1# Certificate Chain Validator Development
2
3<!--Kit: Device Certificate Kit-->
4<!--Subsystem: Security-->
5<!--Owner: @zxz--3-->
6<!--Designer: @lanming-->
7<!--Tester: @PAFT-->
8<!--Adviser: @zengyawen-->
9
A certificate chain is an ordered list of certificates in which each certificate is signed by the entity identified by the next certificate in the chain. The last certificate in the chain is self-signed and serves as the trust anchor (root).
11
As shown in the following figure, the certificate chain consists of three certificates. The root certificate is self-signed by GlobalSign. The GlobalSign root key signed the intermediate certificate issued to GlobalSign RSA OV SSL CA 2018, and the key of that intermediate CA in turn signed the end-entity (leaf) certificate.
13
14![](figures/certificate_chain_example.png)
15
The following example shows how to assemble a certificate chain from multiple certificates and validate it.
17
18## How to Develop
19
201. Import the [certFramework](../../reference/apis-device-certificate-kit/js-apis-cert.md) module.
21   ```ts
22   import { cert } from '@kit.DeviceCertificateKit';
23   ```
24
252. Use [cert.createCertChainValidator](../../reference/apis-device-certificate-kit/js-apis-cert.md#certcreatecertchainvalidator) to create a certificate chain validator (**CertChainValidator**) object.
26
273. Create a [CertChainData](../../reference/apis-device-certificate-kit/js-apis-cert.md#certchaindata) object.
28
   The certificate framework provides the **CertChainValidator** object to validate a certificate chain up to its trust anchor. The certificate chain data to be validated must comply with the data structure definition [CertChainData](../../reference/apis-device-certificate-kit/js-apis-cert.md#certchaindata): the certificates are concatenated in length-value (L-V) form, ordered from the certificate closest to the end entity to the root CA, and **count** must equal the number of certificates in the buffer.
30
4. Use [CertChainValidator.validate](../../reference/apis-device-certificate-kit/js-apis-cert.md#validate) to validate the certificate chain data, and check the `err` argument of the callback: a non-null `err` means the chain was rejected and must not be trusted.
32
33```ts
34import { cert } from '@kit.DeviceCertificateKit';
35import { util } from '@kit.ArkTS';
36
// Root CA certificate (PEM); sample data only, never use it in production.
// Its Authority Key Identifier appears to reference its own Subject Key
// Identifier, i.e. it is self-signed and acts as the trust anchor of the
// example chain. It carries a fixed validity window, so the sample will stop
// validating once that window has elapsed.
let caCertData = [
  '-----BEGIN CERTIFICATE-----',
  'MIIDgTCCAmmgAwIBAgIGAXKnJjrAMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNVBAYT',
  'AkNOMQ8wDQYDVQQIDAbpmZXopb8xDzANBgNVBAcMBuilv+WuiTEPMA0GA1UECgwG',
  '5rWL6K+VMRUwEwYDVQQDDAzkuK3mlofmtYvor5UwHhcNMjUwMjIwMDI1NjMxWhcN',
  'MzUwMjE4MDI1NjMxWjBXMQswCQYDVQQGEwJDTjEPMA0GA1UECAwG6ZmV6KW/MQ8w',
  'DQYDVQQHDAbopb/lrokxDzANBgNVBAoMBua1i+ivlTEVMBMGA1UEAwwM5Lit5paH',
  '5rWL6K+VMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyY30ubE33Zmc',
  'BBM4OIpD1UuDVKynC4xNBK4v79vnlc4ElmRZD4RjkS612DtpaUzt/yHMZXmJTdqg',
  '2jq7UG4sQc0G3uNGIXdUpRZpnUYGVftuZMxHaNOb+IgDkZzaO3Dk33piOpH/X/Ke',
  'OosCbm7eBL+y+wRhUsLSCEasEsIvW3edHuYLrfz3MzwY/9AmnwqDGdRJ5rPayODD',
  'HH0yw9JuRkdMacN8omVX8jBfJeI8KafcQW8MJz+Y0qyQyiZ6A81AQSVfT+6Sk2U3',
  'UqeSTmtdIL1u29HfYLwYGHey+1Ro2wxqnMsFKIdKu2dDMDQZx61pER/dFtPYFlS7',
  '/uh3mi9HUQIDAQABo1MwUTAdBgNVHQ4EFgQUGDykmR825RPNFIEQaFzUqkr+CIow',
  'HwYDVR0jBBgwFoAUGDykmR825RPNFIEQaFzUqkr+CIowDwYDVR0TAQH/BAUwAwEB',
  '/zANBgkqhkiG9w0BAQsFAAOCAQEAXjlmYKjBz1ajWywZNlN+LVRXNx7bS4TYtOc2',
  'ME4N1ls6yjWSLtBe4DdkBqZ2HwrVW4dg5xZdAS/T0v/rRiGbX6iUFRV9WCTdtLZB',
  'HKNh7vU39F7mgTaaWXQK/+6NeLKMzwJENRRaESI/sXeKE6irfJgYuq3NH8GGFd+w',
  'HnvVBHRb6WSlY2s5Li7t6lj40UbwOljnqzRQvBeX57rOnzJgVKND3oY9pex/05Oe',
  '96x+qc2iqZbu54A6NYCTj/65EEKoj5rYxPXMV4FegV42ouaLJJoS+cEEY7w+ixcl',
  '04TjtjEdhTZiJCmI0RK50H2SWC0t9qkFewM3CCWTHY5ygPtMGA==',
  '-----END CERTIFICATE-----',
].join('\n') + '\n';
59
// Subordinate (level-2) CA certificate (PEM); sample data only, never use it
// in production. Its Authority Key Identifier appears to reference the key of
// the root certificate above, so it is the next link below that root in the
// example chain. Like the root, it has a fixed validity window after which the
// sample will stop validating.
let secondCaCertData = [
  '-----BEGIN CERTIFICATE-----',
  'MIIDgTCCAmmgAwIBAgIGAXKnJjrBMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNVBAYT',
  'AkNOMQ8wDQYDVQQIDAbpmZXopb8xDzANBgNVBAcMBuilv+WuiTEPMA0GA1UECgwG',
  '5rWL6K+VMRUwEwYDVQQDDAzkuK3mlofmtYvor5UwHhcNMjUwMjIwMDI1NjU3WhcN',
  'MzUwMjE4MDI1NjU3WjBXMQswCQYDVQQGEwJDTjEPMA0GA1UECAwG6ZmV6KW/MQ8w',
  'DQYDVQQHDAbopb/lrokxDzANBgNVBAoMBua1i+ivlTEVMBMGA1UEAwwM5Lit5paH',
  '5rWL6K+VMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxSL5L7fwMaRF',
  'RiT1l7kpzaAqZe33/3lgexoMfGiIFarIhYyYJsmOJKes2uLSnPeqEtscrXmFQiIG',
  '0srmwrriGgo3oxDp4/5i1FhCf3FqZUwD/RJhtVmkHT0HoYl4cpt/dJSF/e5vxt/J',
  '2Z1eRIQOj9DzyqET6+ONQmfVOyzEH6xlpXHZLvykSZ7ytPp25LxULPWjTmpDOPRq',
  'vkSMaH4H3mPw/Z9r0MVKP7DgAZMl2yVudHp785AMTVD0L9zWGHf3sek25ek5nv2r',
  'SlB21MTBpvd8GC/iGns4V3Bvf75WAMgpGghAkRRyADeqt5Hw+x9BIb9FcfE+h6n+',
  '6EF6FPa8GQIDAQABo1MwUTAdBgNVHQ4EFgQUjt2Crk/j6W8WCdHWyz4H+Q2/3PYw',
  'HwYDVR0jBBgwFoAUGDykmR825RPNFIEQaFzUqkr+CIowDwYDVR0TAQH/BAUwAwEB',
  '/zANBgkqhkiG9w0BAQsFAAOCAQEAksPHMuVF9e2GMVlaSe1Ao9D1KrJvKNaFZPCI',
  'lQe2CDsX+Qu7sQj4SML5vvWFLtcAp6ZovqUyEM0PtZWVSjPCRTMJ3ofBPwnXvQ2N',
  '7J7NCDA227MQabXeN3jMhkcAzlpdO5poTnobPF4xRqb39jM7otnNJsujvzdDab2l',
  'LiP4eU5TrEaF2lwidBWJX0VoLrRpqzQhiWXGMpCBBugP5U+bFs20wezJBG19WYyc',
  '2xKKfvyIcxrpmvjLZl8HddS7Ot1CKXyc8U9QZBGAlPwOXu8juppcEtjJyl36EnvF',
  'YAcwrXOAtCiNpX3UnLUbG8GtpOOWQWCt+x1gKmA6V0jbqQmqcw==',
  '-----END CERTIFICATE-----',
].join('\n') + '\n';
82
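/**
 * Validates a two-level certificate chain (subordinate CA -> root CA) with the
 * PKIX certificate chain validator.
 *
 * The validator consumes one byte buffer in L-V (length-value) form: for each
 * certificate, a 2-byte length field followed by the certificate bytes, ordered
 * from the certificate closest to the end entity to the root CA. Here that is
 * the record for secondCaCertData (subordinate CA) followed by the record for
 * caCertData (root CA). The root is supplied inside the chain data itself;
 * whether validate() additionally checks it against a system trust store is not
 * stated on this page -- confirm in the API reference before relying on a root
 * that the caller provides.
 *
 * A successful callback only shows that the supplied chain is consistent under
 * the framework's PKIX checks. It does not bind the end certificate to a
 * particular peer, host name or key usage; callers must still verify those for
 * their own use case.
 *
 * @throws Error if a certificate is larger than the 16-bit length field can hold
 */
function certChainValidatorSample(): void {
  const textEncoder = new util.TextEncoder();
  // Certificate chain validator algorithm. Currently, only PKIX is supported.
  const algorithm = 'PKIX';

  // Create a CertChainValidator object.
  const validator = cert.createCertChainValidator(algorithm);

  // One L-V record per certificate: subordinate (level-2) CA first, root CA last.
  const secondCaRecord = toLengthValueRecord(textEncoder.encodeInto(secondCaCertData));
  const caRecord = toLengthValueRecord(textEncoder.encodeInto(caCertData));

  // Binary data of the certificate chain in L-V format: Length of the level-2 CA
  // certificate data + Level-2 CA certificate data + Length of the CA certificate
  // data + CA certificate data.
  const encodingData = new Uint8Array(secondCaRecord.length + caRecord.length);
  encodingData.set(secondCaRecord, 0);
  encodingData.set(caRecord, secondCaRecord.length);

  const certChainData: cert.CertChainData = {
    // Uint8Array in L-V format (certificate data length-certificate data).
    data: encodingData,
    // Number of certificates. In this example, there are two certificates in the certification chain.
    count: 2,
    // Certificate format. Only PEM and DER are supported. In this example, the certificate is in PEM format.
    encodingFormat: cert.EncodingFormat.FORMAT_PEM
  };

  // Validate the certificate chain.
  validator.validate(certChainData, (err, data) => {
    if (err != null) {
      // Validation failed: the chain must be treated as untrusted. err.code and
      // err.message carry the framework's reason for rejecting it.
      console.error(`validate failed, errCode: ${err.code}, errMsg: ${err.message}`);
    } else {
      // Validation successful.
      console.log('validate success');
    }
  });
}

/**
 * Builds one L-V record: a 2-byte length field followed by the certificate bytes.
 *
 * @param certBytes encoded certificate (PEM text bytes in this sample)
 * @returns a new Uint8Array holding length field + certBytes
 * @throws Error if certBytes does not fit the 16-bit length field
 */
function toLengthValueRecord(certBytes: Uint8Array): Uint8Array {
  // The length field is a Uint16, so a certificate above 65535 bytes cannot be
  // described by it. Fail loudly instead of letting the length wrap silently and
  // handing the validator a mis-framed buffer.
  if (certBytes.byteLength > 0xFFFF) {
    throw new Error(`certificate too large for a 16-bit length field: ${certBytes.byteLength} bytes`);
  }
  // NOTE(review): Uint16Array writes the length in the host's native byte order,
  // which is what the original sample did; the byte order the framework expects
  // is not stated on this page -- confirm against the CertChainData reference.
  const lengthField = new Uint8Array(new Uint16Array([certBytes.byteLength]).buffer);
  const record = new Uint8Array(lengthField.length + certBytes.length);
  record.set(lengthField, 0);
  record.set(certBytes, lengthField.length);
  return record;
}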
141```
142