CN115859261A - Password cloud service method, platform, equipment and storage medium - Google Patents


Info

Publication number
CN115859261A
Authority
CN
China
Prior art keywords
service
password
cryptographic
resource
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310001264.8A
Other languages
Chinese (zh)
Inventor
徐永明
金刚
邓鸿亮
焦清旺
李军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Unicom Digital Technology Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Unicom Digital Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd, Unicom Digital Technology Co Ltd
Priority to CN202310001264.8A
Publication of CN115859261A
Legal status: Pending (current)


Abstract

Translated from Chinese

The present application provides a cryptographic cloud service method, platform, device and storage medium. The method includes: a unified API interface module receives a cryptographic service request sent by any business system and determines the corresponding target cryptographic service; the unified API interface module sends a service request for the target cryptographic service to a virtual software cryptographic module; the virtual software cryptographic module, according to that service request, sends an allocation request for the target cryptographic service to a cryptographic service resource module; the cryptographic service resource module invokes the corresponding cryptographic service resource according to the allocation request to complete the cryptographic operation, obtains the operation result, and returns the result to the business system. Through the unified API interface module, the upper layer provides unified cryptographic services to business systems while the lower layer adapts to different cryptographic service resources, so that cryptographic services are unified and shared, with a unified interface and centralized maintenance and management.

Figure 202310001264 (abstract drawing, not reproduced)

Description

Translated from Chinese

Cryptographic cloud service method, platform, device and storage medium

Technical field

The present application relates to the field of information security, and in particular to a cryptographic cloud service method, platform, device and storage medium.

Background

The rapid development of cloud computing has driven emerging technologies such as big data and the Internet of Things. Cloud computing is characterised by very large scale, virtualisation, on-demand allocation of services, high reliability, dynamic scalability, broad network access and energy saving, which has also prompted many business systems to move to the cloud. As security awareness has grown, more and more business systems use cryptographic services.

In the prior art, traditional cryptographic services are deployed centrally, for example cryptographic machine (HSM) services, signature services and electronic seal services. These services have no unified standard, and the compatibility and interface layers of different vendors' products differ considerably.

The inventors found that traditional cryptographic services cannot be unified or shared, which makes a unified interface, centralized maintenance and management inconvenient.

Summary of the invention

The present application provides a cryptographic cloud service method, platform, device and storage medium to solve the problem in the prior art that traditional cryptographic services cannot be unified or shared, making a unified interface, centralized maintenance and management inconvenient.

In a first aspect, the present application provides a cryptographic cloud service method applied to a cryptographic cloud service platform, the cryptographic cloud service platform including a unified API interface module, a virtual software cryptographic module and a cryptographic service resource module;

the method includes:

the unified API interface module receives a cryptographic service request sent by any business system, where the cryptographic service request includes the tenant identifier and the application system identifier of the business system;

the unified API interface module uses the tenant identifier to obtain the mapping between application systems and cryptographic services pre-configured by the tenant corresponding to that tenant identifier, queries the mapping with the application system identifier, and determines the corresponding target cryptographic service;

the unified API interface module sends a service request for the target cryptographic service to the virtual software cryptographic module;

the virtual software cryptographic module sends an allocation request for the target cryptographic service to the cryptographic service resource module according to the service request for the target cryptographic service;

the cryptographic service resource module invokes the corresponding cryptographic service resource according to the allocation request for the target cryptographic service to complete the cryptographic operation and obtain an operation result;

the cryptographic service resource module returns the operation result to the business system through the virtual software cryptographic module and then the unified API interface module.

In one possible design, the step in which the cryptographic service resource module invokes the corresponding cryptographic service resource according to the allocation request for the target cryptographic service to complete the cryptographic operation and obtain the operation result includes: the cryptographic service resource module determines, from the allocation request for the target cryptographic service, the type of cryptographic service resource applicable to the target cryptographic service; if the applicable type is a software cryptographic resource, the cryptographic service resource module sends a request to the software cryptographic resource according to the service request for the target cryptographic service, so as to invoke the software cryptographic resource to complete the cryptographic operation and obtain the operation result; if the applicable type is a hardware cryptographic resource, the cryptographic service resource module sends a request to the hardware cryptographic resource according to the service request for the target cryptographic service, so as to invoke the hardware cryptographic resource to complete the cryptographic operation and obtain the operation result.

In one possible design, the step in which, if the applicable type of cryptographic service resource is a software cryptographic resource, the cryptographic service resource module requests the software cryptographic resource to complete the cryptographic operation and obtain the operation result includes: if the type of cryptographic service resource applicable to the target cryptographic service is a software cryptographic resource, the cryptographic service resource module downloads the Docker image of the software cryptographic resource from the software cryptographic service image repository to a designated virtual machine or physical machine cluster; the cryptographic service resource module then sends a request to the virtual machine or physical machine cluster according to the service request for the target cryptographic service, so that the cluster starts the Docker image, completes the cryptographic operation and obtains the operation result.

In one possible design, the cryptographic cloud service platform further includes a cryptographic cloud service system; before the unified API interface module receives the cryptographic service request sent by the business system, the method further includes: the cryptographic cloud service system, according to the different application systems created by the tenant, generates cryptographic service configuration information by configuring the mapping between each application system and a cryptographic service, and sends the cryptographic service configuration information to the unified API interface module; the unified API interface module stores the cryptographic service configuration information, which includes the mapping between the application systems and the cryptographic services.

In one possible design, before the unified API interface module receives the cryptographic service request sent by the business system, the method further includes: the cryptographic cloud service system uploads the Docker image file of the software cryptographic resource to the software cryptographic service image repository.

In a second aspect, the present application provides a cryptographic cloud service platform including a unified API interface module, a virtual software cryptographic module and a cryptographic service resource module;

the unified API interface module is configured to receive a cryptographic service request sent by any business system, where the cryptographic service request includes the tenant identifier and the application system identifier of the business system;

the unified API interface module is further configured to use the tenant identifier to obtain the mapping between application systems and cryptographic services pre-configured by the tenant corresponding to that tenant identifier, query the mapping with the application system identifier, and determine the corresponding target cryptographic service;

the unified API interface module is further configured to send a service request for the target cryptographic service to the virtual software cryptographic module;

the virtual software cryptographic module is configured to send an allocation request for the target cryptographic service to the cryptographic service resource module according to the service request for the target cryptographic service;

the cryptographic service resource module is configured to invoke the corresponding cryptographic service resource according to the allocation request for the target cryptographic service to complete the cryptographic operation and obtain an operation result;

the cryptographic service resource module is further configured to return the operation result to the business system through the virtual software cryptographic module and then the unified API interface module.

In one possible design, the cryptographic service resource module is specifically configured to determine, from the allocation request for the target cryptographic service, the type of cryptographic service resource applicable to the target cryptographic service; if the applicable type is a software cryptographic resource, the cryptographic service resource module sends a request to the software cryptographic resource according to the service request for the target cryptographic service, so as to invoke the software cryptographic resource to complete the cryptographic operation and obtain the operation result; if the applicable type is a hardware cryptographic resource, the cryptographic service resource module sends a request to the hardware cryptographic resource according to the service request for the target cryptographic service, so as to invoke the hardware cryptographic resource to complete the cryptographic operation and obtain the operation result.

In one possible design, the cryptographic service resource module is specifically configured to: if the type of cryptographic service resource applicable to the target cryptographic service is a software cryptographic resource, download the Docker image of the software cryptographic resource from the software cryptographic service image repository to a designated virtual machine or physical machine cluster; and send a request to the virtual machine or physical machine cluster according to the service request for the target cryptographic service, so that the cluster starts the Docker image, completes the cryptographic operation and obtains the operation result.

In a third aspect, the present application provides a cryptographic cloud service device including a memory and a processor;

the memory stores computer-executable instructions; the processor executes the computer-executable instructions stored in the memory, so that the processor performs the cryptographic cloud service method of the first aspect or of any possible design of the first aspect.

In a fourth aspect, the present application provides a computer-readable storage medium storing a computer program or instructions which, when executed by a processor, implement the cryptographic cloud service method of the first aspect or of any possible design of the first aspect.

In the cryptographic cloud service method, platform, device and storage medium provided by the present application, the unified API interface module receives the cryptographic service request sent by a business system, determines the corresponding target cryptographic service and sends a service request for that service to the virtual software cryptographic module; the virtual software cryptographic module requests the cryptographic service resource module according to the target cryptographic service, so as to invoke the cryptographic service resource module to complete the cryptographic operation and obtain the operation result; finally the operation result is returned to the business system. Through the unified API interface module, the upper layer provides unified cryptographic services to the tenant's business systems while the lower layer adapts to different cryptographic service resources, so that cryptographic services are unified and shared, with a unified interface and centralized maintenance and management throughout the cryptographic service process.

Brief description of the drawings

In order to explain the technical solutions of the present application or the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present application, and a person of ordinary skill in the art could obtain other drawings from them without creative effort.

FIG. 1 is a schematic diagram of an application scenario of a cryptographic cloud service method provided by an embodiment of the present application;

FIG. 2 is a first flowchart of a cryptographic cloud service method provided by an embodiment of the present application;

FIG. 3 is a second flowchart of a cryptographic cloud service method provided by an embodiment of the present application;

FIG. 4 is a first schematic diagram of the correspondence between keys in the VHSM and keys in the HSM in the VHSM key management system provided by an embodiment of the present application;

FIG. 5 is a second schematic diagram of the correspondence between keys in the VHSM and keys in the HSM in the VHSM key management system provided by an embodiment of the present application;

FIG. 6 is a schematic diagram of the cryptographic service resource module of the cryptographic cloud service platform downloading a Docker image, provided by an embodiment of the present application;

FIG. 7 is a schematic structural diagram of a cryptographic cloud service platform provided by an embodiment of the present application;

FIG. 8 is a schematic diagram of the hardware structure of a cryptographic cloud service device provided by an embodiment of the present application.

Detailed description

To make the purpose, technical solutions and advantages of the present application clearer, the technical solutions in the present application are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art from the embodiments in the present application without creative effort fall within the scope of protection of the present application.

The rapid development of cloud computing has driven emerging technologies such as big data and the Internet of Things. Cloud computing is characterised by very large scale, virtualisation, on-demand allocation of services, high reliability, dynamic scalability, broad network access and energy saving, which has also prompted many business systems to move to the cloud. As security awareness has grown, more and more business systems use cryptographic services. In the prior art, traditional cryptographic services are deployed centrally, for example cryptographic machine (HSM) services, signature services and electronic seal services; these services have no unified standard, and the compatibility and interface layers of different vendors' products differ considerably. The inventors found at least the following technical problems in the prior art: traditional cryptographic services are deployed centrally and cannot meet the on-demand allocation and dynamic scaling needs of cloud business. In addition, there is currently no business standard for cryptographic services: different businesses connect to different cryptographic products and different types of interfaces, so cryptographic services cannot be unified or shared, and a unified interface, centralized maintenance and management are inconvenient. Traditional cryptographic services therefore cannot provide a unified cryptographic service, and the lower layer cannot adapt to different cryptographic products.

To address these problems, the present application proposes a cryptographic cloud service method: the unified API interface module receives the cryptographic service request sent by a business system, determines the corresponding target cryptographic service and sends a service request for it to the virtual software cryptographic module; the virtual software cryptographic module requests the cryptographic service resource module according to the target cryptographic service, so as to invoke the cryptographic service resource module to complete the cryptographic operation and obtain the operation result; finally the operation result is returned to the business system.

The technical solution of the present application is described in detail below with specific embodiments. The following specific embodiments may be combined with one another, and the same or similar concepts or processes may not be repeated in some embodiments.

FIG. 1 is a schematic diagram of an application scenario of a cryptographic cloud service method provided by an embodiment of the present application. As shown in FIG. 1, a business system sends a cryptographic service request to the unified API interface module of the cryptographic cloud service platform. After the unified API interface module determines the target cryptographic service, it sends a service request for the target cryptographic service to the virtual software cryptographic module of the platform; the virtual software cryptographic module, according to that service request, requests the cryptographic service resource module of the platform, so as to invoke a software cryptographic resource or a hardware cryptographic resource in the cryptographic service resource module to complete the cryptographic operation.

FIG. 2 is a first flowchart of a cryptographic cloud service method provided by an embodiment of the present application. The executing entity of this embodiment is the cryptographic cloud service platform of the embodiment shown in FIG. 1, which includes a unified API interface module, a virtual software cryptographic module and a cryptographic service resource module. The method of this embodiment may include the following steps:

S201. The cryptographic cloud service system, according to the different application systems created by a tenant, generates cryptographic service configuration information by configuring the mapping between each application system and a cryptographic service, and sends the cryptographic service configuration information to the unified API interface module; the unified API interface module stores the cryptographic service configuration information, which includes the mapping between each application system and the cryptographic service.

In this embodiment, application systems may be of many types, for example a personal income tax website system, an OA system or a BS system. The cryptographic cloud service system includes a cryptographic cloud management module and a cryptographic cloud tenant module. The cryptographic cloud management module provides cryptographic posture, cryptographic service management, order management, cryptographic machine management, cryptographic resource management, tenant management, audit and statistics functions. Cryptographic posture shows the health status and concurrency of the current cryptographic services. Cryptographic service management binds a cryptographic service to specific cryptographic resources by configuring the cryptographic service name. Order management handles the orders for cryptographic service requests submitted by administrators and by tenants' business systems; orders can be approved or rejected. Cryptographic machine management manages the server cryptographic machines and cloud server cryptographic machines in use, and is used to configure their key information. Cryptographic resource management, for hardware cryptographic resources, configures the configuration information of hardware cryptographic resources such as signature servers, electronic seals and timestamp services, with support for multiple vendors; for software cryptographic resources, it uploads the Docker image files of the software cryptographic resources to the software cryptographic service image repository. Tenant management adds tenants and changes their status. Audit allows the operations performed on the platform by cryptographic cloud service platform administrators to be audited. The statistics function records cryptographic service usage along three dimensions: tenant, cryptographic resource and time.

The cryptographic cloud tenant module provides cryptographic posture, cryptographic service application, cryptographic service management, service authorization and audit functions. Cryptographic posture shows the health status and concurrency of the current tenant's cryptographic services. Cryptographic service application lets a tenant request cryptographic services. Cryptographic service management lets a tenant manage the cryptographic services it has applied for, including state management and the authorization that assigns a cryptographic service to a specific application system. Audit management provides the tenant with an audit of its own operations on the cryptographic cloud service platform.

S202. The cryptographic cloud service system uploads the Docker image file of the software cryptographic resource to the software cryptographic service image repository.

In this embodiment, Docker is an open-source application container engine; it packages software into an image, and the configuration of the various software components can be completed inside that image. A Docker image is the packaged image of the software; the cryptographic cloud service system uploads the packaged Docker image file of the software cryptographic resource to the software cryptographic service image repository, where it waits to be downloaded and used.
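The image repository of step S202 is what the resource module later pulls from (the download shown in FIG. 6), so a practitioner wants the digest recorded at upload to be checked again before the image is started. The following is an added example written for this page, not the patent's or the applicant's code; the class names, the digest format and the sample image bytes are assumptions, and the re-tag and corruption scenarios are constructed to show what the check rejects.

```python
"""Added example (not from the patent): content-addressed image repository for
the software cryptographic resource (S202) plus the digest check the resource
module performs before starting a downloaded image. Names are assumptions."""
import hashlib


def image_digest(content: bytes) -> str:
    """Digest of an image blob in the usual 'sha256:<hex>' form."""
    return "sha256:" + hashlib.sha256(content).hexdigest()


class ImageVerificationError(Exception):
    pass


class SoftwareCryptoImageRepository:
    """Blob store addressed by digest, plus mutable name:tag references."""

    def __init__(self) -> None:
        self._blobs: dict[str, bytes] = {}
        self._tags: dict[tuple[str, str], str] = {}

    def upload(self, name: str, tag: str, content: bytes) -> str:
        # S202: the cryptographic cloud service system uploads the packaged image
        digest = image_digest(content)
        self._blobs[digest] = content
        self._tags[(name, tag)] = digest      # a tag always follows the latest upload
        return digest

    def resolve(self, name: str, tag: str) -> str:
        return self._tags[(name, tag)]

    def pull(self, digest: str) -> bytes:
        return self._blobs[digest]

    def overwrite_blob(self, digest: str, content: bytes) -> None:
        """Simulates storage corruption or tampering of a stored blob (test aid)."""
        self._blobs[digest] = content


class ResourceImageFetcher:
    """Download step of the cryptographic service resource module; it starts only
    images whose digest matches the one pinned when the image was uploaded."""

    def __init__(self, repo: SoftwareCryptoImageRepository) -> None:
        self._repo = repo
        self._pinned: dict[str, str] = {}   # image name -> digest recorded at upload

    def pin(self, name: str, digest: str) -> None:
        self._pinned[name] = digest

    def download_verified(self, name: str, tag: str) -> bytes:
        expected = self._pinned.get(name)
        if expected is None:
            raise ImageVerificationError(f"no pinned digest for {name!r}")
        referenced = self._repo.resolve(name, tag)
        if referenced != expected:           # the tag no longer points at the pinned upload
            raise ImageVerificationError(f"{name}:{tag} points at {referenced}, pinned {expected}")
        content = self._repo.pull(referenced)
        if image_digest(content) != expected:   # the blob itself must match its digest
            raise ImageVerificationError("downloaded image does not match its digest")
        return content


def run_scenarios() -> dict[str, bool]:
    """Constructed scenarios: a good upload, a re-pointed tag, and a corrupted blob."""
    repo = SoftwareCryptoImageRepository()
    fetcher = ResourceImageFetcher(repo)
    good = b"constructed-image-bytes-v1"       # stands in for a real image tarball
    digest = repo.upload("soft-crypto-svc", "1.0", good)
    fetcher.pin("soft-crypto-svc", digest)
    outcome = {"good_image_starts": fetcher.download_verified("soft-crypto-svc", "1.0") == good}

    repo.upload("soft-crypto-svc", "1.0", b"constructed-image-bytes-v2")   # same tag, new content
    try:
        fetcher.download_verified("soft-crypto-svc", "1.0")
        outcome["retag_rejected"] = False
    except ImageVerificationError:
        outcome["retag_rejected"] = True

    repo._tags[("soft-crypto-svc", "1.0")] = digest        # tag restored, blob corrupted
    repo.overwrite_blob(digest, b"constructed-image-bytes-corrupt")
    try:
        fetcher.download_verified("soft-crypto-svc", "1.0")
        outcome["corrupt_blob_rejected"] = False
    except ImageVerificationError:
        outcome["corrupt_blob_rejected"] = True
    return outcome


if __name__ == "__main__":
    print(run_scenarios())
```

Pinning the digest rather than the tag is the point: a tag in a real registry is mutable, so the resource module should record the digest the cryptographic cloud service system produced at upload and refuse to start anything else.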

S203. The unified API interface module receives a cryptographic service request sent by any business system, where the cryptographic service request includes the tenant identifier and the application system identifier of the business system.

In this embodiment, a business system belongs to a tenant, a tenant may have multiple business systems, and a business system is used to send the tenant's cryptographic service requests. The tenant identifier in the cryptographic service request identifies the mapping between application systems and cryptographic services pre-configured by that tenant, and the application system identifier is used to query that mapping.

S204、统一API接口模块通过租户标识,获取租户标识对用的租户预配置的各应用系统与各密码服务的映射关系;并根据应用系统标识查询映射关系,确定对应的目标密码服务。S204. The unified API interface module obtains the mapping relationship between each application system and each cryptographic service pre-configured by the tenant for the tenant through the tenant ID; and queries the mapping relationship according to the application system ID to determine the corresponding target cryptographic service.

本实施例中,由步骤S203已知密码服务请求中的租户标识可以用来识别该租户预配置的应用系统与密码服务的映射关系,应用系统标识可以用来查询该租户预配置的应用系统与密码服务的映射关系,此处不再赘述。从该租户预配置的应用系统与密码服务的映射关系中可以确定改租户的业务系统本次发送的密码服务请求所对应得目标密码服务。In this embodiment, it is known from step S203 that the tenant ID in the password service request can be used to identify the mapping relationship between the tenant’s pre-configured application system and the password service, and the application system ID can be used to query the tenant’s pre-configured application system and The mapping relationship of cryptographic services will not be repeated here. The target cryptographic service corresponding to the cryptographic service request sent by the tenant's business system this time can be determined from the mapping relationship between the application system and the cryptographic service preconfigured by the tenant.

S205、统一API接口模块发送目标密码服务的服务请求至虚拟软件密码模块。S205. The unified API interface module sends the service request of the target cryptographic service to the virtual software cryptographic module.

本实施例中,目标密码服务的服务请求中包括了租户的业务系统本次发送的密码服务请求所适用得密码服务资源的类型,例如,包括了租户的业务系统本次发送的密码服务请求适用的是软件密码资源还是硬件密码资源。In this embodiment, the service request of the target cryptographic service includes the type of cryptographic service resources applicable to the cryptographic service request sent by the tenant's business system this time, for example, the cryptographic service request sent by the tenant's business system this time is applicable to Whether it is a software cryptographic resource or a hardware cryptographic resource.

S206. The virtual software cryptographic module sends an allocation request for the target cryptographic service to the cryptographic service resource module according to the service request for the target cryptographic service.

In this embodiment, the virtual software cryptographic module makes a request to the cryptographic service resource according to the service request for the target cryptographic service, so as to invoke the cryptographic service resource to complete the cryptographic operation. The types of cryptographic service resource include software cryptographic resources and hardware cryptographic resources.

Specifically, the unified API interface module determines, through the interface service and the service request derived from the cryptographic service request, whether the cryptographic service resource used by this cryptographic service request is a software cryptographic resource or a hardware cryptographic resource, and then requests the specific software or hardware cryptographic resource to provide the cryptographic service facility.

S207. The cryptographic service resource module invokes the corresponding cryptographic service resource according to the allocation request for the target cryptographic service to complete the cryptographic operation and obtain the operation result.

In this embodiment, the cryptographic service resource module determines from the service request derived from the cryptographic service request whether the cryptographic service resource used by this request is a software or a hardware cryptographic resource, and then requests the specific software or hardware cryptographic resource to provide the cryptographic service facility.

S208. The cryptographic service resource module returns the operation result to the business system via the virtual software cryptographic module and then the unified API interface module.

In this embodiment, after completing the cryptographic operation, the cryptographic service resource module sends the operation result to the virtual software cryptographic module; the virtual software cryptographic module receives it and forwards it to the unified API interface module; the unified API interface module receives it and forwards it to the tenant's business system.

In summary, in the cryptographic cloud service method provided by this application, the unified API interface module receives the cryptographic service request sent by the business system and determines the corresponding target cryptographic service, and sends the service request for the target cryptographic service to the virtual software cryptographic module; the virtual software cryptographic module makes a request to the cryptographic service resource module according to the target cryptographic service, so as to invoke the cryptographic service resource module to complete the cryptographic operation and obtain the operation result; finally the operation result is returned to the business system. Through the unified API interface module, the upper layer provides a unified cryptographic service to the tenant's business systems while the lower layer adapts to different cryptographic service resources, which unifies and shares cryptographic services and facilitates a unified interface and the centralized maintenance and management of cryptographic services.
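Steps S203 to S208 above, as an added example that is not part of the patent: a unified API layer resolves the tenant identifier and application system identifier against the tenant's pre-configured mapping, rejects anything the tenant did not configure, and dispatches to a software or hardware resource pool. The tenant names, application system names, service names and key bytes are constructed placeholders, and both resource pools are modelled as HMAC-SHA256 so the block runs offline.

```python
"""Added example, not the patent's own code: routing a cryptographic service
request through the unified API interface module, the virtual software
cryptographic module and the cryptographic service resource module
(steps S203-S208).  All identifiers, service names and key bytes below are
constructed placeholders."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class ResourceType(Enum):
    SOFTWARE = "software"   # software cryptographic resource (VHSM container)
    HARDWARE = "hardware"   # hardware cryptographic resource (e.g. signature server)


@dataclass(frozen=True)
class TargetService:
    name: str
    resource_type: ResourceType


@dataclass(frozen=True)
class ServiceRequest:
    tenant_id: str          # tenant identifier carried in the request (S203)
    app_system_id: str      # application system identifier (S203)
    payload: bytes


class RoutingError(Exception):
    """The request cannot be mapped to a service the tenant pre-configured."""


# Cryptographic service configuration generated by the cryptographic cloud
# service system and stored in the unified API interface module:
# tenant_id -> app_system_id -> target service.  Constructed sample values.
SERVICE_CONFIG = {
    "tenant-a": {
        "app-billing": TargetService("mac-service", ResourceType.SOFTWARE),
        "app-portal": TargetService("sign-server", ResourceType.HARDWARE),
    },
    "tenant-b": {
        "app-billing": TargetService("mac-service", ResourceType.SOFTWARE),
    },
}

# Per-tenant key material held by the resource pool (constructed values).
# In the platform this lives inside the VHSM or HSM, not in the API layer.
RESOURCE_KEYS = {
    ("tenant-a", "mac-service"): b"tenant-a-key-00000000000000000000",
    ("tenant-a", "sign-server"): b"tenant-a-hw-key-0000000000000000",
    ("tenant-b", "mac-service"): b"tenant-b-key-00000000000000000000",
}


def resolve_target_service(config, request):
    """S204: fetch the tenant's mapping by tenant ID, then query it by
    application system ID.  An unknown tenant, or an application system the
    tenant did not configure, is rejected outright; the request must never
    fall through to a default service or to another tenant's mapping."""
    tenant_mapping = config.get(request.tenant_id)
    if tenant_mapping is None:
        raise RoutingError(f"unknown tenant {request.tenant_id!r}")
    service = tenant_mapping.get(request.app_system_id)
    if service is None:
        raise RoutingError(
            f"app system {request.app_system_id!r} is not mapped for "
            f"tenant {request.tenant_id!r}")
    return service


def is_authorized(config, request):
    """Boolean view of resolve_target_service for callers that only gate."""
    try:
        resolve_target_service(config, request)
        return True
    except RoutingError:
        return False


def compute_on_resource(resource_type, key, payload):
    """S207: the resource module invokes the selected resource.  Both pools
    are modelled as HMAC-SHA256 over the payload; the result records which
    pool served the request so the caller can audit the routing decision."""
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"resource": resource_type.value, "mac": mac}


def handle_request(config, keys, request):
    """S203-S208: unified API module -> virtual software cryptographic module
    -> resource module, with the result returned along the same chain."""
    service = resolve_target_service(config, request)               # S204
    key = keys.get((request.tenant_id, service.name))
    if key is None:                                                 # S206
        raise RoutingError(f"no resource allocated for {service.name!r}")
    result = compute_on_resource(service.resource_type, key, request.payload)  # S207
    result["service"] = service.name
    return result                                                   # S208
```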

FIG. 3 is a second flowchart of the cryptographic cloud service method provided by an embodiment of this application. On the basis of the embodiment in FIG. 2, this embodiment describes in detail step S207, in which the cryptographic service resource module invokes the corresponding cryptographic service resource according to the allocation request for the target cryptographic service to complete the cryptographic operation and obtain the operation result. As shown in FIG. 3, with the cryptographic cloud service platform as the executing entity, the method of this embodiment may include the following steps:

S301. The cryptographic service resource module determines, according to the allocation request for the target cryptographic service, the type of cryptographic service resource applicable to the target cryptographic service.

In this embodiment, as stated in step S201, the cryptographic service request includes the tenant identifier and the application system identifier of the business system. The cryptographic service resource module uses the tenant identifier and the application system identifier in the cryptographic service request to determine the type of cryptographic service resource applicable to the target cryptographic service. In this application, there are two types of cryptographic service resource applicable to the target cryptographic service: software cryptographic resources and hardware cryptographic resources.

S302. If the type of cryptographic service resource applicable to the target cryptographic service is a software cryptographic resource, the cryptographic service resource module makes a request to the software cryptographic resource according to the service request for the target cryptographic service, so as to invoke the software cryptographic resource to complete the cryptographic operation and obtain the operation result.

In this embodiment, if the type of cryptographic service resource applicable to the target cryptographic service is a software cryptographic resource, the cryptographic service resource module downloads the Docker image of the software cryptographic resource from the software cryptographic service image repository onto the designated virtual machine or physical machine cluster.

The cryptographic service resource module makes a request to the virtual machine or physical machine cluster according to the service request for the target cryptographic service, so that the cluster starts the Docker image to complete the cryptographic operation and obtain the operation result.

Specifically, the software cryptographic resource is a virtual cryptographic machine (VHSM, Virtual Hardware Security Module). The cryptographic cloud service platform further includes a VHSM module. The VHSM module abstracts the cryptographic resources of the server cryptographic machines and cloud server cryptographic machines and re-partitions them, dividing those resources into a number of VHSMs, one VHSM for each tenant that makes a cryptographic service request.

The key management system of the VHSM is as follows:

FIG. 4 is a first schematic diagram of the correspondence between keys in a VHSM and keys in an HSM in the VHSM key management system provided by an embodiment of this application. By default a VHSM has 10 keys, and the number denotes the key number. The correspondence between keys in the VHSM and keys in the physical cryptographic machine (hardware security module, HSM) is shown in FIG. 4: although the key numbers in every VHSM are 1-10, the key numbers in the HSM they actually correspond to may differ. For example, VHSM1 has key numbers 1-10 that correspond to key numbers 1-10 of HSM1; VHSM2 has key numbers 1-10 that correspond to key numbers 11-20 of HSM2. FIG. 5 is a second schematic diagram of the correspondence between keys in a VHSM and keys in an HSM in the VHSM key management system provided by an embodiment of this application. Where one VHSM is associated with multiple HSMs, the key numbers in the VHSM may correspond to key numbers in different HSMs; as shown in FIG. 5, key numbers 1-10 in the VHSM correspond to key numbers 1-10 of HSM1, and key number 11 in the VHSM corresponds to key number 1 of HSM2.

FIG. 6 is a schematic diagram of the cryptographic service resource module in the cryptographic cloud service platform downloading a Docker image, provided by an embodiment of this application. Specifically, the process by which the cryptographic service resource module downloads the Docker image of the software cryptographic resource from the software cryptographic service image repository onto the designated virtual machine or physical machine cluster is shown in FIG. 6: the cryptographic service resource module issues an instruction to the virtual machine or physical machine cluster; the cluster requests the Docker image from the software cryptographic service image repository according to the instruction; the repository returns the Docker image to the designated cluster; and the cluster starts the Docker image according to the instruction and can also maintain the Docker image.

S303. If the type of cryptographic service resource applicable to the target cryptographic service is a hardware cryptographic resource, the virtual software cryptographic module makes a request to the hardware cryptographic resource according to the service request for the target cryptographic service, so as to invoke the hardware cryptographic resource to complete the cryptographic operation and obtain the operation result.

Specifically, hardware cryptographic resources include signature servers, time stamps, electronic seals and the like. Hardware cryptographic resources are further divided into shared hardware cryptographic resources and dedicated hardware cryptographic resources.

In summary, the cryptographic cloud service method provided by this application determines whether the cryptographic service resource applicable to the target cryptographic service is a software or a hardware cryptographic resource, and thereby provides a more precisely matched cryptographic service for the cryptographic service request made by the tenant's business system. Moreover, when the applicable resource type is a software cryptographic resource, the design of the VHSM key management system hides the physical cryptographic machines from the tenant and improves their utilization; when a tenant needs to expand its cryptographic machine capacity, the remaining keys of the physical cryptographic machines can be dynamically allocated to the VHSM, achieving dynamic allocation.
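The VHSM key numbering of FIG. 4 and FIG. 5 and the dynamic expansion just described, as an added example that is not the patent's code: each tenant sees only its own VHSM key numbers, the VHSM module translates them to physical HSM slots, and an expansion appends new key numbers backed by whichever HSMs still have free slots. HSM names, slot capacities and the greedy first-free-slot allocation policy are assumptions.

```python
"""Added example, not the patent's own code: the VHSM key management scheme
of FIG. 4 and FIG. 5, including dynamic allocation of remaining HSM key
slots to a VHSM when a tenant expands.  HSM names, capacities and the
allocation policy are constructed assumptions."""
from dataclasses import dataclass, field

DEFAULT_VHSM_KEYS = 10   # a VHSM exposes key numbers 1..10 by default


@dataclass
class HSM:
    """A physical cryptographic machine with numbered key slots."""
    name: str
    capacity: int
    allocated: set = field(default_factory=set)

    def free_slots(self):
        return [n for n in range(1, self.capacity + 1) if n not in self.allocated]


@dataclass
class VHSM:
    """Tenant-visible view: its own key numbers mapped to physical slots."""
    tenant: str
    key_map: dict = field(default_factory=dict)   # vhsm key no -> (hsm name, slot)


class KeyPool:
    """The VHSM module: abstracts and re-partitions the HSMs' key slots."""

    def __init__(self, hsms):
        self.hsms = {h.name: h for h in hsms}

    def total_free(self):
        return sum(len(h.free_slots()) for h in self.hsms.values())

    def provision(self, tenant, n_keys=DEFAULT_VHSM_KEYS):
        """One VHSM per tenant, numbered 1..n_keys regardless of which
        physical slots back them (FIG. 4)."""
        vhsm = VHSM(tenant)
        self.expand(vhsm, n_keys)
        return vhsm

    def expand(self, vhsm, n_keys):
        """Append n_keys new key numbers to the VHSM, taking free slots from
        whichever HSMs still have them, so one VHSM may span several HSMs
        (FIG. 5).  Allocation is all-or-nothing: if the pool cannot satisfy
        the request, no slot is taken and the VHSM is left unchanged."""
        if n_keys > self.total_free():
            raise RuntimeError(
                f"pool has {self.total_free()} free slots, {n_keys} requested")
        next_no = max(vhsm.key_map, default=0) + 1
        remaining = n_keys
        for hsm in self.hsms.values():
            for slot in hsm.free_slots():      # snapshot of free slots
                if remaining == 0:
                    break
                hsm.allocated.add(slot)
                vhsm.key_map[next_no] = (hsm.name, slot)
                next_no += 1
                remaining -= 1

    def resolve(self, vhsm, key_no):
        """Translate a tenant's VHSM key number into (HSM, slot).  The tenant
        only ever names its own VHSM key numbers; physical slot identity is
        never exposed, so one tenant cannot address another's slots."""
        if key_no not in vhsm.key_map:
            raise KeyError(f"key {key_no} is not allocated to VHSM of {vhsm.tenant}")
        return vhsm.key_map[key_no]
```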

FIG. 7 is a schematic structural diagram of the cryptographic cloud service platform provided by an embodiment of this application. As shown in FIG. 7, the cryptographic cloud service platform of this embodiment is used to perform the operations corresponding to the cryptographic cloud service platform in any of the above method embodiments, and includes: a unified API interface module 701, a virtual software cryptographic module 702 and a cryptographic service resource module 703.

The unified API interface module 701 is configured to receive the cryptographic service request sent by the business system.

The unified API interface module 701 is further configured to obtain, by the tenant identifier, the mapping between application systems and cryptographic services pre-configured by that tenant, and to query the mapping by the application system identifier to determine the corresponding target cryptographic service.

The unified API interface module 701 is further configured to send the service request for the target cryptographic service to the virtual software cryptographic module.

The virtual software cryptographic module 702 is configured to make a request to the cryptographic service resource module according to the service request for the target cryptographic service, so as to invoke the cryptographic service resource module to complete the cryptographic operation and obtain the operation result.

The cryptographic service resource module 703 is configured to return the operation result to the business system via the virtual software cryptographic module and then the unified API interface module.

In one possible implementation, the unified API interface module 701 is further configured to determine, from the service request derived from the cryptographic service request, the type of cryptographic service resource applicable to the target cryptographic service; the virtual software cryptographic module 702 is further configured to make a request to the applicable cryptographic service resource according to the service request for the target cryptographic service, so as to invoke that resource to complete the cryptographic operation and obtain the operation result; the types of cryptographic service resource include software cryptographic resources and hardware cryptographic resources.

In one possible implementation, the virtual software cryptographic module 702 is further configured to, if the type of cryptographic service resource applicable to the target cryptographic service is a software cryptographic resource, download the Docker image of the software cryptographic resource from the software cryptographic service image repository onto the designated virtual machine or physical machine cluster. The virtual software cryptographic module 702 then makes a request to the software cryptographic resource according to the service request for the target cryptographic service and starts the Docker image to complete the cryptographic operation and obtain the operation result.

In one possible implementation, the virtual software cryptographic module 702 is further configured to, if the type of cryptographic service resource applicable to the target cryptographic service is a hardware cryptographic resource, make a request to the hardware cryptographic resource according to the service request for the target cryptographic service, so as to invoke the hardware cryptographic resource to complete the cryptographic operation and obtain the operation result.

In one possible implementation, the cryptographic cloud service platform further includes a cryptographic cloud service system 704, configured to generate cryptographic service configuration information by configuring the mapping between each application system and the cryptographic services according to the different application systems created by the tenant, and to send the cryptographic service configuration information to the unified API interface module; the unified API interface module 701 is configured to store the cryptographic service configuration information, which includes the mapping between each application system and the cryptographic services.

In one possible implementation, the cryptographic cloud service system 704 is further configured to upload the Docker image file of the software cryptographic resource to the software cryptographic service image repository.

The cryptographic cloud service platform provided by the embodiments of this application can perform the above method embodiments; for its specific implementation principles and technical effects, refer to the above method embodiments, which are not repeated here.

FIG. 8 is a schematic diagram of the hardware structure of the cryptographic cloud service device provided by an embodiment of this application. As shown in FIG. 8, the cryptographic cloud service device is used to perform the operations corresponding to the cryptographic cloud service device in any of the above method embodiments, and may include: a memory 802 and a processor 801.

The memory 802 stores computer-executable instructions. The memory 802 may include high-speed random access memory (RAM) and may also include non-volatile memory (NVM), such as at least one disk memory; it may also be a USB flash drive, a removable hard disk, a read-only memory, a magnetic disk or an optical disc, etc.

The processor 801 executes the computer-executable instructions stored in the memory 802, so that the processor 801 performs the cryptographic cloud service method of the above embodiments; for details, refer to the related descriptions in the above method embodiments. The processor 801 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), etc. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in connection with the invention may be performed directly by a hardware processor, or by a combination of hardware and software modules in the processor.

Optionally, the memory 802 may be separate from or integrated with the processor 801.

When the memory 802 is a component separate from the processor 801, the cryptographic cloud service device may further include a bus 803. The bus 803 connects the memory 802 and the processor 801. The bus 803 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, etc. A bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, the bus in the drawings of this application is not limited to a single bus or a single type of bus.

The cryptographic cloud service device provided by this embodiment can be used to perform the above cryptographic cloud service method; its implementation and technical effects are similar and are not repeated here.

This application further provides a computer-readable storage medium storing a computer program/instructions which, when executed by a processor, implement the methods provided by the various embodiments above.

The computer-readable storage medium may be a computer storage medium or a communication medium. A communication medium includes any medium that facilitates transfer of a computer program from one place to another. A computer storage medium may be any available medium that a general-purpose or special-purpose computer can access. For example, the computer-readable storage medium is coupled to the processor so that the processor can read information from, and write information to, the storage medium. Of course, the computer-readable storage medium may also be an integral part of the processor. The processor and the computer-readable storage medium may reside in an application-specific integrated circuit (ASIC). In addition, the ASIC may reside in user equipment. Of course, the processor and the computer-readable storage medium may also exist as discrete components in a communication device.

Specifically, the computer-readable storage medium may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random-access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk or an optical disc. A storage medium may be any available medium that a general-purpose or special-purpose computer can access.

This application further provides a computer program product comprising a computer program/instructions stored in a computer-readable storage medium. At least one processor of a device may read the computer program/instructions from the computer-readable storage medium, and the at least one processor executes the computer program/instructions so that the device implements the methods provided by the various embodiments above.

In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into modules is only a logical functional division, and other divisions are possible in actual implementation, for example multiple modules may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatus or modules, and may be electrical, mechanical or in another form.

The modules may be physically separate, for example installed in different positions of one device, installed on different devices, distributed over multiple network units, or distributed over multiple processors. The modules may also be integrated, for example installed in the same device or integrated into one body of code. Each module may exist in the form of hardware or software, or may be implemented as a combination of software and hardware. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

When the modules are implemented as software functional modules, the integrated module may be stored in a computer-readable storage medium. The software functional modules stored in the storage medium include a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) or a processor to perform some of the steps of the methods of the various embodiments of this application.

It should be understood that although the steps in the flowcharts of the above embodiments are shown in sequence as indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated herein, there is no strict ordering restriction on these steps, and they may be performed in other orders. Moreover, at least some of the steps in the figures may include multiple sub-steps or stages, which are not necessarily completed at the same time but may be performed at different times, and whose order of execution is not necessarily sequential; they may be performed in turn or alternately with at least part of other steps or of the sub-steps or stages of other steps.

Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of this application, not to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that they may still modify the technical solutions described in the foregoing embodiments, or substitute equivalents for some or all of the technical features, and that such modifications or substitutions do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of this application.

Claims (10)

CN202310001264.8A2023-01-032023-01-03Password cloud service method, platform, equipment and storage mediumPendingCN115859261A (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202310001264.8A, CN115859261A (en) | 2023-01-03 | 2023-01-03 | Password cloud service method, platform, equipment and storage medium

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202310001264.8A, CN115859261A (en) | 2023-01-03 | 2023-01-03 | Password cloud service method, platform, equipment and storage medium

Publications (1)

Publication Number | Publication Date
CN115859261A (en) | 2023-03-28

Family

ID=85656708

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202310001264.8A, CN115859261A (en), Pending | Password cloud service method, platform, equipment and storage medium | 2023-01-03 | 2023-01-03

Country Status (1)

Country | Link
CN (1) | CN115859261A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN116389194A (en) * | 2023-06-06 | 2023-07-04 | 天津市天河计算机技术有限公司 | VPN service generation method, system, equipment and medium based on cloud computing platform
CN116389194B (en) * | 2023-06-06 | 2023-08-11 | 天津市天河计算机技术有限公司 | VPN service generation method, system, equipment and medium based on cloud computing platform
CN117527220A (en) * | 2023-11-20 | 2024-02-06 | 江苏新质信息科技有限公司 | Cloud password service method and system
CN118152072A (en) * | 2024-03-20 | 2024-06-07 | 杭州弗兰科信息安全科技有限公司 | Password service implementation method, device, equipment and storage medium
CN119603272A (en) * | 2024-11-25 | 2025-03-11 | 北京密码云芯科技有限公司 | Virtual cryptographic machine management method, device, equipment, medium and product

Similar Documents

Publication | Title
CN108737325B (en) | A multi-tenant data isolation method, device and system
CN112214293B (en) | Service deployment method under server-free architecture and function management platform
US9401954B2 (en) | Scaling a trusted computing model in a globally distributed cloud environment
US10394477B2 (en) | Method and system for memory allocation in a disaggregated memory architecture
CN115859261A (en) | Password cloud service method, platform, equipment and storage medium
CN111181975B (en) | An account management method, device, equipment and storage medium
CN110289983B (en) | Load balancing application creation method and device, computer equipment and storage medium
CN113691575B (en) | Communication method, device and system
WO2022111313A1 (en) | Request processing method and micro-service system
WO2019237594A1 (en) | Session persistence method and apparatus, and computer device and storage medium
CN110213250B (en) | Data processing method and terminal equipment
CN112099979A (en) | An access control method, apparatus, computer equipment and storage medium
CN111726266B (en) | Hotspot data bucketing method, system and computer equipment
CN111885184A (en) | Method and device for processing hot spot access keywords in high concurrency scene
US20250193193A1 (en) | Managed attestation service for compute instances
CN114281263A (en) | Storage resource processing method, system and equipment of container cluster management system
WO2021139264A1 (en) | Object storage control method and apparatus, computer device and storage medium
US11483205B1 (en) | Defragmentation of licensed resources in a provider network
CN108964904B (en) | Group key security management method, device, electronic device and storage medium
US10958654B1 (en) | Resource deletion protection service
WO2023092316A1 (en) | Third-party service login method and apparatus, terminal device, and storage medium
AU2021215265B1 (en) | Sharing resources between client devices in a virtual workspace environment
WO2023134144A1 (en) | Method for processing cloud service in cloud system, and related apparatus
US11113119B2 (en) | Managing computer resources
CN114885024A (en) | Routing method, device, equipment and medium of application example

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
