From 77f4bced2efa3fdcba2accd647e9d937ab8d6dc8 Mon Sep 17 00:00:00 2001
From: Tri Vo
Date: Thu, 3 Aug 2023 17:23:38 -0400
Subject: [PATCH] keymint: Clarify usage of certificate tags with importWrappedKey

Bug: 292534977
Test: atest android.keystore.cts.ImportWrappedKeyTest
Change-Id: I2cb65bc27e4f6b64c331bae4e4a8242ff1d91e43
---
 .../aidl/android/hardware/security/keymint/Tag.aidl | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
index d401247407..36f01064b2 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
@@ -971,7 +971,9 @@ enum Tag {
 * Tag::CERTIFICATE_NOT_BEFORE the beginning of the validity of the certificate in UNIX epoch
 * time in milliseconds. This value is used when generating attestation or self signed
 * certificates. ErrorCode::MISSING_NOT_BEFORE must be returned if this tag is not provided if
- * this tag is not provided to generateKey or importKey.
+ * this tag is not provided to generateKey or importKey. For importWrappedKey, there is no way
+ * to specify the value of this tag for the wrapped key, so a value of 0 must be used for
+ * certificate generation.
 */
 CERTIFICATE_NOT_BEFORE = TagType.DATE | 1008,
 
@@ -979,7 +981,8 @@ enum Tag {
 * Tag::CERTIFICATE_NOT_AFTER the end of the validity of the certificate in UNIX epoch time in
 * milliseconds. This value is used when generating attestation or self signed certificates.
 * ErrorCode::MISSING_NOT_AFTER must be returned if this tag is not provided to generateKey or
- * importKey.
+ * importKey. For importWrappedKey, there is no way to specify the value of this tag for the
+ * wrapped key, so a value of 253402300799000 is used for certificate generation.
 */
 CERTIFICATE_NOT_AFTER = TagType.DATE | 1009,
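Review bot: In the CERTIFICATE_NOT_BEFORE comment (first hunk) the sentence that the new text extends still reads "must be returned if this tag is not provided if this tag is not provided to generateKey or importKey". The duplicated clause straddles the last context line and the rewritten line, so this commit leaves it in the normative text. Since the line is being rewritten anyway, I would drop the repetition: `ErrorCode::MISSING_NOT_BEFORE must be returned if this tag is not provided to generateKey or importKey.` The comment block and the enum both start outside the hunk.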
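Review bot: The CERTIFICATE_NOT_AFTER text (second hunk) says the value "is used" where the NOT_BEFORE text in the first hunk says "must be used". That leaves it unclear whether the upper bound is a requirement on implementations or only a description; if it is normative, write `so a value of 253402300799000 must be used for certificate generation`. The constant is also unexplained. It appears to be 9999-12-31T23:59:59Z in milliseconds, the RFC 5280 value for a certificate with no well-defined expiration. Stating that in the comment would tell relying parties that the validity period on a wrapped key's certificate carries no key-lifetime information. The enum body continues outside the hunk.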