• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Application Certificate Development
2
3<!--Kit: Device Certificate Kit-->
4<!--Subsystem: Security-->
5<!--Owner: @chaceli-->
6<!--Designer: @chande-->
7<!--Tester: @zhangzhi1995-->
8<!--Adviser: @zengyawen-->
9
10> **NOTE**
11>
12> The SDK of API version 11 or later must be used.
13
14## Scenarios
15
161. Typical scenarios:
17
18   - Install an application certificate.
19   - Obtain an application certificate.
20   - Use an application certificate to sign or verify data.
21   - Uninstall an application certificate.
22
232. Before installation, you need to know the algorithm types and the combinations of the signing and signature verification parameters supported by certificate management.
24
25   - Certificate management depends on the [Universal Keystore Kit](../UniversalKeystoreKit/huks-overview.md) (HUKS) to install certificates and use the keys in the certificates for signing and signature verification.
26   - The algorithms supported by certificate management are a subset of HUKS cipher algorithm specifications. Currently, only the private certificates using the RSA, ECC, and SM2 algorithms can be installed and used.
27   - For details about the parameter combinations supported by signing and signature verification, see the description of RSA, ECC, and SM2 in [Signing and Signature Verification Overview and Algorithm Specifications](../UniversalKeystoreKit/huks-signing-signature-verification-overview.md).
28
29## Available APIs
30
31For details about the APIs, see [Certificate Management](../../reference/apis-device-certificate-kit/js-apis-certManager.md).
32
33The following table describes the commonly used APIs.
34
35| Instance         | API                                                      | Description                                        |
36| --------------- | ------------------------------------------------------------ | -------------------------------------------- |
37| certificateManager        | installPrivateCertificate(keystore: Uint8Array, keystorePwd: string, certAlias: string, callback: AsyncCallback\<CMResult>) : void  | Installs an application certificate. This API uses an asynchronous callback to return the result.       |
38| certificateManager        | installPrivateCertificate(keystore: Uint8Array, keystorePwd: string, certAlias: string) : Promise\<CMResult> | Installs an application certificate. This API uses a promise to return the result.              |
39| certificateManager        | installPrivateCertificate(keystore: Uint8Array, keystorePwd: string, certAlias: string, level: AuthStorageLevel) : Promise\<CMResult><sup>18+</sup> | Installs an application certificate and specifies the certificate storage level. This API uses a promise to return the result.|
40| certificateManager        | getPrivateCertificate(keyUri: string, callback: AsyncCallback\<CMResult>) : void    | Obtains an application certificate. This API uses an asynchronous callback to return the result.      |
41| certificateManager        | getPrivateCertificate(keyUri: string) : Promise\<CMResult>                         | Obtains an application certificate. This API uses a promise to return the result.       |
42| certificateManager        | uninstallPrivateCertificate(keyUri: string, callback: AsyncCallback\<void>) : void  | Uninstalls an application certificate. This API uses an asynchronous callback to return the result.     |
43| certificateManager        | uninstallPrivateCertificate(keyUri: string) : Promise\<void> | Uninstalls an application certificate. This API uses a promise to return the result.|
44| certificateManager | init(authUri: string, spec: CMSignatureSpec, callback: AsyncCallback\<CMHandle>) : void | Initializes the signing or signature verification operation. This API uses an asynchronous callback to return the result.|
45| certificateManager | init(authUri: string, spec: CMSignatureSpec) : Promise\<CMHandle>  | Initializes the signing or signature verification operation. This API uses a promise to return the result.|
46| certificateManager        | update(handle: Uint8Array, data: Uint8Array, callback: AsyncCallback\<void>) : void         | Updates the data to be signed or verified. This API uses an asynchronous callback to return the result.       |
47| certificateManager        | update(handle: Uint8Array, data: Uint8Array) : Promise\<void> | Updates the data to be signed or verified. This API uses a promise to return the result.|
48| certificateManager        | finish(handle: Uint8Array, callback: AsyncCallback\<CMResult>) : void         | Finishes the signing operation. This API uses an asynchronous callback to return the result.       |
49| certificateManager        | finish(handle: Uint8Array, signature: Uint8Array, callback: AsyncCallback\<CMResult>) : void     | Finishes the signing operation. This API uses an asynchronous callback to return the result.       |
50| certificateManager        | finish(handle: Uint8Array, signature?: Uint8Array) : Promise\<CMResult> | Finishes the signing or signature verification operation. This API uses a promise to return the result.|
51| certificateManager        | abort(handle: Uint8Array, callback: AsyncCallback\<void>) : void         | Aborts the signing or signature verification operation. This API uses an asynchronous callback to return the result.       |
52| certificateManager        | abort(handle: Uint8Array) : Promise\<void> | Aborts the signing or signature verification operation. This API uses a promise to return the result.|
53
54## How to Develop
55
561. Request and declare permissions.
57
58   Required permission: **ohos.permission.ACCESS_CERT_MANAGER**
59
60   For details about how to request permissions, see [Workflow for Requesting Permissions](../AccessToken/determine-application-mode.md).
61
62   For details about how to declare permissions, see [Declaring Permissions](../AccessToken/declare-permissions.md).
63
642. Import the required module.
65
66   ```ts
67   import { certificateManager } from '@kit.DeviceCertificateKit';
68   ```
69
703. Install an application certificate, obtain the certificate, use it to sign and verify data. Then, uninstall the certificate.
71
72   ```ts
73   async function privateCredSample() {
74     /* The data of the certificate to be installed must be assigned based on the service. The data in this example is not the real certificate data. */
75     let keystore: Uint8Array = new Uint8Array([
76       0x30, 0x82, 0x04, 0x6a, 0x02, 0x01, 0x03, 0x30, 0x82, 0x04, 0x30, 0x06, 0x09,
77     ]);
78
79     /* Keystore password of the certificate to be installed. */
80     let keystorePwd: string = '123456';
81     let appKeyUri: string = '';
82     try {
83       /* Install an application certificate. */
84       const res: certificateManager.CMResult = await certificateManager.installPrivateCertificate(keystore, keystorePwd, "testPriCredential");
85       appKeyUri = (res.uri != undefined) ? res.uri : '';
86     } catch (err) {
87       console.error(`Failed to install private certificate. Code: ${err.code}, message: ${err.message}`);
88     }
89
90     try {
91       /* Obtain the application certificate. */
92       let res: certificateManager.CMResult = await certificateManager.getPrivateCertificate(appKeyUri);
93       if (res === undefined || res.credential == undefined) {
94         console.error('The result of getting private certificate is undefined.');
95       } else {
96         let credential = res.credential;
97         console.info('Succeeded in getting private certificate.');
98       }
99     } catch (err) {
100       console.error(`Failed to get private certificate. Code: ${err.code}, message: ${err.message}`);
101    }
102
103     try {
104       /* srcData is the data to be signed and verified. */
105       let srcData: Uint8Array = new Uint8Array([
106         0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01,
107       ]);
108
109       /* Construct the parameters used for signing. */
110       const signSpec: certificateManager.CMSignatureSpec = {
111         purpose: certificateManager.CmKeyPurpose.CM_KEY_PURPOSE_SIGN,
112         padding: certificateManager.CmKeyPadding.CM_PADDING_PSS,
113         digest: certificateManager.CmKeyDigest.CM_DIGEST_SHA256
114       };
115
116       /* Generate a signature. */
117       const signHandle: certificateManager.CMHandle = await certificateManager.init(appKeyUri, signSpec);
118       await certificateManager.update(signHandle.handle, srcData);
119       const signResult: certificateManager.CMResult = await certificateManager.finish(signHandle.handle);
120
121       /* Construct the parameters for signature verification. */
122       const verifySpec: certificateManager.CMSignatureSpec = {
123         purpose: certificateManager.CmKeyPurpose.CM_KEY_PURPOSE_VERIFY,
124         padding: certificateManager.CmKeyPadding.CM_PADDING_PSS,
125         digest: certificateManager.CmKeyDigest.CM_DIGEST_SHA256
126       };
127
128       /** Verify the signature. */
129       const verifyHandle: certificateManager.CMHandle = await certificateManager.init(appKeyUri, verifySpec);
130       await certificateManager.update(verifyHandle.handle, srcData);
131       const verifyResult = await certificateManager.finish(verifyHandle.handle, signResult.outData);
132       console.info('Succeeded in signing and verifying.');
133     } catch (err) {
134       console.error(`Failed to sign or verify. Code: ${err.code}, message: ${err.message}`);
135     }
136
137     try {
138       /* Uninstall the application certificate. */
139       await certificateManager.uninstallPrivateCertificate(appKeyUri);
140     } catch (err) {
141       console.error(`Failed to uninstall private certificate. Code: ${err.code}, message: ${err.message}`);
142     }
143   }
144   ```
145