1# HUKS Changelog
2
3OpenHarmony 4.0.6.1 has the following changes.
4
5## cl.huks.1 Change of the Permission for Using attestKeyItem
6
7The **attestKeyItem** interface attests a key using a public key encapsulated based on the device certificate chain. Any arbitrary export of the device certificate increases the risks on user privacy. Therefore, certain permissions are required for using this interface.
8
9**Change Impact**
10
11Applications without the **ohos.permission.ACCESS_IDS** permission or the system_basic or system_core permission cannot call **attestKeyItem()**.
12
13**Key API/Component Changes**
14
15- Involved APIs:
16
17  attestKeyItem(keyAlias: string, options: HuksOptions, callback: AsyncCallback\<HuksReturnResult\>): void;
18  attestKeyItem(keyAlias: string, options: HuksOptions): Promise\<HuksReturnResult\>;
19
20- Before change:
21
22  The AccessToken permission is verified only for the applications that pass in a tag related to **ATTESTATION_ID**.
23
24
25- After change:
26
27  **attestKeyItem()** can be called only by a system application with the system_basic or system_core permission or an application with the **ohos.permission.ACCESS_IDS** permission.
28
29**Adaptation Guide**
30
31Applications with the system_basic or system_core permission can call **attestKeyItem()**. If an application with the normal permission needs to call **attestKeyItem()**, it must have the **ohos.permission.ACCESS_IDS** permission. For details about how to apply for the permission, see [ACL](../../../application-dev/security/accesstoken-overview.md#acl).
32
33## cl.huks.2 Resolved the Issues in Storage or Export of Derived or Agreed Keys
34
35Before the change, the HUKS supports storage and export of derived keys and agreed keys, which poses security risks.
36
37After the change, the application needs to pass in **HuksKeyStorageType** for key derivation or key agreement. Only storage or export is allowed at a time. If this parameter is not passed in, both storage and export are supported by default, which poses security risks and is not recommended.
38
39**Change Impact**
40
41Behaviors of released JavaScript APIs have been changed.
42
43**Key API/Component Changes**
44
45Released JavaScript APIs remain unchanged, but the parameter set passed to the APIs are changed.
46
47**Adaptation Guide**
48
49For more information, see [HUKS Development](../../../application-dev/security/huks-guidelines.md) and [HUKS](../../../application-dev/reference/apis/js-apis-huks.md).
50