# Security Subsystem Changelog

## cl.security.1 Change of setSeed() from Asynchronous to Synchronous

**Change Impact**

Behavior of released JavaScript APIs will be changed.
The application needs to adapt these APIs so that it can be properly compiled in the SDK environment of the new version.

**Key API/Component Changes**

API before the change:

```ts
setSeed(seed : DataBlob, callback : AsyncCallback<void>) : void;
setSeed(seed : DataBlob) : Promise<void>;
```

API after the change:

```ts
setSeed(seed : DataBlob) : void;
```

**Adaptation Guide**

See **setSeed()** in the following:
[Crypto Framework](../../../application-dev/reference/apis/js-apis-cryptoFramework.md)


## cl.security.2 Move of DataArray from @ohos.security.cryptoFramework.d.ts to @ohos.security.cert.d.ts

**Change Impact**

Behavior of released JavaScript APIs will be changed.
The application needs to adapt these APIs so that it can be properly compiled in the SDK environment of the new version.

**Key API/Component Changes**

Moved **DataArray** from **@ohos.security.cryptoFramework.d.ts** to **@ohos.security.cert.d.ts**.

**Adaptation Guide**

Import and use the new .d.ts file:

```js
import cryptoCert from '@ohos.security.cert';
```

See the following API reference:
[Certificate](../../../application-dev/reference/apis/js-apis-cert.md)


## cl.security.3 Move of EncodingFormat from @ohos.security.cryptoFramework.d.ts to @ohos.security.cert.d.ts

**Change Impact**

Behavior of released JavaScript APIs will be changed.
The application needs to adapt these APIs so that it can be properly compiled in the SDK environment of the new version.

**Key API/Component Changes**

Moved **EncodingFormat** from **@ohos.security.cryptoFramework.d.ts** to **@ohos.security.cert.d.ts**.

**Adaptation Guide**

Import and use the new .d.ts file:

```js
import cryptoCert from '@ohos.security.cert';
```

See the following API reference:
[Certificate](../../../application-dev/reference/apis/js-apis-cert.md)


## cl.security.4 Move of EncodingBlob from @ohos.security.cryptoFramework.d.ts to @ohos.security.cert.d.ts

**Change Impact**

Behavior of released JavaScript APIs will be changed.
The application needs to adapt these APIs so that it can be properly compiled in the SDK environment of the new version.

**Key API/Component Changes**

Moved **EncodingBlob** from **@ohos.security.cryptoFramework.d.ts** to **@ohos.security.cert.d.ts**.

**Adaptation Guide**

Import and use the new .d.ts file:

```js
import cryptoCert from '@ohos.security.cert';
```

See the following API reference:
[Certificate](../../../application-dev/reference/apis/js-apis-cert.md)


## cl.security.5 Move of CertChainData from @ohos.security.cryptoFramework.d.ts to @ohos.security.cert.d.ts

**Change Impact**

Behavior of released JavaScript APIs will be changed.
The application needs to adapt these APIs so that it can be properly compiled in the SDK environment of the new version.

**Key API/Component Changes**

Moved **interface CertChainData** from **@ohos.security.cryptoFramework.d.ts** to **@ohos.security.cert.d.ts**.

**Adaptation Guide**

Import and use the new .d.ts file:

```js
import cryptoCert from '@ohos.security.cert';
```

See the following API reference:
[Certificate](../../../application-dev/reference/apis/js-apis-cert.md)


## cl.security.6 Move of X509Cert from @ohos.security.cryptoFramework.d.ts to @ohos.security.cert.d.ts

**Change Impact**

Behavior of released JavaScript APIs will be changed.
The application needs to adapt these APIs so that it can be properly compiled in the SDK environment of the new version.

**Key API/Component Changes**

Moved **X509Cert** from **@ohos.security.cryptoFramework.d.ts** to **@ohos.security.cert.d.ts**.

**Adaptation Guide**

Import and use the new .d.ts file:

```js
import cryptoCert from '@ohos.security.cert';
```

See the following API reference:
[Certificate](../../../application-dev/reference/apis/js-apis-cert.md)


## cl.security.7 Move of createX509Cert from @ohos.security.cryptoFramework.d.ts to @ohos.security.cert.d.ts

**Change Impact**

Behavior of released JavaScript APIs will be changed.
The application needs to adapt these APIs so that it can be properly compiled in the SDK environment of the new version.

**Key API/Component Changes**

Moved **createX509Cert** from **@ohos.security.cryptoFramework.d.ts** to **@ohos.security.cert.d.ts**.

**Adaptation Guide**

Import and use the new .d.ts file:

```js
import cryptoCert from '@ohos.security.cert';
```

See the following API reference:
[Certificate](../../../application-dev/reference/apis/js-apis-cert.md)


## cl.security.8 Move of X509CrlEntry from @ohos.security.cryptoFramework.d.ts to @ohos.security.cert.d.ts

**Change Impact**

Behavior of released JavaScript APIs will be changed.
The application needs to adapt these APIs so that it can be properly compiled in the SDK environment of the new version.

**Key API/Component Changes**

Moved **X509CrlEntry** from **@ohos.security.cryptoFramework.d.ts** to **@ohos.security.cert.d.ts**.

**Adaptation Guide**

Import and use the new .d.ts file:

```js
import cryptoCert from '@ohos.security.cert';
```

See the following API reference:
[Certificate](../../../application-dev/reference/apis/js-apis-cert.md)


## cl.security.9 Move of X509Crl from @ohos.security.cryptoFramework.d.ts to @ohos.security.cert.d.ts

**Change Impact**

Behavior of released JavaScript APIs will be changed.
The application needs to adapt these APIs so that it can be properly compiled in the SDK environment of the new version.

**Key API/Component Changes**

Moved **X509Crl** from **@ohos.security.cryptoFramework.d.ts** to **@ohos.security.cert.d.ts**.

**Adaptation Guide**

Import and use the new .d.ts file:

```js
import cryptoCert from '@ohos.security.cert';
```

See the following API reference:
[Certificate](../../../application-dev/reference/apis/js-apis-cert.md)


## cl.security.10 Move of createX509Crl from @ohos.security.cryptoFramework.d.ts to @ohos.security.cert.d.ts

**Change Impact**

Behavior of released JavaScript APIs will be changed.
The application needs to adapt these APIs so that it can be properly compiled in the SDK environment of the new version.

**Key API/Component Changes**

Moved **createX509Crl** from **@ohos.security.cryptoFramework.d.ts** to **@ohos.security.cert.d.ts**.

**Adaptation Guide**

Import and use the new .d.ts file:

```js
import cryptoCert from '@ohos.security.cert';
```

See the following API reference:
[Certificate](../../../application-dev/reference/apis/js-apis-cert.md)


## cl.security.11 Move of CertChainValidator from @ohos.security.cryptoFramework.d.ts to @ohos.security.cert.d.ts

**Change Impact**

Behavior of released JavaScript APIs will be changed.
The application needs to adapt these APIs so that it can be properly compiled in the SDK environment of the new version.

**Key API/Component Changes**

Moved **CertChainValidator** from **@ohos.security.cryptoFramework.d.ts** to **@ohos.security.cert.d.ts**.

**Adaptation Guide**

Import and use the new .d.ts file:

```js
import cryptoCert from '@ohos.security.cert';
```

See the following API reference:
[Certificate](../../../application-dev/reference/apis/js-apis-cert.md)


## cl.security.12 Move of createCertChainValidator from @ohos.security.cryptoFramework.d.ts to @ohos.security.cert.d.ts

**Change Impact**

Behavior of released JavaScript APIs will be changed.
The application needs to adapt these APIs so that it can be properly compiled in the SDK environment of the new version.

**Key API/Component Changes**

Moved **createCertChainValidator** from **@ohos.security.cryptoFramework.d.ts** to **@ohos.security.cert.d.ts**.

**Adaptation Guide**

Import and use the new .d.ts file:

```js
import cryptoCert from '@ohos.security.cert';
```

See the following API reference:
[Certificate](../../../application-dev/reference/apis/js-apis-cert.md)


## cl.security.13 Change of getPublicKey() of X509Cert from Asynchronous to Synchronous

**Change Impact**

Behavior of released JavaScript APIs will be changed.
The application needs to adapt these APIs so that it can be properly compiled in the SDK environment of the new version.

**Key API/Component Changes**

API before the change:

```ts
getPublicKey(callback : AsyncCallback<PubKey>) : void;
getPublicKey() : Promise<PubKey>;
```

API after the change:

```ts
getPublicKey() : cryptoFramework.PubKey;
```

**Adaptation Guide**

See the following API reference:
[Certificate](../../../application-dev/reference/apis/js-apis-cert.md)


## cl.security.14 Change of checkValidityWithDate of X509Cert from Asynchronous to Synchronous

**Change Impact**

Behavior of released JavaScript APIs will be changed.
The application needs to adapt these APIs so that it can be properly compiled in the SDK environment of the new version.

**Key API/Component Changes**

API before the change:

```ts
checkValidityWithDate(date: string, callback : AsyncCallback<void>) : void;
checkValidityWithDate(date: string) : Promise<void>;
```

API after the change:

```ts
checkValidityWithDate(date: string) : void;
```

**Adaptation Guide**

See the following API reference:
[Certificate](../../../application-dev/reference/apis/js-apis-cert.md)


## cl.security.15 Change of getCertIssuer of X509CrlEntry from Asynchronous to Synchronous

**Change Impact**

Behavior of released JavaScript APIs will be changed.
The application needs to adapt these APIs so that it can be properly compiled in the SDK environment of the new version.

**Key API/Component Changes**

API before the change:

```ts
getCertIssuer(callback : AsyncCallback<DataBlob>) : void;
getCertIssuer() : Promise<DataBlob>;
```

API after the change:

```ts
getCertIssuer() : DataBlob;
```

**Adaptation Guide**

See the following API reference:
[Certificate](../../../application-dev/reference/apis/js-apis-cert.md)


## cl.security.16 Change of getRevocationDate of X509CrlEntry from Asynchronous to Synchronous

**Change Impact**

Behavior of released JavaScript APIs will be changed.
The application needs to adapt these APIs so that it can be properly compiled in the SDK environment of the new version.

**Key API/Component Changes**

API before the change:

```ts
getRevocationDate(callback : AsyncCallback<string>) : void;
getRevocationDate() : Promise<string>;
```

API after the change:

```ts
getRevocationDate() : string;
```

**Adaptation Guide**

See the following API reference:
[Certificate](../../../application-dev/reference/apis/js-apis-cert.md)


## cl.security.17 Change of isRevoked of X509Crl from Asynchronous to Synchronous

**Change Impact**

Behavior of released JavaScript APIs will be changed.
The application needs to adapt these APIs so that it can be properly compiled in the SDK environment of the new version.

**Key API/Component Changes**

API before the change:

```ts
isRevoked(cert : X509Cert, callback : AsyncCallback<boolean>) : void;
isRevoked(cert : X509Cert) : Promise<boolean>;
```

API after the change:

```ts
isRevoked(cert : X509Cert) : boolean;
```

**Adaptation Guide**

See the following API reference:
[Certificate](../../../application-dev/reference/apis/js-apis-cert.md)


## cl.security.18 Change of getRevokedCert of X509Crl from Asynchronous to Synchronous

**Change Impact**

Behavior of released JavaScript APIs will be changed.
The application needs to adapt these APIs so that it can be properly compiled in the SDK environment of the new version.

**Key API/Component Changes**

API before the change:

```ts
getRevokedCert(serialNumber : number, callback : AsyncCallback<X509CrlEntry>) : void;
getRevokedCert(serialNumber : number) : Promise<X509CrlEntry>;
```

API after the change:

```ts
getRevokedCert(serialNumber : number) : X509CrlEntry;
```

**Adaptation Guide**

See the following API reference:
[Certificate](../../../application-dev/reference/apis/js-apis-cert.md)


## cl.security.19 Change of getRevokedCertWithCert of X509Crl from Asynchronous to Synchronous

**Change Impact**

Behavior of released JavaScript APIs will be changed.
The application needs to adapt these APIs so that it can be properly compiled in the SDK environment of the new version.

**Key API/Component Changes**

API before the change:

```ts
getRevokedCertWithCert(cert : X509Cert, callback : AsyncCallback<X509CrlEntry>) : void;
getRevokedCertWithCert(cert : X509Cert) : Promise<X509CrlEntry>;
```

API after the change:

```ts
getRevokedCertWithCert(cert : X509Cert) : X509CrlEntry;
```

**Adaptation Guide**

See the following API reference:
[Certificate](../../../application-dev/reference/apis/js-apis-cert.md)


## cl.security.20 Change of getTbsInfo of X509Crl from Asynchronous to Synchronous

**Change Impact**

Behavior of released JavaScript APIs will be changed.
The application needs to adapt these APIs so that it can be properly compiled in the SDK environment of the new version.

**Key API/Component Changes**

API before the change:

```ts
getTbsInfo(callback : AsyncCallback<DataBlob>) : void;
getTbsInfo() : Promise<DataBlob>;
```

API after the change:

```ts
getTbsInfo() : DataBlob;
```

**Adaptation Guide**

See the following API reference:
[Certificate](../../../application-dev/reference/apis/js-apis-cert.md)

## cl.security.21 Support of No-Hash Signing Mode for HUKS

Before the change, the application passes **huks.HuksTag.HUKS_TAG_DIGEST = huks.HuksKeyDigest.HUKS_DIGEST_NONE** and HUKS uses **huks.HuksKeyDigest.HUKS_DIGEST_SHA256** for processing by default. After the change, the application passes **huks.HuksTag.HUKS_TAG_DIGEST = huks.HuksKeyDigest.HUKS_DIGEST_NONE** and HUKS does not generate a digest by default. Instead, the service performs a hash operation on the original data and then passes a hashed digest to HUKS for signing or signature verification.

**Change Impact**

Behavior of released JavaScript APIs will be changed.
The application needs to adapt these APIs so that signing and signature verification pass both before and after the change.

**Key API/Component Changes**

Released JavaScript APIs remain unchanged, but parameter sets passed to the APIs are changed.

The service uses the No-Hash signing mode, and hashes the original data and then passes a hashed digest to the signing or signature verification API of HUKS. In addition, the **huks.HuksTag.HUKS_TAG_DIGEST** parameter is set to **huks.HuksKeyDigest.HUKS_DIGEST_NONE**.

**Adaptation Guide**

The following uses signing as an example.

```js
import huks from '@ohos.security.huks';

let keyAlias = 'rsa_Key';
/* SHA-256 digest of the original data (32 bytes) */
let inDataAfterSha256 = new Uint8Array([
    0x4B, 0x1E, 0x22, 0x64, 0xA9, 0x89, 0x60, 0x1D, 0xEC, 0x78, 0xC0, 0x5D, 0xBE, 0x46, 0xAD, 0xCF,
    0x1C, 0x35, 0x16, 0x11, 0x34, 0x01, 0x4E, 0x9B, 0x7C, 0x00, 0x66, 0x0E, 0xCA, 0x09, 0xC0, 0xF3,
]);
/* Signing parameters */
let signProperties = new Array();
signProperties[0] = {
    tag: huks.HuksTag.HUKS_TAG_ALGORITHM,
    value: huks.HuksKeyAlg.HUKS_ALG_RSA,
}
signProperties[1] = {
    tag: huks.HuksTag.HUKS_TAG_PURPOSE,
    value:
        huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_SIGN
}
signProperties[2] = {
    tag: huks.HuksTag.HUKS_TAG_KEY_SIZE,
    value: huks.HuksKeySize.HUKS_RSA_KEY_SIZE_2048,
}
signProperties[3] = {
    tag: huks.HuksTag.HUKS_TAG_DIGEST,
    value: huks.HuksKeyDigest.HUKS_DIGEST_NONE, // Set digest-none.
}
let signOptions = {
    properties: signProperties,
    inData: inDataAfterSha256 // Set the value after hashing.
}

huks.initSession(keyAlias, signOptions);
```

For more information about the sample code, see [HUKS Development](../../../application-dev/security/huks-guidelines.md) and [HUKS](../../../application-dev/reference/apis/js-apis-huks.md).
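
In No-Hash mode the caller is responsible for handing HUKS a real digest, so a pre-flight check on `inData` is worth having. The following is an added example, not part of the original changelog or of OpenHarmony: `noHashOptions` is a hypothetical helper, and `STUB_HUKS` is a constructed stand-in with placeholder values so the block runs without the SDK (pass the real `huks` module in an application).

```js
// Constructed stand-in for '@ohos.security.huks'. The values are placeholders,
// not the real enum values.
const STUB_HUKS = {
  HuksTag: { HUKS_TAG_DIGEST: 'HUKS_TAG_DIGEST' },
  HuksKeyDigest: {
    HUKS_DIGEST_NONE: 'HUKS_DIGEST_NONE',
    HUKS_DIGEST_SHA256: 'HUKS_DIGEST_SHA256',
  },
};

// Output size in bytes of the hash the service applied before calling HUKS.
const DIGEST_BYTES = { SHA256: 32, SHA384: 48, SHA512: 64 };

// The 32-byte digest used in the signing sample of this section.
const PAGE_DIGEST = new Uint8Array([
  0x4B, 0x1E, 0x22, 0x64, 0xA9, 0x89, 0x60, 0x1D, 0xEC, 0x78, 0xC0, 0x5D, 0xBE, 0x46, 0xAD, 0xCF,
  0x1C, 0x35, 0x16, 0x11, 0x34, 0x01, 0x4E, 0x9B, 0x7C, 0x00, 0x66, 0x0E, 0xCA, 0x09, 0xC0, 0xF3,
]);

// Hypothetical helper: builds the options object for a No-Hash session and
// refuses input that cannot be a digest of the named hash.
function noHashOptions(huks, baseProperties, digest, hashName) {
  const expected = DIGEST_BYTES[hashName];
  if (expected === undefined) throw new RangeError(`unknown hash: ${hashName}`);
  if (!(digest instanceof Uint8Array)) throw new TypeError('digest must be a Uint8Array');
  // HUKS does not hash inData in this mode, so a buffer that is not exactly
  // one digest long is raw data or a malformed array.
  if (digest.length !== expected) {
    throw new RangeError(`expected ${expected}-byte ${hashName} digest, got ${digest.length} bytes`);
  }
  const tag = huks.HuksTag.HUKS_TAG_DIGEST;
  const none = huks.HuksKeyDigest.HUKS_DIGEST_NONE;
  // A digest tag other than NONE would ask HUKS to hash the digest again.
  const clash = baseProperties.find((p) => p.tag === tag && p.value !== none);
  if (clash) throw new Error('properties already request a HUKS-side digest');
  const properties = baseProperties.filter((p) => p.tag !== tag);
  properties.push({ tag, value: none });
  return { properties, inData: digest };
}
```

The length check also catches a digest array built without the square brackets, because `new Uint8Array(0x4B, ...)` allocates 75 zero bytes instead of the 32 intended values.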

## cl.security.22 Support for Key Calculation Parameter Specifications During Key Usage

Before the change, all parameters for key calculation must be specified when the application generates a key. After the change, only mandatory parameters need to be specified when the application generates a key, and other parameters can be passed in when the key is used. The application can specify key calculation parameters more flexibly.

**Change Impact**

Behavior of released JavaScript APIs will be changed.

The application can specify only mandatory parameters when creating a key and specify other optional parameters when using the key.

**Key API/Component Changes**

Released JavaScript APIs remain unchanged, but parameter sets passed to the APIs are changed and parameters are classified into mandatory parameters and optional parameters. For details, see [HUKS Development](../../../application-dev/security/huks-guidelines.md).

huks.generateKeyItem

huks.importKeyItem

huks.importWrappedKeyItem

huks.initSession

huks.updateSession

huks.finishSession

**Adaptation Guide**

The following uses the key generation process as an example.

```js
import huks from '@ohos.security.huks';

let keyAlias = 'keyAlias';
let properties = new Array();
// Mandatory parameter.
properties[0] = {
    tag: huks.HuksTag.HUKS_TAG_ALGORITHM,
    value: huks.HuksKeyAlg.HUKS_ALG_RSA
};
// Mandatory parameter.
properties[1] = {
    tag: huks.HuksTag.HUKS_TAG_KEY_SIZE,
    value: huks.HuksKeySize.HUKS_RSA_KEY_SIZE_2048
};
// Mandatory parameter.
properties[2] = {
    tag: huks.HuksTag.HUKS_TAG_PURPOSE,
    value:
        huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_SIGN |
        huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_VERIFY
};
// Optional parameter. If this parameter is not specified when a key is generated, it must be specified when the key is used.
properties[3] = {
    tag: huks.HuksTag.HUKS_TAG_DIGEST,
    value: huks.HuksKeyDigest.HUKS_DIGEST_SHA256
};
let options = {
    properties: properties
};
try {
    huks.generateKeyItem(keyAlias, options, function (error, data) {
        if (error) {
            console.error(`callback: generateKeyItem failed, code: ${error.code}, msg: ${error.message}`);
        } else {
            console.info(`callback: generateKeyItem key success`);
        }
    });
} catch (error) {
    console.error(`callback: generateKeyItem input arg invalid, code: ${error.code}, msg: ${error.message}`);
}
```

For more information about the sample code, see [HUKS Development](../../../application-dev/security/huks-guidelines.md) and [HUKS](../../../application-dev/reference/apis/js-apis-huks.md).
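
The asynchronous-to-synchronous changes in cl.security.16, cl.security.17 and cl.security.19 alter how a revocation check has to be written: the result is now the return value, not a Promise or callback argument. The following is an added example, not part of the original changelog or of OpenHarmony. `StubCrl`, `StubEntry`, the `serial` field and the sample date are constructed stand-ins that mirror only the post-change signatures, and it assumes the synchronous calls report failure by throwing.

```js
// Constructed stand-in for X509CrlEntry (post-change signature only).
class StubEntry {
  constructor(date) { this.date = date; }
  getRevocationDate() { return this.date; }          // string, no Promise
}

// Constructed stand-in for X509Crl. `revoked` maps a certificate's
// hypothetical `serial` field to a revocation date string.
class StubCrl {
  constructor(revoked) { this.revoked = revoked; }
  isRevoked(cert) { return this.revoked.has(cert.serial); }    // boolean
  getRevokedCertWithCert(cert) {
    // Assumption: the synchronous API throws when it cannot return an entry.
    if (!this.revoked.has(cert.serial)) throw new Error('no CRL entry for certificate');
    return new StubEntry(this.revoked.get(cert.serial));
  }
}

// Constructed sample data.
const SAMPLE_CRL = new StubCrl(new Map([[7, '230101000000Z']]));

// Before the change: crl.isRevoked(cert).then(...) or crl.isRevoked(cert, cb).
// After the change the calls return directly, so errors must be caught with
// try/catch and the decision should fail closed.
function checkRevocation(crl, cert) {
  try {
    const revoked = crl.isRevoked(cert);
    if (typeof revoked !== 'boolean') {
      // For example a Promise from an SDK that still has the old signature.
      return { trusted: false, reason: 'unexpected isRevoked() result' };
    }
    if (!revoked) return { trusted: true, reason: 'not revoked' };
    const date = crl.getRevokedCertWithCert(cert).getRevocationDate();
    return { trusted: false, reason: `revoked on ${date}` };
  } catch (err) {
    return { trusted: false, reason: `revocation check failed: ${err.message}` };
  }
}
```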