diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl index 594844a736..a35b46ca28 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/ErrorCode.aidl @@ -111,6 +111,8 @@ enum ErrorCode { STORAGE_KEY_UNSUPPORTED = -77, INCOMPATIBLE_MGF_DIGEST = -78, UNSUPPORTED_MGF_DIGEST = -79, + MISSING_NOT_BEFORE = -80, + MISSING_NOT_AFTER = -81, UNIMPLEMENTED = -100, VERSION_MISMATCH = -101, UNKNOWN_ERROR = -1000, diff --git a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl index b924a13266..03982e3621 100644 --- a/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl +++ b/security/keymint/aidl/aidl_api/android.hardware.security.keymint/current/android/hardware/security/keymint/Tag.aidl @@ -94,4 +94,8 @@ enum Tag { MAC_LENGTH = 805307371, RESET_SINCE_ID_ROTATION = 1879049196, CONFIRMATION_TOKEN = -1879047187, + CERTIFICATE_SERIAL = -2147482642, + CERTIFICATE_SUBJECT = -1879047185, + CERTIFICATE_NOT_BEFORE = 1610613744, + CERTIFICATE_NOT_AFTER = 1610613745, } diff --git a/security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl b/security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl index b20601d4a1..35e3827bd8 100644 --- a/security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl +++ b/security/keymint/aidl/android/hardware/security/keymint/ErrorCode.aidl @@ -42,7 +42,7 @@ enum ErrorCode { INVALID_AUTHORIZATION_TIMEOUT = -16, UNSUPPORTED_KEY_FORMAT = -17, INCOMPATIBLE_KEY_FORMAT = -18, - UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM = -19, /** For PKCS8 & PKCS12 */ + UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM = -19, /** For PKCS8 & PKCS12 */ UNSUPPORTED_KEY_VERIFICATION_ALGORITHM = -20, /** For PKCS8 & PKCS12 */ INVALID_INPUT_LENGTH = -21, KEY_EXPORT_OPTIONS_INVALID = -22, @@ -101,6 +101,8 @@ enum ErrorCode { STORAGE_KEY_UNSUPPORTED = -77, INCOMPATIBLE_MGF_DIGEST = -78, UNSUPPORTED_MGF_DIGEST = -79, + MISSING_NOT_BEFORE = -80, + MISSING_NOT_AFTER = -81, UNIMPLEMENTED = -100, VERSION_MISMATCH = -101, diff --git a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl index f52e32b96a..4f58cbeb76 100644 --- a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl +++ b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl @@ -933,4 +933,35 @@ enum Tag { * Must never appear in KeyCharacteristics. */ CONFIRMATION_TOKEN = (9 << 28) /* TagType:BYTES */ | 1005, + + /** + * Tag::CERTIFICATE_SERIAL specifies the serial number to be assigned to the + * attestation certificate to be generated for the given key. This parameter should only + * be passed to keyMint in the attestation parameters during generateKey() and importKey(). + */ + CERTIFICATE_SERIAL = (8 << 28) /* TagType:BIGNUM */ | 1006, + + /** + * Tag::CERTIFICATE_SUBJECT the certificate subject. The value is a DER encoded X509 NAME. + * This value is used when generating a self signed certificates. This tag may be specified + * during generateKey and importKey. If not provided the subject name shall default to + * . + */ + CERTIFICATE_SUBJECT = (9 << 28) /* TagType:BYTES */ | 1007, + + /** + * Tag::CERTIFICATE_NOT_BEFORE the beginning of the validity of the certificate in UNIX epoch + * time in seconds. This value is used when generating attestation or self signed certificates. + * ErrorCode::MISSING_NOT_BEFORE must be returned if this tag is not provided if this tag is + * not provided to generateKey or importKey. + */ + CERTIFICATE_NOT_BEFORE = (6 << 28) /* TagType:DATE */ | 1008, + + /** + * Tag::CERTIFICATE_NOT_AFTER the end of the validity of the certificate in UNIX epoch + * time in seconds. This value is used when generating attestation or self signed certificates. + * ErrorCode::MISSING_NOT_AFTER must be returned if this tag is not provided to generateKey + * or importKey. + */ + CERTIFICATE_NOT_AFTER = (6 << 28) /* TagType:DATE */ | 1009, } diff --git a/security/keymint/support/include/keymint_support/keymint_tags.h b/security/keymint/support/include/keymint_support/keymint_tags.h index 43cfb63a2f..479a11d137 100644 --- a/security/keymint/support/include/keymint_support/keymint_tags.h +++ b/security/keymint/support/include/keymint_support/keymint_tags.h @@ -126,6 +126,10 @@ DECLARE_TYPED_TAG(USER_ID); DECLARE_TYPED_TAG(USER_SECURE_ID); DECLARE_TYPED_TAG(VENDOR_PATCHLEVEL); DECLARE_TYPED_TAG(RSA_OAEP_MGF_DIGEST); +DECLARE_TYPED_TAG(CERTIFICATE_SERIAL); +DECLARE_TYPED_TAG(CERTIFICATE_SUBJECT); +DECLARE_TYPED_TAG(CERTIFICATE_NOT_BEFORE); +DECLARE_TYPED_TAG(CERTIFICATE_NOT_AFTER); #undef DECLARE_TYPED_TAG