1# Certificate Management Development 2 3> **NOTE** 4> 5> The SDK of API version 11 or later must be used. 6 7## Scenarios 8 91. During the development, you may need to: 10 11 - Install an application certificate and its private credential. 12 13 - Obtain the application certificate and private credential. 14 15 - Perform signing and signature verification using an application certificate and its private credential. 16 17 - Uninstall an application certificate and its private credential. 18 192. Before you get started, you need to know the combinations of the algorithm and the signing/signature verification parameters supported by certificate management. 20 21 The credential installation, signing, and signature verification in certificate management depends on [HUKS](../UniversalKeystoreKit/huks-overview.md). The algorithms supported by certificate management are a subset of HUKS. Currently, only private credentials using the RSA or ECC algorithm can be installed and used. For details about the parameter combinations supported by signing and signature verification, see the description of RSA and ECC in [Signing and Signature Verification Overview and Algorithm Specifications](../UniversalKeystoreKit/huks-signing-signature-verification-overview.md). 22 23 24## Available APIs 25 26The following table describes the APIs used in the typical scenarios mentioned above. For details about the APIs, see [Certificate Management](../../reference/apis-device-certificate-kit/js-apis-certManager.md). 27 28| Instance | API | Description | 29| --------------- | ------------------------------------------------------------ | -------------------------------------------- | 30| certificateManager | installPrivateCertificate(keystore: Uint8Array, keystorePwd: string, certAlias: string, callback: AsyncCallback\<CMResult>) : void | Installs a private credential. This API uses an asynchronous callback to return the result. | 31| certificateManager | installPrivateCertificate(keystore: Uint8Array, keystorePwd: string, certAlias: string) : Promise\<CMResult> | Installs a private credential. This API uses a promise to return the result. | 32| certificateManager | getPrivateCertificate(keyUri: string, callback: AsyncCallback\<CMResult>) : void | Obtains a private credential. This API uses an asynchronous callback to return the result. | 33| certificateManager | getPrivateCertificate(keyUri: string) : Promise\<CMResult> | Obtains a private credential. This API uses a promise to return the result. | 34| certificateManager | uninstallPrivateCertificate(keyUri: string, callback: AsyncCallback\<void>) : void | Uninstalls a private credential. This API uses an asynchronous callback to return the result. | 35| certificateManager | uninstallPrivateCertificate(keyUri: string) : Promise\<void> | Uninstalls a private credential. This API uses a promise to return the result.| 36| certificateManager | init(authUri: string, spec: CMSignatureSpec, callback: AsyncCallback\<CMHandle>) : void | Initializes the signing or signature verification operation. This API uses an asynchronous callback to return the result.| 37| certificateManager | init(authUri: string, spec: CMSignatureSpec) : Promise\<CMHandle> | Initializes the signing or signature verification operation. This API uses a promise to return the result. | 38| certificateManager | update(handle: Uint8Array, data: Uint8Array, callback: AsyncCallback\<void>) : void | Updates the data to be signed or verified. This API uses an asynchronous callback to return the result. | 39| certificateManager | update(handle: Uint8Array, data: Uint8Array) : Promise\<void> | Updates the data to be signed or verified. This API uses a promise to return the result.| 40| certificateManager | finish(handle: Uint8Array, callback: AsyncCallback\<CMResult>) : void | Finishes the signing operation. This API uses an asynchronous callback to return the result. | 41| certificateManager | finish(handle: Uint8Array, signature: Uint8Array, callback: AsyncCallback\<CMResult>) : void | Finishes the signing operation. This API uses an asynchronous callback to return the result. | 42| certificateManager | finish(handle: Uint8Array, signature?: Uint8Array) : Promise\<CMResult> | Finishes the signing or signature verification operation. This API uses a promise to return the result.| 43| certificateManager | abort(handle: Uint8Array, callback: AsyncCallback\<void>) : void | Aborts the signing or signature verification operation. This API uses an asynchronous callback to return the result. | 44| certificateManager | abort(handle: Uint8Array) : Promise\<void> | Aborts the signing or signature verification operation. This API uses a promise to return the result.| 45 46## How to Develop 47 481. Request permissions. 49 50 Before calling **certManager** APIs, declare the ohos.permission.ACCESS_CERT_MANAGER permission in the **requestPermissions** field in the **module.json5** file. For more information, see [module.json5](../../quick-start/module-configuration-file.md). 51 522. Import modules. 53 54 ```ts 55 import { certificateManager } from '@kit.DeviceCertificateKit'; 56 import { BusinessError } from '@kit.BasicServicesKit'; 57 ``` 58 593. Install a private credential, obtain the private credential, use it to sign and verify data. Then, uninstall the private credential. 60 61 ```ts 62 async function certificateManagerSample() { 63 /* The data of the credential to be installed must be assigned based on the service. The data in this example is not the real credential data. */ 64 let keystore: Uint8Array = new Uint8Array([ 65 0x30, 0x82, 0x04, 0x6a, 0x02, 0x01, 66 ]); 67 68 /* Keystore password of the credential to be installed. */ 69 let keystorePwd: string = '123456'; 70 let appKeyUri: string = ''; 71 try { 72 /* Install a private credential. */ 73 const res: certificateManager.CMResult = await certificateManager.installPrivateCertificate(keystore, keystorePwd, "testPriCredential"); 74 appKeyUri = (res.uri != undefined) ? res.uri : ''; 75 } catch (err) { 76 let e: BusinessError = err as BusinessError; 77 console.error(`Failed to install private certificate. Code: ${e.code}, message: ${e.message}`); 78 } 79 80 try { 81 /* srcData is the data to be signed and verified. */ 82 let srcData: Uint8Array = new Uint8Array([ 83 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 84 ]); 85 86 /* Construct the parameters used for signing. */ 87 const signSpec: certificateManager.CMSignatureSpec = { 88 purpose: certificateManager.CmKeyPurpose.CM_KEY_PURPOSE_SIGN, 89 padding: certificateManager.CmKeyPadding.CM_PADDING_PSS, 90 digest: certificateManager.CmKeyDigest.CM_DIGEST_SHA256 91 }; 92 93 /* Generate a signature. */ 94 const signHandle: certificateManager.CMHandle = await certificateManager.init(appKeyUri, signSpec); 95 await certificateManager.update(signHandle.handle, srcData); 96 const signResult: certificateManager.CMResult = await certificateManager.finish(signHandle.handle); 97 98 /* Construct the parameters for signature verification. */ 99 const verifySpec: certificateManager.CMSignatureSpec = { 100 purpose: certificateManager.CmKeyPurpose.CM_KEY_PURPOSE_VERIFY, 101 padding: certificateManager.CmKeyPadding.CM_PADDING_PSS, 102 digest: certificateManager.CmKeyDigest.CM_DIGEST_SHA256 103 }; 104 105 /** Verify the signature. */ 106 const verifyHandle: certificateManager.CMHandle = await certificateManager.init(appKeyUri, verifySpec); 107 await certificateManager.update(verifyHandle.handle, srcData); 108 const verifyResult = await certificateManager.finish(verifyHandle.handle, signResult.outData); 109 console.info('Succeeded in signing and verifying.'); 110 } catch (err) { 111 let e: BusinessError = err as BusinessError; 112 console.error(`Failed to sign or verify. Code: ${e.code}, message: ${e.message}`); 113 } 114 115 try { 116 /* Uninstall a private credential. */ 117 await certificateManager.uninstallPrivateCertificate(appKeyUri); 118 } catch (err) { 119 let e: BusinessError = err as BusinessError; 120 console.error(`Failed to uninstall private certificate. Code: ${e.code}, message: ${e.message}`); 121 } 122 } 123 ``` 124