# 通用密钥库设备开å‘指导
## 概述
### 功能简介
OpenHarmony通用密钥库系统(英文全称:Open**H**armony **U**niversal **K**ey**S**tore,以下简称HUKS)是OpenHarmonyæ供的系统级的密钥管ç†ç³»ç»ŸæœåŠ¡ï¼Œæ供密钥的全生命周期管ç†èƒ½åŠ›ï¼ŒåŒ…括密钥生æˆã€å¯†é’¥å˜å‚¨ã€å¯†é’¥ä½¿ç”¨ã€å¯†é’¥é”€æ¯ç‰åŠŸèƒ½ï¼Œä»¥åŠå¯¹å˜å‚¨åœ¨HUKSä¸çš„密钥æä¾›åˆæ³•æ€§è¯æ˜Žã€‚在HUKS的分层架构ä¸ï¼Œå¤„于最底层的HUKSæ ¸å¿ƒå±‚ï¼ˆHUKS Core)承载ç€å¯†é’¥ç®¡ç†æ ¸å¿ƒåŠŸèƒ½ï¼Œä¸€èˆ¬è¿è¡Œåœ¨è®¾å¤‡ç¡¬ä»¶å®‰å…¨çŽ¯å¢ƒä¸ï¼ˆæ¯”如TEEã€å®‰å…¨èŠ¯ç‰‡ç‰ï¼‰ã€‚由于ä¸åŒåŽ‚商硬件安全环境ä¸åŒï¼ŒHUKSæ ¸å¿ƒå±‚çš„å®žçŽ°æ–¹å¼ä¹Ÿä¸å°½ç›¸åŒï¼Œä¸ºäº†ä¿è¯æœåŠ¡å±‚åŠåº”用层架构和接å£çš„一致性,HUKSæ ¸å¿ƒå±‚å®šä¹‰äº†ä¸€å¥—HDI接å£ï¼ˆç¡¬ä»¶è®¾å¤‡ç»Ÿä¸€æŽ¥å£ï¼‰ï¼Œä»¥ä¿è¯HUKSæœåŠ¡å±‚调用HUKSæ ¸å¿ƒå±‚çš„å…¼å®¹ã€‚æœ¬æ–‡åŸºäºŽHUKS HDI接å£ï¼Œæä¾›HUKSæ ¸å¿ƒå±‚åŠŸèƒ½çš„å¼€å‘指导。
HUKSæ ¸å¿ƒå±‚éœ€è¦æ”¯æŒä»¥ä¸‹åŠŸèƒ½ï¼š
1. 生æˆå¯†é’¥
2. 外部导入密钥
3. 密钥æ“ä½œï¼ˆåŠ å¯†è§£å¯†ã€ç¾å验ç¾ã€å¯†é’¥æ´¾ç”Ÿã€å¯†é’¥å商ã€æ¶ˆæ¯è®¤è¯ç ç‰ï¼‰
4. 密钥访问控制
5. 密钥è¯æ˜Ž
6. 芯片平å°å…¬é’¥å¯¼å‡º
### 基本概念
- **HUKS Core**
HUKSæ ¸å¿ƒç»„ä»¶ï¼Œæ‰¿è½½HUKSçš„æ ¸å¿ƒåŠŸèƒ½ï¼ŒåŒ…æ‹¬å¯†é’¥çš„å¯†ç å¦è¿ç®—ã€æ˜Žæ–‡å¯†é’¥çš„åŠ è§£å¯†ã€å¯†é’¥è®¿é—®æŽ§åˆ¶ç‰ã€‚一般è¿è¡Œåœ¨è®¾å¤‡çš„安全环境ä¸ï¼ˆå¦‚TEEã€å®‰å…¨èŠ¯ç‰‡ç‰ï¼Œä¸åŒçš„厂商有所ä¸åŒï¼‰ï¼Œä¿è¯å¯†é’¥æ˜Žæ–‡ä¸å‡ºHUKS Core。
- **密钥会è¯**
应用通过指定密钥别å,给当å‰æ“作的密钥建立一个会è¯ï¼ŒHUKS为æ¯ä¸ªä¼šè¯ç”Ÿæˆä¸€ä¸ªå…¨å±€å”¯ä¸€çš„å¥æŸ„值æ¥ç´¢å¼•è¯¥ä¼šè¯ã€‚它的作用是缓å˜å¯†é’¥ä½¿ç”¨æœŸé—´çš„ä¿¡æ¯ï¼ŒåŒ…括æ“作数æ®ã€å¯†é’¥ä¿¡æ¯ã€è®¿é—®æŽ§åˆ¶å±žæ€§ç‰ã€‚密钥æ“作一般需è¦ç»è¿‡**建立会è¯ã€ä¼ 入数æ®å’Œå‚æ•°ã€ç»“æŸä¼šè¯ï¼ˆä¸æ¢ä¼šè¯ï¼‰** 三个阶段。
- **å¯ä¿¡æ‰§è¡ŒçŽ¯å¢ƒï¼ˆTrusted Execution Environment)**
通过划分软件和硬件资æºçš„方法构建一个安全区域,使得安全区域内部的程åºå’Œæ•°æ®å¾—到ä¿æŠ¤ã€‚è¿™ç§åˆ’分会分隔出两个执行环境——å¯ä¿¡æ‰§è¡ŒçŽ¯å¢ƒå’Œæ™®é€šæ‰§è¡ŒçŽ¯å¢ƒã€‚æ¯ä¸ªæ‰§è¡ŒçŽ¯å¢ƒæœ‰ç‹¬ç«‹çš„内部数æ®é€šè·¯å’Œè®¡ç®—所需å˜å‚¨ç©ºé—´ï¼Œä¿è¯å¯ä¿¡æ‰§è¡ŒçŽ¯å¢ƒé‡Œçš„ä¿¡æ¯ä¸ä¼šå‘外泄露。普通执行环境的应用ä¸èƒ½è®¿é—®å¯ä¿¡æ‰§è¡ŒçŽ¯å¢ƒçš„资æºï¼Œå¯ä¿¡æ‰§è¡ŒçŽ¯å¢ƒä¸çš„应用在没有授æƒçš„æƒ…å†µä¸‹ä¹Ÿæ— æ³•ç›¸äº’è®¿é—®ã€‚
## 实现原ç†
HUKS采用分层架构,包å«åº”用层ã€æœåŠ¡å±‚ã€æ ¸å¿ƒå±‚(领域层),其ä¸åº”用层主è¦å¯¹åº”用æ供接å£ï¼ŒæœåŠ¡å±‚处ç†åº”用的密钥管ç†è¯·æ±‚,进行密钥的密文管ç†ã€èº«ä»½æ ¡éªŒã€å¯†é’¥ä¼šè¯ç®¡ç†ç‰ï¼Œæ ¸å¿ƒå±‚æ供密钥生æˆã€å¯†é’¥æ“作ã€å¯†é’¥è®¿é—®æŽ§åˆ¶å’Œå¯†é’¥è¯æ˜Žç‰æ ¸å¿ƒåŠŸèƒ½ã€‚
**图1** HUKS分层架构图
## 约æŸä¸Žé™åˆ¶
- **密钥ä¸å‡ºå®‰å…¨çŽ¯å¢ƒ**
HUKSçš„æ ¸å¿ƒç‰¹ç‚¹æ˜¯å¯†é’¥å…¨ç”Ÿå‘½å‘¨æœŸæ˜Žæ–‡ä¸å‡ºHUKS Core,在有硬件æ¡ä»¶çš„设备上,如有TEE(Trusted Execution Environment)或安全芯片的设备,HUKS Coreè¿è¡Œåœ¨ç¡¬ä»¶å®‰å…¨çŽ¯å¢ƒä¸ã€‚å³ä½¿REE(Rich Execution Environmentï¼‰çŽ¯å¢ƒè¢«æ”»ç ´ï¼Œä¹Ÿèƒ½ç¡®ä¿å¯†é’¥æ˜Žæ–‡ä¹Ÿä¸ä¼šæ³„éœ²ã€‚å› æ¤ï¼ŒHUKS直通å¼HDI API所有函数接å£å¯†é’¥æ料数æ®åªèƒ½æ˜¯å¯†æ–‡æ ¼å¼ã€‚
- **ç³»ç»Ÿçº§å®‰å…¨åŠ å¯†å˜å‚¨**
å¿…é¡»åŸºäºŽè®¾å¤‡æ ¹å¯†é’¥åŠ å¯†ä¸šåŠ¡å¯†é’¥ï¼Œåœ¨æœ‰æ¡ä»¶çš„设备上,å åŠ ç”¨æˆ·å£ä»¤åŠ 密ä¿æŠ¤å¯†é’¥ã€‚
- **ä¸¥æ ¼çš„è®¿é—®æŽ§åˆ¶**
åªæœ‰åˆæ³•çš„业务æ‰æœ‰æƒè®¿é—®å¯†é’¥ï¼ŒåŒæ—¶æ”¯æŒç”¨æˆ·èº«ä»½è®¤è¯è®¿é—®æŽ§åˆ¶ä»¥æ”¯æŒä¸šåŠ¡çš„高安æ•æ„Ÿåœºæ™¯ä¸‹å®‰å…¨è®¿é—®å¯†é’¥çš„诉求。
- **密钥的åˆæ³•æ€§è¯æ˜Ž**
业务æ供硬件厂商级别的密钥的åˆæ³•æ€§è¯æ˜Žï¼Œè¯æ˜Žå¯†é’¥æ²¡æœ‰è¢«ç¯¡æ”¹ï¼Œå¹¶ç¡®å®žå˜åœ¨äºŽæœ‰ç¡¬ä»¶ä¿æŠ¤çš„HUKS Coreä¸ï¼Œä»¥åŠæ‹¥æœ‰æ£ç¡®çš„密钥属性。
- **密钥ææ–™æ ¼å¼**
导入/导出密钥时(包括密钥对ã€å…¬é’¥ã€ç§é’¥ï¼‰ï¼Œå¯†é’¥æ料的数æ®æ ¼å¼å¿…须满足HUKSè¦æ±‚çš„æ ¼å¼ï¼Œå…·ä½“å„个密ç 算法密钥ææ–™è§[密钥ææ–™æ ¼å¼](../../application-dev/security/huks-appendix.md#密钥ææ–™æ ¼å¼)。
- **è¯ä¹¦é“¾æ ¼å¼**
AttestKey返回的è¯ä¹¦é“¾åº”该按照业务è¯ä¹¦ã€è®¾å¤‡è¯ä¹¦ã€CAè¯ä¹¦å’Œæ ¹è¯ä¹¦çš„顺åºç»„装,在æ¯é¡¹è¯ä¹¦ä¹‹å‰è¿˜éœ€è¦åŠ 上è¯ä¹¦çš„长度。è¯ä¹¦é“¾ç»„装完æˆåŽæ·»åŠ 整个è¯ä¹¦é“¾çš„长度组装æˆBlobæ ¼å¼ã€‚è¯ä¹¦çš„å…·ä½“æ ¼å¼å¦‚è¦è‡ªå·±å®žçŽ°åº”与æœåŠ¡å™¨ä¾§è§£æžçš„æ ¼å¼ç›¸å¯¹åº”。
- **KeyBlobæ ¼å¼**
接å£è¿”回的密钥必须按照密钥å˜å‚¨æ€ç»„装æˆKeyBlob,哪些接å£éœ€è¦éµå¾ªè¯¥é™åˆ¶è¯·è§[接å£è¯´æ˜Ž](#接å£è¯´æ˜Ž)。
## å¼€å‘指导
### 场景介ç»
HUKS Core作为å‘应用æ供密钥库能力的基础,包括密钥管ç†åŠå¯†é’¥çš„密ç å¦æ“作ç‰åŠŸèƒ½ã€‚如果想è¦ä½¿ç”¨è‡ªå·±çš„实现替æ¢HUKS Core,需è¦å®žçŽ°ä»¥ä¸‹æŽ¥å£ã€‚
### 接å£è¯´æ˜Ž
**表1** 接å£åŠŸèƒ½ä»‹ç»
| 接å£å | åŠŸèƒ½ä»‹ç» | 约æŸä¸Žé™åˆ¶ | 对应的jsæŽ¥å£ |
| ------------------------------------------------------------ | ---------------------------------------- | ----------------------------- | ------------------------------------------------------------ |
| [ModuleInit()](#moduleinit) | HUKS Coreçš„åˆå§‹åŒ–。 | æ— | æ— |
| [ModuleDestroy()](#moduledestroy) | HUKS Core的销æ¯ã€‚ | æ— | æ— |æ— | æ— |
| [GenerateKey()](#generatekey) | æ ¹æ®å¯†ç 算法å‚数,生æˆå¯†é’¥ï¼Œå¹¶è¿”回密文æ料。 | 出å‚è¦éµå¾ªKeyBlobæ ¼å¼ |generateKey(keyAlias: string, options: HuksOptions)|
| [ImportKey()](#importkey) | 导入明文密钥,并返回密文æ料。 | 出å‚è¦éµå¾ªKeyBlobæ ¼å¼ | importKey(keyAlias: string, options: HuksOptions)|
| [ImportWrappedKey()](#importwrappedkey) |å¯¼å…¥åŠ å¯†å¯†é’¥ï¼Œå¹¶è¿”å›žå¯†æ–‡æ料。 | 出å‚è¦éµå¾ªKeyBlobæ ¼å¼ | importWrappedKey(keyAlias: string, wrappingKeyAlias: string, options: HuksOptions)|
| [ExportPublicKey()](#exportpublickey) | 导出密钥对ä¸çš„公钥。 |æ— | exportKey(keyAlias: string, options: HuksOptions) |
| [Init()](#init) | åˆå§‹åŒ–密钥会è¯çš„接å£ï¼Œè¿”回密钥会è¯å¥æŸ„和令牌(å¯é€‰ï¼‰ã€‚ |æ— | init(keyAlias: string, options: HuksOptions) |
| [Update()](#update) | è¿½åŠ å¯†é’¥æ“作数æ®ã€‚ |ç¾å验ç¾æ—¶å…¥å‚æ˜¯åŽŸå§‹æ•°æ® | update(handle: number, token?: Uint8Array, options: HuksOptions) |
| [Finish()](#finish) | 结æŸå¯†é’¥ä¼šè¯ |ç¾å验ç¾æ—¶å…¥å‚是ç¾ååŽæ•°æ® | finish(handle: number, options: HuksOptions) |
| [Abort()](#abort) | å–æ¶ˆå¯†é’¥ä¼šè¯ |æ— | abort(handle: number, options: HuksOptions) |
| [CheckKeyValidity()](#checkkeyvalidity) | æ ¡éªŒå¯†é’¥æ料(密文)的完整性 |æ— | æ— |
| [AttestKey()](#attestkey) | 获å–密钥è¯ä¹¦ã€‚ |出å‚è¦éµå¾ªå¯†é’¥è¯ä¹¦é“¾æ ¼å¼ | attestKey(keyAlias: string, options: HuksOptions)|
| [ExportChipsetPlatformPublicKey()](#exportchipsetplatformpublickey) | 导出芯片平å°çº§å¯†é’¥å¯¹çš„公钥。 | 出å‚为ECC P256çš„x y轴值裸数æ®ï¼Œå„32å—节 | æ— |
| [UpgradeKey()](#upgradekey) | å‡çº§å¯†é’¥æ–‡ä»¶ã€‚ | æ— | æ— |
| [GenerateRandom()](#generaterandom) | 生æˆå®‰å…¨éšæœºæ•° | æ— | æ— |
| [Encrypt()](#encrypt) | åŠ å¯† | æ— | æ— |
| [Decrypt()](#decrypt) | 解密 | æ— | æ— |
| [Sign()](#sign) | ç¾å | æ— | æ— |
| [Verify()](#verify) | éªŒç¾ | æ— | æ— |
| [AgreeKey()](#agreekey) | 密钥å商 | æ— | æ— |
| [DeriveKey()](#derivekey) | 密钥派生 | æ— | æ— |
| [Mac()](#mac) | 消æ¯è®¤è¯ç | æ— | æ— |
- - -
#### ModuleInit
**接å£æè¿°**
HUKS Coreçš„åˆå§‹åŒ–,一般用于åˆå§‹åŒ–全局å˜é‡ï¼Œæ¯”如全局线程é”,算法库,用于访问控制的AuthToken Keyå’Œæ ¹å¯†é’¥ã€‚
**接å£åŽŸåž‹**
<pre><code>int32_t ModuleInit(struct IHuks *self);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
</pre>
</details>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸï¼Œå€¼ä¸º0,下åŒ
- 其他:失败,值为负数,具体å‚考<a href="https://gitee.com/openharmony/security_huks/blob/master/interfaces/inner_api/huks_standard/main/include/hks_type.h">HksErrorCode枚举值定义</a>,下åŒ
</details>
- - -
#### ModuleDestroy
**接å£æè¿°**
HUKS Core的销æ¯ï¼Œä¸€èˆ¬ç”¨äºŽé‡Šæ”¾å…¨å±€å˜é‡ï¼ŒåŒ…括é”,销æ¯å†…å˜ä¸çš„AuthToken Keyå’Œæ ¹å¯†é’¥ç‰ã€‚
**接å£åŽŸåž‹**
<pre><code>int32_t ModuleDestroy(struct IHuks *self);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
</pre>
</details>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸ
- 其他:失败
</details>
- - -
#### GenerateKey
**接å£æè¿°**
æ ¹æ®å¯†é’¥å±žæ€§paramSet生æˆå¯†é’¥ã€‚
**接å£åŽŸåž‹**
<pre><code>int32_t GenerateKey(struct IHuks *self, const struct HuksBlob *keyAlias, const struct HuksParamSet *paramSet,
const struct HuksBlob *keyIn, struct HuksBlob *encKeyOut);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
<br></br>
<strong>const struct HuksBlob *keyAlias</strong>
å°†è¦ç”Ÿæˆçš„密钥的别å,è¦æ±‚:
1. keyAlias != null
2. keyAlias -> data != null
3. keyAlias -> dataLen != 0
<br></br>
<strong>const struct HuksParamSet *paramSet</strong>
è¦ç”Ÿæˆå¯†é’¥çš„å‚æ•°
<br></br>
<strong>const struct HuksBlob *keyIn</strong>
å¯é€‰ï¼Œé€šè¿‡å¯†é’¥å商或密钥派生生æˆå¯†é’¥æ—¶ï¼Œä¼ 原密钥ææ–™
<br></br>
<strong>struct HuksBlob *encKeyOut</strong>
出å‚,密钥密文æ料,将密钥属性paramset和生æˆçš„密钥密文å˜æ”¾åœ¨è¿™é‡Œï¼Œæ ¼å¼å‚考KeyBlob
</pre>
</details>
<br></br>
<details>
<summary><strong>约æŸä¸Žé™åˆ¶</strong></summary>
1. 请在接å£å†…检查上述å‚数是å¦ç¬¦åˆè¦æ±‚,如是å¦æ˜¯ç©ºæŒ‡é’ˆã€å¯†é’¥ç®—法是å¦æ”¯æŒç‰ã€‚
2. keyOut请å‚ç…§KeyBlob的结构。
</details>
<br></br>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸ
- 其他:失败
</details>
- - -
#### ImportKey
**接å£æè¿°**
导入明文密钥。
**接å£åŽŸåž‹**
<pre><code>int32_t ImportKey(struct IHuks *self, const struct HuksBlob *keyAlias, const struct HuksBlob *key,
const struct HuksParamSet *paramSet, struct HuksBlob *encKeyOut);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
<br></br>
<strong>const struct HuksBlob *keyAlias</strong>
待导入的密钥的别å,è¦æ±‚:
1. keyAlias != null
2. keyAlias -> data != null
3. keyAlias -> dataLen != 0
<br></br>
<strong>const struct HuksBlob *key</strong>
待导入的密钥明文æ料,密钥ææ–™æ ¼å¼è§<a href="https://gitee.com/openharmony/docs/blob/master/zh-cn/application-dev/security/huks-appendix.md#%E5%AF%86%E9%92%A5%E6%9D%90%E6%96%99%E6%A0%BC%E5%BC%8F">密钥ææ–™æ ¼å¼</a>,è¦æ±‚:
1. key != null
2. key -> data != null
3. key -> dataLen != 0
<br></br>
<strong>const struct HuksParamSet *paramSet</strong>
待导入密钥的å‚æ•°
<br></br>
<strong>struct HuksBlob *encKeyOut</strong>
出å‚,密钥密文æ料,将密钥属性paramset和生æˆçš„密钥密文å˜æ”¾åœ¨è¿™é‡Œï¼Œæ ¼å¼å‚考KeyBlob
</pre>
</details>
<br></br>
<details>
<summary><strong>约æŸä¸Žé™åˆ¶</strong></summary>
1. 请在接å£å†…检查上述å‚数是å¦ç¬¦åˆè¦æ±‚,如是å¦æ˜¯ç©ºæŒ‡é’ˆã€å¯†é’¥ç®—法是å¦æ”¯æŒç‰ã€‚
2. encKeyOut请å‚ç…§KeyBlob的结构。
</details>
<br></br>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸ
- 其他:失败
</details>
- - -
#### ImportWrappedKey
**接å£æè¿°**
å¯¼å…¥åŠ å¯†å¯†é’¥ã€‚
**接å£åŽŸåž‹**
<pre><code>int32_t ImportWrappedKey(struct IHuks *self, const struct HuksBlob *wrappingKeyAlias,
const struct HuksBlob *wrappingEncKey, const struct HuksBlob *wrappedKeyData, const struct HuksParamSet *paramSet,
struct HuksBlob *encKeyOut);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
<br></br>
<strong>const struct HuksBlob *wrappingKeyAlias</strong>
用于åšåŠ 密导入的密钥的别å(éžå¯¼å…¥å¯†é’¥æœ¬èº«çš„别å),è¦æ±‚:
1. wrappingKeyAlias != null
2. wrappingKeyAlias -> data != null
3. wrappingKeyAlias -> dataLen != 0
<br></br>
<strong>const struct HuksBlob *wrappingEncKey</strong>
è¦å¯¼å…¥çš„密钥数æ®è¢«åŠ 密时使用的密钥,è¦æ±‚:
1. wrappingEncKey != null
2. wrappingEncKey -> data != null
3. wrappingEncKey -> dataLen != 0
<br></br>
<strong>const struct HuksBlob *wrappedKeyData</strong>
è¦å¯¼å…¥çš„密钥的密钥æ料数æ®ï¼Œæ ¼å¼å‚考<a href="https://gitee.com/openharmony/docs/blob/master/zh-cn/application-dev/security/huks-guidelines.md#%E5%8A%A0%E5%AF%86%E5%AF%BC%E5%85%A5">åŠ å¯†å¯¼å…¥ææ–™æ ¼å¼</a>,è¦æ±‚:
1. wrappedKeyData != null
2. wrappedKeyData -> data != null
3. wrappedKeyData -> dataLen != 0
<br></br>
<strong>const struct HuksParamSet *paramSet</strong>
待导入密钥的密钥属性
<br></br>
<strong>struct HuksBlob *encKeyOut</strong>
导入密钥的密文æ料,å‚考KeyBlobæ ¼å¼
</pre>
</details>
<br></br>
<details>
<summary><strong>约æŸä¸Žé™åˆ¶</strong></summary>
1. 请在接å£å†…检查上述å‚数是å¦ç¬¦åˆè¦æ±‚,如是å¦æ˜¯ç©ºæŒ‡é’ˆã€å¯†é’¥ç®—法是å¦æ”¯æŒç‰ã€‚
2. encKeyOut请å‚ç…§KeyBlob的结构。
</details>
<br></br>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸ
- 其他:失败
</details>
- - -
#### ExportPublicKey
**接å£æè¿°**
导出密钥对的公钥。
**接å£åŽŸåž‹**
<pre><code>int32_t ExportPublicKey(struct IHuks *self, const struct HuksBlob *encKey,
const struct HuksParamSet *paramSet, struct HuksBlob *keyOut);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
<br></br>
<strong>const struct HuksBlob *encKey</strong>
与è¦å¯¼å‡ºçš„公钥的密钥对æ料,è¦æ±‚:
1. encKey != null
2. encKey -> data != null
3. encKey -> dataLen != 0
<br></br>
<strong>const struct HuksParamSet *paramSet</strong>
导出公钥的所需è¦çš„å‚数,默认为空
<br></br>
<strong>struct HuksBlob *keyOut</strong>
出å‚,å˜æ”¾å¯¼å‡ºçš„公钥
</pre>
</details>
<br></br>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸ
- 其他:失败
</details>
- - -
#### Init
**接å£æè¿°**
åˆå§‹åŒ–密钥会è¯çš„接å£ï¼Œä¼ 入密钥æ料密文,在HUKS Core进行解密,并生æˆå¯†é’¥ä¼šè¯å¥æŸ„和令牌(按需)
**接å£åŽŸåž‹**
<pre><code>int32_t Init(struct IHuks *self, const struct HuksBlob *encKey, const struct HuksParamSet *paramSet,
struct HuksBlob *handle, struct HuksBlob *token);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
<br></br>
<strong>const struct HuksBlob *encKey</strong>
å¾…æ“作密钥的密文æ料,è¦æ±‚:
1. encKey != null
2. encKey -> data != null
3. encKey -> dataLen != 0
<br></br>
<strong>const struct HuksParamSet *paramSet</strong>
åˆå§‹åŒ–密钥会è¯çš„å‚æ•°
<br></br>
<strong>struct HuksBlob *handle</strong>
出å‚,密钥会è¯çš„å¥æŸ„,作为Updateã€Finishå’ŒAbortçš„å…¥å‚,用于索引密钥会è¯
<br></br>
<strong>struct HuksBlob *token</strong>
出å‚,å˜æ”¾å¯†é’¥è®¿é—®æŽ§åˆ¶çš„认è¯ä»¤ç‰Œï¼ˆæŒ‰éœ€ï¼‰
</pre>
</details>
<br></br>
<details>
<summary><strong>约æŸä¸Žé™åˆ¶</strong></summary>
1. 密钥会è¯æ“作函数,业务é…åˆUpdateã€Finishã€Abort使用
</details>
<br></br>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸ
- 其他:失败
</details>
- - -
#### Update
**接å£æè¿°**
è¿½åŠ å¯†é’¥æ“作数æ®ï¼Œå¦‚密ç 算法的è¦æ±‚需è¦å¯¹æ•°æ®è¿›è¡Œåˆ†æ®µæ“作。
**接å£åŽŸåž‹**
<pre><code>int32_t Update(struct IHuks *self, const struct HuksBlob *handle, const struct HuksParamSet *paramSet,
const struct HuksBlob *inData, struct HuksBlob *outData);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
<br></br>
<strong>const struct HuksBlob *handle</strong>
密钥会è¯çš„å¥æŸ„
<br></br>
<strong> const struct HuksParamSet *paramSet</strong>
è¿½åŠ æ“作的å‚æ•°
<br></br>
<strong> const struct HuksBlob *inData</strong>
è¿½åŠ æ“作的输入
<br></br>
<strong> struct HuksBlob *outData</strong>
è¿½åŠ æ“作的结果
</pre>
</details>
<br></br>
<details>
<summary><strong>约æŸä¸Žé™åˆ¶</strong></summary>
1. 密钥会è¯æ“作函数,业务é…åˆInitã€Finishã€Abort使用。
2. 在进行ç¾å验ç¾æ—¶inDataè¦ä¼ 入原文数æ®ã€‚
</details>
<br></br>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸ
- 其他:失败
</details>
- - -
#### Finish
**接å£æè¿°**
结æŸå¯†é’¥ä¼šè¯ï¼Œæ“作最åŽä¸€æ®µæ•°æ®å¹¶ç»“æŸå¯†é’¥ä¼šè¯ã€‚
**接å£åŽŸåž‹**
<pre><code>int32_t Finish(struct IHuks *self, const struct HuksBlob *handle, const struct HuksParamSet *paramSet,
const struct HuksBlob *inData, struct HuksBlob *outData);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
<br></br>
<strong>const struct HuksBlob *handle</strong>
密钥会è¯çš„å¥æŸ„
<br></br>
<strong>const struct HuksParamSet *paramSet</strong>
最åŽä¸€æ®µæ“作的å‚æ•°
<br></br>
<strong>const struct HuksBlob *inData</strong>
最åŽä¸€æ®µæ“作的输入
<br></br>
<strong>struct HuksBlob *outData</strong>
密钥æ“作的结果
</pre>
</details>
<br></br>
<details>
<summary><strong>约æŸä¸Žé™åˆ¶</strong></summary>
1. 密钥会è¯æ“作函数,业务é…åˆInitã€Updateã€Abort使用。
2. 在进行验ç¾æ—¶inDataè¦ä¼ 入需è¦éªŒè¯çš„ç¾åæ•°æ®ï¼Œé€šè¿‡è¿”回结果表示验ç¾æ˜¯å¦æˆåŠŸã€‚
</details>
<br></br>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸ
- 其他:失败
</details>
- - -
#### Abort
**接å£æè¿°**
å–消密钥会è¯ã€‚当Init,Updateå’ŒFinishæ“作ä¸çš„任一阶段å‘生错误时,都è¦è°ƒç”¨abortæ¥ç»ˆæ¢å¯†é’¥ä¼šè¯ã€‚
**接å£åŽŸåž‹**
<pre><code>int32_t Abort(struct IHuks *self, const struct HuksBlob *handle, const struct HuksParamSet *paramSet);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
<br></br>
<strong>const struct HuksBlob *handle</strong>
密钥会è¯çš„å¥æŸ„
<br></br>
<strong>const struct HuksParamSet *paramSet</strong>
Abortæ“作的å‚æ•°
</pre>
</details>
<br></br>
<details>
<summary><strong>约æŸä¸Žé™åˆ¶</strong></summary>
1. 密钥会è¯æ“作函数,业务é…åˆInitã€Updateã€Finish使用。
</details>
<br></br>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸ
- 其他:失败
</details>
- - -
#### CheckKeyValidity
**接å£æè¿°**
获å–密钥属性。
**接å£åŽŸåž‹**
<pre><code>int32_t CheckKeyValidity(struct IHuks *self, const struct HuksParamSet *paramSet,
const struct HuksBlob *encKey);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
<br></br>
<strong>const struct HuksParamSet *paramSet</strong>
ç”¨äºŽæ ¡éªŒå¯†é’¥å®Œæ•´æ€§æŽ¥å£çš„å‚æ•°ï¼Œé»˜è®¤ä¼ ç©º
<br></br>
<strong>const struct HuksBlob *encKey</strong>
å¾…æ ¡éªŒå¯†é’¥å®Œæ•´æ€§çš„å¯†é’¥æ料(密文)
</pre>
</details>
<br></br>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸ
- 其他:失败
</details>
- - -
#### AttestKey
**接å£æè¿°**
获å–密钥è¯ä¹¦ã€‚
**接å£åŽŸåž‹**
<pre><code>int32_t AttestKey(struct IHuks *self, const struct HuksBlob *encKey, const struct HuksParamSet *paramSet,
struct HuksBlob *certChain);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
<br></br>
<strong>const struct HuksBlob *encKey</strong>
è¦èŽ·å–è¯ä¹¦çš„密钥对æ料密文
<br></br>
<strong>const struct HuksParamSet *paramSet</strong>
获å–密钥è¯ä¹¦æ“作的å‚数,如challengeç‰
<br></br>
<strong>struct HuksBlob *certChain</strong>
出å‚,å˜æ”¾è¯ä¹¦é“¾ï¼Œæ ¼å¼å‚考上述è¯ä¹¦é“¾æ ¼å¼
</pre>
</details>
<br></br>
<details>
<summary><strong>约æŸä¸Žé™åˆ¶</strong></summary>
1. certChainçš„æ ¼å¼éœ€éµå¾ª[约æŸä¸Žé™åˆ¶ç¬¬äºŒç‚¹](#约æŸä¸Žé™åˆ¶)。
</details>
<br></br>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸ
- 其他:失败
</details>
- - -
#### ExportChipsetPlatformPublicKey
**接å£æè¿°**
导出芯片平å°çº§å¯†é’¥å¯¹çš„公钥。
**接å£åŽŸåž‹**
<pre><code>int32_t ExportChipsetPlatformPublicKey(struct IHuks *self, const struct HuksBlob *salt,
enum HuksChipsetPlatformDecryptScene scene, struct HuksBlob *publicKey);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
<br></br>
<strong>const struct HuksBlob *salt</strong>
用æ¥æ´¾ç”ŸèŠ¯ç‰‡å¹³å°å¯†é’¥å¯¹æ—¶çš„æ´¾ç”Ÿå› å
<br></br>
<strong>enum HuksChipsetPlatformDecryptScene scene</strong>
业务预期进行芯片平å°è§£å¯†çš„场景
<br></br>
<strong>struct HuksBlob *publicKey</strong>
出å‚为ECC P256çš„x y轴值裸数æ®ï¼Œå„32å—节
</pre>
</details>
<br></br>
<details>
<summary><strong>约æŸä¸Žé™åˆ¶</strong></summary>
1. å…¥å‚`salt`长度必须为16å—节,且最åŽä¸€ä¸ªå—节的内容会被忽略,将由hukså†…éƒ¨æ ¹æ®å…¥å‚`scene`进行修改填充。<br>
当å‰huks的芯片平å°çº§å¯†é’¥å¯¹ä¸ºè½¯å®žçŽ°ï¼Œç¡¬ç¼–ç 了一对ECC-P256密钥对到代ç ä¸ï¼Œ`salt`值被忽略,å³æ— è®ºä¼ å…¥ä»€ä¹ˆ`salt`ï¼Œæ´¾ç”Ÿå‡ºçš„å¯†é’¥éƒ½æ˜¯ä¸€æ ·çš„ã€‚åœ¨çœŸæ£åŸºäºŽç¡¬ä»¶çš„芯片平å°çº§å¯†é’¥å®žçŽ°ä¸ï¼Œ`salt`为用æ¥æ´¾ç”Ÿå¯†é’¥çš„æ´¾ç”Ÿå› åï¼Œä¼ å…¥ä¸åŒçš„`salt`会得到ä¸åŒçš„密钥对。
</details>
<br></br>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸ
- 其他:失败
</details>
- - -
#### UpgradeKey
**接å£æè¿°**
å‡çº§å¯†é’¥æ–‡ä»¶ã€‚当密钥文件版本å·å°äºŽæœ€æ–°ç‰ˆæœ¬å·æ—¶ï¼Œè§¦å‘该å‡çº§èƒ½åŠ›ã€‚
**接å£åŽŸåž‹**
<pre><code>int32_t UpgradeKey(struct IHuks *self, const struct HuksBlob *encOldKey, const struct HuksParamSet *paramSet,
struct HuksBlob *encNewKey);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
<br></br>
<strong>const struct HuksBlob *encOldKey</strong>
å¾…å‡çº§çš„密钥文件数æ®
<br></br>
<strong>const struct HuksParamSet *paramSet</strong>
å‡çº§å¯†é’¥æ–‡ä»¶æ•°æ®çš„å‚æ•°
<br></br>
<strong>struct HuksBlob *newKey</strong>
出å‚,å‡çº§åŽçš„密钥文件数æ®
</pre>
</details>
<br></br>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸ
- 其他:失败
</details>
- - -
#### GenerateRandom
**接å£æè¿°**
生æˆå®‰å…¨éšæœºæ•°
**接å£åŽŸåž‹**
<pre><code>int32_t GenerateRandom(struct IHuks *self, const struct HuksParamSet *paramSet, struct HuksBlob *random);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
<br></br>
<strong>const struct HuksParamSet *paramSet</strong>
待生æˆå®‰å…¨éšæœºæ•°çš„å‚数,如长度
<br></br>
<strong>struct HuksBlob *random</strong>
出å‚,éšæœºæ•°
</pre>
</details>
<br></br>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸ
- 其他:失败
</details>
- - -
#### Sign
**接å£æè¿°**
对数æ®è¿›è¡Œç¾å
**接å£åŽŸåž‹**
<pre><code>int32_t Sign(struct IHuks *self, const struct HuksBlob *encKey, const struct HuksParamSet *paramSet,
const struct HuksBlob *srcData, struct HuksBlob *signature);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
<br></br>
<strong>const struct HuksBlob *encKey</strong>
用于ç¾å的密钥对æ料(密文)
<br></br>
<strong>const struct HuksParamSet *paramSet</strong>
用于ç¾åçš„å‚数,如摘è¦æ¨¡å¼
<br></br>
<strong>const struct HuksBlob *srcData</strong>
用于ç¾åçš„æ•°æ®
<br></br>
<strong>struct HuksBlob *signature</strong>
出å‚,数æ®ç¾å
</pre>
</details>
<br></br>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸ
- 其他:失败
</details>
- - -
#### Verify
**接å£æè¿°**
对数æ®ç¾å进行验ç¾
**接å£åŽŸåž‹**
<pre><code>int32_t Verify(struct IHuks *self, const struct HuksBlob *encKey, const struct HuksParamSet *paramSet,
const struct HuksBlob *srcData, const struct HuksBlob *signature);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
<br></br>
<strong>const struct HuksBlob *encKey</strong>
用于验ç¾çš„密钥对æ料(密文)
<br></br>
<strong>const struct HuksParamSet *paramSet</strong>
用于验ç¾çš„å‚数,如摘è¦æ¨¡å¼
<br></br>
<strong>const struct HuksBlob *srcData</strong>
待验ç¾çš„æ•°æ®
<br></br>
<strong>const struct HuksBlob *signature</strong>
用于验ç¾çš„ç¾å
</pre>
</details>
<br></br>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸ
- 其他:失败
</details>
- - -
#### Encrypt
**接å£æè¿°**
对数æ®è¿›è¡Œå•æ¬¡åŠ 密,相比密钥会è¯æŽ¥å£ï¼Œè¯¥æŽ¥å£éœ€æ»¡è¶³ä¸€æ¬¡è°ƒç”¨å³å¯å®ŒæˆåŠ 密æ“作
**接å£åŽŸåž‹**
<pre><code>int32_t Encrypt(struct IHuks *self, const struct HuksBlob *encKey, const struct HuksParamSet *paramSet,
const struct HuksBlob *plainText, struct HuksBlob *cipherText);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
<br></br>
<strong>const struct HuksBlob *encKey</strong>
ç”¨äºŽåŠ å¯†çš„å¯†é’¥æ料(密文)
<br></br>
<strong>const struct HuksParamSet *paramSet</strong>
ç”¨äºŽåŠ å¯†çš„å¯†é’¥å‚数,如密钥工作模å¼ã€å¡«å……模å¼ç‰
<br></br>
<strong>const struct HuksBlob *plainText</strong>
å¾…åŠ å¯†çš„æ•°æ®æ˜Žæ–‡
<br></br>
<strong>const struct HuksBlob *cipherText</strong>
åŠ å¯†åŽçš„æ•°æ®å¯†æ–‡
</pre>
</details>
<br></br>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸ
- 其他:失败
</details>
- - -
#### Decrypt
**接å£æè¿°**
对数æ®è¿›è¡Œå•æ¬¡è§£å¯†ï¼Œç›¸æ¯”密钥会è¯æŽ¥å£ï¼Œè¯¥æŽ¥å£éœ€è¦æ»¡è¶³ä¸€æ¬¡è°ƒç”¨å®Œæˆè§£å¯†æ“作
**接å£åŽŸåž‹**
<pre><code>int32_t Decrypt(struct IHuks *self, const struct HuksBlob *encKey, const struct HuksParamSet *paramSet,
const struct HuksBlob *cipherText, struct HuksBlob *plainText);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
<br></br>
<strong>const struct HuksBlob *encKey</strong>
用于解密的密钥æ料(密文)
<br></br>
<strong>const struct HuksParamSet *paramSet</strong>
用于解密的密钥å‚数,如密钥工作模å¼ã€å¡«å……模å¼ç‰
<br></br>
<strong>const struct HuksBlob *cipherText</strong>
待解密的数æ®å¯†æ–‡
<br></br>
<strong>const struct HuksBlob *plainText</strong>
解密åŽçš„æ•°æ®æ˜Žæ–‡
</pre>
</details>
<br></br>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸ
- 其他:失败
</details>
- - -
#### AgreeKey
**接å£æè¿°**
对密钥进行å商,相比密钥会è¯æŽ¥å£ï¼Œè¯¥æŽ¥å£éœ€è¦æ»¡è¶³ä¸€æ¬¡è°ƒç”¨å®Œæˆå¯†é’¥å商æ“作
**接å£åŽŸåž‹**
<pre><code>int32_t AgreeKey(struct IHuks *self, const struct HuksParamSet *paramSet,
const struct HuksBlob *encPrivateKey, const struct HuksBlob *peerPublicKey, struct HuksBlob *agreedKey);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
<br></br>
<strong>const struct HuksParamSet *paramSet</strong>
用于å商的å‚数,如å商密钥的长度
<br></br>
<strong>const struct HuksBlob *encPrivateKey</strong>
用于å商的密钥对æ料(密文)
<br></br>
<strong>const struct HuksBlob *peerPublicKey</strong>
用于å商密钥对公钥(明文)
<br></br>
<strong>struct HuksBlob *agreedKey</strong>
出å‚,å商出的密钥明文
</pre>
</details>
<br></br>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸ
- 其他:失败
</details>
- - -
#### DeriveKey
**接å£æè¿°**
对密钥进行派生,相比密钥会è¯æŽ¥å£ï¼Œè¯¥æŽ¥å£éœ€è¦æ»¡è¶³ä¸€æ¬¡è°ƒç”¨å®Œæˆå¯†é’¥æ´¾ç”Ÿæ“作
**接å£åŽŸåž‹**
<pre><code>int32_t DeriveKey(struct IHuks *self, const struct HuksParamSet *paramSet, const struct HuksBlob *encKdfKey,
struct HuksBlob *derivedKey);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
<br></br>
<strong>const struct HuksParamSet *paramSet</strong>
用于密钥派生的å‚数,如派生密钥的长度
<br></br>
<strong>const struct HuksBlob *encKdfKey</strong>
用于派生的密钥æ料(密文)
<br></br>
<strong>struct HuksBlob *derivedKey</strong>
出å‚,派生出的密钥(明文)
</pre>
</details>
<br></br>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸ
- 其他:失败
</details>
- - -
#### Mac
**接å£æè¿°**
æ ¹æ®å¯†é’¥ç”Ÿæˆæ¶ˆæ¯è®¤è¯ç
**接å£åŽŸåž‹**
<pre><code>int32_t Mac(struct IHuks *self, const struct HuksBlob *encKey, const struct HuksParamSet *paramSet,
const struct HuksBlob *srcData, struct HuksBlob *mac);</code></pre>
<details>
<summary><strong>å‚数说明</strong></summary>
<pre>
<strong>struct IHuks *self</strong>
HUKS HDI函数指针结构体指针
<br></br>
<strong>const struct HuksBlob *encKey</strong>
用于生æˆæ¶ˆæ¯è®¤è¯ç 的密钥æ料(密文)
<br></br>
<strong>const struct HuksParamSet *paramSet</strong>
用于生æˆæ¶ˆæ¯è®¤è¯ç çš„å‚æ•°
<br></br>
<strong>const struct HuksBlob *srcData</strong>
消æ¯æ•°æ®
<br></br>
<strong>struct HuksBlob *mac</strong>
出å‚,消æ¯è®¤è¯ç
</pre>
</details>
<br></br>
<details>
<summary><strong>返回值</strong></summary>
- HKS_SUCCESS:æˆåŠŸ
- 其他:失败
</details>
- - -
### å¼€å‘æ¥éª¤
#### 代ç 目录
1. HDI接å£çš„适é…在以下目录ä¸ï¼š
```undefined
//drivers_peripheral/huks
├── BUILD.gn # 编译脚本
├── hdi_service # 实现ä¾èµ–,通过dloppenæ–¹å¼å¼•ç”¨libhuks_engine_core_standard.z.so(软实现的HUKS Core,仅用于å‚考)
├── huks_sa_type.h # HUKSæœåŠ¡å±‚çš„æ•°æ®ç»“构定义
├── huks_sa_hdi_struct.h # libhuks_engine_core_standard.z.soä¸å‡½æ•°æŒ‡é’ˆç»“构体的定义
├── huks_hdi_template.h # HUKSæœåŠ¡å±‚å’ŒHDI接å£æ•°æ®ç»“构的转化适é…
├── huks_hdi_service.c # HUKS直通å¼HDIæœåŠ¡å±‚的接å£å®žçŽ°
└── huks_hdi_passthrough_adapter.c # HUKS直通å¼HDIæœåŠ¡å±‚到软实现HUKS Core的适é…层
└── test # HUKS HDI接å£unittestå’Œfuzztest
├── BUILD.gn # 编译脚本
├── fuzztest # fuzz测试
└── unittest # å•å…ƒæµ‹è¯•
```
2. HUKS Core软实现的代ç 在以下目录ä¸ï¼š
```undefined
//base/security/huks/services/huks_standard/huks_engine
├── BUILD.gn # 编译脚本
├── core_dependency # HUKS Coreä¾èµ–
└── core # HUKS Core层的软实现
├── BUILD.gn # 编译脚本
├── include
└── src
├── hks_core_interfaces.c # HDI到HUKS Core的适é…层
└── hks_core_service.c # HUKS Core详细实现
└── ... #其他功能代ç
```
**注æ„事项!!!**
<summary><strong>HUKS Core软实现ä¸å˜åœ¨ç¡¬ç¼–ç 相关æ•æ„Ÿæ•°æ®ï¼ŒåŒ…æ‹¬æ ¹å¯†é’¥ã€è®¿é—®æŽ§åˆ¶ç”¨çš„AuthToken密钥ã€åŠ 密AuthToken用的密钥ã€è¯ä¹¦ç›¸å…³ç‰ï¼Œå¦‚设备开å‘者使用了相关代ç ,一定è¦æ›¿æ¢æˆè‡ªæœ‰å®žçŽ°</strong></summary>
- **æ ¹å¯†é’¥**
ç”¨äºŽåŠ å¯†HUKSä¸šåŠ¡å¯†é’¥ï¼Œä¸€èˆ¬ç”±è®¾å¤‡æ ¹å¯†é’¥æ´¾ç”Ÿè€Œæ¥ï¼ŒHUKS Core软实现ä¸ç¡¬ç¼–ç 在代ç ä¸ï¼Œè¯¦ç»†ä»£ç è§<a href="https://gitee.com/openharmony/security_huks/blob/master/frameworks/huks_standard/main/crypto_engine/openssl/src/hks_openssl_get_main_key.c">hks_openssl_get_main_key.c</a>
- **访问控制用于对AuthTokenåšHMAC的密钥**
用于UserIAM对AuthToken进行HMAC,HUKS Core软实现ä¸ç¡¬ç¼–ç 在代ç ä¸ï¼Œå€¼ä¸º"huks_default_user_auth_token_key",详细代ç è§<a href="https://gitee.com/openharmony/security_huks/blob/master/services/huks_standard/huks_engine/main/core/src/hks_keyblob.c">hks_keyblob.c</a>
- **访问控制用于对AuthTokenæ•æ„Ÿå—æ®µåŠ å¯†çš„å¯†é’¥**
用于UserIAM对AuthTokenæ•æ„Ÿå—æ®µè¿›è¡ŒåŠ å¯†çš„å¯†é’¥ï¼ŒHUKS Core软实现ä¸ç¡¬ç¼–ç 在代ç ä¸ï¼Œå€¼ä¸º"huks_default_user_auth_token_key",详细代ç è§<a href="https://gitee.com/openharmony/security_huks/blob/master/services/huks_standard/huks_engine/main/core/src/hks_keyblob.c">hks_keyblob.c</a>
- **æ ¹è¯ä¹¦ã€è®¾å¤‡CAã€è®¾å¤‡è¯ä¹¦**
用于密钥è¯æ˜Žï¼Œä¸€èˆ¬ç”±è®¾å¤‡è¯ä¹¦ç®¡ç†æ¨¡å—预置在硬件设备安全å˜å‚¨å½“ä¸ï¼ŒHUKS Core软实现ä¸ç¡¬ç¼–ç 在代ç ä¸ï¼Œè¯¦ç»†ä»£ç è§<a href="https://gitee.com/openharmony/security_huks/blob/master/services/huks_standard/huks_engine/main/device_cert_manager/include/dcm_certs_and_key.h">dcm_certs_and_key.h</a>
#### 适é…æ ·ä¾‹
下文以HUKS Coreä¸çš„密钥会è¯Init\Update\Finish接å£é€‚é…ä½œä¸ºä¸€ä¸ªæ ·ä¾‹ï¼Œä»‹ç»åŸºæœ¬æµç¨‹ï¼Œä»…ä¾›å‚考ä¸å¯å®žé™…è¿è¡Œï¼Œå®žé™…å¯è¿è¡Œä»£ç å‚考[HUKSæºç 目录](https://gitee.com/openharmony/security_huks)
1. 创建一个å¥æŸ„,通过这个å¥æŸ„在sessionä¸å˜å‚¨å¯†é’¥æ“作相关的信æ¯ï¼Œä½¿å¾—外部å¯ä»¥é€šè¿‡è¿™ä¸ªå¥æŸ„分多次进行åŒä¸€å¯†é’¥æ“作。
```c
//密钥会è¯Init接å£
int32_t HksCoreInit(const struct HuksBlob *key, const struct HuksParamSet *paramSet, struct HuksBlob *handle,
struct HuksBlob *token)
{
HKS_LOG_D("HksCoreInit in Core start");
uint32_t pur = 0;
uint32_t alg = 0;
//检查å‚æ•°
if (key == NULL || paramSet == NULL || handle == NULL || token == NULL) {
HKS_LOG_E("the pointer param entered is invalid");
return HKS_FAILURE;
}
if (handle->size < sizeof(uint64_t)) {
HKS_LOG_E("handle size is too small, size : %u", handle->size);
return HKS_ERROR_INSUFFICIENT_MEMORY;
}
//解密密钥文件
struct HuksKeyNode *keyNode = HksCreateKeyNode(key, paramSet);
if (keyNode == NULL || handle == NULL) {
HKS_LOG_E("the pointer param entered is invalid");
return HKS_ERROR_BAD_STATE;
}
//通过handleå‘sessionä¸å˜å‚¨ä¿¡æ¯ï¼Œä¾›Update/Finish使用。使得外部å¯ä»¥é€šè¿‡åŒä¸ªhandle分多次进行åŒä¸€å¯†é’¥æ“作。
handle->size = sizeof(uint64_t);
(void)memcpy_s(handle->data, handle->size, &(keyNode->handle), handle->size);
//从å‚æ•°ä¸æå–出算法
int32_t ret = GetPurposeAndAlgorithm(paramSet, &pur, &alg);
if (ret != HKS_SUCCESS) {
HksDeleteKeyNode(keyNode->handle);
return ret;
}
//检查密钥å‚æ•°
ret = HksCoreSecureAccessInitParams(keyNode, paramSet, token);
if (ret != HKS_SUCCESS) {
HKS_LOG_E("init secure access params failed");
HksDeleteKeyNode(keyNode->handle);
return ret;
}
//通过密钥使用目的获å–对应的算法库处ç†å‡½æ•°
uint32_t i;
uint32_t size = HKS_ARRAY_SIZE(g_hksCoreInitHandler);
for (i = 0; i < size; i++) {
if (g_hksCoreInitHandler[i].pur == pur) {
HKS_LOG_E("Core HksCoreInit [pur] = %d, pur = %d", g_hksCoreInitHandler[i].pur, pur);
ret = g_hksCoreInitHandler[i].handler(keyNode, paramSet, alg);
break;
}
}
//异常结果检查
if (ret != HKS_SUCCESS) {
HksDeleteKeyNode(keyNode->handle);
HKS_LOG_E("CoreInit failed, ret : %d", ret);
return ret;
}
if (i == size) {
HksDeleteKeyNode(keyNode->handle);
HKS_LOG_E("don't found purpose, pur : %u", pur);
return HKS_FAILURE;
}
HKS_LOG_D("HksCoreInit in Core end");
return ret;
}
```
2. 在执行密钥æ“作å‰é€šè¿‡å¥æŸ„获得上下文信æ¯ï¼Œæ‰§è¡Œå¯†é’¥æ“作时放入分片数æ®å¹¶å–回密钥æ“ä½œç»“æžœæˆ–è€…è¿½åŠ æ•°æ®ã€‚
```c
//密钥会è¯Update接å£
int32_t HksCoreUpdate(const struct HuksBlob *handle, const struct HuksParamSet *paramSet, const struct HuksBlob *inData,
struct HuksBlob *outData)
{
HKS_LOG_D("HksCoreUpdate in Core start");
uint32_t pur = 0;
uint32_t alg = 0;
//检查å‚æ•°
if (handle == NULL || paramSet == NULL || inData == NULL) {
HKS_LOG_E("the pointer param entered is invalid");
return HKS_FAILURE;
}
uint64_t sessionId;
struct HuksKeyNode *keyNode = NULL;
//æ ¹æ®handle获å–本次密钥会è¯æ“作需è¦çš„上下文
int32_t ret = GetParamsForUpdateAndFinish(handle, &sessionId, &keyNode, &pur, &alg);
if (ret != HKS_SUCCESS) {
HKS_LOG_E("GetParamsForCoreUpdate failed");
return ret;
}
//æ ¡éªŒå¯†é’¥å‚æ•°
ret = HksCoreSecureAccessVerifyParams(keyNode, paramSet);
if (ret != HKS_SUCCESS) {
HksDeleteKeyNode(sessionId);
HKS_LOG_E("HksCoreUpdate secure access verify failed");
return ret;
}
//调用对应的算法库密钥处ç†å‡½æ•°
uint32_t i;
uint32_t size = HKS_ARRAY_SIZE(g_hksCoreUpdateHandler);
for (i = 0; i < size; i++) {
if (g_hksCoreUpdateHandler[i].pur == pur) {
struct HuksBlob appendInData = { 0, NULL };
ret = HksCoreAppendAuthInfoBeforeUpdate(keyNode, pur, paramSet, inData, &appendInData);
if (ret != HKS_SUCCESS) {
HKS_LOG_E("before update: append auth info failed");
break;
}
ret = g_hksCoreUpdateHandler[i].handler(keyNode, paramSet,
appendInData.data == NULL ? inData : &appendInData, outData, alg);
if (appendInData.data != NULL) {
HKS_FREE_BLOB(appendInData);
}
break;
}
}
//异常结果检查
if (ret != HKS_SUCCESS) {
HksDeleteKeyNode(keyNode->handle);
HKS_LOG_E("CoreUpdate failed, ret : %d", ret);
return ret;
}
if (i == size) {
HksDeleteKeyNode(sessionId);
HKS_LOG_E("don't found purpose, pur : %u", pur);
return HKS_FAILURE;
}
return ret;
}
```
3. 结æŸå¯†é’¥æ“作并å–回结果,销æ¯å¥æŸ„。
```c
//密钥会è¯Finish接å£
int32_t HksCoreFinish(const struct HuksBlob *handle, const struct HuksParamSet *paramSet, const struct HuksBlob *inData,
struct HuksBlob *outData)
{
HKS_LOG_D("HksCoreFinish in Core start");
uint32_t pur = 0;
uint32_t alg = 0;
//检查å‚æ•°
if (handle == NULL || paramSet == NULL || inData == NULL) {
HKS_LOG_E("the pointer param entered is invalid");
return HKS_FAILURE;
}
uint64_t sessionId;
struct HuksKeyNode *keyNode = NULL;
//æ ¹æ®handle获å–本次密钥会è¯æ“作需è¦çš„上下文
int32_t ret = GetParamsForUpdateAndFinish(handle, &sessionId, &keyNode, &pur, &alg);
if (ret != HKS_SUCCESS) {
HKS_LOG_E("GetParamsForCoreUpdate failed");
return ret;
}
//æ ¡éªŒå¯†é’¥å‚æ•°
ret = HksCoreSecureAccessVerifyParams(keyNode, paramSet);
if (ret != HKS_SUCCESS) {
HksDeleteKeyNode(sessionId);
HKS_LOG_E("HksCoreFinish secure access verify failed");
return ret;
}
//调用对应的算法库密钥处ç†å‡½æ•°
uint32_t i;
uint32_t size = HKS_ARRAY_SIZE(g_hksCoreFinishHandler);
for (i = 0; i < size; i++) {
if (g_hksCoreFinishHandler[i].pur == pur) {
uint32_t outDataBufferSize = (outData == NULL) ? 0 : outData->size;
struct HuksBlob appendInData = { 0, NULL };
ret = HksCoreAppendAuthInfoBeforeFinish(keyNode, pur, paramSet, inData, &appendInData);
if (ret != HKS_SUCCESS) {
HKS_LOG_E("before finish: append auth info failed");
break;
}
ret = g_hksCoreFinishHandler[i].handler(keyNode, paramSet,
appendInData.data == NULL ? inData : &appendInData, outData, alg);
if (appendInData.data != NULL) {
HKS_FREE_BLOB(appendInData);
}
if (ret != HKS_SUCCESS) {
break;
}
//æ·»åŠ å¯†é’¥æ“作结æŸæ ‡ç¾
ret = HksCoreAppendAuthInfoAfterFinish(keyNode, pur, paramSet, outDataBufferSize, outData);
break;
}
}
if (i == size) {
HKS_LOG_E("don't found purpose, pur : %d", pur);
ret = HKS_FAILURE;
}
//åˆ é™¤å¯¹åº”çš„session
HksDeleteKeyNode(sessionId);
HKS_LOG_D("HksCoreFinish in Core end");
return ret;
}
```
### 调测验è¯
å¼€å‘完æˆåŽï¼Œé€šè¿‡[HUKS JS接å£](https://gitee.com/openharmony/security_huks/blob/master/interfaces/kits/js/@ohos.security.huks.d.ts)å¼€å‘JS应用æ¥éªŒè¯èƒ½åŠ›æ˜¯å¦å®Œå¤‡ã€‚
对于æ¯ä¸ªHDI接å£ï¼Œ[接å£è¯´æ˜Ž](#接å£è¯´æ˜Ž)都æ供了对应的JS接å£ã€‚å¯ä»¥é€šè¿‡è°ƒç”¨JS接å£ç»„åˆæ¥éªŒè¯å¯¹åº”çš„HDI接å£çš„能力,也å¯ä»¥é€šè¿‡å®Œæ•´çš„密钥æ“作æ¥éªŒè¯æŽ¥å£çš„能力。
JS测试代ç 示例如下(仅供å‚考),如果整个æµç¨‹èƒ½å¤Ÿæ£å¸¸è¿è¡Œï¼Œä»£è¡¨HDI接å£èƒ½åŠ›æ£å¸¸ã€‚更多的密钥æ“ä½œç±»åž‹å’Œå®Œæ•´æ ·ä¾‹è¯·è§[huks-guidelines.md](../../application-dev/security/huks-guidelines.md)。
**AES生æˆå¯†é’¥å’ŒåŠ 密**
1. 引入HUKS模å—
```ts
import huks from '@ohos.security.huks'
```
2. 使用generateKey接å£ç”Ÿæˆå¯†é’¥ã€‚
```ts
import { BusinessError } from '@ohos.base';
let aesKeyAlias = 'test_aesKeyAlias';
let handle = 0;
let IV = '001122334455';
class HuksProperties {
tag: huks.HuksTag = huks.HuksTag.HUKS_TAG_ALGORITHM;
value: huks.HuksKeyAlg | huks.HuksKeySize | huks.HuksKeyPurpose = huks.HuksKeyAlg.HUKS_ALG_ECC;
}
class HuksProperties1 {
tag: huks.HuksTag = huks.HuksTag.HUKS_TAG_ALGORITHM;
value: huks.HuksKeyAlg | huks.HuksKeySize | huks.HuksKeyPurpose | huks.HuksKeyPadding | huks.HuksCipherMode | Uint8Array = huks.HuksKeyAlg.HUKS_ALG_ECC;
}
function GetAesGenerateProperties() {
let properties: HuksProperties[] = [
{
tag: huks.HuksTag.HUKS_TAG_ALGORITHM,
value: huks.HuksKeyAlg.HUKS_ALG_AES
},
{
tag: huks.HuksTag.HUKS_TAG_KEY_SIZE,
value: huks.HuksKeySize.HUKS_AES_KEY_SIZE_128
},
{
tag: huks.HuksTag.HUKS_TAG_PURPOSE,
value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_ENCRYPT |
huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_DECRYPT
}
];
return properties;
}
async function GenerateAesKey() {
let genProperties = GetAesGenerateProperties();
let options: huks.HuksOptions = {
properties: genProperties
}
await huks.generateKeyItem(aesKeyAlias, options).then((data) => {
console.log("generateKeyItem success");
}).catch((error: BusinessError) => {
console.log("generateKeyItem failed");
})
}
```
3. 使用huks.initSession,huks.finishSessionè¿›è¡ŒåŠ å¯†ã€‚
```ts
let plainText = '123456';
function StringToUint8Array(str: string) {
let arr: number[] = [];
for (let i = 0, j = str.length; i < j; ++i) {
arr.push(str.charCodeAt(i));
}
return new Uint8Array(arr);
}
function GetAesEncryptProperties() {
let properties: HuksProperties1[] = [
{
tag: huks.HuksTag.HUKS_TAG_ALGORITHM,
value: huks.HuksKeyAlg.HUKS_ALG_AES
},
{
tag: huks.HuksTag.HUKS_TAG_KEY_SIZE,
value: huks.HuksKeySize.HUKS_AES_KEY_SIZE_128
},
{
tag: huks.HuksTag.HUKS_TAG_PURPOSE,
value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_ENCRYPT
},
{
tag: huks.HuksTag.HUKS_TAG_PADDING,
value: huks.HuksKeyPadding.HUKS_PADDING_PKCS7
},
{
tag: huks.HuksTag.HUKS_TAG_BLOCK_MODE,
value: huks.HuksCipherMode.HUKS_MODE_CBC
},
{
tag: huks.HuksTag.HUKS_TAG_IV,
value: StringToUint8Array(IV)
}
]
return properties;
}
async function EncryptData() {
let encryptProperties = GetAesEncryptProperties();
let options: huks.HuksOptions = {
properties: encryptProperties,
inData: StringToUint8Array(plainText)
}
await huks.initSession(aesKeyAlias, options).then((data) => {
handle = data.handle;
}).catch((error: BusinessError) => {
console.log("initSession failed");
})
await huks.finishSession(handle, options).then((data) => {
console.log("finishSession success");
}).catch((error: BusinessError) => {
console.log("finishSession failed");
})
}
```