






Technical field
The present invention relates to the technical field of digital certificate management, and in particular to a blockchain-based digital certificate management method, system, and device, and a computer-readable storage medium.
Background
The existing certificate issuance and verification process is: X1: the certificate issuer issues a certificate to a person who meets a given qualification; X2: the certificate holder provides the certificate to the verifier for verification; X3: the verifier verifies the certificate provided by the certificate holder. This existing process has the following disadvantages:
1. The traditional certificate issuance and verification process involves issuing and verifying a large number of paper certificates. In most cases the verifier has no direct contact with the certificate issuer and must therefore check with the issuer by telephone or similar means, which reduces verification efficiency and wastes a large amount of manpower, material and other resources.
2. Paper or electronic certificates can be forged and are difficult to supervise, which hinders the smooth progress of the certificate verification process.
3. Paper certificates are hard to keep safe; once lost, important private information may be leaked. In addition, the process of obtaining a replacement is cumbersome and has a high time cost.
4. The verification process requires the complete certificate to be presented, which may disclose important information that is unnecessary for the verification, increasing the risk of privacy leakage.
5. The traditional certificate issuer's database is a central database. Once a database of this type is maliciously attacked, the privacy of a large number of members is leaked.
Summary of the invention
The present invention provides a blockchain-based digital certificate management method, system, and device, and a computer-readable storage medium, to solve the technical problems of low efficiency and poor security in the traditional certificate issuance and verification process.
According to one aspect of the present invention, a blockchain-based digital certificate management method is provided, comprising the following steps:
Step S1: register a credential template on the public ledger of the blockchain, and after successful registration define the certificate according to the template;
Step S2: the certificate applicant node and the certificate authority node confirm each other's identities and then establish a secure connection;
Step S3: the certificate authority node sends a digital certificate to the certificate applicant node, and all claim contents of the certificate carry the public key DID signature of the certificate authority node;
Step S4: the certificate verification authority node and the certificate holder node confirm each other's identities and then establish a secure connection;
Step S5: the certificate verification authority node verifies the validity of the digital certificate based on the verifiable claim provided by the certificate holder node, where the certificate holder node is the earlier certificate applicant node.
Further, step S2 includes the following steps:
Step S21: the certificate authority node sends invitation information to the certificate applicant node;
Step S22: the certificate applicant node requests the DID document of the certificate authority node from the public ledger;
Step S23: the public ledger returns the corresponding DID document in response to the request of the certificate applicant node, and the certificate applicant node compares the public key content of the DID document with the inviter's public key information to confirm whether the sender of the invitation information is the certificate authority node;
Step S24: the certificate applicant node creates a new DID, which is used only to exchange information with the certificate authority node;
Step S25: the certificate applicant node accepts the invitation request of the certificate authority node and sends it a connection establishment request. The request must provide the DID newly created by the certificate applicant node and the corresponding DID document. The content of the request must be encrypted when sent, and can only be decrypted using the public key of the certificate authority node;
Step S26: the certificate authority node creates a pair of DIDs used only for the connection with this certificate applicant node;
Step S27: the certificate authority node accepts the connection request of the certificate applicant node and returns an acceptance response to the certificate applicant node. The response must provide the DID newly created by the certificate authority node and the corresponding DID document. The request must be encrypted when sent, and can only be decrypted using the DID public key newly created by the certificate applicant node.
Further, step S3 includes the following steps:
Step S31: the certificate authority node sends a request to the certificate applicant node; if the certificate applicant node provided a client endpoint to the certificate authority node during the connection establishment phase, this phase is completed automatically;
Step S32: the certificate applicant node downloads the certificate definition from the public ledger to confirm the certificate type and content that the request corresponds to, and the public ledger returns the certificate definition queried by the certificate applicant node;
Step S33: the certificate applicant node accepts the request sent by the certificate authority node and sends it the application link for the certificate;
Step S34: the certificate authority node sends the certificate applicant node the data attributes required to generate the certificate, and the certificate applicant node provides the corresponding attributes to the certificate authority node;
Step S35: the certificate authority node generates the certificate belonging to the applicant from the attributes provided by the certificate applicant node, and stores the hash header of the certificate issuance record on the public ledger;
Step S36: the certificate authority node sends the certificate to the certificate applicant node. All claim contents of the certificate carry the public key DID signature of the certificate authority node, which guarantees the authenticity of all data involved in the certificate;
Step S37: after receiving the certificate, the certificate applicant node places it in the key management system so that personal information is not leaked.
Further, step S4 includes the following steps:
Step S41: the certificate verification authority node sends invitation information to the certificate holder node;
Step S42: the certificate holder node requests the DID document of the certificate verification authority node from the public ledger;
Step S43: the public ledger returns the corresponding DID document in response to the request of the certificate holder node, and the certificate holder node compares the public key content of the DID document with the public key information of the invitation sender to confirm whether the sender of the invitation information is the certificate verification authority node;
Step S44: the certificate holder node creates a new DID, which is used only to exchange information with the certificate verification authority node;
Step S45: the certificate holder node accepts the invitation request of the certificate verification authority node and sends it a connection establishment request. The request must provide the DID newly created by the certificate holder node and the corresponding DID document. The content of the request must be encrypted when sent, and can only be decrypted using the public key of the certificate verification authority node;
Step S46: the certificate verification authority node creates a pair of DIDs used only for the connection with this certificate holder;
Step S47: the certificate verification authority node accepts the connection request of the certificate holder node and returns an acceptance response to the holder. The response must provide the DID newly created by the certificate verification authority node and the corresponding DID document. The request must be encrypted when sent, and can only be decrypted using the DID public key newly created by the certificate holder node.
Further, step S5 includes the following steps:
Step S51: the certificate verification authority node sends a claim request message to the certificate holder node through the DID used in the connection establishment phase;
Step S52: the certificate holder node decides whether to disclose the attributes the verifier needs and, according to the requirements of the certificate verification authority node, provides it with a verifiable claim that discloses only part of the information in the certificate;
Step S53: the certificate holder node signs the generated verifiable claim to ensure that the proof was generated by it, and sends it to the certificate verification authority node;
Step S54: based on the verifiable claim provided by the certificate holder node, the certificate verification authority node queries the public ledger for the issuance record of the corresponding certificate to verify its authenticity, and at the same time verifies the revocation status of the claim through the accumulator;
Step S55: the public ledger returns the issuance record and revocation status of the queried certificate to the certificate verification authority node, and from the returned content the certificate verification authority node can confirm the validity of the digital certificate held by the certificate holder node.
Further, the process of generating a verifiable certificate specifically includes the following:
A key pair is generated with the RSA algorithm: two unequal prime numbers p and q are randomly selected, n=p*q and the Euler function of n are calculated, an integer coprime with is randomly selected, and the modular inverse element d corresponding to e is calculated, giving the key pair Key=(Pub_K,Pri_K)=((n,e),(n,d));
The relevant attributes of the certificate subject and the information of the issuing authority, raw_data, are input;
A hash is computed over the content generated from the input attributes of the certificate subject and the information of the issuing authority, giving the hash value H: H=hash_function(raw_data);
The hash value H is RSA-signed with the private key of the issuing authority: signature = H^d mod n;
The content generated from the input attributes of the certificate subject and the information of the issuing authority is concatenated into one file with the result of RSA-signing the hash value with the issuing authority's private key, which produces the verifiable certificate.
Further, the process of verifying a verifiable claim includes the following:
Compare the holder public key in the claim with the DID document corresponding to the submitter's public key, and verify the validity of the claim signature, that is, that the generator of the claim is the same as the submitter;
Using the name of the issuing authority in the claim, download the corresponding DID document from the ledger, obtain the issuing authority's public key from the document, and verify whether the issuing authority is authoritative;
Verify the data of the disclosed fields to ensure that the disclosed fields have been certified by the issuing authority;
After the above verification steps, the trusted disclosed content can be displayed, and no information other than the disclosed content is obtained, which protects the privacy of the certificate holder.
In addition, the present invention also provides a blockchain-based digital certificate management system that uses the digital certificate management method described above. The system includes:
a template registration module, used to register a credential template on the public ledger of the blockchain, after which the certificate can be defined according to the template;
an identity confirmation module, used by the nodes of the two parties to confirm each other's identities and then establish a secure connection;
a digital certificate issuing module, used by the certificate authority node to send a digital certificate to the certificate applicant node, where all claim contents of the certificate carry the public key DID signature of the certificate authority node;
a certificate verification module, used by the certificate verification authority node to verify the validity of the digital certificate based on the verifiable claim provided by the certificate holder node.
In addition, the present invention also provides an electronic device including a processor and a memory. A computer program is stored in the memory, and the processor executes the steps of the method described above by calling the computer program stored in the memory.
In addition, the present invention also provides a computer-readable storage medium for storing a computer program for blockchain-based digital certificate management. When run on a computer, the computer program executes the steps of the method described above.
The present invention has the following effects:
In the blockchain-based digital certificate management method of the present invention, the credential template used to generate certificates can only be issued after going through a registration procedure. This strictly controls certificate issuance at its source, raises the threshold for certificate forgery and improves credibility. The credential template and sending record of every certificate are traceable, which completely solves the problem of certificate forgery, reduces the cost of certificate inspection and improves its efficiency. Moreover, before a certificate is issued or verified, a secure connection must first be established between applicant and issuer, and between holder and verifier. The DID technology adopted in the present invention provides the basis for this secure communication: a message is encrypted with a public key when it is sent and delivered to the specified service endpoint, and only the corresponding private key can decrypt the ciphertext, which increases the security of certificate delivery. In addition, in the certificate verification stage, the verifier can complete the validity verification of the certificate based on the verifiable claim provided by the holder. The generation of the verifiable claim combines cryptographic techniques such as zero-knowledge proofs and Merkle trees to selectively disclose certificate attributes, which keeps the certificate holder's private information from being leaked and improves security.
In addition, the blockchain-based digital certificate management system, device, and storage medium of the present invention have the same advantages.
Besides the objects, features and advantages described above, the present invention has other objects, features and advantages. The present invention is described in further detail below with reference to the drawings.
Description of the drawings
The accompanying drawings, which form part of the present application, are provided for further understanding of the present invention. The exemplary embodiments of the present invention and their descriptions are used to explain the present invention and do not constitute an improper limitation of it. In the drawings:
FIG. 1 is a schematic flowchart of a blockchain-based digital certificate management method according to a preferred embodiment of the present invention.
FIG. 2 is a schematic diagram of the sub-flow of step S2 in FIG. 1.
FIG. 3 is a schematic diagram of the sub-flow of step S3 in FIG. 1.
FIG. 4 is a schematic diagram of the sub-flow of step S4 in FIG. 1.
FIG. 5 is a schematic diagram of the sub-flow of step S5 in FIG. 1.
FIG. 6 is a schematic diagram of the stages in the life cycle of a digital certificate in a preferred embodiment of the present invention.
FIG. 7 is a schematic diagram of the module structure of a blockchain-based digital certificate management system according to another embodiment of the present invention.
Detailed description
The embodiments of the present invention are described in detail below with reference to the accompanying drawings, but the present invention can be implemented in many different ways as defined and covered below.
As shown in FIG. 1, a preferred embodiment of the present invention provides a blockchain-based digital certificate management method, including the following steps:
Step S1: register a credential template on the public ledger of the blockchain, and after successful registration define the certificate according to the template;
Step S2: the certificate applicant node and the certificate authority node confirm each other's identities and then establish a secure connection;
Step S3: the certificate authority node sends a digital certificate to the certificate applicant node, and all claim contents of the certificate carry the public key DID signature of the certificate authority node;
Step S4: the certificate verification authority node and the certificate holder node confirm each other's identities and then establish a secure connection;
Step S5: the certificate verification authority node verifies the validity of the digital certificate based on the verifiable claim provided by the certificate holder node.
It can be understood that, according to their function, the materials used for proof within the blockchain network fall into three types: credential templates, verifiable certificates and verifiable claims. The data structure of each is introduced below:
A credential template is a certificate template registered in the distributed database. It is designed by the certificate issuing authority and registered on the distributed ledger after being signed by that authority. A credential template can contain the credential type, credential version number, credential data structure, the issuing authority's public key and signature, and similar content. A credential template registered on the distributed ledger can be downloaded and viewed by everyone in the system.
A verifiable certificate is a digital certificate generated from a credential template and held by an entity such as an individual or an institution. In general, a verifiable certificate needs to include the following: 1. Certificate metadata, containing information about the credential such as the issuing authority and the credential type; 2. Claims, a set of descriptive statements about the holding subject; 3. The issuing authority's digital signature: a verifiable certificate is in essence a descriptive statement issued by one DID to endorse certain attributes of another DID, so the endorser's digital signature must be attached to guarantee the authenticity of the certificate; 4. The holder's public key, used to describe the identity of the certificate holder. Because a verifiable certificate contains the user's private information, it is generally stored on a private device or at a network address that requires authorization.
A verifiable claim is a statement with a verification function that is based on the zero-knowledge proof principle, generated from a verifiable certificate, and able to selectively disclose some attributes. Through a verifiable claim, a DID holder can prove to other organizations or individuals that certain of its assertions are trustworthy. At the same time, selectively disclosing certificate attributes with cryptographic techniques such as zero-knowledge proofs and Merkle trees keeps the certificate holder's private information from being leaked. In general, a verifiable claim needs to include the following: 1. The proof list, that is, the disclosed attributes; 2. The holder's public key, used to describe the identity of the generator of the claim; 3. The disclosed field index, through which the attributes to be disclosed can be shown without leaking other information; 4. The Merkle root signed by the issuing authority, which proves that the disclosed claim attributes were certified by the issuing authority and have not been tampered with. Here, a DID is a string in a specific format that represents the digital identity of an entity. A DID identifier is independent of any centralized registry, identity provider or certificate authority, and is globally unique, resolvable, highly available and cryptographically verifiable. Every DID identifier corresponds to a DID document, which is a set of JSON strings and generally contains the DID subject, public keys, service endpoints, authorization and similar content.
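The RSA hash-and-sign step of certificate generation and the verifiable claim structure described above, combined in one added example that is not part of the patent text: the issuer signs a Merkle root over the certificate attributes, the holder discloses a subset with Merkle paths, and the verifier checks both against the issuer key taken from the ledger. The salted leaf encoding, the `did:example:issuer` identifier, the in-memory `LEDGER` and the demo key are assumptions; the holder's own signature (step S53) and the revocation check are left out.

```python
import hashlib
import json
import secrets

# Constructed demo key: two Mersenne primes, trivially factorable, chosen only
# so the example runs offline. Key = ((n, e), (n, d)) as in the text.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse of e modulo phi(n)
ISSUER_DID = "did:example:issuer"   # hypothetical identifier
LEDGER = {ISSUER_DID: (N, E)}       # stands in for the issuer DID document


def h_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def leaf(name, value, salt: bytes) -> bytes:
    # Assumption: a random per-attribute salt, so hidden low-entropy values
    # cannot be guessed from sibling hashes; 0x00/0x01 separate leaves and nodes.
    return hashlib.sha256(b"\x00" + salt + json.dumps([name, value]).encode()).digest()


def node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def merkle_levels(leaves):
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        # An unpaired last node is promoted unchanged to the next level.
        levels.append([node(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels


def merkle_proof(levels, index):
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            proof.append((level[sib], sib < index))  # (hash, sibling is on the left)
        index //= 2
    return proof


def root_from_proof(leaf_hash, proof):
    cur = leaf_hash
    for sib, sib_is_left in proof:
        cur = node(sib, cur) if sib_is_left else node(cur, sib)
    return cur


def issue(attrs, issuer=ISSUER_DID, priv=(N, D)):
    """Issuer side: raw_data is assumed here to be issuer DID plus Merkle root."""
    salts = {k: secrets.token_bytes(16) for k in attrs}
    root = merkle_levels([leaf(k, attrs[k], salts[k]) for k in sorted(attrs)])[-1][0]
    n, d = priv
    # signature = H^d mod n, the unpadded form given in the text; production
    # code should use a padded scheme such as RSA-PSS from a vetted library.
    sig = pow(h_int(issuer.encode() + b"|" + root), d, n)
    return {"issuer": issuer, "attrs": dict(attrs), "salts": salts,
            "root": root, "signature": sig}


def present(cert, disclose):
    """Holder side: reveal only the chosen attributes, each with its Merkle path."""
    names = sorted(cert["attrs"])
    levels = merkle_levels([leaf(k, cert["attrs"][k], cert["salts"][k]) for k in names])
    disclosed = [{"name": k, "value": cert["attrs"][k], "salt": cert["salts"][k],
                  "proof": merkle_proof(levels, names.index(k))} for k in disclose]
    return {"issuer": cert["issuer"], "root": cert["root"],
            "signature": cert["signature"], "disclosed": disclosed}


def verify_claim(claim, ledger=LEDGER):
    """Verifier side: return the trusted disclosed attributes, or None on failure."""
    pub = ledger.get(claim["issuer"])
    if pub is None:
        return None                                   # issuer not on the ledger
    n, e = pub
    expected = h_int(claim["issuer"].encode() + b"|" + claim["root"])
    if pow(claim["signature"], e, n) != expected:
        return None                                   # root not signed by issuer
    trusted = {}
    for item in claim["disclosed"]:
        leaf_hash = leaf(item["name"], item["value"], item["salt"])
        if root_from_proof(leaf_hash, item["proof"]) != claim["root"]:
            return None                               # attribute not under the root
        trusted[item["name"]] = item["value"]
    return trusted
```
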
It can be understood that, in the blockchain-based digital certificate management method of this embodiment, the credential template used to generate certificates can only be issued after going through a registration procedure. This strictly controls certificate issuance at its source, raises the threshold for certificate forgery and improves credibility. The credential template and sending record of every certificate are traceable, which completely solves the problem of certificate forgery, reduces the cost of certificate inspection and improves its efficiency. Moreover, before a certificate is issued or verified, a secure connection must first be established between applicant and issuer, and between holder and verifier. The DID technology adopted in the present invention provides the basis for this secure communication: a message is encrypted with a public key when it is sent and delivered to the specified service endpoint, and only the corresponding private key can decrypt the ciphertext, which increases the security of certificate delivery. In addition, in the certificate verification stage, the verifier can complete the validity verification of the certificate based on the verifiable claim provided by the holder. The generation of the verifiable claim combines cryptographic techniques such as zero-knowledge proofs and Merkle trees to selectively disclose certificate attributes, which keeps the certificate holder's private information from being leaked and improves security. The blockchain-based digital certificate management method of the present invention therefore provides a blockchain-based method for registering, issuing and verifying digital certificates that improves the efficiency of the certificate verification process and reduces labor and material costs. It uses asymmetric encryption, hash algorithms, digital signatures and similar technologies to digitize certificates and to ensure that they cannot be tampered with or forged, which guarantees the authenticity of the various certificates used in business. It uses distributed ledger technology to break down information silos, achieve data sharing and guarantee the authenticity of all kinds of certificates. It also uses zero-knowledge-proof-based technology to share sensitive data in a controlled way, which protects the privacy of certificate holders to the greatest extent while keeping business running smoothly. At the same time, blockchain technology standardizes the registration process and structure of all kinds of certificates, which helps government departments carry out systematic supervision.
It can be understood that, in step S1, the credential template can be registered on the public ledger by a certificate authority or by a public institution. After the credential template has been registered successfully, the certificate can be defined according to the template, for example its certificate name and certificate version.
It can be understood that, as shown in FIG. 2, step S2 includes the following steps:
Step S21: the certificate authority node sends invitation information to the certificate applicant node;
Step S22: the certificate applicant node requests the DID document of the certificate authority node from the public ledger;
Step S23: the public ledger returns the corresponding DID document in response to the request of the certificate applicant node, and the certificate applicant node compares the public key content of the DID document with the inviter's public key information to confirm whether the sender of the invitation information is the certificate authority node;
Step S24: the certificate applicant node creates a new DID, which is used only to exchange information with the certificate authority node;
Step S25: the certificate applicant node accepts the invitation request of the certificate authority node and sends it a connection establishment request. The request must provide the DID newly created by the certificate applicant node and the corresponding DID document. The content of the request must be encrypted when sent, and can only be decrypted using the public key of the certificate authority node;
Step S26: the certificate authority node creates a pair of DIDs used only for the connection with this certificate applicant node;
Step S27: the certificate authority node accepts the connection request of the certificate applicant node and returns an acceptance response to the certificate applicant node. The response must provide the DID newly created by the certificate authority node and the corresponding DID document. The request must be encrypted when sent, and can only be decrypted using the DID public key newly created by the certificate applicant node. At this point the certificate applicant node and the certificate authority node have confirmed each other's identities and hold the keys for secure communication, and the two parties have formally established a secure connection.
可以理解,在正式颁发证书之前,申请者和颁发者基于DID技术进行身份的互相确认,且申请者和颁发者之间通过独一无二的DID来进行信息交互,建立了专属的信息通道,防止信息被泄露,确保了证书传递的安全性。It can be understood that before the certificate is officially issued, the applicant and the issuer confirm each other's identities based on DID technology, and the applicant and the issuer exchange information through a unique DID, establishing an exclusive information channel to prevent information from being used. Leakage ensures the security of certificate delivery.
It can be understood that, as shown in FIG. 3, step S3 includes the following steps:
Step S31: the certificate authority node sends a request to the certificate applicant node; if the certificate applicant node provided a client endpoint to the certificate authority node during the connection establishment phase, this step is completed automatically;
Step S32: the certificate applicant node downloads the certificate definition from the public ledger to confirm the certificate type and content that the request corresponds to, and the public ledger returns the certificate definition queried by the certificate applicant node;
Step S33: the certificate applicant node accepts the request sent by the certificate authority node and sends it the application link for the certificate;
Step S34: the certificate authority node sends the certificate applicant node the data attributes required to generate the certificate, and the certificate applicant node provides the corresponding attributes to the certificate authority node;
Step S35: the certificate authority node generates the certificate belonging to the applicant from the attributes provided by the certificate applicant node, and stores the hash header of the certificate issuance record on the public ledger;
Step S36: the certificate authority node sends the certificate to the certificate applicant node. All the declared contents of the certificate are signed by the public key DID of the certificate authority node, which guarantees the authenticity of all the data involved in the certificate;
Step S37: after receiving the certificate, the certificate applicant node places it in the key management system to ensure that personal information is not leaked.
It can be understood that after the certificate authority establishes a secure connection with the applicant, the authority can generate the certificate from the credential template and the data attributes provided by the applicant, and send the certificate to the applicant in encrypted form. Only the applicant's private key can decrypt the encrypted content. The hash header of the certificate issuance record is stored in the public ledger to support later certificate verification. The digital certificate is stored in the applicant's key management system, so compared with a traditional paper certificate it is not easily lost, which reduces the time and labor spent on reissuing certificates.
It can be understood that, as shown in FIG. 4, step S4 includes the following steps:
Step S41: the certificate verification authority node sends invitation information to the certificate holder node;
Step S42: the certificate holder node requests the DID document of the certificate verification authority node from the public ledger;
Step S43: the public ledger returns the corresponding DID document in response to the request of the certificate holder node, and the certificate holder node compares the public key in the DID document with the public key information of the invitation sender to confirm whether the sender of the invitation information is the certificate verification authority node;
Step S44: the certificate holder node creates a new DID, which is used only to exchange information with the certificate verification authority node;
Step S45: the certificate holder node accepts the invitation from the certificate verification authority node and sends it a connection establishment request. The request must provide the DID newly created by the certificate holder node and the corresponding DID document. The content of the request must be encrypted when it is sent, and can only be decrypted using the public key of the certificate verification authority node;
Step S46: the certificate verification authority node creates a pair of DIDs that are used only to connect with this certificate holder;
Step S47: the certificate verification authority node accepts the connection establishment request from the certificate holder node and returns an acceptance response to the holder. The response must provide the DID newly created by the certificate verification authority node and the corresponding DID document. The response must be encrypted when it is sent, and can only be decrypted using the DID public key newly created by the certificate holder node.
It can be understood that before certificate verification formally begins, the holder (that is, the earlier applicant) and the verification authority confirm each other's identities based on DID technology, and exchange information through DIDs that are unique to their relationship. This establishes a dedicated information channel, prevents information from being leaked, and ensures the security of information transmission.
It can be understood that, as shown in FIG. 5, step S5 includes the following steps:
Step S51: the certificate verification authority node sends a claim request message to the certificate holder node through the DID used in the connection establishment phase;
Step S52: the certificate holder node decides whether to disclose the attributes the verifier requires, and provides a verifiable claim according to the requirements of the certificate verification authority node; the claim discloses only part of the information in the certificate;
Step S53: the certificate holder node signs the generated verifiable claim to show that the claim was generated by it, and sends it to the certificate verification authority node;
Step S54: based on the verifiable claim provided by the certificate holder node, the certificate verification authority node queries the public ledger for the issuance record of the corresponding certificate to verify its authenticity, and at the same time verifies the revocation status of the claim through the accumulator; if the claim is in the revoked state, the digital certificate is invalid;
Step S55: the public ledger returns the issuance record and revocation status of the queried certificate to the certificate verification authority node, and the certificate verification authority node can use the returned content to confirm the validity of the digital certificate held by the certificate holder node.
It can be understood that the certificate holder provides a verifiable claim for verification according to the verifier's requirements, rather than presenting the certificate itself. A verifiable claim is a statement that is based on the principle of zero-knowledge proof, is generated from a verifiable certificate, selectively discloses some attributes, and can be verified. Selectively disclosing certificate attributes lets certificate verification proceed effectively while keeping the certificate holder's private data from being leaked. It improves data sharing, breaks down data silos and increases mutual trust among the verifying parties, while protecting the sensitive data of each node and sharing that data in a controlled manner.
It can be understood that, as shown in FIG. 6, the whole life cycle of a digital certificate can be divided into five stages: generation, issuance, generation of the verifiable claim, verification, and revocation. In the generation stage, after the certificate authority establishes a secure connection with the applicant, the issuer generates the certificate from the credential template and the applicant's attributes. In the issuance stage, the certificate authority sends the certificate to the applicant in encrypted form, and only the applicant's private key can decrypt the encrypted content. In the verifiable claim generation stage, a verifiable claim that can be verified and discloses only some attributes is generated from the verifiable certificate, using cryptographic techniques such as Merkle trees and digital signatures. In the verification stage, after receiving the verifiable claim, the verifier checks its authenticity and validity. In the revocation stage, the definition of the verifiable certificate is revoked because of expiry or for other reasons, and after revocation the certificate no longer serves as proof.
Specifically, the generation of a verifiable certificate mainly includes the following steps:
1. Generate a key pair with the RSA algorithm: randomly select two unequal prime numbers p and q, compute n = p*q and the Euler function of n, randomly select an integer e that is coprime with that value, and compute the modular inverse d corresponding to e. This yields the key pair: Key = (Pub_K, Pri_K) = ((n, e), (n, d));
2. Input the relevant attributes of the certificate subject and the information of the issuing authority, raw_data;
3. Hash the content from step 2 to obtain the hash value H:
H = hash_function(raw_data)
4. Use the issuing authority's private key to compute an RSA signature over the hash value H:
signature = H^d mod n
5. Concatenate the content obtained in step 2 and step 4 into one file to produce the verifiable certificate.
In addition, the issuance process of the verifiable certificate is as follows:
When the issuer sends the certificate to the applicant, the application side must encrypt the content being sent, and the applicant must decrypt the ciphertext after receiving it. The mathematical description of encryption and decryption is as follows:
1. Encryption process: the message sender selects a non-repeating random number N_sender, the current time t_sender, the recipient's identification information ID_recipient, and the other content to be encrypted C_sender; composes the plaintext message m_sender = {N_sender, t_sender, ID_recipient, C_sender} from them; and represents m_sender as a field element. The sender then randomly selects a number k in [1, n-1], takes the recipient's public key information PbI_recipient = (F(sender), G, n, Q_recipient), computes the points (x_1, y_1) = kG and (x_2, y_2) = kQ_recipient, and generates the following ciphertext:
If (x_2, y_2) = 0, the random number k must be re-selected.
2. Decryption process: for the ciphertext, the applicant can use its own private key d_recipient to decrypt the content:
After decryption, the message recipient obtains the content of the plaintext m_sender, and can use the identification information ID_recipient to verify whether it is the intended recipient.
In addition, the generation stage of the verifiable claim is as follows:
To protect the certificate holder's private data, the present invention draws on zero-knowledge proof theory and uses two methods, random salts and a Merkle tree, to generate the verifiable proof. First, every attribute in the certificate is hashed together with a random salt:
attr' = Hash_function(attr + random_seed)
Then the data index is determined, so that the position of a disclosed attribute in the Merkle tree can be looked up quickly. Finally, the Merkle root signature root_signature is provided to guarantee that the data has not been altered.
The verification stage of the verifiable claim is as follows:
After receiving the verifiable claim, the verifier verifies its authenticity through the following steps:
1. Compare the holder's public key in the claim with the DID document corresponding to the submitter's public key to verify the validity of the claim signature, that is, that the generator of the claim is the same party as its submitter;
2. Using the name of the issuing authority in the claim, download the corresponding DID document from the ledger, obtain the issuing authority's public key from the document, and verify whether the issuing authority is authoritative;
3. Verify the data index, random salt, Merkle root and other related data of the disclosed fields to make sure the disclosed fields have been certified by the issuing authority;
4. After the above verification steps, the trusted disclosed content can be displayed, and no information other than the disclosed content is obtained, which protects the privacy of the certificate holder.
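The salted-hash and Merkle-tree steps of claim generation and verification described above, as an added Python example that is not code from the patent. Assumptions: SHA-256 stands in for Hash_function, the leaf framing, padding rule and the names `issue`, `present` and `verify` are illustrative, and the issuer's signature over the root (root_signature) is taken as already checked, so the verifier is handed a trusted root.

```python
import hashlib
import hmac
import secrets

# Fixed filler leaf so the tree always has a power-of-two width (added convention).
PAD = hashlib.sha256(b"\x02padding-leaf").digest()

def salted_leaf(name, value, salt):
    """attr' = Hash_function(attr + random_seed), with length framing so that
    (name, value) pairs cannot be confused with one another."""
    n, v = name.encode(), value.encode()
    framed = len(n).to_bytes(2, "big") + n + len(v).to_bytes(4, "big") + v
    return hashlib.sha256(b"\x00" + framed + salt).digest()

def parent(left, right):
    # Distinct prefix for inner nodes, so a leaf can never be replayed as a node.
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(leaves):
    size = 1
    while size < len(leaves):
        size *= 2
    levels = [list(leaves) + [PAD] * (size - len(leaves))]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def issue(attributes):
    """Issuer: salt every attribute, build the tree, return what the holder stores.
    The issuer would sign credential["root"]; signing is outside this example."""
    names = sorted(attributes)
    salts = {n: secrets.token_bytes(16) for n in names}
    levels = build_levels([salted_leaf(n, attributes[n], salts[n]) for n in names])
    return {"names": names, "salts": salts, "levels": levels, "root": levels[-1][0]}

def present(credential, attributes, disclose):
    """Holder: reveal value, salt, data index and Merkle path for chosen attributes only."""
    items = []
    for name in disclose:
        index = credential["names"].index(name)
        path, i = [], index
        for level in credential["levels"][:-1]:
            path.append(level[i ^ 1])  # sibling hash at this level
            i >>= 1
        items.append({"name": name, "value": attributes[name],
                      "salt": credential["salts"][name], "index": index, "path": path})
    return items

def verify(presentation, signed_root):
    """Verifier: recompute the root from each disclosed field; return the disclosed
    attributes, or None if any field does not lead to the signed root."""
    disclosed = {}
    for item in presentation:
        acc = salted_leaf(item["name"], item["value"], item["salt"])
        index = item["index"]
        for sibling in item["path"]:
            acc = parent(sibling, acc) if index & 1 else parent(acc, sibling)
            index >>= 1
        # index must be fully consumed, otherwise it does not fit the tree depth
        if index != 0 or not hmac.compare_digest(acc, signed_root):
            return None
        disclosed[item["name"]] = item["value"]
    return disclosed

if __name__ == "__main__":
    # Constructed sample certificate attributes.
    attrs = {"name": "Zhang San", "id_number": "constructed-0001",
             "degree": "BSc", "graduation_year": "2020", "gpa": "3.7"}
    cred = issue(attrs)
    claim = present(cred, attrs, ["degree", "graduation_year"])
    print(verify(claim, cred["root"]))
```

The per-attribute salt is what stops a verifier from guessing undisclosed low-entropy values (a year, a grade) by hashing candidates against the sibling hashes it receives in the path.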
The revocation of the certificate is as follows:
The certificate revocation process is implemented with a cryptographic accumulator algorithm. First, let the set of certificates held by an entity be S = x_1, x_2, …, x_n, and use:
as the accumulator for the set S, where N = p*q, p and q are large primes, and g is a generator modulo N. When certificate x_1 in the set S is revoked, the state of the accumulator is updated to:
At this point, according to Bézout's theorem, the entity cannot prove x_1 ∈ S without knowing the specific content of x_1.
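An added Python example of accumulator-based revocation, not code from the patent. The accumulator formulas did not survive on this page, so the block assumes the standard RSA accumulator (g raised to the product of the members, modulo N = p*q), which matches the parameters named above; the toy modulus, the representation of certificates as constructed primes, and all function names are assumptions for illustration.

```python
# Constructed toy parameters: safe primes p = 2*1019 + 1 and q = 2*1031 + 1.
# A real deployment would use a modulus of 2048 bits or more.
P, Q = 2039, 2063
N = P * Q
PHI = (P - 1) * (Q - 1)  # trapdoor, known only to whoever manages the accumulator
G = 4                    # a quadratic residue modulo N

def accumulate(elements):
    """Accumulator value: G ** (x_1 * x_2 * ... * x_n) mod N."""
    acc = G
    for x in elements:
        acc = pow(acc, x, N)
    return acc

def witness(elements, x):
    """Membership witness for x: the accumulator over every element except x."""
    return accumulate([y for y in elements if y != x])

def is_member(acc, x, w):
    """A certificate x is unrevoked if its witness raised to x gives the accumulator."""
    return pow(w, x, N) == acc

def revoke_with_trapdoor(acc, x):
    """Remove x by taking the x-th root of acc, which needs the factorisation of N."""
    return pow(acc, pow(x, -1, PHI), N)

def bezout(a, b):
    """Extended Euclid: returns (s, t, g) with s*a + t*b == g == gcd(a, b)."""
    old_r, r, old_s, s, old_t, t = a, b, 1, 0, 0, 1
    while r:
        quot = old_r // r
        old_r, r = r, old_r - quot * r
        old_s, s = s, old_s - quot * s
        old_t, t = t, old_t - quot * t
    return old_s, old_t, old_r

def update_witness(w, x, revoked, new_acc):
    """Holder of x refreshes its witness after `revoked` was removed, without the
    trapdoor. With s*x + t*revoked == 1: new_w = w**t * new_acc**s mod N."""
    s, t, g = bezout(x, revoked)
    if g != 1:
        # Covers x == revoked: the revoked certificate cannot refresh its witness.
        raise ValueError("no Bezout coefficients: element is the revoked one")
    return pow(w, t, N) * pow(new_acc, s, N) % N

if __name__ == "__main__":
    certs = [101, 103, 107]  # constructed prime representatives of three certificates
    acc = accumulate(certs)
    w103 = witness(certs, 103)
    new_acc = revoke_with_trapdoor(acc, 101)
    print(is_member(new_acc, 101, witness(certs, 101)))  # False: revoked
    print(is_member(new_acc, 103, update_witness(w103, 103, 101, new_acc)))  # True
```

After a revocation every remaining holder's old witness is stale as well, so the verifier in step S54 must check against the current accumulator value and holders must refresh their witnesses first.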
In addition, as shown in FIG. 7, another embodiment of the present invention provides a blockchain-based digital certificate management system, which preferably uses the digital certificate management method described above. The system includes:
a template registration module, used to register the credential template on the public ledger of the blockchain; after successful registration, the certificate can be defined according to the template;
an identity confirmation module, used for the two nodes to confirm each other's identities and then establish a secure connection;
a digital certificate issuing module, used for the certificate authority node to send the digital certificate to the certificate applicant node, where all the declared contents of the certificate are signed by the public key DID of the certificate authority node;
a certificate verification module, used for the certificate verification authority node to verify the validity of the digital certificate based on the verifiable claim provided by the certificate holder node.
It can be understood that, in the blockchain-based digital certificate management system of this embodiment, the credential template used to generate a certificate can only be used for issuance after it has gone through the registration procedure. This places strict control at the root of certificate issuance, raises the barrier to certificate forgery, and improves public credibility. The credential template and sending record of every certificate can be traced, which thoroughly solves the problem of certificate forgery, reduces the cost of certificate checking, and improves its efficiency. Moreover, before a certificate is issued or verified, a secure connection must first be established between the applicant and the issuer, and between the holder and the verifier. The DID technology adopted in the present invention provides the basis for this secure communication: when a message is sent, it is encrypted with the public key and sent to the specified service endpoint, and only the corresponding private key can decrypt the ciphertext, which increases the security of certificate delivery. In addition, in the certificate verification stage, the certificate verifier can complete the validity verification of the certificate based on the verifiable claim provided by the holder, and the generation of the verifiable claim combines zero-knowledge proof, Merkle trees and other cryptographic techniques to selectively disclose certificate attributes, which keeps the certificate holder's private data from being leaked and improves security.
In addition, the present invention provides an electronic device including a processor and a memory, where a computer program is stored in the memory and the processor executes the steps of the method described above by calling the computer program stored in the memory.
In addition, the present invention provides a computer-readable storage medium for storing a computer program for blockchain-based digital certificate management, where the computer program executes the steps of the method described above when run on a computer.
Common forms of computer-readable media include: floppy disks, flexible disks, hard disks, magnetic tape, any other magnetic medium, CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, random access memory (RAM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), flash erasable programmable read-only memory (FLASH-EPROM), any other memory chip or cartridge, or any other medium that a computer can read. The instructions may further be transmitted or received over a transmission medium. The term transmission medium can include any tangible or intangible medium that can be used to store, encode or carry instructions for execution by a machine, and includes digital or analog communication signals or other intangible media that facilitate the communication of such instructions. Transmission media include coaxial cable, copper wire and optical fiber, including the wires that make up a bus used to transmit computer data signals.
The above descriptions are only preferred embodiments of the present invention and are not intended to limit it. For those skilled in the art, the present invention may have various modifications and changes. Any modification, equivalent replacement or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.
| Application Number | Status | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| CN202110190971.7A | Active | 2021-02-19 | 2021-02-19 | Block chain-based digital certificate management method, system, equipment and storage medium |

| Publication Number | Publication Date |
|---|---|
| CN113014392A | 2021-06-22 |
| CN113014392B | 2022-04-08 |

| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |