
Commit 0a8dd959 authored by Selene Huang's avatar Selene Huang Committed by Gerrit Code Review

Merge "Update Keymint documentation in aidl."

parents a546efe5 6ea762a0
+26 −19
@@ -60,29 +60,36 @@ parcelable KeyCreationResult {
     * `attestationKey` parameter of `generateKey()`, `importKey()` or `importWrappedKey()`), and in
     * the non-attestaion case, whether the key can self-sign.
     *
     * 1.  Attestation with factory key.  If Tag::ATTESTATION_CHALLENGE is provided and the
     *     `attestationKey` parameter on the generate/import call is null, the returned certificate
     *     chain must contain an attestation certificate signed with a factory-provisioned
     *     attestation key, and the full certificate chain for that factory-provisioned attestation
     *     key.
     * 1.  Asymmetric key attestation with factory key.  If Tag::ATTESTATION_CHALLENGE is provided
     *     and the `attestationKey` parameter on the generate/import call is null, the returned
     *     certificate chain must contain an attestation certificate signed with a factory-
     *     provisioned attestation key, and the full certificate chain for that factory-provisioned
     *     attestation key.  Tag::ATTESTATION_APPLICATION_ID must also be provided when the
     *     ATTESTATION_CHALLENGE is provided, otherwise ATTESTATION_APPLICATION_ID_MISSING will be
     *     returned.
     *
     * 2.  Attestation with caller-provided key.  If Tag::ATTESTATION_CHALLENGE is provided and the
     *     `attestationKey` parameter on the generat/import call is non-null and contains the key
     *     blob of a key with KeyPurpose::ATTEST_KEY, the returned certificate chain must contain
     *     only an attestation certificate signed with the specified key.  The caller must know the
     *     certificate chain for the provided key.
     * 2.  Asymmetric key attestation with caller-provided key.  If Tag::ATTESTATION_CHALLENGE is
     *     provided and the `attestationKey` parameter on the generat/import call is non-null and
     *     contains the key blob of a key with KeyPurpose::ATTEST_KEY, the returned certificate
     *     chain must contain only an attestation certificate signed with the specified key.  The
     *     caller must know the certificate chain for the provided key.  Tag::
     *     ATTESTATION_APPLICATION_ID must also be provided when the ATTESTATION_CHALLENGE is
     *     provided, otherwise ATTESTATION_APPLICATION_ID_MISSING will be returned.
     *
     * 3.  Non-attestation with signing key.  If Tag::ATTESTATION_CHALLENGE is not provided and the
     *     generated/imported key has KeyPurpose::SIGN, then the returned certificate chain must
     *     contain only a single self-signed certificate with no attestation extension.
     * 3.  Asymmetric key non-attestation with signing key.  If Tag::ATTESTATION_CHALLENGE is not
     *     provided and the generated/imported key has KeyPurpose::SIGN, then the returned
     *     certificate chain must contain only a single self-signed certificate with no attestation
     *     extension.  Tag::ATTESTATION_APPLICATION_ID will be ignored if provided.
     *
     * 4.  Non-attestation with non-signing key.  If TAG::ATTESTATION_CHALLENGE is not provided and
     *     the generated/imported key does not have KeyPurpose::SIGN, then the returned certificate
     *     chain must contain only a single certificate with an empty signature and no attestation
     *     extension.
     * 4.  Asymmetric key non-attestation with non-signing key.  If TAG::ATTESTATION_CHALLENGE is
     *     not provided and the generated/imported key does not have KeyPurpose::SIGN, then the
     *     returned certificate chain must contain only a single certificate with an empty signature
     *     and no attestation extension.  Tag::ATTESTATION_APPLICATION_ID will be ignored if
     *     provided.
     *
     * 5.  Symmetric key.  If the generated/imported key is symmetric, the certificate chain must be
     *     empty.
     * 5.  Symmetric key.  If the generated/imported key is symmetric, the certificate chain must
     *     return empty, any Tag::ATTESTATION_CHALLENGE or Tag::ATTESTATION_APPLICATION_ID inputs,
     *     if provided, are ignored.
     */
    Certificate[] certificateChain;
}
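Review bot: the rewritten case 5 text ("the certificate chain must return empty, any Tag::ATTESTATION_CHALLENGE or Tag::ATTESTATION_APPLICATION_ID inputs, if provided, are ignored") is a comma splice and "must return empty" is not what the rest of the comment says about the chain; suggest "the certificate chain must be empty; any Tag::ATTESTATION_CHALLENGE or Tag::ATTESTATION_APPLICATION_ID inputs are ignored." In case 2 the identifier is wrapped as "Tag::" at end of line and "ATTESTATION_APPLICATION_ID" on the next, which breaks a search for "Tag::ATTESTATION_APPLICATION_ID"; keep the identifier on one line. The new case 2 text also carries over the "generat/import" typo from the line it replaces, and case 4 keeps "TAG::ATTESTATION_CHALLENGE" while every other case writes "Tag::"; since these lines are being rewritten anyway, fix both. The unchanged context above the numbered list still reads "non-attestaion case", which this change could also correct while touching this comment.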