# 非匿名密钥证明(ArkTS)
2
在使用本功能前,需申请权限:[ohos.permission.ATTEST_KEY](../AccessToken/permissions-for-system-apps.md#ohospermissionattest_key)。请根据应用的APL等级,参考[权限申请](../AccessToken/determine-application-mode.md)中对应的操作路径完成申请。
4
## 开发步骤
6
1. 确定密钥别名keyAlias,密钥别名最大长度为128字节。
8
2. 初始化参数集。
   [HuksOptions](../../reference/apis-universal-keystore-kit/js-apis-huks.md#huksoptions)中properties字段的参数必须包含[HUKS_TAG_ATTESTATION_CHALLENGE](../../reference/apis-universal-keystore-kit/js-apis-huks.md#hukstag)属性,可选参数包含[HUKS_TAG_ATTESTATION_ID_VERSION_INFO](../../reference/apis-universal-keystore-kit/js-apis-huks.md#hukstag),[HUKS_TAG_ATTESTATION_ID_ALIAS](../../reference/apis-universal-keystore-kit/js-apis-huks.md#hukstag)属性。challenge建议使用由证书链验证方下发的一次性随机值,而不是固定字符串,以便验证方识别被重放的证书链。
11
3. 生成非对称密钥,具体请参考[密钥生成](huks-key-generation-overview.md)。
13
4. 将密钥别名与参数集作为参数传入[huks.attestKeyItem](../../reference/apis-universal-keystore-kit/js-apis-huks.md#huksattestkeyitem9)方法中,即可证明密钥。证明结果以证书链的形式返回,应由验证方校验证书链后再信任该密钥。
15
16```ts
17/*
18 * 以下以attestKey的Promise接口操作验证为例
19 */
20import { huks } from '@kit.UniversalKeystoreKit';
21
/*
 * 1. Choose the key alias and prepare the raw byte inputs for attestation.
 *
 * NOTE(review): 'challenge_data' is a fixed placeholder. A constant challenge
 * cannot distinguish a fresh attestation from a replayed certificate chain;
 * in real use, take the challenge bytes from the verifying party as a
 * one-time random value.
 */
const keyAliasString = "key attest";
const aliasString = keyAliasString;
const aliasUint8 = StringToUint8Array(keyAliasString);
const securityLevel = StringToUint8Array('sec_level');
const challenge = StringToUint8Array('challenge_data');
const versionInfo = StringToUint8Array('version_info');
/* Receives the certificate chain returned by a successful attestKeyItem call. */
let attestCertChain: string[];
30
/*
 * Small flag holder passed into the Promise wrappers below so that the caller
 * can tell a synchronous throw from the huks call apart from an error that
 * was reported through the callback.
 */
class throwObject {
  /* Set to true by generateKeyItem / attestKeyItem when the huks call itself throws. */
  isThrow: boolean = false;
}
34
/*
 * Parameter set used when generating the key: RSA, 2048-bit, verify purpose,
 * SHA-256 digest, PSS padding, default generate type, ECB block-mode tag.
 *
 * NOTE(review): the purpose is verify-only and a block-mode tag is set next to
 * PSS padding; confirm both against the intended use of the attested key.
 */
const genKeyProperties: huks.HuksParam[] = [
  { tag: huks.HuksTag.HUKS_TAG_ALGORITHM, value: huks.HuksKeyAlg.HUKS_ALG_RSA },
  { tag: huks.HuksTag.HUKS_TAG_KEY_SIZE, value: huks.HuksKeySize.HUKS_RSA_KEY_SIZE_2048 },
  { tag: huks.HuksTag.HUKS_TAG_PURPOSE, value: huks.HuksKeyPurpose.HUKS_KEY_PURPOSE_VERIFY },
  { tag: huks.HuksTag.HUKS_TAG_DIGEST, value: huks.HuksKeyDigest.HUKS_DIGEST_SHA256 },
  { tag: huks.HuksTag.HUKS_TAG_PADDING, value: huks.HuksKeyPadding.HUKS_PADDING_PSS },
  { tag: huks.HuksTag.HUKS_TAG_KEY_GENERATE_TYPE, value: huks.HuksKeyGenerateType.HUKS_KEY_GENERATE_TYPE_DEFAULT },
  { tag: huks.HuksTag.HUKS_TAG_BLOCK_MODE, value: huks.HuksCipherMode.HUKS_MODE_ECB },
];
/* Options object handed to key generation. */
const genOptions: huks.HuksOptions = { properties: genKeyProperties };
69
/*
 * 2. Parameter set for key attestation: security-level info, challenge,
 * version info and the key alias, each passed as raw bytes.
 *
 * The challenge entry is what ties the returned certificate chain to one
 * attestation request, so its bytes should come from the verifying party
 * rather than from a constant.
 */
const attestKeyproperties: huks.HuksParam[] = [
  { tag: huks.HuksTag.HUKS_TAG_ATTESTATION_ID_SEC_LEVEL_INFO, value: securityLevel },
  { tag: huks.HuksTag.HUKS_TAG_ATTESTATION_CHALLENGE, value: challenge },
  { tag: huks.HuksTag.HUKS_TAG_ATTESTATION_ID_VERSION_INFO, value: versionInfo },
  { tag: huks.HuksTag.HUKS_TAG_ATTESTATION_ID_ALIAS, value: aliasUint8 },
];
/* Options object handed to key attestation. */
const huksOptions: huks.HuksOptions = { properties: attestKeyproperties };
92
/*
 * Converts a string to bytes by storing each UTF-16 code unit in one byte.
 *
 * Only the low 8 bits of each code unit survive the Uint8Array store, so the
 * result is faithful for code units up to 0xFF only. Distinct non-ASCII
 * strings can map to the same bytes; keep aliases and other inputs ASCII.
 */
function StringToUint8Array(str: string) {
  const unitCount = str.length;
  const bytes = new Uint8Array(unitCount);
  let index = 0;
  while (index < unitCount) {
    // The typed-array store keeps the code unit modulo 256.
    bytes[index] = str.charCodeAt(index);
    index += 1;
  }
  return bytes;
}
100
/*
 * Promise wrapper around the callback form of huks.generateKeyItem.
 *
 * Resolves when the callback reports no error and rejects with the callback
 * error otherwise. If the huks call throws synchronously, throwObject.isThrow
 * is set and the error is rethrown inside the executor, which rejects the
 * returned promise with that error.
 */
function generateKeyItem(keyAlias: string, huksOptions: huks.HuksOptions, throwObject: throwObject) {
  return new Promise<void>((onDone, onFailure) => {
    try {
      huks.generateKeyItem(keyAlias, huksOptions, (err, result) => {
        if (!err) {
          onDone(result);
          return;
        }
        onFailure(err);
      });
    } catch (syncError) {
      // Record that the failure came from the call itself, not from the callback.
      throwObject.isThrow = true;
      throw (syncError as Error);
    }
  });
}
117
/*
 * 3. Generate the key.
 *
 * Awaits generateKeyItem and logs the outcome. Errors are logged, never
 * rethrown: a synchronous throw from the huks call is reported as
 * "input arg invalid", any other rejection as "failed".
 */
async function publicGenKeyFunc(keyAlias: string, huksOptions: huks.HuksOptions) {
  console.info(`enter promise generateKeyItem`);
  const syncThrowFlag: throwObject = { isThrow: false };
  try {
    await generateKeyItem(keyAlias, huksOptions, syncThrowFlag).then((data) => {
      console.info(`promise: generateKeyItem success, data = ${JSON.stringify(data)}`);
    });
  } catch (error) {
    if (!syncThrowFlag.isThrow) {
      console.error(`promise: generateKeyItem failed, ${JSON.stringify(error)}`);
      return;
    }
    console.error(`promise: generateKeyItem input arg invalid, ${JSON.stringify(error)}`);
  }
}
138
/*
 * 4. Attest the key.
 *
 * Promise wrapper around the callback form of huks.attestKeyItem. Resolves
 * with the callback result when no error is reported and rejects with the
 * callback error otherwise. If the huks call throws synchronously,
 * throwObject.isThrow is set and the error is rethrown inside the executor,
 * which rejects the returned promise with that error.
 */
function attestKeyItem(keyAlias: string, huksOptions: huks.HuksOptions, throwObject: throwObject) {
  return new Promise<huks.HuksReturnResult>((onResult, onFailure) => {
    try {
      huks.attestKeyItem(keyAlias, huksOptions, (err, result) => {
        if (!err) {
          onResult(result);
          return;
        }
        onFailure(err);
      });
    } catch (syncError) {
      // Record that the failure came from the call itself, not from the callback.
      throwObject.isThrow = true;
      throw (syncError as Error);
    }
  });
}
156
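/*
 * Attests the key stored under keyAlias and, on success, saves the returned
 * certificate chain in the module-level attestCertChain.
 *
 * Errors are logged, never rethrown: a synchronous throw from the huks call
 * is reported as "input arg invalid", any other rejection as "failed". On any
 * failure attestCertChain is left untouched, so callers must not treat its
 * current value as the result of this call.
 *
 * NOTE(review): the success log prints the whole result, certificate chain
 * included. For non-anonymous attestation the chain may carry
 * device-identifying fields; confirm this is acceptable outside a sample.
 */
async function publicAttestKey(keyAlias: string, huksOptions: huks.HuksOptions) {
  console.info(`enter promise attestKeyItem`);
  let throwObject: throwObject = { isThrow: false };
  try {
    const data = await attestKeyItem(keyAlias, huksOptions, throwObject);
    console.info(`promise: attestKeyItem success, data = ${JSON.stringify(data)}`);
    if (data !== null && data !== undefined) {
      const chain = data.certChains;
      // A bare `!== null` test lets `undefined` through; only store a chain that is really present.
      if (chain !== null && chain !== undefined) {
        attestCertChain = chain;
      }
    }
  } catch (error) {
    if (throwObject.isThrow) {
      console.error(`promise: attestKeyItem input arg invalid, ${JSON.stringify(error)}`);
    } else {
      console.error(`promise: attestKeyItem failed, ${JSON.stringify(error)}`);
    }
  }
}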
179
/*
 * Sample entry point: generate the key, attest it, then log the certificate
 * chain held in attestCertChain.
 *
 * Both helpers log their errors instead of rethrowing, so the final log line
 * runs even when generation or attestation failed; attestCertChain is then
 * whatever it held before the call.
 */
async function AttestKeyTest() {
  await publicGenKeyFunc(aliasString, genOptions);
  await publicAttestKey(aliasString, huksOptions);
  console.info(`attest certChain data: ${attestCertChain}`);
}
185```
186