mirror of
https://gitee.com/openharmony/security_device_security_level
synced 2024-11-27 17:01:05 +00:00
fix: docs opt
Signed-off-by: zhirenx <xuzhiren@huawei.com>
Change-Id: I58cf21a2145fab0fd6b49f7d2784ae7f29cb422e
parent
1aa52d3a42
commit
93ee2e0668
16
README_ZH.md
@ -14,7 +14,7 @@
|
|||||||
|
|
||||||
OpenHarmony的分布式技术可以实现不同设备的资源融合,将多个设备虚拟成一个“超级虚拟终端”。在这个“超级虚拟终端”的内部,处理、流转各类用户数据时,需要确保各个节点不因安全能力薄弱,成为整个“超级虚拟终端”的薄弱点,因此引入设备安全等级管理模块来解决这类问题。
|
OpenHarmony的分布式技术可以实现不同设备的资源融合,将多个设备虚拟成一个“超级虚拟终端”。在这个“超级虚拟终端”的内部,处理、流转各类用户数据时,需要确保各个节点不因安全能力薄弱,成为整个“超级虚拟终端”的薄弱点,因此引入设备安全等级管理模块来解决这类问题。
|
||||||
|
|
||||||
OpenHarmony系统安全能力,根植于硬件实现的三个可信根:启动、存储、计算,以基础安全工程能力为依托,重点围绕设备完整性保护、数据机密性保护、漏洞攻防对抗构建相关的安全技术和能力。
|
OpenHarmony设备的安全等级取决于设备的系统安全能力。OpenHarmony系统安全能力,根植于硬件实现的三个可信根:启动、存储、计算。基于基础安全工程能力,重点围绕以下三点构建相关的安全技术和能力:设备完整性保护、数据机密性保护、漏洞攻防对抗。
|
||||||
|
|
||||||
OpenHarmony系统安全架构如下图所示:
|
OpenHarmony系统安全架构如下图所示:
|
||||||
|
|
||||||
@ -57,7 +57,7 @@ OpenHarmony系统安全架构如下图所示:
|
|||||||
## 约束
|
## 约束
|
||||||
|
|
||||||
- 开发语言:C/C++
|
- 开发语言:C/C++
|
||||||
- OpenHarmony设备的默认安全等级为SL1,设备制造商可以根据设备实际情况定制更高的安全等级。
|
- OpenHarmony设备的默认安全等级为SL1,设备制造商可以根据设备实际情况[定制](https://gitee.com/openharmony/docs/tree/master/zh-cn/device-dev/subsystems/subsys-security-devicesecuritylevel.md#%E8%AE%BE%E5%A4%87%E5%AE%89%E5%85%A8%E7%AD%89%E7%BA%A7%E5%AE%9A%E5%88%B6)更高的安全等级。
|
||||||
|
|
||||||
## 说明
|
## 说明
|
||||||
|
|
||||||
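Review bot: the link added on the SL1 default-level line reaches a `.md` file through a `/tree/master/` path plus a percent-encoded heading anchor, so it follows a moving branch and fails silently if the target heading is ever renamed. Please confirm the URL resolves to the 设备安全等级定制 section, and consider a relative or version-pinned link instead. Because docs/cred.md is removed in this same commit, this link looks like the only remaining pointer to the customization procedure.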
@ -67,10 +67,10 @@ OpenHarmony系统安全架构如下图所示:
|
|||||||
|
|
||||||
| 接口名 | 说明 |
|
| 接口名 | 说明 |
|
||||||
| ----------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- |
|
| ----------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- |
|
||||||
| int32_t RequestDeviceSecurityInfo(const DeviceIdentify *identify, const RequestOption *option, DeviceSecurityInfo **info); | 请求获取某设备的设备安全等级信息(同步接口) |
|
| int32_t RequestDeviceSecurityInfo(const DeviceIdentify \*identify, const RequestOption \*option, DeviceSecurityInfo **info); | 请求获取某设备的设备安全等级信息(同步接口) |
|
||||||
| int32_t RequestDeviceSecurityInfoAsync(const DeviceIdentify *identify, const RequestOption *option, DeviceSecurityInfoCallback callback); | 请求获取某设备的设备安全等级信息(异步接口) |
|
| int32_t RequestDeviceSecurityInfoAsync(const DeviceIdentify \*identify, const RequestOption \*option, DeviceSecurityInfoCallback callback); | 请求获取某设备的设备安全等级信息(异步接口) |
|
||||||
| void FreeDeviceSecurityInfo(DeviceSecurityInfo *info); | 释放设备安全等级信息 |
|
| void FreeDeviceSecurityInfo(DeviceSecurityInfo \*info); | 释放设备安全等级信息 |
|
||||||
| int32_t GetDeviceSecurityLevelValue(const DeviceSecurityInfo *info, int32_t *level); | 从设备安全等级信息中提取对应的设备安全等级 |
|
| int32_t GetDeviceSecurityLevelValue(const DeviceSecurityInfo \*info, int32_t \*level); | 从设备安全等级信息中提取对应的设备安全等级 |
|
||||||
|
|
||||||
### 使用说明
|
### 使用说明
|
||||||
|
|
||||||
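Review bot: in the RequestDeviceSecurityInfo row the single pointers are now escaped (`\*identify`, `\*option`) but `DeviceSecurityInfo **info` is left unescaped, so the escaping is inconsistent within that row and the `**` can still be taken as emphasis markup by some renderers. Escape it as `\*\*info`, or wrap each signature in backticks so that none of the four rows needs escaping.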
@ -87,8 +87,8 @@ OpenHarmony系统安全架构如下图所示:
|
|||||||
2. 头文件依赖添加
|
2. 头文件依赖添加
|
||||||
|
|
||||||
```cpp
|
```cpp
|
||||||
#include "device_security_defines.h"
|
#include "device_security_defines.h" // 关键数据结构定义头文件
|
||||||
#include "device_security_info.h"
|
#include "device_security_info.h" // 接口函数定义头文件
|
||||||
```
|
```
|
||||||
|
|
||||||
- 接口使用示例
|
- 接口使用示例
|
||||||
|
140
docs/cred.md
@ -1,140 +0,0 @@
|
|||||||
凭据为4段BASE64编码的字符串,中间用"."链接,示例如下:
|
|
||||||
|
|
||||||
`<base64-head>`.`<base64-payload>`.`<base64-signature>`.`<base64-attestation>`
|
|
||||||
|
|
||||||
|
|
||||||
构造方案如下:
|
|
||||||
|
|
||||||
##### 1. 构造header
|
|
||||||
|
|
||||||
当前header为固定json字符串,如下
|
|
||||||
|
|
||||||
``` json
|
|
||||||
{
|
|
||||||
"typ": "DSL",
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
将header进行BASE64编码,得到`<base64-head>`:
|
|
||||||
|
|
||||||
`ewogICAgInR5cCI6ICJEU0wiLAp9`
|
|
||||||
|
|
||||||
##### 2. 构造payload
|
|
||||||
|
|
||||||
根据设备实际情况构造payload的json字符串,示例如下:
|
|
||||||
``` json
|
|
||||||
{
|
|
||||||
"version":"1.0",
|
|
||||||
"type":"release",
|
|
||||||
"signTime":"20210831214343",
|
|
||||||
"udid":"0070976B63B834FC65E7BBE648155C6D9DD..",
|
|
||||||
"manufacture":"OHOS",
|
|
||||||
"model":"NOH-AL00",
|
|
||||||
"brand":"PHONE",
|
|
||||||
"securityLevel":"SL1",
|
|
||||||
"softwareVersion":"2.0.0.165"
|
|
||||||
}
|
|
||||||
```
|
|
||||||
将payload进行BASE64编码,得到`<base64-payload>`:
|
|
||||||
|
|
||||||
`ewkJCQkJCQoJInZlcnNpb24iOiIxLjAiLAkJCQkKCSJ0eXBlIjoicmVsZWFzZSIsCQkKCSJzaWduVEltZSI6IjIwMjEwODMxMjE0MzQzIiwKCSJ1ZGlkIjoiMDA3MDk3NkI2M0I4MzRGQzY1RTdCQkU2NDgxNTVDNkQ5REQuLiIsCgkibWFudWZhY3R1cmUiOiJIVUFXRUkiLAoJIm1vZGVsIjoiTk9ILUFMMDAiLAoJImJyYW5kIjoiSFVBV0VJIiwKCSJzZWN1cml0eUxldmVsIjoiU0wxIiwKCSJzb2Z0d2FyZVZlcnNpb24iOiIyLjAuMC4xNjUiCn0=`
|
|
||||||
|
|
||||||
##### 3. 构造signature
|
|
||||||
|
|
||||||
###### 3.1 构建待签名的原始数据
|
|
||||||
|
|
||||||
将BASE64编码后的header和payload合并,中间用符号"."连接,得到`<base64-head>`.`<base64-payload>`
|
|
||||||
|
|
||||||
示例如下:
|
|
||||||
|
|
||||||
`ewogICAgInR5cCI6ICJEU0wiLAp9`.`ewkJCQkJCQoJInZlcnNpb24iOiIxLjAiLAkJCQkKCSJ0eXBlIjoicmVsZWFzZSIsCQkKCSJzaWduVEltZSI6IjIwMjEwODMxMjE0MzQzIiwKCSJ1ZGlkIjoiMDA3MDk3NkI2M0I4MzRGQzY1RTdCQkU2NDgxNTVDNkQ5REQuLiIsCgkibWFudWZhY3R1cmUiOiJIVUFXRUkiLAoJIm1vZGVsIjoiTk9ILUFMMDAiLAoJImJyYW5kIjoiSFVBV0VJIiwKCSJzZWN1cml0eUxldmVsIjoiU0wxIiwKCSJzb2Z0d2FyZVZlcnNpb24iOiIyLjAuMC4xNjUiCn0=`
|
|
||||||
|
|
||||||
###### 3.2 生成签名私钥
|
|
||||||
|
|
||||||
**本流程需要在安全可靠的环境中执行,以确保用于签名的密钥不被泄露**
|
|
||||||
|
|
||||||
使用ECC签名算法对原始数据进行签名,生成签名用ECDSA密钥对:`<ecc-l3-pk>`和`<ecc-l3-sk>`
|
|
||||||
|
|
||||||
###### 3.3 对原始数据进行签名
|
|
||||||
|
|
||||||
将`<base64-head>`.`<base64-payload>`作为参数,使用刚刚生成的ECC私钥`<ecc-l3-sk>`对其进行签名,并对签名结果进行BASE64编码,得到返回值`<base64-signature>`
|
|
||||||
|
|
||||||
示例如下:
|
|
||||||
|
|
||||||
`e+PKCRQB1RDzOZz9hipnxe32lgufLRTDml1mt3vLNvmS3hgRgstK86ucRjJXIOfdJYi459hg82be61i6p3DkWg==`
|
|
||||||
|
|
||||||
##### 4. 构造attestation info
|
|
||||||
|
|
||||||
**本流程需要在安全可靠的环境中执行,以确保用于签名的密钥不被泄露**
|
|
||||||
|
|
||||||
**attestation info涉及到的各密钥对不需要每次都重复生成,在确保密钥安全的前提下,后续可以直接复用。**
|
|
||||||
|
|
||||||
###### 4.1 生成三级签名验证信息
|
|
||||||
|
|
||||||
1. 首先生成二级签名用ECDSA密钥对:`<ecc-l2-pk>`和`<ecc-l2-sk>`
|
|
||||||
|
|
||||||
2. 使用`<ecc-l2-sk>` 对3.2章节生成的`<ecc-l3-pk>`进行签名,得到`<ecc-l3-pk-signature>`
|
|
||||||
|
|
||||||
3. 将`<ecc-l3-pk>`和`<ecc-l3-pk-signature>`组合成json字符串示例如下:
|
|
||||||
|
|
||||||
``` json
|
|
||||||
{
|
|
||||||
"userPublicKey": "<ecc-l3-pk>",
|
|
||||||
"signature": "<ecc-l3-pk-signature>"
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
###### 4.2 生成二级签名验证信息
|
|
||||||
|
|
||||||
1. 生成一级签名用ECDSA密钥对:`<ecc-root-pk>`和`<ecc-root-sk>`
|
|
||||||
2. 使用`<ecc-root-sk>` 对4.1章节生成的`<ecc-l2-pk>`进行签名,得到`<ecc-l2-pk-signature>`
|
|
||||||
3. 将`<ecc-l3-pk>`和`<ecc-l3-pk-signature>`组合成json字符串示例如下:
|
|
||||||
``` json
|
|
||||||
{
|
|
||||||
"userPublicKey": "<ecc-l2-pk>",
|
|
||||||
"signature": "<ecc-l2-pk-signature>"
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
###### 4.3 生成根签名验证信息
|
|
||||||
|
|
||||||
1. 使用`<ecc-root-sk>` 对4.2章节生成的`<ecc-root-pk>`进行签名(即自签名),得到`<ecc-root-pk-self-signature>`
|
|
||||||
2. 将`<ecc-root-pk>`和`<ecc-root-pk-self-signature>`组合成json字符串示例如下:
|
|
||||||
``` json
|
|
||||||
{
|
|
||||||
"userPublicKey": "<ecc-root-pk>",
|
|
||||||
"signature": "<ecc-root-pk-self-signature>"
|
|
||||||
}
|
|
||||||
```
|
|
||||||
###### 4.4 生成合并上述的签名验证信息
|
|
||||||
1. 将上述三组签名信息合并到一个json数组中:
|
|
||||||
```json
|
|
||||||
[
|
|
||||||
{
|
|
||||||
"userPublicKey": "<ecc-l3-pk>",
|
|
||||||
"signature": "<ecc-l3-pk-signature>"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"userPublicKey": "<ecc-l2-pk>",
|
|
||||||
"signature": "<ecc-l2-pk-signature>"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"userPublicKey": "<ecc-root-pk>",
|
|
||||||
"signature": "<ecc-root-pk-self-signature>"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
```
|
|
||||||
2.对该数据进行base64编码,得到`<base64-attestation>`
|
|
||||||
|
|
||||||
|
|
||||||
示例如下:
|
|
||||||
`W3sidXNlclB1YmxpY0tleSI6Ik1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRWFnOFZIMzN4OUpDOTYwSWsxejNKNmo1cnk0OVJENGt0TTBvQUZGenhiNHdOdS1OckZSbm5XbnZmR3hGTW16VFBMLWYxY1NqWGd2UV9NdU9aenVpclNnIiwiYWxnb3JpdGhtIjoiU0hBMzg0d2l0aEVDRFNBIiwic2lnbmF0dXJlIjoiTUdVQ01DakdwWEZPNlRjb2NtWFdMdHU1SXQ0LVRJNzFoNzhLdDYyYjZ6Mm9tcnNVWElHcnFsMTZXT0ExV2ZfdDdGSU1RZ0l4QVBHMlV5T2d0dk1pbi1hbVR6Wi1DN2ZyMWttVl9jODc4ckFnZVlrUGFxWWdPWWpiSGN0QnFzMkJCV05LMGsxTnJRIn0seyJ1c2VyUHVibGljS2V5IjoiTUhZd0VBWUhLb1pJemowQ0FRWUZLNEVFQUNJRFlnQUVvM0N1Q0VMQzdTaUxhSkNCQ0RkY0NwZXRnSUdraFpMc0ZfYTBkZFUxQ1I3dzU0emppc0NYWkdfdXk2ZGtGZWZrZTNVMW9CaWw0eGk1OU5xeVpOZ1FQbEFISVVHeWtRcVl4cHg1WjBqQUJCSnlBSlVscHRxM0p1Wk5UQTdIOVVLNyIsImFsZ29yaXRobSI6IlNIQTM4NHdpdGhFQ0RTQSIsInNpZ25hdHVyZSI6Ik1HVUNNQ1ZXUWIxdXFLb1E5SUFMaWJiWUlUX1NWSENXem84akcwRG1WNGt6Q0JNQ3pRQU0xZEFaSERGWFdidGUyY0FfWXdJeEFJSXVmaXJHbnN3NlBEV0txRm1mQmQ5Y3BubEFyLXVXV0RqZ2xuenoyRmx2LXNkaVhYRnR3amo3Y1hUTF9FNmJRUSJ9LHsidXNlclB1YmxpY0tleSI6Ik1IWXdFQVlIS29aSXpqMENBUVlGSzRFRUFDSURZZ0FFU09kcnY3eXhEaFoxWmRUdDB3QUxCMnhYc0ZsUGV2TkQ0b1lfWE44QWtFTVllWVVyTXBkX1hTQTdlTHo5eVJaa08yX3RoSEx4bUpURGZrOUJFeTlTa0xxUF9xOGZJdzBhSXNBMHI0SlN0djh4YVo0RWxVTGxPV2QxXzF4YV9fdnIiLCJhbGdvcml0aG0iOiJTSEEzODR3aXRoRUNEU0EiLCJzaWduYXR1cmUiOiJNR1FDTURmODNSNktLdm9tZnZyZVYycHhVSEpXb3RwM3BVOUdBWU5tcU1XUmVGcGp6WHpOVjc5dHNrZTBaa21JTVh3TXNBSXdXNUFiOWk4SnlObEp0WDJZcnpaYzJna3RranZ0U2JiSnYwaWhuUmdxMWNjUHBrVDJOc3F4ekJrZkRqOGhQWllzIn1d`
|
|
||||||
|
|
||||||
##### 5. 构造完整的凭据
|
|
||||||
|
|
||||||
用符号"."连接上述 `<base64-head>`.`<base64-payload>`.`<SIGNATURE>`.`<ATTESTATIONINFO>`
|
|
||||||
|
|
||||||
最终结果示例如下:
|
|
||||||
|
|
||||||
`ewogICAgInR5cCI6ICJEU0wiLAp9`.`ewkJCQkJCQoJInZlcnNpb24iOiIxLjAiLAkJCQkKCSJ0eXBlIjoicmVsZWFzZSIsCQkKCSJzaWduVEltZSI6IjIwMjEwODMxMjE0MzQzIiwKCSJ1ZGlkIjoiMDA3MDk3NkI2M0I4MzRGQzY1RTdCQkU2NDgxNTVDNkQ5REQuLiIsCgkibWFudWZhY3R1cmUiOiJIVUFXRUkiLAoJIm1vZGVsIjoiTk9ILUFMMDAiLAoJImJyYW5kIjoiSFVBV0VJIiwKCSJzZWN1cml0eUxldmVsIjoiU0wxIiwKCSJzb2Z0d2FyZVZlcnNpb24iOiIyLjAuMC4xNjUiCn0=`.`e+PKCRQB1RDzOZz9hipnxe32lgufLRTDml1mt3vLNvmS3hgRgstK86ucRjJXIOfdJYi459hg82be61i6p3DkWg==`.`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`
|
|
||||||
|
|
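Review bot: the commit message ("fix: docs opt") does not mention that docs/cred.md is deleted in full, and nothing in this hunk says where the description of the four-part credential (`<base64-head>`.`<base64-payload>`.`<base64-signature>`.`<base64-attestation>`) and its three-level ECDSA attestation chain now lives. Please name the replacement location in the commit message, and check that it keeps the two warnings that key generation and signing must run in a secure, trusted environment (sections 3.2 and 4), since those are the security-relevant part of the procedure.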