Merge "KeyMint HAL: clarify leaf cert requirements"

2026-02-01 16:50:18 +00:00 · 2022-07-15 13:37:19 +00:00
parent 96ed41b2e2 9daf7c70a8
commit 824c5d8f60
1 changed files with 3 additions and 3 deletions
--- a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl
@@ -99,8 +99,7 @@ parcelable KeyCreationResult {
     * X.509 certificates ordered such that each certificate is signed by the subsequent one, up to
     * the root which must be self-signed (or contain a fake signature in the case of case 4 above).
     * The first certificate in the chain signs the public key info of the newly-generated or
-     * newly-imported key pair.  In the attestation cases (1 and 2 above), the first certificate
-     * must also satisfy some other requirements:
+     * newly-imported key pair.  The first certificate must also satisfy some other requirements:
     *
     * o It must have the serial number provided in Tag::CERTIFICATE_SERIAL, or default to 1 if the
     *   tag is not provided.
@@ -119,7 +118,8 @@ parcelable KeyCreationResult {
     *    - the keyAgreement bit set iff the attested key has KeyPurpose::AGREE_KEY, and
     *    - the keyCertSignBit set iff the attested key has KeyPurpose::ATTEST_KEY.
     *
-     * o it must contain a KeyDescription attestation extension with OID 1.3.6.1.4.1.11129.2.1.17.
+     * In the attestation cases (1 and 2 above), the first certificate must contain a
+     * KeyDescription attestation extension with OID 1.3.6.1.4.1.11129.2.1.17.
     *
     * The KeyDescription content is defined by the following ASN.1 schema, which is mostly a
     * straightforward translation of the KeyMint tag/value parameter lists to ASN.1.