From 9daf7c70a8de86582cf660ec0c4b1c017c638f96 Mon Sep 17 00:00:00 2001 From: David Drysdale Date: Thu, 14 Jul 2022 17:37:01 +0100 Subject: [PATCH] KeyMint HAL: clarify leaf cert requirements Bug: 237624131 Bug: 238037309 Test: None, comment change Change-Id: I7426deda8b0735f1ca34a22fc21ec0121a0fcca8 --- .../hardware/security/keymint/KeyCreationResult.aidl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl index 57285a35d8..ae755791f6 100644 --- a/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl +++ b/security/keymint/aidl/android/hardware/security/keymint/KeyCreationResult.aidl @@ -99,8 +99,7 @@ parcelable KeyCreationResult { * X.509 certificates ordered such that each certificate is signed by the subsequent one, up to * the root which must be self-signed (or contain a fake signature in the case of case 4 above). * The first certificate in the chain signs the public key info of the newly-generated or - * newly-imported key pair. In the attestation cases (1 and 2 above), the first certificate - * must also satisfy some other requirements: + * newly-imported key pair. The first certificate must also satisfy some other requirements: * * o It must have the serial number provided in Tag::CERTIFICATE_SERIAL, or default to 1 if the * tag is not provided. 
@@ -119,7 +118,8 @@ parcelable KeyCreationResult { * - the keyAgreement bit set iff the attested key has KeyPurpose::AGREE_KEY, and * - the keyCertSignBit set iff the attested key has KeyPurpose::ATTEST_KEY. * - * o it must contain a KeyDescription attestation extension with OID 1.3.6.1.4.1.11129.2.1.17. + * In the attestation cases (1 and 2 above), the first certificate must contain a + * KeyDescription attestation extension with OID 1.3.6.1.4.1.11129.2.1.17. * * The KeyDescription content is defined by the following ASN.1 schema, which is mostly a * straightforward translation of the KeyMint tag/value parameter lists to ASN.1.
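Review bot: In the first hunk (KeyCreationResult.aidl @@ -99,8), dropping the "In the attestation cases (1 and 2 above)" qualifier correctly makes the serial-number, validity and key-usage requirements apply to the leaf certificate in every case, but the remaining wording "must also satisfy some other requirements:" is still vague; consider "must also satisfy the following requirements:" so readers know the bullet list that follows is the complete set. It would also help to add one sentence noting that these requirements apply to self-signed and fake-signed leaf certificates as well (cases 3 and 4 of the surrounding comment), since that is the behavioural change this clarification implies for HAL implementers.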
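Review bot: In the second hunk (@@ -119,7), moving the KeyDescription requirement out of the "o" bullet list into a standalone paragraph restricted to attestation cases (1 and 2) is the right split, but the new text says only when the extension must be present, not whether it may appear in the non-attestation cases (3 and 4); consider stating explicitly whether a self-signed or fake-signed leaf certificate is permitted or forbidden to carry OID 1.3.6.1.4.1.11129.2.1.17, as an implementer reading only this comment cannot tell. Minor: the new paragraph now sits directly before "The KeyDescription content is defined by the following ASN.1 schema", so a blank " *" line between the two, as used elsewhere in this comment block, would keep the formatting consistent.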