# @ohos.security.huks (Universal Keystore)

The **HUKS** module provides KeyStore (KS) capabilities, including key management and cryptographic operations, for applications.
The keys managed by OpenHarmony Universal KeyStore (HUKS) can be imported by applications or generated by calling the HUKS APIs.

> **NOTE**
>
> The initial APIs of this module are supported since API version 8. Newly added APIs will be marked with a superscript to indicate their earliest API version.

## Modules to Import

```ts
import { huks } from '@kit.UniversalKeystoreKit';
```

## HuksParam

Defines the **param** field in the **properties** array of **options** used in the APIs.

**System capability**: SystemCapability.Security.Huks.Core

| Name| Type | Mandatory| Description |
| ------ | ----------------------------------- | ---- | ------------ |
| tag | [HuksTag](#hukstag) | Yes | Tag.<br>**Atomic service API**: This API can be used in atomic services since API version 11. |
| value | boolean\|number\|bigint\|Uint8Array | Yes | Value of the tag.<br>**Atomic service API**: This API can be used in atomic services since API version 11.|

## HuksOptions

Defines **options** used in the APIs.

**System capability**: SystemCapability.Security.Huks.Core

| Name | Type | Mandatory| Description |
| ---------- | ----------------- | ---- | ------------------------ |
| properties | Array\<[HuksParam](#huksparam)> | No | Properties used to hold the **HuksParam** array.<br>**Atomic service API**: This API can be used in atomic services since API version 11.|
| inData | Uint8Array | No | Input data.<br>**Atomic service API**: This API can be used in atomic services since API version 11. |

## HuksSessionHandle<sup>9+</sup>

Defines the struct for a HUKS handle.

**System capability**: SystemCapability.Security.Huks.Core

| Name | Type | Mandatory| Description |
| --------- | ---------- | ---- | ---------------------------------------------------- |
| handle | number | Yes | Handle of the unsigned integer type.<br>**Atomic service API**: This API can be used in atomic services since API version 11. |
| challenge | Uint8Array | No | Challenge obtained after the [initSession](#huksinitsession9) operation.<br>**Atomic service API**: This API can be used in atomic services since API version 11.|

## HuksReturnResult<sup>9+</sup>

Represents the result returned.

**System capability**: SystemCapability.Security.Huks.Core

| Name | Type | Mandatory| Description |
| ---------- | ------------------------------- | ---- | ---------------- |
| outData | Uint8Array | No | Output data.<br>**Atomic service API**: This API can be used in atomic services since API version 11. |
| properties | Array\<[HuksParam](#huksparam)> | No | Property information.<br>**Atomic service API**: This API can be used in atomic services since API version 11. |
| certChains | Array\<string> | No | Certificate chain information.<br>**Atomic service API**: This API can be used in atomic services since API version 12.|

## HuksListAliasesReturnResult<sup>12+</sup>

Represents the result returned.

**System capability**: SystemCapability.Security.Huks.Extension

| Name | Type | Mandatory| Description |
| ---------- | ------------------------------- | ---- | ---------------- |
| keyAliases | Array\<string> | Yes | Array of key aliases.<br>**Atomic service API**: This API can be used in atomic services since API version 12.|

## huks.generateKeyItem<sup>9+</sup>

generateKeyItem(keyAlias: string, options: HuksOptions, callback: AsyncCallback\<void>) : void

Generates a key. This API uses an asynchronous callback to return the result.

**Atomic service API**: This API can be used in atomic services since API version 11.

**System capability**: SystemCapability.Security.Huks.Core

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | --------------------------- | ---- | --------------------------------------------- |
| keyAlias | string | Yes | Alias of the key. The value can contain up to 128 bytes and should not include sensitive data such as personal information. |
| options | [HuksOptions](#huksoptions) | Yes | Tags required for generating the key. The algorithm, key purpose, and key length are mandatory.|
| callback | AsyncCallback\<void> | Yes | Callback used to return the result.<br>If the operation is successful, this API does not return the key content because the key is always protected in a TEE.<br>If an exception occurs in the generation process, an error is captured.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000001 | algorithm mode is not supported. |
| 12000002 | algorithm param is missing. |
| 12000003 | algorithm param is invalid. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000013 | queried credential does not exist. |
| 12000014 | memory is insufficient. |
| 12000015 | Failed to obtain the security information via UserIAM. |
| 12000017 | The key with same alias is already exist. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Generate a 256-bit ECC key. */
let keyAlias: string = 'keyAlias';
/* Algorithm, key size, and purpose are the mandatory tags for key generation. */
let properties: Array<huks.HuksParam> = [
  { tag: huks.HuksTag.HUKS_TAG_ALGORITHM, value: huks.HuksKeyAlg.HUKS_ALG_ECC },
  { tag: huks.HuksTag.HUKS_TAG_KEY_SIZE, value: huks.HuksKeySize.HUKS_ECC_KEY_SIZE_256 },
  {
    tag: huks.HuksTag.HUKS_TAG_PURPOSE,
    value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_SIGN | huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_VERIFY
  },
  { tag: huks.HuksTag.HUKS_TAG_DIGEST, value: huks.HuksKeyDigest.HUKS_DIGEST_SHA256 },
];
let options: huks.HuksOptions = {
  properties: properties
};
huks.generateKeyItem(keyAlias, options, (error, data) => {
  if (error) {
    console.error(`callback: generateKeyItem failed`);
  } else {
    console.info(`callback: generateKeyItem key success`);
  }
});
```

## huks.generateKeyItem<sup>9+</sup>

generateKeyItem(keyAlias: string, options: HuksOptions) : Promise\<void>

Generates a key. This API uses a promise to return the result.
Because the key is always protected in a trusted environment (such as a TEE), the promise does not return the key content. It returns only the information indicating whether the API is successfully called.

**Atomic service API**: This API can be used in atomic services since API version 11.

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | --------------------------- | ---- | ------------------------ |
| keyAlias | string | Yes | Alias of the key. The value can contain up to 128 bytes and should not include sensitive data such as personal information. |
| options | [HuksOptions](#huksoptions) | Yes | Tags required for generating the key. The algorithm, key purpose, and key length are mandatory.|

**Return value**

| Type | Description |
| ---------------------------------------------- | --------------------------------------------- |
| Promise\<void> | Promise that returns no value.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000001 | algorithm mode is not supported. |
| 12000002 | algorithm param is missing. |
| 12000003 | algorithm param is invalid. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000013 | queried credential does not exist. |
| 12000014 | memory is insufficient. |
| 12000015 | Failed to obtain the security information via UserIAM. |
| 12000017 | The key with same alias is already exist. |

**Example**

```ts
/* Generate a 256-bit ECC key. */
import { huks } from '@kit.UniversalKeystoreKit';

let keyAlias = 'keyAlias';
let properties: Array<huks.HuksParam> = [
  { tag: huks.HuksTag.HUKS_TAG_ALGORITHM, value: huks.HuksKeyAlg.HUKS_ALG_ECC },
  { tag: huks.HuksTag.HUKS_TAG_KEY_SIZE, value: huks.HuksKeySize.HUKS_ECC_KEY_SIZE_256 },
  {
    tag: huks.HuksTag.HUKS_TAG_PURPOSE,
    value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_SIGN | huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_VERIFY
  },
  { tag: huks.HuksTag.HUKS_TAG_DIGEST, value: huks.HuksKeyDigest.HUKS_DIGEST_SHA256 },
];
let options: huks.HuksOptions = {
  properties: properties
};
huks.generateKeyItem(keyAlias, options)
  .then((data) => {
    console.info(`promise: generateKeyItem success`);
  });
```

## huks.deleteKeyItem<sup>9+</sup>

deleteKeyItem(keyAlias: string, options: HuksOptions, callback: AsyncCallback\<void>) : void

Deletes a key. This API uses an asynchronous callback to return the result.

**Atomic service API**: This API can be used in atomic services since API version 11.

**System capability**: SystemCapability.Security.Huks.Core

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | --------------------------- | ---- | --------------------------------------------- |
| keyAlias | string | Yes | Alias of the key to delete. It must be the key alias passed in when the key was generated. |
| options | [HuksOptions](#huksoptions) | Yes | Attribute of the key to be deleted. If [HuksAuthStorageLevel](#huksauthstoragelevel11) is used to specify the security level of the key to be deleted, this parameter can be left empty. If the API version is 12 or later, the default value **CE** is passed in. If the API version is earlier than 12, the default value **DE** is passed in. |
| callback | AsyncCallback\<void> | Yes | Callback used to return the result. If the operation is successful, no **err** value is returned; otherwise, an error code is returned.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Set options to emptyOptions. */
let keyAlias = 'keyAlias';
let emptyOptions: huks.HuksOptions = {
  properties: []
};
huks.deleteKeyItem(keyAlias, emptyOptions, (error, data) => {
  if (error) {
    console.error(`callback: deleteKeyItem failed`);
  } else {
    console.info(`callback: deleteKeyItem key success`);
  }
});
```

## huks.deleteKeyItem<sup>9+</sup>

deleteKeyItem(keyAlias: string, options: HuksOptions) : Promise\<void>

Deletes a key. This API uses a promise to return the result.

**Atomic service API**: This API can be used in atomic services since API version 11.

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | --------------------------- | ---- | ----------------------------------- |
| keyAlias | string | Yes | Alias of the key to delete. It must be the key alias passed in when the key was generated.|
| options | [HuksOptions](#huksoptions) | Yes | Attribute tag of the key to be deleted. If [HuksAuthStorageLevel](#huksauthstoragelevel11) is used to specify the security level of the key to be deleted, this parameter can be left empty. If the API version is 12 or later, the default value **CE** is passed in. If the API version is earlier than 12, the default value **DE** is passed in. |

**Return value**

| Type | Description |
| ---------------------------------------------- | --------------------------------------------- |
| Promise\<void> | Promise that returns no value.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Set options to emptyOptions. */
let keyAlias = 'keyAlias';
let emptyOptions: huks.HuksOptions = {
  properties: []
};
huks.deleteKeyItem(keyAlias, emptyOptions)
  .then((data) => {
    console.info(`promise: deleteKeyItem key success`);
  });
```

## huks.importKeyItem<sup>9+</sup>

importKeyItem(keyAlias: string, options: HuksOptions, callback: AsyncCallback\<void>) : void

Imports a key in plaintext. This API uses an asynchronous callback to return the result.

**Atomic service API**: This API can be used in atomic services since API version 11.

**System capability**: SystemCapability.Security.Huks.Core

The system capability is **SystemCapability.Security.Huks.Extension** in API versions 9 to 11, and **SystemCapability.Security.Huks.Core** since API version 12.

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | --------------------------- | ---- | --------------------------------------------- |
| keyAlias | string | Yes | Alias of the key. The value can contain up to 128 bytes and should not include sensitive data such as personal information. |
| options | [HuksOptions](#huksoptions) | Yes | Tags required for the import and key to import. The algorithm, key purpose, and key length are mandatory.|
| callback | AsyncCallback\<void> | Yes | Callback used to return the result. If the operation is successful, no **err** value is returned; otherwise, an error code is returned.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000001 | algorithm mode is not supported. |
| 12000002 | algorithm param is missing. |
| 12000003 | algorithm param is invalid. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000013 | queried credential does not exist. |
| 12000014 | memory is insufficient. |
| 12000015 | Failed to obtain the security information via UserIAM. |
| 12000017 | The key with same alias is already exist. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Import a 256-bit AES key. */
/* Demo key material only: Math.random() is not a cryptographically secure source of key bytes. */
let plainTextSize32 = makeRandomArr(32);

function makeRandomArr(size: number) {
  let arr = new Uint8Array(size);
  for (let i = 0; i < size; i++) {
    arr[i] = Math.floor(Math.random() * 10);
  }
  return arr;
};

let keyAlias = 'keyAlias';
let properties: Array<huks.HuksParam> = [
  { tag: huks.HuksTag.HUKS_TAG_ALGORITHM, value: huks.HuksKeyAlg.HUKS_ALG_AES },
  { tag: huks.HuksTag.HUKS_TAG_KEY_SIZE, value: huks.HuksKeySize.HUKS_AES_KEY_SIZE_256 },
  {
    tag: huks.HuksTag.HUKS_TAG_PURPOSE,
    value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_ENCRYPT | huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_DECRYPT
  },
  { tag: huks.HuksTag.HUKS_TAG_PADDING, value: huks.HuksKeyPadding.HUKS_PADDING_PKCS7 },
  { tag: huks.HuksTag.HUKS_TAG_BLOCK_MODE, value: huks.HuksCipherMode.HUKS_MODE_ECB }
];
/* The plaintext key to import is passed in inData. */
let options: huks.HuksOptions = {
  properties: properties,
  inData: plainTextSize32
};
huks.importKeyItem(keyAlias, options, (error, data) => {
  if (error) {
    console.error(`callback: importKeyItem failed`);
  } else {
    console.info(`callback: importKeyItem success`);
  }
});
```

## huks.importKeyItem<sup>9+</sup>

importKeyItem(keyAlias: string, options: HuksOptions) : Promise\<void>

Imports a key in plaintext. This API uses a promise to return the result.

**Atomic service API**: This API can be used in atomic services since API version 11.

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | --------------------------- | ---- | ----------------------------------- |
| keyAlias | string | Yes | Alias of the key. The value can contain up to 128 bytes and should not include sensitive data such as personal information. |
| options | [HuksOptions](#huksoptions) | Yes | Tags required for the import and key to import. The algorithm, key purpose, and key length are mandatory.|

**Return value**

| Type | Description |
| ---------------------------------------------- | --------------------------------------------- |
| Promise\<void> | Promise that returns no value.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000001 | algorithm mode is not supported. |
| 12000002 | algorithm param is missing. |
| 12000003 | algorithm param is invalid. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000013 | queried credential does not exist. |
| 12000014 | memory is insufficient. |
| 12000015 | Failed to obtain the security information via UserIAM. |
| 12000017 | The key with same alias is already exist. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Import an AES key of 256 bits. */
/* Demo key material only: Math.random() is not a cryptographically secure source of key bytes. */
let plainTextSize32 = makeRandomArr(32);

function makeRandomArr(size: number) {
  let arr = new Uint8Array(size);
  for (let i = 0; i < size; i++) {
    arr[i] = Math.floor(Math.random() * 10);
  }
  return arr;
};

/* Set the properties of the key to import. */
let keyAlias = 'keyAlias';
let properties: Array<huks.HuksParam> = [
  { tag: huks.HuksTag.HUKS_TAG_ALGORITHM, value: huks.HuksKeyAlg.HUKS_ALG_AES },
  { tag: huks.HuksTag.HUKS_TAG_KEY_SIZE, value: huks.HuksKeySize.HUKS_AES_KEY_SIZE_256 },
  {
    tag: huks.HuksTag.HUKS_TAG_PURPOSE,
    value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_ENCRYPT | huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_DECRYPT
  },
  { tag: huks.HuksTag.HUKS_TAG_PADDING, value: huks.HuksKeyPadding.HUKS_PADDING_PKCS7 },
  { tag: huks.HuksTag.HUKS_TAG_BLOCK_MODE, value: huks.HuksCipherMode.HUKS_MODE_ECB }
];
let huksOptions: huks.HuksOptions = {
  properties: properties,
  inData: plainTextSize32
};
huks.importKeyItem(keyAlias, huksOptions)
  .then((data) => {
    console.info(`promise: importKeyItem success`);
  });
```

## huks.attestKeyItem<sup>9+</sup>

attestKeyItem(keyAlias: string, options: HuksOptions, callback: AsyncCallback\<HuksReturnResult>) : void

Obtains the certificate used to attest a key. This API uses an asynchronous callback to return the result.

**Required permissions**: ohos.permission.ATTEST_KEY (available only for system applications)

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ---------------------------------------------------- | ---- | --------------------------------------------- |
| keyAlias | string | Yes | Alias of the key. The certificate to be obtained stores the key. |
| options | [HuksOptions](#huksoptions) | Yes | Parameters and data required for obtaining the certificate. |
| callback | AsyncCallback<[HuksReturnResult](#huksreturnresult9)> | Yes | Callback used to return the result. If the operation is successful, no **err** value is returned; otherwise, an error code is returned.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 201 | check permission failed. |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000001 | algorithm mode is not supported. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

function stringToUint8Array(str: string) {
  let arr: number[] = [];
  for (let i = 0, j = str.length; i < j; ++i) {
    arr.push(str.charCodeAt(i));
  }
  let tmpUint8Array = new Uint8Array(arr);
  return tmpUint8Array;
}

/* Placeholder values for the attestation parameters. */
let securityLevel = stringToUint8Array('sec_level');
let challenge = stringToUint8Array('challenge_data');
let versionInfo = stringToUint8Array('version_info');
let keyAliasString = "key attest";

async function generateKeyThenAttestKey() {
  let aliasString = keyAliasString;
  let aliasUint8 = stringToUint8Array(aliasString);
  let generateProperties: Array<huks.HuksParam> = [
    { tag: huks.HuksTag.HUKS_TAG_ALGORITHM, value: huks.HuksKeyAlg.HUKS_ALG_RSA },
    { tag: huks.HuksTag.HUKS_TAG_KEY_SIZE, value: huks.HuksKeySize.HUKS_RSA_KEY_SIZE_2048 },
    { tag: huks.HuksTag.HUKS_TAG_PURPOSE, value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_VERIFY },
    { tag: huks.HuksTag.HUKS_TAG_DIGEST, value: huks.HuksKeyDigest.HUKS_DIGEST_SHA256 },
    { tag: huks.HuksTag.HUKS_TAG_PADDING, value: huks.HuksKeyPadding.HUKS_PADDING_PSS },
    { tag: huks.HuksTag.HUKS_TAG_KEY_GENERATE_TYPE, value: huks.HuksKeyGenerateType.HUKS_KEY_GENERATE_TYPE_DEFAULT },
    { tag: huks.HuksTag.HUKS_TAG_BLOCK_MODE, value: huks.HuksCipherMode.HUKS_MODE_ECB }
  ];
  let generateOptions: huks.HuksOptions = {
    properties: generateProperties
  };
  let attestProperties: Array<huks.HuksParam> = [
    { tag: huks.HuksTag.HUKS_TAG_ATTESTATION_ID_SEC_LEVEL_INFO, value: securityLevel },
    { tag: huks.HuksTag.HUKS_TAG_ATTESTATION_CHALLENGE, value: challenge },
    { tag: huks.HuksTag.HUKS_TAG_ATTESTATION_ID_VERSION_INFO, value: versionInfo },
    { tag: huks.HuksTag.HUKS_TAG_ATTESTATION_ID_ALIAS, value: aliasUint8 }
  ];
  let attestOptions: huks.HuksOptions = {
    properties: attestProperties
  };
  /* Generate the key first, then attest it once generation has succeeded. */
  huks.generateKeyItem(aliasString, generateOptions, (error, data) => {
    if (error) {
      console.error(`callback: generateKeyItem failed`);
    } else {
      console.info(`callback: generateKeyItem success`);
      huks.attestKeyItem(aliasString, attestOptions, (error, data) => {
        if (error) {
          console.error(`callback: attestKeyItem failed`);
        } else {
          console.info(`callback: attestKeyItem success`);
        }
      });
    }
  });
}
```

## huks.attestKeyItem<sup>9+</sup>

attestKeyItem(keyAlias: string, options: HuksOptions) : Promise\<HuksReturnResult>

Obtains the certificate used to verify a key. This API uses a promise to return the result.

**Required permissions**: ohos.permission.ATTEST_KEY (available only for system applications)

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | --------------------------- | ---- | ------------------------------------ |
| keyAlias | string | Yes | Alias of the key. The certificate to be obtained stores the key.|
| options | [HuksOptions](#huksoptions) | Yes | Parameters and data required for obtaining the certificate. |

**Return value**

| Type | Description |
| ---------------------------------------------- | --------------------------------------------- |
| Promise<[HuksReturnResult](#huksreturnresult9)> | Promise used to return the result. When the call is successful, the **certChains** member of **HuksReturnResult** is not empty, and the obtained certificate chain is returned.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 201 | check permission failed. |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000001 | algorithm mode is not supported. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

function stringToUint8Array(str: string) {
  let arr: number[] = [];
  for (let i = 0, j = str.length; i < j; ++i) {
    arr.push(str.charCodeAt(i));
  }
  let tmpUint8Array = new Uint8Array(arr);
  return tmpUint8Array;
}

/* Placeholder values for the attestation parameters. */
let securityLevel = stringToUint8Array('sec_level');
let challenge = stringToUint8Array('challenge_data');
let versionInfo = stringToUint8Array('version_info');
let keyAliasString = "key attest";

async function generateKey(alias: string) {
  let properties: Array<huks.HuksParam> = [
    { tag: huks.HuksTag.HUKS_TAG_ALGORITHM, value: huks.HuksKeyAlg.HUKS_ALG_RSA },
    { tag: huks.HuksTag.HUKS_TAG_KEY_SIZE, value: huks.HuksKeySize.HUKS_RSA_KEY_SIZE_2048 },
    { tag: huks.HuksTag.HUKS_TAG_PURPOSE, value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_VERIFY },
    { tag: huks.HuksTag.HUKS_TAG_DIGEST, value: huks.HuksKeyDigest.HUKS_DIGEST_SHA256 },
    { tag: huks.HuksTag.HUKS_TAG_PADDING, value: huks.HuksKeyPadding.HUKS_PADDING_PSS },
    { tag: huks.HuksTag.HUKS_TAG_KEY_GENERATE_TYPE, value: huks.HuksKeyGenerateType.HUKS_KEY_GENERATE_TYPE_DEFAULT },
    { tag: huks.HuksTag.HUKS_TAG_BLOCK_MODE, value: huks.HuksCipherMode.HUKS_MODE_ECB }
  ];
  let options: huks.HuksOptions = {
    properties: properties
  };
  await huks.generateKeyItem(alias, options)
    .then((data) => {
      console.info(`promise: generateKeyItem success`);
    });
}

async function attestKey() {
  let aliasString = keyAliasString;
  let aliasUint8 = stringToUint8Array(aliasString);
  let properties: Array<huks.HuksParam> = [
    { tag: huks.HuksTag.HUKS_TAG_ATTESTATION_ID_SEC_LEVEL_INFO, value: securityLevel },
    { tag: huks.HuksTag.HUKS_TAG_ATTESTATION_CHALLENGE, value: challenge },
    { tag: huks.HuksTag.HUKS_TAG_ATTESTATION_ID_VERSION_INFO, value: versionInfo },
    { tag: huks.HuksTag.HUKS_TAG_ATTESTATION_ID_ALIAS, value: aliasUint8 }
  ];
  let options: huks.HuksOptions = {
    properties: properties
  };
  /* Generate the key first, then attest it. */
  await generateKey(aliasString);
  await huks.attestKeyItem(aliasString, options)
    .then((data) => {
      console.info(`promise: attestKeyItem success`);
    });
}
```

## huks.anonAttestKeyItem<sup>11+</sup>

anonAttestKeyItem(keyAlias: string, options: HuksOptions, callback: AsyncCallback\<HuksReturnResult>) : void

Obtains the certificate for anonymous attestation. This API uses an asynchronous callback to return the result.

This operation requires Internet access and takes time. If error code 12000012 is returned, the network is abnormal. If the device is not connected to the network, display a message indicating that the network is not connected. If the network is connected, the failure may be caused by network jitter. Try again later.

**Atomic service API**: This API can be used in atomic services since API version 12.

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ---------------------------------------------------- | ---- | --------------------------------------------- |
| keyAlias | string | Yes | Alias of the key. The certificate to be obtained stores the key. |
| options | [HuksOptions](#huksoptions) | Yes | Parameters and data required for obtaining the certificate. |
| callback | AsyncCallback<[HuksReturnResult](#huksreturnresult9)> | Yes | Callback used to return the result. If the operation is successful, no **err** value is returned; otherwise, an error code is returned.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).
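
The handling described above for error code 12000012 from `anonAttestKeyItem` (report an offline device, retry later when the network is up), as an added example that is not part of the HUKS API or its documentation. The names `decideAction` and `anonAttestWithRetry`, the injected `attest`, `isOnline` and `sleep` callbacks, and the `{ code: number }` error shape are assumptions; retries are bounded because the error table lists the same code as "Device environment or input parameter abnormal", which a retry cannot fix.

```typescript
// Added example (hypothetical helper names); the error code value is the one listed on this page.
const HUKS_ERR_ENV_OR_INPUT_ABNORMAL = 12000012;

type AttestAction = 'retry' | 'tell-user-offline' | 'fail';

// Assumed error shape: an object carrying a numeric `code`.
interface CodedError { code: number; }

function hasCode(e: unknown): e is CodedError {
  return typeof e === 'object' && e !== null &&
    typeof (e as { code?: unknown }).code === 'number';
}

// Decide what to do after a failed anonymous attestation attempt.
// Only 12000012 is treated as possibly transient; every other code fails immediately.
function decideAction(err: unknown, online: boolean, attempt: number, maxAttempts: number): AttestAction {
  if (!hasCode(err) || err.code !== HUKS_ERR_ENV_OR_INPUT_ABNORMAL) {
    return 'fail';
  }
  if (!online) {
    return 'tell-user-offline'; // no network: prompt the user instead of retrying
  }
  return attempt < maxAttempts ? 'retry' : 'fail';
}

interface AttestOutcome<T> {
  status: 'ok' | 'offline' | 'failed';
  attempts: number;
  result: T | null;
  code: number | null;
}

// Runs `attest` with bounded exponential backoff. In an app, `attest` would wrap
// huks.anonAttestKeyItem(alias, options); it is injected so the logic runs offline.
async function anonAttestWithRetry<T>(
  attest: () => Promise<T>,
  isOnline: () => boolean,
  sleep: (ms: number) => Promise<void>,
  maxAttempts: number = 3,
  baseDelayMs: number = 500
): Promise<AttestOutcome<T>> {
  for (let attempt = 1; ; attempt++) {
    try {
      const result = await attest();
      return { status: 'ok', attempts: attempt, result: result, code: null };
    } catch (err) {
      const code = hasCode(err) ? err.code : null;
      const action = decideAction(err, isOnline(), attempt, maxAttempts);
      if (action === 'tell-user-offline') {
        return { status: 'offline', attempts: attempt, result: null, code: code };
      }
      if (action === 'fail') {
        return { status: 'failed', attempts: attempt, result: null, code: code };
      }
      // Network is up, so the failure may be jitter: back off, then try again.
      await sleep(baseDelayMs * Math.pow(2, attempt - 1));
    }
  }
}

// Constructed scenario: two jitter failures, then a (fake) certificate chain.
function demo(): Promise<AttestOutcome<string[]>> {
  let calls = 0;
  const flakyAttest = (): Promise<string[]> => {
    calls++;
    return calls < 3
      ? Promise.reject({ code: HUKS_ERR_ENV_OR_INPUT_ABNORMAL })
      : Promise.resolve(['<constructed leaf cert>', '<constructed CA cert>']);
  };
  return anonAttestWithRetry(flakyAttest, () => true, () => Promise.resolve());
}
```
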
| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000001 | algorithm mode is not supported. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

function stringToUint8Array(str: string): Uint8Array {
  let arr: number[] = [];
  for (let i = 0, j = str.length; i < j; ++i) {
    arr.push(str.charCodeAt(i));
  }
  let tmpUint8Array = new Uint8Array(arr);
  return tmpUint8Array;
}

/* Placeholder values for the attestation parameters. */
let securityLevel = stringToUint8Array('sec_level');
let challenge = stringToUint8Array('challenge_data');
let versionInfo = stringToUint8Array('version_info');
let keyAliasString = "key anon attest";

async function generateKeyThenAttestKey(): Promise<void> {
  let aliasString = keyAliasString;
  let aliasUint8 = stringToUint8Array(aliasString);
  let generateProperties: Array<huks.HuksParam> = [
    { tag: huks.HuksTag.HUKS_TAG_ALGORITHM, value: huks.HuksKeyAlg.HUKS_ALG_RSA },
    { tag: huks.HuksTag.HUKS_TAG_KEY_SIZE, value: huks.HuksKeySize.HUKS_RSA_KEY_SIZE_2048 },
    { tag: huks.HuksTag.HUKS_TAG_PURPOSE, value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_VERIFY },
    { tag: huks.HuksTag.HUKS_TAG_DIGEST, value: huks.HuksKeyDigest.HUKS_DIGEST_SHA256 },
    { tag: huks.HuksTag.HUKS_TAG_PADDING, value: huks.HuksKeyPadding.HUKS_PADDING_PSS },
    { tag: huks.HuksTag.HUKS_TAG_KEY_GENERATE_TYPE, value: huks.HuksKeyGenerateType.HUKS_KEY_GENERATE_TYPE_DEFAULT },
    { tag: huks.HuksTag.HUKS_TAG_BLOCK_MODE, value: huks.HuksCipherMode.HUKS_MODE_ECB }
  ];
  let generateOptions: huks.HuksOptions = {
    properties: generateProperties
  };
  let anonAttestProperties: Array<huks.HuksParam> = [
    { tag: huks.HuksTag.HUKS_TAG_ATTESTATION_ID_SEC_LEVEL_INFO, value: securityLevel },
    { tag: huks.HuksTag.HUKS_TAG_ATTESTATION_CHALLENGE, value: challenge },
    { tag: huks.HuksTag.HUKS_TAG_ATTESTATION_ID_VERSION_INFO, value: versionInfo },
    { tag: huks.HuksTag.HUKS_TAG_ATTESTATION_ID_ALIAS, value: aliasUint8 }
  ];
  let anonAttestOptions: huks.HuksOptions = {
    properties: anonAttestProperties
  };
  /* Generate the key first, then request anonymous attestation once generation has succeeded. */
  huks.generateKeyItem(aliasString, generateOptions, (error, data) => {
    if (error) {
      console.error(`callback: generateKeyItem failed`);
    } else {
      console.info(`callback: generateKeyItem success`);
      huks.anonAttestKeyItem(aliasString, anonAttestOptions, (error, data) => {
        if (error) {
          console.error(`callback: anonAttestKeyItem failed`);
        } else {
          console.info(`callback: anonAttestKeyItem success`);
        }
      });
    }
  });
}
```

## huks.anonAttestKeyItem<sup>11+</sup>

anonAttestKeyItem(keyAlias: string, options: HuksOptions) : Promise\<HuksReturnResult>

Obtains the certificate for anonymous attestation. This API uses a promise to return the result.

This operation requires Internet access and takes time. If error code 12000012 is returned, the network is abnormal. If the device is not connected to the network, display a message indicating that the network is not connected. If the network is connected, the failure may be caused by network jitter. Try again later.

**Atomic service API**: This API can be used in atomic services since API version 12.

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | --------------------------- | ---- | ------------------------------------ |
| keyAlias | string | Yes | Alias of the key. The certificate to be obtained stores the key.|
| options | [HuksOptions](#huksoptions) | Yes | Parameters and data required for obtaining the certificate. |

**Return value**

| Type | Description |
| ---------------------------------------------- | --------------------------------------------- |
| Promise<[HuksReturnResult](#huksreturnresult9)> | Promise used to return the result. When the call is successful, the **certChains** member of **HuksReturnResult** is not empty, and the obtained certificate chain is returned.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000001 | algorithm mode is not supported. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

function stringToUint8Array(str: string): Uint8Array {
  let arr: number[] = [];
  for (let i = 0, j = str.length; i < j; ++i) {
    arr.push(str.charCodeAt(i));
  }
  let tmpUint8Array = new Uint8Array(arr);
  return tmpUint8Array;
}

/* Placeholder values for the attestation parameters. */
let securityLevel = stringToUint8Array('sec_level');
let challenge = stringToUint8Array('challenge_data');
let versionInfo = stringToUint8Array('version_info');
let keyAliasString = "key anon attest";

async function generateKey(alias: string): Promise<void> {
  let properties: Array<huks.HuksParam> = [
    { tag: huks.HuksTag.HUKS_TAG_ALGORITHM, value: huks.HuksKeyAlg.HUKS_ALG_RSA },
    { tag: huks.HuksTag.HUKS_TAG_KEY_SIZE, value: huks.HuksKeySize.HUKS_RSA_KEY_SIZE_2048 },
    { tag: huks.HuksTag.HUKS_TAG_PURPOSE, value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_VERIFY },
    { tag: huks.HuksTag.HUKS_TAG_DIGEST, value: huks.HuksKeyDigest.HUKS_DIGEST_SHA256 },
    { tag: huks.HuksTag.HUKS_TAG_PADDING, value: huks.HuksKeyPadding.HUKS_PADDING_PSS },
    { tag: huks.HuksTag.HUKS_TAG_KEY_GENERATE_TYPE, value: huks.HuksKeyGenerateType.HUKS_KEY_GENERATE_TYPE_DEFAULT },
    { tag: huks.HuksTag.HUKS_TAG_BLOCK_MODE, value: huks.HuksCipherMode.HUKS_MODE_ECB }
  ];
  let options: huks.HuksOptions = {
    properties: properties
  };
  await huks.generateKeyItem(alias, options);
}

async function anonAttestKey(): Promise<void> {
  let aliasString = keyAliasString;
  let aliasUint8 = stringToUint8Array(aliasString);
  let properties: Array<huks.HuksParam> = [
    { tag: huks.HuksTag.HUKS_TAG_ATTESTATION_ID_SEC_LEVEL_INFO, value: securityLevel },
    { tag: huks.HuksTag.HUKS_TAG_ATTESTATION_CHALLENGE, value: challenge },
    { tag: huks.HuksTag.HUKS_TAG_ATTESTATION_ID_VERSION_INFO, value: versionInfo },
    { tag: huks.HuksTag.HUKS_TAG_ATTESTATION_ID_ALIAS, value: aliasUint8 }
  ];
  let options: huks.HuksOptions = {
    properties: properties
  };
  /* Generate the key first, then request anonymous attestation. */
  await generateKey(aliasString);
  await huks.anonAttestKeyItem(aliasString, options);
}
```

## huks.importWrappedKeyItem<sup>9+</sup>

importWrappedKeyItem(keyAlias: string,
wrappingKeyAlias: string, options: HuksOptions, callback: AsyncCallback\) : void Imports a wrapped key. This API uses an asynchronous callback to return the result. **Atomic service API**: This API can be used in atomic services since API version 12. **System capability**: SystemCapability.Security.Huks.Core The system capability is **SystemCapability.Security.Huks.Extension** in API versions 9 to 11, and **SystemCapability.Security.Huks.Core** since API version 12. **Parameters** | Name | Type | Mandatory| Description | | ---------------- | --------------------------- | ---- | --------------------------------------------- | | keyAlias | string | Yes | Alias of the wrapped key to import. | | wrappingKeyAlias | string | Yes | Alias of the data used to unwrap the key imported. | | options | [HuksOptions](#huksoptions) | Yes | Tags required for the import and the wrapped key to import. The algorithm, key purpose, and key length are mandatory.| | callback | AsyncCallback\ | Yes | Callback used to return the result. If the operation is successful, no **err** value is returned; otherwise, an error code is returned.| **Error codes** For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md). | ID| Error Message | | -------- | ------------- | | 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. | | 801 | api is not supported. | | 12000001 | algorithm mode is not supported. | | 12000002 | algorithm param is missing. | | 12000003 | algorithm param is invalid. | | 12000004 | operating file failed. | | 12000005 | IPC communication failed. | | 12000006 | error occurred in crypto engine. | | 12000011 | queried entity does not exist. | | 12000012 | Device environment or input parameter abnormal. | | 12000013 | queried credential does not exist. | | 12000014 | memory is insufficient. 
| | 12000015 | Failed to obtain the security information via UserIAM. | | 12000017 | The key with same alias is already exist. | **Example** ```ts import { huks } from '@kit.UniversalKeystoreKit'; let alias1 = "importAlias"; let alias2 = "wrappingKeyAlias"; async function TestGenFunc(alias: string, options: huks.HuksOptions) { await genKey(alias, options) .then((data) => { console.info(`callback: generateKeyItem success`); }); } function genKey(alias: string, options: huks.HuksOptions) { return new Promise((resolve, reject) => { huks.generateKeyItem(alias, options, (error, data) => { if (error) { reject(error); } else { resolve(data); } }); }); } async function TestExportFunc(alias: string, options: huks.HuksOptions) { await exportKey(alias, options) .then((data) => { console.info(`callback: exportKeyItem success, data = ${JSON.stringify(data)}`); }); } function exportKey(alias: string, options: huks.HuksOptions) { return new Promise((resolve, reject) => { huks.exportKeyItem(alias, options, (error, data) => { if (error) { reject(error); } else { resolve(data); } }); }); } async function TestImportWrappedFunc(alias: string, wrappingAlias: string, options: huks.HuksOptions) { await importWrappedKey(alias, wrappingAlias, options) .then((data) => { console.info(`callback: importWrappedKeyItem success`); }); } function importWrappedKey(alias: string, wrappingAlias: string, options: huks.HuksOptions) { return new Promise((resolve, reject) => { huks.importWrappedKeyItem(alias, wrappingAlias, options, (error, data) => { if (error) { reject(error); } else { resolve(data); } }); }); } async function TestImportWrappedKeyFunc( alias: string, wrappingAlias: string, genOptions: huks.HuksOptions, importOptions: huks.HuksOptions ) { await TestGenFunc(wrappingAlias, genOptions); await TestExportFunc(wrappingAlias, genOptions); /*The following operations do not invoke the HUKS APIs, and the specific implementation is not provided here. * For example, import **keyA**. * 1. 
Use ECC to generate a public and private key pair **keyB**. The public key is **keyB_pub**, and the private key is **keyB_pri**. * 2. Use **keyB_pri** and the public key obtained from **wrappingAlias** to negotiate the shared key **share_key**. * 3. Randomly generate a key **kek** and use it to encrypt **keyA** with AES-GCM. During the encryption, record **nonce1**, **aad1**, ciphertext **keyA_enc**, and encrypted **tag1**. * 4. Use **share_key** to encrypt **kek** with AES-GCM. During the encryption, record **nonce2**, **aad2**, ciphertext **kek_enc**, and encrypted **tag2**. * 5. Generate the **importOptions.inData** field in the following format: * keyB_pub length (4 bytes) + keyB_pub + aad2 length (4 bytes) + aad2 + * nonce2 length (4 bytes) + nonce2 + tag2 length (4 bytes) + tag2 + * kek_enc length (4 bytes) + kek_enc + aad1 length (4 bytes) + aad1 + * nonce1 length (4 bytes) + nonce1 + tag1 length (4 bytes) + tag1 + * Memory occupied by the keyA length (4 bytes) + keyA length + keyA_enc length (4 bytes) + keyA_enc */ /* The key data imported may be different from the sample code given below. The data structure is described in the preceding comments. 
*/ let inputKey = new Uint8Array([0x02, 0x00, 0x00, 0x00]); importOptions.inData = inputKey; await TestImportWrappedFunc(alias, wrappingAlias, importOptions); } function makeGenerateOptions() { let properties: Array = [ { tag: huks.HuksTag.HUKS_TAG_ALGORITHM, value: huks.HuksKeyAlg.HUKS_ALG_ECC }, { tag: huks.HuksTag.HUKS_TAG_KEY_SIZE, value: huks.HuksKeySize.HUKS_ECC_KEY_SIZE_256 }, { tag: huks.HuksTag.HUKS_TAG_PURPOSE, value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_UNWRAP }, { tag: huks.HuksTag.HUKS_TAG_DIGEST, value: huks.HuksKeyDigest.HUKS_DIGEST_SHA256 }, { tag: huks.HuksTag.HUKS_TAG_IMPORT_KEY_TYPE, value: huks.HuksImportKeyType.HUKS_KEY_TYPE_KEY_PAIR, } ]; let options: huks.HuksOptions = { properties: properties }; return options; }; function makeImportOptions() { let properties: Array = [ { tag: huks.HuksTag.HUKS_TAG_ALGORITHM, value: huks.HuksKeyAlg.HUKS_ALG_AES }, { tag: huks.HuksTag.HUKS_TAG_KEY_SIZE, value: huks.HuksKeySize.HUKS_AES_KEY_SIZE_256 }, { tag: huks.HuksTag.HUKS_TAG_PURPOSE, value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_ENCRYPT | huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_DECRYPT }, { tag: huks.HuksTag.HUKS_TAG_BLOCK_MODE, value: huks.HuksCipherMode.HUKS_MODE_CBC }, { tag: huks.HuksTag.HUKS_TAG_PADDING, value: huks.HuksKeyPadding.HUKS_PADDING_NONE }, { tag: huks.HuksTag.HUKS_TAG_UNWRAP_ALGORITHM_SUITE, value: huks.HuksUnwrapSuite.HUKS_UNWRAP_SUITE_ECDH_AES_256_GCM_NOPADDING } ]; let options: huks.HuksOptions = { properties: properties }; return options; }; function huksImportWrappedKey() { let genOptions = makeGenerateOptions(); let importOptions = makeImportOptions(); TestImportWrappedKeyFunc( alias1, alias2, genOptions, importOptions ); } ``` ## huks.importWrappedKeyItem9+ importWrappedKeyItem(keyAlias: string, wrappingKeyAlias: string, options: HuksOptions) : Promise\ Imports a wrapped key. This API uses a promise to return the result. **Atomic service API**: This API can be used in atomic services since API version 12. 
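
The **importOptions.inData** layout listed in step 5 of the comments in the callback example above, as an added example that is not part of the HUKS sample code: it packs the ten length-prefixed fields in the documented order and parses a blob back with bounds checks. The little-endian byte order of the 4-byte lengths, the 12-byte nonce and 16-byte tag sizes, and all helper names are assumptions; the sample values are constructed filler, not real key material.

```ts
// Added example (not HUKS sample code): pack and parse importOptions.inData.
// Assumption: each 4-byte length prefix is an unsigned little-endian integer.

// Field order exactly as listed in step 5 of the page's comment.
const WRAPPED_FIELD_ORDER = [
  'keyBPub', 'aad2', 'nonce2', 'tag2', 'kekEnc',
  'aad1', 'nonce1', 'tag1', 'keyASize', 'keyAEnc',
] as const;

type WrappedFieldName = typeof WRAPPED_FIELD_ORDER[number];
type WrappedKeyFields = Record<WrappedFieldName, Uint8Array>;

// Encodes a non-negative integer as 4 little-endian bytes.
function u32le(value: number): Uint8Array {
  if (!Number.isInteger(value) || value < 0 || value > 0xffffffff) {
    throw new RangeError(`not a uint32: ${value}`);
  }
  const out = new Uint8Array(4);
  new DataView(out.buffer).setUint32(0, value, true);
  return out;
}

function readU32le(bytes: Uint8Array, offset: number): number {
  return new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength).getUint32(offset, true);
}

// Concatenates "length (4 bytes) + value" for every field, in the fixed order.
function packWrappedKeyMaterial(fields: WrappedKeyFields): Uint8Array {
  let total = 0;
  for (const name of WRAPPED_FIELD_ORDER) {
    total += 4 + fields[name].length;
  }
  const blob = new Uint8Array(total);
  let offset = 0;
  for (const name of WRAPPED_FIELD_ORDER) {
    blob.set(u32le(fields[name].length), offset);
    blob.set(fields[name], offset + 4);
    offset += 4 + fields[name].length;
  }
  return blob;
}

// Splits a blob back into its fields; rejects truncated input and trailing bytes.
function parseWrappedKeyMaterial(blob: Uint8Array): WrappedKeyFields {
  const fields = {} as WrappedKeyFields;
  let offset = 0;
  for (const name of WRAPPED_FIELD_ORDER) {
    if (blob.length - offset < 4) {
      throw new RangeError(`truncated before the length of ${name}`);
    }
    const len = readU32le(blob, offset);
    offset += 4;
    if (len > blob.length - offset) {
      throw new RangeError(`${name} claims ${len} bytes, ${blob.length - offset} remain`);
    }
    fields[name] = blob.slice(offset, offset + len);
    offset += len;
  }
  if (offset !== blob.length) {
    throw new RangeError(`${blob.length - offset} unexpected trailing bytes`);
  }
  return fields;
}

// Pre-import sanity checks for an AES-256 kek with AES-GCM wrapping.
// Assumed sizes: 12-byte nonces, 16-byte tags. GCM adds no padding, so the
// ciphertext keyAEnc must be exactly as long as the declared plaintext key.
function checkWrappedKeySizes(f: WrappedKeyFields): string[] {
  const problems: string[] = [];
  const expectLen = (name: WrappedFieldName, want: number): void => {
    if (f[name].length !== want) {
      problems.push(`${name}: expected ${want} bytes, got ${f[name].length}`);
    }
  };
  expectLen('nonce1', 12);
  expectLen('nonce2', 12);
  expectLen('tag1', 16);
  expectLen('tag2', 16);
  expectLen('kekEnc', 32);
  expectLen('keyASize', 4);
  if (f.keyASize.length === 4 && readU32le(f.keyASize, 0) !== f.keyAEnc.length) {
    problems.push('keyASize does not match the keyAEnc length');
  }
  return problems;
}

// Constructed filler values with realistic sizes; not real ciphertext or keys.
function makeSampleFields(): WrappedKeyFields {
  const filler = (len: number, byte: number): Uint8Array => new Uint8Array(len).fill(byte);
  return {
    keyBPub: filler(91, 0xb0), aad2: filler(16, 0x02), nonce2: filler(12, 0x22),
    tag2: filler(16, 0x2f), kekEnc: filler(32, 0xee), aad1: filler(16, 0x01),
    nonce1: filler(12, 0x11), tag1: filler(16, 0x1f),
    keyASize: u32le(32), keyAEnc: filler(32, 0xa0),
  };
}
```

The four-byte placeholder `[0x02, 0x00, 0x00, 0x00]` used as **inData** in the sample above fails this parser, because it declares a 2-byte first field and supplies no data for it.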

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| ---------------- | --------------------------- | ---- | --------------------------------------------- |
| keyAlias | string | Yes | Alias of the wrapped key to import. |
| wrappingKeyAlias | string | Yes | Alias of the data used to unwrap the key imported. |
| options | [HuksOptions](#huksoptions) | Yes | Tags required for the import and the wrapped key to import. The algorithm, key purpose, and key length are mandatory.|

**Return value**

| Type | Description |
| ---------------------------------------------- | --------------------------------------------- |
| Promise\<void> | Promise that returns no value.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000001 | algorithm mode is not supported. |
| 12000002 | algorithm param is missing. |
| 12000003 | algorithm param is invalid. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000013 | queried credential does not exist. |
| 12000014 | memory is insufficient. |
| 12000015 | Failed to obtain the security information via UserIAM. |
| 12000017 | The key with same alias is already exist. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* The process is similar if a callback is used, except the following: */
/* The key data imported may be different from the sample code given below. The data structure is described in the preceding comments. */
async function TestImportWrappedFunc(alias: string, wrappingAlias: string, options: huks.HuksOptions) {
  await huks.importWrappedKeyItem(alias, wrappingAlias, options)
    .then((data) => {
      console.info(`promise: importWrappedKeyItem success`);
    });
}
```

## huks.exportKeyItem<sup>9+</sup>

exportKeyItem(keyAlias: string, options: HuksOptions, callback: AsyncCallback\<HuksReturnResult>) : void

Exports a key. This API uses an asynchronous callback to return the result.

**Atomic service API**: This API can be used in atomic services since API version 12.

**System capability**: SystemCapability.Security.Huks.Core

The system capability is **SystemCapability.Security.Huks.Extension** in API versions 9 to 11, and **SystemCapability.Security.Huks.Core** since API version 12.

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ---------------------------------------------------- | ---- | ------------------------------------------------------------ |
| keyAlias | string | Yes | Key alias, which must be the same as the alias used when the key was generated. |
| options | [HuksOptions](#huksoptions) | Yes | Attribute of the key to be imported. If [HuksAuthStorageLevel](#huksauthstoragelevel11) is used to specify the security level of the key to be imported, this parameter can be left empty. If the API version is 12 or later, the default value **CE** is passed in. If the API version is earlier than 12, the default value **DE** is passed in. |
| callback | AsyncCallback\<[HuksReturnResult](#huksreturnresult9)> | Yes | Callback used to return the result. If the operation is successful, no **err** value is returned; otherwise, an error code is returned. **outData** contains the public key exported.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000001 | algorithm mode is not supported. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Set options to emptyOptions. */
let keyAlias = 'keyAlias';
let emptyOptions: huks.HuksOptions = {
  properties: []
};
huks.exportKeyItem(keyAlias, emptyOptions, (error, data) => {
  if (error) {
    console.error(`callback: exportKeyItem failed`);
  } else {
    console.info(`callback: exportKeyItem success, data = ${JSON.stringify(data)}`);
  }
});
```

## huks.exportKeyItem<sup>9+</sup>

exportKeyItem(keyAlias: string, options: HuksOptions) : Promise\<HuksReturnResult>

Exports a key. This API uses a promise to return the result.

**Atomic service API**: This API can be used in atomic services since API version 12.

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | --------------------------- | ---- | -------------------------------------------- |
| keyAlias | string | Yes | Key alias, which must be the same as the alias used when the key was generated.|
| options | [HuksOptions](#huksoptions) | Yes | Empty object (leave this parameter empty). |

**Return value**

| Type | Description |
| ---------------------------------------------- | ------------------------------------------------------------ |
| Promise\<[HuksReturnResult](#huksreturnresult9)> | Promise used to return the result. If the operation is successful, **outData** in **HuksReturnResult** is the public key exported.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000001 | algorithm mode is not supported. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Set options to emptyOptions. */
let keyAlias = 'keyAlias';
let emptyOptions: huks.HuksOptions = {
  properties: []
};
huks.exportKeyItem(keyAlias, emptyOptions)
  .then((data) => {
    console.info(`promise: exportKeyItem success, data = ${JSON.stringify(data)}`);
  });
```

## huks.wrapKeyItem<sup>20+</sup>

wrapKeyItem(keyAlias: string, params: HuksOptions): Promise\<HuksReturnResult>

Exports a wrapped key. (This API corresponds to [unwrapKeyItem](#huksunwrapkeyitem20). Add [HUKS_TAG_IS_ALLOWED_WRAP](#hukstag) when generating the key to allow it to be exported.) This API uses a promise to return the result.

This feature is not supported currently.

**System capability**: SystemCapability.Security.Huks.Core

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | --------------------------- | ---- | -------------------------------------------- |
| keyAlias | string | Yes | Key alias, which must be the same as the alias used when the key was generated.|
| params | [HuksOptions](#huksoptions) | Yes | Encryption type of the key to be exported. |

**Return value**

| Type | Description |
| ---------------------------------------------- | ------------------------------------------------------------ |
| Promise\<[HuksReturnResult](#huksreturnresult9)> | Promise used to return the result. If the operation is successful, **outData** in **HuksReturnResult** is the ciphertext of the key exported.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 801 | api is not supported. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |
| 12000018 | the input parameter is invalid. |

## huks.unwrapKeyItem<sup>20+</sup>

unwrapKeyItem(keyAlias: string, params: HuksOptions, wrappedKey: Uint8Array): Promise\<HuksReturnResult>

Imports a wrapped key, corresponding to [wrapKeyItem](#hukswrapkeyitem20). This API uses a promise to return the result.

This feature is not supported currently.

**System capability**: SystemCapability.Security.Huks.Core

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | --------------------------- | ---- | -------------------------------------------- |
| keyAlias | string | Yes | Alias of the key to be imported.|
| params | [HuksOptions](#huksoptions) | Yes | Encryption type of the key to be imported. |
| wrappedKey | Uint8Array | Yes | Ciphertext of the key to be imported. |

**Return value**

| Type | Description |
| ---------------------------------------------- | ------------------------------------------------------------ |
| Promise\<[HuksReturnResult](#huksreturnresult9)> | Promise used to return the result.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 801 | api is not supported. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |
| 12000015 | Failed to obtain the security information via UserIAM. |
| 12000018 | the input parameter is invalid. |

## huks.getKeyItemProperties<sup>9+</sup>

getKeyItemProperties(keyAlias: string, options: HuksOptions, callback: AsyncCallback\<HuksReturnResult>) : void

Obtains key properties. This API uses an asynchronous callback to return the result.

**Atomic service API**: This API can be used in atomic services since API version 12.

**System capability**: SystemCapability.Security.Huks.Core

The system capability is **SystemCapability.Security.Huks.Extension** in API versions 9 to 11, and **SystemCapability.Security.Huks.Core** since API version 12.

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ---------------------------------------------------- | ---- | ------------------------------------------------------------ |
| keyAlias | string | Yes | Key alias, which must be the same as the alias used when the key was generated. |
| options | [HuksOptions](#huksoptions) | Yes | Empty object (leave this parameter empty). |
| callback | AsyncCallback\<[HuksReturnResult](#huksreturnresult9)> | Yes | Callback used to return the result. If the operation is successful, no **err** value is returned; otherwise, an error code is returned. **properties** returns the parameters required for generating the key.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000001 | algorithm mode is not supported. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Set options to emptyOptions. */
let keyAlias = 'keyAlias';
let emptyOptions: huks.HuksOptions = {
  properties: []
};
huks.getKeyItemProperties(keyAlias, emptyOptions, (error, data) => {
  if (error) {
    console.error(`callback: getKeyItemProperties failed`);
  } else {
    console.info(`callback: getKeyItemProperties success, data = ${JSON.stringify(data)}`);
  }
});
```

## huks.getKeyItemProperties<sup>9+</sup>

getKeyItemProperties(keyAlias: string, options: HuksOptions) : Promise\<HuksReturnResult>

Obtains key properties. This API uses a promise to return the result.

**Atomic service API**: This API can be used in atomic services since API version 12.

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | --------------------------- | ---- | -------------------------------------------- |
| keyAlias | string | Yes | Key alias, which must be the same as the alias used when the key was generated.|
| options | [HuksOptions](#huksoptions) | Yes | Empty object (leave this parameter empty). |

**Return value**

| Type | Description |
| ----------------------------------------------- | ------------------------------------------------------------ |
| Promise\<[HuksReturnResult](#huksreturnresult9)> | Promise used to return the result. If the operation is successful, **properties** in **HuksReturnResult** holds the parameters required for generating the key.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000001 | algorithm mode is not supported. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Set options to emptyOptions. */
let keyAlias = 'keyAlias';
let emptyOptions: huks.HuksOptions = {
  properties: []
};
huks.getKeyItemProperties(keyAlias, emptyOptions)
  .then((data) => {
    console.info(`promise: getKeyItemProperties success, data = ${JSON.stringify(data)}`);
  });
```

## huks.isKeyItemExist<sup>9+</sup>

isKeyItemExist(keyAlias: string, options: HuksOptions, callback: AsyncCallback\<boolean>) : void

Checks whether a key exists. This API uses an asynchronous callback to return the result.

**System capability**: SystemCapability.Security.Huks.Core

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | --------------------------- | ---- |--------------------------------------------------------|
| keyAlias | string | Yes | Alias of the key to check. |
| options | [HuksOptions](#huksoptions) | Yes | Attribute tag of the key to be checked. If [HuksAuthStorageLevel](#huksauthstoragelevel11) is used to specify the security level of the key to be checked, this parameter can be left empty. If the API version is 12 or later, the default value **CE** is passed in. If the API version is earlier than 12, the default value **DE** is passed in. |
| callback | AsyncCallback\<boolean> | Yes | Callback used to return the result. If the key exists, the value of **data** is **true**. If the key does not exist, the error code is stored in **err**.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Set options to emptyOptions. */
let keyAlias = 'keyAlias';
let emptyOptions: huks.HuksOptions = {
  properties: []
};
huks.isKeyItemExist(keyAlias, emptyOptions, (error, data) => {
  if (error) {
    console.error(`callback: isKeyItemExist failed`);
  } else {
    if (data) {
      console.info(`keyAlias:${keyAlias} is existed!`)
    } else {
      console.error(`find key failed`)
    }
  }
});
```

## huks.isKeyItemExist<sup>9+</sup>

isKeyItemExist(keyAlias: string, options: HuksOptions) : Promise\<boolean>

Checks whether a key exists. This API uses a promise to return the result.

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | --------------------------- | ---- | ------------------------ |
| keyAlias | string | Yes | Alias of the key to check. |
| options | [HuksOptions](#huksoptions) | Yes | Attribute tag of the key to be checked. If [HuksAuthStorageLevel](#huksauthstoragelevel11) is used to specify the security level of the key to be checked, this parameter can be left empty. If the API version is 12 or later, the default value **CE** is passed in. If the API version is earlier than 12, the default value **DE** is passed in.|

**Return value**

| Type | Description |
| ----------------- | --------------------------------------- |
| Promise\<boolean> | Promise used to return the result. If the key exists, then() performs subsequent operations. If the key does not exist, error() performs the related service operations.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Set options to emptyOptions. */
let keyAlias = 'keyAlias';
let emptyOptions: huks.HuksOptions = {
  properties: []
};
huks.isKeyItemExist(keyAlias, emptyOptions).then((data) => {
  console.info(`keyAlias:${keyAlias} is existed!`)
});
```

## huks.hasKeyItem<sup>11+</sup>

hasKeyItem(keyAlias: string, options: HuksOptions, callback: AsyncCallback\<boolean>) : void

Checks whether a key exists. This API uses an asynchronous callback to return the result.

**Atomic service API**: This API can be used in atomic services since API version 11.

**System capability**: SystemCapability.Security.Huks.Core

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | --------------------------- | ---- |--------------------------------------------------------|
| keyAlias | string | Yes | Alias of the key to check. |
| options | [HuksOptions](#huksoptions) | Yes | Attribute tag of the key to be checked. If [HuksAuthStorageLevel](#huksauthstoragelevel11) is used to specify the security level of the key to be checked, this parameter can be left empty. If the API version is 12 or later, the default value **CE** is passed in. If the API version is earlier than 12, the default value **DE** is passed in. |
| callback | AsyncCallback\<boolean> | Yes | Callback used to return the result. If the key exists, **data** is **true**. Otherwise, **data** is **false**.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Set options to emptyOptions. */
let keyAlias = 'keyAlias';
let emptyOptions: huks.HuksOptions = {
  properties: []
};
huks.hasKeyItem(keyAlias, emptyOptions, (error, data) => {
  if (error) {
    console.error(`callback: hasKeyItem failed`);
  } else {
    if (data) {
      console.info(`keyAlias:${keyAlias} is existed!`)
    } else {
      console.error(`find key failed`)
    }
  }
});
```

## huks.hasKeyItem<sup>11+</sup>

hasKeyItem(keyAlias: string, options: HuksOptions) : Promise\<boolean>

Checks whether a key exists. This API uses a promise to return the result.

**Atomic service API**: This API can be used in atomic services since API version 11.

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | --------------------------- | ---- | ------------------------ |
| keyAlias | string | Yes | Alias of the key to check. |
| options | [HuksOptions](#huksoptions) | Yes | Attribute tag of the key to be checked. If [HuksAuthStorageLevel](#huksauthstoragelevel11) is used to specify the security level of the key to be checked, this parameter can be left empty. If the API version is 12 or later, the default value **CE** is passed in. If the API version is earlier than 12, the default value **DE** is passed in. |

**Return value**

| Type | Description |
| ----------------- | --------------------------------------- |
| Promise\<boolean> | Promise used to return the result. If the key exists, **true** is returned. If the key does not exist, **false** is returned.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Set options to emptyOptions. */
let keyAlias = 'keyAlias';
let emptyOptions: huks.HuksOptions = {
  properties: []
};
huks.hasKeyItem(keyAlias, emptyOptions).then((data) => {
  if (data) {
    console.info(`keyAlias:${keyAlias} is existed!`)
  } else {
    console.info(`find key failed!`)
  }
});
```

## huks.initSession<sup>9+</sup>

initSession(keyAlias: string, options: HuksOptions, callback: AsyncCallback\<HuksSessionHandle>) : void

Initializes a session for a key operation. This API uses an asynchronous callback to return the result. **huks.initSession**, **huks.updateSession**, and **huks.finishSession** must be used together.

**Atomic service API**: This API can be used in atomic services since API version 11.

**System capability**: SystemCapability.Security.Huks.Core

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ------------------------------------------------------- | ---- | ---------------------------------------------------- |
| keyAlias | string | Yes | Alias of the key involved in the **initSession** operation. |
| options | [HuksOptions](#huksoptions) | Yes | Parameter set used for the **initSession** operation. |
| callback | AsyncCallback\<[HuksSessionHandle](#hukssessionhandle9)> | Yes | Callback used to return the result. The handle returned by the **initSession** operation is added to the callback.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000001 | algorithm mode is not supported. |
| 12000002 | algorithm param is missing. |
| 12000003 | algorithm param is invalid. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000010 | the number of sessions has reached limit. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

## huks.initSession<sup>9+</sup>

initSession(keyAlias: string, options: HuksOptions) : Promise\<HuksSessionHandle>

Initializes a session for a key operation. This API uses a promise to return the result. **huks.initSession**, **huks.updateSession**, and **huks.finishSession** must be used together.

**Atomic service API**: This API can be used in atomic services since API version 11.
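
The init, update, finish sequence combined with the abort-on-error rule that this page's **abortSession** examples state in their comments, as an added example (not OpenHarmony code). `SessionApi`, `runKeySession` and `FakeKeystore` are hypothetical names: `SessionApi` copies the promise-based signatures documented here, and the fake keystore is a constructed stand-in that assumes an open session occupies a slot until it is finished or aborted.

```typescript
// Added example, not HUKS project code. SessionApi mirrors the promise-based
// signatures on this page; runKeySession and FakeKeystore are hypothetical names.
interface Param { tag: number; value: boolean | number | bigint | Uint8Array; }
interface Options { properties?: Param[]; inData?: Uint8Array; }
interface SessionHandle { handle: number; challenge?: Uint8Array; }
interface ReturnResult { outData?: Uint8Array; } // only the field read below

interface SessionApi {
  initSession(keyAlias: string, options: Options): Promise<SessionHandle>;
  updateSession(handle: number, options: Options, token?: Uint8Array): Promise<ReturnResult>;
  finishSession(handle: number, options: Options, token?: Uint8Array): Promise<ReturnResult>;
  abortSession(handle: number, options: Options): Promise<void>;
}

function concatBytes(parts: Uint8Array[]): Uint8Array {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let offset = 0;
  for (const p of parts) {
    out.set(p, offset);
    offset += p.length;
  }
  return out;
}

// init -> update (once per chunk) -> finish with empty inData, as in the page's
// promise example. Any rejection after init aborts the handle, then rethrows.
async function runKeySession(api: SessionApi, keyAlias: string, options: Options,
                             chunks: Uint8Array[], token?: Uint8Array): Promise<Uint8Array> {
  // If initSession itself rejects, no handle was returned, so this function
  // has nothing to pass to abortSession and lets the error propagate.
  const { handle } = await api.initSession(keyAlias, options);
  const out: Uint8Array[] = [];
  try {
    for (const chunk of chunks) {
      const r = await api.updateSession(handle, { ...options, inData: chunk }, token);
      if (r.outData) { out.push(r.outData); }
    }
    const last = await api.finishSession(handle, { ...options, inData: new Uint8Array(0) }, token);
    if (last.outData) { out.push(last.outData); }
  } catch (err) {
    try {
      await api.abortSession(handle, options);
    } catch {
      // A failed abort is secondary; the caller needs the original error code.
    }
    throw err;
  }
  return concatBytes(out);
}

// Constructed in-memory stand-in so the example runs offline. Assumption: an open
// session holds a slot until finished or aborted. Error codes are from this page.
class FakeKeystore implements SessionApi {
  open = new Set<number>();
  aborted: number[] = [];
  failUpdateWith: number | undefined = undefined;
  private nextHandle = 1;
  private maxSessions: number;

  constructor(maxSessions: number) { this.maxSessions = maxSessions; }

  private fail(code: number, message: string): Error {
    return Object.assign(new Error(message), { code });
  }
  async initSession(_keyAlias: string, _options: Options): Promise<SessionHandle> {
    if (this.open.size >= this.maxSessions) {
      throw this.fail(12000010, 'the number of sessions has reached limit.');
    }
    const handle = this.nextHandle++;
    this.open.add(handle);
    return { handle };
  }
  async updateSession(handle: number, options: Options): Promise<ReturnResult> {
    if (!this.open.has(handle)) { throw this.fail(12000011, 'queried entity does not exist.'); }
    if (this.failUpdateWith !== undefined) {
      throw this.fail(this.failUpdateWith, 'constructed failure');
    }
    return { outData: options.inData }; // echo instead of real cryptography
  }
  async finishSession(handle: number, _options: Options): Promise<ReturnResult> {
    if (!this.open.delete(handle)) { throw this.fail(12000011, 'queried entity does not exist.'); }
    return {};
  }
  async abortSession(handle: number, _options: Options): Promise<void> {
    this.open.delete(handle);
    this.aborted.push(handle);
  }
}
```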

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ------------------------------------------------- | ---- | ------------------------------------------------ |
| keyAlias | string | Yes | Alias of the key involved in the **initSession** operation. |
| options | [HuksOptions](#huksoptions) | Yes | Parameter set used for the **initSession** operation. |

**Return value**

| Type | Description |
| ----------------------------------- | -------------------------------------------------- |
| Promise\<[HuksSessionHandle](#hukssessionhandle9)> | Promise used to return the result. The handle returned by the **initSession** operation is added to the callback.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000001 | algorithm mode is not supported. |
| 12000002 | algorithm param is missing. |
| 12000003 | algorithm param is invalid. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000010 | the number of sessions has reached limit. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

## huks.updateSession<sup>9+</sup>

updateSession(handle: number, options: HuksOptions, callback: AsyncCallback\<HuksReturnResult>) : void

Updates the key operation by segment. This API uses an asynchronous callback to return the result. **huks.initSession**, **huks.updateSession**, and **huks.finishSession** must be used together.

**Atomic service API**: This API can be used in atomic services since API version 11.

**System capability**: SystemCapability.Security.Huks.Core

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ---------------------------------------------------- | ---- | -------------------------------------------- |
| handle | number | Yes | Handle of the **updateSession** operation, which is of the uint64 type. |
| options | [HuksOptions](#huksoptions) | Yes | Parameter set used for the **updateSession** operation. |
| callback | AsyncCallback\<[HuksReturnResult](#huksreturnresult9)> | Yes | Callback used to return the result. The result of the **updateSession** operation is added to the callback.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000001 | algorithm mode is not supported. |
| 12000002 | algorithm param is missing. |
| 12000003 | algorithm param is invalid. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000007 | this credential is already invalidated permanently. |
| 12000008 | verify auth token failed. |
| 12000009 | auth token is already timeout. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

## huks.updateSession<sup>9+</sup>

updateSession(handle: number, options: HuksOptions, token: Uint8Array, callback: AsyncCallback\<HuksReturnResult>) : void

Updates the key operation by segment. This API uses an asynchronous callback to return the result. **huks.initSession**, **huks.updateSession**, and **huks.finishSession** must be used together.

**Atomic service API**: This API can be used in atomic services since API version 12.

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ---------------------------------------------------- | ---- | -------------------------------------------- |
| handle | number | Yes | Handle of the **updateSession** operation, which is of the uint64 type. |
| options | [HuksOptions](#huksoptions) | Yes | Parameter set used for the **updateSession** operation. |
| token | Uint8Array | Yes | Authentication token for [refined key access control](../../security/UniversalKeystoreKit/huks-identity-authentication-overview.md#refined-key-access-control). |
| callback | AsyncCallback\<[HuksReturnResult](#huksreturnresult9)> | Yes | Callback used to return the result. The result of the **updateSession** operation is added to the callback.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000001 | algorithm mode is not supported. |
| 12000002 | algorithm param is missing. |
| 12000003 | algorithm param is invalid. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000007 | this credential is already invalidated permanently. |
| 12000008 | verify auth token failed. |
| 12000009 | auth token is already timeout. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

## huks.updateSession<sup>9+</sup>

updateSession(handle: number, options: HuksOptions, token?: Uint8Array) : Promise\<HuksReturnResult>

Updates the key operation by segment. This API uses a promise to return the result.
**huks.initSession**, **huks.updateSession**, and **huks.finishSession** must be used together.

**Atomic service API**: This API can be used in atomic services since API version 11.

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| ------- | ---------------------------------------------- | ---- | -------------------------------------------- |
| handle | number | Yes | Handle of the **updateSession** operation, which is of the uint64 type. |
| options | [HuksOptions](#huksoptions) | Yes | Parameter set used for the **updateSession** operation. |
| token | Uint8Array | No | Authentication token for [refined key access control](../../security/UniversalKeystoreKit/huks-identity-authentication-overview.md#refined-key-access-control). If this parameter is left blank, refined key access control is not performed. |

**Return value**

| Type | Description |
| ----------------------------------- | -------------------------------------------------- |
| Promise\<[HuksReturnResult](#huksreturnresult9)> | Promise used to return the result. The result of the **updateSession** operation is added to the callback.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000001 | algorithm mode is not supported. |
| 12000002 | algorithm param is missing. |
| 12000003 | algorithm param is invalid. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000007 | this credential is already invalidated permanently. |
| 12000008 | verify auth token failed. |
| 12000009 | auth token is already timeout. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

## huks.finishSession<sup>9+</sup>

finishSession(handle: number, options: HuksOptions, callback: AsyncCallback\<HuksReturnResult>) : void

Finishes the key operation. This API uses an asynchronous callback to return the result. **huks.initSession**, **huks.updateSession**, and **huks.finishSession** must be used together.

**Atomic service API**: This API can be used in atomic services since API version 11.

**System capability**: SystemCapability.Security.Huks.Core

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ---------------------------------------------------- | ---- | -------------------------------------------- |
| handle | number | Yes | Handle of the **finishSession** operation, which is of the uint64 type. |
| options | [HuksOptions](#huksoptions) | Yes | Parameter set used for the **finishSession** operation. |
| callback | AsyncCallback\<[HuksReturnResult](#huksreturnresult9)> | Yes | Callback used to return the result. The result of the **finishSession** operation is added to the callback.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000001 | algorithm mode is not supported. |
| 12000002 | algorithm param is missing. |
| 12000003 | algorithm param is invalid. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000007 | this credential is already invalidated permanently. |
| 12000008 | verify auth token failed. |
| 12000009 | auth token is already timeout. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |
| 12000017 | The key with same alias is already exist. |

## huks.finishSession<sup>9+</sup>

finishSession(handle: number, options: HuksOptions, token: Uint8Array, callback: AsyncCallback\<HuksReturnResult>) : void

Finishes the key operation. This API uses an asynchronous callback to return the result. **huks.initSession**, **huks.updateSession**, and **huks.finishSession** must be used together.

**Atomic service API**: This API can be used in atomic services since API version 12.

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ----------------------------------------------------- | ---- | -------------------------------------------- |
| handle | number | Yes | Handle of the **finishSession** operation, which is of the uint64 type. |
| options | [HuksOptions](#huksoptions) | Yes | Parameter set used for the **finishSession** operation. |
| token | Uint8Array | Yes | Authentication token for [refined key access control](../../security/UniversalKeystoreKit/huks-identity-authentication-overview.md#refined-key-access-control). |
| callback | AsyncCallback\<[HuksReturnResult](#huksreturnresult9)> | Yes | Callback used to return the result. The result of the **finishSession** operation is added to the callback.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000001 | algorithm mode is not supported. |
| 12000002 | algorithm param is missing. |
| 12000003 | algorithm param is invalid. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000007 | this credential is already invalidated permanently. |
| 12000008 | verify auth token failed. |
| 12000009 | auth token is already timeout. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |
| 12000017 | The key with same alias is already exist. |

## huks.finishSession<sup>9+</sup>

finishSession(handle: number, options: HuksOptions, token?: Uint8Array) : Promise\<HuksReturnResult>

Finishes the key operation. This API uses a promise to return the result. **huks.initSession**, **huks.updateSession**, and **huks.finishSession** must be used together.

**Atomic service API**: This API can be used in atomic services since API version 11.

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| ------- | ----------------------------------------------- | ---- | ----------------------------------- |
| handle | number | Yes | Handle of the **finishSession** operation, which is of the uint64 type. |
| options | [HuksOptions](#huksoptions) | Yes | Parameter set used for the **finishSession** operation. |
| token | Uint8Array | No | Authentication token for [refined key access control](../../security/UniversalKeystoreKit/huks-identity-authentication-overview.md#refined-key-access-control). If this parameter is left blank, refined key access control is not performed. |

**Return value**

| Type | Description |
| ----------------------------------- | -------------------------------------------------- |
| Promise\<[HuksReturnResult](#huksreturnresult9)> | Promise used to return the result.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000001 | algorithm mode is not supported. |
| 12000002 | algorithm param is missing. |
| 12000003 | algorithm param is invalid. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000007 | this credential is already invalidated permanently. |
| 12000008 | verify auth token failed. |
| 12000009 | auth token is already timeout. |
| 12000011 | queried entity does not exist. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |
| 12000017 | The key with same alias is already exist. |

## huks.abortSession<sup>9+</sup>

abortSession(handle: number, options: HuksOptions, callback: AsyncCallback\<void>) : void

Aborts a key operation. This API uses an asynchronous callback to return the result.

**Atomic service API**: This API can be used in atomic services since API version 11.

**System capability**: SystemCapability.Security.Huks.Core

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | --------------------------- | ---- | ------------------------------------------- |
| handle | number | Yes | Handle of the **abortSession** operation, which is of the uint64 type. |
| options | [HuksOptions](#huksoptions) | Yes | Parameter set used for the **abortSession** operation. |
| callback | AsyncCallback\<void> | Yes | Callback used to return the result. The result of the **abortSession** operation is added to the callback.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* huks.initSession, huks.updateSession, and huks.finishSession must be used together.
 * If an error occurs in any of huks.initSession, huks.updateSession,
 * and huks.finishSession operations,
 * huks.abortSession must be called to terminate the use of the key.
 *
 * The following uses a 2048-bit RSA key as an example. The callback-based APIs are used.
 */

let keyAlias = "HuksDemoRSA";
let properties: Array<huks.HuksParam> = []
let options: huks.HuksOptions = {
  properties: properties,
  inData: new Uint8Array(0)
};
let handle: number = 0;

async function huksAbort() {
  properties[0] = {
    tag: huks.HuksTag.HUKS_TAG_ALGORITHM,
    value: huks.HuksKeyAlg.HUKS_ALG_RSA
  };
  properties[1] = {
    tag: huks.HuksTag.HUKS_TAG_KEY_SIZE,
    value: huks.HuksKeySize.HUKS_RSA_KEY_SIZE_2048
  };
  properties[2] = {
    tag: huks.HuksTag.HUKS_TAG_PURPOSE,
    value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_ENCRYPT
  };
  properties[3] = {
    tag: huks.HuksTag.HUKS_TAG_PADDING,
    value: huks.HuksKeyPadding.HUKS_PADDING_PKCS1_V1_5
  };
  properties[4] = {
    tag: huks.HuksTag.HUKS_TAG_DIGEST,
    value: huks.HuksKeyDigest.HUKS_DIGEST_SHA256
  };
  properties[5] = {
    tag: huks.HuksTag.HUKS_TAG_BLOCK_MODE,
    value: huks.HuksCipherMode.HUKS_MODE_ECB,
  }

  huks.generateKeyItem(keyAlias, options, (error, data) => {
    if (error) {
      console.error(`callback: generateKeyItem failed`);
    } else {
      console.info(`callback: generateKeyItem success`);
      huks.initSession(keyAlias, options, (error, data) => { // Use abortSession to abort initSession.
        if (error) {
          console.error(`callback: initSession failed`);
        } else {
          console.info(`callback: initSession success, data = ${JSON.stringify(data)}`);
          handle = data.handle;
          huks.abortSession(handle, options, (error, data) => {
            if (error) {
              console.error(`callback: abortSession failed`);
            } else {
              console.info(`callback: abortSession success`);
            }
          });
        }
      });
    }
  });
}
```

## huks.abortSession<sup>9+</sup>

abortSession(handle: number, options: HuksOptions) : Promise\<void>;

Aborts a key operation. This API uses a promise to return the result.

**Atomic service API**: This API can be used in atomic services since API version 11.

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| ------- | --------------------------- | ---- | ------------------------------------------- |
| handle | number | Yes | Handle of the **abortSession** operation, which is of the uint64 type. |
| options | [HuksOptions](#huksoptions) | Yes | Parameter set used for the **abortSession** operation. |

**Return value**

| Type | Description |
| ----------------------------------- | -------------------------------------------------- |
| Promise\<void> | Promise used to return the result. The result of the **abortSession** operation is added to the callback.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 801 | api is not supported. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000006 | error occurred in crypto engine. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* huks.initSession, huks.updateSession, and huks.finishSession must be used together.
 * If an error occurs in any of huks.initSession, huks.updateSession,
 * and huks.finishSession operations,
 * huks.abortSession must be called to terminate the use of the key.
 *
 * The following uses a 2048-bit RSA key as an example. The promise-based APIs are used.
 */

function stringToUint8Array(str: string) {
  let arr: number[] = [];
  for (let i = 0, j = str.length; i < j; ++i) {
    arr.push(str.charCodeAt(i));
  }
  let tmpUint8Array = new Uint8Array(arr);
  return tmpUint8Array;
}

let keyAlias = "HuksDemoRSA";
let properties: Array<huks.HuksParam> = []
let options: huks.HuksOptions = {
  properties: properties,
  inData: new Uint8Array(0)
};
let handle: number = 0;

async function generateKey() {
  properties[0] = {
    tag: huks.HuksTag.HUKS_TAG_ALGORITHM,
    value: huks.HuksKeyAlg.HUKS_ALG_RSA
  };
  properties[1] = {
    tag: huks.HuksTag.HUKS_TAG_KEY_SIZE,
    value: huks.HuksKeySize.HUKS_RSA_KEY_SIZE_2048
  };
  properties[2] = {
    tag: huks.HuksTag.HUKS_TAG_PURPOSE,
    value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_ENCRYPT
  };
  properties[3] = {
    tag: huks.HuksTag.HUKS_TAG_PADDING,
    value: huks.HuksKeyPadding.HUKS_PADDING_PKCS1_V1_5
  };
  properties[4] = {
    tag: huks.HuksTag.HUKS_TAG_DIGEST,
    value: huks.HuksKeyDigest.HUKS_DIGEST_SHA256
  };
  properties[5] = {
    tag: huks.HuksTag.HUKS_TAG_BLOCK_MODE,
    value: huks.HuksCipherMode.HUKS_MODE_ECB,
  }

  await huks.generateKeyItem(keyAlias, options)
    .then((data) => {
      console.info(`promise: generateKeyItem success`);
    });
}

async function huksInit() {
  console.info('enter huksInit');
  await huks.initSession(keyAlias, options)
    .then((data) => {
      console.info(`promise: initSession success, data = ${JSON.stringify(data)}`);
      handle = data.handle;
    });
}

async function huksUpdate() {
  console.info('enter huksUpdate');
  options.inData = stringToUint8Array("huksHmacTest");
  await huks.updateSession(handle, options)
    .then((data) => {
      console.info(`promise: updateSession success, data = ${JSON.stringify(data)}`);
    });
}

async function huksFinish() {
  console.info('enter huksFinish');
  options.inData = new Uint8Array(0);
  await huks.finishSession(handle, options)
    .then((data) => {
      console.info(`promise: finishSession success, data = ${JSON.stringify(data)}`);
    });
}

async function huksAbort() {
  console.info('enter huksAbort');
  await huks.abortSession(handle, options)
    .then((data) => {
      console.info(`promise: abortSession success`);
    });
}

async function testAbort() {
  await generateKey();
  await huksInit(); // Use abortSession to abort initSession.
  await huksAbort();
}
```

## huks.listAliases<sup>12+</sup>

listAliases(options: HuksOptions): Promise\<HuksListAliasesReturnResult>;

Lists key aliases. This API uses a promise to return the result.

**Atomic service API**: This API can be used in atomic services since API version 12.

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| ------- | --------------------------- | ---- | ------------------------------------------- |
| options | [HuksOptions](#huksoptions) | Yes | Parameters for listing key aliases. |

**Return value**

| Type | Description |
| ----------------------------------- | -------------------------------------------------- |
| Promise\<[HuksListAliasesReturnResult](#hukslistaliasesreturnresult12)> | Promise used to return the result. The result of the **listAliases** operation is added to the callback.|

**Error codes**

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

| ID| Error Message |
| -------- | ------------- |
| 401 | Parameter error. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed. |
| 12000004 | operating file failed. |
| 12000005 | IPC communication failed. |
| 12000012 | Device environment or input parameter abnormal. |
| 12000014 | memory is insufficient. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit'

async function testListAliases() {
  let queryProperties: Array<huks.HuksParam> = [
    {
      tag: huks.HuksTag.HUKS_TAG_AUTH_STORAGE_LEVEL,
      value: huks.HuksAuthStorageLevel.HUKS_AUTH_STORAGE_LEVEL_DE
    }
  ];
  let queryOptions: huks.HuksOptions = {
    properties: queryProperties
  };

  let result: huks.HuksListAliasesReturnResult = await huks.listAliases(queryOptions);
  console.info(`promise: listAliases success`);
}
```

## HuksExceptionErrCode<sup>9+</sup>

Enumerates error codes and error details.

For details about the error codes, see [Universal Error Codes](../errorcode-universal.md) and [HUKS Error Codes](errorcode-huks.md).

**System capability**: SystemCapability.Security.Huks.Core

| Name | Value| Description |
| ---------------------------------------------- | -------- |--------------------------- |
| HUKS_ERR_CODE_PERMISSION_FAIL | 201 | Permission verification failed.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_ERR_CODE_NOT_SYSTEM_APP<sup>12+</sup> | 202 | The caller is not a system application and cannot call the system API.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_ERR_CODE_ILLEGAL_ARGUMENT | 401 | Invalid parameters are detected. Possible causes: 1. Mandatory parameters are left unspecified. 2. Incorrect parameter types. 3. Parameter verification failed.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_ERR_CODE_NOT_SUPPORTED_API | 801 | The API is not supported.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_ERR_CODE_FEATURE_NOT_SUPPORTED | 12000001 | The feature is not supported.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_ERR_CODE_MISSING_CRYPTO_ALG_ARGUMENT | 12000002 | Key algorithm parameters are missing.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_ERR_CODE_INVALID_CRYPTO_ALG_ARGUMENT | 12000003 | Invalid key algorithm parameters are detected.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_ERR_CODE_FILE_OPERATION_FAIL | 12000004 | The file operation failed.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_ERR_CODE_COMMUNICATION_FAIL | 12000005 | The communication failed.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_ERR_CODE_CRYPTO_FAIL | 12000006 | Failed to operate the algorithm library.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_ERR_CODE_KEY_AUTH_PERMANENTLY_INVALIDATED | 12000007 | Failed to access the key because the key has expired.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_ERR_CODE_KEY_AUTH_VERIFY_FAILED | 12000008 | Failed to access the key because the authentication has failed.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_ERR_CODE_KEY_AUTH_TIME_OUT | 12000009 | Key access timed out.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_ERR_CODE_SESSION_LIMIT | 12000010 | The number of key operation sessions has reached the limit.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_ERR_CODE_ITEM_NOT_EXIST | 12000011 | The target object does not exist.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_ERR_CODE_EXTERNAL_ERROR | 12000012 | An external error occurs.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_ERR_CODE_CREDENTIAL_NOT_EXIST | 12000013 | The credential does not exist.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_ERR_CODE_INSUFFICIENT_MEMORY | 12000014 | The memory is insufficient.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_ERR_CODE_CALL_SERVICE_FAILED | 12000015 | Failed to call other system services.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_ERR_CODE_DEVICE_PASSWORD_UNSET<sup>11+</sup> | 12000016 | The required lock screen password is not set.<br>**Atomic service API**: This API can be used in atomic services since API version 12.<br>**System capability**: SystemCapability.Security.Huks.Extension |
| HUKS_ERR_CODE_KEY_ALREADY_EXIST<sup>20+</sup> | 12000017 | A key with the same name already exists.<br>**Atomic service API**: This API can be used in atomic services since API version 20.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_ERR_CODE_INVALID_ARGUMENT<sup>20+</sup> | 12000018 | The argument is invalid.<br>**Atomic service API**: This API can be used in atomic services since API version 20.<br>**System capability**: SystemCapability.Security.Huks.Core |

## HuksKeyPurpose

Enumerates the key purposes.

A key can be used only for a single purpose. You cannot use the same key for both encryption/decryption and signature verification.

**System capability**: SystemCapability.Security.Huks.Core

| Name | Value | Description |
| ------------------------ | ---- | -------------------------------- |
| HUKS_KEY_PURPOSE_ENCRYPT | 1 | Used to encrypt the plaintext.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_KEY_PURPOSE_DECRYPT | 2 | Used to decrypt the cipher text.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_KEY_PURPOSE_SIGN | 4 | Used for signing.<br>**Atomic service API**: This API can be used in atomic services since API version 12.<br>**System capability**: SystemCapability.Security.Huks.Core<sup>12+</sup><br>SystemCapability.Security.Huks.Extension<sup>8-11</sup> |
| HUKS_KEY_PURPOSE_VERIFY | 8 | Used to verify the signature.<br>**Atomic service API**: This API can be used in atomic services since API version 12.<br>**System capability**: SystemCapability.Security.Huks.Core<sup>12+</sup><br>SystemCapability.Security.Huks.Extension<sup>8-11</sup> |
| HUKS_KEY_PURPOSE_DERIVE | 16 | Used to derive a key.<br>**Atomic service API**: This API can be used in atomic services since API version 12.<br>**System capability**: SystemCapability.Security.Huks.Core<sup>12+</sup><br>SystemCapability.Security.Huks.Extension<sup>8-11</sup> |
| HUKS_KEY_PURPOSE_WRAP | 32 | Used for an encrypted export.<br>**Atomic service API**: This API can be used in atomic services since API version 12.<br>**System capability**: SystemCapability.Security.Huks.Core<sup>12+</sup><br>SystemCapability.Security.Huks.Extension<sup>8-11</sup> |
| HUKS_KEY_PURPOSE_UNWRAP | 64 | Used for an encrypted import.<br>**Atomic service API**: This API can be used in atomic services since API version 12.<br>**System capability**: SystemCapability.Security.Huks.Core<sup>12+</sup><br>SystemCapability.Security.Huks.Extension<sup>8-11</sup> |
| HUKS_KEY_PURPOSE_MAC | 128 | Used to generate a message authentication code (MAC).<br>**Atomic service API**: This API can be used in atomic services since API version 12.<br>**System capability**: SystemCapability.Security.Huks.Core<sup>12+</sup><br>SystemCapability.Security.Huks.Extension<sup>8-11</sup> |
| HUKS_KEY_PURPOSE_AGREE | 256 | Used for key agreement.<br>**Atomic service API**: This API can be used in atomic services since API version 12.<br>**System capability**: SystemCapability.Security.Huks.Core<sup>12+</sup><br>SystemCapability.Security.Huks.Extension<sup>8-11</sup> |

## HuksKeyDigest

Enumerates the digest algorithms.

**Atomic service API**: This API can be used in atomic services since API version 12.

**System capability**: SystemCapability.Security.Huks.Core

The system capability is **SystemCapability.Security.Huks.Extension** in API versions 8 to 11, and **SystemCapability.Security.Huks.Core** since API version 12.

| Name | Value | Description |
| ---------------------- | ---- | ---------------------------------------- |
| HUKS_DIGEST_NONE | 0 | No digest algorithm
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_DIGEST_MD5 | 1 | MD5
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_DIGEST_SM39+ | 2 | SM3
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension9-11| | HUKS_DIGEST_SHA1 | 10 | SHA-1
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_DIGEST_SHA224 | 11 | SHA-224
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_DIGEST_SHA256 | 12 | SHA-256
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_DIGEST_SHA384 | 13 | SHA-384
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_DIGEST_SHA512 | 14 | SHA-512
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| ## HuksKeyPadding Enumerates the padding algorithms. **System capability**: SystemCapability.Security.Huks.Core | Name | Value | Description | | ---------------------- | ---- | ---------------------------------------- | | HUKS_PADDING_NONE | 0 | No padding algorithm is used.
**Atomic service API**: This API can be used in atomic services since API version 11.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_PADDING_OAEP | 1 | Optimal Asymmetric Encryption Padding (OAEP).
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_PADDING_PSS | 2 | Probabilistic Signature Scheme (PSS).
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_PADDING_PKCS1_V1_5 | 3 | Public Key Cryptography Standards (PKCS) #1 v1.5.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_PADDING_PKCS5 | 4 | PKCS #5.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_PADDING_PKCS7 | 5 | PKCS #7.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_PADDING_ISO_IEC_9796_212+ | 6 | ISO_IEC_9796_2 (not supported currently) .
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_PADDING_ISO_IEC_9797_112+ | 7 | ISO_IEC_9797_1 (not supported currently) .
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core| ## HuksCipherMode Enumerates the cipher modes. **System capability**: SystemCapability.Security.Huks.Core | Name | Value | Description | | ------------- | ---- | --------------------- | | HUKS_MODE_ECB | 1 | Electronic Code Block (ECB) mode.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_MODE_CBC | 2 | Cipher Block Chaining (CBC) mode.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_MODE_CTR | 3 | Counter (CTR) mode.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_MODE_OFB | 4 | Output Feedback (OFB) mode.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_MODE_CFB12+ | 5 | Ciphertext Feedback (CFB) mode.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_MODE_CCM | 31 | Counter with CBC-MAC (CCM) mode.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_MODE_GCM | 32 | Galois/Counter (GCM) mode.
**Atomic service API**: This API can be used in atomic services since API version 11.
**System capability**: SystemCapability.Security.Huks.Core| ## HuksKeySize Enumerates the key sizes. **System capability**: SystemCapability.Security.Huks.Core | Name | Value | Description | | ---------------------------------- | ---- | ------------------------------------------ | | HUKS_RSA_KEY_SIZE_512 | 512 | Rivest-Shamir-Adleman (RSA) key of 512 bits.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_RSA_KEY_SIZE_768 | 768 | RSA key of 768 bits.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_RSA_KEY_SIZE_1024 | 1024 | RSA key of 1024 bits.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_RSA_KEY_SIZE_2048 | 2048 | RSA key of 2048 bits.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_RSA_KEY_SIZE_3072 | 3072 | RSA key of 3072 bits.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_RSA_KEY_SIZE_4096 | 4096 | RSA key of 4096 bits.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_ECC_KEY_SIZE_224 | 224 | Elliptic Curve Cryptography (ECC) key of 224 bits.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_ECC_KEY_SIZE_256 | 256 | ECC key of 256 bits.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_ECC_KEY_SIZE_384 | 384 | ECC key of 384 bits.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_ECC_KEY_SIZE_521 | 521 | ECC key of 521 bits.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_AES_KEY_SIZE_128 | 128 | Advanced Encryption Standard (AES) key of 128 bits.
**Atomic service API**: This API can be used in atomic services since API version 11.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_AES_KEY_SIZE_192 | 192 | AES key of 192 bits.
**Atomic service API**: This API can be used in atomic services since API version 11.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_AES_KEY_SIZE_256 | 256 | AES key of 256 bits.
**Atomic service API**: This API can be used in atomic services since API version 11.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_AES_KEY_SIZE_512(deprecated) | 512 | AES key of 512 bits. This API is deprecated since API version 11.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_CURVE25519_KEY_SIZE_256 | 256 | Curve25519 key of 256 bits.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_DH_KEY_SIZE_2048 | 2048 | Diffie-Hellman (DH) key of 2048 bits.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_DH_KEY_SIZE_3072 | 3072 | DH key of 3072 bits.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_DH_KEY_SIZE_4096 | 4096 | DH key of 4096 bits.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_SM2_KEY_SIZE_2569+ | 256 | ShangMi2 (SM2) key of 256 bits.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension9-11| | HUKS_SM4_KEY_SIZE_1289+ | 128 | ShangMi4 (SM4) key of 128 bits.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension9-11| | HUKS_DES_KEY_SIZE_6412+ | 64 | DES key of 64 bits.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_3DES_KEY_SIZE_12812+ | 128 | 3DES key of 128 bits.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_3DES_KEY_SIZE_19212+ | 192 | 3DES key of 192 bits.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core| ## HuksKeyAlg Enumerates the key algorithms. **System capability**: SystemCapability.Security.Huks.Core | Name | Value | Description | | ------------------------- | ---- | --------------------- | | HUKS_ALG_RSA | 1 | RSA.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_ALG_ECC | 2 | ECC.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_ALG_DSA | 3 | DSA.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_ALG_AES | 20 | AES.
**Atomic service API**: This API can be used in atomic services since API version 11.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_ALG_HMAC | 50 | HMAC.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_ALG_HKDF | 51 | HKDF.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_ALG_PBKDF2 | 52 | PBKDF2.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_ALG_ECDH | 100 | ECDH.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_ALG_X25519 | 101 | X25519.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_ALG_ED25519 | 102 | Ed25519.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_ALG_DH | 103 | DH.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_ALG_SM29+ | 150 | SM2.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension9-11| | HUKS_ALG_SM39+ | 151 | SM3.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension9-11| | HUKS_ALG_SM49+ | 152 | SM4.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension9-11| | HUKS_ALG_DES12+ | 160 | DES (supported for lightweight devices since API version 12; supported for standard devices since API version 18).
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_ALG_3DES12+ | 161 | 3DES (supported for lightweight devices since API version 12; supported for standard devices since API version 18).
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_ALG_CMAC12+ | 162 | CMAC (supported for lightweight devices since API version 12; supported for standard devices since API version 18).
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core| ## HuksKeyGenerateType Enumerates the key generation types. **Atomic service API**: This API can be used in atomic services since API version 12. **System capability**: SystemCapability.Security.Huks.Core The system capability is **SystemCapability.Security.Huks.Extension** in API versions 8 to 11, and **SystemCapability.Security.Huks.Core** since API version 12. | Name | Value | Description | | ------------------------------ | ---- | ---------------- | | HUKS_KEY_GENERATE_TYPE_DEFAULT | 0 | Key generated by default.| | HUKS_KEY_GENERATE_TYPE_DERIVE | 1 | Derived key.| | HUKS_KEY_GENERATE_TYPE_AGREE | 2 | Key generated by agreement.| ## HuksKeyFlag Enumerates the key generation modes. **Atomic service API**: This API can be used in atomic services since API version 12. **System capability**: SystemCapability.Security.Huks.Core | Name | Value | Description | | -------------------------- | ---- | ------------------------------------ | | HUKS_KEY_FLAG_IMPORT_KEY | 1 | Import a key using an API. | | HUKS_KEY_FLAG_GENERATE_KEY | 2 | Generate a key by using an API. | | HUKS_KEY_FLAG_AGREE_KEY | 3 | Generate a key by using a key agreement API.| | HUKS_KEY_FLAG_DERIVE_KEY | 4 | Derive a key by using an API.| ## HuksKeyStorageType Enumerates the key storage modes. **System capability**: SystemCapability.Security.Huks.Core | Name | Value | Description | | -------------------------------------------- | ---- | ------------------------------ | | HUKS_STORAGE_TEMP(deprecated) | 0 | The key is managed locally.
> **NOTE**
This tag is deprecated since API version 10. No substitute is provided because this tag is not used in key management. In key derivation scenarios, use **HUKS_STORAGE_ONLY_USED_IN_HUKS** or **HUKS_STORAGE_KEY_EXPORT_ALLOWED**.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_STORAGE_PERSISTENT(deprecated) | 1 | The key is managed by the HUKS service.
> **NOTE**
This tag is deprecated since API version 10. No substitute is provided because this tag is not used in key management. In key derivation scenarios, use **HUKS_STORAGE_ONLY_USED_IN_HUKS** or **HUKS_STORAGE_KEY_EXPORT_ALLOWED**.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_STORAGE_ONLY_USED_IN_HUKS10+ | 2 | The key derived from the master key is stored in the HUKS and managed by the HUKS.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension10-11| | HUKS_STORAGE_KEY_EXPORT_ALLOWED10+ | 3 | The key derived from the master key is exported to the service, and not managed by the HUKS.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension10-11| ## HuksSendType Enumerates the tag transfer modes. **Atomic service API**: This API can be used in atomic services since API version 12. **System capability**: SystemCapability.Security.Huks.Core The system capability is **SystemCapability.Security.Huks.Extension** in API versions 8 to 11, and **SystemCapability.Security.Huks.Core** since API version 12. | Name | Value | Description | | -------------------- | ---- | ----------------- | | HUKS_SEND_TYPE_ASYNC | 0 | The tag is sent asynchronously.| | HUKS_SEND_TYPE_SYNC | 1 | The tag is sent synchronously.| ## HuksUnwrapSuite9+ Enumerates the algorithm suites that can be used for importing a key in ciphertext. **Atomic service API**: This API can be used in atomic services since API version 12. **System capability**: SystemCapability.Security.Huks.Core The system capability is **SystemCapability.Security.Huks.Extension** in API versions 9 to 11, and **SystemCapability.Security.Huks.Core** since API version 12. | Name | Value | Description | | ---------------------------------------------- | ---- | ----------------------------------------------------- | | HUKS_UNWRAP_SUITE_X25519_AES_256_GCM_NOPADDING | 1 | Use X25519 for key agreement and then use AES-256 GCM to encrypt the key.| | HUKS_UNWRAP_SUITE_ECDH_AES_256_GCM_NOPADDING | 2 | Use ECDH for key agreement and then use AES-256 GCM to encrypt the key. | ## HuksImportKeyType9+ Enumerates the types of keys to import. By default, a public key is imported. This field is not required when a symmetric key is imported. **Atomic service API**: This API can be used in atomic services since API version 12. **System capability**: SystemCapability.Security.Huks.Core The system capability is **SystemCapability.Security.Huks.Extension** in API versions 9 to 11, and **SystemCapability.Security.Huks.Core** since API version 12. 
| Name | Value | Description |
| ------------------------- | ---- | ------------------------------ |
| HUKS_KEY_TYPE_PUBLIC_KEY | 0 | Public key |
| HUKS_KEY_TYPE_PRIVATE_KEY | 1 | Private key |
| HUKS_KEY_TYPE_KEY_PAIR | 2 | Public and private key pair |

## HuksRsaPssSaltLenType<sup>10+</sup>

Enumerates the **salt_len** types to set when PSS padding is used in RSA signing or signature verification.

**Atomic service API**: This API can be used in atomic services since API version 12.

**System capability**: SystemCapability.Security.Huks.Core

The system capability is **SystemCapability.Security.Huks.Extension** in API versions 10 to 11, and **SystemCapability.Security.Huks.Core** since API version 12.

| Name | Value | Description |
| ------------------------------------------ | ---- | ---------------------------- |
| HUKS_RSA_PSS_SALT_LEN_DIGEST | 0 | **salt_len** is set to the digest length. |
| HUKS_RSA_PSS_SALT_LEN_MAX | 1 | **salt_len** is set to the maximum length. |

## HuksUserAuthType<sup>9+</sup>

Enumerates the user authentication types.

**System capability**: SystemCapability.Security.Huks.Extension

| Name | Value | Description |
| ------------------------------- | ---- | ------------------------- |
| HUKS_USER_AUTH_TYPE_FINGERPRINT | 1 << 0 | Fingerprint authentication.<br>**Atomic service API**: This API can be used in atomic services since API version 12. |
| HUKS_USER_AUTH_TYPE_FACE | 1 << 1 | Facial authentication.<br>**Atomic service API**: This API can be used in atomic services since API version 12. |
| HUKS_USER_AUTH_TYPE_PIN | 1 << 2 | PIN authentication.<br>**Atomic service API**: This API can be used in atomic services since API version 12. |
| HUKS_USER_AUTH_TYPE_TUI_PIN<sup>20+</sup> | 1 << 5 | TUI PIN authentication. (not supported currently) |

## HuksUserAuthMode<sup>12+</sup>

Enumerates the user authentication modes.

**Atomic service API**: This API can be used in atomic services since API version 12.

**System capability**: SystemCapability.Security.Huks.Extension

| Name | Value | Description |
| ------------------------------- | ---- | ------------------------- |
| HUKS_USER_AUTH_MODE_LOCAL | 0 | Local authentication. |
| HUKS_USER_AUTH_MODE_COAUTH | 1 | Cross-device collaborative authentication. |

## HuksAuthAccessType<sup>9+</sup>

Enumerates the access control types.

**Atomic service API**: This API can be used in atomic services since API version 12.

**System capability**: SystemCapability.Security.Huks.Extension

| Name | Value | Description |
| --------------------------------------- | ---- | ------------------------------------------------ |
| HUKS_AUTH_ACCESS_INVALID_CLEAR_PASSWORD | 1 << 0 | The key becomes invalid after the password is cleared. |
| HUKS_AUTH_ACCESS_INVALID_NEW_BIO_ENROLL | 1 << 1 | The key becomes invalid after a new biometric feature is added. |
| HUKS_AUTH_ACCESS_ALWAYS_VALID<sup>11+</sup> | 1 << 2 | The key is always valid. |

## HuksChallengeType<sup>9+</sup>

Enumerates the types of the challenges generated when a key is used.

**Atomic service API**: This API can be used in atomic services since API version 12.

**System capability**: SystemCapability.Security.Huks.Extension

| Name | Value | Description |
| ------------------------------- | ---- | ------------------------------ |
| HUKS_CHALLENGE_TYPE_NORMAL | 0 | Normal challenge, which is of 32 bytes by default. |
| HUKS_CHALLENGE_TYPE_CUSTOM | 1 | Custom challenge, which supports only one authentication for multiple keys. |
| HUKS_CHALLENGE_TYPE_NONE | 2 | Challenge is not required. |

## HuksChallengePosition<sup>9+</sup>

Enumerates the positions of the 8-byte valid value in a custom challenge generated.

**Atomic service API**: This API can be used in atomic services since API version 12.

**System capability**: SystemCapability.Security.Huks.Extension

| Name | Value | Description |
| ------------------------------- | ---- | ------------------------------ |
| HUKS_CHALLENGE_POS_0 | 0 | Bytes 0 to 7. |
| HUKS_CHALLENGE_POS_1 | 1 | Bytes 8 to 15. |
| HUKS_CHALLENGE_POS_2 | 2 | Bytes 16 to 23. |
| HUKS_CHALLENGE_POS_3 | 3 | Bytes 24 to 31. |

## HuksSecureSignType<sup>9+</sup>

Enumerates the signature types of the key generated or imported.

**Atomic service API**: This API can be used in atomic services since API version 12.

**System capability**: SystemCapability.Security.Huks.Extension

| Name | Value | Description |
| ------------------------------ | ---- | ------------------------------------------------------------ |
| HUKS_SECURE_SIGN_WITH_AUTHINFO | 1 | The signature carries authentication information. This field is specified when a key is generated or imported. When the key is used for signing, the data will be added with the authentication information and then be signed.<br>Note: The carried authentication information includes identity information. You need to describe the purpose, retention policy, and destruction method of the identity information in the privacy statement. |

## HuksAuthStorageLevel<sup>11+</sup>

Enumerates the storage security levels of a key.

**Atomic service API**: This API can be used in atomic services since API version 12.

**System capability**: SystemCapability.Security.Huks.Core

The system capability is **SystemCapability.Security.Huks.Extension** in API version 11, and **SystemCapability.Security.Huks.Core** since API version 12.

| Name | Value | Description |
| ------------------------------ | ---- | ------------------------------------------------------------ |
| HUKS_AUTH_STORAGE_LEVEL_DE | 0 | The key can be accessed only after the device is started. |
| HUKS_AUTH_STORAGE_LEVEL_CE | 1 | The key can be accessed only after the first unlock of the device. |
| HUKS_AUTH_STORAGE_LEVEL_ECE | 2 | The key can be accessed only when the device is unlocked. |

## HuksKeyWrapType<sup>20+</sup>

Enumerates the key encryption types (exporting or importing keys).

**Atomic service API**: This API can be used in atomic services since API version 20.

**System capability**: SystemCapability.Security.Huks.Core

| Name | Value | Description |
| ------------------------------ | ---- | ------------------------------------------------------------ |
| HUKS_KEY_WRAP_TYPE_HUK_BASED | 2 | Hardware unique key encryption type. (not supported currently) |

## HuksTagType

Enumerates the tag data types.

**Atomic service API**: This API can be used in atomic services since API version 11.

**System capability**: SystemCapability.Security.Huks.Core

| Name | Value | Description |
| --------------------- | ------- | --------------------------------------- |
| HUKS_TAG_TYPE_INVALID | 0 << 28 | Invalid tag type. |
| HUKS_TAG_TYPE_INT | 1 << 28 | Number of the int type. |
| HUKS_TAG_TYPE_UINT | 2 << 28 | Number of the uint type. |
| HUKS_TAG_TYPE_ULONG | 3 << 28 | BigInt. |
| HUKS_TAG_TYPE_BOOL | 4 << 28 | Boolean. |
| HUKS_TAG_TYPE_BYTES | 5 << 28 | Uint8Array. |

## HuksTag

Enumerates the tags used to invoke parameters.

**System capability**: SystemCapability.Security.Huks.Core

| Name | Value | Description |
| ----------------------------------------------------------- | ---------------------------------------- | ------------------------------------------------------------ |
| HUKS_TAG_INVALID(deprecated) | HuksTagType.HUKS_TAG_TYPE_INVALID \| 0 | Invalid tag. It is deprecated since API version 9.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_TAG_ALGORITHM | HuksTagType.HUKS_TAG_TYPE_UINT \| 1 | Algorithm.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_TAG_PURPOSE | HuksTagType.HUKS_TAG_TYPE_UINT \| 2 | Purpose of the key.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_TAG_KEY_SIZE | HuksTagType.HUKS_TAG_TYPE_UINT \| 3 | Key size.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_TAG_DIGEST | HuksTagType.HUKS_TAG_TYPE_UINT \| 4 | Digest algorithm.<br>**Atomic service API**: This API can be used in atomic services since API version 12.<br>**System capability**: SystemCapability.Security.Huks.Core<sup>12+</sup><br>SystemCapability.Security.Huks.Extension<sup>8-11</sup> |
| HUKS_TAG_PADDING | HuksTagType.HUKS_TAG_TYPE_UINT \| 5 | Padding mode.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_TAG_BLOCK_MODE | HuksTagType.HUKS_TAG_TYPE_UINT \| 6 | Cipher mode.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_TAG_KEY_TYPE | HuksTagType.HUKS_TAG_TYPE_UINT \| 7 | Key type.<br>**Atomic service API**: This API can be used in atomic services since API version 12.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_TAG_ASSOCIATED_DATA | HuksTagType.HUKS_TAG_TYPE_BYTES \| 8 | Associated authentication data.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_TAG_NONCE | HuksTagType.HUKS_TAG_TYPE_BYTES \| 9 | Nonce for key encryption and decryption.<br>**Atomic service API**: This API can be used in atomic services since API version 11.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_TAG_IV | HuksTagType.HUKS_TAG_TYPE_BYTES \| 10 | IV.<br>**Atomic service API**: This API can be used in atomic services since API version 12.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_TAG_INFO | HuksTagType.HUKS_TAG_TYPE_BYTES \| 11 | Information generated during key derivation.<br>**Atomic service API**: This API can be used in atomic services since API version 12.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_TAG_SALT | HuksTagType.HUKS_TAG_TYPE_BYTES \| 12 | Salt value used for key derivation.<br>**Atomic service API**: This API can be used in atomic services since API version 12.<br>**System capability**: SystemCapability.Security.Huks.Core<sup>12+</sup><br>SystemCapability.Security.Huks.Extension<sup>8-11</sup> |
| HUKS_TAG_PWD(deprecated) | HuksTagType.HUKS_TAG_TYPE_BYTES \| 13 | Password used for key derivation. It is deprecated since API version 9.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_TAG_ITERATION | HuksTagType.HUKS_TAG_TYPE_UINT \| 14 | Number of iterations for key derivation.<br>**Atomic service API**: This API can be used in atomic services since API version 12.<br>**System capability**: SystemCapability.Security.Huks.Core<sup>12+</sup><br>SystemCapability.Security.Huks.Extension<sup>8-11</sup> |
| HUKS_TAG_KEY_GENERATE_TYPE | HuksTagType.HUKS_TAG_TYPE_UINT \| 15 | Key generation type.<br>**Atomic service API**: This API can be used in atomic services since API version 12.<br>**System capability**: SystemCapability.Security.Huks.Core |
| HUKS_TAG_DERIVE_MAIN_KEY(deprecated) | HuksTagType.HUKS_TAG_TYPE_BYTES \| 16 | Main key for key derivation. It is deprecated since API version 9.<br>**System capability**: SystemCapability.Security.Huks.Extension |
| HUKS_TAG_DERIVE_FACTOR(deprecated) | HuksTagType.HUKS_TAG_TYPE_BYTES \| 17 | Factor for key derivation. It is deprecated since API version 9.<br>**System capability**: SystemCapability.Security.Huks.Extension |
| HUKS_TAG_DERIVE_ALG(deprecated) | HuksTagType.HUKS_TAG_TYPE_UINT \| 18 | Type of the algorithm used for key derivation. It is deprecated since API version 9.<br>**System capability**: SystemCapability.Security.Huks.Extension |
| HUKS_TAG_AGREE_ALG | HuksTagType.HUKS_TAG_TYPE_UINT \| 19 | Type of the algorithm used for key agreement.<br>**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_TAG_AGREE_PUBLIC_KEY_IS_KEY_ALIAS | HuksTagType.HUKS_TAG_TYPE_BOOL \| 20 | Public key alias used in key agreement.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_TAG_AGREE_PRIVATE_KEY_ALIAS | HuksTagType.HUKS_TAG_TYPE_BYTES \| 21 | Private key alias used in key agreement.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_TAG_AGREE_PUBLIC_KEY | HuksTagType.HUKS_TAG_TYPE_BYTES \| 22 | Public key used in key agreement.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_TAG_KEY_ALIAS | HuksTagType.HUKS_TAG_TYPE_BYTES \| 23 | Key alias.
**Atomic service API**: This API can be used in atomic services since API version 11.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_TAG_DERIVE_KEY_SIZE | HuksTagType.HUKS_TAG_TYPE_UINT \| 24 | Size of the derived key.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_TAG_IMPORT_KEY_TYPE9+ | HuksTagType.HUKS_TAG_TYPE_UINT \| 25 | Type of the imported key.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension9-11| | HUKS_TAG_UNWRAP_ALGORITHM_SUITE9+ | HuksTagType.HUKS_TAG_TYPE_UINT \| 26 | Algorithm suite required for encrypted imports.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension9-11| | HUKS_TAG_DERIVED_AGREED_KEY_STORAGE_FLAG10+ | HuksTagType.HUKS_TAG_TYPE_UINT \|29 | Storage type of the derived key or agreed key.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension10-11| | HUKS_TAG_RSA_PSS_SALT_LEN_TYPE10+ | HuksTagType.HUKS_TAG_TYPE_UINT \|30 | Type of the **rsa_pss_salt_length**.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension10-11| | HUKS_TAG_ACTIVE_DATETIME(deprecated) | HuksTagType.HUKS_TAG_TYPE_ULONG \| 201 | Parameter originally reserved for certificate management. It is deprecated because certificate management is no longer implemented in this module.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_ORIGINATION_EXPIRE_DATETIME(deprecated) | HuksTagType.HUKS_TAG_TYPE_ULONG \| 202 | Parameter originally reserved for certificate management. It is deprecated because certificate management is no longer implemented in this module.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_TAG_USAGE_EXPIRE_DATETIME(deprecated) | HuksTagType.HUKS_TAG_TYPE_ULONG \| 203 | Parameter originally reserved for certificate management. It is deprecated because certificate management is no longer implemented in this module.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_TAG_CREATION_DATETIME(deprecated) | HuksTagType.HUKS_TAG_TYPE_ULONG \| 204 | Parameter originally reserved for certificate management. It is deprecated because certificate management is no longer implemented in this module.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_TAG_ALL_USERS | HuksTagType.HUKS_TAG_TYPE_BOOL \| 301 | Reserved.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_TAG_USER_ID | HuksTagType.HUKS_TAG_TYPE_UINT \| 302 | ID of the user to which the key belongs.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_TAG_NO_AUTH_REQUIRED | HuksTagType.HUKS_TAG_TYPE_BOOL \| 303 | Reserved.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_TAG_USER_AUTH_TYPE | HuksTagType.HUKS_TAG_TYPE_UINT \| 304 | User authentication type. For details, see [HuksUserAuthType](#huksuserauthtype9). This parameter must be set together with [HuksAuthAccessType](#huksauthaccesstype9). You can set a maximum of two user authentication types at a time. For example, if **HuksAuthAccessType** is **HUKS_AUTH_ACCESS_INVALID_NEW_BIO_ENROLL**, you can set two of **HUKS_USER_AUTH_TYPE_FACE**, **HUKS_USER_AUTH_TYPE_FINGERPRINT**, and **HUKS_USER_AUTH_TYPE_FACE \**| **HUKS_USER_AUTH_TYPE_FINGERPRINT**.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_AUTH_TIMEOUT | HuksTagType.HUKS_TAG_TYPE_UINT \| 305 | One-time validity period of the authentication token.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_AUTH_TOKEN | HuksTagType.HUKS_TAG_TYPE_BYTES \| 306 | Authentication token.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_KEY_AUTH_ACCESS_TYPE9+ | HuksTagType.HUKS_TAG_TYPE_UINT \| 307 | Access control type. For details, see [HuksAuthAccessType](#huksauthaccesstype9). This parameter must be set together with [HuksUserAuthType](#huksuserauthtype9).
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_KEY_SECURE_SIGN_TYPE9+ | HuksTagType.HUKS_TAG_TYPE_UINT \| 308 | Signature type of the key generated or imported.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_CHALLENGE_TYPE9+ | HuksTagType.HUKS_TAG_TYPE_UINT \| 309 | Type of the challenge generated for a key. For details, see [HuksChallengeType](#hukschallengetype9).
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_CHALLENGE_POS9+ | HuksTagType.HUKS_TAG_TYPE_UINT \| 310 | Position of the 8-byte valid value in a custom challenge. For details, see [HuksChallengePosition](#hukschallengeposition9).
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_KEY_AUTH_PURPOSE10+ | HuksTagType.HUKS_TAG_TYPE_UINT \|311 | Key authentication purpose.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_AUTH_STORAGE_LEVEL11+ | HuksTagType.HUKS_TAG_TYPE_UINT \|316 | Key storage security level, which is a value of [HuksAuthStorageLevel](#huksauthstoragelevel11).
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_USER_AUTH_MODE12+ | HuksTagType.HUKS_TAG_TYPE_UINT \| 319 | User authentication mode, which is a value of [HuksUserAuthMode](#huksuserauthmode12).
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_ATTESTATION_CHALLENGE | HuksTagType.HUKS_TAG_TYPE_BYTES \| 501 | Challenge value used in the attestation.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_ATTESTATION_APPLICATION_ID | HuksTagType.HUKS_TAG_TYPE_BYTES \| 502 | Application ID used in the attestation.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_ATTESTATION_ID_BRAND(deprecated) | HuksTagType.HUKS_TAG_TYPE_BYTES \| 503 | Brand of the device. It is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_ATTESTATION_ID_DEVICE(deprecated) | HuksTagType.HUKS_TAG_TYPE_BYTES \| 504 | ID of the device. It is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_ATTESTATION_ID_PRODUCT(deprecated) | HuksTagType.HUKS_TAG_TYPE_BYTES \| 505 | Product name of the device. It is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_ATTESTATION_ID_SERIAL(deprecated) | HuksTagType.HUKS_TAG_TYPE_BYTES \| 506 | SN of the device. It is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_ATTESTATION_ID_IMEI(deprecated) | HuksTagType.HUKS_TAG_TYPE_BYTES \| 507 | International mobile equipment identity (IMEI) of the device. It is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_ATTESTATION_ID_MEID(deprecated) | HuksTagType.HUKS_TAG_TYPE_BYTES \| 508 | Mobile equipment identity (MEID) of the device. It is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_ATTESTATION_ID_MANUFACTURER(deprecated) | HuksTagType.HUKS_TAG_TYPE_BYTES \| 509 | Manufacturer of the device. It is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_ATTESTATION_ID_MODEL(deprecated) | HuksTagType.HUKS_TAG_TYPE_BYTES \| 510 | Device model. It is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_ATTESTATION_ID_ALIAS | HuksTagType.HUKS_TAG_TYPE_BYTES \| 511 | Key alias used in the attestation.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_ATTESTATION_ID_SOCID(deprecated) | HuksTagType.HUKS_TAG_TYPE_BYTES \| 512 | System-on-a-chip (SoCID) of the device. It is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_ATTESTATION_ID_UDID(deprecated) | HuksTagType.HUKS_TAG_TYPE_BYTES \| 513 | Unique device identifier (UDID) of the device. It is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_ATTESTATION_ID_SEC_LEVEL_INFO | HuksTagType.HUKS_TAG_TYPE_BYTES \| 514 | Security level used in the attestation.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_ATTESTATION_ID_VERSION_INFO | HuksTagType.HUKS_TAG_TYPE_BYTES \| 515 | Version information used in the attestation.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_KEY_OVERRIDE20+ | HuksTagType.HUKS_TAG_TYPE_BOOL \| 520 | Whether to overwrite the key with the same name.
**Atomic service API**: This API can be used in atomic services since API version 20.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_TAG_IS_KEY_ALIAS | HuksTagType.HUKS_TAG_TYPE_BOOL \| 1001 | Whether to use the alias passed in during key generation.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_TAG_KEY_STORAGE_FLAG | HuksTagType.HUKS_TAG_TYPE_UINT \| 1002 | Key storage mode.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_TAG_IS_ALLOWED_WRAP | HuksTagType.HUKS_TAG_TYPE_BOOL \| 1003 | Reserved.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_TAG_KEY_WRAP_TYPE | HuksTagType.HUKS_TAG_TYPE_UINT \| 1004 | Reserved.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_TAG_KEY_AUTH_ID | HuksTagType.HUKS_TAG_TYPE_BYTES \| 1005 | Reserved.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_KEY_ROLE | HuksTagType.HUKS_TAG_TYPE_UINT \| 1006 | Reserved.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_TAG_KEY_FLAG | HuksTagType.HUKS_TAG_TYPE_UINT \| 1007 | Flag of the key.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_TAG_IS_ASYNCHRONIZED | HuksTagType.HUKS_TAG_TYPE_UINT \| 1008 | Reserved.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_TAG_SECURE_KEY_ALIAS(deprecated) | HuksTagType.HUKS_TAG_TYPE_BOOL \| 1009 | Reserved field, which is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_TAG_SECURE_KEY_UUID(deprecated) | HuksTagType.HUKS_TAG_TYPE_BYTES \| 1010 | Reserved field, which is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_KEY_DOMAIN | HuksTagType.HUKS_TAG_TYPE_UINT \| 1011 | Reserved.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_TAG_IS_DEVICE_PASSWORD_SET11+ | HuksTagType.HUKS_TAG_TYPE_BOOL \| 1012 | Whether the key is accessible only when the user sets a lock screen password.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_PROCESS_NAME(deprecated) | HuksTagType.HUKS_TAG_TYPE_BYTES \| 10001 | Process name. It is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_TAG_PACKAGE_NAME(deprecated) | HuksTagType.HUKS_TAG_TYPE_BYTES \| 10002 | Reserved field, which is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_ACCESS_TIME(deprecated) | HuksTagType.HUKS_TAG_TYPE_UINT \| 10003 | Reserved field, which is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_USES_TIME(deprecated) | HuksTagType.HUKS_TAG_TYPE_UINT \| 10004 | Reserved field, which is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_CRYPTO_CTX(deprecated) | HuksTagType.HUKS_TAG_TYPE_ULONG \| 10005 | Reserved field, which is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_KEY | HuksTagType.HUKS_TAG_TYPE_BYTES \| 10006 | Reserved.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_TAG_KEY_VERSION(deprecated) | HuksTagType.HUKS_TAG_TYPE_UINT \| 10007 | Key version. It is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_PAYLOAD_LEN(deprecated) | HuksTagType.HUKS_TAG_TYPE_UINT \| 10008 | Reserved field, which is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Extension| | HUKS_TAG_AE_TAG | HuksTagType.HUKS_TAG_TYPE_BYTES \| 10009 | Used to pass in the AEAD in GCM mode.
**Atomic service API**: This API can be used in atomic services since API version 11.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_TAG_IS_KEY_HANDLE(deprecated) | HuksTagType.HUKS_TAG_TYPE_ULONG \| 10010 | Reserved field, which is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_TAG_OS_VERSION(deprecated) | HuksTagType.HUKS_TAG_TYPE_UINT \| 10101 | OS version. It is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_TAG_OS_PATCHLEVEL(deprecated) | HuksTagType.HUKS_TAG_TYPE_UINT \| 10102 | OS patch level. It is deprecated since API version 9.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_TAG_SYMMETRIC_KEY_DATA | HuksTagType.HUKS_TAG_TYPE_BYTES \| 20001 | Reserved.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core| | HUKS_TAG_ASYMMETRIC_PUBLIC_KEY_DATA | HuksTagType.HUKS_TAG_TYPE_BYTES \| 20002 | Reserved.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension8-11| | HUKS_TAG_ASYMMETRIC_PRIVATE_KEY_DATA | HuksTagType.HUKS_TAG_TYPE_BYTES \| 20003 | Reserved.
**Atomic service API**: This API can be used in atomic services since API version 12.
**System capability**: SystemCapability.Security.Huks.Core12+
SystemCapability.Security.Huks.Extension<sup>8-11</sup>|

## huks.getSdkVersion(deprecated)

getSdkVersion(options: HuksOptions) : string

Obtains the SDK version of the current system.

> **NOTE**
>
> This API is deprecated since API version 11.

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| ------- | ---------- | ---- | ------------------------- |
| options | [HuksOptions](#huksoptions) | Yes | Empty object, which is used to hold the SDK version.|

**Return value**

| Type | Description |
| ------ | ------------- |
| string | SDK version obtained.|

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Set options to emptyOptions. */
let emptyOptions: huks.HuksOptions = {
  properties: []
};
let result = huks.getSdkVersion(emptyOptions);
```

## huks.generateKey(deprecated)

generateKey(keyAlias: string, options: HuksOptions, callback: AsyncCallback\<HuksResult>) : void

Generates a key. This API uses an asynchronous callback to return the result.

> **NOTE**
>
> This API is deprecated since API version 9. You are advised to use [huks.generateKeyItem<sup>9+</sup>](#huksgeneratekeyitem9).

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ----------------------------------------- | ---- | ------------------------------------------------------------ |
| keyAlias | string | Yes | Alias of the key. The value can contain up to 128 bytes and should not include sensitive data such as personal information. |
| options | [HuksOptions](#huksoptions) | Yes | Tags required for generating the key. |
| callback | AsyncCallback\<[HuksResult](#huksresultdeprecated)> | Yes | Callback used to return the result. If the operation is successful, **HUKS_SUCCESS** is returned. If the operation fails, an error code defined in **HuksResult** is returned.|

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Generate an RSA key of 512 bits.
*/
/* Note: a 512-bit RSA key is too short to be secure; use a larger key size in real applications. */
let keyAlias = 'keyAlias';
let properties: Array<huks.HuksParam> = [
  { tag: huks.HuksTag.HUKS_TAG_ALGORITHM, value: huks.HuksKeyAlg.HUKS_ALG_RSA },
  { tag: huks.HuksTag.HUKS_TAG_KEY_SIZE, value: huks.HuksKeySize.HUKS_RSA_KEY_SIZE_512 },
  {
    tag: huks.HuksTag.HUKS_TAG_PURPOSE,
    value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_ENCRYPT | huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_DECRYPT
  },
  { tag: huks.HuksTag.HUKS_TAG_PADDING, value: huks.HuksKeyPadding.HUKS_PADDING_OAEP },
  { tag: huks.HuksTag.HUKS_TAG_DIGEST, value: huks.HuksKeyDigest.HUKS_DIGEST_SHA256 }
];
let options: huks.HuksOptions = {
  properties: properties
};
huks.generateKey(keyAlias, options, (err, data) => {
});
```

## huks.generateKey(deprecated)

generateKey(keyAlias: string, options: HuksOptions) : Promise\<HuksResult>

Generates a key. This API uses a promise to return the result.

> **NOTE**
>
> This API is deprecated since API version 9. You are advised to use [huks.generateKeyItem<sup>9+</sup>](#huksgeneratekeyitem9-1).

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | --------------------------- | ---- | ------------------------ |
| keyAlias | string | Yes | Alias of the key. The value can contain up to 128 bytes and should not include sensitive data such as personal information. |
| options | [HuksOptions](#huksoptions) | Yes | Tags required for generating the key.|

**Return value**

| Type | Description |
| ----------------------------------- | -------------------------------------------------- |
| Promise\<[HuksResult](#huksresultdeprecated)> | Promise used to return the result. If the operation is successful, **HUKS_SUCCESS** is returned. If the operation fails, an error code is returned.|

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Generate a 256-bit ECC key.
*/
let keyAlias = 'keyAlias';
let properties: Array<huks.HuksParam> = [
  { tag: huks.HuksTag.HUKS_TAG_ALGORITHM, value: huks.HuksKeyAlg.HUKS_ALG_ECC },
  { tag: huks.HuksTag.HUKS_TAG_KEY_SIZE, value: huks.HuksKeySize.HUKS_ECC_KEY_SIZE_256 },
  {
    tag: huks.HuksTag.HUKS_TAG_PURPOSE,
    value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_SIGN | huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_VERIFY
  },
  { tag: huks.HuksTag.HUKS_TAG_DIGEST, value: huks.HuksKeyDigest.HUKS_DIGEST_SHA256 }
];
let options: huks.HuksOptions = {
  properties: properties
};
let result = huks.generateKey(keyAlias, options);
```

## huks.deleteKey(deprecated)

deleteKey(keyAlias: string, options: HuksOptions, callback: AsyncCallback\<HuksResult>) : void

Deletes a key. This API uses an asynchronous callback to return the result.

> **NOTE**
>
> This API is deprecated since API version 9. You are advised to use [huks.deleteKeyItem<sup>9+</sup>](#huksdeletekeyitem9).

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ----------------------------------------- | ---- |----------------------------------------------------|
| keyAlias | string | Yes | Alias of the key to delete. It must be the key alias passed in when the key was generated. |
| options | [HuksOptions](#huksoptions) | Yes | Options for deleting the key.|
| callback | AsyncCallback\<[HuksResult](#huksresultdeprecated)> | Yes | Callback used to return the result. If the operation is successful, **HUKS_SUCCESS** is returned. If the operation fails, an error code is returned. |

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Set options to emptyOptions. */
let keyAlias = 'keyAlias';
let emptyOptions: huks.HuksOptions = {
  properties: []
};
huks.deleteKey(keyAlias, emptyOptions, (err, data) => {
});
```

## huks.deleteKey(deprecated)

deleteKey(keyAlias: string, options: HuksOptions) : Promise\<HuksResult>

Deletes a key. This API uses a promise to return the result.

> **NOTE**
>
> This API is deprecated since API version 9.
You are advised to use [huks.deleteKeyItem<sup>9+</sup>](#huksdeletekeyitem9-1).

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ----------- | ---- | ----------------------------------------------------- |
| keyAlias | string | Yes | Alias of the key to delete. It must be the key alias passed in when the key was generated.|
| options | [HuksOptions](#huksoptions) | Yes | Options for deleting the key.|

**Return value**

| Type | Description |
| ----------------------------------- | -------------------------------------------------- |
| Promise\<[HuksResult](#huksresultdeprecated)> | Promise used to return the result. If the operation is successful, **HUKS_SUCCESS** is returned. If the operation fails, an error code is returned.|

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Set options to emptyOptions. */
let keyAlias = 'keyAlias';
let emptyOptions: huks.HuksOptions = {
  properties: []
};
let result = huks.deleteKey(keyAlias, emptyOptions);
```

## huks.importKey(deprecated)

importKey(keyAlias: string, options: HuksOptions, callback: AsyncCallback\<HuksResult>) : void

Imports a key in plaintext. This API uses an asynchronous callback to return the result.

> **NOTE**
>
> This API is deprecated since API version 9. You are advised to use [huks.importKeyItem<sup>9+</sup>](#huksimportkeyitem9).

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ------------------------ | ---- | ------------------------------------------------- |
| keyAlias | string | Yes | Alias of the key.|
| options | [HuksOptions](#huksoptions) | Yes | Tags required for the import and key to import.|
| callback | AsyncCallback\<[HuksResult](#huksresultdeprecated)> | Yes | Callback used to return the result. If the operation is successful, **HUKS_SUCCESS** is returned. If the operation fails, an error code is returned.|

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Sample data only: Math.random() is not a cryptographically secure random source, so do not create real key material this way. */
function makeRandomArr(size: number) {
  let arr = new Uint8Array(size);
  for (let i = 0; i < size; i++) {
    arr[i] = Math.floor(Math.random() * 10);
  }
  return arr;
};

/* Import a 256-bit AES key. */
let plainTextSize32 = makeRandomArr(32);
let keyAlias = 'keyAlias';
/* Note: ECB mode does not hide plaintext patterns; prefer another cipher mode, such as GCM, in real applications. */
let properties: Array<huks.HuksParam> = [
  { tag: huks.HuksTag.HUKS_TAG_ALGORITHM, value: huks.HuksKeyAlg.HUKS_ALG_AES },
  { tag: huks.HuksTag.HUKS_TAG_KEY_SIZE, value: huks.HuksKeySize.HUKS_AES_KEY_SIZE_256 },
  {
    tag: huks.HuksTag.HUKS_TAG_PURPOSE,
    value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_ENCRYPT | huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_DECRYPT
  },
  { tag: huks.HuksTag.HUKS_TAG_PADDING, value: huks.HuksKeyPadding.HUKS_PADDING_PKCS7 },
  { tag: huks.HuksTag.HUKS_TAG_BLOCK_MODE, value: huks.HuksCipherMode.HUKS_MODE_ECB }
];
let options: huks.HuksOptions = {
  properties: properties,
  inData: plainTextSize32
};
huks.importKey(keyAlias, options, (err, data) => {
});
```

## huks.importKey(deprecated)

importKey(keyAlias: string, options: HuksOptions) : Promise\<HuksResult>

Imports a key in plaintext. This API uses a promise to return the result.

> **NOTE**
>
> This API is deprecated since API version 9. You are advised to use [huks.importKeyItem<sup>9+</sup>](#huksimportkeyitem9-1).

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ----------- | ---- | ------------------------------------ |
| keyAlias | string | Yes | Alias of the key. The value can contain up to 128 bytes and should not include sensitive data such as personal information.|
| options | [HuksOptions](#huksoptions) | Yes | Tags required for the import and key to import.|

**Return value**

| Type | Description |
| ----------------------------------- | -------------------------------------------------- |
| Promise\<[HuksResult](#huksresultdeprecated)> | Promise used to return the result. If the operation is successful, **HUKS_SUCCESS** is returned. If the operation fails, an error code is returned.|

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Sample data only: Math.random() is not a cryptographically secure random source, so do not create real key material this way. */
function makeRandomArr(size: number) {
  let arr = new Uint8Array(size);
  for (let i = 0; i < size; i++) {
    arr[i] = Math.floor(Math.random() * 10);
  }
  return arr;
};

/* Import an AES key of 128 bits: 16 bytes of key material, matching HUKS_AES_KEY_SIZE_128. */
let plainTextSize16 = makeRandomArr(16);

/* Set the properties of the key to import. */
let keyAlias = 'keyAlias';
let properties: Array<huks.HuksParam> = [
  { tag: huks.HuksTag.HUKS_TAG_ALGORITHM, value: huks.HuksKeyAlg.HUKS_ALG_AES },
  { tag: huks.HuksTag.HUKS_TAG_KEY_SIZE, value: huks.HuksKeySize.HUKS_AES_KEY_SIZE_128 },
  {
    tag: huks.HuksTag.HUKS_TAG_PURPOSE,
    value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_ENCRYPT | huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_DECRYPT
  },
  { tag: huks.HuksTag.HUKS_TAG_PADDING, value: huks.HuksKeyPadding.HUKS_PADDING_PKCS7 },
  { tag: huks.HuksTag.HUKS_TAG_BLOCK_MODE, value: huks.HuksCipherMode.HUKS_MODE_ECB }
];
let huksOptions: huks.HuksOptions = {
  properties: properties,
  inData: plainTextSize16
};
let result = huks.importKey(keyAlias, huksOptions);
```

## huks.exportKey(deprecated)

exportKey(keyAlias: string, options: HuksOptions, callback: AsyncCallback\<HuksResult>) : void

Exports a key. This API uses an asynchronous callback to return the result.

> **NOTE**
>
> This API is deprecated since API version 9. You are advised to use [huks.exportKeyItem<sup>9+</sup>](#huksexportkeyitem9).

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ----------------------------------------- | ---- | ------------------------------------------------------------ |
| keyAlias | string | Yes | Key alias, which must be the same as the alias used when the key was generated. |
| options | [HuksOptions](#huksoptions) | Yes | Empty object (leave this parameter empty). |
| callback | AsyncCallback\<[HuksResult](#huksresultdeprecated)> | Yes | Callback used to return the result. If the operation is successful, **HUKS_SUCCESS** is returned. If the operation fails, an error code is returned. **outData** contains the public key exported.|

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Set options to emptyOptions. */
let keyAlias = 'keyAlias';
let emptyOptions: huks.HuksOptions = {
  properties: []
};
huks.exportKey(keyAlias, emptyOptions, (err, data) => {
});
```

## huks.exportKey(deprecated)

exportKey(keyAlias: string, options: HuksOptions) : Promise\<HuksResult>

Exports a key. This API uses a promise to return the result.

> **NOTE**
>
> This API is deprecated since API version 9. You are advised to use [huks.exportKeyItem<sup>9+</sup>](#huksexportkeyitem9-1).

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ----------- | ---- | ------------------------------------------------------------ |
| keyAlias | string | Yes | Key alias, which must be the same as the alias used when the key was generated.|
| options | [HuksOptions](#huksoptions) | Yes | Empty object (leave this parameter empty).|

**Return value**

| Type | Description |
| ----------------------------------- | ------------------------------------------------------------ |
| Promise\<[HuksResult](#huksresultdeprecated)> | Promise used to return the result. If the operation is successful, **HUKS_SUCCESS** is returned. If the operation fails, an error code is returned. **outData** contains the public key exported.|

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Set options to emptyOptions.
*/ let keyAlias = 'keyAlias'; let emptyOptions: huks.HuksOptions = { properties: [] }; let result = huks.exportKey(keyAlias, emptyOptions); ``` ## huks.getKeyProperties(deprecated) getKeyProperties(keyAlias: string, options: HuksOptions, callback: AsyncCallback\) : void Obtains key properties. This API uses an asynchronous callback to return the result. > **NOTE** > > This API is deprecated since API version 9. You are advised to use [huks.getKeyItemProperties9+](#huksgetkeyitemproperties9). **System capability**: SystemCapability.Security.Huks.Extension **Parameters** | Name | Type | Mandatory| Description | | -------- | ----------------------------------------- | ---- | ------------------------------------------------------------ | | keyAlias | string | Yes | Key alias, which must be the same as the alias used when the key was generated. | | options | [HuksOptions](#huksoptions) | Yes | Empty object (leave this parameter empty). | | callback | AsyncCallback\<[HuksResult](#huksresultdeprecated)> | Yes | Callback used to return the result. If the operation is successful, **errorCode** is **HUKS_SUCCESS**; otherwise, an error code is returned.| **Example** ```ts import { huks } from '@kit.UniversalKeystoreKit'; /* Set options to emptyOptions. */ let keyAlias = 'keyAlias'; let emptyOptions: huks.HuksOptions = { properties: [] }; huks.getKeyProperties(keyAlias, emptyOptions, (err, data) => { }); ``` ## huks.getKeyProperties(deprecated) getKeyProperties(keyAlias: string, options: HuksOptions) : Promise\ Obtains key properties. This API uses a promise to return the result. > **NOTE** > > This API is deprecated since API version 9. You are advised to use [huks.getKeyItemProperties9+](#huksgetkeyitemproperties9-1). 

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ----------- | ---- | ------------------------------------------------------------ |
| keyAlias | string | Yes | Key alias, which must be the same as the alias used when the key was generated.|
| options | [HuksOptions](#huksoptions) | Yes | Empty object (leave this parameter empty).|

**Return value**

| Type | Description |
| ------------------ | ------------------------------------------------------------ |
| Promise\<[HuksResult](#huksresultdeprecated)> | Promise used to return the result. If the operation is successful, **errorCode** is **HUKS_SUCCESS** and **properties** returns the parameters required for generating the key.|

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Set options to emptyOptions. */
let keyAlias = 'keyAlias';
let emptyOptions: huks.HuksOptions = {
  properties: []
};
let result = huks.getKeyProperties(keyAlias, emptyOptions);
```

## huks.isKeyExist(deprecated)

isKeyExist(keyAlias: string, options: HuksOptions, callback: AsyncCallback\<boolean>) : void

Checks whether a key exists. This API uses an asynchronous callback to return the result.

> **NOTE**
>
> This API is deprecated since API version 9. You are advised to use [huks.isKeyItemExist9+](#huksiskeyitemexist9).

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ---------------------- | ---- | ------------------------------------- |
| keyAlias | string | Yes | Alias of the key to check.|
| options | [HuksOptions](#huksoptions) | Yes | Options for checking the key.|
| callback | AsyncCallback\<boolean> | Yes | Callback used to return the result. The value **true** means the key exists; the value **false** means the opposite.|

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Set options to emptyOptions. */
let keyAlias = 'keyAlias';
let emptyOptions: huks.HuksOptions = {
  properties: []
};
huks.isKeyExist(keyAlias, emptyOptions, (err, data) => {
});
```

## huks.isKeyExist(deprecated)

isKeyExist(keyAlias: string, options: HuksOptions) : Promise\<boolean>

Checks whether a key exists. This API uses a promise to return the result.

> **NOTE**
>
> This API is deprecated since API version 9. You are advised to use [huks.isKeyItemExist9+](#huksiskeyitemexist9-1).

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ----------- | ---- | -------------------------------- |
| keyAlias | string | Yes | Alias of the key to check.|
| options | [HuksOptions](#huksoptions) | Yes | Options for checking the key.|

**Return value**

| Type | Description |
| ----------------- | --------------------------------------- |
| Promise\<boolean> | Promise used to return the result. The value **true** means the key exists; the value **false** means the opposite.|

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* Set options to emptyOptions. */
let keyAlias = 'keyAlias';
let emptyOptions: huks.HuksOptions = {
  properties: []
};
let result = huks.isKeyExist(keyAlias, emptyOptions);
```

## huks.init(deprecated)

init(keyAlias: string, options: HuksOptions, callback: AsyncCallback\<HuksHandle>) : void

Initializes a session for a key operation. This API uses an asynchronous callback to return the result. **huks.init**, **huks.update**, and **huks.finish** must be used together.

> **NOTE**
>
> This API is deprecated since API version 9. You are advised to use [huks.initSession9+](#huksinitsession9-1).

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ---------------------- | ---- | ------------------------------------- |
| keyAlias | string | Yes | Alias of the target key.|
| options | [HuksOptions](#huksoptions) | Yes | Parameter set used for the **init** operation.|
| callback | AsyncCallback\<[HuksHandle](#hukshandledeprecated)> | Yes | Callback used to return the result. The handle returned by the **Init** operation is added to the callback.|

## huks.init(deprecated)

init(keyAlias: string, options: HuksOptions) : Promise\<HuksHandle>

Initializes a session for a key operation. This API uses a promise to return the result. **huks.init**, **huks.update**, and **huks.finish** must be used together.

> **NOTE**
>
> This API is deprecated since API version 9. You are advised to use [huks.initSession9+](#huksinitsession9-1).

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ---------------------- | ---- | ------------------------------------- |
| keyAlias | string | Yes | Alias of the target key.|
| options | [HuksOptions](#huksoptions) | Yes | Parameter set used for the **init** operation.|

**Return value**

| Type | Description |
| ----------------------------------- | -------------------------------------------------- |
| Promise\<[HuksHandle](#hukshandledeprecated)> | Promise used to return the result. The handle returned by the **Init** operation is added to the callback.|

## huks.update(deprecated)

update(handle: number, token?: Uint8Array, options: HuksOptions, callback: AsyncCallback\<HuksResult>) : void

Updates the key operation by segment. This API uses an asynchronous callback to return the result. **huks.init**, **huks.update**, and **huks.finish** must be used together.

> **NOTE**
>
> This API is deprecated since API version 9. You are advised to use [huks.updateSession9+](#huksupdatesession9-1).

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ----------------------------------------- | ---- | -------------------------------------------- |
| handle | number | Yes | Handle of the **update** operation, which is of the uint64 type. |
| token | Uint8Array | No | Token of the **update** operation. |
| options | [HuksOptions](#huksoptions) | Yes | Parameter set used for the **update** operation. |
| callback | AsyncCallback\<[HuksResult](#huksresultdeprecated)> | Yes | Callback used to return the result. The result of the **Update** operation is added to the callback.|

## huks.update(deprecated)

update(handle: number, token?: Uint8Array, options: HuksOptions) : Promise\<HuksResult>;

Updates the key operation by segment. This API uses a promise to return the result. **huks.init**, **huks.update**, and **huks.finish** must be used together.

> **NOTE**
>
> This API is deprecated since API version 9. You are advised to use [huks.updateSession9+](#huksupdatesession9-2).

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| ------- | ----------------------------------- | ---- | -------------------------------------------- |
| handle | number | Yes | Handle of the **update** operation, which is of the uint64 type. |
| token | Uint8Array | No | Token of the **update** operation. |
| options | [HuksOptions](#huksoptions) | Yes | Parameter set used for the **update** operation. |

**Return value**

| Type | Description |
| ----------------------------------- | -------------------------------------------------- |
| Promise\<[HuksResult](#huksresultdeprecated)> | Promise used to return the result. The result of the **Update** operation is added to the callback.|

## huks.finish(deprecated)

finish(handle: number, options: HuksOptions, callback: AsyncCallback\<HuksResult>) : void

Finishes the key operation. This API uses an asynchronous callback to return the result. **huks.init**, **huks.update**, and **huks.finish** must be used together.

> **NOTE**
>
> This API is deprecated since API version 9. You are advised to use [huks.finishSession9+](#huksfinishsession9).

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ---------------------- | ---- | ------------------------------------- |
| handle | number | Yes | Handle of the **finish** operation, which is of the uint64 type.|
| options | [HuksOptions](#huksoptions) | Yes | Parameter set used for the **finish** operation.|
| callback | AsyncCallback\<[HuksResult](#huksresultdeprecated)> | Yes| Callback used to return the result. The result of the **Finish** operation is added to the callback.|

## huks.finish(deprecated)

finish(handle: number, options: HuksOptions) : Promise\<HuksResult>

Finishes the key operation. This API uses a promise to return the result. **huks.init**, **huks.update**, and **huks.finish** must be used together.

> **NOTE**
>
> This API is deprecated since API version 9. You are advised to use [huks.finishSession9+](#huksfinishsession9-1).

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ---------------------- | ---- | ------------------------------------- |
| handle | number | Yes | Handle of the **finish** operation, which is of the uint64 type.|
| options | [HuksOptions](#huksoptions) | Yes | Parameter set used for the **finish** operation.|

**Return value**

| Type | Description |
| ----------------------------------- | -------------------------------------------------- |
| Promise\<[HuksResult](#huksresultdeprecated)> | Promise used to return the result.|

## huks.abort(deprecated)

abort(handle: number, options: HuksOptions, callback: AsyncCallback\<HuksResult>) : void

Aborts the use of the key. This API uses an asynchronous callback to return the result.

> **NOTE**
>
> This API is deprecated since API version 9. You are advised to use [huks.abortSession9+](#huksabortsession9).

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ---------------------- | ---- | ------------------------------------- |
| handle | number | Yes | Handle of the **abort** operation, which is of the uint64 type.|
| options | [HuksOptions](#huksoptions) | Yes | Parameter set used for the **abort** operation.|
| callback | AsyncCallback\<[HuksResult](#huksresultdeprecated)> | Yes| Callback used to return the result. The result of the **Abort** operation is added to the callback.|

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* huks.init, huks.update, and huks.finish must be used together.
 * If an error occurs in any of them, call huks.abort to terminate the use of the key.
 *
 * The following uses a 2048-bit RSA key as an example. The callback-based APIs are used.
 */

let keyAlias = "HuksDemoRSA";
let properties: Array<huks.HuksParam> = [];
let options: huks.HuksOptions = {
  properties: properties,
  inData: new Uint8Array(0)
};
let handle: number = 0;
let resultMessage = "";

async function generateKey() {
  properties[0] = {
    tag: huks.HuksTag.HUKS_TAG_ALGORITHM,
    value: huks.HuksKeyAlg.HUKS_ALG_RSA
  };
  properties[1] = {
    tag: huks.HuksTag.HUKS_TAG_KEY_SIZE,
    value: huks.HuksKeySize.HUKS_RSA_KEY_SIZE_2048
  };
  properties[2] = {
    tag: huks.HuksTag.HUKS_TAG_PURPOSE,
    value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_ENCRYPT
  };
  properties[3] = {
    tag: huks.HuksTag.HUKS_TAG_PADDING,
    value: huks.HuksKeyPadding.HUKS_PADDING_OAEP
  };
  properties[4] = {
    tag: huks.HuksTag.HUKS_TAG_DIGEST,
    value: huks.HuksKeyDigest.HUKS_DIGEST_SHA256
  };
  /* Wait for key generation to complete before the key is used. */
  await huks.generateKey(keyAlias, options);
}

function stringToUint8Array(str: string) {
  let arr: number[] = [];
  for (let i = 0, j = str.length; i < j; ++i) {
    arr.push(str.charCodeAt(i));
  }
  let tmpUint8Array = new Uint8Array(arr);
  return tmpUint8Array;
}

async function huksInit() {
  await huks.init(keyAlias, options).then((data) => {
    console.info(`test init data: ${JSON.stringify(data)}`);
    handle = data.handle;
  });
}

async function huksUpdate() {
  options.inData = stringToUint8Array("huksHmacTest");
  await huks.update(handle, options.inData, options).then((data) => {
    if (data.errorCode === 0) {
      resultMessage += "update success!";
    } else {
      resultMessage += "update fail!";
    }
  });
  console.info(resultMessage);
}

function huksFinish() {
  options.inData = stringToUint8Array("HuksDemoHMAC");
  huks.finish(handle, options).then((data) => {
    if (data.errorCode === 0) {
      resultMessage = "finish success!";
      console.info(resultMessage);
    } else {
      resultMessage = "finish fail errorCode: " + data.errorCode;
      console.error(resultMessage);
    }
  });
}

async function huksAbort() {
  /* Resolve once the callback has run so that callers can await the abort. */
  return new Promise<void>((resolve, reject) => {
    huks.abort(handle, options, (err, data) => {
      console.info(`huksAbort data ${JSON.stringify(data)}`);
      console.error(`huksAbort err ${JSON.stringify(err)}`);
      resolve();
    });
  });
}
```

## huks.abort(deprecated)

abort(handle: number, options: HuksOptions) : Promise\<HuksResult>;

Aborts the use of the key. This API uses a promise to return the result.

> **NOTE**
>
> This API is deprecated since API version 9. You are advised to use [huks.abortSession9+](#huksabortsession9-1).

**System capability**: SystemCapability.Security.Huks.Extension

**Parameters**

| Name | Type | Mandatory| Description |
| -------- | ---------------------- | ---- | ------------------------------------- |
| handle | number | Yes | Handle of the **abort** operation, which is of the uint64 type.|
| options | [HuksOptions](#huksoptions) | Yes | Parameter set used for the **abort** operation.|

**Return value**

| Type | Description |
| ----------------------------------- | -------------------------------------------------- |
| Promise\<[HuksResult](#huksresultdeprecated)> | Promise used to return the result. The result of the **Abort** operation is added to the callback.|

**Example**

```ts
import { huks } from '@kit.UniversalKeystoreKit';

/* huks.init, huks.update, and huks.finish must be used together.
 * If an error occurs in any of them, call huks.abort to terminate the use of the key.
 *
 * The following uses a 2048-bit RSA key as an example. The promise-based APIs are used.
 */

let keyAlias = "HuksDemoRSA";
let properties: Array<huks.HuksParam> = [];
let options: huks.HuksOptions = {
  properties: properties,
  inData: new Uint8Array(0)
};
let handle: number = 0;
let resultMessage = "";

function stringToUint8Array(str: string) {
  let arr: number[] = [];
  for (let i = 0, j = str.length; i < j; ++i) {
    arr.push(str.charCodeAt(i));
  }
  let tmpUint8Array = new Uint8Array(arr);
  return tmpUint8Array;
}

async function generateKey() {
  properties[0] = {
    tag: huks.HuksTag.HUKS_TAG_ALGORITHM,
    value: huks.HuksKeyAlg.HUKS_ALG_RSA
  };
  properties[1] = {
    tag: huks.HuksTag.HUKS_TAG_KEY_SIZE,
    value: huks.HuksKeySize.HUKS_RSA_KEY_SIZE_2048
  };
  properties[2] = {
    tag: huks.HuksTag.HUKS_TAG_PURPOSE,
    value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_ENCRYPT
  };
  properties[3] = {
    tag: huks.HuksTag.HUKS_TAG_PADDING,
    value: huks.HuksKeyPadding.HUKS_PADDING_OAEP
  };
  properties[4] = {
    tag: huks.HuksTag.HUKS_TAG_DIGEST,
    value: huks.HuksKeyDigest.HUKS_DIGEST_SHA256
  };
  huks.generateKey(keyAlias, options, (err, data) => {
  });
}

async function huksInit() {
  /* Resolve once the callback has run so that callers can await the step. */
  return new Promise<void>((resolve, reject) => {
    huks.init(keyAlias, options, async (err, data) => {
      if (data.errorCode === 0) {
        resultMessage = "init success!";
        handle = data.handle;
      } else {
        resultMessage = "init fail errorCode: " + data.errorCode;
      }
      resolve();
    });
  });
}

async function huksUpdate() {
  options.inData = stringToUint8Array("huksHmacTest");
  return new Promise<void>((resolve, reject) => {
    huks.update(handle, options.inData, options, (err, data) => {
      if (data.errorCode === 0) {
        resultMessage += "update success!";
        console.info(resultMessage);
      } else {
        resultMessage += "update fail!";
        console.error(resultMessage);
      }
      resolve();
    });
  });
}

async function huksFinish() {
  options.inData = stringToUint8Array("0");
  return new Promise<void>((resolve, reject) => {
    huks.finish(handle, options, (err, data) => {
      if (data.errorCode === 0) {
        resultMessage = "finish success!";
      } else {
        resultMessage = "finish fail errorCode: " + data.errorCode;
      }
      resolve();
    });
  });
}

function huksAbort() {
  huks.abort(handle, options).then((data) => {
    if (data.errorCode === 0) {
      console.info("abort success!");
    } else {
      console.error("abort fail errorCode: " + data.errorCode);
    }
  });
}
```

## HuksHandle(deprecated)

Defines the struct for a HUKS handle.

**System capability**: SystemCapability.Security.Huks.Extension

> **NOTE**
>
> This API is deprecated since API version 9. You are advised to use [HuksSessionHandle9+](#hukssessionhandle9).

| Name | Type | Mandatory| Description |
| ---------- | ---------------- | ---- | -------- |
| errorCode | number | Yes | Error code.|
| handle | number | Yes| Handle of the unsigned integer type.|
| token | Uint8Array | No| Challenge obtained after the [init](#huksinitdeprecated) operation.|

## HuksResult(deprecated)

Represents the result returned.

**System capability**: SystemCapability.Security.Huks.Extension

> **NOTE**
>
> - This API is deprecated since API version 9. You are advised to use [HuksReturnResult9+](#huksreturnresult9).
> - For details about the error codes, see [HUKS Error Codes](errorcode-huks.md).

| Name | Type | Mandatory| Description |
| ---------- | ------------------------------- | ---- | ---------------- |
| errorCode | number | Yes | Error code. |
| outData | Uint8Array | No | Output data. |
| properties | Array\<[HuksParam](#huksparam)> | No | Property information. |
| certChains | Array\<string> | No | Certificate chain information.|

## HuksErrorCode(deprecated)

Enumerates the error codes.

**System capability**: SystemCapability.Security.Huks.Extension

> **NOTE**
>
> This API is deprecated since API version 9. You are advised to use [HuksExceptionErrCode9+](#huksexceptionerrcode9).

| Name | Value | Description|
| -------------------------- | ----- | ---- |
| HUKS_SUCCESS | 0 |Success.|
| HUKS_FAILURE | -1 |Failure.|
| HUKS_ERROR_BAD_STATE | -2 |Incorrect state.|
| HUKS_ERROR_INVALID_ARGUMENT | -3 |Invalid argument.|
| HUKS_ERROR_NOT_SUPPORTED | -4 |Not supported.|
| HUKS_ERROR_NO_PERMISSION | -5 |No permission.|
| HUKS_ERROR_INSUFFICIENT_DATA | -6 |Insufficient data.|
| HUKS_ERROR_BUFFER_TOO_SMALL | -7 |Insufficient buffer.|
| HUKS_ERROR_INSUFFICIENT_MEMORY | -8 |Insufficient memory.|
| HUKS_ERROR_COMMUNICATION_FAILURE | -9 |Communication failure.|
| HUKS_ERROR_STORAGE_FAILURE | -10 |Insufficient storage space.|
| HUKS_ERROR_HARDWARE_FAILURE | -11 |Hardware fault.|
| HUKS_ERROR_ALREADY_EXISTS | -12 |The object already exists.|
| HUKS_ERROR_NOT_EXIST | -13 |The object does not exist.|
| HUKS_ERROR_NULL_POINTER | -14 |Null pointer.|
| HUKS_ERROR_FILE_SIZE_FAIL | -15 |Incorrect file size.|
| HUKS_ERROR_READ_FILE_FAIL | -16 |Failed to read the file.|
| HUKS_ERROR_INVALID_PUBLIC_KEY | -17 |Invalid public key.|
| HUKS_ERROR_INVALID_PRIVATE_KEY | -18 |Invalid private key.|
| HUKS_ERROR_INVALID_KEY_INFO | -19 |Invalid key information.|
| HUKS_ERROR_HASH_NOT_EQUAL | -20 |The hash values are not equal.|
| HUKS_ERROR_MALLOC_FAIL | -21 |MALLOC failed.|
| HUKS_ERROR_WRITE_FILE_FAIL | -22 |Failed to write the file.|
| HUKS_ERROR_REMOVE_FILE_FAIL | -23 |Failed to delete the file.|
| HUKS_ERROR_OPEN_FILE_FAIL | -24 |Failed to open the file.|
| HUKS_ERROR_CLOSE_FILE_FAIL | -25 |Failed to close the file.|
| HUKS_ERROR_MAKE_DIR_FAIL | -26 |Failed to create the directory.|
| HUKS_ERROR_INVALID_KEY_FILE | -27 |Invalid key file.|
| HUKS_ERROR_IPC_MSG_FAIL | -28 |Incorrect IPC information.|
| HUKS_ERROR_REQUEST_OVERFLOWS | -29 |Request overflows.|
| HUKS_ERROR_PARAM_NOT_EXIST | -30 |The parameter does not exist.|
| HUKS_ERROR_CRYPTO_ENGINE_ERROR | -31 |CRYPTO ENGINE error.|
| HUKS_ERROR_COMMUNICATION_TIMEOUT | -32 |Communication timed out.|
| HUKS_ERROR_IPC_INIT_FAIL | -33 |IPC initialization failed.|
| HUKS_ERROR_IPC_DLOPEN_FAIL | -34 |IPC DLOPEN failed.|
| HUKS_ERROR_EFUSE_READ_FAIL | -35 |Failed to read eFuse.|
| HUKS_ERROR_NEW_ROOT_KEY_MATERIAL_EXIST | -36 |New root key material exists.|
| HUKS_ERROR_UPDATE_ROOT_KEY_MATERIAL_FAIL | -37 |Failed to update the root key material.|
| HUKS_ERROR_VERIFICATION_FAILED | -38 |Failed to verify the certificate chain.|
| HUKS_ERROR_CHECK_GET_ALG_FAIL | -100 |Failed to obtain the ALG. |
| HUKS_ERROR_CHECK_GET_KEY_SIZE_FAIL | -101 |Failed to obtain the key size.|
| HUKS_ERROR_CHECK_GET_PADDING_FAIL | -102 |Failed to obtain the padding algorithm.|
| HUKS_ERROR_CHECK_GET_PURPOSE_FAIL | -103 |Failed to obtain the key purpose.|
| HUKS_ERROR_CHECK_GET_DIGEST_FAIL | -104 |Failed to obtain the digest algorithm.|
| HUKS_ERROR_CHECK_GET_MODE_FAIL | -105 |Failed to obtain the cipher mode.|
| HUKS_ERROR_CHECK_GET_NONCE_FAIL | -106 |Failed to obtain the nonce.|
| HUKS_ERROR_CHECK_GET_AAD_FAIL | -107 |Failed to obtain the AAD.|
| HUKS_ERROR_CHECK_GET_IV_FAIL | -108 |Failed to obtain the initialization vector (IV).|
| HUKS_ERROR_CHECK_GET_AE_TAG_FAIL | -109 |Failed to obtain the AE flag.|
| HUKS_ERROR_CHECK_GET_SALT_FAIL | -110 |Failed to obtain the salt value.|
| HUKS_ERROR_CHECK_GET_ITERATION_FAIL | -111 |Failed to obtain the number of iterations.|
| HUKS_ERROR_INVALID_ALGORITHM | -112 |Invalid algorithm.|
| HUKS_ERROR_INVALID_KEY_SIZE | -113 |Invalid key size.|
| HUKS_ERROR_INVALID_PADDING | -114 |Invalid padding algorithm.|
| HUKS_ERROR_INVALID_PURPOSE | -115 |Invalid key purpose.|
| HUKS_ERROR_INVALID_MODE | -116 |Invalid cipher mode.|
| HUKS_ERROR_INVALID_DIGEST | -117 |Invalid digest algorithm.|
| HUKS_ERROR_INVALID_SIGNATURE_SIZE | -118 |Invalid signature size.|
| HUKS_ERROR_INVALID_IV | -119 |Invalid IV.|
| HUKS_ERROR_INVALID_AAD | -120 |Invalid AAD.|
| HUKS_ERROR_INVALID_NONCE | -121 |Invalid nonce.|
| HUKS_ERROR_INVALID_AE_TAG | -122 |Invalid AE tag.|
| HUKS_ERROR_INVALID_SALT | -123 |Invalid salt value.|
| HUKS_ERROR_INVALID_ITERATION | -124 |Invalid iteration count.|
| HUKS_ERROR_INVALID_OPERATION | -125 |Invalid operation.|
| HUKS_ERROR_INTERNAL_ERROR | -999 |Internal error.|
| HUKS_ERROR_UNKNOWN_ERROR | -1000 |Unknown error.|
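
The deprecated session calls documented on this page (**huks.init**, **huks.update**, **huks.finish**, **huks.abort**) composed into one flow that always aborts the session when a step fails. This is an added example, not code from the OpenHarmony documentation: `LegacyHuks`, `runSession` and the in-memory `FakeHuks` are hypothetical names that mirror the promise-based signatures above so the flow can run without a device, and the key is assumed to have no access control.

```typescript
// Added example: shapes mirror HuksOptions, HuksHandle and HuksResult as documented on this page.
interface Options { properties?: unknown[]; inData?: Uint8Array; }
interface Handle { errorCode: number; handle: number; token?: Uint8Array; }
interface Result { errorCode: number; outData?: Uint8Array; }

// Hypothetical interface covering the promise-based deprecated calls, so a fake can stand in for huks.
interface LegacyHuks {
  init(keyAlias: string, options: Options): Promise<Handle>;
  update(handle: number, token: Uint8Array | undefined, options: Options): Promise<Result>;
  finish(handle: number, options: Options): Promise<Result>;
  abort(handle: number, options: Options): Promise<Result>;
}

const HUKS_SUCCESS = 0; // value from the HuksErrorCode table

// Feeds every chunk but the last through update and the last one through finish.
// Any failure after init (error code or rejection) triggers abort so the session is released.
async function runSession(api: LegacyHuks, keyAlias: string, options: Options,
                          chunks: Uint8Array[]): Promise<Uint8Array> {
  const session = await api.init(keyAlias, options);
  if (session.errorCode !== HUKS_SUCCESS) {
    throw new Error(`init failed: ${session.errorCode}`); // no session was opened
  }
  let finished = false;
  try {
    for (const chunk of chunks.slice(0, -1)) {
      // Assumption: no access control on the key, so no auth token is passed.
      const r = await api.update(session.handle, undefined, { ...options, inData: chunk });
      if (r.errorCode !== HUKS_SUCCESS) throw new Error(`update failed: ${r.errorCode}`);
    }
    const last = chunks.length > 0 ? chunks[chunks.length - 1] : new Uint8Array(0);
    const r = await api.finish(session.handle, { ...options, inData: last });
    if (r.errorCode !== HUKS_SUCCESS) throw new Error(`finish failed: ${r.errorCode}`);
    finished = true;
    return r.outData ?? new Uint8Array(0);
  } finally {
    if (!finished) {
      // Best effort: an abort failure must not hide the original error.
      await api.abort(session.handle, options).catch(() => undefined);
    }
  }
}

// Constructed in-memory stand-in for the keystore: finish echoes the bytes it was fed.
class FakeHuks implements LegacyHuks {
  open = new Set<number>(); // handles with a live session
  aborted = 0;              // number of abort calls seen
  failUpdateAt: number;     // index of the update call that fails, -1 for none
  private updates = 0;
  private fed: number[] = [];
  constructor(failUpdateAt: number) { this.failUpdateAt = failUpdateAt; }

  private feed(options: Options): void {
    const data = options.inData ?? new Uint8Array(0);
    this.fed.push(...Array.from(data));
  }
  async init(): Promise<Handle> {
    const handle = this.open.size + 1;
    this.open.add(handle);
    return { errorCode: HUKS_SUCCESS, handle };
  }
  async update(handle: number, _token: Uint8Array | undefined, options: Options): Promise<Result> {
    if (!this.open.has(handle)) return { errorCode: -13 };              // HUKS_ERROR_NOT_EXIST
    if (this.updates++ === this.failUpdateAt) return { errorCode: -3 }; // HUKS_ERROR_INVALID_ARGUMENT
    this.feed(options);
    return { errorCode: HUKS_SUCCESS };
  }
  async finish(handle: number, options: Options): Promise<Result> {
    if (!this.open.delete(handle)) return { errorCode: -13 };
    this.feed(options);
    return { errorCode: HUKS_SUCCESS, outData: Uint8Array.from(this.fed) };
  }
  async abort(handle: number): Promise<Result> {
    this.aborted++;
    return { errorCode: this.open.delete(handle) ? HUKS_SUCCESS : -13 };
  }
}
```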