Updated the description for APPLICATION_ID and APPLICATION_DATA As the signature of the getKeyCharacteristics() does not use Tag Mechanism for app_id and app_data, there is no way to distinguish between appId / appData values that are absent, vs values that are present but of zero length. Due to this limitation a key with a zero-length app_id / app_data cannot have its key characteristics retrieved using getKeyCharacteristics() Test: VtsAidlKeyMintTarget Change-Id: I145dcba878171c174d48ad42fadeb49e045b5c55

commit: 5083a851412dd0dbb48d40a1dd174206dce22e50 [log] [tgz]
author: Subrahmanyaman <subrahmanyaman@google.com> Mon Apr 25 18:03:44 2022 +0000
committer: Subrahmanyaman <subrahmanyaman@google.com> Mon May 02 23:28:12 2022 +0000
tree: 5aa39d142bdf603267a7d73a82a6d896a60c7ad6
parent: 1b7abc43b633b47612d48c01cb995262fcc1107b [diff]
diff --git a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
index b28ebcb..42dfad5 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl

@@ -504,7 +504,9 @@
      * that is necessary during all uses of the key.  In particular, calls to exportKey() and
      * getKeyCharacteristics() must provide the same value to the clientId parameter, and calls to
      * begin() must provide this tag and the same associated data as part of the inParams set.  If
-     * the correct data is not provided, the method must return ErrorCode::INVALID_KEY_BLOB.
+     * the correct data is not provided, the method must return ErrorCode::INVALID_KEY_BLOB.  Note
+     * that a key with a zero-length APPLICATION_ID cannot have its key characteristics retrieved
+     * using getKeyCharacteristics() due to a historical limitation of the API.
      *
      * The content of this tag must be bound to the key cryptographically, meaning it must not be
      * possible for an adversary who has access to all of the secure world secrets but does not have
@@ -525,7 +527,9 @@
      * that is necessary during all uses of the key.  In particular, calls to begin() and
      * exportKey() must provide the same value to the appData parameter, and calls to begin must
      * provide this tag and the same associated data as part of the inParams set.  If the correct
-     * data is not provided, the method must return ErrorCode::INVALID_KEY_BLOB.
+     * data is not provided, the method must return ErrorCode::INVALID_KEY_BLOB.  Note that a key
+     * with a zero-length APPLICATION_DATA cannot have its key characteristics retrieved using
+     * getKeyCharacteristics() due to a historical limitation of the API.
      *
      * The content of this tag must be bound to the key cryptographically, meaning it must not be
      * possible for an adversary who has access to all of the secure world secrets but does not have
commit	5083a851412dd0dbb48d40a1dd174206dce22e50	[log] [tgz]
author	Subrahmanyaman <subrahmanyaman@google.com>	Mon Apr 25 18:03:44 2022 +0000
committer	Subrahmanyaman <subrahmanyaman@google.com>	Mon May 02 23:28:12 2022 +0000
tree	5aa39d142bdf603267a7d73a82a6d896a60c7ad6
parent	1b7abc43b633b47612d48c01cb995262fcc1107b [diff]