicKeyInfo object of Java;
(8) described main body public key information object can use its member function to obtain the PKI object of Java; The PKI object of described Java is exactly the PKI of CA certificate in the Java environment, namely the PKI in the X.509 digital certificate of openssl is forwarded under the Java environment;
(9) whether be the certificate of authority according to certification authentication step checking digital certificate general under the Java environment.
2. as claimed in claim 1 with the method for the X.509 digital certificate of openssl checking Java certificate, it is characterized in that, in step 9, whether the checking digital certificate is that the method for the certificate of authority is:
A, obtain Java certificate object to be verified;
B, call the checking member function verify of this certificate object, and the PKI object of Java is imported into as function parameter;
C, seizure are extremely; If extremely just do not show by checking, it is the certificate of authority; If have extremely, show authentication failed, proof procedure is wrong.
3. verify as claimed in claim 2 the method for Java certificate with the X.509 digital certificate of openssl, it is characterized in that, if in step c, Exception Type is that signature exception shows that certificate is unauthorized.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310052771.0A CN103117862B (en) | 2013-02-18 | 2013-02-18 | By the method for the X.509 digital certificate authentication Java certificate of openssl |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310052771.0A CN103117862B (en) | 2013-02-18 | 2013-02-18 | By the method for the X.509 digital certificate authentication Java certificate of openssl |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103117862A true CN103117862A (en) | 2013-05-22 |
| CN103117862B CN103117862B (en) | 2015-11-25 |
Family
ID=48416143
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310052771.0A Expired - Fee Related CN103117862B (en) | 2013-02-18 | 2013-02-18 | By the method for the X.509 digital certificate authentication Java certificate of openssl |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103117862B (en) |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103971034A (en) * | 2014-04-24 | 2014-08-06 | 福建联迪商用设备有限公司 | Method and device for protecting Java software |
| CN104680061A (en) * | 2015-02-28 | 2015-06-03 | 国鼎网络空间安全技术有限公司 | Method and system for verifying code signing during startup of application in Android environment |
| CN105721154A (en) * | 2014-12-05 | 2016-06-29 | 航天信息股份有限公司 | Encryption protection method based on Android platform communication interface |
| CN105721162A (en) * | 2016-01-30 | 2016-06-29 | 飞天诚信科技股份有限公司 | Method and device for automatically importing digital certificate to application program |
| CN106936789A (en) * | 2015-12-30 | 2017-07-07 | 上海格尔软件股份有限公司 | The application process that a kind of use double certificate is authenticated |
| CN108134676A (en) * | 2017-12-19 | 2018-06-08 | 上海闻泰电子科技有限公司 | Android system safe starting method and readable storage medium storing program for executing |
| CN111884813A (en) * | 2020-08-05 | 2020-11-03 | 哈尔滨工业大学(威海) | Malicious certificate detection method |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20020120840A1 (en) * | 2000-12-15 | 2002-08-29 | International Business Machines Corporation | Configurable PKI architecture |
| CN1956372A (en) * | 2005-10-21 | 2007-05-02 | 惠普开发有限公司 | A digital certificate that indicates a parameter of an associated cryptographic token |
| CN102055759A (en) * | 2010-06-30 | 2011-05-11 | 北京飞天诚信科技有限公司 | Hardware engine realization method |
-
2013
- 2013-02-18 CN CN201310052771.0A patent/CN103117862B/en not_active Expired - Fee Related
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20020120840A1 (en) * | 2000-12-15 | 2002-08-29 | International Business Machines Corporation | Configurable PKI architecture |
| CN1956372A (en) * | 2005-10-21 | 2007-05-02 | 惠普开发有限公司 | A digital certificate that indicates a parameter of an associated cryptographic token |
| CN102055759A (en) * | 2010-06-30 | 2011-05-11 | 北京飞天诚信科技有限公司 | Hardware engine realization method |
Non-Patent Citations (2)
| Title |
|---|
| D.COOPER等: "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", 《NETWORK WORKING GROUP RFC5280》 * |
| 唐雪莲: "通过CA证书获取安全认证的Java实现", 《电脑开发与应用》 * |
Cited By (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103971034A (en) * | 2014-04-24 | 2014-08-06 | 福建联迪商用设备有限公司 | Method and device for protecting Java software |
| CN105721154A (en) * | 2014-12-05 | 2016-06-29 | 航天信息股份有限公司 | Encryption protection method based on Android platform communication interface |
| CN105721154B (en) * | 2014-12-05 | 2020-02-18 | 航天信息股份有限公司 | Encryption protection method based on Android platform communication interface |
| CN104680061A (en) * | 2015-02-28 | 2015-06-03 | 国鼎网络空间安全技术有限公司 | Method and system for verifying code signing during startup of application in Android environment |
| CN106936789A (en) * | 2015-12-30 | 2017-07-07 | 上海格尔软件股份有限公司 | The application process that a kind of use double certificate is authenticated |
| CN106936789B (en) * | 2015-12-30 | 2021-04-13 | 格尔软件股份有限公司 | Application method for authentication by using double certificates |
| CN105721162A (en) * | 2016-01-30 | 2016-06-29 | 飞天诚信科技股份有限公司 | Method and device for automatically importing digital certificate to application program |
| CN105721162B (en) * | 2016-01-30 | 2019-03-05 | 飞天诚信科技股份有限公司 | The method and device of digital certificate is automatically imported into application program |
| CN108134676A (en) * | 2017-12-19 | 2018-06-08 | 上海闻泰电子科技有限公司 | Android system safe starting method and readable storage medium storing program for executing |
| CN111884813A (en) * | 2020-08-05 | 2020-11-03 | 哈尔滨工业大学(威海) | Malicious certificate detection method |
| CN111884813B (en) * | 2020-08-05 | 2022-03-25 | 哈尔滨工业大学(威海) | Malicious certificate detection method |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103117862B (en) | 2015-11-25 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN103117862B (en) | By the method for the X.509 digital certificate authentication Java certificate of openssl | |
| CN102171652B (en) | The method providing trusted software for electronic installation | |
| CN108924147B (en) | Communication terminal digital certificate issuing method, server and communication terminal | |
| CN112182609A (en) | Block chain-based data uplink storage method and tracing method, device and equipment | |
| CN112651036B (en) | Identity authentication method based on collaborative signature and computer readable storage medium | |
| CN101009556A (en) | Intelligent card and U disk compound device and its access security improvement method based on bidirectional authentication mechanism | |
| CN103036681B (en) | A kind of password safety keyboard device and system | |
| CN109495268B (en) | A two-dimensional code authentication method, device and computer-readable storage medium | |
| CN112865965B (en) | A method and system for train business data processing based on quantum key | |
| CN101894235B (en) | A Smart Card Security Conversation System | |
| CN113515756B (en) | High-credibility digital identity management method and system based on block chain | |
| CN112332975A (en) | Internet of things equipment secure communication method and system | |
| CN109246055B (en) | Medical information safety interaction system and method | |
| CN106533693B (en) | Access method and device of railway vehicle monitoring and overhauling system | |
| EP4072064A1 (en) | Electronic signature system and tamper-resistant device | |
| CN111082941B (en) | Internet of things data sharing method and system based on block chain technology | |
| CN109981287A (en) | A kind of code signature method and its storage medium | |
| CN104484628B (en) | It is a kind of that there is the multi-application smart card of encrypting and decrypting | |
| CN114513310A (en) | Authentication method and device for vehicle diagnosis equipment, electronic equipment and medium | |
| CN113852628A (en) | Decentralized single sign-on method, decentralized single sign-on device and storage medium | |
| CN112257046A (en) | Method, system and equipment for realizing trusted digital identity decryption and signature verification by using software library | |
| CN110635900B (en) | Key management method and system suitable for Internet of things system | |
| CN103259689A (en) | Method for changing password of equipment and recovering password after failure | |
| CN111756531B (en) | Communication system and method of LoRa terminal based on CPK | |
| CN103260157B (en) | Towards Subscriber Management System and the using method thereof of satellite communications services |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C41 | Transfer of patent application or patent right or utility model | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20160223 Address after: 315500, Hengfeng Road, 19 square Bridge Development Zone, Zhejiang, Fenghua Patentee after: Fenghua capital machinery Casting Co., Ltd. Address before: 214135 Jiangsu Province, Wuxi City District Road No. 18 Wuxi Zhenze National Software Park Sagittarius B building 4 floor Patentee before: Wuxi Cynovo Tech Co., Ltd. |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20160620 Address after: 214135 Jiangsu Province, Wuxi City District Road No. 18 Wuxi Zhenze National Software Park Sagittarius B building 4 floor Patentee after: Wuxi Cynovo Tech Co., Ltd. Address before: 315500, Hengfeng Road, 19 square Bridge Development Zone, Zhejiang, Fenghua Patentee before: Fenghua capital machinery Casting Co., Ltd. |
|
| TR01 | Transfer of patent right | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20190422 Address after: Room 616-1, Building 2, Changfeng Building, 14 Xinghuo Road, Jiangbei New District, Nanjing, Jiangsu Province, 210000 Patentee after: Nanjing ningsano Intelligent Technology Co., Ltd. Address before: 214135 building 4, Sagittarius B, Wuxi National Software Park, 18, Zhen Ze Road, Wuxi New District, Jiangsu. Patentee before: Wuxi Cynovo Tech Co., Ltd. |
|
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20151125 Termination date: 20210218 |