Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit bbbc2783 authored by David Drysdale's avatar David Drysdale Committed by Automerger Merge Worker
Browse files

Merge "KeyMint HAL: clarify ATTEST_KEY is like SIGN" am: afa73442

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/2033928

Change-Id: I2519c3a8525d4196b8a3969d6bdb0a0d73df3f8d
parents 9257a657 afa73442
Loading
Loading
Loading
Loading
+8 −7
Original line number Original line Diff line number Diff line
@@ -78,15 +78,16 @@ parcelable KeyCreationResult {
     *     provided, otherwise ATTESTATION_APPLICATION_ID_MISSING will be returned.
     *     provided, otherwise ATTESTATION_APPLICATION_ID_MISSING will be returned.
     *
     *
     * 3.  Asymmetric key non-attestation with signing key.  If Tag::ATTESTATION_CHALLENGE is not
     * 3.  Asymmetric key non-attestation with signing key.  If Tag::ATTESTATION_CHALLENGE is not
     *     provided and the generated/imported key has KeyPurpose::SIGN, then the returned
     *     provided and the generated/imported key has KeyPurpose::SIGN or KeyPurpose::ATTEST_KEY,
     *     certificate chain must contain only a single self-signed certificate with no attestation
     *     then the returned certificate chain must contain only a single self-signed certificate
     *     extension.  Tag::ATTESTATION_APPLICATION_ID will be ignored if provided.
     *     with no attestation extension.  Tag::ATTESTATION_APPLICATION_ID will be ignored if
     *     provided.
     *
     *
     * 4.  Asymmetric key non-attestation with non-signing key.  If TAG::ATTESTATION_CHALLENGE is
     * 4.  Asymmetric key non-attestation with non-signing key.  If TAG::ATTESTATION_CHALLENGE is
     *     not provided and the generated/imported key does not have KeyPurpose::SIGN, then the
     *     not provided and the generated/imported key does not have KeyPurpose::SIGN nor
     *     returned certificate chain must contain only a single certificate with an empty signature
     *     KeyPurpose::ATTEST_KEY, then the returned certificate chain must contain only a single
     *     and no attestation extension.  Tag::ATTESTATION_APPLICATION_ID will be ignored if
     *     certificate with an empty signature and no attestation extension.
     *     provided.
     *     Tag::ATTESTATION_APPLICATION_ID will be ignored if provided.
     *
     *
     * 5.  Symmetric key.  If the generated/imported key is symmetric, the certificate chain must
     * 5.  Symmetric key.  If the generated/imported key is symmetric, the certificate chain must
     *     return empty, any Tag::ATTESTATION_CHALLENGE or Tag::ATTESTATION_APPLICATION_ID inputs,
     *     return empty, any Tag::ATTESTATION_CHALLENGE or Tag::ATTESTATION_APPLICATION_ID inputs,