Using the Prebuilt CA Certificate to Validate a Certificate Chain
Since API version 20, you can use the prebuilt CA certificate to validate a certificate chain.
To do so, you need to create a certificate chain object first.
How to Develop
- Import the cert module.
import { cert } from '@kit.DeviceCertificateKit';
- Use cert.createX509CertChain to create an X.509 certificate chain (X509CertChain) object and return the result.
- Call x509CertChain.validate with trustSystemCa set to true so that the prebuilt CA certificate is used to validate the certificate chain, and return the result.
import { cert } from '@kit.DeviceCertificateKit';
import { BusinessError } from '@kit.BasicServicesKit';
import { util } from '@kit.ArkTS';
// ...
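/**
 * Creates an X.509 certificate chain from service-supplied data and validates it
 * with the prebuilt CA certificate enabled (trustSystemCa: true).
 *
 * The outcome is only written to the log; nothing is returned to the caller.
 * If the chain object cannot be created, the function stops there, so validation
 * is never attempted on the empty placeholder object.
 */
async function sample() {
  let textEncoder = new util.TextEncoder();
  // Binary data of the certificate chain, which needs to be assigned by the service.
  // certChainData is expected to be defined by the surrounding code (not shown in this sample).
  const encodingBlob: cert.EncodingBlob = {
    data: textEncoder.encodeInto(certChainData),
    // Assign a value based on the encodingData format. FORMAT_PEM, FORMAT_DER, and FORMAT_PKCS7 are supported.
    encodingFormat: cert.EncodingFormat.FORMAT_PEM
  };

  // Placeholder only; it is replaced by the real chain object below or never used.
  let x509CertChain: cert.X509CertChain = {} as cert.X509CertChain;
  try {
    x509CertChain = await cert.createX509CertChain(encodingBlob);
  } catch (err) {
    let e: BusinessError = err as BusinessError;
    console.error(`createX509CertChain failed, errCode: ${e.code}, errMsg: ${e.message}`);
    // Stop here: without a chain object there is nothing to validate. Continuing
    // would call validate on the placeholder and log a second, misleading error.
    return;
  }

  // Certificate chain verification data, which needs to be assigned by the service.
  const param: cert.CertChainValidationParameters = {
    // Point in time at which validity is checked. This is a fixed sample value;
    // a caller that keeps a stale timestamp here may accept a chain that has
    // since expired, so set it to the time the decision must hold for.
    date: '20250623163000Z',
    // Empty placeholder entry as given in this sample. NOTE(review): confirm against
    // the API reference whether service-specific anchors should be supplied here.
    trustAnchors: [{}],
    // Use the prebuilt CA certificate as the trust source for this validation.
    trustSystemCa: true,
  };

  try {
    // A failed validation rejects and is handled in the catch below, so reaching
    // the log line means the chain validated. The resolved result is not inspected.
    await x509CertChain.validate(param);
    console.info('X509CertChain validate result: success.');
  } catch (err) {
    let e: BusinessError = err as BusinessError;
    // Treat any rejection as "chain not trusted"; do not proceed to use the certificates.
    console.error(`X509CertChain validate failed, errCode: ${e.code}, errMsg: ${e.message}`);
  }
}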