Merge "Keymint: Add CERTIFICATE_* tags required for certificate generation." am: 2679ad6f24 am: 51c3645c51
Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1566353
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: Ifd705316bcef5ca3e182a4d6e4d2237816641a13
diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl
index 594844a..a35b46c 100644
--- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl
+++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl
@@ -111,6 +111,8 @@
STORAGE_KEY_UNSUPPORTED = -77,
INCOMPATIBLE_MGF_DIGEST = -78,
UNSUPPORTED_MGF_DIGEST = -79,
+ MISSING_NOT_BEFORE = -80,
+ MISSING_NOT_AFTER = -81,
UNIMPLEMENTED = -100,
VERSION_MISMATCH = -101,
UNKNOWN_ERROR = -1000,
diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl
index b924a13..03982e3 100644
--- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl
+++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl
@@ -94,4 +94,8 @@
MAC_LENGTH = 805307371,
RESET_SINCE_ID_ROTATION = 1879049196,
CONFIRMATION_TOKEN = -1879047187,
+ CERTIFICATE_SERIAL = -2147482642,
+ CERTIFICATE_SUBJECT = -1879047185,
+ CERTIFICATE_NOT_BEFORE = 1610613744,
+ CERTIFICATE_NOT_AFTER = 1610613745,
}
diff --git a/security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl b/security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl
index b20601d..35e3827 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl
@@ -42,7 +42,7 @@
INVALID_AUTHORIZATION_TIMEOUT = -16,
UNSUPPORTED_KEY_FORMAT = -17,
INCOMPATIBLE_KEY_FORMAT = -18,
- UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM = -19, /** For PKCS8 & PKCS12 */
+ UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM = -19, /** For PKCS8 & PKCS12 */
UNSUPPORTED_KEY_VERIFICATION_ALGORITHM = -20, /** For PKCS8 & PKCS12 */
INVALID_INPUT_LENGTH = -21,
KEY_EXPORT_OPTIONS_INVALID = -22,
@@ -101,6 +101,8 @@
STORAGE_KEY_UNSUPPORTED = -77,
INCOMPATIBLE_MGF_DIGEST = -78,
UNSUPPORTED_MGF_DIGEST = -79,
+ MISSING_NOT_BEFORE = -80,
+ MISSING_NOT_AFTER = -81,
UNIMPLEMENTED = -100,
VERSION_MISMATCH = -101,
diff --git a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
index f52e32b..4f58cbe 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
@@ -933,4 +933,35 @@
* Must never appear in KeyCharacteristics.
*/
CONFIRMATION_TOKEN = (9 << 28) /* TagType:BYTES */ | 1005,
+
+ /**
+ * Tag::CERTIFICATE_SERIAL specifies the serial number to be assigned to the
+ * attestation certificate to be generated for the given key. This parameter should only
+ * be passed to keyMint in the attestation parameters during generateKey() and importKey().
+ */
+ CERTIFICATE_SERIAL = (8 << 28) /* TagType:BIGNUM */ | 1006,
+
+ /**
+ * Tag::CERTIFICATE_SUBJECT the certificate subject. The value is a DER encoded X509 NAME.
+ * This value is used when generating a self signed certificates. This tag may be specified
+ * during generateKey and importKey. If not provided the subject name shall default to
+ * <TODO default subject here>.
+ */
+ CERTIFICATE_SUBJECT = (9 << 28) /* TagType:BYTES */ | 1007,
+
+ /**
+ * Tag::CERTIFICATE_NOT_BEFORE the beginning of the validity of the certificate in UNIX epoch
+ * time in seconds. This value is used when generating attestation or self signed certificates.
+ * ErrorCode::MISSING_NOT_BEFORE must be returned if this tag is not provided if this tag is
+ * not provided to generateKey or importKey.
+ */
+ CERTIFICATE_NOT_BEFORE = (6 << 28) /* TagType:DATE */ | 1008,
+
+ /**
+ * Tag::CERTIFICATE_NOT_AFTER the end of the validity of the certificate in UNIX epoch
+ * time in seconds. This value is used when generating attestation or self signed certificates.
+ * ErrorCode::MISSING_NOT_AFTER must be returned if this tag is not provided to generateKey
+ * or importKey.
+ */
+ CERTIFICATE_NOT_AFTER = (6 << 28) /* TagType:DATE */ | 1009,
}
diff --git a/security/keymint/support/include/keymint_support/keymint_tags.h b/security/keymint/support/include/keymint_support/keymint_tags.h
index 43cfb63..479a11d 100644
--- a/security/keymint/support/include/keymint_support/keymint_tags.h
+++ b/security/keymint/support/include/keymint_support/keymint_tags.h
@@ -126,6 +126,10 @@
DECLARE_TYPED_TAG(USER_SECURE_ID);
DECLARE_TYPED_TAG(VENDOR_PATCHLEVEL);
DECLARE_TYPED_TAG(RSA_OAEP_MGF_DIGEST);
+DECLARE_TYPED_TAG(CERTIFICATE_SERIAL);
+DECLARE_TYPED_TAG(CERTIFICATE_SUBJECT);
+DECLARE_TYPED_TAG(CERTIFICATE_NOT_BEFORE);
+DECLARE_TYPED_TAG(CERTIFICATE_NOT_AFTER);
#undef DECLARE_TYPED_TAG