From 6ea762a04b77a151c489bd3c10d5d6b37f895665 Mon Sep 17 00:00:00 2001 From: Selene Huang Date: Wed, 14 Apr 2021 00:37:17 +0000 Subject: [PATCH] Update Keymint documentation in aidl. Change-Id: I8eb73da95d9070c46d61973b26373628a1333e9f Test: n/a --- .../security/keymint/KeyCreationResult.aidl | 45 +++++++++++-------- 1 file changed, 26 insertions(+), 19 deletions(-) diff --git a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl index f3c547784e..c2e21b6d37 100644 --- a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl +++ b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl @@ -60,29 +60,36 @@ parcelable KeyCreationResult { * `attestationKey` parameter of `generateKey()`, `importKey()` or `importWrappedKey()`), and in * the non-attestaion case, whether the key can self-sign. * - * 1. Attestation with factory key. If Tag::ATTESTATION_CHALLENGE is provided and the - * `attestationKey` parameter on the generate/import call is null, the returned certificate - * chain must contain an attestation certificate signed with a factory-provisioned - * attestation key, and the full certificate chain for that factory-provisioned attestation - * key. + * 1. Asymmetric key attestation with factory key. If Tag::ATTESTATION_CHALLENGE is provided + * and the `attestationKey` parameter on the generate/import call is null, the returned + * certificate chain must contain an attestation certificate signed with a factory- + * provisioned attestation key, and the full certificate chain for that factory-provisioned + * attestation key. Tag::ATTESTATION_APPLICATION_ID must also be provided when the + * ATTESTATION_CHALLENGE is provided, otherwise ATTESTATION_APPLICATION_ID_MISSING will be + * returned. * - * 2. Attestation with caller-provided key. If Tag::ATTESTATION_CHALLENGE is provided and the - * `attestationKey` parameter on the generat/import call is non-null and contains the key - * blob of a key with KeyPurpose::ATTEST_KEY, the returned certificate chain must contain - * only an attestation certificate signed with the specified key. The caller must know the - * certificate chain for the provided key. + * 2. Asymmetric key attestation with caller-provided key. If Tag::ATTESTATION_CHALLENGE is + * provided and the `attestationKey` parameter on the generat/import call is non-null and + * contains the key blob of a key with KeyPurpose::ATTEST_KEY, the returned certificate + * chain must contain only an attestation certificate signed with the specified key. The + * caller must know the certificate chain for the provided key. Tag:: + * ATTESTATION_APPLICATION_ID must also be provided when the ATTESTATION_CHALLENGE is + * provided, otherwise ATTESTATION_APPLICATION_ID_MISSING will be returned. * - * 3. Non-attestation with signing key. If Tag::ATTESTATION_CHALLENGE is not provided and the - * generated/imported key has KeyPurpose::SIGN, then the returned certificate chain must - * contain only a single self-signed certificate with no attestation extension. + * 3. Asymmetric key non-attestation with signing key. If Tag::ATTESTATION_CHALLENGE is not + * provided and the generated/imported key has KeyPurpose::SIGN, then the returned + * certificate chain must contain only a single self-signed certificate with no attestation + * extension. Tag::ATTESTATION_APPLICATION_ID will be ignored if provided. * - * 4. Non-attestation with non-signing key. If TAG::ATTESTATION_CHALLENGE is not provided and - * the generated/imported key does not have KeyPurpose::SIGN, then the returned certificate - * chain must contain only a single certificate with an empty signature and no attestation - * extension. + * 4. Asymmetric key non-attestation with non-signing key. If TAG::ATTESTATION_CHALLENGE is + * not provided and the generated/imported key does not have KeyPurpose::SIGN, then the + * returned certificate chain must contain only a single certificate with an empty signature + * and no attestation extension. Tag::ATTESTATION_APPLICATION_ID will be ignored if + * provided. * - * 5. Symmetric key. If the generated/imported key is symmetric, the certificate chain must be - * empty. + * 5. Symmetric key. If the generated/imported key is symmetric, the certificate chain must + * return empty, any Tag::ATTESTATION_CHALLENGE or Tag::ATTESTATION_APPLICATION_ID inputs, + * if provided, are ignored. */ Certificate[] certificateChain; }