Wire individual attestation

Properly define the constant for requesting the use of device individual attestation certificate and use it in AttestationUtils. This lets callers to DevicePolicyManager.generateKeyPair request the use of device-unique attestation certificate, on Keymaster implementations that support this. Bug: 140193672 Bug: 136494773 Test: atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testKeyManagement Change-Id: I74de89e4c121a27b0495dcb99b0775445c3d4eaf
2019-12-06 11:25:12 +00:00
parent 985479534a
commit c54507664b
2 changed files with 2 additions and 4 deletions
--- a/core/java/android/security/keymaster/KeymasterDefs.java
+++ b/core/java/android/security/keymaster/KeymasterDefs.java
@@ -94,6 +94,7 @@ public final class KeymasterDefs {
    public static final int KM_TAG_ATTESTATION_ID_MEID = KM_BYTES | 715;
    public static final int KM_TAG_ATTESTATION_ID_MANUFACTURER = KM_BYTES | 716;
    public static final int KM_TAG_ATTESTATION_ID_MODEL = KM_BYTES | 717;
+    public static final int KM_TAG_DEVICE_UNIQUE_ATTESTATION = KM_BOOL | 720;

    public static final int KM_TAG_ASSOCIATED_DATA = KM_BYTES | 1000;
    public static final int KM_TAG_NONCE = KM_BYTES | 1001;
--- a/keystore/java/android/security/keystore/AttestationUtils.java
+++ b/keystore/java/android/security/keystore/AttestationUtils.java
@@ -204,10 +204,7 @@ public abstract class AttestationUtils {
                    break;
                }
                case USE_INDIVIDUAL_ATTESTATION: {
-                    //TODO: Add the Keymaster tag for requesting the use of individual
-                    //attestation certificate, which should be
-                    //KeymasterDefs.KM_TAG_DEVICE_UNIQUE_ATTESTATION
-                    attestArgs.addBoolean(720);
+                    attestArgs.addBoolean(KeymasterDefs.KM_TAG_DEVICE_UNIQUE_ATTESTATION);
                    break;
                }
                default: