A digital certificate installation method and apparatus
By combining certificate data from terminal devices into a single target certificate for installation, the cumbersome certificate installation process in existing technologies is solved, user operation procedures are simplified, and user experience is improved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- CHINA IWNCOMM
- Filing Date
- 2020-05-27
- Publication Date
- 2026-07-10
AI Technical Summary
In existing technologies, installing a WAPI certificate on a terminal device requires installing a user certificate and an issuer certificate separately, which is cumbersome, results in a poor user experience, and is prone to errors.
The certificate receiving module and the certificate installation module combine the data from the first certificate file and the second certificate file into a set of target certificate data for installation. Users only need to perform a naming operation once, and can call the relevant data by selecting the name of the target certificate data when connecting to the network.
The naming process during certificate installation and the certificate selection process when connecting to the network have been simplified, improving the user experience.
Smart Images

Figure CN113746779B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of network communication, specifically to a digital certificate installation method and device. Background Technology
[0002] Wireless LAN Authentication and Privacy Infrastructure (WAPI) is a secure wireless LAN access technology. When a user's terminal device connects to a network with a WAPI certificate, both a user certificate and an issuer certificate need to be installed on the terminal device for authentication during the network connection process.
[0003] The most common certificate installation methods are as follows: The terminal device can receive the certificate file to be installed through applications such as communication software, browsers, and file managers. When the application detects that the user has triggered the operation of opening the certificate file, it sends a "open certificate file" request to the terminal device's operating system. The operating system forwards the request to the module associated with the certificate file type, which processes and installs the certificate file.
[0004] The following example uses the installation of a certificate file on a terminal device running the Android system. Figure 1 The illustrated procedure describes the existing certificate installation method described above. For example... Figure 1 As shown in Interface A, after the communication APP running on the terminal device receives the certificate file wapi_sta.cer, if it detects that the user clicks to trigger the opening of the certificate file, it will generate a "Open Certificate File" request and transmit it to the Android system. The certificate installer built into the Android system receives and processes the request, and pops up a "Name Certificate" dialog box as shown in Interface B on the display interface. After the user confirms that the certificate name has been entered, the certificate installer will install the certificate into the terminal device accordingly.
[0005] In practical applications, certificate installation typically requires executing the above process twice to install the user certificate and the issuer certificate separately. Specifically, the terminal device needs to respond to user input by sequentially opening the user certificate file and the issuer certificate file, and then naming both the user certificate and the issuer certificate. When connecting to the network, the user also needs to select the user certificate and the issuer certificate from the installed certificates. For users, this process is overly cumbersome, provides a poor user experience, and makes it highly likely that the wrong user certificate and / or issuer certificate will be selected. Summary of the Invention
[0006] This application provides a digital certificate installation method and device, which can simplify the operations required for users to install certificates and connect to the network, thereby improving the user experience.
[0007] In view of the above, the first aspect of this application provides a method for installing a digital certificate, the method comprising:
[0008] The certificate receiving module obtains the first and second certificate files to be installed.
[0009] When the certificate receiving module detects that an open operation is triggered for the first certificate file, it generates a first certificate file open request and transmits the first certificate file open request to the certificate installation module.
[0010] The certificate installation module obtains the first certificate data from the first certificate file based on the first certificate file open request, and stores the first certificate data in the private storage area of the certificate installation module.
[0011] When the certificate receiving module detects that an open operation has been triggered for the second certificate file, it generates a second certificate file open request and transmits the second certificate file open request to the certificate installation module.
[0012] The certificate installation module obtains the second certificate data from the second certificate file based on the second certificate file opening request; when it determines that the second certificate file is a matching certificate file, it reads the first certificate data from the private storage area, combines the first certificate data with the second certificate data to obtain a set of target certificate data, and provides the target certificate data to the certificate management module.
[0013] The certificate management module obtains the target certificate name configured for the target certificate data, and transmits the target certificate data to the certificate storage module based on the target certificate name, and the certificate storage module stores the target certificate data.
[0014] A second aspect of this application provides an apparatus comprising: a certificate receiving module, a certificate installation module, a certificate management module, and a certificate storage module;
[0015] The certificate receiving module is used to obtain the first certificate file and the second certificate file to be installed;
[0016] The certificate receiving module is further configured to generate a first certificate file opening request when an open operation is detected for the first certificate file, and transmit the first certificate file opening request to the certificate installation module;
[0017] The certificate installation module is used to obtain first certificate data from the first certificate file based on the first certificate file open request, and store the first certificate data in the private storage area of the certificate installation module.
[0018] The certificate receiving module is further configured to generate a second certificate file opening request when an opening operation is detected for the second certificate file, and transmit the second certificate file opening request to the certificate installation module;
[0019] The certificate installation module is further configured to obtain second certificate data from the second certificate file based on the second certificate file opening request; when it is determined that the second certificate file is a matching certificate file, read the first certificate data from the private storage area, combine the first certificate data and the second certificate data to obtain a set of target certificate data, and provide the target certificate data to the certificate management module;
[0020] The certificate management module is used to obtain the target certificate name configured for the target certificate data, and to transfer the target certificate data to the certificate storage module based on the target certificate name;
[0021] The certificate storage module is used to store the target certificate data.
[0022] A third aspect of this application provides an apparatus, the apparatus including a processor and a memory;
[0023] The memory is used to store computer programs;
[0024] The processor is configured to execute the digital certificate installation method described in the first aspect above according to the computer program.
[0025] A fourth aspect of this application provides a computer-readable storage medium, characterized in that the computer-readable storage medium is used to store a computer program, the computer program being used to execute the digital certificate installation method described in the first aspect above.
[0026] As can be seen from the above technical solutions, the embodiments of this application have the following advantages:
[0027] In the digital certificate installation method provided in this application embodiment, when the terminal device opens and installs the first certificate file and the second certificate file, the first certificate data in the first certificate file and the second certificate data in the second certificate file are combined into a set of target certificate data for installation. The user only needs to perform a naming operation on this set of target certificate data once, thus greatly simplifying the naming operation required by the user during the digital certificate installation process. Furthermore, when the terminal device subsequently connects to the certificate network, the user can simultaneously call the first and second certificate data in a set of certificate data by selecting its name. Compared to the implementation method of calling two certificate data separately by selecting their names, the method provided in this application embodiment also greatly simplifies the certificate selection operation required by the user when connecting to the certificate network. Attached Figure Description
[0028] Figure 1 A schematic diagram of the user interface for installing certificates on terminal devices in existing technologies;
[0029] Figure 2 A schematic diagram of the deployment structure of the certificate receiving module, certificate installation module, certificate management module and certificate storage module provided in the embodiments of this application in a terminal device;
[0030] Figure 3a An implementation framework diagram of an implementation scheme provided in an embodiment of this application;
[0031] Figure 3b An implementation framework diagram of another implementation scheme provided in the embodiments of this application;
[0032] Figure 4 A flowchart illustrating one implementation scheme provided in an embodiment of this application;
[0033] Figure 5 A schematic diagram of a certificate installation interface provided in an embodiment of this application;
[0034] Figure 6 A schematic diagram of a password input interface provided in an embodiment of this application;
[0035] Figure 7 A schematic diagram of an interface prompting for the selection of a second certificate file is provided for an embodiment of this application;
[0036] Figure 8 A schematic diagram of a certificate naming interface provided in an embodiment of this application;
[0037] Figure 9 A schematic diagram of the certificate storage process provided in this application embodiment;
[0038] Figure 10This application provides an example of an interface indicating successful certificate installation.
[0039] Figure 11 A flowchart illustrating another implementation scheme provided in this application embodiment;
[0040] Figure 12 This is a schematic diagram of another certificate installation interface provided in an embodiment of this application;
[0041] Figure 13 This is a schematic diagram of the structure of a device provided in an embodiment of this application. Detailed Implementation
[0042] To enable those skilled in the art to better understand the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present application, and not all embodiments. Based on the embodiments in the present application, all other embodiments obtained by those of ordinary skill in the art without creative effort are within the scope of protection of the present application.
[0043] The terms “first,” “second,” “third,” “fourth,” etc. (if present) in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of this application described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms “comprising” and “having,” and any variations thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.
[0044] In existing technologies, installing a WAPI certificate on a terminal device requires installing both a user certificate and an issuer certificate separately. This process necessitates naming both the user certificate and the issuer certificate separately. Correspondingly, when connecting to a WAPI certificate-based network, the terminal device needs to select the required user certificate and issuer certificate from the installed certificates based on their respective certificate names. For users, these certificate naming and selection operations are overly cumbersome, resulting in a poor user experience and a high risk of selecting the wrong user certificate and / or issuer certificate.
[0045] To address the problems existing in the prior art, this application provides a digital certificate installation method. This method can effectively simplify the certificate naming operation required during certificate installation and the certificate selection operation required during certificate network connection, thereby improving the user experience.
[0046] Specifically, in the digital certificate installation method provided in this application embodiment, after the certificate receiving module obtains the first certificate file and the second certificate file to be installed, if it detects that a user has triggered an open operation on the first certificate file, it generates a first certificate file open request accordingly and transmits the first certificate file open request to the certificate installation module. The certificate installation module can obtain first certificate data from the first certificate file based on the first certificate file open request and store the first certificate data in its own private storage area. If the certificate receiving module detects that a user has triggered an open operation on the second certificate file, it generates a second certificate file open request accordingly and transmits the second certificate file open request to the certificate installation module. The certificate installation module can obtain second certificate data from the second certificate file based on the second certificate file open request, and if it determines that the second certificate file is a matching certificate file for the first certificate file, it reads the first certificate data from its private storage area, combines the first certificate data with the second certificate data to obtain a set of target certificate data, and then provides the target certificate data to the certificate management module. The certificate management module obtains the target certificate name configured by the user for this set of target certificate data, and transmits the target certificate data to the certificate storage module based on the target certificate name, whereby the certificate storage module stores the set of target certificate data.
[0047] Compared to existing implementations, the digital certificate installation method provided in this application combines the first certificate data from the first certificate file and the second certificate data from the second certificate file into a single target certificate set for installation. Users only need to perform a single naming operation on this target certificate set, greatly simplifying the certificate naming process. Correspondingly, when connecting to a certificate network, users can simultaneously access both the first and second certificate data within a given set by selecting its name, further simplifying the certificate selection process.
[0048] It should be noted that in practical applications, the certificate receiving module, certificate installation module, certificate management module, and certificate storage module are deployed on the same terminal device, which can be a mobile phone, tablet computer, personal digital assistant (PDA), etc., with network connectivity.
[0049] The certificate receiving module, certificate installation module, certificate management module, and certificate storage module described below are respectively introduced. (See also...) Figure 2 , Figure 2 This diagram illustrates the deployment structure of the certificate receiving module, certificate installation module, certificate management module, and certificate storage module within a terminal device.
[0050] The certificate receiving module 201 runs as an APP user on the terminal device. It can receive certificate files from external sources and respond to user operations by opening the certificate files and generating a certificate file open request. Specifically, the certificate receiving module 201 can be an APP on the terminal device with file receiving capabilities, such as a communication APP, browser, file manager, etc.
[0051] The certificate installation module 202 runs as an APP user on the terminal device. It can receive certificate file opening requests generated by the certificate receiving module 201, process the certificate file accordingly based on the certificate file opening request, and then call the certificate management module 203 to perform certificate management and installation operations.
[0052] The certificate management module 203 runs as the "system" user on the terminal device and is primarily used to implement certificate management functions. In one possible implementation, the certificate management module 203 can perform certificate data management and installation operations based on a certificate installation request from the certificate installation module 202. In another possible implementation, the certificate management module 203 can process certificate files accordingly based on a certificate file open request from the certificate receiving module 201, thereby performing certificate data management and installation operations. The "system" user has higher access rights to system resources than the APP user.
[0053] The certificate storage module 204 is a built-in module of the terminal device, which can store certificate data in a secure storage area or other types of storage areas. The following embodiments illustrate the use of storing certificate data in a secure storage area to ensure the security of the certificate data.
[0054] This application provides two implementation schemes based on the certificate receiving module 201, certificate installation module 202, certificate management module 203, and certificate storage module 204 described above. The implementation framework of the first scheme is as follows: Figure 3a As shown, the implementation framework of the second implementation scheme is as follows: Figure 3b As shown.
[0055] like Figure 3aAs shown, in the first implementation scheme provided in this application, the certificate installation module 202 and the certificate management module 203 are different modules. The certificate installation module 202 is an independent non-system-level APP, while the certificate management module 203 is a system-level APP. In this implementation scheme, the certificate receiving module 201 transmits its generated certificate file opening request to the certificate installation module 202. After the certificate installation module 202 processes the certificate file, it calls the certificate management module 203 to perform certificate management and installation operations. Finally, the certificate management module 203 calls the certificate storage module 204 to install the certificate to the secure storage area. Figure 3a The application scenario is that users can conveniently and quickly install certificates and use them to connect to the network by additionally installing a certificate installation module on a terminal device (such as a mobile phone). Its advantage is that users do not need to upgrade or modify the system of the terminal device; they can simply implement the solution of this invention by installing an APP on the terminal device.
[0056] like Figure 3b As shown, in the second implementation scheme provided in this application, the certificate installation module 202 and the certificate management module 203 are the same module, that is, the certificate management module 203, which is a system-level APP, integrates the functions of the certificate installation module 202. In this implementation scheme, the certificate receiving module 201 directly transmits the request to open the generated certificate file to the certificate management module 203, which processes the certificate file, performs certificate management and installation operations, and finally calls the certificate storage module 204 to install the certificate to the secure storage area. Figure 3b The application scenario is as follows: the certificate installation module is integrated into the certificate management module, which can be pre-installed in the terminal device system by the terminal device manufacturer. Therefore, users can conveniently and quickly install certificates and use certificates to connect to the network using the terminal device. Its advantage is that users do not need to install the certificate installation module separately on the terminal device to implement the solution of this invention, and the execution efficiency is higher when using the terminal device to install certificates.
[0057] The first and second implementation schemes described above will be explained in detail below through examples.
[0058] See Figure 4 , Figure 4 This is a flowchart illustrating the first implementation scheme in the embodiments of this application. For example... Figure 4 As shown, the first implementation scheme includes the following steps:
[0059] Step 401: The certificate receiving module obtains the first certificate file and the second certificate file to be installed.
[0060] The certificate receiving module can obtain the first and second certificate files to be installed from external sources, such as receiving first and second certificate files sent by other devices. In scenarios connecting to networks using WAPI certificate types, the first certificate file is either a user certificate or an issuer certificate, and the second certificate file is either a user certificate or an issuer certificate.
[0061] Step 402: When the certificate receiving module detects that an open operation is triggered for the first certificate file, it generates a first certificate file open request and transmits the first certificate file open request to the certificate installation module.
[0062] For example, when the certificate receiving module detects that a user has triggered an open operation on the first certificate file, it can generate a first certificate file open request accordingly and transmit the first certificate file open request to the certificate installation module.
[0063] In practice, the certificate receiving module can generate a first certificate file open request based on the first certificate file. This open request includes the Uniform Resource Identifier (URI) and data type of the first certificate file. The URI identifies the path to obtain the first certificate file. The certificate receiving module then transmits this open request to the operating system of the terminal device. The operating system determines the certificate installation module based on the data type of the first certificate file and subsequently transmits the open request to that module.
[0064] In practical applications, if the operating system finds only one module that can process the first certificate file based on its data type, the operating system can directly identify that module as the certificate installation module and send the request to open the first certificate file to that certificate installation module.
[0065] If the operating system finds multiple candidate processing modules that can process the first certificate file based on the data type of the first certificate file, the operating system will display a screen listing these candidate processing modules, and finally determine the module selected by the user in the display screen as the certificate installation module.
[0066] To facilitate understanding of the implementation of steps 401 and 402 above, the following example uses the method provided in this application embodiment applied to a terminal device based on the Android system. Figure 5 The operation interface shown provides an example of how steps 401 and 402 are implemented.
[0067] like Figure 5As shown in interface (a), the terminal device can receive the user certificate file wapi_sta.cer and the issuer certificate file wapi_ca.cer through the communication APP (i.e., the certificate receiving module). If the communication APP detects that the user clicks on the user certificate file wapi_sta.cer, it can determine that the user has triggered an open operation for the user certificate file wapi_sta.cer, and then generate the corresponding certificate file open request, that is, generate the corresponding Intent object, and configure the Intent Action of the Intent object and the data and data type it carries. The configuration table of the Intent object is shown in Table 1:
[0068] Table 1
[0069]
[0070] It should be noted that an Intent object is essentially a message passing object used to request certain operations from other application components in the terminal device. In this embodiment, the Intent object is used to send a request to the terminal device's operating system to open the certificate file. The URI represents the read path of various available resources in the operating system. The data type MIME type represents the type of various resources in the operating system.
[0071] After the communication app sends its generated Intent object to the operating system, the operating system will locate the module that can process the user certificate file wapi_sta.cer based on the data type carried in the Intent object. Specifically, each processing module in the terminal device can configure the relevant settings in its AndroidManifest.xml file. <intent-filter>The tags indicate the data types that each processing module can handle. Based on this, the operating system can find candidate processing modules in the terminal device that can handle the user certificate file wapi_sta.cer according to the data types carried in the Intent object.
[0072] Then, the candidate processing modules are listed on the display interface of the terminal device, such as Figure 5 The interface shown in (b) is as follows. That is, Figure 5 When the user clicks on the user certificate file wapi_sta.cer in interface (a), Figure 5 In interface (b), the "Select another application to open" display will pop up. "WAPI Certificate Installation Service" corresponds to the certificate installation module for non-system apps, "WAPI Certificate Management" corresponds to the certificate management module for system apps, and "Certificate Installer" corresponds to the native certificate installation module in the Android system. Users can select the certificate installation module that processes the user certificate file wapi_sta.cer from the candidate processing modules listed on the display interface, i.e., select "WAPI Certificate Installation Service." The operating system will then transmit the Intent object generated by the communication app to this certificate installation module.
[0073] It should be understood that if the user is Figure 5 On the interface (a), select to trigger the opening of the issuer certificate file wapi_ca.cer. The operation process of the terminal device is similar to the above operation process, and will not be repeated here.
[0074] Step 403: Based on the first certificate file open request, the certificate installation module obtains the first certificate data from the first certificate file and stores the first certificate data in the private storage area of the certificate installation module.
[0075] Specifically, since the first certificate file open request carries the data type of the first certificate file, the certificate installation module can first determine whether the first certificate file is an encrypted certificate based on its data type. If it is determined that the first certificate file is not an encrypted certificate, the certificate installation module can read the first certificate file and obtain the first certificate data through the URI of the first certificate file carried in the first certificate file open request. If it is determined that the first certificate file is an encrypted certificate, a password input interface needs to be displayed. The certificate installation module obtains the target password entered by the user through this password input interface, reads the first certificate file through the URI of the first certificate file carried in the first certificate file open request, and then uses the target password to decrypt the first certificate file and obtain the first certificate data.
[0076] It should be noted that in scenarios connecting to networks using WAPI certificates, when the certificate installation module determines that the first certificate file is a user certificate based on the first certificate data, the first certificate data specifically includes user certificate data and user private key data, which are then stored in the certificate installation module's private storage area. Similarly, when the certificate installation module determines that the first certificate file is an issuer certificate based on the first certificate data, the first certificate data specifically includes issuer certificate data, which is then stored in the certificate installation module's private storage area.
[0077] After the certificate installation module stores the first certificate data in its private storage area, it can further prompt the user to install a second certificate file that matches the first certificate file. For example, in a scenario connecting to a network using WAPI certificates, when the first certificate file is determined to be a user certificate based on the first certificate data, the certificate installation module can control the terminal device to display a first prompt message. This first prompt message prompts the user to continue selecting an issuer certificate so that the user certificate and issuer certificate can be installed with the same name. When the first certificate file is determined to be an issuer certificate based on the first certificate data, the certificate installation module can control the terminal device to display a second prompt message. This second prompt message prompts the user to continue selecting a user certificate so that the issuer certificate and user certificate can be installed with the same name.
[0078] To facilitate understanding of how step 403 is implemented, the following will use... Figure 5 Based on the exemplary content corresponding to the shown user interface, further combined with Figure 6 and Figure 7 The operation interface shown provides an example of how step 403 is implemented.
[0079] After receiving the Intent object transmitted by the operating system, the certificate installation module can obtain the URI and MIME type corresponding to the user certificate file wapi_sta.cer from the data and data type carried by the Intent object. The certificate installation module can then determine whether the certificate file is in PEM or PKCS#12 format based on the MIME type. PEM format certificates are not encrypted, while PKCS#12 format certificates are. In this example, if the certificate is determined to be in PEM format, the certificate installation module can directly read the user certificate file wapi_sta.cer from the URI and obtain the certificate data. If the certificate is determined to be in PKCS#12 format, a pop-up message will appear. Figure 6 The password dialog box shown above, after detecting that the user has completed the password input and clicked the "OK" control, the certificate installation module obtains the target password entered by the user in the password dialog box, reads the certificate file according to the URI, and uses the obtained target password to parse the certificate data from the certificate file.
[0080] Because the certificate data contains information used to determine whether a certificate is a user certificate or an issuer certificate, the certificate installation module can determine whether the certificate file is a user certificate or an issuer certificate based on the certificate data. In scenarios connecting to networks using WAPI certificate types, if the certificate file is determined to be a user certificate, the certificate data retrieved from the certificate file includes the user certificate data and the user's private key data, and these two parts of data are saved to the certificate installation module's private storage area. If the certificate file is determined to be an issuer certificate, the certificate data retrieved from the certificate file is the issuer certificate data, and this part of the data is also saved to the certificate installation module's private storage area.
[0081] When the certificate installation module stores user certificate data and user private key data in the private storage area, the certificate installation module can control the terminal device to display, as shown below. Figure 7 The displayed prompt interface tells the user, "A user certificate has been selected. Please continue to select the issuer certificate. The system will install both certificates with a unified name." Similarly, when the certificate installation module stores issuer certificate data in the private storage area, the certificate installation module can control the terminal device to display the corresponding prompt interface, telling the user, "An issuer certificate has been selected. Please continue to select the user certificate. The system will install both certificates with a unified name."
[0082] Step 404: When the certificate receiving module detects that an open operation is triggered for the second certificate file, it generates a second certificate file open request and transmits the second certificate file open request to the certificate installation module.
[0083] For example, when the certificate receiving module subsequently detects that the user has triggered an open operation on the second certificate file, it can generate a second certificate file open request accordingly and transmit the second certificate file open request to the certificate installation module.
[0084] It should be noted that the specific implementation process of step 404 is the same as that of step 402, and will not be repeated here. For details, please refer to the relevant introduction in step 402.
[0085] Step 405: The certificate installation module obtains the second certificate data from the second certificate file based on the second certificate file open request; when it is determined that the second certificate file is a matching certificate file, it reads the first certificate data from the private storage area, combines the first certificate data and the second certificate data to obtain a set of target certificate data, and provides the target certificate data to the certificate management module.
[0086] Upon receiving a request to open the second certificate file, the certificate installation module can obtain the second certificate data from the file. Then, it determines whether the second certificate file is a matching certificate file corresponding to the first certificate file. If so, the certificate installation module can read the stored first certificate data from its private storage area and combine it with the second certificate data to obtain a set of target certificate data, which is then provided to the certificate management module.
[0087] Specifically, the operation of the certificate installation module to obtain the second certificate data from the second certificate file is the same as the operation of the certificate installation module to obtain the first certificate data from the first certificate file in step 403 above, and will not be repeated here. For details, please refer to the relevant introduction in step 403.
[0088] It should be noted that the aforementioned supporting certificate file is usually determined based on the first certificate data. In scenarios connecting to networks using WAPI certificate types, when the first certificate file is determined to be a user certificate based on the first certificate data, the supporting certificate file should be an issuer certificate; when the first certificate file is determined to be an issuer certificate based on the first certificate data, the supporting certificate file should be a user certificate.
[0089] Specifically, if the certificate installation module determines that the first certificate file is a user certificate, it can determine whether the second certificate file is an issuer certificate based on the obtained second certificate data. If so, the second certificate data is specifically issuer certificate data, and the certificate installation module reads the stored user certificate data and user private key data from its private storage area. Then, it calls the "Install Certificate" interface of the certificate management module, providing the interface parameters: user certificate data, issuer certificate data, user private key data, and a default target certificate name (which can be set to an empty string or generated according to a certain rule), to provide the combined target certificate data to the certificate management module.
[0090] If the certificate installation module determines that the first certificate file is an issuer certificate, it can then determine whether the second certificate file is a user certificate based on the obtained second certificate data. If so, the second certificate data specifically consists of user certificate data and user private key data. The certificate installation module then reads the stored issuer certificate data from its private storage area. Next, it calls the "Install Certificate" interface of the certificate management module, providing the interface parameters: user certificate data, issuer certificate data, user private key data, and a default target certificate name (which can be set to an empty string or generated according to a certain rule), to provide the combined target certificate data to the certificate management module.
[0091] It should be noted that in practical applications, if the certificate installation module determines that the second certificate file is not a matching certificate file corresponding to the first certificate file, the certificate installation module can use the second certificate data to replace the first certificate data already stored in the private storage area.
[0092] Specifically, in scenarios involving WAPI certificate-type networks, if the certificate installation module determines that the first certificate file is a user certificate, and if the certificate installation module determines that the second certificate file is also a user certificate based on the second certificate data, then the second certificate data obtained by the certificate installation module from the second certificate file specifically consists of user certificate data and user private key data. This user certificate data and user private key data are then used to replace the user certificate data and user private key data already stored in its private storage area.
[0093] If the certificate installation module determines that the first certificate file is an issuer certificate, and if the certificate installation module determines that the second certificate file is also an issuer certificate based on the second certificate data, then the second certificate data obtained by the certificate installation module from the second certificate file is specifically issuer certificate data, and the issuer certificate data already stored in its private storage area is replaced with the issuer certificate data.
[0094] Furthermore, if the second certificate file is not a matching certificate file corresponding to the first certificate file, the certificate installation module can also prompt the user to continue selecting the second certificate file. For example, assuming that both the second and first certificate files are user certificates, the certificate installation module can display a prompt message on the terminal device's display interface to encourage the user to continue selecting the issuer certificate.
[0095] Step 406: The certificate management module obtains the target certificate name configured for the target certificate data, and transmits the target certificate data to the certificate storage module based on the target certificate name, and the certificate storage module stores the target certificate data.
[0096] After the certificate management module receives the target certificate data provided by the certificate installation module, it can prompt the user to name the target certificate data and obtain the target certificate name configured by the user for the target certificate data. Then, it transmits the target certificate data to the certificate storage module according to the target certificate name, and the certificate storage module stores the target certificate data accordingly.
[0097] To ensure the correctness and compatibility of certificate installation, and to prevent users from being unable to connect to the network due to mismatches in the target certificate data, the certificate management module, after obtaining the target certificate data, can first verify the compatibility of the first and second certificate data within the target certificate data. If the verification result indicates that the first and second certificate data match, the certificate naming interface is further displayed, allowing users to configure the target certificate name for this set of target certificate data. If the verification result indicates that the first and second certificate data do not match, a message is displayed indicating that the certificate installation has failed.
[0098] The matching verification method for the first certificate data and the second certificate data in the target certificate data is as follows: perform signature verification based on the first certificate data and the second certificate data. If the signature verification fails, it is determined that the first certificate data and the second certificate data do not match. If the signature verification passes, it is determined that the first certificate data and the second certificate data match.
[0099] Specifically, in scenarios involving WAPI certificate-type networks, when the first certificate file is a user certificate and the second certificate file is an issuer certificate; or, when the first certificate file is an issuer certificate and the second certificate file is a user certificate, in either case, the signature verification based on the first certificate data and the second certificate data specifically involves the certificate management module using the public key of the issuer certificate in the issuer certificate data to verify the signature value of the user certificate in the user certificate data.
[0100] It should be noted that the embodiments of the present invention also provide another implementation method for verifying whether the first certificate data and the second certificate data in the target certificate data match. That is, before performing signature verification based on the first certificate data and the second certificate data, it is necessary to first determine whether the first target field in the first certificate data matches the second target field in the second certificate data. If they do not match, it is determined that the first certificate data and the second certificate data do not match. If they match, signature verification can be further performed based on the first certificate data and the second certificate data. If the signature verification fails, it is determined that the first certificate data and the second certificate data do not match. If the signature verification passes, it is determined that the first certificate data and the second certificate data match.
[0101] Specifically, in scenarios connecting to networks using WAPI certificate types, when the first certificate file is a user certificate and the second certificate file is an issuer certificate; or, when the first certificate file is an issuer certificate and the second certificate file is a user certificate, in either case, the certificate management module can first determine whether the "issuer field" of the user certificate data is the same as the "holder field" of the issuer certificate data. If they are different, it is determined that the user certificate data and the issuer certificate data do not match, which is equivalent to the first certificate data and the second certificate data not matching. If they are the same, the next step is executed: signature verification is performed based on the first certificate data and the second certificate data. The specific implementation method for signature verification based on the first certificate data and the second certificate data is as described above and will not be repeated here.
[0102] After the matching verification between the first certificate data and the second certificate data in the target certificate data is successful, the certificate management module can control the terminal device to display the certificate naming interface. An example certificate naming interface is as follows: Figure 8 As shown. Figure 8 The certificate name input box in the certificate naming interface can display the default target certificate name. Users can use this default target certificate name or re-enter the target certificate name in the certificate name input box, such as NAME1. After the user clicks the OK control, the certificate management module can name the certificate data in the target certificate data according to certain rules based on the target certificate name.
[0103] For example, user certificate data can be named "WAPI_USRCERT_" + target certificate name, issuer certificate data can be named "WAPI_CACERT_" + target certificate name, and user private key data can be named "WAPI_USRPKEY_" + target certificate name. When a user... Figure 8 When the target certificate name is set to NAME1 in the certificate naming interface shown, the names of each data in the target certificate data are as follows: WAPI_USRCERT_NAME1 (user certificate data), WAPI_CACERT_NAME1 (issuer certificate data), and WAPI_USRPKEY_NAME1 (user private key data).
[0104] Finally, the certificate management module calls the certificate storage module, which stores the first and second certificate data from the target certificate data into the secure storage area according to the target certificate name. For example... Figure 9 As shown, the certificate management module transmits the user certificate data, issuer certificate data, and user private key data (named according to the target certificate name) to the certificate storage module. The certificate storage module then stores these data in the system's internal secure storage area. After the target certificate data installation is complete, the terminal device successfully installs the certificate, for example, displaying... Figure 10 The prompt interface shown.
[0105] It should be noted that if the terminal device subsequently detects that the user has triggered a network operation based on the target certificate name, the network module in the terminal device can call the aforementioned certificate storage module to obtain the user certificate data, issuer certificate data, and user private key data named according to the target certificate name. For example, assuming the user triggers a connection to a network using a WAPI certificate type based on NAME1, the network module in the terminal device can call the certificate storage module to obtain WAPI_USRCERT_NAME1 (user certificate data), WAPI_CACERT_NAME1 (issuer certificate data), and WAPI_USRPKEY_NAME1 (user private key data) based on NAME1.
[0106] It should be noted that if the terminal device detects that the user has triggered an operation to enumerate the installed certificate files, the certificate management module can display the certificate enumeration interface accordingly. The enumerated information in the certificate enumeration interface includes the target certificate names of all certificates stored in the certificate storage module.
[0107] When installing a certificate using the digital certificate installation method provided in this application, the first certificate data from the first certificate file and the second certificate data from the second certificate file can be combined into a set of target certificate data for installation. The user only needs to perform a naming operation on this set of target certificate data once, greatly simplifying the certificate naming operation required by the user. Correspondingly, when connecting to a certificate network, the user can simultaneously call the first and second certificate data from a set of certificate data by selecting its name, also greatly simplifying the certificate selection operation required by the user. Obviously, the concept of this invention is also applicable to scenarios where it is necessary to combine certificate data from more certificate files into a set of target certificate data for installation.
[0108] See Figure 11 , Figure 11 This is a flowchart illustrating the second implementation scheme in the embodiments of this application. For example... Figure 11 As shown, the second implementation scheme includes the following steps:
[0109] Step 1101: The certificate receiving module obtains the first certificate file and the second certificate file to be installed.
[0110] The implementation method of step 1101 and Figure 4 The implementation of step 401 in the illustrated embodiment is the same; for details, please refer to the description of step 401.
[0111] Step 1102: When the certificate receiving module detects that an open operation is triggered for the first certificate file, it generates a first certificate file open request and transmits the first certificate file open request to the certificate management module.
[0112] The implementation method of step 1102 is the same as Figure 4 The implementation of step 402 in the illustrated embodiment is similar; for details, please refer to the relevant description of step 402. The difference between step 402 and step 1102 is that, in Figure 4 In the illustrated embodiment, the certificate receiving module transmits its generated first certificate file open request to the certificate installation module, while... Figure 11 In the illustrated embodiment, the certificate receiving module transmits the request to open the first certificate file it generates to the certificate management module.
[0113] The following example uses Android-based terminal devices, combined with... Figure 12 The operation interface shown provides an exemplary description of the specific implementation method of step 1102 in the second implementation scheme.
[0114] like Figure 12 As shown in interface (a), the terminal device can receive the user certificate file wapi_sta.cer and the issuer certificate file wapi_ca.cer through the communication APP (i.e., the certificate receiving module). If the communication APP detects that the user clicks on the user certificate file wapi_sta.cer, it can determine that the user has triggered an open operation for the user certificate file wapi_sta.cer, and then generate a corresponding certificate file open request and transmit it to the terminal device's operating system. The operating system can find the candidate processing modules that can process the user certificate file wapi_sta.cer based on the data type carried in the certificate file open request, and pop up a display interface listing these candidate processing modules, such as... Figure 12 The interface shown in (b) is as follows. If the operating system detects that the user has selected "WAPI Certificate Management" in interface (b), it will further transmit the request to open the certificate file to the certificate management module.
[0115] Step 1103: Based on the first certificate file open request, the certificate management module obtains the first certificate data from the first certificate file and stores the first certificate data in the private storage area of the certificate management module.
[0116] The implementation method of step 1103 is the same as Figure 4 The implementation of step 403 in the illustrated embodiment is similar; for details, please refer to the relevant description of step 403. The difference between step 403 and step 1103 lies in the module executing this step and the storage location of the first certificate data. Figure 4 In the illustrated embodiment, the certificate installation module obtains the first certificate data from the first certificate file based on the first certificate file open request, and temporarily stores the first certificate data in the certificate installation module's private storage area; while Figure 11 In the embodiment shown, the certificate management module obtains the first certificate data from the first certificate file based on the first certificate file open request, and temporarily stores the first certificate data in the private storage area of the certificate management module.
[0117] Step 1104: When the certificate receiving module detects that an open operation is triggered for the second certificate file, it generates a second certificate file open request and transmits the second certificate file open request to the certificate management module.
[0118] The implementation method of step 1104 and Figure 4 The implementation of step 404 in the illustrated embodiment is similar; for details, please refer to the relevant description of step 404. The difference between step 404 and step 1104 is that, in Figure 4 In the illustrated embodiment, the certificate receiving module transmits its generated second certificate file opening request to the certificate installation module, while... Figure 11 In the illustrated embodiment, the certificate receiving module transmits the request to open the second certificate file it generates to the certificate management module.
[0119] Step 1105: The certificate management module obtains the second certificate data from the second certificate file based on the second certificate file opening request; when it is determined that the second certificate file is a matching certificate file, it reads the first certificate data from the private storage area and combines the first certificate data with the second certificate data to obtain a set of target certificate data.
[0120] The implementation method of step 1105 is the same as Figure 4 The implementation of step 405 in the illustrated embodiment is similar; for details, please refer to the relevant description of step 405. The difference between step 405 and step 1105 is that, in Figure 4 In the illustrated embodiment, the certificate installation module obtains the second certificate data from the second certificate file based on the second certificate file open request, and retrieves the stored first certificate data from the certificate installation module's private storage area to combine with the second certificate data to obtain a set of target certificate data. Furthermore, this set of target certificate data needs to be provided to the certificate management module. Figure 11 In the illustrated embodiment, the certificate management module retrieves the second certificate data from the second certificate file based on the second certificate file open request, and combines the stored first certificate data with the second certificate data from the certificate management module's private storage area to obtain a set of target certificate data. The certificate management module can also generate a default target certificate name according to certain rules. Furthermore, since this step is itself performed by the certificate management module, the operation of providing the target certificate data to the certificate management module can be omitted.
[0121] Step 1106: The certificate management module obtains the target certificate name configured for the target certificate data, and transmits the target certificate data to the certificate storage module based on the target certificate name, and the certificate storage module stores the target certificate data.
[0122] The implementation method of step 1106 and Figure 4 The implementation of step 406 in the illustrated embodiment is the same; for details, please refer to the description of step 406.
[0123] When installing a certificate using the digital certificate installation method provided in this application, the first certificate data in the first certificate file and the second certificate data in the second certificate file can be combined into a set of target certificate data for installation. The user only needs to perform a naming operation on this set of target certificate data once, greatly simplifying the certificate naming operation required by the user. Correspondingly, when connecting to a certificate network, the user can simultaneously call the first and second certificate data in a set of certificate data by selecting its name, also greatly simplifying the certificate selection operation required by the user.
[0124] The design requirements for the system-level processing modules, namely the certificate management module and the certificate storage module, in this application are illustrated below.
[0125] Design requirements for the certificate management module:
[0126] First, the certificate management module can provide a set of certificate management interfaces to the application layer APP, so that the application layer APP can easily use the certificate management function.
[0127] Second, the certificate management module can include an "Install Certificate" interface and a "Enumerate Certificates" interface. The parameters of the "Install Certificate" interface, as shown in Table 2, include user certificate data, issuer certificate data, user private key data, and the alias of this certificate (i.e., the target certificate name mentioned above). For example, the certificate management module can name each part of the certificate data according to the following rules: if the alias of this certificate is NAME1, then the three parts of the certificate data can be named as: WAPI_USRCERT_NAME1 (user certificate data), WAPI_CACERT_NAME1 (issuer certificate data), and WAPI_USRPKEY_NAME1 (user private key data). The certificate management module can call the certificate storage module to store the named certificate data. Calling the "Install Certificate" interface of the certificate management module will correspondingly trigger the certificate management module to store the certificate through the certificate storage module. The parameters of the "Enumerate Certificates" interface, as shown in Table 3, can be used by the certificate management module to enumerate the list of installed certificate aliases through the certificate storage module. In Table 2 below, "Content of User Certificate", "Content of Issuer Certificate", "Content of User Private Key" and "Default Alias of This Certificate" correspond to "User Certificate Data", "Issuer Certificate Data", "User Private Key Data" and "Default Target Certificate Name" in the embodiments of the present invention, respectively.
[0128] Table 2
[0129]
[0130]
[0131] Table 3
[0132]
[0133] Design requirements for the certificate storage module:
[0134] First, the certificate storage module should support storing certificate data in a secure storage area.
[0135] Secondly, the certificate storage module should support retrieving certificate data from the secure storage area for use by specific networking modules (such as the system WLAN module). Other modules should not be able to obtain certificate data through the certificate storage module to ensure the security of the certificate data.
[0136] Thirdly, it must meet the following technical requirements for securely storing certificate data:
[0137] 1. Access Control: Taking the Android system as an example, each module runs under the identity of a certain user. In this invention, each module that can call the certificate storage module runs on the terminal device under the identity of a certain user. The access control rules for the certificate storage module are as follows: Modules running under the identity of the system user can install certificates for WLAN users, and can also delete installed WLAN user certificates, enumerate certificate aliases, etc., but cannot read WLAN user certificate data; modules running under the identity of the WLAN user can read their own certificate data and obtain certificate aliases. In this invention, the certificate management module runs under the identity of the system user. The certificate management module can call the certificate storage module to install certificates for WLAN users, and can also call the certificate storage module to delete WLAN user certificates, enumerate certificate aliases, etc., but cannot call the certificate storage module to read WLAN user certificate data.
[0138] 2. Data encryption: The certificate storage module can encrypt certificate data before storing it. Correspondingly, decryption is required when reading certificate data.
[0139] 3. Storage method: Certificate data cannot be stored in ordinary files, that is, it cannot be scanned by any file management tools such as RE (Root Explorer) file manager, ES File Explorer, etc., nor can it be accessed by application programming interfaces (APIs) related to file operations. User certificate data and issuer certificate data in the certificate data should be stored in a secure storage area within the terminal device. User private key data in the certificate data can be stored in a Trusted Execution Environment (TEE) or a secure storage area.
[0140] The aforementioned secure storage area is a separate system storage area within the terminal device. The system does not provide file operation-related APIs for other tools to access this area. At the same time, file management tools with file scanning capabilities cannot view certificate data through scanning. Therefore, for users, the data stored in this secure storage area is invisible and cannot be copied. The only way to access it is by using a specific interface provided by the system.
[0141] The aforementioned TEE is implemented using a separate chip or operating system independent of the main system. It isolates itself from the rest of the system through hardware and software, protecting the execution environment and data from malicious applications installed by the user or potential vulnerabilities in the main system. Taking the Android system as an example, it supports various TEE implementations, with Trusty TEE being one of them. Trusty is a secure operating system that provides a trusted execution environment for the Android system. The Trusty operating system runs on the same processor as the Android operating system, but Trusty is isolated from the rest of the system through hardware and software, allowing Trusty and Android to run in parallel. Trusty can access all the functions of the main processor and memory in the terminal device, but it is completely isolated. This isolation protects Trusty from malicious applications installed by the user and potential vulnerabilities in the Android system.
[0142] 4. Certificate naming rules for the secure storage area: When other modules call the certificate storage module, they can directly name the certificate data based on the target certificate name configured by the user. When the certificate storage module stores the certificate data in the secure storage area, it can also add the user identifier userid before the certificate data name. This userid is assigned to the user by the system, and different users have different userids.
[0143] This application also provides a device, such as... Figure 13 As shown, the device includes: a certificate receiving module 1301, a certificate installation module 1302, a certificate management module 1303, and a certificate storage module 1304; wherein,
[0144] Certificate receiving module 1301 is used to obtain the first certificate file and the second certificate file to be installed;
[0145] The certificate receiving module 1301 is also used to generate a first certificate file opening request when an opening operation is detected for the first certificate file, and to transmit the first certificate file opening request to the certificate installation module 1302.
[0146] The certificate installation module 1302 is used to obtain first certificate data from the first certificate file based on the first certificate file opening request, and store the first certificate data in the private storage area of the certificate installation module 1302.
[0147] The certificate receiving module 1301 is also used to generate a second certificate file opening request when an opening operation is detected for the second certificate file, and to transmit the second certificate file opening request to the certificate installation module 1302;
[0148] The certificate installation module 1302 is also used to obtain second certificate data from the second certificate file based on the second certificate file opening request; when it is determined that the second certificate file is a matching certificate file, it reads the first certificate data from the private storage area, combines the first certificate data with the second certificate data to obtain a set of target certificate data, and provides the target certificate data to the certificate management module 1303.
[0149] The certificate management module 1303 is used to obtain the target certificate name configured for the target certificate data, and to transfer the target certificate data to the certificate storage module 1304 based on the target certificate name;
[0150] The certificate storage module 1304 is used to store the target certificate data.
[0151] Optionally, the certificate management module 1303 is also used for:
[0152] Verify the matching between the first certificate data and the second certificate data;
[0153] If the verification result is a match, the certificate naming interface is displayed, and the target certificate name is obtained through the certificate naming interface;
[0154] If the verification result is a mismatch, the certificate installation will fail.
[0155] Optionally, the certificate management module 1303 is specifically used for:
[0156] Signature verification is performed based on the first certificate data and the second certificate data; if the signature verification passes, it is determined that the first certificate data and the second certificate data match; if the signature verification fails, it is determined that the first certificate data and the second certificate data do not match.
[0157] Optionally, before performing signature verification based on the first certificate data and the second certificate data, the certificate management module 1303 is further configured to determine whether the first target field in the first certificate data matches the second target field in the second certificate data; if not, it is determined that the first certificate data and the second certificate data do not match; if so, it performs signature verification based on the first certificate data and the second certificate data.
[0158] Optionally, the certificate receiving module 1301 is specifically used for:
[0159] A first certificate file open request is generated based on the first certificate file; the first certificate file open request includes a general resource identifier of the first certificate file and the data type of the first certificate file, wherein the general resource identifier is used to identify the acquisition path of the first certificate file;
[0160] The first certificate file opening request is transmitted to the operating system; the operating system determines the certificate installation module according to the data type of the first certificate file, and transmits the first certificate file opening request to the certificate installation module 1302.
[0161] Optionally, the operating system determines the certificate installation module 1302 based on the data type of the first certificate file in the following manner:
[0162] Based on the data type of the first certificate file, candidate processing modules that can process the first certificate file are determined;
[0163] The candidate processing module is displayed on the display interface;
[0164] The module selected from the candidate processing modules is determined as the certificate installation module 1302.
[0165] Optionally, the certificate installation module 1302 is specifically used for:
[0166] Based on the data type of the first certificate file, determine whether the first certificate file is an encryption certificate;
[0167] If the first certificate file is not an encrypted certificate, then the first certificate data is obtained by reading the first certificate file using the generic resource identifier;
[0168] If the first certificate file is an encrypted certificate, a password input interface is displayed, the target password entered through the password input interface is obtained, the first certificate file is read through the general resource identifier, and the first certificate file is decrypted using the target password to obtain the first certificate data.
[0169] Optionally, the certificate installation module 1302 is specifically used for:
[0170] When the first certificate file is determined to be a user certificate based on the first certificate data, the first certificate data specifically consists of user certificate data and user private key data. The user certificate data and the user private key data are stored in the private storage area of the certificate installation module 1302.
[0171] When the first certificate file is determined to be an issuer certificate based on the first certificate data, the first certificate data is specifically issuer certificate data, and the issuer certificate data is stored in the private storage area of the certificate installation module 1302.
[0172] Optionally, the certificate installation module 1302 is also used for:
[0173] When the first certificate file is determined to be a user certificate based on the first certificate data, a first prompt message is displayed; the first prompt message is used to prompt the user to continue selecting an issuer certificate so that the user certificate and the issuer certificate can be named and installed in the same way.
[0174] When the first certificate file is determined to be the issuer certificate based on the first certificate data, a second prompt message is displayed; the second prompt message is used to prompt the user to continue selecting a user certificate so that the issuer certificate and the user certificate can be named and installed in the same way.
[0175] Optionally, the certificate installation module 1302 is also used for:
[0176] If it is determined that the second certificate file is not the matching certificate file, the first certificate data in the private storage area is replaced with the second certificate data.
[0177] Optionally, the supporting certificate file is determined based on the first certificate data; when the first certificate file is determined to be a user certificate based on the first certificate data, the supporting certificate file is an issuer certificate; when the first certificate file is determined to be an issuer certificate based on the first certificate data, the supporting certificate file is a user certificate.
[0178] Optionally, if the target certificate data includes user certificate data, issuer certificate data, and user private key data, then the certificate management module 1303 is specifically used for:
[0179] The user certificate data, the issuer certificate data, and the user private key data are named according to the target certificate name, and the named user certificate data, the issuer certificate data, and the user private key data are then transmitted to the certificate storage module.
[0180] Optionally, the device further includes: a networking module;
[0181] The networking module is used to call the certificate storage module 1304 to obtain user certificate data, issuer certificate data and user private key data named based on the target certificate name when a network operation based on the target certificate name is detected.
[0182] Optionally, the certificate management module 1303 is also used for:
[0183] When an operation to enumerate installed certificates is detected, a certificate enumeration interface is displayed; the enumerated information in the certificate enumeration interface includes the target certificate names of all certificates stored in the certificate storage module.
[0184] Optionally, the certificate installation module 1302 and the certificate management module 1303 are different modules. The certificate installation module 1302 is a non-system-level application, while the certificate management module 1303 is a system-level application.
[0185] Optionally, the certificate installation module 1302 and the certificate management module 1303 are the same module, which is a system-level application.
[0186] When installing a certificate using the device provided in this application embodiment, the first certificate data in the first certificate file and the second certificate data in the second certificate file can be combined into a set of target certificate data for installation. The user only needs to perform a naming operation on this set of target certificate data once, greatly simplifying the certificate naming operation required by the user. Correspondingly, when connecting to a certificate network, the user can simultaneously call the first and second certificate data in a set of certificate data by selecting its name, also greatly simplifying the certificate selection operation required by the user.
[0187] Furthermore, this application also provides a terminal device, which includes a processor and a memory; wherein the memory is used to store a computer program; and the processor is used to execute the steps of any implementation of the digital certificate installation method provided in this application according to the computer program.
[0188] Furthermore, embodiments of this application also provide a computer-readable storage medium for storing a computer program for executing the steps of any implementation of the digital certificate installation method provided in embodiments of this application.
[0189] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.
[0190] In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection between apparatuses or units through some interfaces, and may be electrical, mechanical, or other forms.
[0191] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.
[0192] Furthermore, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.
[0193] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing computer programs, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0194] It should be understood that in this application, "at least one (item)" means one or more, and "more than" means two or more. "And / or" is used to describe the relationship between related objects, indicating that three relationships can exist. For example, "A and / or B" can represent: only A exists, only B exists, and both A and B exist simultaneously, where A and B can be singular or plural. The character " / " generally indicates that the preceding and following related objects are in an "or" relationship. "At least one (item) of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items. For example, at least one (item) of a, b, or c can represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b, and c can be single or multiple.
[0195] The above-described embodiments are only used to illustrate the technical solutions of this application, and are not intended to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of this application.
Claims
1. A method for installing a digital certificate, characterized in that, The method includes: The certificate receiving module obtains the first and second certificate files to be installed. When the certificate receiving module detects that an open operation is triggered for the first certificate file, it generates a first certificate file open request and transmits the first certificate file open request to the certificate installation module. The certificate installation module obtains the first certificate data from the first certificate file based on the first certificate file open request, and stores the first certificate data in the private storage area of the certificate installation module. When the certificate receiving module detects that an open operation has been triggered for the second certificate file, it generates a second certificate file open request and transmits the second certificate file open request to the certificate installation module. The certificate installation module obtains the second certificate data from the second certificate file based on the second certificate file opening request; when it is determined that the second certificate file is a matching certificate file, it reads the first certificate data from the private storage area, combines the first certificate data with the second certificate data to obtain a set of target certificate data, and provides the target certificate data to the certificate management module. The certificate management module obtains the target certificate name configured for the target certificate data, and transmits the target certificate data to the certificate storage module based on the target certificate name, and the certificate storage module stores the target certificate data.
2. The method according to claim 1, characterized in that, Before the certificate management module obtains the target certificate name configured for the target certificate data, the method further includes: The certificate management module verifies the matching between the first certificate data and the second certificate data; If the verification result is a match, the certificate naming interface is displayed, and the target certificate name is obtained through the certificate naming interface; If the verification result is a mismatch, the certificate installation will fail.
3. The method according to claim 2, characterized in that, The certificate management module verifies the matching between the first certificate data and the second certificate data, including: Signature verification is performed based on the first certificate data and the second certificate data; if the signature verification passes, it is determined that the first certificate data and the second certificate data match; if the signature verification fails, it is determined that the first certificate data and the second certificate data do not match.
4. The method according to claim 3, characterized in that, Before performing signature verification based on the first certificate data and the second certificate data, the certificate management module is further configured to determine whether the first target field in the first certificate data matches the second target field in the second certificate data; if not, it is determined that the first certificate data and the second certificate data do not match. If so, then signature verification is performed based on the first certificate data and the second certificate data.
5. The method according to claim 1, characterized in that, The step of generating a first certificate file open request and transmitting the first certificate file open request to the certificate installation module includes: The certificate receiving module generates a first certificate file opening request based on the first certificate file; the first certificate file opening request includes a general resource identifier of the first certificate file and the data type of the first certificate file, wherein the general resource identifier is used to identify the acquisition path of the first certificate file; The certificate receiving module transmits the first certificate file open request to the operating system; The operating system determines the certificate installation module based on the data type of the first certificate file and transmits the first certificate file open request to the certificate installation module.
6. The method according to claim 5, characterized in that, The operating system determines the certificate installation module based on the data type of the first certificate file, including: The operating system determines candidate processing modules that can process the first certificate file based on the data type of the first certificate file. The candidate processing module is displayed on the display interface; The module selected from the candidate processing modules is determined as the certificate installation module.
7. The method according to claim 5, characterized in that, The certificate installation module obtains first certificate data from the first certificate file based on the first certificate file open request, including: The certificate installation module determines whether the first certificate file is an encryption certificate based on the data type of the first certificate file. If the first certificate file is not an encryption certificate, the certificate installation module obtains the first certificate data by reading the first certificate file through the generic resource identifier; If the first certificate file is an encrypted certificate, a password input interface is displayed. The certificate installation module obtains the target password entered through the password input interface, reads the first certificate file through the general resource identifier, and decrypts the first certificate file using the target password to obtain the first certificate data.
8. The method according to claim 1, characterized in that, The step of storing the first certificate data in the private storage area of the certificate installation module includes: When the first certificate file is determined to be a user certificate based on the first certificate data, the first certificate data specifically consists of user certificate data and user private key data, and the user certificate data and the user private key data are stored in the private storage area of the certificate installation module. When the first certificate file is determined to be an issuer certificate based on the first certificate data, the first certificate data is specifically issuer certificate data, and the issuer certificate data is stored in the private storage area of the certificate installation module.
9. The method according to claim 1, characterized in that, After storing the first certificate data in the private storage area of the certificate installation module, the method further includes: When the first certificate file is determined to be a user certificate based on the first certificate data, a first prompt message is displayed; the first prompt message is used to prompt the user to continue selecting an issuer certificate so that the user certificate and the issuer certificate can be named and installed in the same way. When the first certificate file is determined to be the issuer certificate based on the first certificate data, a second prompt message is displayed; the second prompt message is used to prompt the user to continue selecting a user certificate so that the issuer certificate and the user certificate can be named and installed in the same way.
10. The method according to claim 1, characterized in that, The method further includes: If the certificate installation module determines that the second certificate file is not the matching certificate file, it replaces the first certificate data in the private storage area with the second certificate data.
11. The method according to claim 1, characterized in that, The accompanying certificate file is determined based on the first certificate data; when the first certificate file is determined to be a user certificate based on the first certificate data, the accompanying certificate file is an issuer certificate. When the first certificate file is determined to be an issuer certificate based on the first certificate data, the accompanying certificate file is a user certificate.
12. The method according to claim 1, characterized in that, The target certificate data includes user certificate data, issuer certificate data, and user private key data. The step of transmitting the target certificate data to the certificate storage module based on the target certificate name includes: The user certificate data, the issuer certificate data, and the user private key data are named according to the target certificate name, and the named user certificate data, the issuer certificate data, and the user private key data are then transmitted to the certificate storage module.
13. The method according to claim 12, characterized in that, The method further includes: When a network operation based on the target certificate name is detected, the network module calls the certificate storage module to obtain user certificate data, issuer certificate data, and user private key data named based on the target certificate name.
14. The method according to claim 1, characterized in that, The method further includes: When an operation to enumerate installed certificates is detected, the certificate management module displays a certificate enumeration interface; the enumerated information in the certificate enumeration interface includes the target certificate names of all certificates stored in the certificate storage module.
15. The method according to any one of claims 1 to 14, characterized in that, The certificate installation module and the certificate management module are different modules. The certificate installation module is a non-system-level application, while the certificate management module is a system-level application.
16. The method according to any one of claims 1 to 14, characterized in that, The certificate installation module and the certificate management module are the same module, which is a system-level application.
17. A device, characterized in that, The device includes: a certificate receiving module, a certificate installation module, a certificate management module, and a certificate storage module; The certificate receiving module is used to obtain the first certificate file and the second certificate file to be installed; The certificate receiving module is further configured to generate a first certificate file opening request when an open operation is detected for the first certificate file, and transmit the first certificate file opening request to the certificate installation module; The certificate installation module is used to obtain first certificate data from the first certificate file based on the first certificate file open request, and store the first certificate data in the private storage area of the certificate installation module. The certificate receiving module is further configured to generate a second certificate file opening request when an opening operation is detected for the second certificate file, and transmit the second certificate file opening request to the certificate installation module; The certificate installation module is further configured to obtain second certificate data from the second certificate file based on the second certificate file opening request; when it is determined that the second certificate file is a matching certificate file, read the first certificate data from the private storage area, combine the first certificate data and the second certificate data to obtain a set of target certificate data, and provide the target certificate data to the certificate management module; The certificate management module is used to obtain the target certificate name configured for the target certificate data, and to transfer the target certificate data to the certificate storage module based on the target certificate name; The certificate storage module is used to store the target certificate data.
18. The device according to claim 17, characterized in that, The certificate management module is also used for: Verify the matching between the first certificate data and the second certificate data; If the verification result is a match, the certificate naming interface is displayed, and the target certificate name is obtained through the certificate naming interface; If the verification result is a mismatch, the certificate installation will fail.
19. The device according to claim 18, characterized in that, The certificate management module is specifically used for: Signature verification is performed based on the first certificate data and the second certificate data; if the signature verification passes, it is determined that the first certificate data and the second certificate data match; if the signature verification fails, it is determined that the first certificate data and the second certificate data do not match.
20. The device according to claim 19, characterized in that, Before performing signature verification based on the first certificate data and the second certificate data, the certificate management module is also used to determine whether the first target field in the first certificate data matches the second target field in the second certificate data; if not, it is determined that the first certificate data and the second certificate data do not match. If so, then signature verification is performed based on the first certificate data and the second certificate data.
21. The device according to claim 17, characterized in that, The certificate receiving module is specifically used for: A first certificate file open request is generated based on the first certificate file; the first certificate file open request includes a general resource identifier of the first certificate file and the data type of the first certificate file, wherein the general resource identifier is used to identify the acquisition path of the first certificate file; The first certificate file open request is transmitted to the operating system, which then determines the certificate installation module based on the data type of the first certificate file and transmits the first certificate file open request to the certificate installation module.
22. The device according to claim 21, characterized in that, The operating system determines the certificate installation module based on the data type of the first certificate file in the following manner: Based on the data type of the first certificate file, candidate processing modules that can process the first certificate file are determined; The candidate processing module is displayed on the display interface; The module selected from the candidate processing modules is determined as the certificate installation module.
23. The device according to claim 21, characterized in that, The certificate installation module is specifically used for: Based on the data type of the first certificate file, determine whether the first certificate file is an encryption certificate; If the first certificate file is not an encrypted certificate, then the first certificate data is obtained by reading the first certificate file using the generic resource identifier; If the first certificate file is an encrypted certificate, a password input interface is displayed, the target password entered through the password input interface is obtained, the first certificate file is read through the general resource identifier, and the first certificate file is decrypted using the target password to obtain the first certificate data.
24. The device according to claim 17, characterized in that, The certificate installation module is specifically used for: When the first certificate file is determined to be a user certificate based on the first certificate data, the first certificate data specifically consists of user certificate data and user private key data, and the user certificate data and the user private key data are stored in the private storage area of the certificate installation module. When the first certificate file is determined to be an issuer certificate based on the first certificate data, the first certificate data is specifically issuer certificate data, and the issuer certificate data is stored in the private storage area of the certificate installation module.
25. The device according to claim 17, characterized in that, The certificate installation module is also used for: When the first certificate file is determined to be a user certificate based on the first certificate data, a first prompt message is displayed; the first prompt message is used to prompt the user to continue selecting an issuer certificate so that the user certificate and the issuer certificate can be named and installed in the same way. When the first certificate file is determined to be the issuer's certificate based on the first certificate data, a second prompt message is displayed; The second prompt message is used to prompt the user to continue selecting a user certificate so that the issuer certificate and the user certificate can be installed with the same name.
26. The device according to claim 17, characterized in that, The certificate installation module is also used for: If it is determined that the second certificate file is not the matching certificate file, the first certificate data in the private storage area is replaced with the second certificate data.
27. The device according to claim 17, characterized in that, The accompanying certificate file is determined based on the first certificate data; when the first certificate file is determined to be a user certificate based on the first certificate data, the accompanying certificate file is an issuer certificate. When the first certificate file is determined to be an issuer certificate based on the first certificate data, the accompanying certificate file is a user certificate.
28. The device according to claim 17, characterized in that, The target certificate data includes user certificate data, issuer certificate data, and user private key data. The certificate management module is specifically used for: The user certificate data, the issuer certificate data, and the user private key data are named according to the target certificate name, and the named user certificate data, the issuer certificate data, and the user private key data are then transmitted to the certificate storage module.
29. The device according to claim 28, characterized in that, The device also includes: a network module; The networking module is used to call the certificate storage module to obtain user certificate data, issuer certificate data and user private key data named based on the target certificate name when a network operation based on the target certificate name is detected.
30. The device according to claim 17, characterized in that, The certificate management module is also used for: When an operation to enumerate installed certificates is detected, a certificate enumeration interface is displayed; the enumerated information in the certificate enumeration interface includes the target certificate names of all certificates stored in the certificate storage module.
31. The device according to any one of claims 17 to 30, characterized in that, The certificate installation module and the certificate management module are different modules. The certificate installation module is a non-system-level application, while the certificate management module is a system-level application.
32. The device according to any one of claims 17 to 30, characterized in that, The certificate installation module and the certificate management module are the same module, which is a system-level application.
33. A device, characterized in that, The device includes a processor and a memory; The memory is used to store computer programs; The processor is configured to execute the digital certificate installation method according to any one of claims 1 to 16 according to the computer program.
34. A computer-readable storage medium, characterized in that, The computer-readable storage medium is used to store a computer program for executing the digital certificate installation method according to any one of claims 1 to 16.