DEV Community

SameX
SameX

Posted on

鸿蒙HarmonyOS深入Device Certificate Kit API:从集成到实战

本文旨在深入探讨华为鸿蒙HarmonyOS Next系统(截止目前API12)的技术细节,基于实际开发实践进行总结。主要作为技术分享与交流载体,难免错漏,欢迎各位同仁提出宝贵意见和问题,以便共同进步。本文为原创内容,任何形式的转载必须注明出处及原作者。

在鸿蒙系统的开发之旅中,Device Certificate Kit的API就像是一把把神奇的钥匙,能够帮助开发者打开设备安全的大门。今天,咱们就深入研究一下这些API,看看如何巧妙地调用和集成它们,让我们的应用更加安全可靠。

首先,咱们来认识一下Device Certificate Kit的一些核心API。比如说,在证书管理方面,有installPrivateCertificate用于安装私有凭据,它需要传入凭据数据(keystore)、密码(keystorePwd)以及证书别名(certAlias)等参数。这就好比你要把一个重要文件放进保险柜,需要提供文件本身、保险柜密码以及给文件起个容易识别的名字。调用示例如下:

import { certificateManager } from '@kit.DeviceCertificateKit';
import { BusinessError } from '@kit.BasicServicesKit';

// 假设的凭据数据
let keystore: Uint8Array = new Uint8Array([0x30, 0x82, 0x04, 0x6a, 0x02, 0x01]);
let keystorePwd: string = '123456';
let appKeyUri: string = '';

try {
    const res: certificateManager.CMResult = await certificateManager.installPrivateCertificate(keystore, keystorePwd, "testPriCredential");
    appKeyUri = (res.uri!= undefined)? res.uri : '';
} catch (err) {
    let e: BusinessError = err as BusinessError;
    console.error(`Failed to install private certificate. Code: ${e.code}, message: ${e.message}`);
}
Enter fullscreen mode Exit fullscreen mode

再比如getPrivateCertificate用于获取私有凭据,通过传入证书的标识(keyUri)来获取相应的证书信息。这就像是你在图书馆根据图书编号查找特定的书籍一样。

在证书验证方面,有verify方法。以X509证书验证为例,需要先获取证书中的公钥,然后使用verify方法传入公钥和相关数据进行验证。就像你在验证一个人的身份时,需要查看他的身份证(公钥)是否真实有效。

下面是一个更完整的设备证书API调用示例,涵盖了初始化、管理、验证等一系列操作。假设我们要创建一个证书链并进行验证:

import { cert } from '@kit.DeviceCertificateKit';
import { BusinessError } from '@kit.BasicServicesKit';
import { util } from '@kit.ArkTS';

// 证书链数据(示例,需根据实际情况替换)
let certChainData = "-----BEGIN CERTIFICATE-----\n" +
"MIID6jCCAtKgAwIBAgIIIM2q/TmRoLcwDQYJKoZIhvcNAQELBQAwWjELMAkGA1\n" +
"UEBhMCRU4xEDAOBgNVBAgTB0VuZ2xhbmQxDzANBgNVBAcTBkxvbmRvbjEMMA\n" +
"oGA1UEChMDdHMyMQwwCgYDVQQLEwN0czIxDDAKBgNVBAMTA3RzMjAeFw0yMzEy\n" +
"MDUwNzM5MDBaFw0yNDEwMzEyMzU5MDBaMGExCzAJBgNVBAYTAkNOMRAwDgYDVQQI\n" +
"EwdKaWFuZ3N1MRAwDgYDVQQHEwdOYW5qaW5nMQwwCgYDVQQKEwN0czMxDDAKBg\n" +
"NVBAsTA3RzMzESMBAGA1UEAxMJMTI3LjAuMC4xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\n" +
"MIIBCgKCAQEAtt+2QxUevbolYLp51QGcUpageI4fwGLIqv4fj4aoVnHFOOBqVOVpfCLR\n" +
"p26LFV/F8ebwPyo8YEBKSwXzMD1573rMSbaH9BalscH5lZYAbetXoio6YRvzlcmc\n" +
"rVvLBNMeVnxY86xHpo0MTNyP7W024rZsxWO98xFQVdoiaBC+7+midlisx2Y+7u0\n" +
"zT9GjeUP6JLdLFUZJKUPSTK3jVzw9v1eZQZKYoNfU6vFMd6ndtwW6qEnwpzmmX\n" +
"/UT+p5ThAMH593zszlz330nTSXBjIsGkyvOz9gSB0Z0LAuJj06XUNhGL5xKJYKbdI3\n" +
"8MFQFJKvRHfgTAvVsvAvpBUM2DuBKwIDAQABo4GsMIGpMAkGA1UdEwQCMAA\n" +
"wHQYDVR0OBBYEFDfsHTMZwoA6eaDFlBUyDpka+sYtMAsGA1UdDwQEAwID+DAnBgN\n" +
"VHSUEIDAeBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMEMBQGA1UdEQQNM\n" +
"AuCCTEyNy4wLjAuMTARBglghkgBhvhCAQEEBAMCBkAwHgYJYIZIAYb4QgENBBEWD3hj\n" +
"YSBjZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOCAQEAp5vTvXrt8ZpgRJVtzv9ss0lJ\n" +
"izp1fJf+ft5cDXrs7TSD5oHrSW2vk/ZieIMhexU4LFwhs4OE7jK6pgI48Dseqxx7\n" +
"B/KktxhVMJUmVXd9Ayjp6f+BtZlIk0cArPuoXToXjsV8caTGBXHRdzxpAk/w9syc\n" +
"GYrbH9TrdNMuTizOb+k268oKXUageZNxHmd7YvOXkcNgrd29jzwXKDYYiUa1DI\n" +
"SzDnYaJOgPt0B/5izhoWNK7GhJDy9KEuLURcTSWFysbbnljwO9INPT9MmlS83PdAg\n" +
"NiS8VXF4pce1W9U5jH7d7k0JDVSXybebe1iPFphsZpYM/NE+jap+mPy1nTCbf9g==\n" +
"-----END CERTIFICATE-----\n" +
"-----BEGIN CERTIFICATE-----\n" +
"MIIC0zCCAoWgAwIBAgIIXpLoPpQVWnkwBQYDK2VwMFoxCzAJBgNVBAYTAkV\n" +
"OMRAwDgYDVQQIEwdFbmdsYW5kMQ8wDQYDVQQHEwZMb25kb24xDDAKBgNVBAoT\n" +
"A3RzMTEMMAoGA1UECxMDdHMxMQwwCgYDVQQDEwN0czEwHhcNMjMxMjA1MDczNzA\n" +
"wWhcNMjQwOTAxMjM1OTAwWjBaMQswCQYDVQQGEwJFTjEQMA4GA1UECBMHRW5nbGFu\n" +
"ZDEPMA0GA1UEBxMGTG9uZG9uMQwwCgYDVQQKEwN0czIxDDAKBgNVBAsTA3RzMjEMM\n" +
"AoGA1UEAxMDdHMyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtt+2QxUev\n" +
"bolYLp51QGcUpageI4fwGLIqv4fj4aoVnHFOOBqVOVpfCLRp26LFV/F8ebwPyo8YEBK\n" +
"SwXzMD1573rMSbaH9BalscH5lZYAbetXoio6YRvzlcmcrVvLBNMeVnxY86xHpo0\n" +
"MNTyP7W024rZsxWO98xFQVdoiaBC+7+midlisx2Y+7u0jzT9GjeUP6JLdLFUZJKUP\n" +
"STK3jVzw9v1eZQZKYoNfU6vFMd6ndtwW6qEnwpzmmX/UT+p5ThAMH593zszlz\n" +
"330nTSXBjIsGkyvOz9gSB0Z0LAuJj06XUNhGL5xKJYKbdI38MFQFJKvRHfgTAvVsvAv\n" +
"pBUM2DuBKwIDAQABo28wbTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBQ3\n" +
"7B0zGcKAOnmgxZQVMg6ZGvrGLTALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAg\n" +
"AHMB4GCGCGSAGG+EIBDQQRFg94Y2EgY2VydGlmaWNhdGUwBQYDK2VwA0EAuasLBe\n" +
"55YgvFb4wmHeohylc9r8cFGS1LNQ5UcSn3sGqMYf6ehnef16NLuCW6upHCs8Sui4iAMvs\n" +
"uKPWR9dKBA==\n" +
"-----END CERTIFICATE-----\n" +
"-----BEGIN CERTIFICATE-----\n" +
"MIIB3zCCAZGgAwIBAgIIWQvOEDl+ya4wBQYDK2VwMFoxCzAJBgNVBAYTAkVO\n" +
"MRAwDgYDVQQIEwdFbmdsYW5kMQ8wDQYDVQQHEwZMb25kb24xDDAKBgNVBAoT\n" +
"A3RzMTEMMAoGA1UECxMDdHMxMQwwCgYDVQQDEwN0czEwHhcNMjMxMjA1MDAwMD\n" +
"AwWhcNMjQxMjA0MjM1OTU5WjBaMQswCQYDVQQGEwJFTjEQMA4GA1UECBMHRW5nbGFuZ\n" +
"DEPMA0GA1UEBxMGTG9uZG9uMQwwCgYDVQQKEwN0czExDDAKBgNVBAsTA3RzMTEM\n" +
"AoGA1UEAxMDdHMxMCowBQYDK2VwAyEAuxadj1ww0LqPN24zr28jcSOlSWAe0QdLyRF+Z\n" +
"gG6klKjdTBzMBIGA1UdEwEB/wQIMAYBAf8CARQwHQYDVR0OBBYEFNSgpoQvfxR8\n" +
"A1Y4St8NjOHkRpm4MAsGA1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAAcwHgYJ\n" +
"YIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZpY2F0ZTAFBgMrZXADQQAblBgoa72X/K13W\n" +
"OvcKW0fqBgFKvLy85hWD6Ufi61k4ProQiZzMK+0+y9jReKelPx/zRdCCgSbQroAR2mV\n" +
"xjoE\n" +
"-----END CERTIFICATE-----\n";

// 证书链校验数据(示例,需根据实际情况替换)
const param: cert.CertChainValidationParameters = {
    date: '20231212080000Z',
    trustAnchors: [{
        CAPubKey: new Uint8Array([0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70,
            0x03, 0x21, 0x00, 0xbb, 0x16, 0x9d, 0x8f, 0x5c, 0x30, 0xd0, 0xba, 0x8f, 0x37, 0x6e,
            0x33, 0xaf, 0x6f, 0x23, 0x71, 0x23, 0xa5, 0x49, 0x60, 0x1e, 0xd1, 0x07, 0x4b, 0xc9,
            0x11, 0x7e, 0x66, 0x01, 0xba, 0x92, 0x52]),
        CASubject: new Uint8Array([0x30, 0x5a, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
            0x04, 0x06, 0x13, 0x02, 0x45, 0x4e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04,
            0x08, 0x13, 0x07, 0x45, 0x6e, 0x67, 0x6c, 0x61, 0x6e, 0x64, 0x31, 0x0f, 0x30, 0x0d,
            0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x06, 0x4c, 0x6f, 0x6e, 0x64, 0x6f, 0x6e, 0x31,
            0x0c, 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x03, 0x74, 0x73, 0x31, 0x31,
            0x0c, 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x03, 0x74, 0x73, 0x31, 0x31,
            0x0c, 0x30, 0x0a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x03, 0x74, 0x73, 0x31])
    }]
};

let textEncoder = new util.TextEncoder();
const encodingBlob: cert.EncodingBlob = {
    data: textEncoder.encodeInto(certChainData),
    encodingFormat: cert.EncodingFormat.FORMAT_PEM
};

let x509CertChain: cert.X509CertChain = {} as cert.X509CertChain;

try {
    x509CertChain = await cert.createX509CertChain(encodingBlob);
} catch (err) {
    let e: BusinessError = err as BusinessError;
    console.error(`createX509CertChain failed, errCode: ${e.code}, errMsg: ${e.message}`);
}

try {
    let certList = x509CertChain.getCertList();
} catch (err) {
    let e: BusinessError = err as BusinessError;
    console.error(`X509CertChain getCertList failed, errCode: ${e.code}, errMsg: ${e.message}`);
}
try {
    const validationRes = await x509CertChain.validate(param);
    console.log('X509CertChain validate success');
} catch (err) {
    console.error('X509CertChain validate failed');
}
Enter fullscreen mode Exit fullscreen mode

在使用这些API的过程中,我们可能会遇到一些常见错误。比如,参数传递错误,可能会导致API调用失败。就像你给一个函数传入了错误类型的参数,函数当然不知道该怎么处理啦。这时,我们需要仔细检查参数的类型、格式以及取值范围是否符合API的要求。另外,权限不足也可能是一个问题。如果没有正确配置相关权限,API调用可能会被系统拒绝。这就好比你没有钥匙却想打开一扇门,那肯定是不行的。我们需要确保在module.json5文件中正确配置了ohos.permission.ACCESS_CERT_MANAGER权限等相关权限。

为了让大家更方便地了解Device Certificate Kit的常用API,下面是一个API列表和功能说明表格:

API名称 功能说明 参数说明
installPrivateCertificate 安装私有凭据 keystore(凭据数据)、keystorePwd(密码)、certAlias(证书别名)
getPrivateCertificate 获取私有凭据 keyUri(证书标识)
createX509CertChain 创建X509证书链对象 证书链数据(encodingBlob
getCertList 获取证书链中的证书列表 无(针对已创建的证书链对象)
validate 校验证书链 校验参数(param,包含日期、信任锚等信息)

总之,掌握Device Certificate Kit的API调用和集成是构建安全可靠鸿蒙应用的关键一步。通过合理使用这些API,我们能够有效地管理证书,保障设备之间的通信安全。就像熟练的工匠使用各种工具打造出精美的作品一样,开发者们也可以利用这些API打造出安全稳定的鸿蒙应用。希望大家在实际开发中多实践、多探索,如果遇到问题,不要轻易放弃,参考文档、仔细排查,相信你一定能够顺利解决问题,让你的应用在鸿蒙生态中绽放光彩。加油哦,各位开发者小伙伴们!

Top comments (0)