From 2027a9b597793a3643a7cba05f9e1d48fc4eeb74 Mon Sep 17 00:00:00 2001 From: Tommy Chiu Date: Mon, 5 Aug 2024 11:28:13 +0000 Subject: [PATCH] Update the UdsCertChain comment to reflect the latest recommendation. Bug: 331136391 Test: comment update only Change-Id: I72f45c85d106d87fcd4c56d4c4fa86eb1af8f5a7 --- .../security/keymint/generateCertificateRequestV2.cddl | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl b/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl index 3c43238381..40cf68583d 100644 --- a/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl +++ b/security/rkp/aidl/android/hardware/security/keymint/generateCertificateRequestV2.cddl @@ -62,9 +62,13 @@ UdsCerts = { SignerName = tstr UdsCertChain = [ - 2* X509Certificate ; Root -> ... -> Leaf. "Root" is the vendor self-signed - ; cert, "Leaf" contains UDS_Public. There may also be - ; intermediate certificates between Root and Leaf. + + X509Certificate ; Root -> ... -> Leaf. "Root" is the vendor self-signed + ; cert, "Leaf" contains UDS_Public. It's recommended to + ; have at least 3 certificates in the chain. + ; The Root certificate is recommended to be generated in an air-gapped, + ; HSM-based secure environment. The intermediate signing keys may be + ; online, and should be rotated regularly (e.g. annually). Additionally, + ; the intermediate certificates may contain product family identifiers. ] ; A bstr containing a DER-encoded X.509 certificate (RSA, NIST P-curve, or EdDSA)