diff --git a/README.md b/README.md
index 7af11747eb90c665fbd0f33c01e225a62bb7963b..8619920f458611757d0703b00346f5e5745705b2 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,11 @@
- 证书安装。使用者可以通过安装接口,传入证书文件或密钥库文件,实现证书的安装。
- 证书存储。证书管理模块将用户传入的证书、或设备端生成的证书,存储在/data/service/el1/public/cert_manager_service/certificates目录下,并使用UserID和UID对证书进行隔离。对应的密钥会存储在HUKS模块中。
- 证书使用。通过查询对应的证书,使用者可获取到证书文件进行业务相关操作。
-- 证书销毁。删除接口允许使用者,批量或单张销毁存储在证书管理中的证书,相对应的密钥也会在HUKS模块中被删除
+- 证书销毁。删除接口允许使用者,批量或单张销毁存储在证书管理中的证书,相对应的密钥也会在HUKS模块中被删除。
+
+通过使用方式,可以将证书分为如下两类:
+- CA证书。只含有公钥,适用于验签或认证对端身份。
+- 业务证书。含有公钥、私钥,适用于业务场景的签名和验签。
## 目录
@@ -24,7 +28,7 @@
base/security/certificate_manager/
├── config # 系统根证书文件
├── frameworks # 框架代码, 作为基础功能目录, 被interfaces和services使用
-├── interfaces # 接口API代码
+├── interfaces # 接口代码
│ └── innerkits # c接口代码
│ └── kits # napi代码
├── services # 服务层代码
diff --git a/figures/zh-cn_certificate_manager_architecture.png b/figures/zh-cn_certificate_manager_architecture.png
index a360f067b314677492c5faddb77d2efd84a88742..914545ecb44d5b2c420c8ff618439d38759433d1 100644
Binary files a/figures/zh-cn_certificate_manager_architecture.png and b/figures/zh-cn_certificate_manager_architecture.png differ
diff --git a/interfaces/kits/js/@ohos.security.certManager.d.ts b/interfaces/kits/js/@ohos.security.certManager.d.ts
index dc80ab842de24e44f5e6d6972604fa6d32f672a3..adf24c4a0a3c5ffe5033e03cee686bf5204e1eea 100644
--- a/interfaces/kits/js/@ohos.security.certManager.d.ts
+++ b/interfaces/kits/js/@ohos.security.certManager.d.ts
@@ -16,16 +16,16 @@
import {AsyncCallback} from './basic';
/**
- * OpenHarmony Universal CertManager
+ * OpenHarmony Universal CertificateManager
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @permission N/A
*/
-declare namespace certManager {
+declare namespace CertificateManager {
/**
* Get a list of system root certificates.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @param context Indicates the context of the calling interface application.
* @permission ohos.permission.ACCESS_CERT_MANAGER
*/
@@ -35,7 +35,7 @@ declare namespace certManager {
/**
* Get the detail of system root certificate.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @param context Indicates the context of the calling interface application.
* @param certUri Indicates the certificate's name.
* @permission ohos.permission.ACCESS_CERT_MANAGER
@@ -46,7 +46,7 @@ declare namespace certManager {
/**
* Set the status of root certificates.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @param context Indicates the context of the calling interface application.
* @param certUri Indicates the certificate's name.
* @param store Indicates the type of certificate.
@@ -54,13 +54,13 @@ declare namespace certManager {
* @permission ohos.permission.ACCESS_CERT_MANAGER_INTERNAL
* @systemapi Hide this for inner system use
*/
- function setCertificateStatus(context: CMContext, certUri: string, store: number, status: boolean, callback: AsyncCallback) : void;
- function setCertificateStatus(context: CMContext, certUri: string, store: number, status: boolean) : Promise;
+ function setCertificateStatus(context: CMContext, certUri: string, store: number, status: boolean, callback: AsyncCallback) : void;
+ function setCertificateStatus(context: CMContext, certUri: string, store: number, status: boolean) : Promise;
/**
* Install the user root certificate.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @param certificate Indicates the certificate file.
* @permission ohos.permission.ACCESS_CERT_MANAGER_INTERNAL
* @systemapi Hide this for inner system use
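Review bot: The `setCertificateStatus` overloads rewritten in this hunk still declare `callback: AsyncCallback` and a bare `Promise` return with no type argument; `Promise` without a type argument does not type-check (TS2314), and if `AsyncCallback` from ./basic is generic as in the other OpenHarmony declaration files it needs one as well. The same untyped pair is touched by this commit in `uninstallAllUserTrustedCertificate`, `uninstallUserTrustedCertificate`, `updatePrivateCertificate`, `uninstallAllAppCertificate`, `uninstallAppCertificate`, `uninstallPrivateCertificate`, `isAuthorizedApp`, `removeGrantedAppCertificate`, `init`, `update`, `finish` and `abort`, so one pass could pin the result type, e.g. `function setCertificateStatus(context: CMContext, certUri: string, store: number, status: boolean, callback: AsyncCallback<CMResult>): void;` and `function setCertificateStatus(context: CMContext, certUri: string, store: number, status: boolean): Promise<CMResult>;`, using `CMResult` only where that is actually the payload delivered and the concrete type (`void`, `boolean`) elsewhere. `store: number` is documented only as "the type of certificate", which leaves callers guessing at accepted values; a literal union or an enum alongside `CMErrorCode` in the namespace would make them discoverable. The enclosing `declare namespace` begins and ends outside this hunk.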
@@ -71,28 +71,28 @@ declare namespace certManager {
/**
* Uninstall all user root certificates.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @permission ohos.permission.ACCESS_CERT_MANAGER_INTERNAL
* @systemapi Hide this for inner system use
*/
- function uninstallAllUserTrustedCertificate(callback: AsyncCallback) : void;
- function uninstallAllUserTrustedCertificate() : Promise;
+ function uninstallAllUserTrustedCertificate(callback: AsyncCallback) : void;
+ function uninstallAllUserTrustedCertificate() : Promise;
/**
* Uninstall the specified user root certificate.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @param certUri Indicates the certificate's name.
* @permission ohos.permission.ACCESS_CERT_MANAGER_INTERNAL
* @systemapi Hide this for inner system use
*/
- function uninstallUserTrustedCertificate(certUri: string, callback: AsyncCallback) : void;
- function uninstallUserTrustedCertificate(certUri: string) : Promise;
+ function uninstallUserTrustedCertificate(certUri: string, callback: AsyncCallback) : void;
+ function uninstallUserTrustedCertificate(certUri: string) : Promise;
/**
* Get a list of user root certificates.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @permission ohos.permission.ACCESS_CERT_MANAGER
*/
function getUserTrustedCertificateList(callback: AsyncCallback) : void;
@@ -101,7 +101,7 @@ declare namespace certManager {
/**
* Get the detail of user root certificate.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @param certUri Indicates the certificate's name.
* @permission ohos.permission.ACCESS_CERT_MANAGER
*/
@@ -111,7 +111,7 @@ declare namespace certManager {
/**
* Install normal application certificate.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @param keystore Indicates the keystore file with key pair and certificate.
* @param keystorePwd Indicates the password of keystore file.
* @param certAlias Indicates the certificate name inputted by the user.
@@ -124,7 +124,7 @@ declare namespace certManager {
/**
* Install private application certificate.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @param keystore Indicates the keystore file with key pair and certificate.
* @param keystorePwd Indicates the password of keystore file.
* @param certAlias Indicates the certificate name inputted by the user.
@@ -136,7 +136,7 @@ declare namespace certManager {
/**
* Generate private application certificate locally.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @param keyAlias Indicates the key alias inputted by the user.
* @param keyProperties Indicates the properties of keys in keystore file.
* @permission ohos.permission.ACCESS_CERT_MANAGER
@@ -147,50 +147,50 @@ declare namespace certManager {
/**
* Update private application certificate.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @param type Indicates the type of the certificate used.
* @param keyUri Indicates key's name.
* @param certificate Indicates the certificate file.
* @permission ohos.permission.ACCESS_CERT_MANAGER
*/
- function updatePrivateCertificate(type: string, keyUri: string, certificate: CertBlob, callback: AsyncCallback) : void;
- function updatePrivateCertificate(type: string, keyUri: string, certificate: CertBlob) : Promise;
+ function updatePrivateCertificate(type: string, keyUri: string, certificate: CertBlob, callback: AsyncCallback) : void;
+ function updatePrivateCertificate(type: string, keyUri: string, certificate: CertBlob) : Promise;
/**
* Uninstall all application certificate.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @permission ohos.permission.ACCESS_CERT_MANAGER_INTERNAL
* @systemapi Hide this for inner system use
*/
- function uninstallAllAppCertificate(callback: AsyncCallback) : void;
- function uninstallAllAppCertificate() : Promise;
+ function uninstallAllAppCertificate(callback: AsyncCallback) : void;
+ function uninstallAllAppCertificate() : Promise;
/**
* Uninstall the specified normal application certificate.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @param keyUri Indicates key's name.
* @permission ohos.permission.ACCESS_CERT_MANAGER_INTERNAL
* @systemapi Hide this for inner system use
*/
- function uninstallAppCertificate(keyUri: string, callback: AsyncCallback) : void;
- function uninstallAppCertificate(keyUri: string) : Promise;
+ function uninstallAppCertificate(keyUri: string, callback: AsyncCallback) : void;
+ function uninstallAppCertificate(keyUri: string) : Promise;
/**
* Uninstall the specified normal application certificate.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @param keyUri Indicates key's name.
* @permission ohos.permission.ACCESS_CERT_MANAGER
*/
- function uninstallPrivateCertificate(keyUri: string, callback: AsyncCallback) : void;
- function uninstallPrivateCertificate(keyUri: string) : Promise;
+ function uninstallPrivateCertificate(keyUri: string, callback: AsyncCallback) : void;
+ function uninstallPrivateCertificate(keyUri: string) : Promise;
/**
* Get a list of normal application certificates.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @permission ohos.permission.ACCESS_CERT_MANAGER_INTERNAL
* @systemapi Hide this for inner system use
*/
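Review bot: The doc comment above `uninstallPrivateCertificate` reads "Uninstall the specified normal application certificate", which is a copy of the `uninstallAppCertificate` summary just above it and describes the wrong API; it should say `* Uninstall the specified private application certificate.`. The summary above `uninstallAllAppCertificate` has the same copy-and-paste flavour ("Uninstall all application certificate") and would read better as `* Uninstall all application certificates.`. Both comments are inside the hunk the commit is already rewriting, so the fix costs nothing extra here.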
@@ -200,7 +200,7 @@ declare namespace certManager {
/**
* Get a list of private application certificates.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @permission ohos.permission.ACCESS_CERT_MANAGER_INTERNAL
* @systemapi Hide this for inner system use
*/
@@ -210,7 +210,7 @@ declare namespace certManager {
/**
* Get the detail of normal application certificate.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @param keyUri Indicates key's name.
* @permission ohos.permission.ACCESS_CERT_MANAGER
*/
@@ -220,7 +220,7 @@ declare namespace certManager {
/**
* Get the detail of private application certificate.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @param keyUri Indicates key's name.
* @permission ohos.permission.ACCESS_CERT_MANAGER
*/
@@ -230,7 +230,7 @@ declare namespace certManager {
/**
* Authorize the specified application certificate for the specified application.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @param keyUri Indicates key's name.
* @param clientAppUid Indicates the uid of the authorized application.
* @permission ohos.permission.ACCESS_CERT_MANAGER_INTERNAL
@@ -242,17 +242,17 @@ declare namespace certManager {
/**
* Whether the current application is authorized by the specified application certificate.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @param keyUri Indicates key's name.
* @permission ohos.permission.ACCESS_CERT_MANAGER
*/
- function isAuthorizedApp(keyUri: string, callback: AsyncCallback) : void;
- function isAuthorizedApp(keyUri: string) : Promise;
+ function isAuthorizedApp(keyUri: string, callback: AsyncCallback) : void;
+ function isAuthorizedApp(keyUri: string) : Promise;
/**
* Get the list of applications authorized by the specified certificate.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @param keyUri Indicates key's name.
* @permission ohos.permission.ACCESS_CERT_MANAGER_INTERNAL
* @systemapi Hide this for inner system use
@@ -263,62 +263,60 @@ declare namespace certManager {
/**
* Deauthorize the specified application from the specified application certificate.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @param keyUri Indicates key's name.
* @param clientAppUid Indicates the uid of the deauthorized application.
* @permission ohos.permission.ACCESS_CERT_MANAGER_INTERNAL
* @systemapi Hide this for inner system use
*/
- function removeGrantedAppCertificate(keyUri: string, clientAppUid: string, callback: AsyncCallback) : void;
- function removeGrantedAppCertificate(keyUri: string, clientAppUid: string) : Promise;
+ function removeGrantedAppCertificate(keyUri: string, clientAppUid: string, callback: AsyncCallback) : void;
+ function removeGrantedAppCertificate(keyUri: string, clientAppUid: string) : Promise;
/**
* Init operation for signing and verifying etc.
* @since 9
- * @syscap SystemCapability.Security.CertManager
+ * @syscap SystemCapability.Security.CertificateManager
* @param authUri Indicates the authorization relationship between application and application certificate.
* @param spec Indicates the properties of the signature and verification..
* @return The handle of the init Operation.
* @permission ohos.permission.ACCESS_CERT_MANAGER
*/
- function init(authUri: string, spec: CMSignatureSpec, callback: AsyncCallback) : void;
+ function init(authUri: string, spec: CMSignatureSpec, callback: AsyncCallback) : void;
function init(authUri: string, spec: CMSignatureSpec) : Promise;
/**
* Update operation for signing and verifying etc.
* @since 9
- * @syscap SystemCapability.Security.Huks
+ * @syscap SystemCapability.Security.CertificateManager
* @param handle Indicates the handle of the init operation.
* @param data Indicates the input value.
* @param token Indicates the value of token.
* @permission ohos.permission.ACCESS_CERT_MANAGER
*/
- function update(handle: number, data: Uint8Array, callback: AsyncCallback) : void;
- function update(handle: number, data: Uint8Array, token: Uint8Array, callback: AsyncCallback) : void;
- function update(handle: number, data: Uint8Array, token?: Uint8Array) : Promise;
-
+ function update(handle: Uint8Array, data: Uint8Array, callback: AsyncCallback) : void;
+ function update(handle: Uint8Array, data: Uint8Array) : Promise;
/**
* Finish operation for signing and verifying etc.
* @since 9
- * @syscap SystemCapability.Security.Huks
+ * @syscap SystemCapability.Security.CertificateManager
* @param handle Indicates the handle of the init operation.
* @param signature Indicates the sign data.
* @permission ohos.permission.ACCESS_CERT_MANAGER
*/
- function finish(handle: number, callback: AsyncCallback) : void;
- function finish(handle: number, signature: Uint8Array, callback: AsyncCallback) : void;
- function finish(handle: number, signature?: Uint8Array) : Promise;
+ function finish(handle: Uint8Array, callback: AsyncCallback) : void;
+ function finish(handle: Uint8Array, signature: Uint8Array, callback: AsyncCallback) : void;
+ function finish(handle: Uint8Array, signature?: Uint8Array) : Promise;
/**
* Abort operation for signing and verifying etc.
* @since 9
- * @syscap SystemCapability.Security.Huks
+ * @syscap SystemCapability.Security.CertificateManager
* @param handle Indicates the handle of the init operation.
* @permission ohos.permission.ACCESS_CERT_MANAGER
*/
- function abort(handle: number, callback: AsyncCallback) : void;
- function abort(handle: number) : Promise;
+ function abort(handle: Uint8Array, callback: AsyncCallback) : void;
+ function abort(handle: Uint8Array) : Promise;
export interface CMContext {
userId: string;
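Review bot: The `update` overloads now drop the `token` parameter, but the doc block above them still carries `* @param token Indicates the value of token.`, so the published comment documents a parameter that no longer exists; delete that line. In the same block, `@param handle Indicates the handle of the init operation.` no longer tells a reader that the parameter is now the `Uint8Array` bytes rather than the former number, so `* @param handle Indicates the handle returned by init (the bytes in CMHandle.handle).` would keep the three `handle` parameters of `update`, `finish` and `abort` consistent with the new `CMHandle` below. Removing `token` from `update`, `finish` and `CMHandle` also removes the only visible place an authentication token was carried through a sign/verify session; if user authentication is still enforced by the service, the `init` comment should say how the caller satisfies it now, and if it is not, that is a behaviour change worth stating in the description. The enclosing namespace continues past the end of this hunk.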
@@ -367,13 +365,12 @@ declare namespace certManager {
}
export interface CMResult {
- errorCode: number;
certList?: Array;
certInfo?: CertInfo;
credentialList?: Array;
credential?: Credential;
appUidList?: Array;
- authUri?: string;
+ uri?: string;
outData?: Uint8Array;
isAuth?: boolean;
}
@@ -389,17 +386,17 @@ declare namespace certManager {
authTimeout: string;
}
+ export enum CmKeyPurpose {
+ CM_KEY_PURPOSE_SIGN = 4,
+ CM_KEY_PURPOSE_VERIFY = 8,
+ }
+
export interface CMSignatureSpec {
- alg: string;
- padding: string;
- digest: string;
- authToken: Uint8Array;
+ purpose: CmKeyPurpose;
}
export interface CMHandle {
- errorCode: number;
- handle: number;
- token?: Uint8Array;
+ handle: Uint8Array;
}
export enum CMErrorCode {
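Review bot: The new `CmKeyPurpose` enum is the only exported declaration in this file without a doc block; every other export carries at least `@since` and `@syscap`, so add a short TSDoc block above it stating that it selects the operation `init` prepares the key for (sign or verify), with the same `@since 9` and `@syscap SystemCapability.Security.CertificateManager` tags. The values 4 and 8 look like bit-flag values mirroring the HUKS key-purpose constants; if that is intentional, a comment saying so prevents someone from renumbering them or expecting `SIGN | VERIFY` to be accepted. `CMSignatureSpec` now exposes only `purpose` where it previously took `alg`, `padding`, `digest` and `authToken`, so the caller can no longer state which algorithm, padding and digest are applied; the interface comment should say where those are now derived from (presumably the stored key properties) so integrators can verify they match the peer's expectations. The namespace continues past this hunk.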
@@ -411,4 +408,4 @@ declare namespace certManager {
}
}
-export default certManager;
+export default CertificateManager;