• Home
Name Date Size #Lines LOC

..--

common/12-May-2024-296180

figures/12-May-2024-

frameworks/12-May-2024-1,561994

interfaces/inner_api/12-May-2024-17349

sa_profile/12-May-2024-6458

services/12-May-2024-1,3931,014

test/12-May-2024-3,7052,442

CODEOWNERSD12-May-20241.2 KiB2018

LICENSED12-May-20249.9 KiB177150

OAT.xmlD12-May-2024990 2510

README.mdD12-May-20244.3 KiB7444

README_ZH.mdD12-May-20243.9 KiB8050

bundle.jsonD12-May-20242.1 KiB7675

hisysevent.yamlD12-May-2024880 206

README.md

1# PIN Authentication (pinauth)
2
3
4## Introduction
5
6The PIN authentication (pinauth) module supports the setting, deletion, and authentication of user PINs. Working with the User IAM subsystem framework, the pinauth module supports PIN change.
7
8pinauth is one of the basic user identity authentication executors of OpenHarmony. It registers PIN authentication resource information with the collaborative authentication framework based on the resource registration interface defined by collaborative authentication, and implements PIN setting, deletion, and authentication based on the scheduling of the collaborative authentication framework.
9
10**Figure 1** pinauth architecture
11
12<img src="figures/pinauth_architecture.png" alt="pinauth_architecture" style="zoom:80%;" />
13
14
15
16PINs are core assets in the system. The following security measures are taken in PIN authentication for security purposes:
17
18- The PIN input user interface (currently including the PIN setting and PIN authentication dialog boxes) is provided by system applications (<sup>NOTE 1</sup>). The dialog boxes involved in user settings are provided by the **Settings** application, and the PIN input dialog boxes involved in the screen unlock authentication are provided by the **Lock screen** application.
19- Password data transmission: The raw PIN data is not transmitted across devices. After a user PIN is entered in the PIN input dialog box, the raw PIN data entered is transmitted to the pinauth Service ability only after unidirectional processing in the input model management innerAPI.
20- Secure storage and comparison of PIN data: The pinauth HDI defines the adaptation interfaces for device vendors. Device vendors can implement secure PIN comparison and storage in a TEE. <sup>NOTE 2</sup>
21
22**NOTE 1**: To implement the PIN input dialog box, the application needs to register the PIN input dialog box with the pinauth Service ability through the input dialog box management API. The input box management API requires a high-level access permission and can be invoked only by system users.
23
24**NOTE 2**: The OpenHarmony framework provides pure software implementation of PIN authentication for developers to demonstrate the PIN authentication function. The pure software implementation does not include the secure storage capability.
25
26## Directory Structure
27
28```undefined
29//base/useriam/pin_auth
30├── frameworks		    # Framework code
31├── interfaces		    # APIs exposed externally
32│   └── inner_api		# Header file exposed to internal subsystems for system abilities
33├── sa_profile		    # Service ability profile (configuration)
34├── services		    # Implementation fo the Service ability
35├── unittest		    # Directory for storing test code
36├── bundle.json			# Component description file
37└── pinauth.gni			# Build configuration
38```
39
40
41## Usage
42
43### Available APIs
44
45**Table 1** APIs for managing input dialog boxes
46
47| API | Description                            |
48| ------ | -------------------------------- |
49| function registerInputer(inputer:IInputer) : boolean; | Registers the **inputer** callback with the pinauth Service ability.  |
50| function unregisterInputer():void;                    | Unregisters the **inputer** callback from the pinauth Service ability.|
51
52**Table 2** APIs for transferring data
53
54| API| Description                      |
55| ------ | -------------------------------- |
56| onGetData: (callback:IInputData)=>void | **inputer** callback invoked by the pinauth Service ability to obtain the PIN data. |
57| onSetData: (pinSubType:AuthSubType, data:Uint8Array)=>void | **inputerdata** callback invoked to transfer the PIN data from the PIN input dialog box to the pinauth Service ability. |
58
59### Usage Guidelines
60
61The interfaces defined in **driver\interface\pin_auth\IExecutor.idl** must be implemented in a secure environment (trusted execution environment or security chip) to ensure protection of the highest security level on user PIN information.
62
63## Repositories Involved
64
65[useriam_user_auth_framework](https://gitee.com/openharmony/useriam_user_auth_framework)
66
67[useriam_face_auth](https://gitee.com/openharmony/useriam_face_auth)
68
69**[useriam_pin_auth](https://gitee.com/openharmony/useriam_pin_auth)**
70
71[drivers_peripheral](https://gitee.com/openharmony/drivers_peripheral)
72
73[drivers_interface](https://gitee.com/openharmony/drivers_interface)
74

README_ZH.md

1# 口令认证
2
3- [简介](#简介)
4- [目录](#目录)
5- [说明](#说明)
6  - [接口说明](#接口说明)
7  - [使用说明](#使用说明)
8- [相关仓](#相关仓)
9
10
11## 简介
12
13**口令认证**(pinauth)模块支持用户口令的设置,删除和认证功能。与用户IAM子系统基础框架配合,也可以支持用户口令修改的功能。
14
15口令认证作为OpenHarmony最基础的用户身份认证执行器,按照协同认证定义的资源注册接口,将口令认证相关资源信息注册到协同认证框架,并根据协同认证框架的调度,完成口令的设置,删除和认证功能。
16
17**图1** 口令认证架构图
18
19<img src="figures/口令认证架构图.png" alt="口令认证架构图" style="zoom:80%;" />
20
21
22
23用户口令是系统内的核心资产,在口令认证的处理过程中,我们对用户输入的口令信息实施了如下安全保护措施:
24
251. 口令输入界面(当前分为口令设置界面和口令认证界面)由系统级应用提供<sup>注1</sup>,在用户设置过程中涉及的界面均由设置应用提供,在用户锁屏认证过程中的口令输入界面由锁屏应用提供。
262. 口令数据传输:口令数据原文不跨设备传输,口令输入界面获取用户输入的口令数据原文后,在输入模型管理innerAPI内经过单向处理后才传入口令认证SA。
273. 口令数据安全存储和比对:口令认证HDI中定义了南向厂商适配的接口,南向厂商可以自行在可信执行环境内完成口令数据的安全存储的比对。<sup>注2</sup>
28
29*注1:应用实现口令输入界面,需要通过输入框管理接口,将口令输入界面注册到口令认证SA,输入框管理接口定义较高的访问权限,只允许系统用户调用。*
30
31*注2:OpenHarmony开源框架内提供了口令认证的纯软件实现,供开发者demo口令认证功能,纯软件实现部分未包含安全存储能力。*
32
33## 目录
34
35```undefined
36//base/useriam/pin_auth
37├── frameworks			# 框架代码
38├── interfaces			# 对外接口存放目录
39│   └── inner_api		# 对内部子系统暴露的头文件,供系统服务使用
40├── sa_profile			# Service Ability 配置文件
41├── services			# Service Ability 服务实现
42├── unittest			# 测试代码存入目录
43├── bundle.json			# 组件描述文件
44└── pinauth.gni			# 构建配置
45```
46
47
48## 说明
49
50### 接口说明
51
52**表1** 输入框管理接口
53
54| 接口名  | 描述                             |
55| ------ | -------------------------------- |
56| function registerInputer(inputer:IInputer) : boolean; | 口令输入框注册接口,通过此接口注册inputer回调到口令认证SA   |
57| function unregisterInputer():void;                    | 口令输入框反注册接口,通过此接口从口令认证SA删除inputer回调 |
58
59**表2** 数据获取和传输接口
60
61| 接口名 | 描述                       |
62| ------ | -------------------------------- |
63| onGetData: (callback:IInputData)=>void | inputer回调函数,口令认证SA调用此接口获取口令数据 |
64| onSetData: (pinSubType:AuthSubType, data:Uint8Array)=>void | inputerDate回调函数,口令输入界面通过此接口传输口令数据到口令认证SA |
65
66### 使用说明
67
68- 需在尽可能安全的环境中实现头文件```driver\interface\pin_auth\IExecutor.idl``` 中定义的接口,保证用户口令相关信息的安全保护达到系统内可以提供的最高安全级别(可信执行环境/安全芯片)的保护。
69
70## 相关仓
71
72[useriam_user_auth_framework](https://gitee.com/openharmony/useriam_user_auth_framework)
73
74[useriam_face_auth](https://gitee.com/openharmony/useriam_face_auth)
75
76**[useriam_pin_auth](https://gitee.com/openharmony/useriam_pin_auth)**
77
78[drivers_peripheral](https://gitee.com/openharmony/drivers_peripheral)
79
80[drivers_interface](https://gitee.com/openharmony/drivers_interface)