Step 19-4: the presupposed information in described public and private key file structure is filled to the key pair that obtains generation according to described file ID and recording mechanism.

Concrete, described presupposed information comprises uidRecordFID and uidRecordNo.

For example, the generation key receiving is 80 70 00 00 00000C 0,100 0,100 000 10,000 1,001 0100 to instruction, and the presupposed information comprising in the right file structure of the key of generation is: uidRecordFID=1001, uidRecordNo=0100.

Further, before above-mentioned steps 19-2, also comprise: judge whether described generation key meets the 5th preset structure to the data field data of instruction, to perform step the key pair of 19-2 to step 19-4 generation SM2 type, otherwise generate the key pair of other types, the key of other types to and corresponding endorsement method not within the scope of the invention, at this, do not describe in detail.

Preferably, before above-mentioned steps 19, can also comprise: in the default memory block of judgement, whether storing signature pre-service result, is that the described signature pre-service result of first removing in default memory block performs step 19 again; Otherwise directly perform step 19.And the signature pre-service result store calculating in step 19 is arrived to default memory block.

Step 20: return and produce key to response message to host computer, then return to step 2.

Concrete, when step 19 is correct while carrying out, this step is returned to the generation key that comprises status code and response data to response message, and the status code SW1SW2 value comprising is the first preset value, and the response data comprising is specially the key of generation to related data; When mistake appears in step 19 in the process of implementation, this step is returned to the generation key that comprises status code to response message, and the status code SW1SW2 comprising is taken as other values.For example, other values are 0x6700,0x6A88 and 0x6A94.

Step 21: judge whether current logging status is user's logging status, is to perform step 22, otherwise returns to the status code of not supporting, returns to step 2;

Step 22: determine the specified containers under current application according to the application ID comprising in signature command and Container ID, according to the right file structure of the key in specified containers, obtain file ID and recording mechanism, according to the file ID obtaining and recording mechanism, from log file, obtain record data, according to cipher key pair PKI and described record data, calculate a signature pre-service result, according to signature pre-service result, cipher key pair private key, the data to be signed that comprise in signature command are calculated to signature result;

This step specifically comprises:

Step 22-1: obtain a length value according to the 5th of signature command the to the 7th byte, judge whether the length of the 7th byte data field data afterwards conforms to this length value, be to carry out next step, otherwise generate the signature response message that comprises status code;

Preferably, the value of described status code SW1SW2 is the second preset value, and for example the second preset value is 0x6700.

Step 22-2: ID, Container ID and data to be signed are applied from described data field data according to the 6th preset structure;

Concrete, described the 6th preset structure is: application ID+ Container ID+data to be signed;

Step 22-3: determine the specified containers under current application according to application ID and Container ID, from specified containers, obtain key pair, according to the right file structure of key, obtain file ID and recording mechanism, according to the file ID obtaining and recording mechanism, from log file, obtain record data;

Concrete, according to file ID, find a log file, according to recording mechanism, can in this log file, read record data.

Further, if can not find application according to application ID on equipment, generate the signature response message that comprises status code, preferred, the value of this status code SW1SW2 is the 6th preset value, and for example the 6th preset value is 6A88.If can not find specified containers according to Container ID under current application, generate the signature response message that comprises status code, preferred, the value of this status code SW1SW2 is the 11 preset value, for example the 11 preset value is 6A94; If obtain from specified containers less than key pair, generate the signature response message that comprises status code, preferred, the value of described status code SW1SW2 is the 12 preset value, for example the 12 preset value is 6A95.If can not find corresponding with it log file or obtain less than corresponding with it record data according to file ID and recording mechanism, generate the signature response message that comprises status code, preferred, described status code value is the 13 preset value.

Step 22-4: calculate a signature pre-service result according to the PKI of cipher key pair and the described record data that obtain, according to the private key of signature pre-service result, cipher key pair, described data to be signed are calculated to signature result.

For example, the signature command receiving is: 80 74 03 00 000,024 01,000,100 12345678123456781234567812345678.

Preferably, in above-mentioned steps 22, can also comprise: in the default memory block of judgement, whether store signature pre-service result, to obtain described signature pre-service result, otherwise obtain file identification and recording mechanism according to the right file structure of the key in specified containers, according to the file identification obtaining and recording mechanism, from the log file corresponding with described file identification, obtain record data corresponding with described recording mechanism, according to cipher key pair PKI and described record data, calculate a signature pre-service result and store default memory block into.

Step 23: return to signature response message to host computer, then return to step 2.

It should be noted that, before above-mentioned steps 22, also comprising: whether the 3rd byte that judges signature command is default value, is to perform step 22 execution SM2 signatures, otherwise carries out other algorithm signatures, other algorithms are signed not within the scope of the invention, at this, do not describe in detail.Preferably, described default value is 0x03.

Concrete, when step 22 is correct while carrying out, this step is returned to the signature response message that comprises status code and response data, and the status code SW1SW2 value comprising is the first preset value, and the response data comprising is specially signature result; When mistake appears in step 22 in the process of implementation, this step is returned to the signature response message that comprises status code, and the status code SW1SW2 comprising is taken as other values.For example, other values are 0x6700,0x6A88,0x6A94 and 0x6A95.

The endorsement method of the signature device that the present embodiment proposes, may be summarized to be: first, the management function of infosystem possesses the distribution function of initializing of USBKey, at initial phase, in USBKey, create log file and preserve the record data of user's related application, after initialization completes, USBKey enters the application stage.

When user applies for certificate, in USBKey, generate key to rear, automatic mark with indicated with key associated record data, when signature operation, use.

When signature, use and specified with key, the record data that are associated are calculated to Z value, thereby complete the preprocessing function of endorsement method, complete signature.

What in the present embodiment, mention is preferably implementation of one, the implementation of embodiment 1 relatively, it is registrant's identity that the endorsement method of the present embodiment further defines main body, when logining, keeper can complete the establishment of record data, when user's login is signed, by opening application instruction, open container instruction, produce key instruction and signature command are completed to whole signature process, can reach equally association between strengthening main body and signature key, effectively prevent identity and mandate abuse, strengthen the effect of the security of signing.The ID mentioning in the present embodiment does same understanding with the sign of mentioning in embodiment 1.

The above; only for preferably embodiment of the present invention, but protection scope of the present invention is not limited to this, is anyly familiar with those skilled in the art in technical scope disclosed by the invention; the variation that can expect easily or replacement, within all should being encompassed in protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion with the protection domain of claim.

Claims

1. an endorsement method for signature device, is characterized in that, comprising:

Device power, initialized step;

The step of the instruction that equipment reception host computer issues;

Equipment judges the type of the instruction receiving, and according to the type of described instruction, carries out command adapted thereto operation, and to host computer, returns to the step of response message;

The type that judges described instruction when equipment when opening application instruction, is opened the application corresponding with described Apply Names on equipment according to the described Apply Names comprising in application instruction of opening, to host computer return comprise application identities open application responds message;

The type that judges described instruction when equipment is when opening container instruction, according to the described application identities comprising in container instruction of opening, determine current application, according to the described Container Name comprising in container instruction of opening, open the specified containers corresponding with described Container Name under current application, to host computer return comprise container identification open container response message;

2. method according to claim 1, it is characterized in that, described method also comprises: the type that judges described instruction when equipment is when testing PIN instruction, from the described PIN of testing instruction, obtain PIN sign, application identities and PIN code, according to described PIN sign, determine registrant's identity, according to described application identities, determine current application, and verify that whether described PIN code is correct, according to described registrant's identity, current logging status to be set, to host computer return state code be the first preset value test PIN response message, otherwise be other values to host computer return state code, test PIN response message.

3. method according to claim 2, is characterized in that, describedly from the described PIN of testing instruction, obtains PIN sign, application identities and PIN code, is specially:

A1: obtain PIN sign according to the 4th of the described PIN of testing instruction the byte, according to the 5th to the 7th byte, obtain a length value, whether the length that judges the 7th byte data field data afterwards conforms to this length value, to carry out a2, otherwise generate status code be the second preset value test PIN response message;

A2: sign and PIN code are applied from described data field data according to the first preset structure.

4. method according to claim 3, is characterized in that, described the first preset structure is: the PIN code of application identities+16 of a 2 bytes byte.

5. method according to claim 1, it is characterized in that, described method also comprises: when equipment judges the type of described instruction, be while creating log file instruction, according to the application identities comprising in the instruction of described establishment log file, determine current application, according to the log file information comprising in the instruction of described establishment log file, under current application, create a log file, to host computer, return and create log file response message.

6. method according to claim 5, it is characterized in that, describedly according to the application identities comprising in the instruction of described establishment log file, determine current application, according to the log file information comprising in the instruction of described establishment log file, under current application, create a log file, be specially:

B1: according to the 3rd and the 4th of the instruction of described establishment log file the byte sign that is applied, determine current application according to described application identities;

B2: obtain a length value according to the 5th of the instruction of described establishment log file the to the 7th byte, whether the length that judges the 7th the data field data after byte conforms to this length value, being to carry out b3, is the establishment log file response message of the second preset value otherwise generate status code;

B3: obtain the log file information that will create according to the second preset structure from described data field data;

B4: create log file according to described log file information under current application.

7. method according to claim 6, is characterized in that, described the second preset structure is: the write permission sign of+4 bytes of read right sign of file size+4 byte of filename+4 of a 32 bytes byte.

8. method according to claim 5, is characterized in that, when equipment judges the type of described instruction, is while creating log file instruction, also comprises and confirms that current logging status is the step of keeper's logging status.

9. method according to claim 1, it is characterized in that, described method also comprises: the type that judges described instruction when equipment is when writing recording instruction, according to the application identities comprising in said write recording instruction, determine current application, according to the filename comprising in said write recording instruction, under current application, find a log file, according to the side-play amount comprising in said write recording instruction, the record data to be written that comprise in said write recording instruction are written to the appropriate address in described log file, to host computer, return and write recording responses message.

10. method according to claim 9, it is characterized in that, describedly according to the application identities comprising in said write recording instruction, determine current application, according to the filename comprising in said write recording instruction, under current application, find a log file, according to the side-play amount comprising in said write recording instruction, the record data to be written that comprise in said write recording instruction are written to the appropriate address in described log file, are specially:

C1: according to the 5th and the 6th of said write recording instruction the byte sign that is applied, determine current application according to described application identities;

C2: obtain a length value according to the 7th and the 8th of said write recording instruction the byte, whether the length that judges the 8th the data field data after byte conforms to this length value, to carry out c3, otherwise generate status code be the second preset value write recording responses message;

C3: obtain side-play amount, filename and record data to be written according to the 3rd preset structure from described data field data;

C4: find a log file according to described filename under current application, determine in described log file according to described side-play amount and a writing address described record data to be written are write to said write address.

11. methods according to claim 10, is characterized in that, described the 3rd preset structure is: the length+record data to be written of the record data to be written of filename length+filename+2 byte of side-play amount+2 of a 2 bytes byte.

12. methods according to claim 1, it is characterized in that, described in described basis, open the Apply Names comprising in application instruction and open the application corresponding with described Apply Names on equipment, comprise: according to described the 5th and the 6th byte opening application instruction, obtain a length value, whether the length that judges the 6th byte data field data afterwards conforms to this length value, if conform to according to the described data field data title that is applied, open application corresponding with described Apply Names on equipment, otherwise what generate status code and be the second preset value opens application responds message.

13. methods according to claim 1, it is characterized in that, described in described basis, open the application identities comprising in container instruction and determine current application, according to the described Container Name comprising in container instruction of opening, open the specified containers corresponding with described Container Name under current application, comprising:

A1: obtain a length value according to described the 5th to the 7th byte opening container instruction, whether the length that judges the 7th byte data field data afterwards conforms to this length value, to carry out A2, otherwise generate status code be the second preset value open container response message;

A2: sign and Container Name are applied from described data field data according to the 4th preset structure;

A3: determine current application according to application identities, find specified containers according to Container Name under current application, open specified containers.

14. methods according to claim 13, is characterized in that, described the 4th preset structure is: application identities+Container Name.

15. methods according to claim 1, it is characterized in that, describedly according to described generation key, the application identities comprising in instruction and container identification are determined to the specified containers under current application, according to described generation key, the key information comprising in instruction is created to public and private key file structure in specified containers, according to described generation key, the file identification comprising in instruction and recording mechanism are filled to the key pair that obtains generation to the presupposed information in described public and private key file structure, comprising:

B1: the 5th of instruction the to the 7th byte obtained to a length value according to described generation key, whether the length that judges the 7th byte data field data afterwards conforms to this length value, to carry out B2, otherwise generate status code be the second preset value open container response message;

B2: sign, container identification, key information, file identification and recording mechanism are applied from described data field data according to the 5th preset structure;

B3: determine the specified containers under current application according to described application identities and described container identification, according to described generation key, the key information comprising in instruction is created to public and private key file structure in specified containers;

B4: the presupposed information in described public and private key file structure is filled and obtained key pair according to described file identification and described recording mechanism.

16. methods according to claim 15, is characterized in that, described the 5th preset structure is: the recording mechanism of file identification+2 byte of key information+2 byte of container identification+4 byte of application identities+2 of a 2 bytes byte; Described key information comprises that the right position of generation key is long.

17. methods according to claim 1, it is characterized in that, describedly according to the application identities comprising in described signature command and container identification, determine the specified containers under current application, according to the right file structure of the key in specified containers, obtain file identification and recording mechanism, according to the file identification obtaining and recording mechanism, from the log file corresponding with described file identification, obtain record data corresponding with described recording mechanism, according to the PKI of cipher key pair and described record data, calculate a signature pre-service result, according to described signature pre-service result, the private key of cipher key pair calculates signature result to the data to be signed that comprise in described signature command, comprise:

C1: obtaining a length value according to the 5th of described signature command the to the 7th byte, judge whether the length of the 7th byte data field data afterwards conforms to this length value, is to carry out C2, is the signature response message of the second preset value otherwise generate status code;

C2: sign, container identification and data to be signed are applied from described data field data according to the 6th preset structure;

C3: determine the specified containers under current application according to application identities and container identification, from specified containers, obtain key pair, according to the right file structure of key, obtain file identification and recording mechanism, according to the file identification obtaining and recording mechanism, from log file, obtain record data;

C4: calculate a signature pre-service result according to the PKI of cipher key pair and the described record data that obtain, according to the private key of signature pre-service result, cipher key pair, described data to be signed are calculated to signature result.

18. methods according to claim 17, is characterized in that, described the 6th preset structure is: application identities+container identification+data to be signed.

19. methods according to claim 1, is characterized in that, the type that judges described instruction when equipment when opening container instruction or producing key to instruction or signature command, also comprises and confirms that current logging status is the step of user's logging status.