CN114205086A - Block chain-based digital certificate processing method and device - Google Patents

Info

Publication number
CN114205086A
Authority
CN
China
Prior art keywords
digital certificate
address information
block chain
block
address
Legal status
Pending
Application number
CN202010899006.2A
Other languages
Chinese (zh)
Inventor
王东晖
陈晶
加梦
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The application provides a block chain-based digital certificate processing method and a processing device, wherein the processing method comprises the following steps: receiving an inquiry request of a digital certificate from a user, wherein the inquiry request comprises address information of issuing operation of the digital certificate, and the address information of the issuing operation is used for indicating an address for storing data of the issuing operation in a block chain; acquiring data of an issuing operation of the digital certificate in a block chain according to address information of the issuing operation, wherein the data of the issuing operation is stored in a target block in the block chain, the target block comprises first address information, and the first address information is used for indicating an address for storing data processed by a next operation of the issuing operation in the block chain; acquiring the current state of the digital certificate according to the first address information; the current state of the digital certificate is sent to the user. Based on the technical scheme of the application, the blocks storing the data processed by the digital certificate operation are associated with each other, so that the certificate state verification efficiency can be improved.

Description

Block chain-based digital certificate processing method and device
Technical Field
The present application relates to the field of information technology, and in particular, to a method and an apparatus for processing a digital certificate based on a block chain.
Background
Public Key Infrastructure (PKI) is a set of infrastructures consisting of hardware, software, participants, management policies and procedures aimed at creating, managing, distributing, using, storing and revoking digital certificates. In essence, PKI standardizes the management of asymmetric keys and of the mapping between identities and public keys. The emergence of public key cryptography marked a new era for cryptography, whose applications developed from simple secret communication to identity authentication.
The PKI includes a Certificate Authority (CA). The CA issues a certificate to a certificate applicant by signing it with the CA's own private key, thereby providing a trusted digital identity, authenticating the identity of a user in a communication process, and protecting the confidentiality and integrity of transmitted information. In general, the validity of the user identity can be judged by verifying whether the digital certificate of the user is legitimate. Currently, a Certificate Revocation List (CRL) or the Online Certificate Status Protocol (OCSP) is generally adopted to verify the status of a certificate. However, the CRL mechanism is limited by its update period, and the OCSP mechanism is limited by growth in the number of certificates and the number of inquiry requests, which causes a delay in certificate status verification.
Therefore, how to improve the efficiency of the digital certificate status verification becomes an urgent problem to be solved.
Disclosure of Invention
The application provides a digital certificate processing method and device based on a block chain, and the efficiency of digital certificate state verification can be improved by recording an operation log of a digital certificate in the block chain.
In a first aspect, a block chain-based digital certificate processing method is provided, including: receiving an inquiry request of a digital certificate from a user, wherein the inquiry request comprises address information of an issuing operation of the digital certificate, and the address information of the issuing operation is used for indicating an address for storing data of the issuing operation in the block chain; acquiring data of an issuing operation of the digital certificate in the block chain according to address information of the issuing operation, wherein the data of the issuing operation is stored in a target block in the block chain, and the target block comprises first address information which is used for indicating an address for storing data processed by a next operation of the issuing operation in the block chain; acquiring the current state of the digital certificate according to the first address information; sending the current state of the digital certificate to the user.
It should be understood that the blockchain is used for storing the data of at least one operation processing performed by the digital certificate authority (CA) on the digital certificate, where the at least one operation processing includes the issuing operation, and the data of these operations are associated with each other in the blockchain through the address information of the blocks.
The methods of the present application may be performed by a computing device or may be performed by a smart chip in one or more computing devices. The computing device may be any device having the functionality to maintain and manage a blockchain. For example, any device known in the art may be included; alternatively, the computing device may also refer to a chip having the function of maintaining and managing the blockchain.
It should be understood that the blockchain may be used to store an operation log record of the digital certificate by the CA, in which the data processed by at least one operation are associated with each other; for example, starting from the data of any one operation processing, the data of a related operation processing (e.g., the previous operation processing or the next operation processing) may be queried.
It should also be understood that the current state of the digital certificate refers to the state of the digital certificate after the last operation of the digital certificate by the CA.
In an embodiment of the present application, the data of at least one operation processing performed by a CA on a digital certificate is stored in a blockchain, and the data of these operations are associated with each other in the blockchain through the address information of the blocks. When the user inquires about the current state of the digital certificate, the address information of the issuing operation of the digital certificate can be sent to the blockchain, and the blockchain can acquire the current state of the digital certificate according to that address information; that is, the subsequent life cycle of the digital certificate can be inquired in the blockchain according to the address information of the issuing operation, so that the state of the digital certificate is queried in the blockchain. This avoids the delay caused by users having to query the current state of the digital certificate centrally at a server, and the efficiency of digital certificate state verification can be improved.
In a possible implementation manner, the blockchain receives an inquiry request of a digital certificate sent by a user, and the inquiry request includes address information of the issuing operation of the digital certificate. Starting from the address information of the issuing operation, the blockchain can follow the address information block by block to obtain the address information of the data processed by the latest operation, and the data processed by the latest operation is returned to the user.
In a possible implementation manner, the blockchain receives a query request of a digital certificate sent by a user, and the query request includes address information of the issuing operation of the digital certificate. The blockchain can follow the address information block by block starting from the address information of the issuing operation, and each time the data of an operation processing stored at one address is acquired, the blockchain can return it to the user, until the data processed by the latest operation has been returned to the user.
In a possible implementation manner, the user may directly perform information interaction with the blockchain, and then the user may locally query the state of the digital certificate, or the user may directly send a query request of the digital certificate to a node of the user management and maintenance blockchain.
In a possible implementation manner, a user cannot directly perform information interaction with the blockchain, and the user's information needs to be forwarded by an accounting node in the blockchain; that is, the user can send a query request for a digital certificate to the blockchain through an accounting node in the blockchain.
With reference to the first aspect, in certain implementations of the first aspect, the target block further includes second address information, where the second address information is used to indicate an address in the block chain at which data processed by a previous operation of the issue operation is stored.
In a possible implementation manner, the block chain may include a first block, and the first block may refer to any one block in the block chain; the first block may be used to store data of a first operation processing, where the first operation processing may be any one of an issuing operation, a revocation operation, a freeze operation, an unfreeze operation, a rollback operation, or an update operation, and the first block may include two pieces of address information; one piece of address information indicates the address in the blockchain at which the data of the operation processing preceding the first operation processing is stored, and the other indicates the address in the blockchain at which the data of the operation processing following the first operation processing is stored.
In the embodiment of the present application, the data structure of any block in the block chain may include the address of the previous operation (linking to the previous operation) and the address of the next operation (this field is modified to implement backward linking), so that the data of the CA's operation processing on the digital certificate is put on the chain; the data processed by all operations can be associated through the address information of the blocks.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes:
receiving a first transaction from the CA, where the first transaction is used to store data processed by a first operation in the block chain, where the first transaction carries target address information, and the target address information is used by the block chain to determine the address of the data of the operation processing preceding the first operation processing, where the first operation processing includes any one of the issuing operation, the revocation operation, the freeze operation, the unfreeze operation, the rollback operation, or the update operation; and sending address information of a first block to the CA, wherein the first block is used for storing the data processed by the first operation.
With reference to the first aspect, in certain implementations of the first aspect, when the first operation processing is the issue operation, the target address information refers to the second address information.
It should be understood that the issuing operation may refer to the operation by which a CA issues a digital certificate. A revocation operation may refer to an operation in which a CA terminates the certificate life of a digital certificate. The freeze operation may include a temporary freeze, rather than a permanent revocation, of the digital certificate by the CA. The unfreeze operation may refer to the CA reversing a freeze operation on the digital certificate. Rollback operations may include the CA undoing a false revocation of a digital certificate, a false freeze, or a revocation of unmodified certificate operations. The update operation refers to the updating of the certificate content of the digital certificate by the CA, such as an extended trial period.
With reference to the first aspect, in certain implementations of the first aspect, the second address information is a preconfigured initialization address.
In one possible implementation, the preconfigured initialization address may be "0x00", or the preconfigured initialization address may be null.
With reference to the first aspect, in certain implementations of the first aspect, when the first operation processing is not the issue operation, the target address information refers to address information of data processed by a previous operation processed by the first operation stored in the block chain, or the target address information refers to address information of the issue operation.
With reference to the first aspect, in certain implementations of the first aspect, the block chain further includes a second block, and further includes:
and modifying address information of next operation processing included in the second block according to the address information of the first block, wherein the second block is a block in the block chain, which stores data processed by a previous operation processed by the first operation processing.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes:
and verifying that the current state of the digital certificate is in a legal state according to the address information of the issuing operation.
In the embodiment of the application, when the first operation processing is not the issuing operation of the CA on the digital certificate, the current state of the digital certificate may also be obtained, and the subsequent operation on the digital certificate is continued under the condition that the digital certificate is determined to be in the legal state.
With reference to the first aspect, in certain implementations of the first aspect, the obtaining the current state of the digital certificate according to the first address information includes:
determining the target block in the block chain according to the address information of the issuing operation, wherein the target block is a block in the block chain, which stores the data of the issuing operation;
and when the first address information is null or a preset field, acquiring the data of the issuing operation of the digital certificate.
In the embodiment of the application, when the first address information included in the target block is null, a preset field, or another pre-configured field, this indicates that the issuing operation is the last operation of the CA on the digital certificate, and the data of the issuing operation of the digital certificate is acquired in the target block; that is, the data of the issuing operation of the digital certificate is the current state of the digital certificate.
With reference to the first aspect, in certain implementations of the first aspect, in a case that the issuing operation is not a last operation process of the digital certificate by the CA, the method further includes:
inquiring address information of the last operation processing of the digital certificate in the block chain according to address information of a next operation included in the target block;
and acquiring data of the last operation processing of the digital certificate in the block chain according to the address information of the last operation processing.
In the embodiment of the application, if the issuing operation is determined to be the last operation of the CA on the digital certificate, the current state of the digital certificate can be determined according to the data of the issuing operation. If it is determined that the issuing operation is not the last operation of the CA on the digital certificate, the address information of the last operation processing of the digital certificate may be queried in the block chain according to the address information of the next operation included in the target block, and then the data of the last operation processing of the digital certificate, that is, the current state of the digital certificate, may be acquired.
With reference to the first aspect, in certain implementations of the first aspect, the query request further includes an identification of the digital certificate.
In an embodiment of the present application, a target digital certificate corresponding to the query request may be determined from a plurality of digital certificates included in the target block by the identification of the digital certificate.
With reference to the first aspect, in certain implementations of the first aspect, the first address information and target address information included in the first block are not used for hash calculation of the first block.
In an embodiment of the present application, the address of the last operation and the address of the next operation included in any one block in the block chain are not used for hash calculation of the block.
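As an added illustration (not code from the patent or from any implementation of it), the following Python sketch models the linked operation log described in the first aspect: each block carries a previous-operation and a next-operation address, both excluded from the block hash; storing a new operation fills in the next-operation address of the preceding block; and a query starts at the issuing address and follows the next-operation addresses to the current state. The `OperationLog` class, the sequential addresses, one certificate per block, the operation names and the back-link consistency check are assumptions of the example.

```python
import hashlib
import json
from dataclasses import dataclass

INIT_ADDR = "0x00"  # preconfigured initialization address mentioned in the text


@dataclass
class Block:
    addr: str
    cert_id: str
    op: str                      # issue / revoke / freeze / unfreeze / rollback / update
    data: dict
    prev_addr: str = INIT_ADDR   # address of the previous operation on this certificate
    next_addr: str = INIT_ADDR   # address of the next operation, filled in later

    def block_hash(self) -> str:
        # prev_addr and next_addr are deliberately left out of the hashed body,
        # so filling in next_addr later does not change the block hash.
        body = {"addr": self.addr, "cert_id": self.cert_id,
                "op": self.op, "data": self.data}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class OperationLog:
    """In-memory stand-in for the blockchain (hypothetical, for illustration)."""

    def __init__(self):
        self.blocks = {}

    def _walk_to_tail(self, addr, cert_id):
        # Follow next_addr from any block of the certificate to its last operation.
        block = self.blocks.get(addr)
        if block is None or block.cert_id != cert_id:
            raise ValueError("address does not belong to this certificate")
        seen = {addr}
        while block.next_addr != INIT_ADDR:
            nxt = self.blocks.get(block.next_addr)
            # Added sanity check (an assumption of this example): the pointers are
            # not covered by the hash, so confirm that each hop links back.
            if (nxt is None or nxt.addr in seen or nxt.cert_id != cert_id
                    or nxt.prev_addr != block.addr):
                raise ValueError("inconsistent link at " + block.addr)
            seen.add(nxt.addr)
            block = nxt
        return block

    def submit(self, cert_id, op, data, target_addr=INIT_ADDR):
        """CA-side transaction: store one operation, return the new block address."""
        if op == "issue":
            if target_addr != INIT_ADDR:
                raise ValueError("issuing operation uses the initialization address")
            prev = None
        else:
            # target_addr may be the previous operation or the issuing operation;
            # either way the log resolves it to the current tail.
            prev = self._walk_to_tail(target_addr, cert_id)
        addr = "0x%02x" % (len(self.blocks) + 1)
        self.blocks[addr] = Block(addr, cert_id, op, data,
                                  prev_addr=prev.addr if prev else INIT_ADDR)
        if prev is not None:
            prev.next_addr = addr   # modify the preceding block's next-operation address
        return addr

    def query(self, issue_addr, cert_id):
        """User-side query: issuing address in, data of the last operation out."""
        start = self.blocks.get(issue_addr)
        if start is None or start.op != "issue":
            raise ValueError("not the address of an issuing operation")
        tail = self._walk_to_tail(issue_addr, cert_id)
        return {"op": tail.op, "addr": tail.addr, "data": tail.data}


def demo():
    # Constructed sample data; certificate id and subject are placeholders.
    log = OperationLog()
    issue = log.submit("cert-001", "issue", {"subject": "alice.example"})
    hash_before = log.blocks[issue].block_hash()
    first_state = log.query(issue, "cert-001")["op"]
    frozen = log.submit("cert-001", "freeze", {}, target_addr=issue)
    log.submit("cert-001", "unfreeze", {}, target_addr=frozen)
    log.submit("cert-001", "revoke", {"reason": "constructed"}, target_addr=issue)
    hash_unchanged = hash_before == log.blocks[issue].block_hash()
    return first_state, log.query(issue, "cert-001"), hash_unchanged


if __name__ == "__main__":
    print(demo())
```

Because the two address fields sit outside the hashed body, the block hash says nothing about their integrity; the back-link comparison in `_walk_to_tail` is the only consistency check this sketch applies to them.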
In a second aspect, a block chain-based digital certificate processing method is provided, including:
sending an inquiry request of a digital certificate to a blockchain, wherein the inquiry request comprises address information of an issuing operation of the digital certificate, and the address information of the issuing operation is used for indicating an address for storing data of the issuing operation in the blockchain;
receiving a current state of the digital certificate from the block chain, wherein the current state of the digital certificate is acquired in the block chain according to first address information, data of the issuing operation is stored in a target block in the block chain, the target block comprises the first address information, and the first address information is used for indicating an address for storing data processed by a next operation of the issuing operation in the block chain.
The method of the present application may be performed by a terminal device or may be performed by a smart chip in one or more terminal devices. The terminal device may be any terminal device having the capability to interact with the computing device that maintains and manages the blockchain.
With reference to the second aspect, in some implementations of the second aspect, the target block further includes second address information, where the second address information is used to indicate an address in the block chain at which data processed by a previous operation of the issue operation is stored.
In a possible implementation manner, the block chain may include a first block, and the first block may refer to any one block in the block chain; the first block may be used to store data of a first operation processing, where the first operation processing may be any one of an issuing operation, a revocation operation, a freeze operation, an unfreeze operation, a rollback operation, or an update operation, and the first block may include two pieces of address information; one piece of address information indicates the address in the blockchain at which the data of the operation processing preceding the first operation processing is stored, and the other indicates the address in the blockchain at which the data of the operation processing following the first operation processing is stored.
With reference to the second aspect, in some implementations of the second aspect, when the first operation processing is the issue operation, the method further includes:
and sending an application request of the digital certificate to the CA, wherein the application request comprises the identity information of the user.
With reference to the second aspect, in certain implementations of the second aspect, the first address information and the second address information are pre-configured initialization addresses.
With reference to the second aspect, in some implementations of the second aspect, when the first operation processing is not the issue operation, the second address information is obtained according to address information of a previous operation processing of the first operation processing, and the first address information is a preconfigured initialization address.
With reference to the second aspect, in some implementations of the second aspect, the first operation processing refers to any one of the following operations of the CA on the digital certificate:
an issuing operation, a revocation operation, a freeze operation, an unfreeze operation, a rollback operation, or an update operation.
With reference to the second aspect, in some implementations of the second aspect, the first address information and the target address information included in the first block are not used for hash calculation of the first block.
In an embodiment of the present application, the address of the last operation and the address of the next operation included in any one block in the block chain are not used for hash calculation of the block.
In a third aspect, a block chain-based digital certificate processing method is provided, including:
sending a first transaction to a blockchain, wherein the first transaction is used for storing data of first operation processing of a digital Certificate Authority (CA) on a digital certificate in the blockchain, the first transaction carries target address information, and the target address information is used for determining, by the blockchain, an address for storing the data of last operation processing of the first operation processing;
receiving address information of a first block from the block chain, wherein the first block refers to a block in the block chain for storing the data processed by the first operation.
The methods of the present application may be performed by a server or may be performed by a smart chip in one or more servers. The server may be any device having the function of maintaining and managing digital certificates. For example, any device known in the art may be included; alternatively, the computing device may also refer to a chip having the function of maintaining and managing the blockchain. For example, a server may refer to a server of a certificate authority.
It should be understood that in the embodiment of the present application, the CA may put the data of its operation processing on the digital certificate on the chain, i.e., store it in the blockchain, by sending a transaction to the blockchain.
With reference to the third aspect, in certain implementations of the third aspect, when the first operation processing is the digital certificate issuing operation, the target address information refers to an address at which data processed by an operation immediately preceding the issuing operation is stored in the block chain.
With reference to the third aspect, in certain implementations of the third aspect, the target address information is a preconfigured initialization address.
With reference to the third aspect, in some implementations of the third aspect, the method further includes:
and receiving an application request of the digital certificate from a user, wherein the application request comprises the identity information of the user.
With reference to the third aspect, in certain implementations of the third aspect, when the first operation processing is not the digital certificate issuing operation, the target address information refers to an address at which data processed by a last operation processed by the first operation is stored in a blockchain, or the target address information refers to an address at which data processed by the digital certificate issuing operation is stored in a blockchain.
With reference to the third aspect, in certain implementations of the third aspect, the first block includes third address information and fourth address information, where the third address information is used to indicate an address of storing, in the block chain, data processed by a previous operation processed by the first operation, and the fourth address information is used to indicate an address of storing, in the block chain, data processed by a next operation processed by the first operation.
With reference to the third aspect, in certain implementations of the third aspect, the fourth address information is obtained by the block chain according to address information of a third block, where the third block is a block in the block chain, where data processed by a next operation processed by the first operation is stored.
With reference to the third aspect, in certain implementations of the third aspect, the first operation processing refers to any one of the following operations of the CA on the digital certificate:
an issuing operation, a revocation operation, a freeze operation, an unfreeze operation, a rollback operation, or an update operation.
In a fourth aspect, a block chain-based digital certificate processing method is provided, including:
receiving a first transaction from a digital Certificate Authority (CA), wherein the first transaction is used for storing, in the block chain, data of first operation processing of the CA on a digital certificate, the first transaction carries target address information, and the target address information is used by the block chain to determine an address for storing the data of the last operation processing of the first operation processing;
and sending address information of a first block to the CA, wherein the first block refers to a block in the block chain for storing the data processed by the first operation.
The methods of the present application may be performed by a computing device or may be performed by a smart chip in one or more computing devices. The computing device may be any device having the functionality to maintain and manage a blockchain. For example, any device known in the art may be included; alternatively, the computing device may also refer to a chip having the function of maintaining and managing the blockchain.
With reference to the fourth aspect, in some implementations of the fourth aspect, when the first operation processing is the digital certificate issuing operation, the target address information refers to an address at which data processed by an operation immediately preceding the issuing operation is stored in the block chain.
With reference to the fourth aspect, in some implementations of the fourth aspect, the target address information is a preconfigured initialization address.
With reference to the fourth aspect, in some implementations of the fourth aspect, when the first operation processing is not the digital certificate issuing operation, the target address information refers to the address at which the data of the operation preceding the first operation processing is stored in the blockchain, or the target address information refers to the address at which the data of the issuing operation of the digital certificate is stored in the blockchain.
With reference to the fourth aspect, in some implementations of the fourth aspect, the first block includes third address information and fourth address information, the third address information is used to indicate the address at which the data of the operation preceding the first operation processing is stored in the block chain, and the fourth address information is used to indicate the address at which the data of the operation following the first operation processing is stored in the block chain.
With reference to the fourth aspect, in some implementations of the fourth aspect, the fourth address information is obtained by the block chain according to address information of a third block, where the third block is the block in the block chain that stores the data of the operation following the first operation processing.
With reference to the fourth aspect, in some implementations of the fourth aspect, the first operation processing refers to any one of the following operations of the CA on the digital certificate:
an issue operation, an undo operation, a freeze operation, a thaw operation, a rollback operation, or an update operation.
In a fifth aspect, a block chain-based digital certificate processing apparatus is provided, including: a receiving and sending unit, configured to receive an inquiry request of a digital certificate from a user, where the inquiry request includes address information of an issuing operation of the digital certificate, and the address information of the issuing operation is used to indicate an address where data of the issuing operation is stored in the block chain; the processing unit is used for acquiring data of an issuing operation of the digital certificate in the block chain according to address information of the issuing operation, the data of the issuing operation is stored in a target block in the block chain, the target block comprises first address information, and the first address information is used for indicating an address for storing data processed by a next operation of the issuing operation in the block chain; acquiring the current state of the digital certificate according to the first address information; the transceiving unit is further configured to send the current status of the digital certificate to the user.
In a possible implementation manner, the above-mentioned digital certificate processing apparatus includes a functional unit/module, and is further configured to execute the digital certificate processing method in any implementation manner of the first aspect and the first aspect.
It will be appreciated that extensions, definitions and explanations of relevant content in the above-described first aspect also apply to the same content in the fifth aspect.
In a sixth aspect, a block chain-based digital certificate processing apparatus is provided, including: a sending unit, configured to send an inquiry request of a digital certificate to a blockchain, where the inquiry request includes address information of an issuing operation of the digital certificate, and the address information of the issuing operation is used to indicate an address where data of the issuing operation is stored in the blockchain; a receiving unit, configured to receive a current state of the digital certificate from the block chain, where the current state of the digital certificate is obtained in the block chain according to first address information, and data of the issuing operation is stored in a target block in the block chain, where the target block includes the first address information, and the first address information is used to indicate an address in the block chain at which data processed by a next operation of the issuing operation is stored.
In a possible implementation manner, the above-mentioned digital certificate processing apparatus includes functional units/modules, and is further configured to execute the digital certificate processing method in any implementation manner of the second aspect and the second aspect.
It will be appreciated that extensions, definitions and explanations of relevant content in the above second aspect also apply to the same content in the sixth aspect.
In a seventh aspect, a block chain-based digital certificate processing apparatus is provided, including: a sending unit, configured to send a first transaction to a blockchain, where the first transaction is used to store, in the blockchain, data of a first operation processing performed by a digital certificate authority CA on a digital certificate, the first transaction carries target address information, and the target address information is used by the blockchain to determine the address at which the data of the operation processing preceding the first operation processing is stored; and a receiving unit, configured to receive address information of a first block from the block chain, where the first block is the block in the block chain that stores the data of the first operation processing.
In a possible implementation manner, the above-mentioned digital certificate processing apparatus includes a functional unit/module, and is further configured to execute the digital certificate processing method in any one implementation manner of the third aspect and the third aspect.
It will be appreciated that extensions, definitions and explanations of relevant content in the third aspect above also apply to the same content in the seventh aspect.
In an eighth aspect, there is provided a block chain-based digital certificate processing apparatus, including: a receiving unit, configured to receive a first transaction from a digital certificate authority CA, where the first transaction is used to store, in the block chain, data of a first operation processing performed by the digital certificate authority CA on a digital certificate, the first transaction carries target address information, and the target address information is used by the block chain to determine the address at which the data of the operation processing preceding the first operation processing is stored; and a sending unit, configured to send, to the CA, address information of a first block, where the first block is the block in the block chain that stores the data of the first operation processing.
In a possible implementation manner, the functional unit/module included in the digital certificate processing apparatus is further configured to execute the digital certificate processing method in any one implementation manner of the fourth aspect and the fourth aspect.
It is to be understood that extensions, definitions and explanations of relevant content in the fourth aspect above also apply to the same content in the seventh aspect.
In a ninth aspect, a block chain-based digital certificate processing apparatus is provided, including an input/output interface, a processor, and a memory. The processor is configured to control the input/output interface to send and receive information, the memory is configured to store a computer program, and the processor is configured to call and run the computer program from the memory, so that the training apparatus executes the digital certificate processing method in any one of the implementations of the first aspect and the first aspect.
In a tenth aspect, there is provided a block chain-based digital certificate processing apparatus, including an input/output interface, a processor, and a memory. The processor is configured to control the input/output interface to send and receive information, the memory is configured to store a computer program, and the processor is configured to call and run the computer program from the memory, so that the training apparatus executes the digital certificate processing method in any implementation manner of the second aspect and the second aspect.
In an eleventh aspect, there is provided a block chain-based digital certificate processing apparatus, including an input/output interface, a processor, and a memory. The processor is configured to control the input/output interface to send and receive information, the memory is configured to store a computer program, and the processor is configured to call and run the computer program from the memory, so that the training apparatus executes the digital certificate processing method in any one implementation manner of the third aspect and the third aspect.
In a twelfth aspect, a block chain-based digital certificate processing apparatus is provided, including an input/output interface, a processor, and a memory. The processor is configured to control the input/output interface to send and receive information, the memory is configured to store a computer program, and the processor is configured to call and run the computer program from the memory, so that the training apparatus executes the digital certificate processing method in any one implementation manner of the fourth aspect and the fourth aspect.
In a thirteenth aspect, a computer-readable medium is provided, which stores program code for execution by a device, the program code including instructions for performing the digital certificate processing method in any one of the implementations of the first to fourth aspects and the first to fourth aspects.
In a fourteenth aspect, a computer program product containing instructions is provided, which when run on a computer causes the computer to execute the digital certificate processing method in any one of the implementations of the first to fourth aspects and the first to fourth aspects.
In a fifteenth aspect, a chip is provided, where the chip includes a processor and a data interface, and the processor reads instructions stored in a memory through the data interface, and performs the digital certificate processing method in any one implementation manner of the first to fourth aspects and the first to fourth aspects.
Optionally, as an implementation manner, the chip may further include a memory, where instructions are stored in the memory, and the processor is configured to execute the instructions stored in the memory, and when the instructions are executed, the processor is configured to execute the digital certificate processing method in any one implementation manner of the first to fourth aspects and the first to fourth aspects.
Drawings
FIG. 1 is a schematic diagram of an architecture of a PKI system provided by an embodiment of the present application;
FIG. 2 is a schematic flow chart of a digital certificate processing method provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of a block chain-based digital certificate processing method provided in an embodiment of the present application;
FIG. 4 is a diagram illustrating a data structure for transactions in a blockchain, provided by an embodiment of the present application;
FIG. 5 is a schematic flow chart of a digital certificate processing method provided by an embodiment of the present application;
FIG. 6 is a schematic flow chart of the chain of certificate issuing transactions provided by an embodiment of the present application;
FIG. 7 is a schematic flow chart of the chain of certificate revocation transactions provided by an embodiment of the present application;
FIG. 8 is a schematic flow chart of a chain of certificate modification transactions provided by an embodiment of the present application;
FIG. 9 is a schematic flow chart of a certificate status verification method provided by an embodiment of the present application;
FIG. 10 is a schematic flow chart of a certificate status verification method provided by an embodiment of the present application;
FIG. 11 is a schematic block diagram of a digital certificate processing apparatus as provided herein;
FIG. 12 is a schematic block diagram of a digital certificate processing apparatus as provided herein;
FIG. 13 is a schematic block diagram of a digital certificate processing apparatus as provided herein;
FIG. 14 is a schematic block diagram of a digital certificate processing apparatus as provided herein;
FIG. 15 is a schematic diagram of a hardware structure of a digital certificate processing apparatus according to the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
First, the concepts related to the embodiments of the present application will be briefly described.
1. Public Key Infrastructure (PKI)
Public key infrastructure is a set of infrastructures consisting of hardware, software, participants, administrative policies and procedures aimed at creating, managing, distributing, using, storing and revoking digital certificates. Cryptographically, the public key infrastructure links the user's personal identity to the public key by means of a digital certificate authority.
Fig. 1 shows a schematic architecture of a PKI system. The PKI100 may include a user 110, a security server 120, a Registration Authority (RA) server 130, a Lightweight Directory Access Protocol (LDAP) server 140, a Certificate Authority (CA) 150, and a data server 160.
Illustratively, the security server 120 is oriented to a general user, and is used for providing security services such as certificate application, browsing, certificate revocation list, and certificate downloading; the user needs to first get the certificate of the secure server (which is issued by the CA).
The RA server 130 plays an intermediary role in the CA architecture; on the one hand, it may forward the certificate application request transmitted from the security server to the CA, and on the other hand, it may forward the digital certificate and the Certificate Revocation List (CRL) issued by the CA to the LDAP server 140 and the security server 120.
The LDAP server 140 is used for providing a directory browsing service and is responsible for adding the user information and the digital certificate transmitted from the RA server 130 to the server; a user can obtain digital certificates for other users by accessing the LDAP server 140.
The CA150 is the core of the entire certificate authority and is responsible for the issuance of certificates. The CA firstly generates a private key and a public key of the CA, then generates a digital certificate, and normally transmits the number to the security server; the CA is also responsible for generating digital certificates for the security server, the RA server.
The database server 160 is a core part of the CA, and is used for storing and managing data (such as keys and user information) in the CA, logs, and statistical information.
2. Blockchain technology
In a narrow sense, a blockchain is a chained data structure formed by connecting data blocks sequentially in time order, and is a distributed ledger that is cryptographically guaranteed against forgery; broadly speaking, blockchain technology is a completely new distributed infrastructure and computing paradigm that uses the blockchain data structure to verify and store data, uses distributed node consensus algorithms to generate and update data, uses cryptography to secure data transmission and access, and uses smart contracts composed of automated script code to program and manipulate data.
Blockchain technology implements a chained data structure in which blocks of data and information are connected sequentially in time order, together with distributed storage that is cryptographically guaranteed against tampering and forgery. Data and information in a blockchain are generally referred to as "transactions".
A CA issues a certificate to a certificate applicant by signing it with the CA's private key, providing a trusted digital identity, so that the identity of a user can be authenticated during communication and the confidentiality and integrity of transmitted information are protected. Verifying the state of a user's certificate makes it possible to judge effectively whether the user's identity is valid. Currently, verifying the state of a certificate (e.g., whether the certificate has been revoked or updated) requires additional means, for example the CRL technology or the OCSP technology. With the CRL technology, the current state of a certificate is judged from a certificate revocation list that the CA periodically updates and issues; the CRL includes information such as the serial number and the revocation time of each revoked certificate. With the OCSP technology, a user sends a query request to an OCSP server, the server encrypts the query result and returns the encrypted query result to the user, and the user decrypts the information by using the server public key to obtain the certificate state verification result. For the CRL technology, certificate state verification suffers from delay because the state of the certificate is limited by the CRL release period. For the OCSP technology, because OCSP is a real-time query and the client can only query the OCSP server corresponding to the certificate, the response speed of the server becomes slow as the number of certificates and the volume of query requests increase, which also delays certificate state verification.
In view of this, an embodiment of the present application provides a blockchain-based digital certificate processing method, in which the data resulting from each operation performed by the CA on the digital certificate is deployed in the blockchain, and the operations are associated with one another through the address information at which their data is deployed in the blockchain, so that the current state of the digital certificate can be queried in the blockchain once the address information of the issuing operation of the digital certificate and the identifier of the digital certificate are obtained. With the digital certificate processing method in the embodiment of the application, the data of an operation performed by the CA on the digital certificate can be looked up in the corresponding block of the blockchain through the address information of that operation, so that the efficiency of certificate state verification can be improved.
The following describes in detail a method for processing a digital certificate according to an embodiment of the present application with reference to fig. 2 to 10.
Fig. 2 is a schematic flowchart of a digital certificate processing method provided in an embodiment of the present application. The method 200 shown in fig. 2 includes steps S210 to S240, and the steps S210 to S240 are described in detail below.
It should be understood that the digital certificate processing method shown in fig. 2 may refer to a processing method in which a user verifies the status of a digital certificate; before the user verifies the status of the digital certificate, the CA may deploy operation processing data on the digital certificate in the blockchain, i.e., the digital certificate processing methods shown in fig. 4 to 10 may be further included before the method shown in fig. 2 is executed.
S210, the block chain receives a query request of the digital certificate from the user.
The inquiry request comprises address information of an issuing operation of the digital certificate, and the address information of the issuing operation is used for indicating an address for storing data of the issuing operation in the block chain.
In other words, in embodiments of the present application, a user may send a query request for a digital certificate to the blockchain, which may include address information for an issue operation of the digital certificate.
Optionally, in an example, the query request may further include an identification of the digital certificate.
For example, the data of the issuing operation of the digital certificate can be acquired in the target block in the block chain through the address information of the issuing operation of the digital certificate.
For example, the target digital certificate corresponding to the query request may be determined among a plurality of digital certificates included in the target block by the identification of the digital certificate.
Illustratively, the user may comprise a Web server vendor, or a digital certificate application user, or the like.
In one example, if the user can directly interact with the blockchain, the user can verify the status of the digital certificate locally, or the user can send a query request for the digital certificate directly to the blockchain; that is, a node that maintains and manages the blockchain may receive the query request for the digital certificate sent by the user.
In another example, if the user cannot directly interact with the blockchain, the user may have the information forwarded by a bookkeeper in the blockchain; for example, a user may send a query request for a digital certificate to the blockchain through a billing node in the blockchain.
It should be understood that the bookkeeper of the blockchain may also be referred to as a miner, each miner having a copy of their own blockchain information stored on their local computer, the blockchain being run by the respective miner to reach consensus and create the block.
S220, acquiring the data of the issuing operation of the digital certificate in the block chain according to the address information of the issuing operation.
The data of the issuing operation is stored in a target block in the block chain, and the target block comprises first address information, which is used for indicating the address at which the data of the operation following the issuing operation is stored in the block chain.
It should be understood that the blockchain is used for storing the data of at least one operation processing performed by the digital certificate authority CA on the digital certificate, the at least one operation processing including the issuing operation, and that the data of these operations are stored in the blockchain in association with one another through the address information of the blocks.
In the embodiment of the application, the data of a plurality of operations performed by the CA on the digital certificate can be put on the chain through the blockchain; that is, the data of each of the plurality of operations performed by the CA on the digital certificate may be stored in a block of the blockchain.
S230, acquiring the current state of the digital certificate according to the first address information.
In one example, obtaining the current state of the digital certificate according to the first address information includes:
determining the target block in the block chain according to the address information of the issuing operation, wherein the target block is a block in the block chain, which stores the data of the issuing operation;
and when the first address information is empty or a preset field, acquiring data of the issuing operation of the digital certificate.
In the embodiment of the application, when the first address information included in the target block is null, a preset field, or another pre-configured field, this indicates that the issuing operation is the last operation performed by the CA on the digital certificate, and the data of the issuing operation of the digital certificate is acquired in the target block; that is, the data of the issuing operation is the current state of the digital certificate.
In another example, obtaining the current state of the digital certificate from the first address information includes:
determining the target block in the block chain according to the address information of the issuing operation, wherein the target block is a block in the block chain, which stores the data of the issuing operation;
acquiring address information of data processed by the next operation of the issuing operation according to the first address information, and determining a block in a block chain for storing the data processed by the next operation of the issuing operation according to the address information;
and when the next operation processing of the issuing operation is the last operation processing of the CA on the digital certificate, acquiring the data of the next operation processing of the issuing operation, namely the current state of the digital certificate.
It should be noted that, in the case that the operation following the issuing operation is not the last operation performed by the CA on the digital certificate, the address information of each subsequent operation may be obtained hop by hop according to the associated address information in the blocks, until the data of the last operation performed by the CA on the digital certificate, namely the current state of the digital certificate, is obtained.
S240, sending the current state of the digital certificate to the user.
In other words, in embodiments of the present application, a user may receive a current state of a digital certificate from a blockchain.
Illustratively, with the current state of the digital certificate, the user can determine the legitimacy of the digital certificate, and in turn effectively judge the validity of the user identity corresponding to the digital certificate.
In one example, the blockchain may store data of one operation processing of the digital certificate; for example, the block chain stores data of the issuing operation of the digital certificate. The block storing the data of the issuing operation may include address information of the previous operation and address information of the next operation, both of which may be pre-configured initialization addresses; by querying the state of the digital certificate in the blockchain, the user may determine that the digital certificate is currently in the issued state.
In another example, data of a plurality of operation processes of the digital certificate may be stored in the blockchain; the address information of a plurality of operation processes in the block chain is related, so that the data processed by the last operation of the current digital certificate can be inquired according to the address information of the issuing operation of the digital certificate; in turn, the current state of the digital certificate is determined.
It should be understood that the data of the plurality of operation processes being associated with one another means that, from the data of any one of the plurality of operation processes, the data of the operation processes associated with it can be queried; for example, if the operations performed by the CA on the digital certificate are an issuing operation, an updating operation, and a canceling operation, the address information at which the data of the updating operation is stored in the blockchain may be queried according to the address information of the issuing operation, and the address information at which the data of the canceling operation is stored in the blockchain may be queried according to the address information of the updating operation.
Optionally, the target block further includes second address information, where the second address information is used to indicate an address for storing data processed by a previous operation of the issuing operation in the block chain.
In a possible implementation manner, the block chain may include a first block, and the first block may refer to any one block in the block chain; the first block may be used to store data of a first operation processing, where the first operation processing may be any one of an issue operation, a cancel operation, a freeze operation, an unfreeze operation, a rollback operation, or an update operation, and the first block may include two pieces of address information, one of which indicates the address at which the data of the operation preceding the first operation processing is stored in the blockchain, and the other of which indicates the address at which the data of the operation following the first operation processing is stored in the blockchain. In the embodiment of the present application, the data structure in any block in the block chain may include an address of the previous operation (linking to the previous operation) and an address of the next operation (a field that is modified to implement backward linking), so that the data of the operations performed by the CA on the digital certificate is put on the chain and the data of all operations can be associated through the address information of the blocks. Specifically, for the data structure included in the first block, refer to the schematic diagram of the data structure shown in fig. 4 below.
For example, the first operation processing may refer to an issuing operation of the CA on the digital certificate, and the CA may issue information such as a hash of the digital certificate, a serial number of the digital certificate, a signature of the CA, and the like into the block chain, while carrying address information of a previous operation and a next operation of the issuing operation. The specific process can be seen in the following fig. 6.
For example, the first operation processing may refer to a revocation operation of the CA on the digital certificate, and the CA may issue information such as a hash of the digital certificate, a serial number of the digital certificate, a revocation reason, a CA signature, and the like to the blockchain while carrying address information of a previous operation and a next operation of the revocation operation. The specific process can be seen in the following fig. 7.
Optionally, in a possible implementation manner, the first operation process is any one of the following operation processes:
the issuing operation, the canceling operation, the freezing operation, the unfreezing operation, the rollback operation or the updating operation.
It should be noted that the issuing operation may refer to an operation that the CA uses for issuing a digital certificate; the revocation operation may refer to an operation in which the certificate life of the digital certificate is terminated by the CA; the freeze operation may include a temporary freeze, rather than a permanent revocation, of the digital certificate by the CA; the unfreezing operation may refer to the revocation of the digital certificate by the CA to the freezing operation; rollback operations may include false revocation of digital certificates by a CA, false freezing, revocation of unmodified certificate operations; the updating operation refers to the updating of the certificate content of the digital certificate by the CA; such as an extended trial period, etc.
Optionally, in a possible implementation manner, the method further includes: receiving a first transaction from the CA, wherein the first transaction is used for storing the data processed by the first operation in the block chain, the first transaction carries target address information, and the target address information is used for determining the address of the data processed by the last operation processed by the first operation in the block chain; sending address information of the first block to the CA.
For example, in an embodiment of the present application, a CA may put the data of its operation processing on a digital certificate on chain by issuing a transaction to the blockchain. The specific flow can be seen in the following fig. 6 to 10.
In one example, when the first operation processing is the issuing operation, the target address information refers to the second address information.
In the embodiment of the present application, when the first operation processing is an issuing operation of a digital certificate, the target address information carried in the first transaction is used to indicate the address information of the operation processing immediately preceding the issuing operation.
Optionally, in a possible implementation, the second address information is a pre-configured initialization address.
For example, the preconfigured initialization address may be "0x00", or the preconfigured initialization address may be null.
In one example, when the first operation processing is not the issuing operation, the target address information refers to the address information, stored in the blockchain, of the data of the operation processing immediately preceding the first operation processing, or the target address information refers to the address information of the issuing operation.
In an embodiment of the present application, when the first operation processing is not an issuing operation of a digital certificate, the target address information carried in the first transaction may be used to indicate the address information of the operation processing immediately preceding the first operation processing; alternatively, the target address information may be the address information of the issuing operation of the digital certificate.
Further, the blockchain may also modify address information for the next operation process included in the block.
Optionally, in a possible implementation manner, the block chain further includes a second block, and further includes:
modifying the address information of the next operation processing included in the second block according to the address information of the first block, wherein the second block is the block in the blockchain that stores the data of the operation processing immediately preceding the first operation processing.
In the embodiment of the present application, when the CA puts the operation processing data of the digital certificate on chain, the CA may also carry address information of the next operation, and this address information may be pre-configured address information; subsequently, the blockchain may modify the pre-configured address information according to the address information, returned by the blockchain, of the block in which the data of the next operation processing is stored.
Optionally, in a possible implementation manner, the method further includes: verifying, according to the address information of the issuing operation, that the current state of the digital certificate is a legal state.
In the embodiment of the application, when the first operation processing is not the issuing operation of the CA on the digital certificate, the current state of the digital certificate may also be obtained, and the subsequent operation on the digital certificate is continued under the condition that the digital certificate is determined to be in the legal state.
In one example, the current state of the digital certificate may be obtained in the blockchain according to address information of the issuing operation, including:
determining a target block in the block chain according to the address information of the issuing operation, wherein the target block is a block in the block chain, which stores the data of the issuing operation;
in a case where the issuing operation is the last operation of the digital certificate by the CA, data of the issuing operation is acquired in the target block.
Optionally, in a possible implementation manner, in a case that the issuing operation is not the last operation processing of the digital certificate by the CA, the method further includes:
inquiring address information of the last operation processing of the digital certificate in the block chain according to address information of a next operation included in the target block;
and acquiring data of the last operation processing of the digital certificate in the block chain according to the address information of the last operation processing.
It should be noted that the above process of obtaining the current state of the digital certificate may be repeated one or more times until the data corresponding to the CA's last operation processing on the digital certificate is found; the current state of the digital certificate is then obtained from the data corresponding to that last operation processing. The specific process can be seen in the following fig. 9 or fig. 10.
In one example, the blockchain receives a query request for a digital certificate sent by a user, and the query request includes the address information of the issuing operation of the digital certificate; starting from the address information of the issuing operation, the blockchain can query one address after another, obtain the address information of the data of the latest operation processing in the blockchain, and return the data of the latest operation processing to the user.
In one example, the blockchain receives a query request for a digital certificate sent by a user, and the query request includes the address information of the issuing operation of the digital certificate; starting from the address information of the issuing operation, the blockchain can query one address after another, and each time the data of an operation processing stored at one address is acquired, the blockchain can return it to the user, until the data of the latest operation processing has been returned to the user.
In an embodiment of the present application, the data of at least one operation processing of the CA on a digital certificate is stored in the blockchain, and the data of the at least one operation processing is associated in the blockchain through the address information of the blocks. When a user queries the current state of the digital certificate, the address information of the issuing operation of the digital certificate can be sent to the blockchain; the blockchain can obtain the current state of the digital certificate according to that address information, that is, the subsequent life cycle of the digital certificate can be queried in the blockchain according to the address information of the issuing operation, so that the state of the digital certificate is queried in the blockchain. This avoids the delay caused by users having to query a centralized server for the current state of the digital certificate, and can improve the efficiency of digital certificate state verification.
Exemplarily, fig. 3 is a schematic diagram of a blockchain-based digital certificate processing method provided in an embodiment of the present application. As shown in fig. 3, the certificate authority CA may issue operations on the certificate status to the blockchain; the operations on the certificate status can be divided into three types, namely issuance transactions, revocation transactions and modification transactions.
Illustratively, the issuance transaction is used to deploy data of the issuing operation of the CA on the digital certificate in the blockchain.
For example, after the CA issues a certificate for user A, information such as the certificate hash, serial number and CA signature is issued to the blockchain, together with the previous operation address and next operation address of the issuance transaction; for example, the previous operation address and next operation address may be initialized to 0x00, and the blockchain address obtained after the issuance transaction is put on chain may be 0x12345678.
Illustratively, a revocation transaction is used to deploy data of a revocation operation or a freeze operation of a CA on a digital certificate in a blockchain.
For example, when the CA revokes (including freezes) the certificate of user A, the CA issues information such as the certificate hash, serial number, revocation reason, CA signature and previous operation address (e.g., 0x12345678) to the blockchain; after the blockchain address corresponding to the current revocation operation (e.g., 0x23456789) is obtained, and after K blocks (to avoid forking), the "next operation address" field in the block corresponding to the issuing operation may be modified to 0x23456789 according to the previous operation address (e.g., 0x12345678).
Illustratively, the modification transaction is used to deploy data of operations such as revocation, unfreezing, or renewal operations of the digital certificate by the CA in the blockchain.
As with certificate revocation transactions, the CA may issue a certificate unfreezing transaction to the blockchain, and the "next operation address" of the previous transaction is modified at the same time. A certificate update modifies the certificate contents (information such as the subject and the validity period); although the hash value of the certificate changes, the certificate life cycle of the organization can still be connected through the modification transaction.
It should be understood that, with the above certificate state management and verification based on an editable blockchain, the blockchain addresses corresponding to different operations are linked to one another, so that user B can request a blockchain node to track and verify the latest state of user A's certificate through the certificate hash and the blockchain address corresponding to the issuing operation.
In the embodiment of the application, a certificate state management and verification method based on an editable blockchain is provided: operations on the certificate are issued to the blockchain by the CA, the operations on the certificate are associated with one another through the blockchain address of each operation and its previous operation address or next operation address, and the current state of the certificate can be queried through the addresses in the blockchain.
Fig. 4 is a schematic diagram of a data structure of transactions in a blockchain according to an embodiment of the present disclosure.
In the embodiment of the present application, the life cycle of the certificate is connected through transactions on the blockchain, and the main data structure is shown in fig. 4. Fig. 4 takes Ethereum data as an example, and the transactions are divided into three types: an issuance transaction, a revocation transaction and a modification transaction. The additional data of the transaction comprises the hash of the certificate; the serial number of the certificate (issuance transaction) or the operation reason, such as the reason for the revocation transaction or the modification transaction; the basis of the data (the CA signature; certificates may be jointly issued by multiple CAs); the address of the previous operation (linking to the previous operation); and the address of the next operation (this field is modified to enable backward linking). The information necessary for certificate verification can be recorded through this transaction data structure, which facilitates management of the certificate status and its use in verifying the certificate status.
It should be noted that the blockchain itself cannot be tampered with, because each block includes the hash value of the previous block; in embodiments of the present application, different operations on the certificate can be associated in the blockchain by modifying the address of the next operation in the additional data of the transaction. For example, the initial value of the next operation address is 0x00, and after modification it links to the following transaction. Because the editable blockchain modifies part of the information in the transaction, which may affect the integrity of the block and of the blockchain, when the blockchain is verified and the data field has been modified, the field may be restored to 0x00 to verify integrity, and the security of the modified value is then verified through the address-linked transaction.
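The linked operation records and the state query described above can be sketched as follows; this is an added example, not code from the application or from any implementation of it. It assumes an in-memory dictionary in place of the blockchain, an HMAC in place of the CA signature, the hypothetical names `OpRecord`, `Ledger` and `current_state`, and it covers only the issue, freeze, unfreeze and revoke operations (the update operation, which changes the certificate hash, is left out).

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

INIT_ADDR = "0x00"                    # preconfigured initialization address (from the text)
CA_KEY = b"constructed-demo-ca-key"   # assumption: an HMAC stands in for the CA signature
# Assumed mapping from the last linked operation to the certificate state.
STATE_AFTER = {"issue": "valid", "unfreeze": "valid", "freeze": "frozen", "revoke": "revoked"}


@dataclass
class OpRecord:
    op: str
    cert_hash: str
    detail: str                  # serial number for an issue, otherwise the reason
    prev_addr: str               # address of the previous operation
    ca_sig: str = ""
    next_addr: str = INIT_ADDR   # the only field the chain edits after the fact

    def sealed_digest(self) -> str:
        """Digest taken with next_addr restored to 0x00, so the later edit does not break it."""
        fields = asdict(self)
        fields["next_addr"] = INIT_ADDR
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


def ca_sign(rec: OpRecord) -> str:
    """Stand-in CA signature over every field except the editable next_addr."""
    body = json.dumps([rec.op, rec.cert_hash, rec.detail, rec.prev_addr]).encode()
    return hmac.new(CA_KEY, body, hashlib.sha256).hexdigest()


class Ledger:
    """In-memory stand-in for the chain: records by address plus the digest fixed at inclusion."""

    def __init__(self):
        self.records = {}   # address -> OpRecord as a node currently serves it
        self.sealed = {}    # address -> digest committed when the record went on chain

    def submit(self, op, cert_hash, detail, prev_addr=INIT_ADDR):
        if op not in STATE_AFTER:
            raise ValueError(f"unsupported operation {op!r}")
        if op == "issue":
            if prev_addr != INIT_ADDR:
                raise ValueError("an issuing operation must carry the initialization address")
        else:
            prev = self.records.get(prev_addr)
            if prev is None or prev.cert_hash != cert_hash or prev.next_addr != INIT_ADDR:
                raise ValueError("previous operation address is not this certificate's latest operation")
        rec = OpRecord(op, cert_hash, detail, prev_addr)
        rec.ca_sig = ca_sign(rec)
        digest = rec.sealed_digest()
        addr = "0x" + digest[:16]
        self.records[addr], self.sealed[addr] = rec, digest
        if op != "issue":
            self.records[prev_addr].next_addr = addr   # backward link: edit the earlier record
        return addr


def current_state(ledger, issue_addr, cert_hash):
    """Walk next_addr links from the issuing address; return (state, visited addresses)."""
    addr, expected_prev, path = issue_addr, INIT_ADDR, []
    while addr != INIT_ADDR:
        rec = ledger.records.get(addr)
        if rec is None or addr in path:
            raise ValueError(f"broken or cyclic link at {addr}")
        if rec.sealed_digest() != ledger.sealed[addr]:
            raise ValueError(f"{addr}: a field other than next_addr was changed")
        if not hmac.compare_digest(rec.ca_sig, ca_sign(rec)):
            raise ValueError(f"{addr}: CA signature does not verify")
        # The edited pointer is trusted only if the record it reaches links back.
        if rec.cert_hash != cert_hash or rec.prev_addr != expected_prev:
            raise ValueError(f"{addr}: does not link back to {expected_prev} for this certificate")
        if (rec.op == "issue") != (expected_prev == INIT_ADDR):
            raise ValueError(f"{addr}: unexpected {rec.op!r} at this position")
        path.append(addr)
        expected_prev, addr = addr, rec.next_addr
    if not path:
        raise ValueError("no issuing address supplied")
    return STATE_AFTER[ledger.records[path[-1]].op], path


if __name__ == "__main__":
    led = Ledger()
    cert = hashlib.sha256(b"constructed certificate of user A").hexdigest()
    issued = led.submit("issue", cert, "serial=01")
    led.submit("freeze", cert, "key under investigation", issued)
    print(current_state(led, issued, cert))
```

Because the sealed digest excludes `next_addr`, the walk in this sketch detects a redirected pointer but not one that the serving node has reset to `0x00`; protection against that rests on the chain's agreement over the edit rather than on the per-record check.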
Fig. 5 is a schematic flowchart of a digital certificate processing method provided in an embodiment of the present application. The method 300 shown in fig. 5 includes steps S310 to S320, and the steps S310 to S320 are described in detail below.
It should be understood that the digital certificate processing method shown in fig. 2 may refer to a processing method in which a user verifies the status of a digital certificate; before the user verifies the status of the digital certificate, the CA may deploy the data of its operation processing on the digital certificate in the blockchain by the method shown in fig. 5.
S310, sending a first transaction to the blockchain.
In other words, in embodiments of the present application the blockchain may receive the first transaction from the CA.
The first transaction is used for storing, in the blockchain, the data of the first operation processing of a digital certificate authority (CA) on a digital certificate, and the first transaction carries target address information, which is used for determining the address in the blockchain at which the data of the operation processing immediately preceding the first operation processing is stored.
For example, in an embodiment of the present application, a CA may put the data of its operation processing on a digital certificate on chain by issuing a transaction to the blockchain.
S320, receiving the address information of the first block from the block chain.
The first block is a block in the block chain storing data processed by the first operation.
In other words, the block chain may send the address information of the first block to the CA in embodiments of the present application.
In an embodiment of the present application, after the blockchain uplinks the first operation, the blockchain may send address information to the CA so that the CA performs subsequent information management on the digital certificate.
For example, in an embodiment of the present application, a CA may uplink data that is processed for operation of a digital certificate by issuing a transaction to a blockchain.
Optionally, in a possible implementation manner, when the first operation processing is an issuing operation of the digital certificate, the target address information refers to an address in the block chain at which data processed by an operation immediately preceding the issuing operation is stored.
In the embodiment of the present application, when the first operation processing is an issuing operation of a digital certificate, the target address information carried in the first transaction may be the address information of the operation processing immediately preceding the issuing operation.
Optionally, in a possible implementation manner, the first address information is a preconfigured initialization address.
For example, the preconfigured initialization address may be "0x00", or the preconfigured initialization address may be null.
Optionally, in a possible implementation manner, when the first operation processing is not an issuing operation of a digital certificate by the certificate authority CA, the first address information may be obtained from the address information of the operation processing immediately preceding the first operation processing, and the target address information is an initialization address that may be preconfigured.
For example, when the first operation processing is not an issuing operation of a digital certificate by the CA, the CA may acquire the address information, sent by the blockchain, of the operation processing immediately preceding the first operation processing, thereby obtaining the first address information.
Optionally, in a possible implementation manner, the method further includes:
and receiving an application request of the digital certificate from a user, wherein the application request comprises the identity information of the user.
For example, after the CA receives an application request for a digital certificate sent by a user, the CA may audit the identity of the application object of the digital certificate; the application request includes identity information of the digital certificate application object, for example, information such as the domain name of the digital certificate application object, the public key of the digital certificate application object, and a validity period.
Optionally, in a possible implementation manner, when the first operation processing is not the digital certificate issuing operation, the target address information refers to the address at which the data of the operation processing immediately preceding the first operation processing is stored in the blockchain, or the target address information refers to the address at which the data of the issuing operation of the digital certificate is stored in the blockchain.
In an embodiment of the present application, when the first operation processing is not an issuing operation of a digital certificate, the target address information carried in the first transaction may be used to indicate the address information of the operation processing immediately preceding the first operation processing; alternatively, the target address information may be the address information of the issuing operation of the digital certificate.
Optionally, in a possible implementation manner, the first block includes third address information and fourth address information, where the third address information is used to indicate the address at which the data of the operation processing immediately preceding the first operation processing is stored in the blockchain, and the fourth address information is used to indicate the address at which the data of the operation processing immediately following the first operation processing is stored in the blockchain.
In the embodiment of the present application, the data structure in any block in the blockchain may include the address of the previous operation (linking to the previous operation) and the address of the next operation (this field is modified to implement backward linking), so that the data of the CA's operation processing on the digital certificate is put on chain; the data of all operation processing can be associated through the address information of the blocks.
Optionally, in a possible implementation manner, the fourth address information is obtained by the blockchain according to address information of a third block, where the third block is the block in the blockchain that stores the data of the operation processing immediately following the first operation processing.
Optionally, in a possible implementation manner, the first operation process is any one of the following operation processes:
the issuing operation, the revocation operation, the freezing operation, the unfreezing operation, the rollback operation or the updating operation.
It should be noted that the issuing operation may refer to the operation by which the CA issues a digital certificate; the revocation operation may refer to an operation in which the CA terminates the certificate life of the digital certificate; the freezing operation may include a temporary freeze, rather than a permanent revocation, of the digital certificate by the CA; the unfreezing operation may refer to the CA cancelling the freezing operation on the digital certificate; the rollback operation may include handling a false revocation or false freezing of the digital certificate by the CA, or the revocation of unmodified certificate operations; the updating operation refers to the CA updating the certificate content of the digital certificate, such as an extended trial period.
In the embodiment of the present application, when the CA puts the operation processing data of the digital certificate on chain, the CA may also carry address information of the next operation, and this address information may be pre-configured address information; subsequently, the blockchain may modify the pre-configured address information according to the address information, returned by the blockchain, of the block in which the data of the next operation processing is stored.
In the embodiment of the application, the data corresponding to the CA's operation processing on the digital certificate is stored in the blockchain, and the data corresponding to the multiple operation processings is associated in the blockchain through address information. Further, according to the address information of the issuing operation of the digital certificate, the subsequent life cycle of the digital certificate can be queried in the blockchain, so that the state of the digital certificate is queried in the blockchain. This avoids the delay caused by querying a centralized server for the current state of the digital certificate, and can improve the efficiency of digital certificate state verification.
The flow of the certificate issuing transaction, the revocation transaction, the modification transaction, and the certificate verification will be described in detail below with reference to fig. 6 to 10, respectively.
Fig. 6 is a schematic flow chart of putting a certificate issuance transaction on chain according to the embodiment of the present application. The method 400 shown in fig. 6 includes steps S410 to S460, and the steps S410 to S460 are described in detail below.
S410, the CA receives a certificate application request from a user.
The user may include a Web server manufacturer, or a digital certificate application user, etc.
S420, the CA verifies the request information and confirms whether to issue the certificate.
S430, if the CA determines to issue the certificate, the CA sends the certificate issuance transaction to the blockchain.
It should be understood that an issuance transaction may mean that the CA deploys the data of an issuing operation on a digital certificate in the blockchain in the form of a transaction.
For example, the CA may package one or more issuing operations into an issuance transaction and then put the issuance transaction on chain.
For example, when an issuance transaction is put on chain, the data sent to the blockchain may further include, but is not limited to: certificate hash value, certificate serial number, CA signature, address information of the previous operation, and address information of the next operation.
S440, the CA acquires the block chain address information of the certificate issuing transaction.
For example, after the issuance transaction has been put on chain, a corresponding blockchain address can be obtained, and the corresponding issuance transaction can be quickly located through the blockchain address.
S450, the CA verifies whether the issuing transaction of the certificate exists in the acquired blockchain address.
S460, sending the digital certificate to the user.
Further, the CA may also send the user the address information, in the blockchain, of the data of the digital certificate issuing operation.
For example, after the CA verifies the received blockchain address information of the issuance transaction, the CA may send the user the certificate and the blockchain address information corresponding to the issuance transaction.
In the process of putting the certificate issuance transaction on chain, the state of the certificate in the blockchain can be queried through the blockchain address information, and the certificate state can be updated only by modifying the operation after the certificate is issued. Audit information of the certificate is stored in the blockchain, so that the transparency of certificate operations is realized; through the blockchain address of the issuance transaction, malicious modification of the certificate by the user can be effectively prevented, and subsequent certificate state verification is facilitated; and the user can verify the status of the certificate through any blockchain node without needing the server of a particular CA.
Fig. 7 is a schematic flow chart of putting a certificate revocation transaction on chain provided by an embodiment of the present application. The method 500 shown in fig. 7 includes steps S510 to S550, and the steps S510 to S550 are described in detail below.
S510, the CA inquires the block chain address information of the certificate issuing transaction.
For example, the block address information corresponding to the issued transaction may be looked up in the block chain according to the identification of the certificate (e.g., the ID of the certificate).
S520, verifying the certificate state according to the address information of the issuing operation.
Exemplarily, the CA can verify the state of the certificate a second time through the address information of the issuing operation; if the digital certificate is currently in a legal state, the subsequent operation can be performed; if the digital certificate is currently in an illegal state (e.g., the certificate is revoked or unknown), the revocation operation may not be performed.
It should be understood that S520 is an optional step, and S530 may be directly executed after S510 is executed.
S530, the CA sends a certificate revocation transaction to the blockchain.
It should be understood that a revocation transaction may mean that the CA deploys the revocation operation data for the digital certificate in the blockchain in the form of a transaction.
For example, the CA may package one or more revocation operations into a revocation transaction and then put the revocation transaction on chain.
Illustratively, the revocation operation may include, but is not limited to, the following data: certificate hash value, certificate serial number, revocation or modification reason, CA signature, address information of the previous operation, and address information of the next operation.
S540, the blocks in the blockchain verify the revocation transaction and modify the transaction address.
For example, when a block contains a revocation transaction, each node verifies information such as a certificate hash value and an operator in the transaction, and confirms whether to modify a corresponding issuance transaction, and the issuance transaction can be located by the "address of the previous operation" and the certificate hash in the revocation transaction.
Alternatively, the issuance transaction may be modified after setting K blocks of the block corresponding to the issuance transaction.
S550, the CA receives the blockchain address information of the certificate revocation transaction.
Illustratively, the blockchain returns the address of the revocation transaction to the CA, facilitating local identity information management by the CA.
It should be understood that the above-mentioned revocation transaction is mainly the revocation or freezing of a certificate, and the revocation is distinguished from the freezing operation in that the freezing operation is short-term and may be unfrozen; and considering the possible false revocation operation, the revocation operation and the freezing operation are uniformly attributed to the revocation transaction, and the reason of the revocation (or the freezing) is recorded in the revocation transaction.
Fig. 8 is a schematic flow chart of putting a certificate modification transaction on chain provided by an embodiment of the present application. The method 600 shown in fig. 8 includes steps S610 to S650, and the steps S610 to S650 are described in detail below.
S610, the CA queries the blockchain address information corresponding to the certificate issuance transaction or the revocation transaction.
For example, the block address information corresponding to the issued transaction may be looked up in the block chain according to the hash value of the certificate.
S620, verifying the certificate state according to the address information of the issuing operation.
It should be understood that S620 is an optional step, and S630 may be directly executed after S610 is executed.
Exemplarily, the CA can verify the state of the certificate a second time through the address information of the issuing operation; if the digital certificate is currently in a legal state, the subsequent operation can be performed; if the digital certificate is currently in an illegal state (e.g., the certificate is revoked or unknown), the revocation operation may not be performed.
S630, the CA sends the certificate modification transaction to the blockchain.
It should be understood that a modification transaction may mean that the CA deploys the modification operation data for the digital certificate in the blockchain in the form of a transaction.
S640, the blocks in the blockchain verify the modification transaction and modify the transaction address.
S650, the CA receives the block chain address information of the certificate modification transaction.
In one possible implementation, in the certificate modification transaction, in addition to unfreezing and modifying the log, an operation of updating the certificate may be implemented; for example, the validity period of the certificate, the domain name range of the certificate, etc. are modified, and the change of the hash value of the certificate caused by the modification of the certificate is recorded.
Furthermore, when the certificate is verified, the next operation can be positioned directly through the operation of updating the certificate, and the updating operation can record the information change of the organization or the user, so that the state update of the whole life cycle of the certificate is realized.
It should be noted that, the CA already verifies the correspondence between the certificate and the blockchain address when issuing the certificate, so the issuing operation generally does not need to be modified; when the revocation operation is verified, the audit information is consistent with the forward information, otherwise, the chain cannot be linked.
In embodiments of the present application, the primary purpose of the certificate modification transaction is to roll back the state of the certificate, i.e., to handle false revocations and unfreezing of the certificate; for example, if a CA misuses a certificate, the revocation operation may be deleted by modifying the transaction.
An exemplary flowchart of a certificate status verification method provided in the embodiment of the present application is described below with reference to fig. 9 and fig. 10.
Fig. 9 is a schematic flowchart of a certificate status verification method provided in an embodiment of the present application. The method 700 shown in fig. 9 includes steps S710 to S750, and the steps S710 to S730 are described in detail below.
It should be understood that in the verification method of the certificate status shown in fig. 9, the operation log of the certificate is recorded in the blockchain, and the user can locally verify the certificate status by querying the transaction, or directly request the status of the certificate from the node.
S710, the user sends a verification request of the digital certificate to the blockchain.
The verification request may include address information of the issuing operation of the digital certificate.
Optionally, in an embodiment of the present application, the verification request may further include an identifier of the digital certificate; for example, the identifier of the digital certificate may be a hash value of the digital certificate.
Illustratively, a user may refer to a digital certificate application object; for example, the digital certificate application object may comprise a Web server manufacturer, or a digital certificate application user.
In one example, the verification request in step S710 may refer to the query request of the digital certificate shown in fig. 2.
S720, the blockchain sends the operation data of the CA on the digital certificate to the user.
For example, the blockchain may look up the data of the issuing operation of the digital certificate according to the address information of the issuing operation. Because the data of the at least one operation of the CA on the digital certificate are associated with each other through address information in the blockchain, the block storing the data of the issuing operation also includes the address information of the operation that follows the issuing operation; the blockchain can therefore go on to query the status of the digital certificate.
It should be understood that the above S720 and S730 may be performed multiple times: the user can query the blockchain according to the blockchain address information corresponding to different transactions until the last operation of the certificate, which gives the current state of the certificate, has been queried.
S730, the user determines the current state of the digital certificate according to the operation information in the blockchain.
For example, the user may determine the current status of the digital certificate according to the operation data of the digital certificate obtained in the previous step.
Fig. 10 is a schematic flowchart of a certificate status verification method provided in an embodiment of the present application. The method 800 shown in fig. 10 includes steps S810 to S850, and the steps S810 to S850 are described in detail below.
It should be understood that in the verification method for the certificate status shown in fig. 10, the client sends the blockchain address information corresponding to the operation to a bookkeeper in the blockchain. The bookkeeper uses that address information to obtain the series of transactions corresponding to the certificate, and the final status of the certificate can be confirmed from these transactions; the query for the certificate status is completed by the blockchain node, and the query result is returned to the client.
It should be understood that the bookkeeper of the blockchain may also be referred to as a miner; each miner stores its own copy of the blockchain information on its local computer, and each miner runs the blockchain program to reach consensus and create blocks.
S810, the user sends a verification request of the digital certificate to the bookkeeper.
The verification request may include address information of the issuing operation of the digital certificate. Optionally, in an embodiment of the present application, the verification request may further include an identifier of the digital certificate; for example, the identifier of the digital certificate may be a hash value of the digital certificate.
Illustratively, a user may refer to a digital certificate application object; for example, the digital certificate application object may comprise a Web server manufacturer, or a digital certificate application user.
In one example, the verification request in step S710 may refer to the query request of the digital certificate shown in fig. 2.
S820, the bookkeeper may send address information of the issuing operation of the digital certificate to the blockchain.
Optionally, the bookkeeper may also send an identifier of the digital certificate to the blockchain, such as a hash value of the digital certificate.
S830, the blockchain sends the operation data of the CA on the digital certificate to the bookkeeper.
For example, the blockchain may look up the data of the issuing operation of the digital certificate according to the address information of the issuing operation. Because the data of the at least one operation of the CA on the digital certificate are associated with each other through address information in the blockchain, the block storing the data of the issuing operation also includes the address information of the operation that follows the issuing operation; the blockchain can therefore go on to query the status of the digital certificate.
It should be understood that the above S820 and S830 may be performed multiple times: the blockchain is queried according to the blockchain address information corresponding to different transactions until the last operation of the certificate, which gives the current state of the certificate, has been queried.
S840, the bookkeeper determines the current state of the digital certificate according to the operation data in the blockchain. Illustratively, the bookkeeper may verify the status of the certificate based on the certificate operations obtained in the previous step.
S850, the bookkeeper sends the current status of the digital certificate to the user.
In the embodiment of the application, the blockchain is used for storing data of at least one operation performed by a digital Certificate Authority (CA) on a digital certificate, and the data of the at least one operation are associated with each other through address information in the blockchain, so that the current state of the digital certificate can be queried in the blockchain once the address information of the issuing operation of the digital certificate has been acquired; with the digital certificate processing method in the embodiment of the application, the current state of the digital certificate can be queried in the blockchain through the address information of the operations, so that the efficiency of certificate state verification can be improved.
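The address-linked walk that fig. 9 (performed by the user) and fig. 10 (performed by the bookkeeper) both rely on can be sketched as follows. This is an added example, not code from the patent: the `Ledger` and `Block` classes, the `ChainError` type, the operation and state names, the 16-character addresses, and the rule that a rollback restores the state before the most recent state-changing operation are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

INIT_ADDR = "0" * 16  # stands in for the preconfigured initialization address
NEW_STATE = {"issue": "valid", "freeze": "frozen",
             "unfreeze": "valid", "revoke": "revoked"}


class ChainError(Exception):
    """The chain of operations recorded for a certificate is inconsistent."""


@dataclass
class Block:
    addr: str
    cert_id: str                     # identifier of the certificate (its hash)
    op: str
    prev_addr: str                   # address of the previous operation
    next_addr: Optional[str] = None  # address of the next operation, set later


class Ledger:
    """In-memory stand-in for the blockchain side (hypothetical model)."""

    def __init__(self) -> None:
        self.blocks: Dict[str, Block] = {}

    def get(self, addr: str) -> Optional[Block]:
        return self.blocks.get(addr)

    def submit(self, cert_id: str, op: str, target_addr: str) -> str:
        """Store one CA operation and return the address of its block."""
        tail = None
        if op == "issue":
            if target_addr != INIT_ADDR:
                raise ChainError("issuing must use the initialization address")
        else:
            tail = self.blocks.get(target_addr)
            if tail is None or tail.cert_id != cert_id:
                raise ChainError("target is not an operation on this certificate")
            # The target may be the previous operation or the issuing
            # operation; in both cases follow the links to the last block.
            while tail.next_addr is not None:
                tail = self.blocks[tail.next_addr]
        prev_addr = tail.addr if tail else INIT_ADDR
        seed = f"{cert_id}|{op}|{prev_addr}|{len(self.blocks)}".encode()
        addr = hashlib.sha256(seed).hexdigest()[:16]
        self.blocks[addr] = Block(addr, cert_id, op, prev_addr)
        if tail is not None:
            tail.next_addr = addr    # update the previous block's next address
        return addr


def current_state(fetch: Callable[[str], Optional[Block]],
                  issue_addr: str, cert_id: str) -> str:
    """Walk from the issuing operation to the last operation, checking links."""
    seen = set()
    history: List[str] = []          # states produced by state-changing operations
    addr: Optional[str] = issue_addr
    expected_prev = INIT_ADDR
    while addr is not None:
        if addr in seen:
            raise ChainError("loop in next-address links")
        seen.add(addr)
        blk = fetch(addr)
        if blk is None:
            raise ChainError(f"no block at {addr}")
        if blk.cert_id != cert_id:
            raise ChainError("block belongs to a different certificate")
        if blk.prev_addr != expected_prev:
            raise ChainError("previous-address link does not match the walk")
        if (blk.op == "issue") != (expected_prev == INIT_ADDR):
            raise ChainError("issuing must be the first and only first operation")
        if blk.op in NEW_STATE:
            history.append(NEW_STATE[blk.op])
        elif blk.op == "rollback":
            if len(history) < 2:
                raise ChainError("nothing to roll back")
            history.pop()            # discard the most recent state change
        elif blk.op != "update":     # an update leaves the state unchanged
            raise ChainError(f"unknown operation {blk.op!r}")
        expected_prev, addr = addr, blk.next_addr
    return history[-1]


if __name__ == "__main__":
    ledger = Ledger()
    cert = hashlib.sha256(b"constructed sample certificate").hexdigest()
    issue = ledger.submit(cert, "issue", INIT_ADDR)
    for operation in ("freeze", "unfreeze", "revoke", "rollback"):
        ledger.submit(cert, operation, issue)
        print(operation, "->", current_state(ledger.get, issue, cert))
```

Passing `ledger.get` as `fetch` models the user walking the chain locally; a bookkeeper answering on the user's behalf would run the same function and return only its result.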
It is to be understood that the above description is intended to assist those skilled in the art in understanding the embodiments of the present application and is not intended to limit the embodiments of the present application to the particular values or particular scenarios illustrated. It will be apparent to those skilled in the art from the foregoing description that various equivalent modifications or changes may be made, and such modifications or changes are intended to fall within the scope of the embodiments of the present application.
The block chain based digital certificate processing method provided by the embodiment of the present application is described in detail above with reference to fig. 1 to 10; the device embodiment of the present application will be described in detail below with reference to fig. 11 to 15. It should be understood that the digital certificate processing apparatus based on the blockchain in the embodiment of the present application may perform the foregoing various methods in the embodiment of the present application, that is, the following specific working processes of various products, and reference may be made to corresponding processes in the foregoing method embodiments.
Fig. 11 is a schematic block diagram of a block chain-based digital certificate processing apparatus provided in an embodiment of the present application.
It should be understood that the digital certificate processing apparatus shown in fig. 11 may perform all or part of the operations in any one of the digital certificate processing methods shown in fig. 2, 9 and 10; the digital certificate processing apparatus 900 includes: a transceiving unit 910 and a processing unit 920.
It should be noted that the digital certificate processing apparatus 900 may refer to a computing device or a chip configured in the computing device.
Wherein the computing device may be a device having the functionality of maintaining and managing blockchains, e.g., may include any device known in the art; alternatively, the computing device may also refer to a chip having the function of maintaining and managing the blockchain. The computing device may include a memory and a processor therein; the memory may be configured to store program code, and the processor may be configured to invoke the program code stored by the memory to implement the corresponding functionality of the computing device. The processor and the memory included in the computing device may be implemented by a chip, and are not particularly limited herein.
The transceiving unit 910 is configured to receive an inquiry request of a digital certificate from a user, where the inquiry request includes address information of an issuing operation of the digital certificate, and the address information of the issuing operation is used to indicate an address where data of the issuing operation is stored in the blockchain; the processing unit 920 is configured to obtain data of an issuing operation of the digital certificate in the block chain according to address information of the issuing operation, where the data of the issuing operation is stored in a target block in the block chain, and the target block includes first address information, where the first address information is used to indicate an address in the block chain at which data processed by a next operation of the issuing operation is stored; acquiring the current state of the digital certificate according to the first address information; the transceiving unit 910 is further configured to send the current status of the digital certificate to the user.
Optionally, as an embodiment, the target block further includes second address information, where the second address information is used to indicate an address for storing data processed by a previous operation of the issuing operation in the block chain.
Optionally, as an embodiment, the transceiver unit 910 is configured to:
receive a first transaction from the CA, where the first transaction is used to store data of first operation processing in the block chain, the first transaction carries target address information, the target address information is used by the block chain to determine the address at which data of the operation preceding the first operation processing is stored, and the first operation processing includes any one of the issuing operation, the cancelling operation, the freezing operation, the unfreezing operation, the rolling-back operation, or the updating operation; and send address information of a first block to the CA, where the first block is used for storing the data of the first operation processing.
Optionally, as an embodiment, when the first operation processing is the issuing operation, the target address information refers to the second address information.
Optionally, as an embodiment, the second address information is a preconfigured initialization address.
Optionally, as an embodiment, when the first operation processing is not the issuing operation, the target address information refers to the address information at which data of the operation preceding the first operation processing is stored in the block chain, or the target address information refers to the address information of the issuing operation.
Optionally, as an embodiment, the block chain further includes a second block, and the processing unit 920 is further configured to:
modify the address information of the next operation processing included in the second block according to the address information of the first block, where the second block is the block in the block chain that stores data of the operation preceding the first operation processing.
Optionally, as an embodiment, the processing unit 920 is further configured to:
verify, according to the address information of the issuing operation, that the current state of the digital certificate is a legal state.
Optionally, as an embodiment, the query request further includes an identifier of the digital certificate.
In one example, the digital certificate processing apparatus 900 may be configured to perform all or part of the operations of any one of the digital certificate processing methods shown in fig. 2, 9, and 10. For example, the transceiver unit 910 may be configured to perform all or part of operations S210, S240, S630, S650, S710, and S720; the processing unit 920 may be configured to perform all or part of the operations in S220 and S230.
Fig. 12 is a schematic block diagram of a block chain-based digital certificate processing apparatus provided in an embodiment of the present application.
It should be understood that the digital certificate processing apparatus shown in fig. 12 may perform the digital certificate processing methods shown in fig. 2, 9, and 10; the digital certificate processing apparatus 1000 includes: a transmitting unit 1010 and a receiving unit 1020.
It should be noted that the digital certificate processing apparatus 1000 may refer to a terminal device or a chip configured in the terminal device, and a user may perform information interaction with the blockchain through the terminal device.
The sending unit 1010 is configured to send an inquiry request of a digital certificate to a blockchain, where the inquiry request includes address information of an issuing operation of the digital certificate, and the address information of the issuing operation is used to indicate an address where data of the issuing operation is stored in the blockchain; the receiving unit 1020 is configured to receive a current state of the digital certificate from the block chain, where the current state of the digital certificate is obtained in the block chain according to first address information, and data of the issuing operation is stored in a target block in the block chain, where the target block includes the first address information, and the first address information is used to indicate an address in the block chain where data processed by a next operation of the issuing operation is stored.
Optionally, as an embodiment, the target block further includes second address information, where the second address information is used to indicate an address for storing data processed by a previous operation of the issuing operation in the block chain.
Optionally, as an embodiment, when the first operation processing is the issuing operation, the sending unit 1010 is further configured to:
send an application request of the digital certificate to the CA, where the application request includes the identity information of the user.
Optionally, as an embodiment, the second address information and the target address information are pre-configured initialization addresses.
Optionally, as an embodiment, when the first operation processing is not the issuing operation, the target address information refers to the address information at which data of the operation preceding the first operation processing is stored in the block chain, or the target address information refers to the address information of the issuing operation.
In one example, the digital certificate processing apparatus 1000 may be configured to perform all or part of the operations in the digital certificate processing method shown in any one of fig. 2, 9, and 10. For example, the receiving unit 1010 may be configured to perform all or part of the operations of S240, S720, S830, and S850; the sending unit 1020 may be configured to perform all or part of the operations in S210, S710, and S810.
It should be understood that the digital certificate processing apparatus 1000 may include other units besides the receiving unit 1010 and the sending unit 1020; for example, a processing unit may control the receiving unit and the sending unit to perform the above operations.
Fig. 13 is a schematic block diagram of a block chain-based digital certificate processing apparatus provided in an embodiment of the present application.
It should be understood that the digital certificate processing apparatus shown in fig. 13 may perform all or part of the operations in the digital certificate processing method shown in any one of fig. 5 to 8; the digital certificate processing apparatus 1100 includes: a transmitting unit 1110 and a receiving unit 1120.
It should be noted that the digital certificate processing apparatus 1100 may be a server or a chip configured in a server; the server may refer to a server of a certificate authority.
The sending unit 1110 is configured to send a first transaction to a blockchain, where the first transaction is used to store, in the blockchain, data of first operation processing performed on a digital certificate by a digital certificate authority CA, the first transaction carries target address information, and the target address information is used by the blockchain to determine the address at which data of the operation preceding the first operation processing is stored; the receiving unit 1120 is configured to receive address information of a first block from the block chain, where the first block is the block in the block chain that stores the data of the first operation processing.
Optionally, as an embodiment, when the first operation processing is an issuing operation of the digital certificate, the target address information refers to the address in the block chain at which data of the operation immediately preceding the issuing operation is stored.
Optionally, as an embodiment, the target address information is a preconfigured initialization address.
Optionally, as an embodiment, the receiving unit 1120 is further configured to:
receive an application request of the digital certificate from a user, where the application request includes the identity information of the user.
Optionally, as an embodiment, when the first operation processing is not the issuing operation of the digital certificate, the target address information refers to the address at which data of the operation immediately preceding the first operation processing is stored in the blockchain, or the target address information refers to the address at which data of the issuing operation of the digital certificate is stored in the blockchain.
Optionally, as an embodiment, the first block includes third address information and fourth address information, where the third address information is used to indicate the address at which data of the operation preceding the first operation processing is stored in the block chain, and the fourth address information is used to indicate the address at which data of the operation following the first operation processing is stored in the block chain.
Optionally, as an embodiment, the fourth address information is obtained by the block chain according to address information of a third block, where the third block is the block in the block chain that stores data of the operation following the first operation processing.
Optionally, as an embodiment, the first operation processing refers to any one of the following operations of the CA on the digital certificate:
the issuing operation, the canceling operation, the freezing operation, the unfreezing operation, the rollback operation or the updating operation.
In one example, the digital certificate processing apparatus 1100 may be configured to perform all or part of the operations of the digital certificate processing method shown in any one of fig. 5 to 8. For example, the sending unit 1110 may be configured to perform all or part of operations in S310, S430, S460, S530, and S630; the receiving unit 1120 may be configured to perform all or part of the operations of S320, S440, S550, and S650.
It should be understood that the digital certificate processing apparatus 1100 may include other units in addition to the receiving unit 1110 and the transmitting unit 1120 described above; for example, a processing unit may control the receiving unit and the transmitting unit to perform the above operations.
Fig. 14 is a schematic block diagram of a block chain-based digital certificate processing apparatus provided in an embodiment of the present application.
It should be understood that the digital certificate processing apparatus shown in fig. 13 may perform all or part of the operations in the digital certificate processing method shown in any one of fig. 5 to 8; the digital certificate processing apparatus 1200 includes: a receiving unit 1210 and a transmitting unit 1220.
It should be noted that the digital certificate processing apparatus 1200 may refer to a computing device or a chip configured in the computing device.
Wherein the computing device may be a device having the functionality of maintaining and managing blockchains, e.g., may include any device known in the art; alternatively, the computing device may also refer to a chip having the function of maintaining and managing the blockchain. The computing device may include a memory and a processor therein; the memory may be configured to store program code, and the processor may be configured to invoke the program code stored by the memory to implement the corresponding functionality of the computing device. The processor and the memory included in the computing device may be implemented by a chip, and are not particularly limited herein.
The receiving unit 1210 is configured to receive a first transaction from a digital certificate authority CA, where the first transaction is used to store, in the blockchain, data of first operation processing performed on a digital certificate by the digital certificate authority CA, the first transaction carries target address information, and the target address information is used by the blockchain to determine the address at which data of the operation preceding the first operation processing is stored; the sending unit 1220 is configured to send, to the CA, address information of a first block, where the first block is the block in the block chain that stores the data of the first operation processing.
Optionally, as an embodiment, when the first operation processing is an issuing operation of the digital certificate, the target address information refers to the address in the block chain at which data of the operation immediately preceding the issuing operation is stored.
Optionally, as an embodiment, the target address information is a preconfigured initialization address.
Optionally, as an embodiment, when the first operation processing is not the issuing operation of the digital certificate, the target address information refers to the address at which data of the operation immediately preceding the first operation processing is stored in the blockchain, or the target address information refers to the address at which data of the issuing operation of the digital certificate is stored in the blockchain.
Optionally, as an embodiment, the first block includes third address information and fourth address information, where the third address information is used to indicate the address at which data of the operation preceding the first operation processing is stored in the block chain, and the fourth address information is used to indicate the address at which data of the operation following the first operation processing is stored in the block chain.
Optionally, as an embodiment, the fourth address information is obtained by the block chain according to address information of a third block, where the third block is the block in the block chain that stores data of the operation following the first operation processing.
Optionally, as an embodiment, the first operation processing refers to any one of the following operations of the CA on the digital certificate:
the issuing operation, the canceling operation, the freezing operation, the unfreezing operation, the rollback operation or the updating operation.
In one example, the digital certificate processing apparatus 1200 may be configured to perform all or part of the operations in the digital certificate processing method illustrated in any one of fig. 5 to 8. For example, the receiving unit 1210 may be configured to perform all or part of operations in S310, S430, S530, and S630; the sending unit 1220 may be configured to perform all or part of the operations of S320, S440, S550, and S650.
It should be understood that the digital certificate processing apparatus 1200 may include other units in addition to the receiving unit 1210 and the transmitting unit 1220 described above; for example, a processing unit may control the receiving unit and the transmitting unit to perform the above operations.
The digital certificate processing apparatus 900, the digital certificate processing apparatus 1000, the digital certificate processing apparatus 1100, and the digital certificate processing apparatus 1200 are implemented as functional units. The term "unit" herein may be implemented in software and/or hardware, and is not particularly limited thereto.
For example, a "unit" may be a software program, a hardware circuit, or a combination of both that implement the above-described functions. The hardware circuitry may include an Application Specific Integrated Circuit (ASIC), an electronic circuit, a processor (e.g., a shared processor, a dedicated processor, or a group of processors) and memory that execute one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that support the described functionality.
Accordingly, the units of the respective examples described in the embodiments of the present application can be realized in electronic hardware, or a combination of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
Fig. 15 is a schematic hardware configuration diagram of a digital certificate processing apparatus according to an embodiment of the present application.
The digital certificate processing apparatus 1300 shown in fig. 15 includes a memory 1310, a processor 1320, a communication interface 1330, and a bus 1340. The memory 1310, the processor 1320, and the communication interface 1330 are communicatively coupled to each other via the bus 1340.
Memory 1310 may be a Read Only Memory (ROM), a static memory device, a dynamic memory device, or a Random Access Memory (RAM). The memory 1310 may store a program, and the processor 1320 is configured to perform the steps of the digital certificate processing method according to the embodiment of the present application when the program stored in the memory 1310 is executed by the processor 1320.
In an example, the digital certificate processing apparatus 1300 may refer to a terminal device, or a chip configured in the terminal device, through which a user may perform information interaction with a blockchain; the digital certificate processing method as shown in any one of fig. 2, 9 and 10 may be performed.
In another example, the digital certificate processing apparatus 1300 may be a server or a chip configured in a server; the server may refer to a server of a certificate authority; all or part of the operations in the digital certificate processing method shown in any one of fig. 2 to 7 are performed.
In another example, the digital certificate processing apparatus 1300 may refer to a computing device or a chip configured in a computing device; all or part of the operations in the digital certificate processing method shown in any one of fig. 2 to 9 are performed.
Wherein the computing device may be a device having the functionality of maintaining and managing blockchains, e.g., may include any device known in the art; alternatively, the computing device may also refer to a chip having the function of maintaining and managing the blockchain. The computing device may include a memory and a processor therein; the memory may be configured to store program code, and the processor may be configured to invoke the program code stored by the memory to implement the corresponding functionality of the computing device. The processor and the memory included in the computing device may be implemented by a chip, and are not particularly limited herein.
For example, the memory may be used to store program instructions related to the digital certificate processing method provided in the embodiments of the present application, and the processor may be used to call the program instructions related to the digital certificate processing method stored in the memory.
The processor 1320 may be a general Central Processing Unit (CPU), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, and is configured to execute related programs to implement the digital certificate processing method according to the embodiment of the present application.
Processor 1320 may also be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the digital certificate processing method of the present application may be implemented by integrated logic circuits of hardware in the processor 1320 or by instructions in the form of software.
The processor 1320 may also be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, and may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM, or registers. The storage medium is located in the memory 1310, and the processor 1320 reads information in the memory 1310 and, in combination with its hardware, completes the functions required to be performed by the units included in the digital certificate processing apparatus shown in fig. 11 to 14 in the embodiments of the present application, or performs the digital certificate processing method shown in fig. 2 to 10 in the method embodiments of the present application.
Communication interface 1330 enables communication between digital certificate processing apparatus 1300 and other devices or communication networks using transceiver means, such as, but not limited to, a transceiver.
Bus 1340 may include a pathway to transfer information between various components of digital certificate processing apparatus 1300 (e.g., memory 1310, processor 1320, communication interface 1330).
It should be noted that although the digital certificate processing apparatus 1300 described above only shows memories, processors, and communication interfaces, in a specific implementation, those skilled in the art will appreciate that the digital certificate processing apparatus 1300 may also include other devices necessary for normal operation. Meanwhile, it will be understood by those skilled in the art that the digital certificate processing apparatus 1300 may also include hardware components for implementing other additional functions according to specific needs. Furthermore, those skilled in the art will appreciate that the digital certificate processing apparatus 1300 described above may also include only the components necessary to implement the embodiments of the present application, and need not include all of the components shown in fig. 15.
Illustratively, the embodiment of the present application further provides a chip, which includes a transceiver unit and a processing unit. The transceiver unit can be an input/output circuit and a communication interface; the processing unit is a processor or a microprocessor or an integrated circuit integrated on the chip; the chip can execute the digital certificate processing method in the above method embodiment.
Illustratively, the present application further provides a computer-readable storage medium, on which instructions are stored, and when executed, the instructions perform the digital certificate processing method in the above method embodiment.
Illustratively, the present application further provides a computer program product containing instructions, which when executed, perform the digital certificate processing method in the above method embodiments.
It should be understood that the processor in the embodiments of the present application may be a Central Processing Unit (CPU), and the processor may also be other general-purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
It will also be appreciated that the memory in the embodiments of the present application can be either volatile memory or non-volatile memory, or can include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory. Volatile memory can be random access memory (RAM), which acts as external cache memory. By way of example, but not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM), and direct rambus RAM (DR RAM).
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer instructions or computer programs. The procedures or functions according to the embodiments of the present application are wholly or partially generated when the computer instructions or the computer program are loaded or executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another computer readable storage medium, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that contains one or more collections of available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. The semiconductor medium may be a solid state disk.
It should be understood that the term "and/or" herein merely describes an association relationship between associated objects and means that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone, where A and B can be singular or plural. In addition, the "/" in this document generally indicates that the former and latter associated objects are in an "or" relationship, but may also indicate an "and/or" relationship, which may be understood with reference to the surrounding text.
In the present application, "at least one" means one or more, and "a plurality" means two or more. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of singular or plural items. For example, at least one of a, b, or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, wherein a, b, c may be single or multiple.
It should be understood that, in the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as a stand-alone product, they may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (29)

1. A block chain-based digital certificate processing method is characterized by comprising the following steps:
receiving an inquiry request of a digital certificate from a user, wherein the inquiry request comprises address information of an issuing operation of the digital certificate, and the address information of the issuing operation is used for indicating an address for storing data of the issuing operation in the block chain;
acquiring data of an issuing operation of the digital certificate in the block chain according to address information of the issuing operation, wherein the data of the issuing operation is stored in a target block in the block chain, and the target block comprises first address information which is used for indicating an address for storing data processed by a next operation of the issuing operation in the block chain;
acquiring the current state of the digital certificate according to the first address information;
sending the current state of the digital certificate to the user.
2. The method of claim 1, wherein the target block further comprises second address information for indicating an address in the block chain at which data processed by a previous operation of the issue operation is stored.
3. The method as claimed in claim 1 or 2, further comprising:
receiving a first transaction from the CA, where the first transaction is used to store data processed by a first operation in the block chain, where the first transaction carries target address information, and the target address information is used for the block chain to determine an address of data processed by a previous operation processed by the first operation, where the first operation processing includes any one of the issuing operation, the cancelling operation, the freezing operation, the unfreezing operation, the rolling-back operation, or the updating operation;
and sending address information of a first block to the CA, wherein the first block is used for storing the data processed by the first operation.
4. The method of claim 3, wherein the target address information refers to the second address information when the first operation process is the issue operation.
5. The method of claim 4, wherein the second address information is a pre-configured initialization address.
6. The method of claim 3, wherein when the first operation process is not the issue operation, the target address information is address information for storing data processed by a previous operation processed by the first operation in the block chain, or the target address information is address information for the issue operation.
7. The method of any of claims 3 to 6, wherein the block chain further comprises a second block, further comprising:
and modifying address information of next operation processing included in the second block according to the address information of the first block, wherein the second block is a block in the block chain, which stores data processed by a previous operation processed by the first operation processing.
8. The method of claim 6 or 7, further comprising:
and verifying that the current state of the digital certificate is in a legal state according to the address information of the issuing operation.
9. The method of any of claims 1-8, wherein an identification of the digital certificate is further included in the query request.
10. A block chain-based digital certificate processing method is characterized by comprising the following steps:
sending an inquiry request of a digital certificate to a blockchain, wherein the inquiry request comprises address information of an issuing operation of the digital certificate, and the address information of the issuing operation is used for indicating an address for storing data of the issuing operation in the blockchain;
receiving a current state of the digital certificate from the block chain, wherein the current state of the digital certificate is acquired in the block chain according to first address information, data of the issuing operation is stored in a target block in the block chain, the target block comprises the first address information, and the first address information is used for indicating an address for storing data processed by a next operation of the issuing operation in the block chain.
11. The method of claim 10, wherein the target block further comprises second address information indicating an address in the block chain at which data processed by a previous operation of the issue operation is stored.
12. The method of claim 10 or 11, further comprising:
and sending an application request of the digital certificate to the CA, wherein the application request comprises the identity information of the user.
13. The method of any of claims 10 to 12, wherein the first address information and the second address information are pre-configured initialization addresses.
14. A block chain-based digital certificate processing method is characterized by comprising the following steps:
sending a first transaction to a blockchain, wherein the first transaction is used for storing data of first operation processing of a digital Certificate Authority (CA) on a digital certificate in the blockchain, the first transaction carries target address information, and the target address information is used for determining, by the blockchain, an address for storing the data of last operation processing of the first operation processing;
receiving address information of a first block from the block chain, wherein the first block refers to a block in the block chain for storing the data processed by the first operation.
15. The method according to claim 14, wherein when the first operation processing is an issuing operation of the digital certificate, the destination address information refers to an address at which data of an operation processing immediately preceding the issuing operation is stored in the block chain.
16. The method of claim 15, wherein the target address information is a pre-configured initialization address.
17. The method of claim 15 or 16, further comprising:
and receiving an application request of the digital certificate from a user, wherein the application request comprises the identity information of the user.
18. The method according to claim 14, wherein when the first operation process is not the digital certificate issuance operation, the destination address information refers to an address at which data of an operation process immediately preceding the first operation process is stored in the blockchain, or the destination address information refers to an address at which data of an issuance operation of the digital certificate is stored in the blockchain.
19. The method according to any one of claims 14 to 18, wherein third address information for indicating an address at which data processed by a previous operation processed by the first operation is stored in the block chain and fourth address information for indicating an address at which data processed by a next operation processed by the first operation is stored in the block chain are included in the first block.
20. The method according to any one of claims 14 to 19, wherein the first operation processing refers to any one of the following operations of the CA on the digital certificate:
an issue operation, an undo operation, a freeze operation, a thaw operation, a rollback operation, or an update operation.
21. A block chain-based digital certificate processing method is characterized by comprising the following steps:
receiving a first transaction from a digital Certificate Authority (CA), wherein the first transaction is used for storing, in the block chain, data of first operation processing performed by the CA on a digital certificate, the first transaction carries target address information, and the target address information is used by the block chain to determine an address for storing the data of the last operation processing of the first operation processing;
and sending address information of a first block to the CA, wherein the first block refers to a block in the block chain for storing the data processed by the first operation.
22. The method of claim 21, wherein when the first operation process is the digital certificate issuance operation, the destination address information refers to address information that stores data of an operation process immediately preceding the issuance operation in the block chain.
23. The method of claim 22, wherein the target address information is a pre-configured initialization address.
24. The method of claim 21, wherein when the first operation process is not the digital certificate issuance operation, the destination address information refers to the address at which data of a last operation process of the first operation process is stored in the blockchain, or the destination address information refers to the address at which data of an issuance operation of the digital certificate is stored in the blockchain.
25. The method according to any one of claims 21 to 24, wherein a third address information for indicating an address for storing data processed by a previous operation processed by the first operation in the block chain and a fourth address information for indicating an address for storing data processed by a next operation processed by the first operation in the block chain are included in the first block.
26. The method according to any one of claims 21 to 25, wherein the first operation processing refers to any one of the following operations of the CA on the digital certificate:
an issue operation, an undo operation, a freeze operation, a thaw operation, a rollback operation, or an update operation.
27. A blockchain-based digital certificate processing apparatus, comprising means for performing the digital certificate processing method of any one of claims 1 to 9, claims 10 to 13, claims 14 to 20, or claims 21 to 26.
28. A blockchain-based digital certificate processing apparatus, comprising:
a memory for storing a program;
a processor for executing the memory-stored program, the processor being configured to perform the digital certificate processing method of any of claims 1 to 9, claims 10 to 13, claims 14 to 20 or claims 21 to 26 when the memory-stored program is executed.
29. A computer storage medium characterized in that the computer storage medium stores a program code including instructions for executing the digital certificate processing method according to any one of claims 1 to 9, claims 10 to 13, claims 14 to 20, or claims 21 to 26.
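The address-linked records of claims 1 to 9 can be modelled in a few lines; the sketch below is an added example, not code from the patent. The names `Ledger`, `Block`, `STATE_AFTER`, `ALLOWED_FROM` and `INIT_ADDR`, the state names, and the rejection of stale targets are assumptions made for illustration.

```python
"""Toy in-memory model of the address-linked certificate records (claims 1-9)."""
import hashlib
from dataclasses import dataclass

INIT_ADDR = "INIT"  # stands in for the pre-configured initialization address

# Assumed state after each operation. Rollback is left out because the claims
# do not say which state it restores.
STATE_AFTER = {"issue": "valid", "cancel": "revoked", "freeze": "frozen",
               "unfreeze": "valid", "update": "valid"}
# Assumed legality rule: the states each operation may be applied to.
ALLOWED_FROM = {"cancel": {"valid", "frozen"}, "freeze": {"valid"},
                "unfreeze": {"frozen"}, "update": {"valid"}}


@dataclass
class Block:
    cert_id: str
    op: str
    prev_addr: str               # address of the previous operation's data
    next_addr: str = INIT_ADDR   # address of the next operation's data


class Ledger:
    def __init__(self):
        self.blocks = {}  # address -> Block

    def _tail(self, addr):
        """Follow next_addr links from addr to the latest record."""
        seen = set()
        while self.blocks[addr].next_addr != INIT_ADDR:
            if addr in seen:
                raise ValueError("cycle in address links")
            seen.add(addr)
            addr = self.blocks[addr].next_addr
        return addr

    def submit(self, cert_id, op, target_addr):
        """CA transaction (claims 3-7); returns the address of the new block."""
        if op not in STATE_AFTER:
            raise ValueError(f"unknown operation {op!r}")
        if op == "issue":
            if target_addr != INIT_ADDR:
                raise ValueError("issue must carry the initialization address")
        else:
            target = self.blocks.get(target_addr)
            if target is None or target.cert_id != cert_id:
                raise ValueError("target is not a record of this certificate")
            if target.op == "issue":
                # Claim 6, second option: resolve the latest record ourselves.
                target_addr = self._tail(target_addr)
            elif target.next_addr != INIT_ADDR:
                raise ValueError("stale target: not the latest operation")
            state = STATE_AFTER[self.blocks[target_addr].op]
            if state not in ALLOWED_FROM[op]:
                raise ValueError(f"{op} not allowed in state {state}")
        seed = f"{len(self.blocks)}|{cert_id}|{op}|{target_addr}"
        addr = hashlib.sha256(seed.encode()).hexdigest()[:16]
        self.blocks[addr] = Block(cert_id, op, prev_addr=target_addr)
        if op != "issue":
            self.blocks[target_addr].next_addr = addr  # claim 7: link forward
        return addr

    def query(self, issue_addr, cert_id):
        """User query (claims 1, 9): current state, starting at the issue record."""
        block = self.blocks.get(issue_addr)
        if block is None or block.op != "issue" or block.cert_id != cert_id:
            raise ValueError("address is not the issue record of this certificate")
        return STATE_AFTER[self.blocks[self._tail(issue_addr)].op]


if __name__ == "__main__":
    ledger = Ledger()
    issue = ledger.submit("cert-001", "issue", INIT_ADDR)  # constructed sample id
    ledger.submit("cert-001", "freeze", issue)
    print(ledger.query(issue, "cert-001"))
```

A relying party only has to keep the issue address: every later operation is reachable from it, so a certificate that was cancelled after issuance cannot be presented as valid as long as the links are maintained by the chain.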
CN202010899006.2A 2020-08-31 2020-08-31 Block chain-based digital certificate processing method and device Pending CN114205086A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010899006.2A CN114205086A (en) 2020-08-31 2020-08-31 Block chain-based digital certificate processing method and device

Publications (1)

Publication Number Publication Date
CN114205086A true CN114205086A (en) 2022-03-18

Family

ID=80644385

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010899006.2A Pending CN114205086A (en) 2020-08-31 2020-08-31 Block chain-based digital certificate processing method and device

Country Status (1)

Country Link
CN (1) CN114205086A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination