1e41f4b71Sopenharmony_ci# Security Subsystem - Key Management Service Changelog 2e41f4b71Sopenharmony_ci 3e41f4b71Sopenharmony_ci## cl.security.1 Permission Change on the Key Attestation APIs 4e41f4b71Sopenharmony_ci 5e41f4b71Sopenharmony_ci**Access Level** 6e41f4b71Sopenharmony_ci 7e41f4b71Sopenharmony_ciPublic API 8e41f4b71Sopenharmony_ci 9e41f4b71Sopenharmony_ci**Reason for Change** 10e41f4b71Sopenharmony_ci 11e41f4b71Sopenharmony_ciThe public key of the end-entity certificate (device certificate) in the certificate chain obtained by using the key attestation API can be used as the unique identifier of a device, which imposes privacy leakage risks. For security purposes, a permission is required for calling these APIs. 12e41f4b71Sopenharmony_ci 13e41f4b71Sopenharmony_ci**Change Impact** 14e41f4b71Sopenharmony_ci 15e41f4b71Sopenharmony_ciThis change is a non-compatible change. Adaptation is required. 16e41f4b71Sopenharmony_ci 17e41f4b71Sopenharmony_ci**API level** 18e41f4b71Sopenharmony_ci 19e41f4b71Sopenharmony_ci9 20e41f4b71Sopenharmony_ci 21e41f4b71Sopenharmony_ci**Change Since** 22e41f4b71Sopenharmony_ci 23e41f4b71Sopenharmony_ciOpenHarmony SDK 4.1.5.3 24e41f4b71Sopenharmony_ci 25e41f4b71Sopenharmony_ci**Key API/Component Changes** 26e41f4b71Sopenharmony_ci 27e41f4b71Sopenharmony_ci| Involved APIs| Before the Change| After the Change| 28e41f4b71Sopenharmony_ci| ------- | ----- | ------ | 29e41f4b71Sopenharmony_ci| attestKeyItem(keyAlias: string, options: HuksOptions, callback: AsyncCallback<HuksReturnResult>) : void | No permission is required. | The ohos.permission.ATTEST_KEY permission is required.| 30e41f4b71Sopenharmony_ci| attestKeyItem(keyAlias: string, options: HuksOptions) : Promise<HuksReturnResult> | No permission is required. | The ohos.permission.ATTEST_KEY permission is required.| 31e41f4b71Sopenharmony_ci| struct OH_Huks_Result OH_Huks_AttestKeyItem(const struct OH_Huks_Blob *keyAlias, const struct OH_Huks_ParamSet *paramSet, struct OH_Huks_CertChain *certChain) | No permission is required. | The ohos.permission.ATTEST_KEY permission is required.| 32e41f4b71Sopenharmony_ci 33e41f4b71Sopenharmony_ci**Adaptation Guide** 34e41f4b71Sopenharmony_ci 35e41f4b71Sopenharmony_ciMethod 1: Use the following APIs for key attestation. 36e41f4b71Sopenharmony_ci| API| 37e41f4b71Sopenharmony_ci| ------- | 38e41f4b71Sopenharmony_ci| anonAttestKeyItem(keyAlias: string, options: HuksOptions, callback: AsyncCallback<HuksReturnResult>): void; | 39e41f4b71Sopenharmony_ci| anonAttestKeyItem(keyAlias: string, options: HuksOptions): Promise<HuksReturnResult> | 40e41f4b71Sopenharmony_ci| struct OH_Huks_Result OH_Huks_AnonAttestKeyItem(const struct OH_Huks_Blob *keyAlias, const struct OH_Huks_ParamSet *paramSet, struct OH_Huks_CertChain *certChain) | 41e41f4b71Sopenharmony_ci 42e41f4b71Sopenharmony_ciMethod 2: Request the ohos.permission.ATTEST_KEY permission for your application. This permission is available only to system applications. 43e41f4b71Sopenharmony_ci 44