Gitiles
Code Review Sign In
gerrit.omnirom.org / android_hardware_interfaces / 0a8dd959a4e788bb8fbe67734124caa92e6683c1^1..0a8dd959a4e788bb8fbe67734124caa92e6683c1 / .
commit0a8dd959a4e788bb8fbe67734124caa92e6683c1[log] [tgz]
authorSelene Huang <seleneh@google.com>Wed Apr 14 21:43:05 2021 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Wed Apr 14 21:43:05 2021 +0000
tree597a0fb32c34de4289a8d79b1a532350ed92f4c4
parenta546efe5ef24d552025b1f5646c45e7c52e4d59b [diff]
parent6ea762a04b77a151c489bd3c10d5d6b37f895665 [diff]
Merge "Update Keymint documentation in aidl."
diff --git a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
index f3c5477..c2e21b6 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl

@@ -60,29 +60,36 @@
      * `attestationKey` parameter of `generateKey()`, `importKey()` or `importWrappedKey()`), and in
      * the non-attestaion case, whether the key can self-sign.
      *
-     * 1.  Attestation with factory key.  If Tag::ATTESTATION_CHALLENGE is provided and the
-     *     `attestationKey` parameter on the generate/import call is null, the returned certificate
-     *     chain must contain an attestation certificate signed with a factory-provisioned
-     *     attestation key, and the full certificate chain for that factory-provisioned attestation
-     *     key.
+     * 1.  Asymmetric key attestation with factory key.  If Tag::ATTESTATION_CHALLENGE is provided
+     *     and the `attestationKey` parameter on the generate/import call is null, the returned
+     *     certificate chain must contain an attestation certificate signed with a factory-
+     *     provisioned attestation key, and the full certificate chain for that factory-provisioned
+     *     attestation key.  Tag::ATTESTATION_APPLICATION_ID must also be provided when the
+     *     ATTESTATION_CHALLENGE is provided, otherwise ATTESTATION_APPLICATION_ID_MISSING will be
+     *     returned.
      *
-     * 2.  Attestation with caller-provided key.  If Tag::ATTESTATION_CHALLENGE is provided and the
-     *     `attestationKey` parameter on the generat/import call is non-null and contains the key
-     *     blob of a key with KeyPurpose::ATTEST_KEY, the returned certificate chain must contain
-     *     only an attestation certificate signed with the specified key.  The caller must know the
-     *     certificate chain for the provided key.
+     * 2.  Asymmetric key attestation with caller-provided key.  If Tag::ATTESTATION_CHALLENGE is
+     *     provided and the `attestationKey` parameter on the generat/import call is non-null and
+     *     contains the key blob of a key with KeyPurpose::ATTEST_KEY, the returned certificate
+     *     chain must contain only an attestation certificate signed with the specified key.  The
+     *     caller must know the certificate chain for the provided key.  Tag::
+     *     ATTESTATION_APPLICATION_ID must also be provided when the ATTESTATION_CHALLENGE is
+     *     provided, otherwise ATTESTATION_APPLICATION_ID_MISSING will be returned.
      *
-     * 3.  Non-attestation with signing key.  If Tag::ATTESTATION_CHALLENGE is not provided and the
-     *     generated/imported key has KeyPurpose::SIGN, then the returned certificate chain must
-     *     contain only a single self-signed certificate with no attestation extension.
+     * 3.  Asymmetric key non-attestation with signing key.  If Tag::ATTESTATION_CHALLENGE is not
+     *     provided and the generated/imported key has KeyPurpose::SIGN, then the returned
+     *     certificate chain must contain only a single self-signed certificate with no attestation
+     *     extension.  Tag::ATTESTATION_APPLICATION_ID will be ignored if provided.
      *
-     * 4.  Non-attestation with non-signing key.  If TAG::ATTESTATION_CHALLENGE is not provided and
-     *     the generated/imported key does not have KeyPurpose::SIGN, then the returned certificate
-     *     chain must contain only a single certificate with an empty signature and no attestation
-     *     extension.
+     * 4.  Asymmetric key non-attestation with non-signing key.  If TAG::ATTESTATION_CHALLENGE is
+     *     not provided and the generated/imported key does not have KeyPurpose::SIGN, then the
+     *     returned certificate chain must contain only a single certificate with an empty signature
+     *     and no attestation extension.  Tag::ATTESTATION_APPLICATION_ID will be ignored if
+     *     provided.
      *
-     * 5.  Symmetric key.  If the generated/imported key is symmetric, the certificate chain must be
-     *     empty.
+     * 5.  Symmetric key.  If the generated/imported key is symmetric, the certificate chain must
+     *     return empty, any Tag::ATTESTATION_CHALLENGE or Tag::ATTESTATION_APPLICATION_ID inputs,
+     *     if provided, are ignored.
      */
     Certificate[] certificateChain;
 }