keymint: Clarify usage of certificate tags with importWrappedKey

Bug: 292534977 Test: atest android.keystore.cts.ImportWrappedKeyTest Change-Id: I2cb65bc27e4f6b64c331bae4e4a8242ff1d91e43
2026-02-01 11:36:00 +00:00 · 2023-08-03 17:23:38 -04:00
parent 49e6433617
commit 77f4bced2e
1 changed files with 5 additions and 2 deletions
--- a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
@@ -971,7 +971,9 @@ enum Tag {
     * Tag::CERTIFICATE_NOT_BEFORE the beginning of the validity of the certificate in UNIX epoch
     * time in milliseconds.  This value is used when generating attestation or self signed
     * certificates.  ErrorCode::MISSING_NOT_BEFORE must be returned if this tag is not provided if
-     * this tag is not provided to generateKey or importKey.
+     * this tag is not provided to generateKey or importKey.  For importWrappedKey, there is no way
+     * to specify the value of this tag for the wrapped key, so a value of 0 must be used for
+     * certificate generation.
     */
    CERTIFICATE_NOT_BEFORE = TagType.DATE | 1008,

@@ -979,7 +981,8 @@ enum Tag {
     * Tag::CERTIFICATE_NOT_AFTER the end of the validity of the certificate in UNIX epoch time in
     * milliseconds.  This value is used when generating attestation or self signed certificates.
     * ErrorCode::MISSING_NOT_AFTER must be returned if this tag is not provided to generateKey or
-     * importKey.
+     * importKey.  For importWrappedKey, there is no way to specify the value of this tag for the
+     * wrapped key, so a value of 253402300799000 is used for certificate generation.
     */
    CERTIFICATE_NOT_AFTER = TagType.DATE | 1009,