| PKI, as a provider of underlying architecture about Internet security, focuses on the management of digital certificates. RSA is most widely adopted by a certificate internationally, however, with the rapid improvement of computing speed, the length of keys in cryptographic device is increasingly longer. Under the circumstance of providing the same degree of safety, the length of keys needed in ECC is much shorter than that of RSA; meanwhile, based on the theory of Elliptic Curves Cryptography, researchers in our country have independently designed a commercial cryptograph algorithm, named SM2. With the growing importance of information security, its commercial value will have be gradually recognized and certificates adopting algorithms of SM2 will be increasingly popular. Therefore, the revocation and verification of certificates generated by SM2 will be an important task of PKI system.The traditional way to obtain a certificate's validity is CRL(Certificate Revocation List), but it has an intrinsically disadvantage and a pure improvement of CRL is still unable to overcome the deficiencies. With the rapid development of network transactions, CRL has been unable to satisfy the requirements of real-time transactions. At this time, OCSP(Online Certificate Status Protocol) as a real-time certificate status query protocol, has the ability to help the users to obtain the status of the certificates.In this paper, the extension of cryptograph device supporting SM2 is implemented through the open source library Open SSL. Based on this, a certificate status query system is designed and implemented and this system has the characteristics of easy maintenance, reusability, extensibility and generality. This essay has used a module thinking mode and divided the total system into three relative parts, including responder, cryptographic computation module and CRSA(Certificate Revocation Status Administrator). Through this way, an extensibility and reusability of code has been improved.Besides, the responder module is designed using the popular Apache sever. Four aspects of this module has been achieved including the design of OCSP module data structure, the server configuration structure, hooks(incuding content generator hook) and the configuration directives. In this paper, the OCSP sever is built on the mainstream web server in order to meet the massive high concurrent online certificate query requests.The module of cryptographic computation adopts a cryptographic device that supports an SM2 algorithm. This device provides a set of standard interface which meets the national specifications. By means of dynamic engine mechanism of Open SSL, cryptograph device could be called through Open SSL. Open SSL has provided a universal interface in order to improve the independency of computation. When a certificate's query result is obtained from certificate revocation list, common interfaces(EVP) can be invoked to sign the query result.Modules of CRSA, manage the revoked certificates. It has finished mainly four areas such as reading the configuration file, connecting and certifying of LDAP, acquiring CRL from remote URL, building and modifying the time entry and the certificate revocation entry. This module is able to run transparently in relative to the responder, reducing the burden of the server.Finally, some advantages and shortcomings have been discussed. On the basis of this, several aspects of this system have been prospected to improve the system. It is expected further improvement would be made for the system. |
PDF Full Text Request