# 非匿名密钥证明(C/C++)

<!--Kit: Universal Keystore Kit-->
<!--Subsystem: Security-->
<!--Owner: @wutiantian-gitee-->
<!--Designer: @HighLowWorld-->
<!--Tester: @wxy1234564846-->
<!--Adviser: @zengyawen-->

在使用本功能前,需申请权限:[ohos.permission.ATTEST_KEY](../AccessToken/permissions-for-system-apps.md#ohospermissionattest_key)。请开发者根据应用的APL等级,参考具体的操作路径[权限申请](../AccessToken/determine-application-mode.md)。

## 在CMake脚本中链接相关动态库
```txt
target_link_libraries(entry PUBLIC libhuks_ndk.z.so)
```

## 开发步骤

1. 指定密钥别名,密钥别名命名规范参考[密钥生成介绍及算法规格](huks-key-generation-overview.md)。

2. 初始化参数集:通过[OH_Huks_InitParamSet](../../reference/apis-universal-keystore-kit/capi-native-huks-param-h.md#oh_huks_initparamset)、[OH_Huks_AddParams](../../reference/apis-universal-keystore-kit/capi-native-huks-param-h.md#oh_huks_addparams)、[OH_Huks_BuildParamSet](../../reference/apis-universal-keystore-kit/capi-native-huks-param-h.md#oh_huks_buildparamset)构造参数集paramSet,通过[OH_HUKS_TAG_ALGORITHM](../../reference/apis-universal-keystore-kit/capi-native-huks-type-h.md#oh_huks_keyalg)、[OH_HUKS_TAG_KEY_SIZE](../../reference/apis-universal-keystore-kit/capi-native-huks-type-h.md#oh_huks_keysize)、[OH_HUKS_TAG_PURPOSE](../../reference/apis-universal-keystore-kit/capi-native-huks-type-h.md#oh_huks_keypurpose)分别指定算法、密钥大小、密钥用途属性。

3. 生成非对称密钥,具体请参考[密钥生成](huks-key-generation-ndk.md)。

4. 
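将密钥别名与参数集作为参数传入[OH_Huks_AttestKeyItem](../../reference/apis-universal-keystore-kit/capi-native-huks-api-h.md#oh_huks_attestkeyitem)方法中,即可证明密钥。

```c++
#include "huks/native_huks_api.h"
#include "huks/native_huks_param.h"
#include "napi/native_api.h"
#include <stdlib.h>
#include <string.h>

/*
 * Build a HUKS parameter set from params (init -> add -> build).
 * On any failure the partially built set is released with
 * OH_Huks_FreeParamSet and the failing result is returned.
 */
OH_Huks_Result InitParamSet(
    struct OH_Huks_ParamSet **paramSet,
    const struct OH_Huks_Param *params,
    uint32_t paramCount)
{
    OH_Huks_Result ret = OH_Huks_InitParamSet(paramSet);
    if (ret.errorCode != OH_HUKS_SUCCESS) {
        return ret;
    }
    ret = OH_Huks_AddParams(*paramSet, params, paramCount);
    if (ret.errorCode != OH_HUKS_SUCCESS) {
        OH_Huks_FreeParamSet(paramSet);
        return ret;
    }
    ret = OH_Huks_BuildParamSet(paramSet);
    if (ret.errorCode != OH_HUKS_SUCCESS) {
        OH_Huks_FreeParamSet(paramSet);
    }
    return ret;
}

/* Size of each certificate buffer, and number of buffers in the chain. */
static const uint32_t g_size = 4096;
static const uint32_t CERT_COUNT = 4;

/*
 * Release the first pos certificate buffers of certChain, then the certs
 * array itself. pos must not exceed the number of entries allocated for
 * certChain->certs. A nullptr chain or certs pointer is a no-op, so the
 * function may safely be called on a chain that was never filled.
 */
void FreeCertChain(struct OH_Huks_CertChain *certChain, const uint32_t pos)
{
    if (certChain == nullptr || certChain->certs == nullptr) {
        return;
    }
    for (uint32_t j = 0; j < pos; j++) {
        free(certChain->certs[j].data); // free(nullptr) is a no-op
        certChain->certs[j].data = nullptr;
    }
    free(certChain->certs);
    certChain->certs = nullptr;
    certChain->certsCount = 0;
}

/*
 * Allocate CERT_COUNT buffers of g_size bytes in certChain for
 * OH_Huks_AttestKeyItem to fill. Returns 0 on success. On allocation
 * failure everything allocated so far is released and
 * OH_HUKS_ERR_CODE_INTERNAL_ERROR is returned. The caller releases a
 * successfully built chain with FreeCertChain(certChain, CERT_COUNT).
 */
int32_t ConstructDataToCertChain(struct OH_Huks_CertChain *certChain)
{
    if (certChain == nullptr) {
        return OH_HUKS_ERR_CODE_ILLEGAL_ARGUMENT;
    }
    certChain->certsCount = CERT_COUNT;
    // calloc zero-fills, so every data pointer is nullptr until assigned below
    certChain->certs = (struct OH_Huks_Blob *)calloc(certChain->certsCount, sizeof(struct OH_Huks_Blob));
    if (certChain->certs == nullptr) {
        return OH_HUKS_ERR_CODE_INTERNAL_ERROR;
    }
    for (uint32_t i = 0; i < certChain->certsCount; i++) {
        certChain->certs[i].size = g_size;
        certChain->certs[i].data = (uint8_t *)malloc(certChain->certs[i].size);
        if (certChain->certs[i].data == nullptr) {
            // only the first i buffers exist; this also frees the array
            FreeCertChain(certChain, i);
            return OH_HUKS_ERR_CODE_INTERNAL_ERROR;
        }
    }
    return 0;
}

/* Parameters of the key to generate and later attest. */
static struct OH_Huks_Param g_genAttestParams[] = {
    { .tag = OH_HUKS_TAG_ALGORITHM, .uint32Param = OH_HUKS_ALG_RSA },
    { .tag = OH_HUKS_TAG_KEY_SIZE, .uint32Param = OH_HUKS_RSA_KEY_SIZE_2048 },
    { .tag = OH_HUKS_TAG_PURPOSE, .uint32Param = OH_HUKS_KEY_PURPOSE_VERIFY },
    { .tag = OH_HUKS_TAG_DIGEST, .uint32Param = OH_HUKS_DIGEST_SHA256 },
    { .tag = OH_HUKS_TAG_PADDING, .uint32Param = OH_HUKS_PADDING_PSS },
    { .tag = OH_HUKS_TAG_BLOCK_MODE, .uint32Param = OH_HUKS_MODE_ECB },
};
#define CHALLENGE_DATA "hi_challenge_data"
/* Attestation challenge; note sizeof(CHALLENGE_DATA) counts the trailing '\0'. */
static struct OH_Huks_Blob g_challenge = { sizeof(CHALLENGE_DATA), (uint8_t *)CHALLENGE_DATA };

/*
 * N-API entry point of the sample: generates an RSA key under the alias
 * "test_attest", requests an attestation certificate chain for it using
 * g_challenge, then deletes the key. The chain is released without being
 * inspected; the HUKS error code of the last step reached is returned to
 * JS as an int32.
 */
static napi_value AttestKey(napi_env env, napi_callback_info info)
{
    /* 1. Determine the key alias */
    struct OH_Huks_Blob genAlias = {
        (uint32_t)strlen("test_attest"),
        (uint8_t *)"test_attest"
    };
    static struct OH_Huks_Param g_attestParams[] = {
        { .tag = OH_HUKS_TAG_ATTESTATION_CHALLENGE, .blob = g_challenge },
        { .tag = OH_HUKS_TAG_ATTESTATION_ID_ALIAS, .blob = genAlias },
    };
    struct OH_Huks_ParamSet *genParamSet = nullptr;
    struct OH_Huks_ParamSet *attestParamSet = nullptr;
    OH_Huks_Result ohResult;
    /*
     * Start with an empty chain. certs is only set by ConstructDataToCertChain,
     * so if an earlier step breaks out of the loop, FreeCertChain below sees
     * nullptr and does nothing. Pointing certs at a single stack blob here
     * would make that cleanup walk CERT_COUNT entries past the one element
     * and pass a stack address to free().
     */
    OH_Huks_CertChain certChain = { nullptr, 0 };
    do {
        /* 2. Initialize the key parameter sets */
        ohResult = InitParamSet(&genParamSet, g_genAttestParams, sizeof(g_genAttestParams) / sizeof(OH_Huks_Param));
        if (ohResult.errorCode != OH_HUKS_SUCCESS) {
            break;
        }
        ohResult = InitParamSet(&attestParamSet, g_attestParams, sizeof(g_attestParams) / sizeof(OH_Huks_Param));
        if (ohResult.errorCode != OH_HUKS_SUCCESS) {
            break;
        }
        ohResult = OH_Huks_GenerateKeyItem(&genAlias, genParamSet, nullptr);
        if (ohResult.errorCode != OH_HUKS_SUCCESS) {
            break;
        }

        ohResult.errorCode = ConstructDataToCertChain(&certChain);
        if (ohResult.errorCode != OH_HUKS_SUCCESS) {
            break;
        }
        /* 3. Attest the key */
        ohResult = OH_Huks_AttestKeyItem(&genAlias, attestParamSet, &certChain);
    } while (0);
    /* Cleanup runs on every path; the test key is deleted even if attestation failed. */
    FreeCertChain(&certChain, CERT_COUNT);
    OH_Huks_FreeParamSet(&genParamSet);
    OH_Huks_FreeParamSet(&attestParamSet);
    (void)OH_Huks_DeleteKeyItem(&genAlias, nullptr);

    napi_value ret;
    napi_create_int32(env, ohResult.errorCode, &ret);
    return ret;
}
```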