authorTri Vo <trong@google.com>2023-09-13 18:01:04 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2023-09-13 18:01:04 +0000
commitfd8e66c99d45d7f091e7c23fe678267c5693d327 (patch)
treeea0ac3c5beffac8161e445b9bafc6b3ae8bcf30f
parentc06ff747340270e4a1016d695a02967b98119788 (diff)
parent77ec0e4279983ed83a33be594440fba4490a01f8 (diff)
downloadkeymaster-tmp_amf_298295554.tar.gz
Fix asymmetric secure key import am: 77ec0e4279tmp_amf_298295554
Original change: https://android-review.googlesource.com/c/platform/system/keymaster/+/2748557 Change-Id: Ia1ea2078755198d5a916113a11196df40ac63e9a Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r--android_keymaster/android_keymaster.cpp12
1 files changed, 7 insertions, 5 deletions
diff --git a/android_keymaster/android_keymaster.cpp b/android_keymaster/android_keymaster.cpp
index c2bf15c..b28e3c9 100644
--- a/android_keymaster/android_keymaster.cpp
+++ b/android_keymaster/android_keymaster.cpp
@@ -954,16 +954,18 @@ void AndroidKeymaster::ImportWrappedKey(const ImportWrappedKeyRequest& request,
if (sids & HW_AUTH_FINGERPRINT) {
key_description.push_back(TAG_USER_SECURE_ID, request.biometric_sid);
}
-
- if (context_->GetKmVersion() >= KmVersion::KEYMINT_1) {
- key_description.push_back(TAG_CERTIFICATE_NOT_BEFORE, 0);
- key_description.push_back(TAG_CERTIFICATE_NOT_AFTER, kUndefinedExpirationDateTime);
- }
}
const KeyFactory* factory = get_key_factory(key_description, *context_, &response->error);
if (!factory) return;
+ // There is no way for clients to pass CERTIFICATE_NOT_BEFORE and CERTIFICATE_NOT_AFTER.
+ // importWrappedKey must use validity with no well-defined expiration date.
+ if (context_->GetKmVersion() >= KmVersion::KEYMINT_1) {
+ key_description.push_back(TAG_CERTIFICATE_NOT_BEFORE, 0);
+ key_description.push_back(TAG_CERTIFICATE_NOT_AFTER, kUndefinedExpirationDateTime);
+ }
+
response->error = factory->ImportKey(key_description, //
key_format, //
secret_key, //
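Review bot: The two `push_back` calls added just before `factory->ImportKey` append the validity tags without checking whether `key_description` already carries them, and the new comment's claim that clients cannot pass them cannot be confirmed from this hunk. If `key_description` is filled from the unwrapped key blob (inferred from the function name; its construction is outside the hunk), a wrapped blob that includes `TAG_CERTIFICATE_NOT_BEFORE` or `TAG_CERTIFICATE_NOT_AFTER` would leave two entries per tag, and which one `ImportKey` honours is not visible here. Consider rejecting the import when either tag is already present, or extend the comment to say where such tags are stripped, e.g. `// Tags from the wrapped key description are filtered in <location>, so these are the only validity entries.` The result of each `push_back` is also not checked, so a failed append would go unnoticed at this point. The body of `ImportWrappedKey` starts and ends outside the hunk.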