Merge "Update Keymint documentation in aidl." am: 0a8dd959a4 am: 38e3dc200a (da0bd640) · Commits · e / os / android_hardware_interfaces

security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl

+26 −19

Original line number	Diff line number	Diff line
		@@ -60,29 +60,36 @@ parcelable KeyCreationResult {
		* `attestationKey` parameter of `generateKey()`, `importKey()` or `importWrappedKey()`), and in
		* the non-attestaion case, whether the key can self-sign.
		*
		* 1. Attestation with factory key. If Tag::ATTESTATION_CHALLENGE is provided and the
		* `attestationKey` parameter on the generate/import call is null, the returned certificate
		* chain must contain an attestation certificate signed with a factory-provisioned
		* attestation key, and the full certificate chain for that factory-provisioned attestation
		* key.
		* 1. Asymmetric key attestation with factory key. If Tag::ATTESTATION_CHALLENGE is provided
		* and the `attestationKey` parameter on the generate/import call is null, the returned
		* certificate chain must contain an attestation certificate signed with a factory-
		* provisioned attestation key, and the full certificate chain for that factory-provisioned
		* attestation key. Tag::ATTESTATION_APPLICATION_ID must also be provided when the
		* ATTESTATION_CHALLENGE is provided, otherwise ATTESTATION_APPLICATION_ID_MISSING will be
		* returned.
		*
		* 2. Attestation with caller-provided key. If Tag::ATTESTATION_CHALLENGE is provided and the
		* `attestationKey` parameter on the generat/import call is non-null and contains the key
		* blob of a key with KeyPurpose::ATTEST_KEY, the returned certificate chain must contain
		* only an attestation certificate signed with the specified key. The caller must know the
		* certificate chain for the provided key.
		* 2. Asymmetric key attestation with caller-provided key. If Tag::ATTESTATION_CHALLENGE is
		* provided and the `attestationKey` parameter on the generat/import call is non-null and
		* contains the key blob of a key with KeyPurpose::ATTEST_KEY, the returned certificate
		* chain must contain only an attestation certificate signed with the specified key. The
		* caller must know the certificate chain for the provided key. Tag::
		* ATTESTATION_APPLICATION_ID must also be provided when the ATTESTATION_CHALLENGE is
		* provided, otherwise ATTESTATION_APPLICATION_ID_MISSING will be returned.
		*
		* 3. Non-attestation with signing key. If Tag::ATTESTATION_CHALLENGE is not provided and the
		* generated/imported key has KeyPurpose::SIGN, then the returned certificate chain must
		* contain only a single self-signed certificate with no attestation extension.
		* 3. Asymmetric key non-attestation with signing key. If Tag::ATTESTATION_CHALLENGE is not
		* provided and the generated/imported key has KeyPurpose::SIGN, then the returned
		* certificate chain must contain only a single self-signed certificate with no attestation
		* extension. Tag::ATTESTATION_APPLICATION_ID will be ignored if provided.
		*
		* 4. Non-attestation with non-signing key. If TAG::ATTESTATION_CHALLENGE is not provided and
		* the generated/imported key does not have KeyPurpose::SIGN, then the returned certificate
		* chain must contain only a single certificate with an empty signature and no attestation
		* extension.
		* 4. Asymmetric key non-attestation with non-signing key. If TAG::ATTESTATION_CHALLENGE is
		* not provided and the generated/imported key does not have KeyPurpose::SIGN, then the
		* returned certificate chain must contain only a single certificate with an empty signature
		* and no attestation extension. Tag::ATTESTATION_APPLICATION_ID will be ignored if
		* provided.
		*
		* 5. Symmetric key. If the generated/imported key is symmetric, the certificate chain must be
		* empty.
		* 5. Symmetric key. If the generated/imported key is symmetric, the certificate chain must
		* return empty, any Tag::ATTESTATION_CHALLENGE or Tag::ATTESTATION_APPLICATION_ID inputs,
		* if provided, are ignored.
		*/
		Certificate[] certificateChain;
		}