鸿蒙开发：Universal Keystore Kit（密钥管理服务）【密钥派生(C/C++)】

密钥派生(C/C++)

以HKDF256密钥为例，完成密钥派生。具体的场景介绍及支持的算法规格，请参考[密钥生成支持的算法]。

在CMake脚本中链接相关动态库

   target_link_libraries(entry PUBLIC libhuks_ndk.z.so)

开发步骤

生成密钥

1. 指定密钥别名。

2. 初始化密钥属性集，可指定参数，OH_HUKS_TAG_DERIVED_AGREED_KEY_STORAGE_FLAG（可选），用于标识基于该密钥派生出的密钥是否由HUKS管理。

   • 当TAG设置为OH_HUKS_STORAGE_ONLY_USED_IN_HUKS时，表示基于该密钥派生出的密钥，由HUKS管理，可保证派生密钥全生命周期不出安全环境。
   • 当TAG设置为OH_HUKS_STORAGE_KEY_EXPORT_ALLOWED时，表示基于该密钥派生出的密钥，返回给调用方管理，由业务自行保证密钥安全。
   • 若业务未设置TAG的具体值，表示基于该密钥派生出的密钥，即可由HUKS管理，也可返回给调用方管理，业务可在后续派生时再选择使用何种方式保护密钥。

3. 调用OH_Huks_GenerateKeyItem生成密钥，具体请参考[密钥生成]。

4. 开发前请熟悉鸿蒙开发指导文档：gitee.com/li-shizhen-skin/harmony-os/blob/master/README.md点击或者复制转到。

除此之外，开发者也可以参考[密钥导入]，导入已有的密钥。

密钥派生

1. 获取密钥别名、指定对应的属性参数HuksOptions。

   可指定参数OH_HUKS_TAG_DERIVED_AGREED_KEY_STORAGE_FLAG（可选），用于标识派生得到的密钥是否由HUKS管理。

   生成	派生	规格
   OH_HUKS_STORAGE_ONLY_USED_IN_HUKS	OH_HUKS_STORAGE_ONLY_USED_IN_HUKS	密钥由HUKS管理
   OH_HUKS_STORAGE_KEY_EXPORT_ALLOWED	OH_HUKS_STORAGE_KEY_EXPORT_ALLOWED	密钥返回给调用方管理
   未指定TAG具体值	OH_HUKS_STORAGE_ONLY_USED_IN_HUKS	密钥由HUKS管理
   未指定TAG具体值	OH_HUKS_STORAGE_KEY_EXPORT_ALLOWED	密钥返回给调用方管理
   未指定TAG具体值	未指定TAG具体值	密钥返回给调用方管理

   注：派生时指定的TAG值，不可与生成时指定的TAG值冲突。表格中仅列举有效的指定方式。

2. 调用[OH_Huks_InitSession]初始化密钥会话，并获取会话的句柄handle。

3. 调用[OH_Huks_UpdateSession]更新密钥会话。

4. 调用[OH_Huks_FinishSession]结束密钥会话，完成派生。

删除密钥

当密钥废弃不用时，需要调用OH_Huks_DeleteKeyItem删除密钥。

#include "huks/native_huks_api.h"
#include "huks/native_huks_param.h"
#include <string.h>
OH_Huks_Result InitParamSet(struct OH_Huks_ParamSet **paramSet,const struct OH_Huks_Param *params,uint32_t paramCount)
{OH_Huks_Result ret = OH_Huks_InitParamSet(paramSet);if (ret.errorCode != OH_HUKS_SUCCESS) {return ret;}ret = OH_Huks_AddParams(*paramSet, params, paramCount);if (ret.errorCode != OH_HUKS_SUCCESS) {OH_Huks_FreeParamSet(paramSet);return ret;}ret = OH_Huks_BuildParamSet(paramSet);if (ret.errorCode != OH_HUKS_SUCCESS) {OH_Huks_FreeParamSet(paramSet);return ret;}return ret;
}
static const uint32_t DERIVE_KEY_SIZE_32 = 32;
static struct OH_Huks_Blob g_deriveKeyAlias = {(uint32_t)strlen("test_derive"),(uint8_t *)"test_derive"
};
static struct OH_Huks_Param g_genDeriveParams[] = {{.tag =  OH_HUKS_TAG_ALGORITHM,.uint32Param = OH_HUKS_ALG_AES}, {.tag =  OH_HUKS_TAG_PURPOSE,.uint32Param = OH_HUKS_KEY_PURPOSE_DERIVE}, {.tag =  OH_HUKS_TAG_DIGEST,.uint32Param = OH_HUKS_DIGEST_SHA256}, {.tag =  OH_HUKS_TAG_KEY_SIZE,.uint32Param = OH_HUKS_AES_KEY_SIZE_256}
};
static struct OH_Huks_Param g_hkdfParams[] = {{.tag =  OH_HUKS_TAG_ALGORITHM,.uint32Param = OH_HUKS_ALG_HKDF}, {.tag =  OH_HUKS_TAG_PURPOSE,.uint32Param = OH_HUKS_KEY_PURPOSE_DERIVE}, {.tag =  OH_HUKS_TAG_DIGEST,.uint32Param = OH_HUKS_DIGEST_SHA256}, {.tag =  OH_HUKS_TAG_DERIVE_KEY_SIZE,.uint32Param = DERIVE_KEY_SIZE_32}
};
static struct OH_Huks_Param g_hkdfFinishParams[] = {{.tag =  OH_HUKS_TAG_DERIVED_AGREED_KEY_STORAGE_FLAG,.uint32Param = OH_HUKS_STORAGE_ONLY_USED_IN_HUKS}, {.tag =  OH_HUKS_TAG_KEY_ALIAS,.blob = g_deriveKeyAlias}, {.tag =  OH_HUKS_TAG_ALGORITHM,.uint32Param = OH_HUKS_ALG_HKDF}, {.tag =  OH_HUKS_TAG_KEY_SIZE,.uint32Param = DERIVE_KEY_SIZE_32}, {.tag =  OH_HUKS_TAG_PURPOSE,.uint32Param = OH_HUKS_KEY_PURPOSE_DERIVE}, {.tag =  OH_HUKS_TAG_DIGEST,.uint32Param = OH_HUKS_DIGEST_SHA256}
};
static const uint32_t COMMON_SIZE = 2048;
static const char *g_deriveInData = "Hks_HKDF_Derive_Test_00000000000000000000000000000000000000000000000000000000000""00000000000000000000000000000000000000000000000000000000000000000000000000000000""0000000000000000000000000000000000000000000000000000000000000000000000000_string";
static napi_value DeriveKey(napi_env env, napi_callback_info info)
{struct OH_Huks_Blob genAlias = {(uint32_t)strlen("test_signVerify"),(uint8_t *)"test_signVerify"};struct OH_Huks_Blob inData = {(uint32_t)strlen(g_deriveInData),(uint8_t *)g_deriveInData};struct OH_Huks_ParamSet *genParamSet = nullptr;struct OH_Huks_ParamSet *hkdfParamSet = nullptr;struct OH_Huks_ParamSet *hkdfFinishParamSet = nullptr;OH_Huks_Result ohResult;do {ohResult = InitParamSet(&genParamSet, g_genDeriveParams, sizeof(g_genDeriveParams) / sizeof(OH_Huks_Param));if (ohResult.errorCode != OH_HUKS_SUCCESS) {break;}ohResult = InitParamSet(&hkdfParamSet, g_hkdfParams, sizeof(g_hkdfParams) / sizeof(OH_Huks_Param));if (ohResult.errorCode != OH_HUKS_SUCCESS) {break;}// finish paramsetohResult = InitParamSet(&hkdfFinishParamSet, g_hkdfFinishParams, sizeof(g_hkdfFinishParams) / sizeof(OH_Huks_Param));if (ohResult.errorCode != OH_HUKS_SUCCESS) {break;}/* 1. Generate Key */ohResult = OH_Huks_GenerateKeyItem(&genAlias, genParamSet, nullptr);if (ohResult.errorCode != OH_HUKS_SUCCESS) {break;}/* 2. Derive */// Inituint8_t handleD[sizeof(uint64_t)] = {0};struct OH_Huks_Blob handleDerive = { sizeof(uint64_t), handleD };ohResult = OH_Huks_InitSession(&genAlias, hkdfParamSet, &handleDerive, nullptr);if (ohResult.errorCode != OH_HUKS_SUCCESS) {break;}// Updateuint8_t tmpOut[COMMON_SIZE] = {0};struct OH_Huks_Blob outData = { COMMON_SIZE, tmpOut };ohResult = OH_Huks_UpdateSession(&handleDerive, hkdfParamSet, &inData, &outData);if (ohResult.errorCode != OH_HUKS_SUCCESS) {break;}// Finishuint8_t outDataD[COMMON_SIZE] = {0};struct OH_Huks_Blob outDataDerive = { COMMON_SIZE, outDataD };ohResult = OH_Huks_FinishSession(&handleDerive, hkdfFinishParamSet, &inData, &outDataDerive);} while (0);(void)OH_Huks_DeleteKeyItem(&genAlias, nullptr);(void)OH_Huks_DeleteKeyItem(&g_deriveKeyAlias, nullptr);OH_Huks_FreeParamSet(&genParamSet);OH_Huks_FreeParamSet(&hkdfParamSet);OH_Huks_FreeParamSet(&hkdfFinishParamSet);napi_value ret;napi_create_int32(env, ohResult.errorCode, &ret);return ret;
}
```+