CN118153024A - Method, device, equipment and storage medium for detecting risk of server certificate application



Publication number
CN118153024A
Authority
CN
China
Legal status
Pending
Application number
CN202410589504.5A
Other languages
Chinese (zh)
Inventor
张宾
张宇
张伟哲
陈松
刘鹏辉
乔延臣
冯禹铭
Current Assignee
Peng Cheng Laboratory
Original Assignee
Peng Cheng Laboratory

Abstract

The embodiments of the application provide a method, an apparatus, a device and a storage medium for detecting server certificate application risk, and relate to the technical field of network security. The method comprises: obtaining a server certificate to be detected and the related parameter sets; determining the detection order of certificate security detection, certificate vulnerability detection, certificate compliance detection and certificate validity detection; performing the detections one by one in that order, with each parameter set corresponding to a different detection process; and generating a detection report for the server certificate from the detection results. Unlike the related art, in which the server certificate is checked at the client, the check is moved earlier: the certificate applicant checks the server certificate and verifies it before any communication takes place, so that clients are kept from using a server certificate with hidden risks and the security risk caused by late certificate checking is avoided. Because the vulnerability and security of the certificate are also checked, the risk status of the server certificate can be detected comprehensively.

Description

Method, device, equipment and storage medium for detecting risk of server certificate application
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for detecting risk of server certificate application.
Background
The server certificate is used to establish a secure encrypted connection between a client (e.g., a user's browser) and a server. Server certificates typically contain information such as the domain name, organization name, etc. of the website, ensuring that the client is connected to a legitimate server.
In the related art, the client verifies the server certificate: during verification the client can check whether the server certificate is within its validity period and whether its issuing authority is correct. This verification is one-sided, however, and it happens late.
Disclosure of Invention
The main purpose of the embodiments of the application is to provide a method, an apparatus, a device and a storage medium for detecting server certificate application risk, which verify the server certificate comprehensively while moving the verification earlier, thereby reducing certificate risk.
To achieve the above object, a first aspect of an embodiment of the present application provides a server certificate application risk detection method, including:
Obtaining a server certificate to be detected, and obtaining a fourth parameter set, a second parameter set, a first parameter set and a third parameter set, wherein the first parameter set comprises at least a certificate validity period and server certificate configuration environment parameters; the second parameter set comprises at least a certificate encryption algorithm identifier and the server certificate configuration environment parameters; the third parameter set comprises at least the certificate validity period, a certificate subject identifier and the certificate encryption algorithm identifier; and the fourth parameter set comprises at least the certificate validity period, the certificate subject identifier and the server certificate configuration environment parameters;
Determining a detection sequence of certificate security detection, certificate vulnerability detection, certificate compliance detection and certificate validity detection;
Performing the detections one by one in the detection order to obtain detection results, wherein the certificate security detection is performed according to the first parameter set, the certificate vulnerability detection according to the second parameter set, the certificate compliance detection according to the third parameter set, and the certificate validity detection according to the fourth parameter set; and generating a detection report for the server certificate from the detection results.
In some embodiments, the server certificate configuration environment parameters include a certificate version, an encryption suite, and a transport protocol parameter, and the certificate security detection according to the first set of parameters includes:
Acquiring the certificate log corresponding to the server certificate; if the certificate log shows that the certificate applicant applied to the issuing authority for issuance of the server certificate, acquiring the issuing authority signature from the certificate log; if the certificate validity period is less than or equal to a first time length, the issuance verification passes when the issuing authority signature contains at least 1 piece of timestamp data; if the certificate validity period is greater than the first time length and less than or equal to a second time length, the issuance verification passes when the issuing authority signature contains at least 2 pieces of timestamp data; if the certificate validity period is greater than the second time length, the issuance verification passes when the issuing authority signature contains at least 3 pieces of timestamp data; otherwise, the issuance verification fails;
When the server certificate configuration environment parameters include certificate authority authorization records, acquiring the certificate authority entity from the server certificate; when the certificate authority authorization records are consistent with the certificate authority entity, the issuing authority verification passes; otherwise, the issuing authority verification fails;
The certificate deployment configuration verification passes when the certificate version is at least a preset version, and/or a candidate encryption algorithm obtained from the encryption suite is not a preset high-risk algorithm, and/or the expiry time obtained from the transport protocol parameter is greater than or equal to a preset time; otherwise, the certificate deployment configuration verification fails;
When the issuing authority verification, the issuance verification and the certificate deployment configuration verification all pass, the certificate security detection result of the server certificate is a pass; otherwise, it is a fail.
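One way to code the three checks of the certificate security detection above, as an added Python example that is not part of the patent text. The preset values, the `FirstParameterSet` container, the reading of the authorization records as CAA `issue` strings and of the transport-protocol expiry time as the HSTS `max-age`, and the treatment of "and/or" as "all three" are assumptions; all sample values are constructed.

```python
import re
from dataclasses import dataclass
from datetime import timedelta
from typing import List, Optional, Tuple

# Assumed presets. The page names these only as "first/second time length",
# "preset version", "preset high-risk algorithm" and "preset time".
FIRST_LENGTH = timedelta(days=180)
SECOND_LENGTH = timedelta(days=398)
MIN_VERSION = (1, 2)                      # TLS 1.2
HIGH_RISK = {"NULL", "EXPORT", "RC4", "DES", "3DES", "MD5"}
MIN_HSTS_MAX_AGE = 15_552_000             # seconds


@dataclass
class FirstParameterSet:                  # hypothetical container
    validity: timedelta                   # certificate validity period
    issuance_logged: bool                 # issuance request found in the certificate log
    timestamps: List[int]                 # timestamp data carried with the issuer signature
    issuer_id: str                        # issuing authority entity, as a CAA issuer domain
    caa_records: Optional[List[str]]      # e.g. '0 issue "ca.example"', None if absent
    version: Tuple[int, int]
    cipher_suites: List[str]
    hsts_header: Optional[str]


def required_timestamps(validity):
    """Number of timestamps demanded for a given validity period."""
    if validity <= FIRST_LENGTH:
        return 1
    if validity <= SECOND_LENGTH:
        return 2
    return 3


def issuance_check(p):
    if not p.issuance_logged:
        return False
    return len(set(p.timestamps)) >= required_timestamps(p.validity)


def caa_issuers(records):
    """Issuer domains named by 'issue' records; parameters after ';' are ignored."""
    issuers = set()
    for record in records:
        parts = record.split(None, 2)
        if len(parts) == 3 and parts[1].lower() == "issue":
            value = parts[2].strip().strip('"').split(";")[0].strip().lower()
            if value:                     # 'issue ";"' authorises nobody
                issuers.add(value)
    return issuers


def issuer_check(p):
    # Assumption: the page defines this check only when authorization records
    # exist, so their absence is treated as a pass here.
    if p.caa_records is None:
        return True
    return p.issuer_id.lower() in caa_issuers(p.caa_records)


def hsts_max_age(header):
    """max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in (header or "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isdigit() else None
    return None


def deployment_check(p):
    # The page joins these conditions with "and/or"; this sketch requires all three.
    version_ok = p.version >= MIN_VERSION
    suites_ok = all(not (set(re.split(r"[_-]", s.upper())) & HIGH_RISK)
                    for s in p.cipher_suites)
    max_age = hsts_max_age(p.hsts_header)
    return version_ok and suites_ok and max_age is not None and max_age >= MIN_HSTS_MAX_AGE


def security_detection(p):
    checks = {"issuer": issuer_check(p), "issuance": issuance_check(p),
              "deployment": deployment_check(p)}
    checks["passed"] = all(checks.values())
    return checks


# Constructed sample parameter set.
GOOD = FirstParameterSet(
    validity=timedelta(days=90), issuance_logged=True,
    timestamps=[1717000000000, 1717000000500], issuer_id="ca.example",
    caa_records=['0 issue "ca.example; account=1"', '0 iodef "mailto:sec@site.example"'],
    version=(1, 3), cipher_suites=["TLS_AES_128_GCM_SHA256"],
    hsts_header="max-age=31536000; includeSubDomains")
```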
In some embodiments, the server configuration environment parameter includes a server public key, the certificate encryption algorithm identification includes an issuing authority encryption algorithm identification and a server encryption algorithm identification, the certificate vulnerability detection is performed according to the second parameter set, including:
Acquiring a server public key from the server configuration environment parameters, and calculating the field length of the server public key, wherein if the field length is greater than or equal to a preset length, the first vulnerability test passes, otherwise, the first vulnerability test does not pass;
If the encryption algorithm identification of the issuing institution is consistent with the encryption algorithm identification of the server, a hash function corresponding to the server signature is obtained, if the hash function is consistent with at least one preset hash function, the second vulnerability test is passed, otherwise, the second vulnerability test is not passed;
and when the first vulnerability test passes and the second vulnerability test passes, the certificate vulnerability detection result of the server certificate is that the detection passes, otherwise, the detection does not pass.
In some embodiments, the third set of parameters further comprises: the root issuing authority public key, the issuing authority signature and the plaintext data, and the certificate compliance detection is performed according to the third parameter set, including:
calculating to obtain a message digest according to the plaintext data by using a preset hash function;
decrypting the issuing authority signature by using the root issuing authority public key to obtain a certificate digest;
and comparing the message digest with the certificate digest; if the two are consistent, the certificate compliance detection result of the server certificate is a pass; otherwise, it is a fail.
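The digest comparison above, as an added Python example that is not part of the patent text. The page does not name a signature scheme; RSA with PKCS #1 v1.5 encoding and SHA-256 is assumed here, the function names are hypothetical, and the root key is a constructed toy key whose factors are publicly known.

```python
import hashlib
import hmac

# DER prefix of the SHA-256 DigestInfo structure (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Constructed toy root key built from two Mersenne primes so that the example
# needs no key file. The factors are public knowledge: it protects nothing.
P, Q = 2**521 - 1, 2**607 - 1
ROOT_N, ROOT_E = P * Q, 65537
_ROOT_D = pow(ROOT_E, -1, (P - 1) * (Q - 1))   # only used to build the sample signature

# Constructed plaintext data standing in for the unencrypted certificate fields.
PLAINTEXT = b"issuer=Constructed Root CA;subject=www.site.example;notAfter=2024-08-01"


def key_bytes(n):
    return (n.bit_length() + 7) // 8


def message_digest(plaintext):
    """Message digest of the plaintext data with the preset hash function."""
    return hashlib.sha256(plaintext).digest()


def encode_digest(digest, length):
    """EMSA-PKCS1-v1_5 block for a SHA-256 digest: 00 01 FF..FF 00 DigestInfo."""
    info = SHA256_PREFIX + digest
    padding = b"\xff" * (length - len(info) - 3)
    if len(padding) < 8:
        raise ValueError("key too short for this encoding")
    return b"\x00\x01" + padding + b"\x00" + info


def certificate_digest(signature, n, e):
    """Apply the root public key to the signature; None if the signature is malformed."""
    value = int.from_bytes(signature, "big")
    if len(signature) != key_bytes(n) or value >= n:
        return None
    return pow(value, e, n).to_bytes(key_bytes(n), "big")


def compliance_detection(plaintext, signature, n, e):
    recovered = certificate_digest(signature, n, e)
    if recovered is None:
        return False
    # Compare the whole encoded block rather than parsing the digest out of it:
    # lenient parsing of the padding is a classic source of forgery bugs.
    expected = encode_digest(message_digest(plaintext), key_bytes(n))
    return hmac.compare_digest(recovered, expected)


def sign_sample(plaintext):
    """Issuer side, present only to construct a sample signature for the check."""
    block = encode_digest(message_digest(plaintext), key_bytes(ROOT_N))
    return pow(int.from_bytes(block, "big"), _ROOT_D, ROOT_N).to_bytes(key_bytes(ROOT_N), "big")


if __name__ == "__main__":
    sample = sign_sample(PLAINTEXT)
    print("untouched:", compliance_detection(PLAINTEXT, sample, ROOT_N, ROOT_E))
    print("tampered: ", compliance_detection(PLAINTEXT + b"x", sample, ROOT_N, ROOT_E))
```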
In some embodiments, the fourth parameter set further includes a subject alternative name and a certificate revocation list distribution point, and the certificate validity detection is performed according to the fourth parameter set, including:
If the server certificate is within the certificate validity period and the length of the certificate validity period is less than a preset length, the validity period check passes; otherwise, it fails;
Obtaining a website domain name from the certificate subject identifier, and obtaining the application domain name of the certificate applicant from the server certificate configuration environment parameters; if the website domain name and the subject alternative name are consistent with the application domain name, the domain name check passes; otherwise, it fails;
Downloading a certificate revocation list from the certificate revocation list distribution point, sending a serial number query request for the server certificate to a certificate status query server, and receiving the response of the certificate status query server to the serial number query request; if the server certificate is not in the certificate revocation list and the response indicates that the status of the server certificate is normal, the certificate status check passes; otherwise, it fails;
If the validity period check, the domain name check and the certificate status check all pass, the certificate validity detection result of the server certificate is a pass; otherwise, it is a fail.
In some embodiments, the server certificate further includes at least one intermediate certificate, the fourth parameter set further includes a certificate chain, and the certificate validity detection is performed according to the fourth parameter set, and further includes:
performing intermediate certificate validity period verification, intermediate certificate domain name verification and intermediate certificate status verification on each intermediate certificate; if all of them pass, the intermediate certificate validity verification passes; otherwise, it fails;
if the number and positions of the certificates in the certificate chain are correct, the certificate chain check passes; otherwise, it fails;
when the validity period check, the domain name check, the certificate status check, the intermediate certificate validity verification and the certificate chain check all pass, the certificate validity detection result of the server certificate is a pass; otherwise, it is a fail.
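The validity checks of the two embodiments above (validity period, domain name, certificate status, intermediate certificates, certificate chain), as an added Python example that is not part of the patent text. The `Cert` container, both preset durations, the wildcard rule, the reading of "number and position" as issuer-to-subject linkage, and the pre-fetched revocation list and status responses are assumptions; every certificate value is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List

LEAF_MAX_VALIDITY = timedelta(days=398)    # assumed preset for the server certificate
CA_MAX_VALIDITY = timedelta(days=3660)     # assumed preset for intermediate certificates


@dataclass
class Cert:                                # hypothetical view of already-parsed fields
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    san: List[str] = field(default_factory=list)
    is_ca: bool = False


def period_check(cert, now, max_validity):
    """Inside the validity window, and the window itself shorter than the preset."""
    in_window = cert.not_before <= now <= cert.not_after
    return in_window and (cert.not_after - cert.not_before) < max_validity


def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return pattern == host


def domain_check(leaf, applied_domain):
    # One reading of "consistent": the subject names the applied domain and
    # at least one subject alternative name covers it too.
    return name_matches(leaf.subject, applied_domain) and any(
        name_matches(name, applied_domain) for name in leaf.san)


def status_check(cert, revoked_serials, ocsp_status):
    # Both sources must agree: absent from the revocation list and reported
    # "good". A missing or "unknown" response counts as a failure.
    return cert.serial not in revoked_serials and ocsp_status.get(cert.serial) == "good"


def chain_check(chain, trusted_roots):
    """Leaf first, then each issuer in turn, ending under a trusted root."""
    if len(chain) < 2 or chain[0].is_ca:
        return False
    if len({c.subject for c in chain}) != len(chain):     # duplicated entry
        return False
    for child, parent in zip(chain, chain[1:]):
        if not parent.is_ca or child.issuer != parent.subject:
            return False
    return chain[-1].issuer in trusted_roots


def validity_detection(chain, applied_domain, now, revoked_serials, ocsp_status, trusted_roots):
    if not chain:
        return {"passed": False}
    leaf, intermediates = chain[0], chain[1:]
    result = {
        "validity_period": period_check(leaf, now, LEAF_MAX_VALIDITY),
        "domain_name": domain_check(leaf, applied_domain),
        "certificate_status": status_check(leaf, revoked_serials, ocsp_status),
        # The intermediate domain name check is not modelled: the page does not
        # say which name an intermediate certificate is compared against.
        "intermediates": all(
            period_check(c, now, CA_MAX_VALIDITY)
            and status_check(c, revoked_serials, ocsp_status)
            for c in intermediates),
        "certificate_chain": chain_check(chain, trusted_roots),
    }
    result["passed"] = all(result.values())
    return result


# Constructed sample data (no real certificates, names or serial numbers).
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
LEAF = Cert("www.site.example", "Constructed Issuing CA", 0x1001,
            datetime(2024, 5, 1, tzinfo=UTC), datetime(2024, 8, 1, tzinfo=UTC),
            san=["www.site.example", "*.api.site.example"])
INTERMEDIATE = Cert("Constructed Issuing CA", "Constructed Root CA", 0x2001,
                    datetime(2020, 1, 1, tzinfo=UTC), datetime(2029, 1, 1, tzinfo=UTC),
                    is_ca=True)
CHAIN = [LEAF, INTERMEDIATE]
ROOTS = {"Constructed Root CA"}
OCSP = {0x1001: "good", 0x2001: "good"}
```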
In some embodiments, the determining a detection order of the certificate security detection, the certificate vulnerability detection, the certificate compliance detection, and the certificate validity detection comprises:
Acquiring a first weight of the certificate security detection, a second weight of the certificate vulnerability detection, a third weight of the certificate compliance detection and a fourth weight of the certificate validity detection, wherein the first weight, the second weight, the third weight and the fourth weight are the same;
Acquiring the security score of the issuing authority corresponding to the server certificate, and if the security score is lower than a first preset score, increasing the first weight by a first preset value;
Obtaining a vulnerability score of the certificate applicant, and if the vulnerability score is lower than a second preset score, increasing the second weight by a second preset value, wherein the vulnerability score is the ratio of the number of passed checks to the total number of checks in the certificate vulnerability detection of the server certificates applied for by the certificate applicant within a preset time;
If the issuing authority includes at least one intermediate certificate issuing authority, obtaining the intermediate security score of each intermediate certificate issuing authority, and if the average of the intermediate security scores is lower than a third preset score, increasing the third weight by a third preset value, wherein the intermediate security score is the ratio of the number of passed checks to the total number of checks of the intermediate certificate issuing authority in its historical checks;
and arranging the first weight, the second weight, the third weight and the fourth weight in descending order to obtain the detection order.
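The weight adjustment and ordering above, together with running the four detections in the resulting order, as an added Python example that is not part of the patent text. The base weight, preset scores and preset values, the tie-break between equal weights, the score given to an empty history, and all function names are assumptions.

```python
CHECKS = ("security", "vulnerability", "compliance", "validity")

# Assumed presets; the page leaves every one of these values open.
BASE_WEIGHT = 1.0
FIRST_SCORE, SECOND_SCORE, THIRD_SCORE = 0.8, 0.8, 0.8
FIRST_VALUE, SECOND_VALUE, THIRD_VALUE = 0.3, 0.3, 0.3


def pass_ratio(history):
    """Share of passed checks in a history of True/False outcomes."""
    # Assumption: with no history there is nothing to penalise, so score 1.0.
    return sum(history) / len(history) if history else 1.0


def detection_order(issuer_score, applicant_history, intermediate_histories):
    """Return (order, weights) for the four detections.

    issuer_score            security score of the issuing authority
    applicant_history       outcomes of the applicant's past vulnerability detections
    intermediate_histories  one outcome list per intermediate issuing authority
    """
    weights = dict.fromkeys(CHECKS, BASE_WEIGHT)       # all four start equal
    if issuer_score < FIRST_SCORE:
        weights["security"] += FIRST_VALUE
    if pass_ratio(applicant_history) < SECOND_SCORE:
        weights["vulnerability"] += SECOND_VALUE
    if intermediate_histories:
        scores = [pass_ratio(h) for h in intermediate_histories]
        if sum(scores) / len(scores) < THIRD_SCORE:
            weights["compliance"] += THIRD_VALUE
    # The fourth weight is never raised. sorted() is stable, so detections with
    # equal weight keep the order in which CHECKS lists them.
    order = sorted(CHECKS, key=lambda name: weights[name], reverse=True)
    return order, weights


def run_detections(order, detectors, parameter_sets):
    """Run each detector on its own parameter set, in the given order."""
    results = []
    for name in order:
        passed = bool(detectors[name](parameter_sets[name]))
        results.append({"detection": name, "passed": passed})
    return {"order": list(order), "results": results,
            "passed": all(r["passed"] for r in results)}


if __name__ == "__main__":
    # Constructed histories: the applicant failed half of its past checks and
    # one of two intermediate authorities failed half of its own.
    order, weights = detection_order(0.9, [True, False, False, True],
                                     [[True, False], [True, True]])
    print(order, weights)
```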
To achieve the above object, a second aspect of an embodiment of the present application provides a server certificate application risk detection apparatus, including:
A data acquisition module, configured to obtain a server certificate to be detected, and to obtain a fourth parameter set, a second parameter set, a first parameter set and a third parameter set, wherein the first parameter set comprises at least a certificate validity period and server certificate configuration environment parameters; the second parameter set comprises at least a certificate encryption algorithm identifier and the server certificate configuration environment parameters; the third parameter set comprises at least the certificate validity period, a certificate subject identifier and the certificate encryption algorithm identifier; and the fourth parameter set comprises at least the certificate validity period, the certificate subject identifier and the server certificate configuration environment parameters;
A detection order determining module, configured to determine the detection order of certificate security detection, certificate vulnerability detection, certificate compliance detection and certificate validity detection;
A detection module, configured to perform the detections one by one in the detection order to obtain detection results, wherein the certificate security detection is performed according to the first parameter set, the certificate vulnerability detection according to the second parameter set, the certificate compliance detection according to the third parameter set, and the certificate validity detection according to the fourth parameter set, and to generate a detection report for the server certificate from the detection results.
To achieve the above object, a third aspect of the embodiments of the present application proposes an electronic device, including a memory storing a computer program and a processor implementing the method according to the first aspect when the processor executes the computer program.
To achieve the above object, a fourth aspect of the embodiments of the present application proposes a storage medium, which is a storage medium storing a computer program that when executed by a processor implements the method described in the first aspect.
The method, apparatus, device and storage medium for detecting server certificate application risk provided by the embodiments of the application obtain the server certificate to be detected and the related parameter sets, determine the detection order of certificate security detection, certificate vulnerability detection, certificate compliance detection and certificate validity detection, perform the detections one by one in that order, with each parameter set corresponding to a different detection process, and generate a detection report for the server certificate from the detection results. On the one hand, unlike the related art, in which the server certificate is checked at the client, the embodiments move the check earlier: the certificate applicant checks the server certificate and verifies it before any communication takes place, so that clients are kept from using a server certificate with hidden risks and the security risk caused by late certificate checking is avoided. On the other hand, the client usually checks only the validity and the source of the certificate, which is incomplete; on top of that, the embodiments also check other aspects such as the vulnerability and security of the certificate, so the risk status of the server certificate can be detected comprehensively and corresponding countermeasures can be taken.
Drawings
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application.
Fig. 2 is a flowchart of a server certificate application risk detection method provided in an embodiment of the present application.
FIG. 3 is a flow chart of a detection sequence for determining certificate security detection, certificate vulnerability detection, certificate compliance detection, and certificate validity detection provided by an embodiment of the present application.
Fig. 4 is a flowchart of certificate security detection according to a first parameter set provided in an embodiment of the present application.
Fig. 5 is a flowchart of certificate vulnerability detection according to a second parameter set provided by an embodiment of the present application.
Fig. 6 is a flowchart of the certificate compliance detection according to the third parameter set provided in the embodiment of the present application.
Fig. 7 is a flowchart of certificate validity detection according to a fourth parameter set provided in an embodiment of the present application.
Fig. 8 is a flowchart of certificate validity detection according to a fourth parameter set provided in an embodiment of the present application.
Fig. 9 is a block diagram of a server certificate application risk detection apparatus according to still another embodiment of the present application.
Fig. 10 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
It should be noted that although functional block division is performed in a device diagram and a logic sequence is shown in a flowchart, in some cases, the steps shown or described may be performed in a different order than the block division in the device, or in the flowchart.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the application only and is not intended to be limiting of the application.
The server certificate is used to establish a secure encrypted connection between a client (e.g., a user's browser) and a server. Server certificates typically contain information such as the domain name, organization name, etc. of the website, ensuring that the client is connected to a legitimate server.
In the related art, the client verifies the server certificate: during verification the client can check whether the server certificate is within its validity period and whether its issuing authority is correct. This verification is one-sided, however, and it happens late.
Based on this, the embodiments of the application provide a method, an apparatus, a device and a storage medium for detecting server certificate application risk. Unlike checking the server certificate at the client, they move the check earlier: the certificate applicant checks the server certificate and verifies it before any communication takes place. In addition, the client usually checks only the validity and the source of the certificate, which is incomplete; on top of that, the embodiments also check other aspects such as the vulnerability and security of the certificate, so the risk status of the server certificate can be detected comprehensively and corresponding countermeasures can be taken.
The embodiment of the application provides a server certificate application risk detection method, a device, equipment and a storage medium, and specifically, the method is described by the following embodiment.
The embodiment of the application provides a server certificate application risk detection method, and relates to the technical field of network security. First, an application scenario of the embodiment of the present application is described.
Referring to fig. 1, fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application. The application scenario includes at least an issuing authority, a certificate applicant and a client. The certificate applicant may be a server, the client may be a user's browser, and the issuing authority is a certificate issuing authority, which may be a root certificate issuing authority (CA) or an intermediate certificate issuing authority (ICCA). The root certificate authority is the topmost certificate authority; the certificates it issues are widely trusted and are typically pre-installed in software such as operating systems and browsers. The intermediate certificate authority sits between the root certificate authority and the client.
As the certificate applicant, the server applies to the issuing authority for a server certificate: it creates a certificate signing request using its own server private key and sends it to the issuing authority. After receiving the certificate signing request, the issuing authority checks the identity of the server; once the check passes, it issues the server certificate using its own issuing authority private key. The server certificate contains the server public key, and the issuing authority then sends the server certificate to the server.
After obtaining the server certificate, the server obtains the relevant parameters of the certificate, performs application risk detection on the certificate, and derives a risk status from the detection result. The risk status refers to the risks the server may face while the server certificate is in use, after the server has obtained the certificate from the CA or ICCA and deployed and loaded it; the risk may arise when the server certificate is deployed and used on the server, or it may be a security risk of the server deployment and of the environment in which the server certificate is configured. If the server certificate is deployed directly without being verified, the deployed certificate may have security problems during later use; in addition, the server certificate may be revoked, expire, or develop similar security problems during use after deployment.
The verified server certificate is then configured in the software configuration of the web server. When the client attempts to establish a connection, the server sends a corresponding server certificate as part of the response to the client via a secure transport layer protocol (Transport Layer Security, TLS) handshake. The client thus acts as a certificate relying party to verify the identity of the server on demand and establish an encrypted session.
The TLS handshake proceeds as follows: the client initiates the handshake by sending a "Client Hello" message containing the TLS version supported by the client, a client-generated random number that is used to generate the session key, and the list of encryption suites supported by the client. After receiving the Client Hello message, the server replies with a "Server Hello" message, selects a version and an encryption suite that the client also supports, and returns the server-generated random number and the server certificate to the client.
The following describes a server certificate application risk detection method in the embodiment of the present application.
Fig. 2 is an alternative flowchart of a server certificate application risk detection method provided in an embodiment of the present application, where the method in fig. 2 may include, but is not limited to, steps 110 to 130. It should be understood that the order of steps 110 to 130 in fig. 2 is not limited in this embodiment, and the order of steps may be adjusted, or some steps may be reduced or added according to actual requirements.
Step 110: acquire a server certificate to be detected, and acquire a fourth parameter set, a second parameter set, a first parameter set and a third parameter set.
In one embodiment, the server certificate is an SSL/TLS certificate directly bound to the server for establishing a secure encrypted connection between the client (e.g., the user's browser) and the server. A server certificate is a certificate issued by an intermediate certificate authority or directly by a root certificate authority. When a user attempts to access a service using HTTPS, the server certificate is sent to the user's browser. The browser will ensure that the server is the correct server based on the server certificate.
In an embodiment, the first set of parameters includes at least: the certificate validity period and the server certificate configuration environment parameters, and the second parameter set at least comprises: the certificate encryption algorithm identifies and server certificate configuration environment parameters, and the third parameter set at least comprises: the certificate validity period, the certificate body identifier, the certificate encryption algorithm identifier, the root issuing authority public key, the issuing authority signature and the plaintext data, and the fourth parameter set at least comprises: certificate validity period, certificate subject identification, subject replacement name, certificate revocation list distribution point, certificate chain and server certificate configuration environment parameters.
In one embodiment, the certificate validity period refers to a valid use time of the server certificate set by the issuing authority, only the server certificate within the time is valid, and before the certificate validity period, the server certificate is not validated, and after the certificate validity period, the server certificate is invalidated.
In one embodiment, the certificate encryption algorithm identifier is an identifier corresponding to an encryption algorithm used by an issuing entity to issue the server certificate, and the certificate encryption algorithm identifier includes an issuing entity encryption algorithm identifier and a server encryption algorithm identifier corresponding to encryption algorithms adopted by the issuing entity and the server, respectively. The certificate main body identifier is used for identifying a server entity corresponding to the public key in the main body public key item, and the website domain name of the corresponding server can be obtained according to the certificate main body identifier.
In one embodiment, the server certificate configuration environment parameters include at least a certificate version, an encryption suite, transport protocol parameters, and a server public key. Where the certificate version refers to a version of the TLS protocol or SSL protocol, the encryption suite includes multiple server-supported candidate encryption algorithms, the transport protocol parameters refer to HSTS parameters, allowing the web server to tell the browser that HTTPS should be used to access the web site, and that HTTP should be automatically converted to HTTPS in all future requests. The HSTS parameter accomplishes this by including a special struct-Transport-Security header field in the server's response header. The server public key is the only key used by the certificate applicant for encrypting data, and the client can use the server public key to safely exchange encrypted data with the server, so that the security of data transmission is ensured. The server signature is a signature obtained by encrypting data by a server utility server private key, and is used for verifying whether the data comes from the server and is not tampered with.
In one embodiment, the plaintext data is information that is not encrypted in the server certificate, such as the issuing authority of the server certificate, the certificate owner, the certificate validity period, etc., the certificate owner being the certificate applicant. The public key data of the issuing organization refers to the public key information of the issuing organization of the server certificate, and the issuing organization can be an intermediate certificate issuing organization or a root certificate issuing organization. The issuing authority signature refers to a digital certificate obtained by encrypting a server public key and some related information by the issuing authority through a private key of the issuing authority.
In an embodiment, the principal replacement name (the Subject Alternative Name) refers to one or more alternative names of the certificate applicant. When the issuing authority issues the server certificate, the corresponding principal replacement names may be added together as an extension on the server certificate, and the corresponding options include an email address, a domain name, an IP address, a uniform resource identifier, and the like. The certificate revocation list distribution point is a designated location disclosed by an issuing authority from which a client can obtain the certificate revocation list of the issuing authority. There are levels between the intermediate certificates, which constitute the chain of certificates.
The corresponding first parameter set, second parameter set, third parameter set and fourth parameter set are obtained through the above process, and the server certificate is checked using this data so that the security of the server certificate is known in advance. The checked server certificate is then sent to the client, which avoids the client feeding back a negative checking result for the server certificate. In addition, there may be more than one server certificate in the server, in which case a corresponding first parameter set, second parameter set, third parameter set and fourth parameter set are obtained for each of them.
Step 120: determining the detection sequence of certificate security detection, certificate vulnerability detection, certificate compliance detection and certificate validity detection.
In one embodiment, the certificate security detection, the certificate vulnerability detection, the certificate compliance detection, and the certificate validity detection may be performed in parallel or in series. When they are performed in series, the detection processes examine different contents, and the importance of those contents differs, so the embodiment of the application sets a detection sequence for them to improve the detection effect. It can be understood that the relevant data of different servers are different, so the corresponding detection sequences also differ; each server thus gets a detection sequence suited to its specific configuration, which ensures a good detection effect.
In an embodiment, referring to fig. 3, fig. 3 is a flowchart of determining a detection sequence of certificate security detection, certificate vulnerability detection, certificate compliance detection and certificate validity detection according to an embodiment of the present application, and specifically includes steps 310 to 350:
step 310: the method comprises the steps of obtaining a first weight of certificate security detection, a second weight of certificate vulnerability detection, a third weight of certificate compliance detection and a fourth weight of certificate validity detection.
The first weight, the second weight, the third weight and the fourth weight are the same, that is, the same weight is firstly assigned to different detection processes, for example, the first weight, the second weight, the third weight and the fourth weight are all 1.
Step 320: acquiring a security score of the issuing authority corresponding to the server certificate, and if the security score is lower than a first preset score, increasing the first weight by a first preset value.
In one embodiment, the security score is derived from the ratio of the number of passes of the test to the total number of tests by the issuing entity during the historical test.
The purpose of the security score is to determine whether the corresponding issuing authority is trustworthy. Specifically, the calculation process may be: selecting the latest time period in the history inspection process, such as one month or three months, obtaining the inspection results corresponding to all server certificates applied for from the issuing authority in that time period, calculating the ratio between the number of passed inspections and the total number of inspections, and obtaining the security score of the issuing authority according to the ratio. It will be appreciated that the greater the inspection pass ratio of an issuing authority, the higher its security score, and the higher the trust value that can be attributed to the issuing authority. If the security score is lower than the first preset score, the trust value of the issuing authority may be considered low, and the weight of the certificate security detection associated with the issuing authority needs to be increased, so the first preset value is added to the first weight. For example, the first preset value is 0.5, and the first weight after the increase is 1.5.
Step 330: obtaining the vulnerability score of the certificate applicant, and if the vulnerability score is lower than a second preset score, increasing the second weight by a second preset value.
In an embodiment, the vulnerability score is obtained according to a ratio of the number of passes of the verification to the total number of passes of the verification in the certificate vulnerability checking process of the plurality of server certificates applied by the certificate applicant within a preset time.
The purpose of the vulnerability score is to determine the encryption process stability of the corresponding server. The specific calculation process can be as follows: and selecting a preset time period, such as one month, three months and the like, obtaining test results corresponding to a plurality of server certificates applied by a certificate applicant in the time period, calculating the ratio between the passing times and the total times of test, and obtaining vulnerability scores corresponding to the encryption algorithm of the server according to the ratio. It will be appreciated that the more the verification passes, the more stable the encryption algorithm of the server will be. If the vulnerability score is lower than the second preset score, the weight of the certificate vulnerability detection related to the server encryption process needs to be increased at this time, and the second preset value can be added to the second weight. For example, the second preset value is 0.5, and the second weight after the increase is 1.5.
Step 340: if the issuing organization comprises at least one intermediate certificate issuing organization, obtaining an intermediate security score corresponding to the intermediate certificate issuing organization, and if the average value of the intermediate security scores is lower than a third preset score, increasing a third preset value by the third weight.
In an embodiment, since the server certificate may be issued by an intermediate certificate authority, it is necessary to judge the trustworthiness of the corresponding intermediate certificate authority. The intermediate security score is derived from the ratio of the number of passes of the test to the total number of tests in the history of the intermediate certificate authority.
The specific calculation of the intermediate security score may be: and selecting the latest time period, such as one month, three months and the like, in the history inspection process, obtaining inspection results corresponding to all server certificates applied by the intermediate certificate issuing organization in the time period, calculating the ratio between the passing times and the total inspection times, and obtaining the intermediate security score corresponding to the intermediate certificate issuing organization according to the ratio. If the number of the intermediate certificate authorities is greater than 1, averaging the intermediate security scores corresponding to each intermediate certificate authority. If the average is below the third preset score, the overall trust value of the intermediate certificate authority associated with the server certificate may be considered low, at which point the weight of the certificate compliance detection associated with the intermediate certificate authority may need to be raised, at which point the third preset value may be added to the third weight. For example, the third preset value is 0.5, and the third weight after the addition is 1.5.
It will be appreciated that the first preset value, the second preset value and the third preset value are all exemplified by 0.5, but these three values may also be different, and the importance of the certificate vulnerability detection, the certificate validity detection and the certificate security detection may be adjusted by adjusting these three values according to the actual requirements.
Step 350: arranging the first weight, the second weight, the third weight and the fourth weight in order from large to small to obtain a detection order.
In an embodiment, after the weights of the different detection processes are updated according to the above processes, the first weight, the second weight, the third weight and the fourth weight are arranged in order from large to small; where weights have the same value, their relative order is selected at random. The detection sequence of the certificate security detection, the certificate vulnerability detection, the certificate compliance detection and the certificate validity detection is then obtained from the sorting result.
Step 130: performing the detections one by one based on the detection sequence to obtain a detection result, wherein the certificate security detection is performed according to the first parameter set, the certificate vulnerability detection according to the second parameter set, the certificate compliance detection according to the third parameter set, and the certificate validity detection according to the fourth parameter set.
In an embodiment, because of the detection sequence, the detection processes are executed in turn. If a detection process does not pass, the subsequent detection processes need not be executed, and a detection report of the server certificate is generated according to the detection results of the detection processes that were executed. For example, the detection sequence is: certificate security detection, certificate validity detection, certificate vulnerability detection, certificate compliance detection. If the certificate security detection and the certificate validity detection pass but the certificate vulnerability detection does not pass, the certificate compliance detection is not needed, and the detection report is generated according to the detection results of the certificate security detection, the certificate validity detection and the certificate vulnerability detection. It will be appreciated that the detection report may include: detection results, detection process data, recommended processing measures for detection results that do not pass, and the like.
In an embodiment, all detections may instead be performed based on the detection order, in which case the detection report includes every detection result regardless of whether it passes or fails, and the positions of the different detection results in the detection report are arranged according to the detection order.
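The weighting of Steps 310 to 350 and the ordered execution of Step 130 can be sketched as follows. This is an added example, not code from the patent: the preset scores of 0.9, the treatment of an empty history, and all sample histories and detection outcomes are assumptions constructed for illustration, while the initial weight of 1 and the preset values of 0.5 come from the text.

```python
import random

CHECKS = ("security", "vulnerability", "compliance", "validity")


def pass_ratio(history):
    """Passed inspections / total inspections for one historical period.

    An empty history scores 0.0, so an unknown party is treated as untrusted
    (assumption; the page does not cover this case).
    """
    return sum(history) / len(history) if history else 0.0


def detection_order(issuer_history, applicant_history, intermediate_histories,
                    preset_scores=(0.9, 0.9, 0.9), preset_values=(0.5, 0.5, 0.5),
                    rng=None):
    """Steps 310-350: return (order, weights) for the four detections."""
    rng = rng or random.Random()
    weights = {name: 1.0 for name in CHECKS}                      # Step 310
    if pass_ratio(issuer_history) < preset_scores[0]:             # Step 320
        weights["security"] += preset_values[0]
    if pass_ratio(applicant_history) < preset_scores[1]:          # Step 330
        weights["vulnerability"] += preset_values[1]
    if intermediate_histories:                                    # Step 340
        scores = [pass_ratio(h) for h in intermediate_histories]
        if sum(scores) / len(scores) < preset_scores[2]:
            weights["compliance"] += preset_values[2]
    # Step 350: largest weight first. Shuffling before a stable sort puts
    # detections with equal weights in random relative order.
    order = list(CHECKS)
    rng.shuffle(order)
    order.sort(key=lambda name: weights[name], reverse=True)
    return order, weights


def run_detections(order, detections, stop_on_failure=True):
    """Step 130: run the detections in order and collect the report entries.

    stop_on_failure=True skips everything after the first failed detection;
    False runs all four and keeps the report in detection order.
    """
    report = []
    for name in order:
        passed, detail = detections[name]()
        report.append({"detection": name, "passed": passed, "detail": detail})
        if not passed and stop_on_failure:
            break
    return report


# Constructed history: True = inspection passed, False = did not pass.
ISSUER_HISTORY = [True] * 7 + [False] * 3            # 0.7, below 0.9
APPLICANT_HISTORY = [True] * 10                      # 1.0
INTERMEDIATE_HISTORIES = [[True] * 9 + [False],      # 0.9
                          [True] * 5 + [False] * 5]  # 0.5, mean 0.7

# Constructed detection outcomes standing in for the four real detections.
DETECTIONS = {
    "security": lambda: (True, "issuance, issuing authority and deployment checks passed"),
    "validity": lambda: (True, "validity period, domain name and status checks passed"),
    "vulnerability": lambda: (False, "server public key shorter than the preset length"),
    "compliance": lambda: (True, "information digest equals certificate digest"),
}

if __name__ == "__main__":
    order, weights = detection_order(ISSUER_HISTORY, APPLICANT_HISTORY,
                                     INTERMEDIATE_HISTORIES)
    print(order, weights)
    for entry in run_detections(order, DETECTIONS):
        print(entry)
```

With the sample histories, security and compliance both rise to 1.5 and therefore run before the two detections left at 1.0.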
Four detection processes are described in detail below.
In an embodiment, referring to fig. 4, fig. 4 is a flowchart of certificate security detection according to a first parameter set according to an embodiment of the present application, and specifically includes steps 410 to 440:
Step 410: obtaining a certificate log corresponding to the server certificate; if a query of the certificate log shows that the server certificate was issued on the certificate applicant's application to the issuing authority, obtaining the issuing authority signature in the certificate log; if the certificate validity period is less than or equal to a first time length, the issuance check passes when the issuing authority signature contains at least 1 time stamp data; if the certificate validity period is greater than the first time length and less than or equal to a second time length, the issuance check passes when the issuing authority signature contains at least 2 time stamp data; if the certificate validity period is greater than the second time length, the issuance check passes when the issuing authority signature contains at least 3 time stamp data; otherwise, the issuance check does not pass.
In an embodiment, when an issuing authority issues a server certificate, all issuing actions are recorded in corresponding certificate logs, and the certificate logs are stored in a certificate transparency server. Through the certificate transparency server it can be determined whether the server certificate has been issued by other issuing authorities, which prevents illegally issued trusted certificates from being abused by others; a certificate that is not recorded in the certificate transparency server carries the risk that it cannot be publicly checked and may easily have been issued by a malicious issuing authority. The embodiment of the application requests the certificate log from the certificate transparency server, and if the certificate log records that the server certificate was issued on the certificate applicant's application to the issuing authority, the server certificate is not a malicious certificate and was issued by a legitimate issuing authority. The issuing authority signature in the certificate log is then acquired. If the certificate validity period is less than or equal to a first time length, such as 90 days, it is judged whether the issuing authority signature contains at least 1 time stamp data, and if so, the issuance check passes. If the certificate validity period is greater than the first time length and less than or equal to a second time length, such as 180 days, it is judged whether the issuing authority signature contains at least 2 time stamp data, and if so, the issuance check passes. If the certificate validity period is greater than the second time length, the issuance check passes when the issuing authority signature contains at least 3 time stamp data; otherwise, the issuance check does not pass. The time stamp data is used to verify whether the process of issuing the server certificate is sufficiently transparent.
The server certificate should be approved by the relying party, and therefore should not be an untrusted certificate, a certificate not recorded in the certificate transparency server, or a maliciously issued certificate. An untrusted certificate is a server certificate issued by an untrusted issuing authority; such a certificate is easy to impersonate, is exposed to man-in-the-middle attacks, and does not conform to the certificate security specifications. When an issuing authority issues a certificate, the issuing actions of all certificates need to be recorded in a certificate log of a certificate transparency server. Through the certificate transparency server, the relevant personnel can confirm whether their own certificates have been issued by other issuing authorities, which prevents illegally issued trusted certificates from being abused by others; a certificate that is not recorded in the certificate transparency server carries the risk that it cannot be publicly checked and may easily have been issued by a malicious issuing authority. A maliciously issued certificate is a server certificate that was issued without the certificate applicant having agreed to apply for it, and the certificate transparency server may also assist in verifying this.
Step 420: when the server certificate configuration environment parameters comprise certificate authority authorization records, a certificate issuing entity is obtained from the server certificate, when the certificate authority authorization records are consistent with the certificate issuing entity, the certificate issuing entity checks to pass, otherwise, the certificate issuing entity checks to not pass.
In one embodiment, a certificate authority authorization (Certification Authority Authorization, CAA) record is a record in the DNS records of a domain name in which the domain name owner authorizes designated issuing authorities to issue certificates for that domain name. The domain name owner designates the trusted issuing authorities allowed to issue certificates by configuring the CAA record value, and a trusted issuing authority performs the subsequent steps of the server certificate issuing process only if CAA verification passes. The certificate authority authorization can be regarded as the server's authorization of the issuing authority: only an issuing authority authorized by the server may issue a server certificate to that server, and the validity of the issuing authority can be confirmed through the certificate authority authorization.
Therefore, the embodiment of the application inquires the server certificate configuration environment parameters, judges whether the valid certificate issuing authority authorization record exists, acquires the certificate issuing entity related to the issuing authority from the server certificate when the valid CAA record exists, and only when the certificate issuing authority authorization record is consistent with the certificate issuing entity, the issuing authority passes the verification, otherwise, the issuing authority fails the verification.
Step 430: the certificate deployment configuration check passes when the certificate version is at least a preset version, and/or the candidate encryption algorithms obtained from the encryption suite are not preset high-risk algorithms, and/or the expiration time obtained from the transport protocol parameters is greater than or equal to a preset time; otherwise, the certificate deployment configuration check does not pass.
In one embodiment, if an unsafe version of the protocol or encryption suite is used in the deployment process, security of the private key may be compromised, e.g., using certificates that support DH public key parameter reuse may risk a heart-rate site vulnerability. Therefore, in the embodiment of the application, at least verification of the certificate version, the encryption suite or the transmission protocol parameters is needed when the certificate deployment configuration is carried out.
Specifically, it is determined whether the certificate version is a secure version. For example, the security risk of the certificate versions SSL2.0 and SSL3.0 is higher, the security risk of the certificate versions TLS1.0 and TLS1.1 is moderate, and the security risk of the certificate versions TLS1.2 and TLS1.3 is lowest. The certificate versions with moderate and lowest security risk can be set as secure versions, so this step needs to determine whether the certificate version is at least a preset version.
In an embodiment, it is further required to obtain candidate encryption algorithms from the encryption suite, and determine that none of the candidate encryption algorithms is a preset high risk algorithm. Wherein the candidate encryption algorithm is all the encryption algorithms supported in the encryption suite. The preset high risk algorithm may be one or more of an RSA encryption algorithm, a DH encryption algorithm, an ECDH encryption algorithm, a DSA encryption algorithm, an RC4 encryption algorithm, a CBC encryption algorithm, or a SHA1 encryption algorithm.
In an embodiment, it is further required to obtain the expiration time from the transport protocol parameters and determine whether the expiration time is greater than or equal to the preset time. The content format of the transport protocol parameter is: Strict-Transport-Security: max-age=expireTime[; includeSubDomains][; preload]. Here includeSubDomains is an optional parameter; if it is specified, all subdomains of the domain name corresponding to this server must be accessed through the HTTPS protocol. preload is an optional parameter indicating that the HTTPS protocol is also forced for the first access, and max-age indicates the expiration time. The expiration time is obtained from max-age, and it is determined whether it is greater than or equal to a preset time, for example 15768000 seconds.
And if at least one of the three conditions is met, the certificate deployment configuration verification is considered to pass, otherwise, the certificate deployment configuration verification is not passed.
Step 440: when the issuing authority check, the issuance check and the certificate deployment configuration check all pass, the certificate security detection result of the server certificate is that the detection passes; otherwise, the detection does not pass.
And the certificate security detection result of the server certificate is considered to be detection passing only when the issuing institution inspection, the issuing inspection and the certificate deployment configuration inspection are all passed, otherwise, the detection is not passed.
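Steps 410 to 440 can be worked through on an already-collected first parameter set as follows. This is an added example, not code from the patent: the parameter-set layout, the mapping of the listed high-risk algorithms onto IANA cipher suite name tokens, the treatment of a missing CAA record as a failure, and the sample values are assumptions. The deployment check follows the text's and/or rule, so one satisfied condition suffices; `require_all` is an added stricter option.

```python
PROTOCOL_RANK = {"SSL2.0": 0, "SSL3.0": 1, "TLS1.0": 2,
                 "TLS1.1": 3, "TLS1.2": 4, "TLS1.3": 5}


def required_timestamps(validity_days, first_days=90, second_days=180):
    """Step 410: minimum time stamp count for a certificate validity period."""
    if validity_days <= first_days:
        return 1
    return 2 if validity_days <= second_days else 3


def issuance_check(log_entry, applicant, issuer, validity_days):
    """Step 410: the log records this applicant/issuer pair and enough time stamps."""
    if not log_entry or (log_entry["applicant"], log_entry["issuer"]) != (applicant, issuer):
        return False
    return len(log_entry["timestamps"]) >= required_timestamps(validity_days)


def issuing_authority_check(caa_records, issuing_entity):
    """Step 420: pass only when a CAA record names the certificate's issuing entity."""
    return issuing_entity.lower() in {record.lower() for record in caa_records}


def is_high_risk(suite):
    """Step 430: flag a suite that uses one of the page's high-risk algorithms.

    Assumed mapping onto IANA suite names: RSA/DH/ECDH as the (static) key
    exchange, DSS for DSA, RC4 and CBC as tokens, a trailing SHA for SHA1.
    """
    name = suite.upper()
    name = name[4:] if name.startswith("TLS_") else name
    key_exchange, sep, cipher = name.partition("_WITH_")
    if not sep:                       # TLS 1.3 names have no key-exchange part
        key_exchange, cipher = "", name
    kx_tokens, cipher_tokens = key_exchange.split("_"), cipher.split("_")
    if kx_tokens[0] in {"RSA", "DH", "ECDH"} or "DSS" in kx_tokens:
        return True
    return bool({"RC4", "CBC"} & set(cipher_tokens)) or cipher_tokens[-1] == "SHA"


def hsts_max_age(header_value):
    """Return max-age in seconds from a Strict-Transport-Security value, else None."""
    for directive in (header_value or "").split(";"):
        name, _, value = directive.partition("=")
        value = value.strip().strip('"')
        if name.strip().lower() == "max-age" and value.isascii() and value.isdigit():
            return int(value)
    return None


def deployment_check(version, suites, hsts_header, preset_version="TLS1.0",
                     preset_seconds=15768000, require_all=False):
    """Step 430: version, encryption suite and HSTS expiration time conditions."""
    conditions = {
        "version": PROTOCOL_RANK.get(version, -1) >= PROTOCOL_RANK[preset_version],
        "suites": bool(suites) and not any(is_high_risk(s) for s in suites),
        "hsts": (hsts_max_age(hsts_header) or 0) >= preset_seconds,
    }
    combine = all if require_all else any
    return combine(conditions.values()), conditions


def security_detection(p, require_all=False):
    """Step 440: every one of the three checks must pass."""
    deployment, conditions = deployment_check(p["version"], p["suites"], p["hsts"],
                                              require_all=require_all)
    checks = {
        "issuance": issuance_check(p["log_entry"], p["applicant"], p["issuer"],
                                   p["validity_days"]),
        "issuing_authority": issuing_authority_check(p["caa"], p["issuer"]),
        "deployment": deployment,
    }
    return all(checks.values()), checks, conditions


# Constructed first parameter set; every name and value below is made up.
SAMPLE = {
    "applicant": "www.example.test", "issuer": "ca.example", "validity_days": 120,
    "log_entry": {"applicant": "www.example.test", "issuer": "ca.example",
                  "timestamps": ["log-a@2024-05-01T00:00:00Z",
                                 "log-b@2024-05-01T00:00:02Z"]},
    "caa": ["ca.example"],
    "version": "TLS1.2",
    "suites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"],
    "hsts": "max-age=300; includeSubDomains",
}

if __name__ == "__main__":
    print(security_detection(SAMPLE))                    # and/or rule from the text
    print(security_detection(SAMPLE, require_all=True))  # stricter variant
```

The sample passes under the and/or rule on the protocol version alone, although it offers a CBC suite and an HSTS expiration time of only 300 seconds; the per-condition result makes that visible in the report.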
In an embodiment, referring to fig. 5, fig. 5 is a flowchart of performing certificate vulnerability detection according to a second parameter set according to an embodiment of the present application, and specifically includes steps 510 to 530:
Step 510: and acquiring a server public key from the server configuration environment parameters, and calculating the field length of the server public key, wherein if the field length is greater than or equal to the preset length, the first vulnerability test passes, otherwise, the first vulnerability test does not pass.
In one embodiment, the purpose of vulnerability verification is to determine the encryption process stability of the corresponding server. The encryption stability is related to the encryption algorithm, and the encryption algorithm affects the length of the server public key. For example, the length of the server public key corresponding to the RSA encryption algorithm is at least 2048, and the lengths of the server public keys corresponding to the ECDSA encryption algorithm and the SM2 encryption algorithm are at least 256; a server public key that is too short is easy to crack. Specifically, the field in the server certificate related to the server public key is the Public-Key field in Subject Public Key Info.
Step 520: if the issuing institution encryption algorithm identification is consistent with the server encryption algorithm identification, a hash function corresponding to the server signature is obtained, if the hash function is consistent with at least one preset hash function, the second vulnerability test passes, and otherwise, the second vulnerability test does not pass.
In an embodiment, it is first determined whether the issuing authority encryption algorithm identifier and the server encryption algorithm identifier are consistent; if they are, the two use the same encryption algorithm. The security strength of the encryption algorithm is then judged. To do so, the hash function corresponding to the server signature is obtained; if the hash function is consistent with at least one preset hash function, the strength of the hash function is sufficient and the second vulnerability test passes; otherwise, the second vulnerability test does not pass. The preset hash function may be set to a hash function with better strength; for example, the SHA256 hash function has higher strength than the MD5 hash function. Specifically, the hash function is checked by inspecting the Signature Algorithm field in the server certificate, and if it is below SHA256, it is deemed weak for the second vulnerability check.
Step 530: and when the first vulnerability test passes and the second vulnerability test passes, the certificate vulnerability test result of the server certificate is that the test passes, otherwise, the test does not pass.
In an embodiment, the certificate vulnerability detection result of the server certificate is considered to be detection passing only when the first vulnerability detection and the second vulnerability detection are both passed, otherwise, the detection is not passed.
In an embodiment, the purpose of the certificate compliance detection is to determine that the contents of the server certificate have not been tampered with, wherein the issuer public key data includes a root issuer public key. Referring to fig. 6, fig. 6 is a flowchart of the certificate compliance detection according to the third parameter set according to an embodiment of the present application, and specifically includes steps 610 to 630:
Step 610: calculating the information digest from the plaintext data by using a preset hash function.
In one embodiment, the predetermined hash function is a hash function agreed upon by the server and the issuing authority, and the hash value is calculated on the plaintext data as the information digest.
Step 620: decrypting the issuing authority signature by using the public key of the root issuing authority to obtain a certificate digest.
In an embodiment, the issuer signature is signed by the issuer against the information digest of the certificate using its own private key, thus processing the issuer signature using a preset hash function. The signature is then verified using the corresponding root authority public key, which may be obtained directly from the authority by the server, to obtain the corresponding certificate digest.
Step 630: comparing the information digest with the certificate digest; if the two are consistent, the certificate compliance detection result of the server certificate is that the detection passes; otherwise, the detection does not pass.
The information digest is compared with the certificate digest. If the two are consistent, the server certificate was issued by a trusted issuing authority and has not been tampered with within the certificate validity period, and the public key of the root issuing authority in the server certificate is legitimate; the verification passes, and the source of the server certificate is legitimate. If the two are not consistent, the verification does not pass.
It will be appreciated that if an intermediate certificate exists, the intermediate certificates also need to be verified level by level until verification reaches a globally trusted root certificate. If the public key of the root issuing authority cannot verify the signature, a root certificate that is not globally trusted (such as a self-signed certificate) may have been used, and if the information digests are inconsistent during verification, the certificate may have been tampered with.
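Steps 610 to 630 and the level-by-level verification described above can be traced with the following added example, which is not code from the patent. It uses textbook RSA without padding and key pairs built from Mersenne primes, constructed purely so that the digest comparison runs with the standard library; the certificate layout, the names and SHA-256 as the agreed hash function are assumptions, and real certificates use padded signature schemes and ASN.1 encoding.

```python
import hashlib

E = 65537


def keypair(p, q):
    """Textbook RSA key pair (public, private) from two primes; no padding."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


# Constructed keys built from Mersenne primes, for illustration only.
ROOT_PUBLIC, ROOT_PRIVATE = keypair(2**521 - 1, 2**607 - 1)
INTER_PUBLIC, INTER_PRIVATE = keypair(2**1279 - 1, 2**2203 - 1)


def plaintext_data(cert):
    """The unencrypted certificate fields that the issuing authority signs."""
    n, e = cert["public_key"]
    fields = [cert["subject"], cert["issuer"], cert["not_after"], str(n), str(e)]
    return "|".join(fields).encode()


def information_digest(cert):
    """Step 610: hash the plaintext data with the agreed hash function."""
    return int.from_bytes(hashlib.sha256(plaintext_data(cert)).digest(), "big")


def issue(subject, issuer, public_key, issuer_private, not_after="2030-01-01"):
    """Issuing side: sign the information digest with the issuer's private key."""
    cert = {"subject": subject, "issuer": issuer,
            "not_after": not_after, "public_key": public_key}
    n, d = issuer_private
    cert["signature"] = pow(information_digest(cert), d, n)
    return cert


def certificate_digest(cert, issuer_public):
    """Step 620: recover the signed digest with the issuer's public key."""
    n, e = issuer_public
    return pow(cert["signature"], e, n)


def compliance_detection(chain, trusted_roots):
    """Step 630, applied level by level from the server certificate upward.

    chain lists the server certificate first, then its intermediate
    certificates; trusted_roots maps a root issuing authority name to its
    public key.
    """
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            if chain[i + 1]["subject"] != cert["issuer"]:
                return False, cert["subject"] + ": next certificate is not the issuer"
            issuer_public = chain[i + 1]["public_key"]
        else:
            issuer_public = trusted_roots.get(cert["issuer"])
        if issuer_public is None:
            return False, cert["subject"] + ": issuer is not a trusted root"
        if information_digest(cert) != certificate_digest(cert, issuer_public):
            return False, cert["subject"] + ": digest mismatch"
    return True, "ok"


# Constructed certificates; the server key is a placeholder that is never used.
TRUSTED_ROOTS = {"Example Root CA": ROOT_PUBLIC}
INTERMEDIATE = issue("Example Intermediate CA", "Example Root CA",
                     INTER_PUBLIC, ROOT_PRIVATE)
SERVER = issue("www.example.test", "Example Intermediate CA",
               (0xC0FFEE, E), INTER_PRIVATE)
SELF_SIGNED = issue("www.example.test", "www.example.test",
                    INTER_PUBLIC, INTER_PRIVATE)
TAMPERED = dict(SERVER, not_after="2040-01-01")   # field changed after signing

if __name__ == "__main__":
    print(compliance_detection([SERVER, INTERMEDIATE], TRUSTED_ROOTS))
    print(compliance_detection([TAMPERED, INTERMEDIATE], TRUSTED_ROOTS))
    print(compliance_detection([SELF_SIGNED], TRUSTED_ROOTS))
```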
In an embodiment, referring to fig. 7, fig. 7 is a flowchart of performing certificate validity detection according to a fourth parameter set according to an embodiment of the present application, and specifically includes steps 710 to 740:
Step 710: if the server certificate is in the valid period of the certificate and the valid period of the certificate is less than the preset time, the valid period check is passed, otherwise, the valid period check is not passed.
Considering that the server certificate can only be used within the certificate validity period, and that an overlong certificate validity period may allow the key to be broken and therefore also brings corresponding risks, the embodiment of the application checks the certificate validity period. If the server certificate is within the certificate validity period, and the length of the certificate validity period is smaller than the preset time, for example 90 days, the validity period check is considered to pass; otherwise, the validity period check does not pass. For example, the Validity field information of the server certificate is checked to see whether the current date is within the validity period of the server certificate, and the length of the certificate validity period is analyzed.
Step 720: obtaining a website domain name based on the certificate main body identifier, and obtaining an application domain name of a certificate applicant from the server certificate configuration environment parameter, if the website domain name and the main body replacement name are consistent with the application domain name, the domain name is checked and passed, otherwise, the domain name is checked and not passed.
In an embodiment, the website domain name is obtained according to the certificate Subject identifier, where the website domain name is the domain name issued by the issuing authority. The application domain name of the certificate applicant is then obtained from the server certificate configuration environment parameters, and if the Subject Alternative Name field contains a main body replacement name, the main body replacement name also needs to be obtained. It is then determined whether the website domain name is consistent with the server, that is, with the application domain name applied for by the certificate applicant. If the website domain name and the main body replacement name are consistent with the application domain name, the domain name check is considered to pass; otherwise, the domain name check does not pass. For example, the X509v3 Subject Alternative Name field of the server certificate is checked to obtain the corresponding website domain name, and it is determined whether the website domain name in the field is the expected application domain name.
Step 730: downloading a certificate revocation list according to a certificate revocation list distribution point, sending a serial number query request for the server certificate to a certificate status query server, and receiving the response result of the certificate status query server to the serial number query request; if the server certificate does not exist in the certificate revocation list and the response result indicates that the status of the server certificate is normal, the certificate status check passes; otherwise, the certificate status check does not pass.
In one embodiment, if the issuing authority revokes an issued certificate, at which point the certificate will expire, the encryption service of the corresponding server will disappear, and the encryption service between the server's domain name website and the client will be interrupted, thus requiring a check as to whether the server certificate is revoked. The certificate revocation list distribution point is a designated position disclosed by an issuing organization, and a client can acquire the certificate revocation list of the issuing organization. When a certificate needs to be revoked, the certificate's issuing authority will update information in its certificate revocation list, which the client can check to verify if a certificate has been revoked. Therefore, in the embodiment of the present application, the URL of the CRL field or the OCSP field of Authority Information Access is extracted and checked to obtain at least one certificate revocation list distribution point, the certificate revocation list is downloaded from the certificate revocation list distribution point, and whether the server certificate exists in the certificate revocation list is determined, if so, the server certificate is proved to be the revoked certificate. And simultaneously, a serial number inquiry request of the server certificate is sent to a certificate status inquiry server, and the certificate status inquiry server can inquire the status of the certificate in real time to determine whether a specific SSL certificate is still valid. Therefore, the embodiment of the application also receives a response result of the certificate status query server responding to the serial number query request, when the server certificate does not exist in the certificate revocation list and the state of the server certificate is represented to be normal by the response result, the certificate status check is passed, otherwise, the certificate status check is not passed.
Step 740: and if the validity period passes, the domain name passes and the certificate state passes, the certificate validity detection result of the server certificate is that the detection passes, and if the validity period passes, the domain name passes and the certificate state passes, the detection result is that the detection does not pass.
In one embodiment, the certificate validity detection result is considered to be detection passing only after the validity period detection passes, the domain name detection passes and the certificate status detection passes, otherwise, the detection is not passed.
In an embodiment, considering that some server certificates are issued by an intermediate certificate authority, at this time, the server certificate further includes at least one intermediate certificate, referring to fig. 8, fig. 8 is a flowchart of performing certificate validity detection according to the fourth parameter set according to an embodiment of the present application, and specifically includes steps 810 to 830:
Step 810: and respectively carrying out intermediate certificate validity period test, intermediate certificate domain name test and intermediate certificate state test on each intermediate certificate, wherein after the intermediate certificate validity test passes the test, the intermediate certificate validity test passes, otherwise, the intermediate certificate validity test does not pass.
In an embodiment, the number of the intermediate certificates may be more than one, so that the intermediate certificate validity period test, the intermediate certificate domain name test and the intermediate certificate status test are respectively performed on each intermediate certificate according to the corresponding validity test mode in fig. 5, and after the tests are all passed, the intermediate certificate validity test is passed, otherwise, the intermediate certificate validity test is not passed.
Step 820: the number and the position of the certificates of the certificate chain are correct, the certificate chain passes the inspection, otherwise, the certificate chain does not pass the inspection.
In an embodiment, there are hierarchies among the intermediate certificates, and these hierarchies form a certificate chain, at this time, whether the number of the certificates in the certificate chain is consistent with the expected number, whether the intermediate certificate at the corresponding position is the expected intermediate certificate or not needs to be checked, if the number and the position of the certificates are correct, the certificate chain checks to pass, otherwise, the certificate chain checks to not pass.
Step 830: the validity period checking is passed, the domain name checking is passed, the certificate state checking is passed, the intermediate certificate validity checking is passed and the certificate chain checking is passed, the certificate validity checking result of the server certificate is the checking pass, otherwise, the checking is not passed.
In one embodiment, in conjunction with fig. 7, only if the five tests of validity period test, domain name test, certificate status test, intermediate certificate validity test, and certificate chain test are all passed, the result of the certificate validity test of the server certificate is considered to be that the test is passed, otherwise, the test is not passed.
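The five-way decision of steps 730 to 830 can be sketched as follows. This is an added example, not code from the patent: certificates are constructed stand-in records rather than parsed X.509 data, the lifetime presets are assumed values, the intermediate "domain name" check is interpreted as the intermediate's subject matching the issuer of the certificate beneath it, and missing revocation data is treated as a failed status check.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SERVER_MAX_LIFETIME = timedelta(days=398)   # assumed preset for the server certificate
CA_MAX_LIFETIME = timedelta(days=3650)      # assumed preset for intermediate certificates


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the fields the checks read from a certificate."""
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    san: tuple = ()


def period_ok(cert, now, max_lifetime):
    # Inside the validity window AND total lifetime shorter than the preset.
    in_window = cert.not_before <= now <= cert.not_after
    return in_window and (cert.not_after - cert.not_before) < max_lifetime


def domain_ok(cert, application_domain):
    # Subject name and SAN must both agree with the domain applied for.
    # Exact, case-insensitive match only; wildcard handling is out of scope here.
    wanted = application_domain.lower()
    return cert.subject.lower() == wanted and wanted in {n.lower() for n in cert.san}


def status_ok(cert, revocation):
    # Step 730: absent from the issuer's CRL AND status responder says "good".
    # A CRL that could not be downloaded (None) or a missing answer fails the check.
    source = revocation.get(cert.issuer)
    if source is None or source.get("crl") is None:
        return False
    answer = source.get("ocsp", {}).get(cert.serial)
    return cert.serial not in source["crl"] and answer == "good"


def validity_detection(server, intermediates, expected_chain,
                       application_domain, revocation, now):
    """Return the five check results of step 830 plus the overall verdict."""
    results = {
        "validity_period": period_ok(server, now, SERVER_MAX_LIFETIME),
        "domain_name": domain_ok(server, application_domain),
        "certificate_status": status_ok(server, revocation),
    }
    # Step 810: every intermediate must pass all three of its own checks.
    per_intermediate, below = [], server
    for ca in intermediates:            # ordered from the server certificate upward
        per_intermediate.append(period_ok(ca, now, CA_MAX_LIFETIME)
                                and ca.subject == below.issuer
                                and status_ok(ca, revocation))
        below = ca
    results["intermediate_validity"] = all(per_intermediate)
    # Step 820: expected number of certificates, each at its expected position.
    results["certificate_chain"] = [c.subject for c in intermediates] == list(expected_chain)
    results["passed"] = all(results.values())
    return results


def sample_inputs():
    """Constructed sample data (fresh objects on every call)."""
    utc = timezone.utc
    server = Cert("www.example.test", "Example Issuing CA", 0x1001,
                  datetime(2024, 5, 1, tzinfo=utc), datetime(2024, 11, 1, tzinfo=utc),
                  san=("www.example.test", "example.test"))
    issuing = Cert("Example Issuing CA", "Example Root CA", 0x20,
                   datetime(2022, 1, 1, tzinfo=utc), datetime(2027, 1, 1, tzinfo=utc))
    revocation = {
        "Example Issuing CA": {"crl": {0x0999}, "ocsp": {0x1001: "good"}},
        "Example Root CA": {"crl": set(), "ocsp": {0x20: "good"}},
    }
    return {"server": server, "intermediates": [issuing],
            "expected_chain": ("Example Issuing CA",),
            "application_domain": "www.example.test",
            "revocation": revocation,
            "now": datetime(2024, 6, 1, tzinfo=utc)}


if __name__ == "__main__":
    for name, value in validity_detection(**sample_inputs()).items():
        print(f"{name}: {'pass' if value else 'fail'}")
```

Because the verdict is the conjunction of all five results, a clean revocation list cannot compensate for a status answer other than "good", and the reverse also holds.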
After the detection process, a detection report can be generated according to the detection result and other related data. Referring to table 1 below, one possible detection report is provided for an embodiment of the present application.
Table 1: One possible detection report for embodiments of the present application
It will be appreciated that Table 1 is merely illustrative and does not limit the detection report of the server certificate; items in it may be added, removed or altered.
The above describes in detail the procedures of certificate security detection, certificate vulnerability detection, certificate compliance detection and certificate validity detection in the embodiments of the present application. Executing the corresponding detection processes in the detection order allows the risk status of the server certificate to be detected comprehensively.
In the technical solution provided by the embodiment of the application, the server certificate to be detected and the related parameter sets are obtained, the detection order of certificate security detection, certificate vulnerability detection, certificate compliance detection and certificate validity detection is determined, the detections are performed one by one in that order, with different parameter sets corresponding to different detection processes, and a detection report of the server certificate is then generated from the detection results. Unlike the related art, in which the server certificate is checked at the client, the embodiment of the application moves certificate detection earlier: the server certificate is checked on the certificate applicant's side and verified before communication. On the one hand, this prevents the client from using a server certificate with hidden risks and avoids the security risk caused by the lag in certificate detection. On the other hand, the client usually checks only the validity and source of the certificate, which is incomplete; on that basis, the embodiment of the application also checks other aspects such as the vulnerability and security of the certificate, so that the risk status of the server certificate can be detected comprehensively and corresponding countermeasures can be taken.
The embodiment of the application also provides a server certificate application risk detection device, which can realize the server certificate application risk detection method, and referring to fig. 9, the device comprises:
Data acquisition module 910: configured to obtain a server certificate to be detected, and to obtain a fourth parameter set, a second parameter set, a first parameter set and a third parameter set, wherein the first parameter set at least comprises a certificate validity period and server certificate configuration environment parameters; the second parameter set at least comprises a certificate encryption algorithm identifier and the server certificate configuration environment parameters; the third parameter set at least comprises the certificate validity period, a certificate subject identifier and the certificate encryption algorithm identifier; and the fourth parameter set at least comprises the certificate validity period, the certificate subject identifier and the server certificate configuration environment parameters.
Detection order determination module 920: configured to determine the detection order of certificate security detection, certificate vulnerability detection, certificate compliance detection and certificate validity detection.
Detection module 930: configured to perform the detections one by one in the detection order to obtain detection results, performing certificate security detection according to the first parameter set, certificate vulnerability detection according to the second parameter set, certificate compliance detection according to the third parameter set and certificate validity detection according to the fourth parameter set, and to generate a detection report of the server certificate from the detection results.
The specific implementation manner of the server certificate application risk detection device in this embodiment is substantially identical to the specific implementation manner of the server certificate application risk detection method described above, and will not be described herein.
The embodiment of the application also provides electronic equipment, which comprises:
At least one memory;
At least one processor;
At least one program;
The program is stored in the memory, and the processor executes the at least one program to implement the server certificate application risk detection method described above. The electronic device may be any intelligent terminal, including a mobile phone, a tablet computer, a personal digital assistant (PDA), a vehicle-mounted computer, and the like.
Referring to fig. 10, fig. 10 illustrates a hardware structure of an electronic device according to another embodiment, the electronic device includes:
The processor 1001 may be implemented by a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits, etc., and executes the related programs to implement the technical solutions provided by the embodiments of the present application;
The memory 1002 may be implemented in the form of read-only memory (ROM), static storage, dynamic storage, or random access memory (RAM). The memory 1002 may store an operating system and other application programs. When the technical solutions provided in the embodiments of the present disclosure are implemented by software or firmware, the relevant program code is stored in the memory 1002 and is invoked by the processor 1001 to execute the server certificate application risk detection method of the embodiments of the present disclosure;
An input/output interface 1003 for implementing information input and output;
The communication interface 1004 is configured to implement communication interaction between the present device and other devices, and may implement communication in a wired manner (e.g. USB, network cable, etc.), or may implement communication in a wireless manner (e.g. mobile network, WIFI, bluetooth, etc.); and
A bus 1005 for transferring information between the various components of the device (e.g., the processor 1001, memory 1002, input/output interface 1003, and communication interface 1004);
Wherein the processor 1001, the memory 1002, the input/output interface 1003, and the communication interface 1004 realize communication connection between each other inside the device through the bus 1005.
The embodiment of the application also provides a storage medium, which is a storage medium storing a computer program, and the computer program realizes the server certificate application risk detection method when being executed by a processor.
The memory, as a non-transitory storage medium, may be used to store non-transitory software programs as well as non-transitory computer-executable programs. In addition, the memory may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory remotely located relative to the processor, the remote memory being connectable to the processor through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The method, device, equipment and storage medium for detecting server certificate application risk provided by the embodiment of the application obtain the server certificate to be detected and the related parameter sets, determine the detection order of certificate security detection, certificate vulnerability detection, certificate compliance detection and certificate validity detection, perform the detections one by one in that order, with different parameter sets corresponding to different detection processes, and generate a detection report of the server certificate from the detection results. Unlike the related art, in which the server certificate is checked at the client, the embodiment of the application moves certificate detection earlier: the server certificate is checked on the certificate applicant's side and verified before communication. On the one hand, this prevents the client from using a server certificate with hidden risks and avoids the security risk caused by the lag in certificate detection. On the other hand, the client usually checks only the validity and source of the certificate, which is incomplete; on that basis, the embodiment of the application also checks other aspects such as the vulnerability and security of the certificate, so that the risk status of the server certificate can be detected comprehensively and corresponding countermeasures can be taken.
The embodiments described in the embodiments of the present application are for more clearly describing the technical solutions of the embodiments of the present application, and do not constitute a limitation on the technical solutions provided by the embodiments of the present application, and those skilled in the art can know that, with the evolution of technology and the appearance of new application scenarios, the technical solutions provided by the embodiments of the present application are equally applicable to similar technical problems.
It will be appreciated by persons skilled in the art that the embodiments of the application are not limited by the illustrations, and that more or fewer steps than those shown may be included, or certain steps may be combined, or different steps may be included.
The above described apparatus embodiments are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Those of ordinary skill in the art will appreciate that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof.
The terms "first," "second," "third," "fourth," and the like in the description of the application and in the above figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be understood that in the present application, "at least one (item)" means one or more, and "a plurality" means two or more. "And/or" describes an association between associated objects and indicates that three relationships are possible; for example, "A and/or B" may represent: only A, only B, or both A and B, where A and B may each be singular or plural. The character "/" generally indicates an "or" relationship between the objects before and after it. "At least one of the following" or similar expressions means any combination of the listed items, including any combination of single items or plural items. For example, at least one of a, b or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b and c may each be single or plural.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the above-described division of units is merely a logical function division, and there may be another division manner in actual implementation, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, including multiple instructions to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method of the various embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, an optical disk, or other various media capable of storing a program.
The preferred embodiments of the present application have been described above with reference to the accompanying drawings, and are not thereby limiting the scope of the claims of the embodiments of the present application. Any modifications, equivalent substitutions and improvements made by those skilled in the art without departing from the scope and spirit of the embodiments of the present application shall fall within the scope of the claims of the embodiments of the present application.

Claims (10)

1. A method for detecting risk of application of a server certificate, which is applied to a certificate applicant, the method comprising:
Obtaining a server certificate to be detected, and obtaining a fourth parameter set, a second parameter set, a first parameter set and a third parameter set, wherein the first parameter set at least comprises: a certificate validity period and server certificate configuration environment parameters; the second parameter set at least comprises: a certificate encryption algorithm identifier and the server certificate configuration environment parameters; the third parameter set at least comprises: the certificate validity period, a certificate subject identifier and the certificate encryption algorithm identifier; and the fourth parameter set at least comprises: the certificate validity period, the certificate subject identifier and the server certificate configuration environment parameters;
Determining a detection order of certificate security detection, certificate vulnerability detection, certificate compliance detection and certificate validity detection;
Performing the detections one by one in the detection order to obtain detection results, wherein certificate security detection is performed according to the first parameter set, certificate vulnerability detection according to the second parameter set, certificate compliance detection according to the third parameter set and certificate validity detection according to the fourth parameter set, and generating a detection report of the server certificate from the detection results.
2. The server certificate application risk detection method of claim 1, wherein the server certificate configuration environment parameters include a certificate version, an encryption suite, and a transport protocol parameter, the certificate security detection according to the first set of parameters comprising:
Acquiring a certificate log corresponding to the server certificate; if the certificate log shows that the server certificate was applied for by the certificate applicant to the issuing authority, acquiring the issuing authority signature in the certificate log; if the certificate validity period is less than or equal to a first time length, the issuance verification passes when the issuing authority signature contains at least 1 item of timestamp data; if the certificate validity period is greater than the first time length and less than or equal to a second time length, the issuance verification passes when the issuing authority signature contains at least 2 items of timestamp data; if the certificate validity period is greater than the second time length, the issuance verification passes when the issuing authority signature contains at least 3 items of timestamp data; otherwise, the issuance verification fails;
When the server certificate configuration environment parameters comprise a certificate authority authorization record, acquiring a certificate authority entity from the server certificate; when the certificate authority authorization record is consistent with the certificate authority entity, the issuing authority verification passes; otherwise, the issuing authority verification fails;
When the certificate version is at least a preset version, and/or a candidate encryption algorithm obtained from the encryption suite is not a preset high-risk algorithm, and/or a failure time obtained from the transport protocol parameter is greater than or equal to a preset time, the certificate deployment configuration verification passes; otherwise, the certificate deployment configuration verification fails;
When the issuing authority verification, the issuance verification and the certificate deployment configuration verification all pass, the certificate security detection result of the server certificate is a pass; otherwise, the detection fails.
3. The server certificate application risk detection method of claim 1, wherein the server configuration environment parameters include a server public key, the certificate encryption algorithm identifier includes an issuing authority encryption algorithm identifier and a server encryption algorithm identifier, and performing the certificate vulnerability detection according to the second parameter set comprises:
Acquiring the server public key from the server configuration environment parameters and calculating the field length of the server public key; if the field length is greater than or equal to a preset length, the first vulnerability check passes; otherwise, the first vulnerability check fails;
If the issuing authority encryption algorithm identifier is consistent with the server encryption algorithm identifier, obtaining the hash function corresponding to the server signature; if the hash function is consistent with at least one preset hash function, the second vulnerability check passes; otherwise, the second vulnerability check fails;
When the first vulnerability check and the second vulnerability check both pass, the certificate vulnerability detection result of the server certificate is a pass; otherwise, the detection fails.
4. The server certificate application risk detection method of claim 1, wherein the third set of parameters further comprises: the root issuing authority public key, the issuing authority signature and the plaintext data, and the certificate compliance detection is performed according to the third parameter set, including:
calculating to obtain a message digest according to the plaintext data by using a preset hash function;
decrypting the issuing authority signature by using the root issuing authority public key to obtain a certificate digest;
and comparing the message digest with the certificate digest; if the two are consistent, the certificate compliance detection result of the server certificate is a pass; otherwise, the certificate compliance detection result is a fail.
5. The server certificate application risk detection method of claim 1, wherein the fourth parameter set further includes a subject alternative name and a certificate revocation list distribution point, and performing the certificate validity detection according to the fourth parameter set comprises:
If the server certificate is within the certificate validity period and the length of the certificate validity period is less than a preset time length, the validity period check passes; otherwise, the validity period check fails;
Obtaining a website domain name based on the certificate subject identifier, and obtaining the application domain name of the certificate applicant from the server certificate configuration environment parameters; if the website domain name and the subject alternative name are both consistent with the application domain name, the domain name check passes; otherwise, the domain name check fails;
Downloading a certificate revocation list from the certificate revocation list distribution point, sending a serial number query request for the server certificate to a certificate status query server, and receiving the response result that the certificate status query server returns for the serial number query request; if the server certificate does not appear in the certificate revocation list and the response result indicates that the status of the server certificate is normal, the certificate status check passes; otherwise, the certificate status check fails;
If the validity period check passes, the domain name check passes and the certificate status check passes, the certificate validity detection result of the server certificate is a pass; otherwise, the detection result is a fail.
6. The server certificate application risk detection method according to claim 5, wherein the server certificate further includes at least one intermediate certificate, the fourth parameter set further includes a certificate chain, and performing the certificate validity detection according to the fourth parameter set further comprises:
performing an intermediate certificate validity period check, an intermediate certificate domain name check and an intermediate certificate status check on each intermediate certificate; if all of these checks pass, the intermediate certificate validity check passes; otherwise, the intermediate certificate validity check fails;
if the number and positions of the certificates in the certificate chain are correct, the certificate chain check passes; otherwise, the certificate chain check fails;
if the validity period check, the domain name check, the certificate status check, the intermediate certificate validity check and the certificate chain check all pass, the certificate validity detection result of the server certificate is a pass; otherwise, the detection fails.
7. The server certificate application risk detection method according to any one of claims 1 to 6, wherein said determining a detection order of certificate security detection, certificate vulnerability detection, certificate compliance detection, and certificate validity detection includes:
Acquiring a first weight of the certificate security detection, a second weight of the certificate vulnerability detection, a third weight of the certificate compliance detection and a fourth weight of the certificate validity detection, wherein the first weight, the second weight, the third weight and the fourth weight are the same;
Acquiring a security score of the issuing authority corresponding to the server certificate, and increasing the first weight by a first preset value if the security score is lower than a first preset score;
Obtaining a vulnerability score of the certificate applicant, and increasing the second weight by a second preset value if the vulnerability score is lower than a second preset score, wherein the vulnerability score is the ratio of the number of passed checks to the total number of checks in the certificate vulnerability detection of the server certificates applied for by the certificate applicant within a preset time;
If the issuing authority comprises at least one intermediate certificate issuing authority, obtaining the intermediate security score corresponding to each intermediate certificate issuing authority, and increasing the third weight by a third preset value if the average of the intermediate security scores is lower than a third preset score, wherein the intermediate security score is the ratio of the number of passed checks to the total number of checks of the intermediate certificate issuing authority in its historical checks;
and arranging the first weight, the second weight, the third weight and the fourth weight in descending order to obtain the detection order.
8. A server certificate application risk detection apparatus, comprising:
A data acquisition module, configured to obtain a server certificate to be detected, and to obtain a fourth parameter set, a second parameter set, a first parameter set and a third parameter set, wherein the first parameter set at least comprises: a certificate validity period and server certificate configuration environment parameters; the second parameter set at least comprises: a certificate encryption algorithm identifier and the server certificate configuration environment parameters; the third parameter set at least comprises: the certificate validity period, a certificate subject identifier and the certificate encryption algorithm identifier; and the fourth parameter set at least comprises: the certificate validity period, the certificate subject identifier and the server certificate configuration environment parameters;
A detection order determination module, configured to determine a detection order of certificate security detection, certificate vulnerability detection, certificate compliance detection and certificate validity detection;
A detection module, configured to perform the detections one by one in the detection order to obtain detection results, performing certificate security detection according to the first parameter set, certificate vulnerability detection according to the second parameter set, certificate compliance detection according to the third parameter set and certificate validity detection according to the fourth parameter set, and to generate a detection report of the server certificate from the detection results.
9. An electronic device comprising a memory storing a computer program and a processor implementing the server certificate application risk detection method of any one of claims 1 to 7 when the computer program is executed by the processor.
10. A storage medium storing a computer program, wherein the computer program when executed by a processor implements the server certificate application risk detection method of any one of claims 1 to 7.
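The weight adjustment and ordering at the end of claim 7, combined with the per-detection parameter sets of claim 8, can be sketched as follows. This is an added example, not code from the patent: the mapping of the first to fourth weights onto the four detections, the zero score for an authority with no history, the field names, the sample certificate and the check policies are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# ASSUMPTION: the first..fourth weights map to the detections in this order.
DETECTIONS = ("security", "vulnerability", "compliance", "validity")
PARAM_SETS = {  # fields of the first..fourth parameter sets listed in claim 8
    "security": ("validity_period", "config_env"),
    "vulnerability": ("algorithm_id", "config_env"),
    "compliance": ("validity_period", "subject_id", "algorithm_id"),
    "validity": ("validity_period", "subject_id", "config_env"),
}

@dataclass
class IntermediateCA:
    name: str
    passed: int  # inspections passed in the historical record
    total: int   # total inspections in the historical record
    def score(self) -> float:
        # ASSUMPTION: an authority with no history scores 0.0 (least trusted).
        return self.passed / self.total if self.total else 0.0

def detection_order(weights, intermediates, third_preset_score, third_preset_value):
    """Sort the four detections by weight, largest first."""
    w = dict(zip(DETECTIONS, weights))
    if intermediates:
        avg = sum(ca.score() for ca in intermediates) / len(intermediates)
        if avg < third_preset_score:
            w[DETECTIONS[2]] += third_preset_value  # raise the third weight
    return sorted(w, key=lambda name: -w[name])     # stable for equal weights

def run_detections(cert, order, checks):
    """Run each check in order, handing it only its own parameter set."""
    report = []
    for name in order:
        params = {field: cert[field] for field in PARAM_SETS[name]}
        report.append({"detection": name, "inputs": sorted(params),
                       "passed": checks[name](params)})
    return report

# Constructed sample certificate and placeholder check policies.
SAMPLE_CERT = {"validity_period": (date(2024, 1, 1), date(2025, 1, 1)),
               "subject_id": "CN=example.test",
               "algorithm_id": "sha1WithRSAEncryption",
               "config_env": {"tls_min_version": (1, 2)}}
SAMPLE_CHECKS = {
    "security": lambda p: p["config_env"]["tls_min_version"] >= (1, 2),
    "vulnerability": lambda p: not p["algorithm_id"].startswith(("md5", "sha1")),
    "compliance": lambda p: (p["validity_period"][1] - p["validity_period"][0]).days <= 398,
    "validity": lambda p: p["validity_period"][0] < p["validity_period"][1],
}
```

With a poor intermediate history, the third detection moves to the front of the order, and each entry in the report lists exactly which fields that detection was given.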
CN202410589504.5A 2024-05-13 2024-05-13 Method, device, equipment and storage medium for detecting risk of server certificate application Pending CN118153024A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410589504.5A CN118153024A (en) 2024-05-13 2024-05-13 Method, device, equipment and storage medium for detecting risk of server certificate application

Publications (1)

Publication Number Publication Date
CN118153024A (en) 2024-06-07

Family

ID=91290637

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination