Merge "Update Keymint documentation in aidl." am: 0a8dd959a4 am: 38e3dc200a

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1673780 Change-Id: I371a30817aa762773eef2f52d9c4ef4514775073
2021-04-14 22:48:06 +00:00 · 2021-04-14 22:48:06 +00:00 · da0bd640f1
commit da0bd640f1
parent 7d32a5135a 38e3dc200a
1 changed files with 26 additions and 19 deletions
--- a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
@ -60,29 +60,36 @@ parcelable KeyCreationResult {
     * `attestationKey` parameter of `generateKey()`, `importKey()` or `importWrappedKey()`), and in
     * the non-attestaion case, whether the key can self-sign.
     *
-     * 1.  Attestation with factory key.  If Tag::ATTESTATION_CHALLENGE is provided and the
-     *     `attestationKey` parameter on the generate/import call is null, the returned certificate
-     *     chain must contain an attestation certificate signed with a factory-provisioned
-     *     attestation key, and the full certificate chain for that factory-provisioned attestation
-     *     key.
+     * 1.  Asymmetric key attestation with factory key.  If Tag::ATTESTATION_CHALLENGE is provided
+     *     and the `attestationKey` parameter on the generate/import call is null, the returned
+     *     certificate chain must contain an attestation certificate signed with a factory-
+     *     provisioned attestation key, and the full certificate chain for that factory-provisioned
+     *     attestation key.  Tag::ATTESTATION_APPLICATION_ID must also be provided when the
+     *     ATTESTATION_CHALLENGE is provided, otherwise ATTESTATION_APPLICATION_ID_MISSING will be
+     *     returned.
     *
-     * 2.  Attestation with caller-provided key.  If Tag::ATTESTATION_CHALLENGE is provided and the
-     *     `attestationKey` parameter on the generat/import call is non-null and contains the key
-     *     blob of a key with KeyPurpose::ATTEST_KEY, the returned certificate chain must contain
-     *     only an attestation certificate signed with the specified key.  The caller must know the
-     *     certificate chain for the provided key.
+     * 2.  Asymmetric key attestation with caller-provided key.  If Tag::ATTESTATION_CHALLENGE is
+     *     provided and the `attestationKey` parameter on the generat/import call is non-null and
+     *     contains the key blob of a key with KeyPurpose::ATTEST_KEY, the returned certificate
+     *     chain must contain only an attestation certificate signed with the specified key.  The
+     *     caller must know the certificate chain for the provided key.  Tag::
+     *     ATTESTATION_APPLICATION_ID must also be provided when the ATTESTATION_CHALLENGE is
+     *     provided, otherwise ATTESTATION_APPLICATION_ID_MISSING will be returned.
     *
-     * 3.  Non-attestation with signing key.  If Tag::ATTESTATION_CHALLENGE is not provided and the
-     *     generated/imported key has KeyPurpose::SIGN, then the returned certificate chain must
-     *     contain only a single self-signed certificate with no attestation extension.
+     * 3.  Asymmetric key non-attestation with signing key.  If Tag::ATTESTATION_CHALLENGE is not
+     *     provided and the generated/imported key has KeyPurpose::SIGN, then the returned
+     *     certificate chain must contain only a single self-signed certificate with no attestation
+     *     extension.  Tag::ATTESTATION_APPLICATION_ID will be ignored if provided.
     *
-     * 4.  Non-attestation with non-signing key.  If TAG::ATTESTATION_CHALLENGE is not provided and
-     *     the generated/imported key does not have KeyPurpose::SIGN, then the returned certificate
-     *     chain must contain only a single certificate with an empty signature and no attestation
-     *     extension.
+     * 4.  Asymmetric key non-attestation with non-signing key.  If TAG::ATTESTATION_CHALLENGE is
+     *     not provided and the generated/imported key does not have KeyPurpose::SIGN, then the
+     *     returned certificate chain must contain only a single certificate with an empty signature
+     *     and no attestation extension.  Tag::ATTESTATION_APPLICATION_ID will be ignored if
+     *     provided.
     *
-     * 5.  Symmetric key.  If the generated/imported key is symmetric, the certificate chain must be
-     *     empty.
+     * 5.  Symmetric key.  If the generated/imported key is symmetric, the certificate chain must
+     *     return empty, any Tag::ATTESTATION_CHALLENGE or Tag::ATTESTATION_APPLICATION_ID inputs,
+     *     if provided, are ignored.
     */
    Certificate[] certificateChain;
 }