keymint: Clarify usage of certificate tags with importWrappedKey
Bug: 292534977
Test: atest android.keystore.cts.ImportWrappedKeyTest
Change-Id: I2cb65bc27e4f6b64c331bae4e4a8242ff1d91e43
diff --git a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
index d401247..36f0106 100644
--- a/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
+++ b/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl
@@ -971,7 +971,9 @@
* Tag::CERTIFICATE_NOT_BEFORE the beginning of the validity of the certificate in UNIX epoch
* time in milliseconds. This value is used when generating attestation or self signed
* certificates. ErrorCode::MISSING_NOT_BEFORE must be returned if this tag is not provided if
- * this tag is not provided to generateKey or importKey.
+ * this tag is not provided to generateKey or importKey. For importWrappedKey, there is no way
+ * to specify the value of this tag for the wrapped key, so a value of 0 must be used for
+ * certificate generation.
*/
CERTIFICATE_NOT_BEFORE = TagType.DATE | 1008,
@@ -979,7 +981,8 @@
* Tag::CERTIFICATE_NOT_AFTER the end of the validity of the certificate in UNIX epoch time in
* milliseconds. This value is used when generating attestation or self signed certificates.
* ErrorCode::MISSING_NOT_AFTER must be returned if this tag is not provided to generateKey or
- * importKey.
+ * importKey. For importWrappedKey, there is no way to specify the value of this tag for the
+ * wrapped key, so a value of 253402300799000 is used for certificate generation.
*/
CERTIFICATE_NOT_AFTER = TagType.DATE | 1009,
