# Certificate Development

<!--Kit: Device Certificate Kit-->
<!--Subsystem: Security-->
<!--Owner: @zxz--3-->
<!--Designer: @lanming-->
<!--Tester: @PAFT-->
<!--Adviser: @zengyawen-->

This topic walks you through how to create a certificate object, obtain information about the certificate, and check the validity period of the certificate.

## How to Develop

1. Import the [certFramework](../../reference/apis-device-certificate-kit/js-apis-cert.md) module.
   ```ts
   import { cert } from '@kit.DeviceCertificateKit';
   ```

2. Use [cert.createX509Cert](../../reference/apis-device-certificate-kit/js-apis-cert.md#certcreatex509cert) to create an **X509Cert** object based on the existing X.509 certificate data.

3. Obtain certificate information.<br>
   Here is an example of obtaining the certificate version, certificate serial number, certificate issuer name, certificate subject name, and string-type data of the certificate object. For more field information, see [@ohos.security.cert (Certificate)](../../reference/apis-device-certificate-kit/js-apis-cert.md#x509cert).

4. Use [X509Cert.getPublicKey](../../reference/apis-device-certificate-kit/js-apis-cert.md#getpublickey) to obtain the public key in the certificate and use [X509Cert.verify](../../reference/apis-device-certificate-kit/js-apis-cert.md#verify) to verify the signature. In this example, a self-signed certificate is used, so the public key is obtained from the certificate itself. Verifying a certificate against its own public key only confirms that the signature is internally consistent; it does not establish that the certificate is trusted. In your app, obtain the public key for signature verification based on the actual situation, typically from the upper-level (issuer) certificate.

5. Use [X509Cert.checkValidityWithDate](../../reference/apis-device-certificate-kit/js-apis-cert.md#checkvaliditywithdate) to check the certificate validity period. The input parameter **date** is used to check whether the specified date is within the validity period of the X.509 certificate.

```ts
import { cert } from '@kit.DeviceCertificateKit';
import { BusinessError } from '@kit.BasicServicesKit';
import { util } from '@kit.ArkTS';

// Sample self-signed X.509 certificate in PEM text form.
// Replace it with the certificate your service actually uses.
const certData = '-----BEGIN CERTIFICATE-----\n' +
  'MIIBLzCB1QIUO/QDVJwZLIpeJyPjyTvE43xvE5cwCgYIKoZIzj0EAwIwGjEYMBYG\n' +
  'A1UEAwwPRXhhbXBsZSBSb290IENBMB4XDTIzMDkwNDExMjAxOVoXDTI2MDUzMDEx\n' +
  'MjAxOVowGjEYMBYGA1UEAwwPRXhhbXBsZSBSb290IENBMFkwEwYHKoZIzj0CAQYI\n' +
  'KoZIzj0DAQcDQgAEHjG74yMIueO7z3T+dyuEIrhxTg2fqgeNB3SGfsIXlsiUfLTa\n' +
  'tUsU0i/sePnrKglj2H8Abbx9PK0tsW/VgqwDIDAKBggqhkjOPQQDAgNJADBGAiEA\n' +
  '0ce/fvA4tckNZeB865aOApKXKlBjiRlaiuq5mEEqvNACIQDPD9WyC21MXqPBuRUf\n' +
  'BetUokslUfjT6+s/X4ByaxycAA==\n' +
  '-----END CERTIFICATE-----\n';

/**
 * Certificate example: creates an X509Cert object from the PEM data above,
 * logs its version, serial number, issuer name, subject name and string form,
 * verifies its signature, and checks its validity period against a fixed date.
 *
 * All results are reported through console.log / console.error; nothing is returned.
 */
function certSample(): void {
  const encodingBlob: cert.EncodingBlob = {
    // The PEM string is converted to a Uint8Array before it is handed over.
    data: new util.TextEncoder().encodeInto(certData),
    // Only PEM and DER are supported. This sample uses PEM.
    encodingFormat: cert.EncodingFormat.FORMAT_PEM
  };

  cert.createX509Cert(encodingBlob, (err, x509Cert) => {
    // Stop here if the X509Cert object could not be created.
    if (err != null) {
      console.error(`createX509Cert failed, errCode:${err.code}, errMsg:${err.message}`);
      return;
    }
    console.log('createX509Cert success');

    // Version and serial number.
    const certVersion = x509Cert.getVersion();
    const serialNumber = x509Cert.getCertSerialNumber();
    console.log(`X509 version: ${certVersion} , X509 serial:${serialNumber}`);

    // Issuer name.
    const issuer = x509Cert.getIssuerName(cert.EncodingType.ENCODING_UTF8);
    console.log(`X509 issuerName: ${issuer}`);

    // Subject name: the returned blob's data is decoded to a string before logging.
    const subjectNameBlob = x509Cert.getSubjectName(cert.EncodingType.ENCODING_UTF8);
    const subject = util.TextDecoder.create().decodeToString(subjectNameBlob.data);
    console.log(`X509 subjectName: ${subject}`);

    // String-type data of the certificate object.
    const certText = x509Cert.toString(cert.EncodingType.ENCODING_UTF8);
    console.log(`X509 certString: ${certText}`);

    // Signature verification.
    // This sample certificate is self-signed, so its own public key is used.
    // That only shows the signature is internally consistent; it does not make
    // the certificate trusted. For a certificate issued by another party, call
    // getPublicKey() on the upper-level (issuer) certificate object instead.
    try {
      const issuerPubKey = x509Cert.getPublicKey();
      x509Cert.verify(issuerPubKey, (verifyErr, data) => {
        if (verifyErr != null) {
          // Signature verification fails.
          console.error(`verify failed, errCode: ${verifyErr.code} , errMsg:${verifyErr.message}`);
          return;
        }
        // Signature verification is successful.
        console.log('verify success');
      });
    } catch (error) {
      // Also reached if the verify() call itself throws synchronously,
      // although the message names getPublicKey.
      const e = error as BusinessError;
      console.error(`getPublicKey failed, errCode: ${e.code} , errMsg:${e.message}`);
    }

    // Validity check against a fixed sample date, given as a string.
    // To test whether the certificate is valid now, pass the current time instead.
    // A failed check is reported through the exception caught below; nothing is
    // logged on success.
    const checkDate = '20230930000001Z';
    try {
      x509Cert.checkValidityWithDate(checkDate);
    } catch (error) {
      const e = error as BusinessError;
      console.error(`checkValidityWithDate failed, errCode: ${e.code}, errMsg:${e.message}`);
    }
  });
}
```