mirror of
https://gitee.com/openharmony/security_asset
synced 2024-11-23 07:49:41 +00:00
commit
c0b972d74e
69
README.md
Normal file
@ -0,0 +1,69 @@
|
||||
# ASSET
|
||||
|
||||
## Introduction
|
||||
|
||||
The asset store service (ASSET) provides secure storage and management of sensitive data less than 1024 bytes in size, including passwords, app tokens, and other critical data (such as bank card numbers).
|
||||
|
||||
The following figure shows the ASSET architecture.
|
||||
|
||||
![ASSET Architecture](figures/asset-architecture-en.png)
|
||||
|
||||
An application can perform the following operations using ASSET:
|
||||
|
||||
- Adding an asset: ASSET generates a unique key for the application, uses the key to encrypt the asset, and stores the encrypted asset in the database.
|
||||
- Updating an asset: ASSET encrypts the new asset using the unique key of the application and updates the data in the database.
|
||||
- Querying an asset: ASSET obtains the asset ciphertext from the database based on the query conditions specified, verifies the access permission of the application, uses the unique key of the application to decrypt the asset ciphertext, and returns the plaintext to the application.
|
||||
- Removing an asset: ASSET removes the asset that matches the specified conditions.
|
||||
|
||||
The secure storage of assets depends on the underlying HUKS. Specifically, HUKS implements the asset encryption, decryption, and access control in a secure environment (such as a TEE). The sensitive user data will never be disclosed even if the system is attacked.
|
||||
|
||||
For the scenarios demanding higher security, ASSET allows access to assets only after a successful user identity authentication. Before accessing assets that require identity access control, an application needs to launch a user prompt for user identity authentication (PIN, fingerprint, or facial authentication). After the application sends the user authentication result to ASSET, ASSET invokes HUKS to verify the authentication result. If the verification is successful, HUKS decrypts the asset in a secure environment and returns the plaintext.
|
||||
|
||||
With the APIs provided by ASSET, you can quickly integrate system-wide encrypted storage and access control mechanisms for short sensitive data.
|
||||
|
||||
## Directory Structure
|
||||
|
||||
```bash
|
||||
├── frameworks # Framework code
|
||||
│ ├── definition # Definitions of common data types
|
||||
│ ├── ipc # IPC APIs
|
||||
│ ├── js # Code for interaction between JS and C/C++
|
||||
│ ├── os_dependency # Adaptation of universal system capabilities
|
||||
│ └── utils # Utility APIs
|
||||
├── interfaces # APIs exposed externally
|
||||
│ ├── inner_api # APIs for system abilities (SAs)
|
||||
│ └── kits # APIs for user applications
|
||||
├── sa_profile # SA profiles
|
||||
└── services # Service layer code
|
||||
├── constants # Constants of the service layer
|
||||
├── core_service # Core service module
|
||||
├── crypto_manager # Data encryption/decryption module
|
||||
├── db_operator # Data management module
|
||||
└── os_dependency # System capability adaptation module
|
||||
```
|
||||
|
||||
## Build
|
||||
|
||||
The following uses rk3568 as an example.
|
||||
|
||||
```bash
|
||||
# Build the source code of the module.
|
||||
./build.sh --product-name rk3568 --ccache --build-target asset
|
||||
|
||||
# Build the test code of the module.
|
||||
./build.sh --product-name rk3568 --ccache --build-target asset_bin_test
|
||||
```
|
||||
|
||||
## Usage
|
||||
### Available APIs
|
||||
|
||||
[API reference](https://gitee.com/openharmony/docs/blob/master/en/application-dev/reference/apis-asset-store-kit/Readme-EN.md)
|
||||
|
||||
### Development Guide
|
||||
|
||||
[Development guide](https://gitee.com/openharmony/docs/blob/master/en/application-dev/security/AssetStoreKit/Readme-EN.md)
|
||||
|
||||
## Repositories Involved
|
||||
**[HUKS](https://gitee.com/openharmony/security_huks)**
|
||||
|
||||
**[UserIAM](https://gitee.com/openharmony/useriam_user_auth_framework)**
|
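Review bot: In the Introduction, the sentence "The sensitive user data will never be disclosed even if the system is attacked" is an absolute claim, yet the querying bullet above it says ASSET "returns the plaintext to the application", so plaintext leaves the secure environment on every successful query. Suggest scoping the sentence to what the text says HUKS does: the asset encryption, decryption and access control run inside the secure environment (such as a TEE), and the claim should be limited to that boundary. The user-authentication paragraph could also state how the authentication result that the application forwards to ASSET is bound to the request, or point to the development guide for it, since as written the application relays the result itself.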
18
README_zh.md
@ -11,8 +11,8 @@
|
||||
应用接入关键资产存储服务后,可以进行如下操作:
|
||||
|
||||
- 新增关键资产,ASSET 首先为应用生成独属于它的密钥,然后使用该密钥对关键资产进行加密,最后将关键资产密文存储到数据库。
|
||||
- 更新关键资产,ASSET 使用新增阶段生成的密钥,对新的关键资产进行加密,并覆盖数据库中的相应记录。
|
||||
- 查询关键资产,ASSET 首先根据应用指定的查询条件,从数据库中读取关键资产密文,然后校验应用的访问控制权限,验证通过后,使用新增阶段生成的密钥,对关键资产密文进行解密,最后将明文数据返回给应用。
|
||||
- 更新关键资产,ASSET 使用独属于该应用的密钥,对新的关键资产进行加密,并覆盖数据库中的相应记录。
|
||||
- 查询关键资产,ASSET 首先根据应用指定的查询条件,从数据库中读取关键资产密文,然后校验应用的访问控制权限,验证通过后,使用独属于该应用的密钥,对关键资产密文进行解密,最后将明文数据返回给应用。
|
||||
- 删除关键资产,ASSET 根据应用指定的删除条件,从数据库中查找并删除符合条件的关键资产记录。
|
||||
|
||||
关键资产的安全存储,依赖底层的通用密钥库系统。具体来说,关键资产的加/解密操作以及访问控制校验,都由通用密钥库系统在安全环境(如可信执行环境)中完成,即使系统被攻破,也能保证用户敏感数据不发生泄露。
|
||||
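Review bot: The add bullet still reads as if ASSET generates a key on every add ("ASSET 首先为应用生成独属于它的密钥"), while the reworded update and query bullets now refer to "独属于该应用的密钥" without saying where that key comes from. With "新增阶段生成的密钥" removed, nothing ties the key used for update and query back to the add step. Suggest stating in the add bullet when the key is created (for example, only when the application adds its first asset, if that is the behaviour) and using the same wording in the matching bullets of README.md.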
@ -46,20 +46,22 @@
|
||||
|
||||
以rk3568为例,编译命令如下:
|
||||
|
||||
```
|
||||
./build.sh --product-name rk3568 --build-target asset --ccache
|
||||
```bash
|
||||
# 本模块源码编译命令
|
||||
./build.sh --product-name rk3568 --ccache --build-target asset
|
||||
|
||||
# 本模块测试代码编译命令
|
||||
./build.sh --product-name rk3568 --ccache --build-target asset_bin_test
|
||||
```
|
||||
|
||||
## 说明
|
||||
### 接口说明
|
||||
|
||||
[JS API说明文档](./docs/reference/apis/js-apis-asset.md)
|
||||
|
||||
[C/C++ API说明文档](./docs/reference/native-apis/Readme-CN.md)
|
||||
[接口文档](https://gitee.com/openharmony/docs/blob/master/zh-cn/application-dev/reference/apis-asset-store-kit/Readme-CN.md)
|
||||
|
||||
### 使用说明
|
||||
|
||||
[开发指导](./docs/security/Readme-CN.md)
|
||||
[开发指导](https://gitee.com/openharmony/docs/blob/master/zh-cn/application-dev/security/AssetStoreKit/Readme-CN.md)
|
||||
|
||||
## 相关仓
|
||||
**[通用密钥库系统(HUKS)](https://gitee.com/openharmony/security_huks)**
|
||||
|
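Review bot: The new 接口文档 and 开发指导 links point at the `master` branch of openharmony/docs, so a reader on a release branch of this repository is sent to the documentation for master, and the links break if the docs tree is reorganised. Suggest stating which docs version applies or linking a release branch or tag. Separately, README.md in this commit lists both HUKS and UserIAM under "Repositories Involved", while only HUKS is visible under 相关仓 here; if the UserIAM entry is not already present below this hunk's context, add it so the two files agree.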
BIN
figures/asset-architecture-en.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 56 KiB |
Binary file not shown.
Before Width: | Height: | Size: 232 KiB After Width: | Height: | Size: 58 KiB |