Specifying the User for Key Operations (for System Applications Only)
To implement isolation and access control for key data, HUKS provides APIs with the user ID specified for concurrent key operations initiated by multiple users.
NOTE
The mini-system devices do not support the operation described in this topic.
Constraints
- The range of the caller user ID is 0 to 99, including 0 and 99.
- The APIs are available only for system applications.
Available APIs
APIs with the userId parameter are provided as enhancement to existing APIs.
When using these APIs, observe the following:
-
The user can also include the HUKS_TAG_AUTH_STORAGE_LEVEL tag in the options parameter to specify the DE, CE, or ECE zone of the specified user.
-
If no HUKS_TAG_AUTH_STORAGE_LEVEL tag is passed through the options parameter, the key in the CE storage area with the specified userId is used by default. That is, if the HUKS_TAG_AUTH_STORAGE_LEVEL parameter is not passed, it is equivalent to passing this parameter with the value HUKS_AUTH_STORAGE_LEVEL_CE.
The algorithm specifications and the usage of the APIs are the same as those of the APIs without userId.
| API with userId | Description | API Without userId |
|---|---|---|
| generateKeyItemAsUser | Generates a key. | generateKeyItem |
| deleteKeyItemAsUser | Deletes a key. | deleteKeyItem |
| importKeyItemAsUser | Imports a key in plaintext. | importKeyItem |
| importWrappedKeyItemAsUser | Imports keys in secure mode. | importWrappedKeyItem |
| exportKeyItemAsUser | Exports a key. | exportKeyItem |
| getKeyItemPropertiesAsUser | Obtains key properties. | getKeyItemProperties |
| hasKeyItemAsUser | Checks whether a key exists. | hasKeyItem |
| initSessionAsUser | Initializes a key session. | initSession in encryption and decryption, signing and signature verification, key agreement, and key derivation |
| attestKeyItemAsUser | Performs non-anonymous key attestation. | attestKeyItem |
| anonAttestKeyItemAsUser | Performs anonymous key attestation. | anonAttestKeyItem |