
Commit 99ac9848 authored by Shawn Willden's avatar Shawn Willden Committed by Automerger Merge Worker

Add KeyPurpose::ATTEST_KEY. am: 7c130397

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1534063

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: Ibd239ffc5407842834bb07bb70a50f53a61a771e
parents 2a325dff 7c130397
+10 −17
@@ -833,9 +833,16 @@ bool parseAsn1Time(const ASN1_TIME* asn1Time, time_t* outTime) {
optional<vector<vector<uint8_t>>> createAttestation(
        const EVP_PKEY* key, const vector<uint8_t>& applicationId, const vector<uint8_t>& challenge,
        uint64_t activeTimeMilliSeconds, uint64_t expireTimeMilliSeconds, bool isTestCredential) {
    // Pretend to be implemented in a trusted environment just so we can pass
    // the VTS tests. Of course, this is a pretend-only game since hopefully no
    // relying party is ever going to trust our batch key and those keys above
    // it.
    ::keymaster::PureSoftKeymasterContext context(::keymaster::KmVersion::KEYMASTER_4_1,
                                                  KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT);

    keymaster_error_t error;
    ::keymaster::CertificateChain attestation_chain =
            ::keymaster::getAttestationChain(KM_ALGORITHM_EC, &error);
            context.GetAttestationChain(KM_ALGORITHM_EC, &error);
    if (KM_ERROR_OK != error) {
        LOG(ERROR) << "Error getting attestation chain " << error;
        return {};
@@ -855,12 +862,6 @@ optional<vector<vector<uint8_t>>> createAttestation(
        }
        expireTimeMilliSeconds = bcNotAfter * 1000;
    }
    const keymaster_key_blob_t* attestation_signing_key =
            ::keymaster::getAttestationKey(KM_ALGORITHM_EC, nullptr);
    if (attestation_signing_key == nullptr) {
        LOG(ERROR) << "Error getting attestation key";
        return {};
    }

    ::keymaster::X509_NAME_Ptr subjectName;
    if (KM_ERROR_OK !=
@@ -917,16 +918,8 @@ optional<vector<vector<uint8_t>>> createAttestation(
    }
    ::keymaster::AuthorizationSet hwEnforced(hwEnforcedBuilder);

    // Pretend to be implemented in a trusted environment just so we can pass
    // the VTS tests. Of course, this is a pretend-only game since hopefully no
    // relying party is ever going to trust our batch key and those keys above
    // it.
    ::keymaster::PureSoftKeymasterContext context(::keymaster::KmVersion::KEYMINT_1,
                                                  KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT);

    ::keymaster::CertificateChain cert_chain_out = generate_attestation_from_EVP(
            key, swEnforced, hwEnforced, auth_set, context, move(attestation_chain),
            *attestation_signing_key, &error);
    ::keymaster::CertificateChain cert_chain_out = generate_attestation(
            key, swEnforced, hwEnforced, auth_set, {} /* attest_key */, context, &error);

    if (KM_ERROR_OK != error) {
        LOG(ERROR) << "Error generating attestation from EVP key: " << error;
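Review bot: The `PureSoftKeymasterContext` that this change moves to the top of `createAttestation` is built with `::keymaster::KmVersion::KEYMASTER_4_1`, whereas the declaration deleted further down used `KmVersion::KEYMINT_1`, and the commit message does not mention a version change. If that version is reflected in the attestation the context produces, relying parties would see a different record, so please confirm it is intended and record why in the existing comment, e.g. `// KEYMASTER_4_1 on purpose: <reason>`. The context is now the only source of the chain and, with `{} /* attest_key */` passed to `generate_attestation`, presumably of the signing key as well, which deserves a one-line comment at that call. The log text `"Error generating attestation from EVP key: "` still names the helper that was replaced. The body of `createAttestation` continues past the visible hunks.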
+39 −0
/*
 * Copyright (C) 2021 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *////////////////////////////////////////////////////////////////////////////////
// THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE.                          //
///////////////////////////////////////////////////////////////////////////////

// This file is a snapshot of an AIDL file. Do not edit it manually. There are
// two cases:
// 1). this is a frozen version file - do not edit this in any case.
// 2). this is a 'current' file. If you make a backwards compatible change to
//     the interface (from the latest frozen version), the build system will
//     prompt you to update this file with `m <name>-update-api`.
//
// You must not make a backward incompatible change to any AIDL file built
// with the aidl_interface module type with versions property set. The module
// type is used to build AIDL files in a way that they can be used across
// independently updatable components of the system. If a device is shipped
// with such a backward incompatible change, it has a high risk of breaking
// later when a module using the interface is updated, e.g., Mainline modules.

package android.hardware.security.keymint;
@RustDerive(Clone=true, Eq=true, Hash=true, Ord=true, PartialEq=true, PartialOrd=true) @VintfStability
parcelable AttestationKey {
  byte[] keyBlob;
  android.hardware.security.keymint.KeyParameter[] attestKeyParams;
  byte[] issuerSubjectName;
}
+2 −0
@@ -113,6 +113,8 @@ enum ErrorCode {
  UNSUPPORTED_MGF_DIGEST = -79,
  MISSING_NOT_BEFORE = -80,
  MISSING_NOT_AFTER = -81,
  MISSING_ISSUER_SUBJECT = -82,
  INVALID_ISSUER_SUBJECT = -83,
  UNIMPLEMENTED = -100,
  VERSION_MISMATCH = -101,
  UNKNOWN_ERROR = -1000,
+5 −5
@@ -35,14 +35,14 @@ package android.hardware.security.keymint;
interface IKeyMintDevice {
  android.hardware.security.keymint.KeyMintHardwareInfo getHardwareInfo();
  void addRngEntropy(in byte[] data);
  android.hardware.security.keymint.KeyCreationResult generateKey(in android.hardware.security.keymint.KeyParameter[] keyParams);
  android.hardware.security.keymint.KeyCreationResult importKey(in android.hardware.security.keymint.KeyParameter[] keyParams, in android.hardware.security.keymint.KeyFormat keyFormat, in byte[] keyData);
  android.hardware.security.keymint.KeyCreationResult generateKey(in android.hardware.security.keymint.KeyParameter[] keyParams, in @nullable android.hardware.security.keymint.AttestationKey attestationKey);
  android.hardware.security.keymint.KeyCreationResult importKey(in android.hardware.security.keymint.KeyParameter[] keyParams, in android.hardware.security.keymint.KeyFormat keyFormat, in byte[] keyData, in @nullable android.hardware.security.keymint.AttestationKey attestationKey);
  android.hardware.security.keymint.KeyCreationResult importWrappedKey(in byte[] wrappedKeyData, in byte[] wrappingKeyBlob, in byte[] maskingKey, in android.hardware.security.keymint.KeyParameter[] unwrappingParams, in long passwordSid, in long biometricSid);
  byte[] upgradeKey(in byte[] inKeyBlobToUpgrade, in android.hardware.security.keymint.KeyParameter[] inUpgradeParams);
  void deleteKey(in byte[] inKeyBlob);
  byte[] upgradeKey(in byte[] keyBlobToUpgrade, in android.hardware.security.keymint.KeyParameter[] upgradeParams);
  void deleteKey(in byte[] keyBlob);
  void deleteAllKeys();
  void destroyAttestationIds();
  android.hardware.security.keymint.BeginResult begin(in android.hardware.security.keymint.KeyPurpose inPurpose, in byte[] inKeyBlob, in android.hardware.security.keymint.KeyParameter[] inParams, in android.hardware.security.keymint.HardwareAuthToken inAuthToken);
  android.hardware.security.keymint.BeginResult begin(in android.hardware.security.keymint.KeyPurpose purpose, in byte[] keyBlob, in android.hardware.security.keymint.KeyParameter[] params, in android.hardware.security.keymint.HardwareAuthToken authToken);
  void deviceLocked(in boolean passwordOnly, in @nullable android.hardware.security.secureclock.TimeStampToken timestampToken);
  void earlyBootEnded();
  const int AUTH_TOKEN_MAC_LENGTH = 32;
+1 −0
@@ -39,4 +39,5 @@ enum KeyPurpose {
  VERIFY = 3,
  WRAP_KEY = 5,
  AGREE_KEY = 6,
  ATTEST_KEY = 7,
}