Keymint: Add CERTIFICATE_* tags required for certificate generation.
Also fixes some formatting.
Test: N/A
Change-Id: I27e9dcfa638b544ab49befa208b294e55a04f2c1
diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl
index 594844a..a35b46c 100644
--- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl
+++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl
@@ -111,6 +111,8 @@
STORAGE_KEY_UNSUPPORTED = -77,
INCOMPATIBLE_MGF_DIGEST = -78,
UNSUPPORTED_MGF_DIGEST = -79,
+ MISSING_NOT_BEFORE = -80,
+ MISSING_NOT_AFTER = -81,
UNIMPLEMENTED = -100,
VERSION_MISMATCH = -101,
UNKNOWN_ERROR = -1000,
diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl
index b924a13..03982e3 100644
--- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl
+++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl
@@ -94,4 +94,8 @@
MAC_LENGTH = 805307371,
RESET_SINCE_ID_ROTATION = 1879049196,
CONFIRMATION_TOKEN = -1879047187,
+ CERTIFICATE_SERIAL = -2147482642,
+ CERTIFICATE_SUBJECT = -1879047185,
+ CERTIFICATE_NOT_BEFORE = 1610613744,
+ CERTIFICATE_NOT_AFTER = 1610613745,
}
diff --git a/security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl b/security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl
index b20601d..35e3827 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl
@@ -42,7 +42,7 @@
INVALID_AUTHORIZATION_TIMEOUT = -16,
UNSUPPORTED_KEY_FORMAT = -17,
INCOMPATIBLE_KEY_FORMAT = -18,
- UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM = -19, /** For PKCS8 & PKCS12 */
+ UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM = -19, /** For PKCS8 & PKCS12 */
UNSUPPORTED_KEY_VERIFICATION_ALGORITHM = -20, /** For PKCS8 & PKCS12 */
INVALID_INPUT_LENGTH = -21,
KEY_EXPORT_OPTIONS_INVALID = -22,
@@ -101,6 +101,8 @@
STORAGE_KEY_UNSUPPORTED = -77,
INCOMPATIBLE_MGF_DIGEST = -78,
UNSUPPORTED_MGF_DIGEST = -79,
+ MISSING_NOT_BEFORE = -80,
+ MISSING_NOT_AFTER = -81,
UNIMPLEMENTED = -100,
VERSION_MISMATCH = -101,
diff --git a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
index bc07235..3704780 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
@@ -27,7 +27,7 @@
* data are stored in KeyParameter.
*/
@VintfStability
-@Backing(type = "int")
+@Backing(type="int")
enum Tag {
/**
* Tag::INVALID should never be set. It means you hit an error.
@@ -82,7 +82,6 @@
*/
BLOCK_MODE = (2 << 28) /* TagType:ENUM_REP */ | 4,
-
/**
* Tag::DIGEST specifies the digest algorithms that may be used with the key to perform signing
* and verification operations. This tag is relevant to RSA, ECDSA and HMAC keys. Possible
@@ -187,21 +186,21 @@
*/
INCLUDE_UNIQUE_ID = (7 << 28) /* TagType:BOOL */ | 202,
- /**
- * Tag::RSA_OAEP_MGF_DIGEST specifies the MGF1 digest algorithms that may be used with
- * RSA encryption/decryption with OAEP padding. If the key characteristics supports OAEP
- * and this tag is absent then SHA1 digest is selected by default for MGF1.
- *
- * This tag is repeatable for key generation/import. If this tag is present in the key
- * characteristics with one or more values from @4.0::Digest, then for RSA cipher
- * operations with OAEP Padding, the caller must specify a digest in the additionalParams
- * argument of begin operation. If this tag is missing or the specified digest is not in
- * the digests associated with the key then begin operation must fail with
- * ErrorCode::INCOMPATIBLE_MGF_DIGEST.
- *
- * Must be hardware-enforced.
- */
- RSA_OAEP_MGF_DIGEST = (2 << 28) /* TagType:ENUM_REP */ | 203,
+ /**
+ * Tag::RSA_OAEP_MGF_DIGEST specifies the MGF1 digest algorithms that may be used with
+ * RSA encryption/decryption with OAEP padding. If the key characteristics supports OAEP
+ * and this tag is absent then SHA1 digest is selected by default for MGF1.
+ *
+ * This tag is repeatable for key generation/import. If this tag is present in the key
+ * characteristics with one or more values from @4.0::Digest, then for RSA cipher
+ * operations with OAEP Padding, the caller must specify a digest in the additionalParams
+ * argument of begin operation. If this tag is missing or the specified digest is not in
+ * the digests associated with the key then begin operation must fail with
+ * ErrorCode::INCOMPATIBLE_MGF_DIGEST.
+ *
+ * Must be hardware-enforced.
+ */
+ RSA_OAEP_MGF_DIGEST = (2 << 28) /* TagType:ENUM_REP */ | 203,
/**
* TODO(seleneh) this tag needs to be deleted from all codes.
@@ -497,7 +496,8 @@
*/
TRUSTED_USER_PRESENCE_REQUIRED = (7 << 28) /* TagType:BOOL */ | 507,
- /** Tag::TRUSTED_CONFIRMATION_REQUIRED is only applicable to keys with KeyPurpose SIGN, and
+ /**
+ * Tag::TRUSTED_CONFIRMATION_REQUIRED is only applicable to keys with KeyPurpose SIGN, and
* specifies that this key must not be usable unless the user provides confirmation of the data
* to be signed. Confirmation is proven to keyMint via an approval token. See
* CONFIRMATION_TOKEN, as well as the ConfirmatinUI HAL.
@@ -933,4 +933,35 @@
* Must never appear in KeyCharacteristics.
*/
CONFIRMATION_TOKEN = (9 << 28) /* TagType:BYTES */ | 1005,
+
+ /**
+ * Tag::CERTIFICATE_SERIAL specifies the serial number to be assigned to the
+ * attestation certificate to be generated for the given key. This parameter should only
+ * be passed to keyMint in the attestation parameters during generateKey() and importKey().
+ */
+ CERTIFICATE_SERIAL = (8 << 28) /* TagType:BIGNUM */ | 1006,
+
+ /**
+ * Tag::CERTIFICATE_SUBJECT the certificate subject. The value is a DER encoded X509 NAME.
+ * This value is used when generating a self signed certificates. This tag may be specified
+ * during generateKey and importKey. If not provided the subject name shall default to
+ * <TODO default subject here>.
+ */
+ CERTIFICATE_SUBJECT = (9 << 28) /* TagType:BYTES */ | 1007,
+
+ /**
+ * Tag::CERTIFICATE_NOT_BEFORE the beginning of the validity of the certificate in UNIX epoch
+ * time in seconds. This value is used when generating attestation or self signed certificates.
+ * ErrorCode::MISSING_NOT_BEFORE must be returned if this tag is not provided if this tag is
+ * not provided to generateKey or importKey.
+ */
+ CERTIFICATE_NOT_BEFORE = (6 << 28) /* TagType:DATE */ | 1008,
+
+ /**
+ * Tag::CERTIFICATE_NOT_AFTER the end of the validity of the certificate in UNIX epoch
+ * time in seconds. This value is used when generating attestation or self signed certificates.
+ * ErrorCode::MISSING_NOT_AFTER must be returned if this tag is not provided to generateKey
+ * or importKey.
+ */
+ CERTIFICATE_NOT_AFTER = (6 << 28) /* TagType:DATE */ | 1009,
}
diff --git a/security/keymint/support/include/keymint_support/keymint_tags.h b/security/keymint/support/include/keymint_support/keymint_tags.h
index 43cfb63..479a11d 100644
--- a/security/keymint/support/include/keymint_support/keymint_tags.h
+++ b/security/keymint/support/include/keymint_support/keymint_tags.h
@@ -126,6 +126,10 @@
DECLARE_TYPED_TAG(USER_SECURE_ID);
DECLARE_TYPED_TAG(VENDOR_PATCHLEVEL);
DECLARE_TYPED_TAG(RSA_OAEP_MGF_DIGEST);
+DECLARE_TYPED_TAG(CERTIFICATE_SERIAL);
+DECLARE_TYPED_TAG(CERTIFICATE_SUBJECT);
+DECLARE_TYPED_TAG(CERTIFICATE_NOT_BEFORE);
+DECLARE_TYPED_TAG(CERTIFICATE_NOT_AFTER);
#undef DECLARE_TYPED_TAG