diff options
| author | Eran Messeri <eranm@google.com> | 2017-12-21 20:50:54 +0000 |
|---|---|---|
| committer | Eran Messeri <eranm@google.com> | 2018-01-02 23:36:15 +0000 |
| commit | 94d56761249a8e8c073867c17bba59b4a898f113 (patch) | |
| tree | a5d48db4ef71a6e105810d282ea3c8af32e42697 /keystore/java/android/security/IKeyChainService.aidl | |
| parent | ea713a3882d11675ca067ad63ab01a664d012f3b (diff) | |
DPM: Implement Device ID attestation
Enable requesting inclusion of device identifiers in the attestation
record issued for keys generated by generateKeyPair.
This is done by passing an array of flags with values indicating which
identifiers should be included.
Since the attestation record will include sensitive identifiers, it can
only be requested by the DPC in Device Owner mode or by the Delegated
Cert Installer in Device Owner mode.
Design note:
DevicePolicyManager defines its own set of constants for the different
identifier types (ID_TYPE_*) and prior to calling
DevicePolicyManagerService it translates them to the values defined by
AttestationUtils (which is not a public class).
The reason is to allow re-use of code in AttestationUtils for preparing
the attestation arguments.
In theory, these constants could be moved from AttestationUtils to
DevicePolicyManager, however that would create a dependency on DPM from
Keystore, which logically does not make sense as Keystore is independent
of the DPM (and in a lower level of the system, conceptually).
Bug: 63388672
Test: cts-tradefed run commandAndExit cts-dev -a armeabi-v7a -m CtsDevicePolicyManagerTestCases -t com.android.cts.devicepolicy.DeviceOwnerTest#testKeyManagement; runtest frameworks-services -c com.android.server.devicepolicy.DevicePolicyManagerTest#testTranslationOfIdAttestationFlag
Change-Id: Ifb42e8e813fa812a08203b4a81d15b1f91152354
Diffstat (limited to 'keystore/java/android/security/IKeyChainService.aidl')
| -rw-r--r-- | keystore/java/android/security/IKeyChainService.aidl | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/keystore/java/android/security/IKeyChainService.aidl b/keystore/java/android/security/IKeyChainService.aidl index 7c7417dfaaac..5a8fa0700328 100644 --- a/keystore/java/android/security/IKeyChainService.aidl +++ b/keystore/java/android/security/IKeyChainService.aidl @@ -34,7 +34,8 @@ interface IKeyChainService { void setUserSelectable(String alias, boolean isUserSelectable); boolean generateKeyPair(in String algorithm, in ParcelableKeyGenParameterSpec spec); - boolean attestKey(in String alias, in byte[] challenge, out KeymasterCertificateChain chain); + boolean attestKey(in String alias, in byte[] challenge, in int[] idAttestationFlags, + out KeymasterCertificateChain chain); boolean setKeyPairCertificate(String alias, in byte[] userCert, in byte[] certChain); // APIs used by CertInstaller and DevicePolicyManager |