技术领域technical field
本发明涉及移动互联网领域的信息安全技术,尤其涉及一种签名方法及服务器。The invention relates to information security technology in the field of mobile Internet, in particular to a signature method and a server.
背景技术Background technique
随着移动终端的普及、移动互联网业务的蓬勃发展,信息安全从互联网转移到了移动互联网,移动终端引发的颠覆性变革揭开了移动互联网产业发展的序幕,移动终端也极大的影响着用户的生活方式,但是在移动终端向智能化、开放化发展的同时,也面临越来越多的安全威胁。谷歌的安卓操作系统是一个开放平台,因此,成为了移动终端恶意软件主要感染的平台,但是无法对安卓手机恶意软件的开发者身份进行有效的溯源进而追究其法律责任,导致恶意软件开发者违法成本低,是造成安卓平台移动终端恶意软件泛滥的主要原因之一。With the popularity of mobile terminals and the vigorous development of mobile Internet services, information security has shifted from the Internet to the mobile Internet. The disruptive changes triggered by mobile terminals have opened the prelude to the development of the mobile Internet industry. However, while mobile terminals are developing toward intelligence and openness, they are also facing more and more security threats. Google's Android operating system is an open platform, so it has become the main platform for mobile terminal malware infection, but it is impossible to effectively trace the identity of the developer of Android mobile phone malware and pursue its legal responsibility, which leads to malware developers breaking the law. The low cost is one of the main reasons for the proliferation of malware on mobile terminals on the Android platform.
现有技术中,通过可信代码签名技术来确保应用安全,并对开发者的身份进行追溯,具体的,要求开发者使用第三方合法代码签名(CA,Code Signing)机构颁发的代码签名数字证书来完成代码签名操作,开发者的身份有第三方CA机构严格审查并核实,确保开发者身份真实可信,在必要时,可通过读取应用程序中的数字签名信息,来确认应用程序开发者的身份,对其进行责任追溯。In the prior art, trusted code signing technology is used to ensure application security, and the identity of the developer is traced. Specifically, the developer is required to use a code signing digital certificate issued by a third-party legal code signing (CA, Code Signing) organization To complete the code signing operation, the developer's identity is strictly reviewed and verified by a third-party CA organization to ensure that the developer's identity is authentic and credible. When necessary, the application developer can be confirmed by reading the digital signature information in the application identity, trace their responsibilities.
然而,现有的安卓可信代码签名技术方案,会导致存量应用签名后不能正常平滑升级,也不能进行多方可信签名的问题。However, the existing Android trusted code signing technology solution will lead to the problem that the stock application cannot be upgraded normally and smoothly after signing, and the multi-party trusted signature cannot be performed.
发明内容Contents of the invention
为解决上述技术问题,本发明实施例期望提供一种签名方法及服务器,能够使存量应用签名后能够平滑升级、并进行多方可信签名。In order to solve the above technical problems, the embodiment of the present invention expects to provide a signature method and server, which can enable smooth upgrade of existing applications after signing, and perform multi-party trusted signatures.
本发明实施例提供一种签名方法,其特征在于,所述方法包括:An embodiment of the present invention provides a signature method, characterized in that the method includes:
接收用户的签名操作请求,并根据所述签名操作请求获取第一数据包;receiving a user's signature operation request, and obtaining a first data packet according to the signature operation request;
对所述第一数据包进行预处理,得到第一签名原文;Preprocessing the first data packet to obtain the original text of the first signature;
当允许进行副署签名操作时,响应所述签名操作请求,通过签名工具对所述第一签名原文进行副署签名操作,得到第一副署签名信息;When the counter-signature operation is allowed, in response to the signature operation request, perform the counter-signature operation on the original text of the first signature through the signature tool, and obtain the first counter-signature information;
将所述第一副署签名信息添加到所述第一数据包中,得到第二数据包。Adding the first counter-signature information to the first data packet to obtain a second data packet.
在上述方法中,所述对所述第一数据包进行预处理,得到第一签名原文,包括:In the above method, the preprocessing of the first data packet to obtain the original text of the first signature includes:
解析所述第一数据包,并获得所述第一数据包对应的第一应用程序文件;Parsing the first data packet, and obtaining a first application file corresponding to the first data packet;
对所述第一应用程序文件进行哈希计算,得到所述第一签名原文。Perform hash calculation on the first application program file to obtain the original text of the first signature.
在上述方法中,所述得到第一签名原文之后,所述响应所述签名操作请求之前,所述方法还包括:In the above method, after the first original signature is obtained and before the response to the signature operation request, the method further includes:
解析所述第一数据包,并获得所述第一数据包对应的第一原签名文件;Analyzing the first data packet, and obtaining a first original signature file corresponding to the first data packet;
对所述第一原签名文件进行解析,得到第一原生签名信息;Analyzing the first original signature file to obtain the first original signature information;
通过根据所述第一签名原文和所述第一原生签名信息进行第一原生签名验证,来判断是否允许进行所述副署签名操作;By performing first original signature verification according to the first original signature text and the first original signature information, it is judged whether to allow the counter-signature operation;
当所述第一原生签名验证成功时,表征允许进行所述副署签名操作;When the verification of the first original signature is successful, the representation allows the counter-signature operation;
当所述第一原生签名验证失败时,表征不允许进行所述副署签名操作。When the verification of the first original signature fails, the representation does not allow the counter-signature operation.
在上述方法中,所述得到第二数据包之后,所述方法还包括:In the above method, after the second data packet is obtained, the method further includes:
接收用户的副署签名验证请求,并根据所述副署签名验证请求获取所述第二数据包;receiving the user's countersignature verification request, and obtaining the second data packet according to the countersignature verification request;
解析所述第二数据包,并获得所述第二数据包对应的第二应用程序文件和第二原签名文件;Analyzing the second data packet, and obtaining a second application program file and a second original signature file corresponding to the second data packet;
对所述第二应用程序文件进行哈希计算,得到第二签名原文;Perform hash calculation on the second application file to obtain the original text of the second signature;
对所述第二原签名文件进行解析,得到第二原生签名信息;Analyzing the second original signature file to obtain second original signature information;
根据所述第二签名原文和所述第二原生签名信息进行第二原生签名验证;performing second native signature verification according to the second original signature text and the second native signature information;
当所述第二原生签名验证成功时,响应所述副署签名验证请求,提取所述第二数据包中的第二副署签名信息,并对所述第二副署签名信息进行验证,生成验证结果。When the verification of the second original signature is successful, in response to the verification request of the counter-signature, extract the second counter-signature information in the second data packet, and verify the second counter-signature information to generate Validation results.
在上述方法中,所述将所述第一副署签名信息添加到所述第一数据包中,得到第二数据包,包括:In the above method, adding the first counter-signature information to the first data packet to obtain the second data packet includes:
将所述第一副署签名信息添加到所述第一原签名文件的非认证属性集合中,生成包含第一副署签名信息的第三原签名文件,所述非认证属性集合是所有所述第一副署签名信息的集合;Adding the first countersignature signature information to the non-authentication attribute set of the first original signature file to generate a third original signature file containing the first countersignature signature information, the non-authentication attribute set is all the A collection of first countersignature signature information;
将所述第三原签名文件进行打包,生成所述第二数据包。Packing the third original signature file to generate the second data packet.
本发明实施例提供一种签名服务器,其特征在于,所述服务器包括:An embodiment of the present invention provides a signature server, wherein the server includes:
待签名程序获取模块,用于接收用户的签名操作请求,并根据所述签名操作请求获取第一数据包;The program acquisition module to be signed is used to receive the user's signature operation request, and obtain the first data package according to the signature operation request;
签名原文生成模块,用于对所述第一数据包进行预处理,得到第一签名原文;A signature original text generating module, configured to preprocess the first data packet to obtain a first signature original text;
副署签名处理模块,用于当允许进行副署签名操作时,响应所述签名操作请求,通过签名工具对所述第一签名原文进行副署签名操作,得到第一副署签名信息;The counter-signature processing module is used to respond to the signature operation request when the counter-signature operation is allowed, and perform the counter-signature operation on the original text of the first signature through the signature tool to obtain the first counter-signature information;
数据包生成模块,用于将所述第一副署签名信息添加到所述第一数据包中,得到第二数据包。A data packet generating module, configured to add the first counter-signature information to the first data packet to obtain a second data packet.
在上述签名服务器中,所述签名服务器还包括:数据包处理模块和签名原文计算模块;In the above signature server, the signature server also includes: a data packet processing module and a signature original text calculation module;
所述数据包处理模块,用于解析所述第一数据包,并获得所述第一数据包对应的应用程序文件和第一原签名文件;The data packet processing module is configured to parse the first data packet, and obtain the application file and the first original signature file corresponding to the first data packet;
所述签名原文计算模块,用于对所述应用程序文件进行哈希计算,得到所述第一签名原文。The original signature calculation module is configured to perform hash calculation on the application file to obtain the first original signature.
在上述签名服务器中,所述签名服务器还包括:加密消息的语法标准(PKCS#7)文件处理模块;In the above signature server, the signature server also includes: a syntax standard (PKCS#7) file processing module for encrypted messages;
所述PKCS#7文件处理模块,用于对所述第一原签名文件进行解析,得到原生签名信息;The PKCS#7 file processing module is used to analyze the first original signature file to obtain original signature information;
所述PKCS#7文件处理模块,还用于通过根据所述第一签名原文和所述原生签名信息进行第一原生签名验证,来判断是否允许进行副署签名操作;当所述第一原生签名验证成功时,表征允许进行副署签名操作;当所述第一原生签名验证失败时,表征不允许进行副署签名操作。The PKCS#7 file processing module is also used to determine whether to allow a counter-signature operation by performing the first original signature verification according to the original signature text and the original signature information; when the first original signature When the verification is successful, the representation allows the counter-signature operation; when the verification of the first original signature fails, the representation does not allow the counter-signature operation.
在上述签名服务器中,所述待签名程序获取模块,还用于接收用户的副署签名验证请求,并根据所述副署签名验证请求获取所述第二数据包;In the above-mentioned signature server, the acquisition module of the program to be signed is further configured to receive a user's counter-signature verification request, and obtain the second data package according to the counter-signature verification request;
所述数据包处理模块,还用于解析所述第二数据包,并获得所述第二数据包对应的第二应用程序文件和第二原签名文件;The data packet processing module is further configured to parse the second data packet, and obtain a second application file and a second original signature file corresponding to the second data packet;
所述签名原文计算模块,还用于对所述第二应用程序文件进行哈希计算,得到第二签名原文;The original signature calculation module is further configured to perform hash calculation on the second application file to obtain a second original signature;
所述PKCS#7文件处理模块,还用于对所述第一原签名文件进行解析,得到第二原生签名信息;根据所述第二签名原文和所述第二原生签名信息进行第二所述原生签名验证;The PKCS#7 file processing module is also used to analyze the first original signature file to obtain the second original signature information; perform the second description according to the second original signature text and the second original signature information. Native signature verification;
所述副署签名处理模块,还用于当所述第二原生签名验证成功时,响应所述副署签名验证请求,提取所述第二数据包中的所述第一副署签名信息,并对所述第一副署签名信息进行验证,生成验证结果。The counter-signature processing module is further configured to respond to the counter-signature verification request when the second original signature verification is successful, extract the first counter-signature information in the second data packet, and Verifying the first counter-signature information to generate a verification result.
在上述签名服务器中,所述PKSC#7文件处理模块,还用于将所述第一副署签名信息添加到所述第一原签名文件的非认证属性集合中,生成包含第一副署签名信息的第三原签名文件,所述非认证属性集合是所有所述第一副署签名信息的集合;In the above-mentioned signature server, the PKSC#7 file processing module is further configured to add the first counter-signature information to the non-authentication attribute set of the first original signature file, and generate a signature containing the first counter-signature The third original signature file of the information, the non-authentication attribute set is the set of all the first counter-signature information;
所述数据包处理模块,还用于将封装的所述第三原签名文件进行打包,生成所述第二数据包。The data packet processing module is further configured to pack the encapsulated third original signature file to generate the second data packet.
本发明实施例提供了一种签名方法及服务器,该方法可以包括:接收用户的签名操作请求,并根据签名操作请求获取第一数据包;对第一数据包进行预处理,得到第一签名原文;当允许进行副署签名操作时,响应签名操作请求,通过签名工具对第一签名原文进行副署签名操作,得到第一副署签名信息;将第一副署签名信息添加到第一数据包中,得到第二数据包。采用上述技术实现方案,由于本方案可以在不影响原生签名信息的前提下,附加一个或者多个副署签名信息,并将第一副署签名信息存储至认证属性集合并列的非认证属性中,不影响原有应用程序的打包签名流程,因此,本方案能够使存量应用签名后能够平滑升级、并进行多方可信签名。An embodiment of the present invention provides a signature method and server, the method may include: receiving a signature operation request from a user, and obtaining a first data packet according to the signature operation request; preprocessing the first data packet to obtain the original signature text ; When the counter-signature operation is allowed, respond to the signature operation request, and use the signature tool to perform the counter-signature operation on the original text of the first signature to obtain the first counter-signature information; add the first counter-signature information to the first data packet , get the second data packet. Using the above-mentioned technical implementation scheme, because this scheme can add one or more countersignature signature information without affecting the original signature information, and store the first countersignature signature information in the non-authentication attribute parallel to the authentication attribute set, It does not affect the packaging and signing process of the original application. Therefore, this solution can enable the smooth upgrade of the stock application after signing, and perform multi-party trusted signature.
附图说明Description of drawings
图1为本发明实施例提供的一种签名方法的流程图一;Fig. 1 is a flow chart 1 of a signature method provided by an embodiment of the present invention;
图2为本发明实施例提供的一种签名方法的流程图二;Fig. 2 is a flowchart 2 of a signature method provided by an embodiment of the present invention;
图3为本发明实施例提供的一种示例性的副署签名信息的存储示意图;FIG. 3 is a schematic diagram of storage of an exemplary countersignature signature information provided by an embodiment of the present invention;
图4为本发明实施例提供的一种示例性的副署签名的流程图;FIG. 4 is a flowchart of an exemplary counter-signature provided by an embodiment of the present invention;
图5为本发明实施例提供的一种签名方法的流程图三;FIG. 5 is a flowchart three of a signature method provided by an embodiment of the present invention;
图6为本发明实施例提供的一种示例性的副署签名验证及提取的流程图;Fig. 6 is a flow chart of an exemplary countersignature signature verification and extraction provided by an embodiment of the present invention;
图7为本发明实施例提供的一种签名服务器的结构示意图一;FIG. 7 is a first structural diagram of a signature server provided by an embodiment of the present invention;
图8为本发明实施例提供的一种签名服务器的结构示意图二;FIG. 8 is a second structural diagram of a signature server provided by an embodiment of the present invention;
图9为本发明实施例提供的一种签名服务器的结构示意图三。FIG. 9 is a third schematic structural diagram of a signature server provided by an embodiment of the present invention.
具体实施方式detailed description
下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行清楚、完整地描述。The following will clearly and completely describe the technical solutions in the embodiments of the present invention with reference to the drawings in the embodiments of the present invention.
实施例一Embodiment one
本发明实施例提供一种签名方法,如图1所示,该方法可以包括:An embodiment of the present invention provides a signature method, as shown in Figure 1, the method may include:
S101、接收用户的签名操作请求,并根据签名操作请求获取第一数据包。S101. Receive a user's signature operation request, and acquire a first data packet according to the signature operation request.
本发明实施例提供的一种签名方法适用于对已经进行了数字签名的应用程序再次进行签名操作的场景下。The signature method provided by the embodiment of the present invention is applicable to the scenario of re-signing an application program that has already been digitally signed.
本发明实施例中,当用户需要对已经进行了数字签名的应用程序再次进行签名操作时,用户向签名服务器发送签名操作请求,来请求签名服务器对该应用程序进行副署签名操作,此时,签名服务器根据该签名操作请求来获取包含第一签名原文和第一原签名文件的第一数据包。In the embodiment of the present invention, when the user needs to sign the application program that has already been digitally signed, the user sends a signature operation request to the signature server to request the signature server to perform a counter-signature operation on the application program. At this time, According to the signature operation request, the signature server obtains the first data packet including the first original signature text and the first original signature file.
本发明实施例中,在应用程序生命周期的各个环节中,包含开发、检测和发布等环节,都需要进行数字签名,而在应用程序的第一个环节进行了原生签名操作之后,用户请求的每一次数字签名都是请求的副署签名。In the embodiment of the present invention, digital signatures are required in all links of the application life cycle, including development, testing, and release, and after the native signature operation is performed on the first link of the application, the Each digital signature is a countersignature of the request.
示例性的,当用户对开发完成的APK应用检测完成时,用户需要进行数字签名来认证检测该APK应用的责任人,此时,用户向签名服务器发送签名操作请求。Exemplarily, when the user finishes testing the developed APK application, the user needs to perform a digital signature to authenticate the person responsible for testing the APK application. At this time, the user sends a signature operation request to the signature server.
S102、对第一数据包进行预处理,得到第一签名原文。S102. Perform preprocessing on the first data packet to obtain the original text of the first signature.
当签名服务器获取到待签名的第一数据包之后,签名服务器从第一数据包中提取待签名的第一签名原文。After the signature server obtains the first data packet to be signed, the signature server extracts the first signature text to be signed from the first data packet.
本发明实施例中,签名服务器解析获取到的第一数据包,得到第一数据包对应的第一应用程序文件,然后对第一应用程序文件进行哈希计算,得到待签名的第一签名原文。In the embodiment of the present invention, the signature server parses the obtained first data packet to obtain the first application file corresponding to the first data packet, and then performs hash calculation on the first application file to obtain the first original signature text to be signed .
S103、当允许进行副署签名操作时,响应签名操作请求,通过签名工具对第一签名原文进行副署签名操作,得到第一副署签名信息。S103. When the counter-signature operation is allowed, respond to the signature operation request, and use the signature tool to perform a counter-signature operation on the original text of the first signature, to obtain first counter-signature information.
当签名服务器获取到第一签名原文之后,签名服务器首先判断是否允许进行副署签名操作,当判断为允许进行副署签名操作时,签名服务器使用签名工具对第一签名原文进行副署签名操作,并得到第一副署签名信息。After the signature server obtains the original text of the first signature, the signature server first judges whether to allow the counter-signature operation. And get the first countersignature signature information.
本发明实施例中,签名服务器解析获取到的第一数据包,得到第一数据包对应的第一原签名文件,并对第一原签名文件进行解析,得到第一原生签名信息,然后将第一原生签名信息与步骤S102中得到的第一签名原文进行第一原生签名验证,当第一原生签名验证成功时,表征第一应用程序文件没有被恶意篡改,此时,允许进行副署签名操作;当第一原生签名验证失败时,表征待签名的应用程序已经被进行了恶意篡改,此时,不允许进行副署签名操作。In the embodiment of the present invention, the signature server parses the acquired first data packet to obtain the first original signature file corresponding to the first data packet, and parses the first original signature file to obtain the first original signature information, and then converts the first original signature file to Perform the first original signature verification with the first original signature information obtained in step S102. When the first original signature verification is successful, it means that the first application file has not been maliciously tampered with. At this time, the counter-signature operation is allowed. ; When the verification of the first original signature fails, it indicates that the application program to be signed has been maliciously tampered with, and at this time, the counter-signature operation is not allowed.
本发明实施例中,当签名服务器判断允许进行副署签名操作时,签名服务器响应用户的签名操作请求,使用签名工具对第一签名原文进行副署签名操作。In the embodiment of the present invention, when the signature server determines that the counter-signature operation is allowed, the signature server responds to the user's signature operation request, and uses the signature tool to perform the counter-signature operation on the first signed original text.
可选的,本发明实施例中的签名工具可以为第三方CA机构签发的代码签名证书等可以进行副署签名操作的签名工具,具体的根据实际情况进行选择,本发明实施例不做具体限定。Optionally, the signature tool in the embodiment of the present invention can be a code signing certificate issued by a third-party CA institution, etc., which can perform counter-signature signature operations. The specific choice is made according to the actual situation, and the embodiment of the present invention does not specifically limit it. .
S104、将第一副署签名信息添加到第一数据包中,得到第二数据包。S104. Add the first counter-signature information to the first data packet to obtain a second data packet.
当签名服务器得到第一副署签名信息之后,签名服务器将第一副署签名信息添加到第一数据包中,得到包含第一副署签名信息的第二数据包。After the signature server obtains the first counter-signature information, the signature server adds the first counter-signature information to the first data packet, and obtains a second data packet including the first counter-signature information.
本发明实施例中,签名服务器将第一副署签名信息添加到第一原签名文件的非认证属性集合中,生成包含第一副署签名信息的第三原签名文件,然后将第二原签名文件进行打包,生成第二数据包。In the embodiment of the present invention, the signature server adds the first counter-signature information to the non-authentication attribute set of the first original signature file, generates a third original signature file containing the first counter-signature information, and then adds the second original signature The files are packaged to generate a second data package.
本发明实施例中,用户可以对同一待签名应用程序进行多次副署签名操作,得到多个副署签名信息,对于副署签名信息的个数根据实际情况来决定,本发明实施例不做具体限定。In the embodiment of the present invention, the user can perform multiple counter-signature operations on the same application program to be signed to obtain multiple counter-signature information. The number of counter-signature information is determined according to the actual situation. The embodiment of the present invention does not Specific limits.
可以理解的是,本发明实施例中在待签名应用程序中,可在不影响原生签名信息的前提下,附加一个或者多个副署签名信息,能够进行多方可信签名;且签名服务器将第一副署签名信息存储至与认证属性集合并列的非认证属性中,不影响原有应用程序的打包签名流程,能够在进行重签名之后能够平滑升级。It can be understood that in the embodiment of the present invention, in the application program to be signed, one or more countersignature signature information can be added without affecting the original signature information, and multi-party trusted signature can be performed; and the signature server will A copy of the signature information is stored in the non-authentication attribute parallel to the authentication attribute set, which does not affect the packaging and signing process of the original application, and can be upgraded smoothly after re-signing.
实施例二Embodiment two
本发明实施例提供一种签名方法,如图2所示,该方法可以包括:An embodiment of the present invention provides a signature method, as shown in Figure 2, the method may include:
S201、签名服务器接收用户的签名操作请求,并根据签名操作请求获取第一数据包。S201. The signature server receives a signature operation request from a user, and obtains a first data packet according to the signature operation request.
本发明实施例提供的一种签名方法适用于对已经进行了数字签名的应用程序再次进行签名操作的场景下。The signature method provided by the embodiment of the present invention is applicable to the scenario of re-signing an application program that has already been digitally signed.
本发明实施例中,当用户需要对已经进行了数字签名的应用程序再次进行签名操作时,用户向签名服务器发送签名操作请求,来请求签名服务器对该应用程序进行副署签名操作,此时,签名服务器的待签名程序获取模块根据该签名操作请求来获取包含第一签名原文和第一原签名文件的第一数据包。In the embodiment of the present invention, when the user needs to sign the application program that has already been digitally signed, the user sends a signature operation request to the signature server to request the signature server to perform a counter-signature operation on the application program. At this time, The acquisition module of the program to be signed in the signature server acquires the first data packet including the first signed original text and the first original signed file according to the signature operation request.
本发明实施例中,在应用程序生命周期的各个环节中,包含开发、检测和发布等环节,都需要进行数字签名,而在应用程序的第一个环节进行了原生签名操作之后,用户请求的每一次数字签名都是请求的副署签名。In the embodiment of the present invention, digital signatures are required in all links of the application life cycle, including development, testing, and release, and after the native signature operation is performed on the first link of the application, the Each digital signature is a countersignature of the request.
示例性的,当用户对开发完成的APK应用检测完成时,用户需要进行数字签名来认证检测该APK应用的责任人,此时,用户向签名服务器发送签名操作请求。Exemplarily, when the user finishes testing the developed APK application, the user needs to perform a digital signature to authenticate the person responsible for testing the APK application. At this time, the user sends a signature operation request to the signature server.
S202、签名服务器解析第一数据包,并获得第一数据包对应的第一应用程序文件。S202. The signature server parses the first data packet, and obtains a first application program file corresponding to the first data packet.
当签名服务器获取到第一数据包之后,签名服务器的数据包处理模块就要对第一数据包对应的第一应用程序文件进行副署签名操作了,具体的,首先数据包处理模块先通过解析第一数据包来获取第一数据包对应得到第一应用程序文件。After the signature server obtains the first data packet, the data packet processing module of the signature server will perform a counter-signature operation on the first application file corresponding to the first data packet. Specifically, the data packet processing module first passes the analysis The first data package is obtained by obtaining the first data package corresponding to the first application program file.
本发明实施例中,签名服务器的数据包处理模块通过解析第一数据包获得第一数据包对应的第一应用程序文件,该第一应用程序文件中包含有待签名的第一签名原文。In the embodiment of the present invention, the data packet processing module of the signature server obtains the first application program file corresponding to the first data packet by parsing the first data packet, and the first application program file includes the first original signature text to be signed.
S203、签名服务器对第一应用程序文件进行哈希计算,得到第一签名原文。S203. The signature server performs hash calculation on the first application program file to obtain the original text of the first signature.
当签名服务器获取到第一数据包对应的第一应用程序文件之后,就要获取第一应用程序文件中的第一签名原文了。After the signature server obtains the first application program file corresponding to the first data package, it needs to obtain the original text of the first signature in the first application program file.
本发明实施例中,签名服务器的签名原文计算模块通过对第一应用程序文件进行哈希计算来获取第一应用程序文件对应的第一签名原文。In the embodiment of the present invention, the original signature calculation module of the signature server acquires the first original signature corresponding to the first application file by performing hash calculation on the first application file.
进一步地,本发明实施例不限定必须使用哈希算法来获取第一应用程序文件对应的第一签名原文,具体的根据实际情况进行选择,本发明实施例不做具体限定。Further, the embodiment of the present invention does not limit that the hash algorithm must be used to obtain the original text of the first signature corresponding to the first application file, and the specific choice is made according to the actual situation, and the embodiment of the present invention does not make specific limitations.
S204、签名服务器解析第一数据包,并获得第一数据包对应的第一原签名文件。S204. The signature server parses the first data packet, and obtains a first original signature file corresponding to the first data packet.
当签名服务器获取到第一签名原文之后,签名服务器就要对第一签名原文的合法性进行判断,具体的,签名服务器首先获得第一数据包对应的第一原签名文件。After the signature server obtains the first original signature, the signature server will judge the legitimacy of the first original signature. Specifically, the signature server first obtains the first original signature file corresponding to the first data packet.
本发明实施例中,签名服务器的加密消息的语法标准(PKCS#7)文件处理模块通过解析第一数据包来获得第一数据包对应的第一原签名文件,该第一原签名文件中包含有第一原生签名信息。In the embodiment of the present invention, the syntax standard (PKCS#7) file processing module of the encrypted message of the signature server obtains the first original signature file corresponding to the first data packet by parsing the first data packet, and the first original signature file contains There is first native signature information.
S205、签名服务器对第一原签名文件进行解析,得到第一原生签名信息。S205. The signature server parses the first original signature file to obtain the first original signature information.
当签名服务器获得第一原签名文件之后,PKCS#7文件处理模块对第一原签名文件进行解析,得到第一原生签名信息。After the signature server obtains the first original signature file, the PKCS#7 file processing module analyzes the first original signature file to obtain the first original signature information.
本发明实施例中,PKCS#7文件处理模块通过解析第一原签名文件来获得第一原生签名信息,以供签名服务器判断第一应用程序文件的合法性。In the embodiment of the present invention, the PKCS#7 file processing module obtains the first original signature information by parsing the first original signature file, so that the signature server can judge the legality of the first application program file.
S206、签名服务器通过根据第一签名原文和第一原生签名信息进行第一原生签名验证,来判断是否允许进行所述副署签名操作。S206. The signature server judges whether to allow the counter-signature operation by verifying the first native signature according to the original text of the first signature and the first native signature information.
签名服务器通过根据获得的第一签名原文和第一原生签名信息来判断第一应用程序文件的合法性。The signature server judges the legitimacy of the first application program file according to the obtained first original signature text and first native signature information.
本发明实施例中,PKCS#7文件处理模块根据第一签名原文和第一原生签名信息第一原生签名验证,当第一原生签名验证成功时,表征第一应用程序文件没有被恶意篡改,此时判断第一应用程序文件合法;当第一原生签名验证失败时,表征第一应用程序文件已经被恶意篡改,此时判断第一应用程序文件不合法,而只有在第一应用程序文件合法的情况下,对第一应用程序文件进行副署签名操作才是有意义的。In the embodiment of the present invention, the PKCS#7 file processing module verifies the first original signature according to the first original signature text and the first original signature information. When the first original signature verification is successful, it indicates that the first application file has not been maliciously tampered with. When the first application file is judged to be legal; when the first native signature verification fails, it indicates that the first application file has been maliciously tampered with. In this case, it is meaningful to perform a counter-signature operation on the first application program file.
S207、当第一原生签名验证成功时,表征签名服务器允许进行副署签名操作。S207. When the verification of the first original signature is successful, the representative signature server allows the counter-signature operation.
当第一原生签名验证成功时,表征允许进行副署签名操作。When the verification of the first native signature is successful, the representation allows the countersignature operation.
本发明实施例中,当第一应用程序文件没有被恶意篡改时,表征允许进行副署签名操作。In the embodiment of the present invention, when the first application program file has not been maliciously tampered with, the representation allows the counter-signature operation.
S208、当允许进行副署签名操作时,签名服务器响应签名操作请求,该签名服务器通过签名工具对第一签名原文进行副署签名操作,得到第一副署签名信息。S208. When the counter-signature operation is allowed, the signature server responds to the signature operation request, and the signature server performs the counter-signature operation on the original text of the first signature through the signature tool to obtain the first counter-signature information.
当签名服务器判断允许进行副署签名操作时,签名服务器的副署签名模块对第一签名原文进行副署签名操作,得到第一副署签名信息。When the signature server determines that the counter-signature operation is allowed, the counter-signature module of the signature server performs the counter-signature operation on the original text of the first signature to obtain the first counter-signature information.
本发明实施例中,当签名服务器判断允许进行副署签名操作时,签名服务器响应用户的签名操作请求,使用签名工具对第一签名原文进行副署签名操作。In the embodiment of the present invention, when the signature server determines that the counter-signature operation is allowed, the signature server responds to the user's signature operation request, and uses the signature tool to perform the counter-signature operation on the first signed original text.
可选的,本发明实施例中的签名工具可以为第三方CA机构签发的代码签名证书等可以进行副署签名操作的签名工具,具体的根据实际情况进行选择,本发明实施例不做具体限定。Optionally, the signature tool in the embodiment of the present invention can be a code signing certificate issued by a third-party CA institution, etc., which can perform counter-signature signature operations. The specific choice is made according to the actual situation, and the embodiment of the present invention does not specifically limit it. .
S209、签名服务器将第一副署签名信息添加到第一原签名文件的非认证属性集合中,生成包含第一副署签名信息的第三原签名文件,非认证属性集合是所有第一副署签名信息的集合。S209. The signature server adds the first counter-signature signature information to the non-authentication attribute set of the first original signature file, and generates a third original signature file containing the first counter-signature signature information. The non-authentication attribute set is all first counter-signatures A collection of signature information.
签名服务器获取到第一副署签名信息之后,将第一副署签名信息添加到第一原签名文件的非认证属性集合中。After obtaining the first countersignature signature information, the signature server adds the first countersignature signature information to the non-authentication attribute set of the first original signature file.
本发明实施例中,签名服务器的PKCS#7文件处理模块将第一副署签名信息添加到第一原签名文件的非认证属性集合中,生成包含第一副署签名信息的第三原签名文件。In the embodiment of the present invention, the PKCS#7 file processing module of the signature server adds the first countersignature signature information to the non-authentication attribute set of the first original signature file, and generates the third original signature file containing the first countersignature signature information .
S210、签名服务器将第三原签名文件进行打包,生成第二数据包。S210. The signature server packages the third original signature file to generate a second data package.
当签名服务器对获取到第三原签名文件之后,将第三原签名文件打包至第一数据包中,生成第二数据包。After the signature server pair obtains the third original signature file, it packs the third original signature file into the first data package to generate a second data package.
本发明实施例中,签名服务器的数据包处理模块将第三原签名文件添加至第一数据包中,得到第二数据包,此时,完成了对待签名的第一数据包进行副署签名的过程。In the embodiment of the present invention, the data packet processing module of the signature server adds the third original signature file to the first data packet to obtain the second data packet. At this time, the counter-signature of the first data packet to be signed is completed. process.
本发明实施例中,用户可以对同一待签名应用程序进行多次副署签名操作,得到多个副署签名信息,对于副署签名信息的个数根据实际情况来决定,本发明实施例不做具体限定。In the embodiment of the present invention, the user can perform multiple counter-signature operations on the same application to be signed to obtain multiple counter-signature information. The number of counter-signature information is determined according to the actual situation. The embodiment of the present invention does not Specific limits.
S211、当第一原生签名验证失败时,表征签名服务器不允许进行副署签名操作。S211. When the verification of the first original signature fails, the representative signature server does not allow a counter-signature operation.
当第一原生签名验证失败时,表征第一应用程序文件已经被恶意篡改,此时,不允许进行副署签名操作。When the verification of the first original signature fails, it indicates that the first application program file has been maliciously tampered with, and at this time, the counter-signature operation is not allowed.
示例性的,如图3所示,对应用程序进行的签名操作遵循PKCS#7标准签名结构,一共包括目录信息、数字证书和签名者所有信息这三个部分,其中开发者的签名证书存放在数字证书中,本发明实施例中的副署签名者证书和开发者的签名证书一起存放至数字证书中,开发者的签名信息存放在签名者所有信息的签名者信息中,在签名者信息下添加了非认证属性集合,本发明实施例中的副署签名信息存储在非认证属性集合下,这样就实现了本发明实施例的副署签名相关信息的存储方式。Exemplarily, as shown in Figure 3, the signing operation for the application program follows the PKCS#7 standard signature structure, including three parts: directory information, digital certificate and all information of the signer, where the developer's signature certificate is stored in In the digital certificate, the counter-signer certificate in the embodiment of the present invention is stored in the digital certificate together with the developer's signature certificate, and the developer's signature information is stored in the signer information of all information of the signer, under the signer information The non-authentication attribute set is added, and the counter-signature information in the embodiment of the present invention is stored under the non-authentication attribute set, thus realizing the storage method of the counter-signature related information in the embodiment of the present invention.
示例性的,如图4所示,签名服务器进行副署签名的过程如下:Exemplarily, as shown in FIG. 4, the process of the signature server performing a counter-signature is as follows:
1、待签名程序获取模块接收用户发送的对APK包进行副署签名的请求,并获取待进行副署签名的APK包。1. The program acquisition module to be signed receives a request from the user for counter-signing the APK package, and obtains the APK package to be counter-signed.
2、数据包处理模块解析APK包,得到APK包中的应用程序文件。2. The data packet processing module parses the APK package to obtain application program files in the APK package.
3、签名原文计算模块对应用程序文件进行哈希计算,得到签名原文。3. The original signature calculation module performs hash calculation on the application file to obtain the original signature.
4、PKCS#7文件处理模块解析签名文件,获取原生签名信息。4. The PKCS#7 file processing module parses the signature file and obtains the original signature information.
5、PKCS#7文件处理模块根据签名原文和原生签名信息进行来验证原生签名信息的合法性。5. The PKCS#7 file processing module verifies the legitimacy of the original signature information according to the original signature text and original signature information.
6、当原生签名信息合法时,副署签名处理模块使用第三方CA机构颁发的代码签名证书对签名原文进行副署签名操作,并返回签名值。6. When the original signature information is legal, the counter-signature processing module uses the code signing certificate issued by the third-party CA organization to perform the counter-signature operation on the original signed text, and returns the signature value.
7、PKCS#7文件处理模块对签名值进行封装,生成包含副署签名信息的签名文件。7. The PKCS#7 file processing module encapsulates the signature value and generates a signature file containing countersignature signature information.
8、数据包处理模块对签名文件进行打包,形成新的APK包,完成副署签名操作。8. The data package processing module packages the signature file to form a new APK package and completes the counter-signature operation.
9、当原生签名信息不合法时,PKCS#7文件处理模块返回副署签名失败信息至数据包处理模块。9. When the original signature information is invalid, the PKCS#7 file processing module returns the countersignature signature failure information to the data packet processing module.
可以理解的是,本发明实施例中在待签名应用程序中,可在不影响原生签名信息的前提下,附加一个或者多个副署签名信息,能够进行多方可信签名;且签名服务器将第一副署签名信息存储至与认证属性集合并列的非认证属性中,不影响原有应用程序的打包签名流程,能够在进行重签名之后能够平滑升级。It can be understood that in the embodiment of the present invention, in the application program to be signed, one or more countersignature signature information can be added without affecting the original signature information, and multi-party trusted signature can be performed; and the signature server will A copy of the signature information is stored in the non-authentication attribute parallel to the authentication attribute set, which does not affect the packaging and signing process of the original application, and can be upgraded smoothly after re-signing.
进一步地,在步骤S211之后,本发明实施例还包括副署签名信息的验证提取方法,如图5所示,该方法可以包括:Further, after step S211, the embodiment of the present invention also includes a method for verifying and extracting countersignature signature information, as shown in FIG. 5 , the method may include:
S212、签名服务器接收用户的副署签名验证请求,并根据副署签名验证请求获取第二数据包。S212. The signature server receives the user's countersignature verification request, and obtains the second data packet according to the countersignature verification request.
当签名服务器获取到包含副署签名信息的第二数据包之后,签名服务器可以进行副署签名信息的验证和提取,首先,签名服务器接收用户的副署签名验证请求,并根据副署签名验证请求获取第二数据包。After the signature server obtains the second data packet containing the counter-signature information, the signature server can verify and extract the counter-signature information. First, the signature server receives the user's counter-signature verification request, and according to the counter-signature verification request Get the second data packet.
本发明实施例中,用户需要确认应用程序的每个环节的签名者信息时,用户向签名服务器发送副署签名验证请求,签名服务器待签名程序获取模块接收到用户发送的副署签名验证请求之后,获取第二数据包。In the embodiment of the present invention, when the user needs to confirm the signer information of each link of the application program, the user sends a countersignature signature verification request to the signature server, and the signature server waits for the signature program acquisition module to receive the countersignature signature verification request sent by the user. , get the second data packet.
S213、签名服务器解析第二数据包,并获得第二数据包对应的第二应用程序文件和第二原签名文件。S213. The signature server parses the second data packet, and obtains a second application program file and a second original signature file corresponding to the second data packet.
当签名服务器获取到第二数据包之后,签名服务器需要判断第一应用程序文件的合法性,首先,签名服务器获取第二数据包对应的第二应用程序文件和第二原签名文件。After the signature server obtains the second data package, the signature server needs to judge the legitimacy of the first application program file. First, the signature server obtains the second application program file and the second original signature file corresponding to the second data package.
本发明实施例中,签名服务器的数据包处理模块通过解析第二数据包来获取第二数据包对应的第二应用程序文件和第二原签名文件。In the embodiment of the present invention, the data packet processing module of the signature server obtains the second application program file and the second original signature file corresponding to the second data packet by parsing the second data packet.
本发明实施例中,第二应用程序文件可以和第一应用程序文件相同,第二原签名文件可以和第一原签名文件相同,具体的根据实际情况进行判断,本发明实施例不做具体限定。In the embodiment of the present invention, the second application program file can be the same as the first application program file, and the second original signature file can be the same as the first original signature file. The specific judgment is made according to the actual situation, and the embodiment of the present invention does not specifically limit it. .
S214、签名服务器对第二应用程序文件进行哈希计算,得到第二签名原文。S214. The signature server performs hash calculation on the second application program file to obtain the original text of the second signature.
当签名服务器获取到第二应用程序文件之后,签名服务器的签名原文计算模块对第二应用程序文件进行哈希计算,得到第二签名原文。After the signature server acquires the second application program file, the original signature calculation module of the signature server performs hash calculation on the second application program file to obtain the second original signature text.
可选的,本发明实施例不限定必须使用哈希算法来得到第二签名原文,具体的根据实际情况来进行选择,本发明实施例不做具体限定。Optionally, the embodiment of the present invention does not limit that the hash algorithm must be used to obtain the original text of the second signature, and the specific selection is made according to the actual situation, and is not specifically limited in the embodiment of the present invention.
S215、签名服务器对第二原签名文件进行解析,得到第二原生签名信息。S215. The signature server parses the second original signature file to obtain second original signature information.
当签名服务器获取到第二原签名文件之后,签名服务器的PKCS#7文件处理模块对第二原签名文件进行解析,得到第二原生签名信息。After the signature server obtains the second original signature file, the PKCS#7 file processing module of the signature server analyzes the second original signature file to obtain the second original signature information.
S216、签名服务器根据第二签名原文和第二原生签名信息进行第二原生签名验证。S216. The signature server verifies the second native signature according to the original text of the second signature and the second native signature information.
签名服务器根据获取到的第二签名原文和第二原生签名信息进行第二原生签名验证,来判断第二应用程序文件的合法性。The signature server performs the verification of the second native signature according to the obtained second original signature text and the second native signature information to judge the legitimacy of the second application program file.
本发明实施例中,签名服务器的PKCS#7文件处理模块根据第二签名原文和第二原生签名信息进行第二原生签名验证,当第二原生签名验证成功时,表征第二应用程序文件没有被恶意篡改,此时,PKCS#7文件处理模块允许进行副署签名的验证和提取;当第二原生签名验证失败时,表征第二应用程序文件被恶意篡改,此时,PKCS#7文件处理模块不允许进行副署签名的验证和提取操作。In the embodiment of the present invention, the PKCS#7 file processing module of the signature server performs the second original signature verification according to the second original signature text and the second original signature information. When the second original signature verification is successful, it indicates that the second application program file has not been Malicious tampering, at this time, the PKCS#7 file processing module allows the verification and extraction of the countersignature signature; when the second original signature verification fails, it indicates that the second application file has been maliciously tampered with, at this time, the PKCS#7 file processing module Verification and extraction of countersignatures are not allowed.
S217、当第二原生签名验证成功时,签名服务器响应副署签名验证请求,签名服务器提取第二数据包中的第二副署签名信息,并对第二副署签名信息进行验证,生成验证结果。S217. When the verification of the second original signature is successful, the signature server responds to the countersignature verification request, the signature server extracts the second countersignature signature information in the second data packet, and verifies the second countersignature signature information to generate a verification result .
当第二原生签名验证成功时,签名服务器响应签名验证请求,完成副署签名的验证和提取操作。When the verification of the second original signature is successful, the signature server responds to the signature verification request and completes the verification and extraction of the counter-signature.
本发明实施例中,签名服务器的副署签名模块可以从第二副署签名信息中提取指定的副署签名信息,也可以提取全部的第二副署签名信息,具体的根据实际情况进行选择,本发明实施例不做具体的限定。In the embodiment of the present invention, the counter-signature module of the signature server can extract the specified counter-signature information from the second counter-signature information, or can extract all the second counter-signature information, and specifically select according to the actual situation. The embodiments of the present invention do not make specific limitations.
本发明实施例中,当第二原生签名验证成功时,签名服务器的副署签名模块从第三原签名文件中提取第二副署签名信息,并且对第二副署签名信息进行验证,最后向用户返回副署签名的验证结果及签名者信息。In the embodiment of the present invention, when the verification of the second original signature is successful, the countersignature signature module of the signature server extracts the second countersignature signature information from the third original signature file, and verifies the second countersignature signature information, and finally sends the The user returns the verification result of the countersignature and the information of the signer.
示例性的,如图6所示,签名服务器进行副署签名信息的验证和提取的过程如下:Exemplarily, as shown in FIG. 6, the signature server verifies and extracts the countersignature signature information as follows:
1、待签名程序获取模块接收用户发送的对APK包进行副署签名验证及签名者信息提取的请求,并获取待进行副署签名验证及提取的APK包。1. The program acquisition module to be signed receives the request sent by the user to verify the signature of the APK package and extract the signer information, and obtain the APK package to be verified and extracted by the signature of the countersignature.
2、数据包处理模块解析APK包,得到应用程序文件。2. The data packet processing module parses the APK packet to obtain the application program file.
3、签名原文计算模块对应用程序文件进行哈希计算,得到签名原文。3. The original signature calculation module performs hash calculation on the application file to obtain the original signature.
4、PKCS#7文件处理模块解析签名文件,获取原生签名信息。4. The PKCS#7 file processing module parses the signature file and obtains the original signature information.
5、PKCS#7文件处理模块通过根据签名原文和原生签名信息来验证原生签名信息的合法性。5. The PKCS#7 file processing module verifies the legitimacy of the original signature information according to the original signature text and original signature information.
6、当原生签名信息合法时,副署签名处理模块提取副署签名信息,并对副署签名信息进行验证。6. When the original signature information is legal, the countersignature processing module extracts the countersignature information and verifies the countersignature information.
7、副署签名处理模块向用户返回副署签名验证结果及签名者信息,完成副署签名信息的提取和验证操作。7. The countersignature processing module returns the countersignature verification result and signer information to the user, and completes the extraction and verification of the countersignature information.
8、当原生签名信息不合法时,PKCS#7文件处理模块返回签名验证失败的指示。8. When the original signature information is invalid, the PKCS#7 file processing module returns an indication that the signature verification failed.
可以理解的是,在验证了原生签名信息合法的情况下,对副署签名信息进行验证和提取,能够更精确的锁定应用程序中每个环节的责任人。It is understandable that, after verifying that the original signature information is legal, verifying and extracting the counter-signature information can more precisely lock the person responsible for each link in the application.
实施例三Embodiment Three
本发明实施例提供一种签名服务器1,如图7所示,该签名服务器1可以包括:An embodiment of the present invention provides a signature server 1. As shown in FIG. 7, the signature server 1 may include:
待签名程序获取模块10,用于接收用户的签名操作请求,并根据所述签名操作请求获取第一数据包。The program acquisition module 10 to be signed is configured to receive a user's signature operation request, and obtain the first data package according to the signature operation request.
签名原文生成模块11,用于对所述第一数据包进行预处理,得到第一签名原文。The original signature generation module 11 is configured to preprocess the first data packet to obtain the first original signature.
副署签名处理模块12,用于当允许进行副署签名操作时,响应所述签名操作请求,通过签名工具对所述第一签名原文进行副署签名操作,得到第一副署签名信息。The counter-signature processing module 12 is configured to, when the counter-signature operation is allowed, respond to the signature operation request, perform a counter-signature operation on the first original signature text through a signature tool, and obtain first counter-signature information.
数据包生成模块13,用于将所述第一副署签名信息添加到所述第一数据包中,得到第二数据包。A data packet generating module 13, configured to add the first counter-signature information to the first data packet to obtain a second data packet.
可选的,基于图7如图8所示,所述签名服务器1还包括:数据包处理模块14和签名原文计算模块15。Optionally, as shown in FIG. 8 based on FIG. 7 , the signature server 1 further includes: a data packet processing module 14 and a signature original text calculation module 15 .
所述数据包处理模块14,用于解析所述第一数据包,并获得所述第一数据包对应的应用程序文件和第一原签名文件。The data packet processing module 14 is configured to parse the first data packet, and obtain the application program file and the first original signature file corresponding to the first data packet.
所述签名原文计算模块15,用于对所述应用程序文件进行哈希计算,得到所述第一签名原文。The original signature calculation module 15 is configured to perform hash calculation on the application file to obtain the first original signature.
可选的,基于图8如图9所示,所述签名服务器1还包括:加密消息的语法标准(PKCS#7)文件处理模块16。Optionally, as shown in FIG. 9 based on FIG. 8 , the signature server 1 further includes: a syntax standard (PKCS#7) file processing module 16 for encrypted messages.
所述PKCS#7文件处理模块16,用于对所述第一原签名文件进行解析,得到原生签名信息。The PKCS#7 file processing module 16 is configured to analyze the first original signature file to obtain original signature information.
所述PKCS#7文件处理模块16,还用于通过根据所述第一签名原文和所述原生签名信息进行第一原生签名验证,来判断是否允许进行副署签名操作;当所述第一原生签名验证成功时,表征允许进行副署签名操作;当所述第一原生签名验证失败时,表征不允许进行副署签名操作。The PKCS#7 file processing module 16 is also used to determine whether to allow a counter-signature operation by performing the first original signature verification according to the original signature text and the original signature information; when the first original signature When the signature verification is successful, the representation allows the counter-signature operation; when the verification of the first original signature fails, the representation does not allow the counter-signature operation.
可选的,所述待签名程序获取模块10,还用于接收用户的副署签名验证请求,并根据所述副署签名验证请求获取所述第二数据包。Optionally, the to-be-signed program acquiring module 10 is further configured to receive a user's counter-signature verification request, and acquire the second data package according to the counter-signature verification request.
所述数据包处理模块14,还用于解析所述第二数据包,并获得所述第二数据包对应的第二应用程序文件和第二原签名文件。The data packet processing module 14 is further configured to parse the second data packet, and obtain a second application program file and a second original signature file corresponding to the second data packet.
所述签名原文计算模块15,还用于对所述第二应用程序文件进行哈希计算,得到第二签名原文。The original signature calculation module 15 is further configured to perform hash calculation on the second application program file to obtain a second original signature.
所述PKCS#7文件处理模块16,还用于对所述第一原签名文件进行解析,得到得人原生签名信息;根据所述第二签名原文和所述第二原生签名信息进行第二原生签名验证。The PKCS#7 file processing module 16 is also used to analyze the first original signature file to obtain original signature information; perform the second original signature information according to the second signature text and the second original signature information. Signature verification.
所述副署签名处理模块12,还用于当所述第二原生签名验证成功时,响应所述副署签名验证请求,提取所述第二数据包中的第二副署签名信息,并对所述第一副署签名信息进行验证,生成验证结果。The countersignature processing module 12 is further configured to respond to the countersignature verification request when the second original signature verification is successful, to extract the second countersignature information in the second data packet, and to The first countersignature signature information is verified to generate a verification result.
可选的,所述PKSC#7文件处理模块16,还用于将所述第一副署签名信息添加到所述第一原签名文件的非认证属性集合中,生成包含第一副署签名信息的第三原签名文件,所述非认证属性集合是所有所述第一副署签名信息的集合。Optionally, the PKSC#7 file processing module 16 is further configured to add the first counter-signature information to the non-authentication attribute set of the first original signature file, and generate a file containing the first counter-signature information. The third original signature file, the non-authentication attribute set is a set of all the first countersignature signature information.
所述数据包处理模块14,还用于将所述第三原签名文件进行打包,生成所述第二数据包。The data packet processing module 14 is further configured to pack the third original signature file to generate the second data packet.
本领域内的技术人员应明白,本发明的实施例可提供为方法、系统、或计算机程序产品。因此,本发明可采用硬件实施例、软件实施例、或结合软件和硬件方面的实施例的形式。而且,本发明可采用在一个或多个其中包含有计算机可用程序代码的计算机可用存储介质(包括但不限于磁盘存储器和光学存储器等)上实施的计算机程序产品的形式。Those skilled in the art should understand that the embodiments of the present invention may be provided as methods, systems, or computer program products. Accordingly, the present invention can take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage and optical storage, etc.) having computer-usable program code embodied therein.
本发明是参照根据本发明实施例的方法、设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It should be understood that each procedure and/or block in the flowchart and/or block diagram, and a combination of procedures and/or blocks in the flowchart and/or block diagram can be realized by computer program instructions. These computer program instructions may be provided to a general purpose computer, special purpose computer, embedded processor, or processor of other programmable data processing equipment to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing equipment produce a An apparatus for realizing the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instructions The device realizes the function specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.
这些计算机程序指令也可装载到计算机或其他可编程数据处理设备上,使得在计算机或其他可编程设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, thereby The instructions provide steps for implementing the functions specified in the flow chart or blocks of the flowchart and/or the block or blocks of the block diagrams.
以上所述,仅为本发明的较佳实施例而已,并非用于限定本发明的保护范围。The above descriptions are only preferred embodiments of the present invention, and are not intended to limit the protection scope of the present invention.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710084356.1ACN106888094B (en) | 2017-02-16 | 2017-02-16 | A signature method and server |
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710084356.1ACN106888094B (en) | 2017-02-16 | 2017-02-16 | A signature method and server |
| Publication Number | Publication Date |
|---|---|
| CN106888094Atrue CN106888094A (en) | 2017-06-23 |
| CN106888094B CN106888094B (en) | 2019-06-14 |
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710084356.1AActiveCN106888094B (en) | 2017-02-16 | 2017-02-16 | A signature method and server |
| Country | Link |
|---|---|
| CN (1) | CN106888094B (en) |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107911222A (en)* | 2017-11-21 | 2018-04-13 | 沃通电子认证服务有限公司 | Digital signature generation, verification method and its equipment and storage medium |
| CN112989435A (en)* | 2021-03-26 | 2021-06-18 | 武汉深之度科技有限公司 | Digital signature method and computing device |
| CN113094659A (en)* | 2021-03-17 | 2021-07-09 | 青岛海尔科技有限公司 | Method, device, platform equipment and system for publishing application file |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105320900A (en)* | 2014-07-24 | 2016-02-10 | 方正国际软件(北京)有限公司 | PDF digital signature method and system and PDF digital signature verification method and system |
| CN105873030A (en)* | 2015-01-22 | 2016-08-17 | 卓望数码技术(深圳)有限公司 | Method for performing countersigning on an application of terminal |
| CN106209379A (en)* | 2016-07-04 | 2016-12-07 | 江苏先安科技有限公司 | A kind of Android APK countersignature verification method |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105320900A (en)* | 2014-07-24 | 2016-02-10 | 方正国际软件(北京)有限公司 | PDF digital signature method and system and PDF digital signature verification method and system |
| CN105873030A (en)* | 2015-01-22 | 2016-08-17 | 卓望数码技术(深圳)有限公司 | Method for performing countersigning on an application of terminal |
| CN106209379A (en)* | 2016-07-04 | 2016-12-07 | 江苏先安科技有限公司 | A kind of Android APK countersignature verification method |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107911222A (en)* | 2017-11-21 | 2018-04-13 | 沃通电子认证服务有限公司 | Digital signature generation, verification method and its equipment and storage medium |
| CN107911222B (en)* | 2017-11-21 | 2020-08-28 | 沃通电子认证服务有限公司 | Digital signature generating method, digital signature verifying method, digital signature generating apparatus, digital signature verifying apparatus, and storage medium storing digital signature verifying program |
| CN113094659A (en)* | 2021-03-17 | 2021-07-09 | 青岛海尔科技有限公司 | Method, device, platform equipment and system for publishing application file |
| CN112989435A (en)* | 2021-03-26 | 2021-06-18 | 武汉深之度科技有限公司 | Digital signature method and computing device |
| Publication number | Publication date |
|---|---|
| CN106888094B (en) | 2019-06-14 |
| Publication | Publication Date | Title |
|---|---|---|
| CN107463806B (en) | Signature and signature verification method for Android application program installation package | |
| CN113190834B (en) | File signing method, computing device and storage medium | |
| CN102880456B (en) | Plug-in loading method and system | |
| KR101740256B1 (en) | Apparatus for mobile app integrity assurance and method thereof | |
| CN108683502B (en) | Digital signature verification method, medium and equipment | |
| CN104426658B (en) | The method and device of authentication is carried out to the application on mobile terminal | |
| CN102024127A (en) | Control platform, user terminal, distribution system and method of application software | |
| CN108259479B (en) | Business data processing method, client and computer readable storage medium | |
| CN107301343A (en) | Secure data processing method, device and electronic equipment | |
| KR20150035249A (en) | Recording medium storing application package, method and apparatus of creating application package, method and apparatus of executing application package | |
| US20160380771A1 (en) | Binary code authentication | |
| CN106709281B (en) | Patch granting and acquisition methods, device | |
| CN112433742A (en) | Secure firmware updating method, device, equipment and storage medium | |
| CN106888094A (en) | A kind of endorsement method and server | |
| CN115048630A (en) | Integrity verification method and device of application program, storage medium and electronic equipment | |
| CN105873044B (en) | application program publishing method based on android platform, developer tracing method and device | |
| CN114185702B (en) | Cross-platform calling method, device and equipment for shared application and storage medium | |
| CN116244756A (en) | Browser plug-in verification method, device, and computing device | |
| CN107145342B (en) | Method and device for processing channel information of application | |
| WO2020062233A1 (en) | Method and apparatus for processing and deploying application program, and computer-readable medium | |
| CN110602051B (en) | Information processing method based on consensus protocol and related device | |
| CN111274552A (en) | Signature and signature verification method of upgrade package and storage medium | |
| CN116582279A (en) | An HTTP request processing method and device | |
| CN109165512A (en) | A kind of the intention agreement URL leak detection method and device of application program | |
| CN117519813A (en) | File running method and device |
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |