1# 用户身份认证访问控制开发指导 2 3 4场景介绍及相关概念说明请参考[用户身份认证访问控制简介](huks-identity-authentication-overview.md)。 5 6 7## 开发步骤 8 91. 生成密钥,指定指纹访问控制类型及相关属性。 10 生成或导入密钥时,在密钥属性集中需指定三个参数:用户认证类型[HuksUserAuthType](../../reference/apis-universal-keystore-kit/js-apis-huks.md#huksuserauthtype9)、授权访问类型[HuksAuthAccessType](../../reference/apis-universal-keystore-kit/js-apis-huks.md#huksauthaccesstype9)、挑战值类型[HuksChallengeType](../../reference/apis-universal-keystore-kit/js-apis-huks.md#hukschallengetype9)。 11 12 ```ts 13 import huks from '@ohos.security.huks'; 14 import { BusinessError } from '@ohos.base'; 15 /* 16 * 确定密钥别名和封装密钥属性参数集 17 */ 18 let keyAlias = 'test_sm4_key_alias'; 19 let properties: Array<huks.HuksParam> = new Array(); 20 properties[0] = { 21 tag: huks.HuksTag.HUKS_TAG_ALGORITHM, 22 value: huks.HuksKeyAlg.HUKS_ALG_SM4, 23 } 24 properties[1] = { 25 tag: huks.HuksTag.HUKS_TAG_PURPOSE, 26 value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_ENCRYPT | huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_DECRYPT, 27 } 28 properties[2] = { 29 tag: huks.HuksTag.HUKS_TAG_KEY_SIZE, 30 value: huks.HuksKeySize.HUKS_SM4_KEY_SIZE_128, 31 } 32 properties[3] = { 33 tag: huks.HuksTag.HUKS_TAG_BLOCK_MODE, 34 value: huks.HuksCipherMode.HUKS_MODE_CBC, 35 } 36 properties[4] = { 37 tag: huks.HuksTag.HUKS_TAG_PADDING, 38 value: huks.HuksKeyPadding.HUKS_PADDING_NONE, 39 } 40 // 指定密钥身份认证的类型:指纹 41 properties[5] = { 42 tag: huks.HuksTag.HUKS_TAG_USER_AUTH_TYPE, 43 value: huks.HuksUserAuthType.HUKS_USER_AUTH_TYPE_FINGERPRINT 44 } 45 // 指定密钥安全授权的类型(失效类型):新录入生物特征(指纹)后无效 46 properties[6] = { 47 tag: huks.HuksTag.HUKS_TAG_KEY_AUTH_ACCESS_TYPE, 48 value: huks.HuksAuthAccessType.HUKS_AUTH_ACCESS_INVALID_NEW_BIO_ENROLL 49 } 50 // 指定挑战值的类型:默认类型 51 properties[7] = { 52 tag: huks.HuksTag.HUKS_TAG_CHALLENGE_TYPE, 53 value: huks.HuksChallengeType.HUKS_CHALLENGE_TYPE_NORMAL 54 } 55 let huksOptions : huks.HuksOptions = { 56 properties: properties, 57 inData: new Uint8Array(new Array()) 58 } 59 /* 60 * 生成密钥 61 */ 62 class throwObject { 63 isThrow:boolean = false 64 } 65 function generateKeyItem(keyAlias: string, huksOptions: huks.HuksOptions, throwObject: throwObject) { 66 return new Promise<void>((resolve, reject) => { 67 try { 68 huks.generateKeyItem(keyAlias, huksOptions, (error, data) => { 69 if (error) { 70 reject(error); 71 } else { 72 resolve(data); 73 } 74 }); 75 } catch (error) { 76 throwObject.isThrow = true; 77 throw(error as Error); 78 } 79 }); 80 } 81 async function publicGenKeyFunc(keyAlias:string, huksOptions:huks.HuksOptions) { 82 console.info(`enter promise generateKeyItem`); 83 let throwObject : throwObject = {isThrow: false}; 84 try { 85 await generateKeyItem(keyAlias, huksOptions, throwObject) 86 .then((data) => { 87 console.info(`promise: generateKeyItem success, data = ${JSON.stringify(data)}`); 88 }) 89 .catch((error : BusinessError) => { 90 if (throwObject.isThrow) { 91 throw(error as Error); 92 } else { 93 console.error(`promise: generateKeyItem failed` + error); 94 } 95 }); 96 } catch (error) { 97 console.error(`promise: generateKeyItem input arg invalid` + error); 98 } 99 } 100 async function TestGenKeyForFingerprintAccessControl() { 101 await publicGenKeyFunc(keyAlias, huksOptions); 102 } 103 ``` 104 1052. 初始化密钥会话,发起指纹认证获取认证令牌。 106 107 ```ts 108 import huks from '@ohos.security.huks'; 109 import userIAM_userAuth from '@ohos.userIAM.userAuth'; 110 import { BusinessError } from '@ohos.base'; 111 /* 112 * 确定密钥别名和封装密钥属性参数集 113 */ 114 let srcKeyAlias = 'test_sm4_key_alias'; 115 let handle : number; 116 let challenge : Uint8Array; 117 let fingerAuthToken : Uint8Array; 118 let authType = userIAM_userAuth.UserAuthType.FINGERPRINT; 119 let authTrustLevel = userIAM_userAuth.AuthTrustLevel.ATL1; 120 /* 集成生成密钥参数集 & 加密参数集 */ 121 let properties : Array<huks.HuksParam> = new Array(); 122 properties[0] = { 123 tag: huks.HuksTag.HUKS_TAG_ALGORITHM, 124 value: huks.HuksKeyAlg.HUKS_ALG_SM4, 125 } 126 properties[1] = { 127 tag: huks.HuksTag.HUKS_TAG_PURPOSE, 128 value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_ENCRYPT, 129 } 130 properties[2] = { 131 tag: huks.HuksTag.HUKS_TAG_KEY_SIZE, 132 value: huks.HuksKeySize.HUKS_SM4_KEY_SIZE_128, 133 } 134 properties[3] = { 135 tag: huks.HuksTag.HUKS_TAG_BLOCK_MODE, 136 value: huks.HuksCipherMode.HUKS_MODE_CBC, 137 } 138 properties[4] = { 139 tag: huks.HuksTag.HUKS_TAG_PADDING, 140 value: huks.HuksKeyPadding.HUKS_PADDING_NONE, 141 } 142 properties[5] = { 143 tag: huks.HuksTag.HUKS_TAG_IV, 144 value: StringToUint8Arry(IV), 145 } 146 let huksOptions : huks.HuksOptions = { 147 properties: properties, 148 inData: new Uint8Array(new Array()) 149 } 150 class throwObject { 151 isThrow:boolean=false 152 } 153 function initSession(keyAlias:string, huksOptions:huks.HuksOptions, throwObject:throwObject) { 154 return new Promise<huks.HuksSessionHandle>((resolve, reject) => { 155 try { 156 huks.initSession(keyAlias, huksOptions, (error, data) =>{ 157 if (error) { 158 reject(error); 159 } else { 160 resolve(data); 161 } 162 }); 163 } catch (error) { 164 throwObject.isThrow = true; 165 throw(error as Error); 166 } 167 }); 168 } 169 async function publicInitFunc(keyAlias:string, huksOptions:huks.HuksOptions) { 170 console.info(`enter promise doInit`); 171 let throwObject : throwObject = {isThrow: false}; 172 try { 173 await initSession(keyAlias, huksOptions, throwObject) 174 .then ((data) => { 175 console.info(`promise: doInit success, data = ${JSON.stringify(data)}`); 176 handle = data.handle; 177 challenge = data.challenge as Uint8Array; 178 }) 179 .catch((error : BusinessError) => { 180 if (throwObject.isThrow) { 181 throw(error as Error); 182 } else { 183 console.error(`promise: doInit failed` + error); 184 } 185 }); 186 } catch (error) { 187 console.error(`promise: doInit input arg invalid` + error); 188 } 189 } 190 function userIAMAuthFinger(huksChallenge:Uint8Array) { 191 // 获取认证对象 192 let authTypeList:userIAM_userAuth.UserAuthType[]= new Array(); 193 authTypeList[0] = authType; 194 const authParam:userIAM_userAuth.AuthParam = { 195 challenge: huksChallenge, 196 authType: authTypeList, 197 authTrustLevel: userIAM_userAuth.AuthTrustLevel.ATL1 198 }; 199 const widgetParam:userIAM_userAuth.WidgetParam = { 200 title: '请输入密码', 201 }; 202 let auth : userIAM_userAuth.UserAuthInstance; 203 try { 204 auth = userIAM_userAuth.getUserAuthInstance(authParam, widgetParam); 205 console.log("get auth instance success"); 206 } catch (error) { 207 console.error("get auth instance failed" + error); 208 return; 209 } 210 // 订阅认证结果 211 try { 212 auth.on("result", { 213 onResult(result) { 214 console.log("[HUKS] -> [IAM] userAuthInstance callback result = " + JSON.stringify(result)); 215 fingerAuthToken = result.token; 216 } 217 }); 218 console.log("subscribe authentication event success"); 219 } catch (error) { 220 console.error("subscribe authentication event failed " + error); 221 } 222 // 开始认证 223 try { 224 auth.start(); 225 console.info("authV9 start auth success"); 226 } catch (error) { 227 console.error("authV9 start auth failed, error = " + error); 228 } 229 } 230 async function testInitAndAuthFinger() { 231 /* 初始化密钥会话获取挑战值 */ 232 await publicInitFunc(srcKeyAlias, huksOptions); 233 /* 调用userIAM进行身份认证 */ 234 userIAMAuthFinger(challenge); 235 } 236 ``` 237 2383. 传入认证令牌进行数据操作。 239 240 ```ts 241 /* 242 * 以下以SM4 128密钥为例 243 */ 244 import huks from '@ohos.security.huks'; 245 import { BusinessError } from '@ohos.base'; 246 /* 247 * 确定封装密钥属性参数集 248 */ 249 let IV = '1234567890123456'; 250 let cipherInData = 'Hks_SM4_Cipher_Test_101010101010101010110_string'; 251 let handle: number; 252 let fingerAuthToken: Uint8Array; 253 let finishOutData: Uint8Array; 254 class throwObject { 255 isThrow: boolean = false; 256 } 257 /* 集成生成密钥参数集 & 加密参数集 */ 258 class propertyEncryptType { 259 tag: huks.HuksTag = huks.HuksTag.HUKS_TAG_ALGORITHM; 260 value: huks.HuksKeyAlg | huks.HuksKeyPurpose | huks.HuksKeySize | huks.HuksKeyPadding | huks.HuksCipherMode 261 | Uint8Array = huks.HuksKeyAlg.HUKS_ALG_SM4; 262 } 263 let propertiesEncrypt: propertyEncryptType[] = [ 264 { 265 tag: huks.HuksTag.HUKS_TAG_ALGORITHM, 266 value: huks.HuksKeyAlg.HUKS_ALG_SM4, 267 }, 268 { 269 tag: huks.HuksTag.HUKS_TAG_PURPOSE, 270 value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_ENCRYPT, 271 }, 272 { 273 tag: huks.HuksTag.HUKS_TAG_KEY_SIZE, 274 value: huks.HuksKeySize.HUKS_SM4_KEY_SIZE_128, 275 }, 276 { 277 tag: huks.HuksTag.HUKS_TAG_PADDING, 278 value: huks.HuksKeyPadding.HUKS_PADDING_NONE, 279 }, 280 { 281 tag: huks.HuksTag.HUKS_TAG_BLOCK_MODE, 282 value: huks.HuksCipherMode.HUKS_MODE_CBC, 283 }, 284 { 285 tag: huks.HuksTag.HUKS_TAG_IV, 286 value: StringToUint8Array(IV), 287 } 288 ] 289 let encryptOptions: huks.HuksOptions = { 290 properties: propertiesEncrypt, 291 inData: new Uint8Array(new Array()) 292 } 293 function StringToUint8Array(str: string) { 294 let arr: number[] = []; 295 for (let i = 0, j = str.length; i < j; ++i) { 296 arr.push(str.charCodeAt(i)); 297 } 298 return new Uint8Array(arr); 299 } 300 function updateSession(handle: number, huksOptions: huks.HuksOptions, token: Uint8Array, throwObject: throwObject) { 301 return new Promise<huks.HuksReturnResult>((resolve, reject) => { 302 try { 303 huks.updateSession(handle, huksOptions, token, (error, data) => { 304 if (error) { 305 reject(error); 306 } else { 307 resolve(data); 308 } 309 }); 310 } catch (error) { 311 throwObject.isThrow = true; 312 throw(error as Error); 313 } 314 }); 315 } 316 async function publicUpdateFunc(handle: number, token: Uint8Array, huksOptions: huks.HuksOptions) { 317 console.info(`enter promise doUpdate`); 318 let throwObject: throwObject = {isThrow: false}; 319 try { 320 await updateSession(handle, huksOptions, token, throwObject) 321 .then ((data) => { 322 console.info(`promise: doUpdate success, data = ${JSON.stringify(data)}`); 323 }) 324 .catch((error: BusinessError) => { 325 if (throwObject.isThrow) { 326 throw(error as Error); 327 } else { 328 console.error(`promise: doUpdate failed` + error); 329 } 330 }); 331 } catch (error) { 332 console.error(`promise: doUpdate input arg invalid` + error); 333 } 334 } 335 function finishSession(handle: number, huksOptions: huks.HuksOptions, token: Uint8Array, throwObject: throwObject) { 336 return new Promise<huks.HuksReturnResult>((resolve, reject) => { 337 try { 338 huks.finishSession(handle, huksOptions, token, (error, data) => { 339 if (error) { 340 reject(error); 341 } else { 342 resolve(data); 343 } 344 }); 345 } catch (error) { 346 throwObject.isThrow = true; 347 throw(error as Error); 348 } 349 }); 350 } 351 async function publicFinishFunc(handle: number, token: Uint8Array, huksOptions: huks.HuksOptions) { 352 console.info(`enter promise doFinish`); 353 let throwObject: throwObject = {isThrow: false}; 354 try { 355 await finishSession(handle, huksOptions, token, throwObject) 356 .then ((data) => { 357 finishOutData = data.outData as Uint8Array; 358 console.info(`promise: doFinish success, data = ${JSON.stringify(data)}`); 359 }) 360 .catch((error: BusinessError) => { 361 if (throwObject.isThrow) { 362 throw(error as Error); 363 } else { 364 console.error(`promise: doFinish failed` + error); 365 } 366 }); 367 } catch (error) { 368 console.error(`promise: doFinish input arg invalid` + error); 369 } 370 } 371 async function testSm4Cipher() { 372 encryptOptions.inData = StringToUint8Array(cipherInData); 373 /* 传入认证令牌 */ 374 await publicUpdateFunc(handle, fingerAuthToken, encryptOptions); 375 /* 传入认证令牌 */ 376 await publicFinishFunc(handle, fingerAuthToken, encryptOptions); 377 if (finishOutData === StringToUint8Array(cipherInData)) { 378 console.info('test finish encrypt err '); 379 } else { 380 console.info('test finish encrypt success'); 381 } 382 } 383 ``` 384