KeyMint HAL: clarify leaf cert requirements
Bug: 237624131
Bug: 238037309
Test: None, comment change
Change-Id: I7426deda8b0735f1ca34a22fc21ec0121a0fcca8
diff --git a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
index 57285a3..ae75579 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
@@ -99,8 +99,7 @@
* X.509 certificates ordered such that each certificate is signed by the subsequent one, up to
* the root which must be self-signed (or contain a fake signature in the case of case 4 above).
* The first certificate in the chain signs the public key info of the newly-generated or
- * newly-imported key pair. In the attestation cases (1 and 2 above), the first certificate
- * must also satisfy some other requirements:
+ * newly-imported key pair. The first certificate must also satisfy some other requirements:
*
* o It must have the serial number provided in Tag::CERTIFICATE_SERIAL, or default to 1 if the
* tag is not provided.
@@ -119,7 +118,8 @@
* - the keyAgreement bit set iff the attested key has KeyPurpose::AGREE_KEY, and
* - the keyCertSignBit set iff the attested key has KeyPurpose::ATTEST_KEY.
*
- * o it must contain a KeyDescription attestation extension with OID 1.3.6.1.4.1.11129.2.1.17.
+ * In the attestation cases (1 and 2 above), the first certificate must contain a
+ * KeyDescription attestation extension with OID 1.3.6.1.4.1.11129.2.1.17.
*
* The KeyDescription content is defined by the following ASN.1 schema, which is mostly a
* straightforward translation of the KeyMint tag/value parameter lists to ASN.1.