Merge "Use TagType constants" am: 1e6730ac am: b2178bc9 am: a40b84b4 am: fc318723

import android.hardware.security.keymint.TagType;

// TODO(seleneh) : note aidl currently does not support double nested enum definitions such as

// ROOT_OF_TRUST = TagType:BYTES | 704.  So we are forced to write definitions as

// ROOT_OF_TRUST = (9 << 28) for now.  Will need to flip this back later when aidl support is added.

/**

 * Tag specifies various kinds of tags that can be set in KeyParameter to identify what kind of

 * data are stored in KeyParameter.

    /**

     * Tag::INVALID should never be set.  It means you hit an error.

     */

    INVALID = (0 << 28) | 0,

    INVALID = 0,

    /**

     * Tag::PURPOSE specifies the set of purposes for which the key may be used.  Possible values

     *

     * Must be hardware-enforced.

     */

    PURPOSE = (2 << 28) /* TagType:ENUM_REP */ | 1,

    PURPOSE = TagType.ENUM_REP | 1,

    /**

     * Tag::ALGORITHM specifies the cryptographic algorithm with which the key is used.  This tag

     *

     * Must be hardware-enforced.

     */

    ALGORITHM = (1 << 28) /* TagType:ENUM */ | 2,

    ALGORITHM = TagType.ENUM | 2,

    /**

     * Tag::KEY_SIZE specifies the size, in bits, of the key, measuring in the normal way for the

     *

     * Must be hardware-enforced.

     */

    KEY_SIZE = (3 << 28) /* TagType:UINT */ | 3,

    KEY_SIZE = TagType.UINT | 3,

    /**

     * Tag::BLOCK_MODE specifies the block cipher mode(s) with which the key may be used.  This tag

     *

     * Must be hardware-enforced.

     */

    BLOCK_MODE = (2 << 28) /* TagType:ENUM_REP */ | 4,

    BLOCK_MODE = TagType.ENUM_REP | 4,

    /**

     * Tag::DIGEST specifies the digest algorithms that may be used with the key to perform signing

     *

     * Must be hardware-enforced.

     */

    DIGEST = (2 << 28) /* TagType:ENUM_REP */ | 5,

    DIGEST = TagType.ENUM_REP | 5,

    /**

     * Tag::PADDING specifies the padding modes that may be used with the key.  This tag is relevant

     *

     * Must be hardware-enforced.

     */

    PADDING = (2 << 28) /* TagType:ENUM_REP */ | 6,

    PADDING = TagType.ENUM_REP | 6,

    /**

     * Tag::CALLER_NONCE specifies that the caller can provide a nonce for nonce-requiring

     *

     * Must be hardware-enforced.

     */

    CALLER_NONCE = (7 << 28) /* TagType:BOOL */ | 7,

    CALLER_NONCE = TagType.BOOL | 7,

    /**

     * Tag::MIN_MAC_LENGTH specifies the minimum length of MAC that can be requested or verified

     *

     * Must be hardware-enforced.

     */

    MIN_MAC_LENGTH = (3 << 28) /* TagType:UINT */ | 8,

    MIN_MAC_LENGTH = TagType.UINT | 8,

    // Tag 9 reserved

     *

     * Must be hardware-enforced.

     */

    EC_CURVE = (1 << 28) /* TagType:ENUM */ | 10,

    EC_CURVE = TagType.ENUM | 10,

    /**

     * Tag::RSA_PUBLIC_EXPONENT specifies the value of the public exponent for an RSA key pair.

     *

     * Must be hardware-enforced.

     */

    RSA_PUBLIC_EXPONENT = (5 << 28) /* TagType:ULONG */ | 200,

    RSA_PUBLIC_EXPONENT = TagType.ULONG | 200,

    // Tag 201 reserved

     *

     * Must be hardware-enforced.

     */

    INCLUDE_UNIQUE_ID = (7 << 28) /* TagType:BOOL */ | 202,

    INCLUDE_UNIQUE_ID = TagType.BOOL | 202,

    /**

     * Tag::RSA_OAEP_MGF_DIGEST specifies the MGF1 digest algorithms that may be used with RSA

     *

     * Must be hardware-enforced.

     */

    RSA_OAEP_MGF_DIGEST = (2 << 28) /* TagType:ENUM_REP */ | 203,

    RSA_OAEP_MGF_DIGEST = TagType.ENUM_REP | 203,

    // Tag 301 reserved

     *

     * Must be hardware-enforced.

     */

    BOOTLOADER_ONLY = (7 << 28) /* TagType:BOOL */ | 302,

    BOOTLOADER_ONLY = TagType.BOOL | 302,

    /**

     * Tag::ROLLBACK_RESISTANCE specifies that the key has rollback resistance, meaning that when

     *

     * Must be hardware-enforced.

     */

    ROLLBACK_RESISTANCE = (7 << 28) /* TagType:BOOL */ | 303,

    ROLLBACK_RESISTANCE = TagType.BOOL | 303,

    // Reserved for future use.

    HARDWARE_TYPE = (1 << 28) /* TagType:ENUM */ | 304,

    HARDWARE_TYPE = TagType.ENUM | 304,

    /**

     * Keys tagged with EARLY_BOOT_ONLY may only be used during early boot, until

     * provided to IKeyMintDevice::importKey, the import must fail with

     * ErrorCode::EARLY_BOOT_ENDED.

     */

    EARLY_BOOT_ONLY = (7 << 28) /* TagType:BOOL */ | 305,

    EARLY_BOOT_ONLY = TagType.BOOL | 305,

    /**

     * Tag::ACTIVE_DATETIME specifies the date and time at which the key becomes active, in

     *

     * Need not be hardware-enforced.

     */

    ACTIVE_DATETIME = (6 << 28) /* TagType:DATE */ | 400,

    ACTIVE_DATETIME = TagType.DATE | 400,

    /**

     * Tag::ORIGINATION_EXPIRE_DATETIME specifies the date and time at which the key expires for

     *

     * Need not be hardware-enforced.

     */

    ORIGINATION_EXPIRE_DATETIME = (6 << 28) /* TagType:DATE */ | 401,

    ORIGINATION_EXPIRE_DATETIME = TagType.DATE | 401,

    /**

     * Tag::USAGE_EXPIRE_DATETIME specifies the date and time at which the key expires for

     *

     * Need not be hardware-enforced.

     */

    USAGE_EXPIRE_DATETIME = (6 << 28) /* TagType:DATE */ | 402,

    USAGE_EXPIRE_DATETIME = TagType.DATE | 402,

    /**

     * TODO(seleneh) this tag need to be deleted.

     *

     * Must be hardware-enforced.

     */

    MIN_SECONDS_BETWEEN_OPS = (3 << 28) /* TagType:UINT */ | 403,

    MIN_SECONDS_BETWEEN_OPS = TagType.UINT | 403,

    /**

     * Tag::MAX_USES_PER_BOOT specifies the maximum number of times that a key may be used between

     *

     * Must be hardware-enforced.

     */

    MAX_USES_PER_BOOT = (3 << 28) /* TagType:UINT */ | 404,

    MAX_USES_PER_BOOT = TagType.UINT | 404,

    /**

     * Tag::USAGE_COUNT_LIMIT specifies the number of times that a key may be used. This can be

     * record. This tag must have the same SecurityLevel as the tag that is added to the key

     * characteristics.

     */

    USAGE_COUNT_LIMIT = (3 << 28) | 405, /* TagType:UINT */

    USAGE_COUNT_LIMIT = TagType.UINT | 405,

    /**

     * Tag::USER_ID specifies the ID of the Android user that is permitted to use the key.

     *

     * Must not be hardware-enforced.

     */

    USER_ID = (3 << 28) /* TagType:UINT */ | 501,

    USER_ID = TagType.UINT | 501,

    /**

     * Tag::USER_SECURE_ID specifies that a key may only be used under a particular secure user

     *

     * Must be hardware-enforced.

     */

    USER_SECURE_ID = (10 << 28) /* TagType:ULONG_REP */ | 502,

    USER_SECURE_ID = TagType.ULONG_REP | 502,

    /**

     * Tag::NO_AUTH_REQUIRED specifies that no authentication is required to use this key.  This tag

     *

     * Must be hardware-enforced.

     */

    NO_AUTH_REQUIRED = (7 << 28) /* TagType:BOOL */ | 503,

    NO_AUTH_REQUIRED = TagType.BOOL | 503,

    /**

     * Tag::USER_AUTH_TYPE specifies the types of user authenticators that may be used to authorize

     *

     * Must be hardware-enforced.

     */

    USER_AUTH_TYPE = (1 << 28) /* TagType:ENUM */ | 504,

    USER_AUTH_TYPE = TagType.ENUM | 504,

    /**

     * Tag::AUTH_TIMEOUT specifies the time in seconds for which the key is authorized for use,

     *

     * Must be hardware-enforced.

     */

    AUTH_TIMEOUT = (3 << 28) /* TagType:UINT */ | 505,

    AUTH_TIMEOUT = TagType.UINT | 505,

    /**

     * Tag::ALLOW_WHILE_ON_BODY specifies that the key may be used after authentication timeout if

     *

     * Cannot be hardware-enforced.

     */

    ALLOW_WHILE_ON_BODY = (7 << 28) /* TagType:BOOL */ | 506,

    ALLOW_WHILE_ON_BODY = TagType.BOOL | 506,

    /**

     * TRUSTED_USER_PRESENCE_REQUIRED is an optional feature that specifies that this key must be

     *

     * Must be hardware-enforced.

     */

    TRUSTED_USER_PRESENCE_REQUIRED = (7 << 28) /* TagType:BOOL */ | 507,

    TRUSTED_USER_PRESENCE_REQUIRED = TagType.BOOL | 507,

    /**

     * Tag::TRUSTED_CONFIRMATION_REQUIRED is only applicable to keys with KeyPurpose SIGN, and

     *

     * Must be hardware-enforced.

     */

    TRUSTED_CONFIRMATION_REQUIRED = (7 << 28) /* TagType:BOOL */ | 508,

    TRUSTED_CONFIRMATION_REQUIRED = TagType.BOOL | 508,

    /**

     * Tag::UNLOCKED_DEVICE_REQUIRED specifies that the key may only be used when the device is

     *

     * Must be software-enforced.

     */

    UNLOCKED_DEVICE_REQUIRED = (7 << 28) /* TagType:BOOL */ | 509,

    UNLOCKED_DEVICE_REQUIRED = TagType.BOOL | 509,

    /**

     * Tag::APPLICATION_ID.  When provided to generateKey or importKey, this tag specifies data

     *

     * Must never appear in KeyCharacteristics.

     */

    APPLICATION_ID = (9 << 28) /* TagType:BYTES */ | 601,

    APPLICATION_ID = TagType.BYTES | 601,

    /*

     * Semantically unenforceable tags, either because they have no specific meaning or because

     *

     * Must never appear in KeyCharacteristics.

     */

    APPLICATION_DATA = (9 << 28) /* TagType:BYTES */ | 700,

    APPLICATION_DATA = TagType.BYTES | 700,

    /**

     * Tag::CREATION_DATETIME specifies the date and time the key was created, in milliseconds since

     *

     * Must be in the software-enforced list, if provided.

     */

    CREATION_DATETIME = (6 << 28) /* TagType:DATE */ | 701,

    CREATION_DATETIME = TagType.DATE | 701,

    /**

     * Tag::ORIGIN specifies where the key was created, if known.  This tag must not be specified

     *

     * Must be hardware-enforced.

     */

    ORIGIN = (1 << 28) /* TagType:ENUM */ | 702,

    ORIGIN = TagType.ENUM | 702,

    // 703 is unused.

     *

     * Must never appear in KeyCharacteristics.

     */

    ROOT_OF_TRUST = (9 << 28) /* TagType:BYTES */ | 704,

    ROOT_OF_TRUST = TagType.BYTES | 704,

    /**

     * Tag::OS_VERSION specifies the system OS version with which the key may be used.  This tag is

     *

     * Must be hardware-enforced.

     */

    OS_VERSION = (3 << 28) /* TagType:UINT */ | 705,

    OS_VERSION = TagType.UINT | 705,

    /**

     * Tag::OS_PATCHLEVEL specifies the system security patch level with which the key may be used.

     *

     * Must be hardware-enforced.

     */

    OS_PATCHLEVEL = (3 << 28) /* TagType:UINT */ | 706,

    OS_PATCHLEVEL = TagType.UINT | 706,

    /**

     * Tag::UNIQUE_ID specifies a unique, time-based identifier.  This tag is never provided to or

     *

     * Must be hardware-enforced.

     */

    UNIQUE_ID = (9 << 28) /* TagType:BYTES */ | 707,

    UNIQUE_ID = TagType.BYTES | 707,

    /**

     * Tag::ATTESTATION_CHALLENGE is used to deliver a "challenge" value to the attested key

     *

     * Must never appear in KeyCharacteristics.

     */

    ATTESTATION_CHALLENGE = (9 << 28) /* TagType:BYTES */ | 708,

    ATTESTATION_CHALLENGE = TagType.BYTES | 708,

    /**

     * Tag::ATTESTATION_APPLICATION_ID identifies the set of applications which may use a key, used

     *

     * Cannot be hardware-enforced.

     */

    ATTESTATION_APPLICATION_ID = (9 << 28) /* TagType:BYTES */ | 709,

    ATTESTATION_APPLICATION_ID = TagType.BYTES | 709,

    /**

     * Tag::ATTESTATION_ID_BRAND provides the device's brand name, as returned by Build.BRAND in

     *

     * Must never appear in KeyCharacteristics.

     */

    ATTESTATION_ID_BRAND = (9 << 28) /* TagType:BYTES */ | 710,

    ATTESTATION_ID_BRAND = TagType.BYTES | 710,

    /**

     * Tag::ATTESTATION_ID_DEVICE provides the device's device name, as returned by Build.DEVICE in

     *

     * Must never appear in KeyCharacteristics.

     */

    ATTESTATION_ID_DEVICE = (9 << 28) /* TagType:BYTES */ | 711,

    ATTESTATION_ID_DEVICE = TagType.BYTES | 711,

    /**

     * Tag::ATTESTATION_ID_PRODUCT provides the device's product name, as returned by Build.PRODUCT

     *

     * Must never appear in KeyCharacteristics.

     */

    ATTESTATION_ID_PRODUCT = (9 << 28) /* TagType:BYTES */ | 712,

    ATTESTATION_ID_PRODUCT = TagType.BYTES | 712,

    /**

     * Tag::ATTESTATION_ID_SERIAL the device's serial number.  This field must be set only when

     *

     * Must never appear in KeyCharacteristics.

     */

    ATTESTATION_ID_SERIAL = (9 << 28) /* TagType:BYTES */ | 713,

    ATTESTATION_ID_SERIAL = TagType.BYTES | 713,

    /**

     * Tag::ATTESTATION_ID_IMEI provides the IMEIs for all radios on the device to attested key

     *

     * Must never appear in KeyCharacteristics.

     */

    ATTESTATION_ID_IMEI = (9 << 28) /* TagType:BYTES */ | 714,

    ATTESTATION_ID_IMEI = TagType.BYTES | 714,

    /**

     * Tag::ATTESTATION_ID_MEID provides the MEIDs for all radios on the device to attested key

     *

     * Must never appear in KeyCharacteristics.

     */

    ATTESTATION_ID_MEID = (9 << 28) /* TagType:BYTES */ | 715,

    ATTESTATION_ID_MEID = TagType.BYTES | 715,

    /**

     * Tag::ATTESTATION_ID_MANUFACTURER provides the device's manufacturer name, as returned by

     *

     * Must never appear in KeyCharacteristics.

     */

    ATTESTATION_ID_MANUFACTURER = (9 << 28) /* TagType:BYTES */ | 716,

    ATTESTATION_ID_MANUFACTURER = TagType.BYTES | 716,

    /**

     * Tag::ATTESTATION_ID_MODEL provides the device's model name, as returned by Build.MODEL in

     *

     * Must never appear in KeyCharacteristics.

     */

    ATTESTATION_ID_MODEL = (9 << 28) /* TagType:BYTES */ | 717,

    ATTESTATION_ID_MODEL = TagType.BYTES | 717,

    /**

     * Tag::VENDOR_PATCHLEVEL specifies the vendor image security patch level with which the key may

     *

     * Must be hardware-enforced.

     */

    VENDOR_PATCHLEVEL = (3 << 28) /* TagType:UINT */ | 718,

    VENDOR_PATCHLEVEL = TagType.UINT | 718,

    /**

     * Tag::BOOT_PATCHLEVEL specifies the boot image (kernel) security patch level with which the

     *

     * Must be hardware-enforced.

     */

    BOOT_PATCHLEVEL = (3 << 28) /* TagType:UINT */ | 719,

    BOOT_PATCHLEVEL = TagType.UINT | 719,

    /**

     * DEVICE_UNIQUE_ATTESTATION is an argument to IKeyMintDevice::attested key generation/import

     * IKeyMintDevice implementations that support device-unique attestation MUST add the

     * DEVICE_UNIQUE_ATTESTATION tag to device-unique attestations.

     */

    DEVICE_UNIQUE_ATTESTATION = (7 << 28) /* TagType:BOOL */ | 720,

    DEVICE_UNIQUE_ATTESTATION = TagType.BOOL | 720,

    /**

     * IDENTITY_CREDENTIAL_KEY is never used by IKeyMintDevice, is not a valid argument to key

     * attestation.  It is used in attestations produced by the IIdentityCredential HAL when that

     * HAL attests to Credential Keys.  IIdentityCredential produces KeyMint-style attestations.

     */

    IDENTITY_CREDENTIAL_KEY = (7 << 28) /* TagType:BOOL */ | 721,

    IDENTITY_CREDENTIAL_KEY = TagType.BOOL | 721,

    /**

     * To prevent keys from being compromised if an attacker acquires read access to system / kernel

     * ErrorCode::INVALID_OPERATION is returned when a key with Tag::STORAGE_KEY is provided to

     * begin().

     */

    STORAGE_KEY = (7 << 28) /* TagType:BOOL */ | 722,

    STORAGE_KEY = TagType.BOOL | 722,

    /**

     * TODO: Delete when keystore1 is deleted.

     */

    ASSOCIATED_DATA = (9 << 28) /* TagType:BYTES */ | 1000,

    ASSOCIATED_DATA = TagType.BYTES | 1000,

    /**

     * Tag::NONCE is used to provide or return a nonce or Initialization Vector (IV) for AES-GCM,

     *

     * Must never appear in KeyCharacteristics.

     */

    NONCE = (9 << 28) /* TagType:BYTES */ | 1001,

    NONCE = TagType.BYTES | 1001,

    /**

     * Tag::MAC_LENGTH provides the requested length of a MAC or GCM authentication tag, in bits.

     *

     * Must never appear in KeyCharacteristics.

     */

    MAC_LENGTH = (3 << 28) /* TagType:UINT */ | 1003,

    MAC_LENGTH = TagType.UINT | 1003,

    /**

     * Tag::RESET_SINCE_ID_ROTATION specifies whether the device has been factory reset since the

     *

     * Must never appear in KeyCharacteristics.

     */

    RESET_SINCE_ID_ROTATION = (7 << 28) /* TagType:BOOL */ | 1004,

    RESET_SINCE_ID_ROTATION = TagType.BOOL | 1004,

    /**

     * Tag::CONFIRMATION_TOKEN is used to deliver a cryptographic token proving that the user

     *

     * Must never appear in KeyCharacteristics.

     */

    CONFIRMATION_TOKEN = (9 << 28) /* TagType:BYTES */ | 1005,

    CONFIRMATION_TOKEN = TagType.BYTES | 1005,

    /**

     * Tag::CERTIFICATE_SERIAL specifies the serial number to be assigned to the attestation

     * keyMint in the attestation parameters during generateKey() and importKey().  If not provided,

     * the serial shall default to 1.

     */

    CERTIFICATE_SERIAL = (8 << 28) /* TagType:BIGNUM */ | 1006,

    CERTIFICATE_SERIAL = TagType.BIGNUM | 1006,

    /**

     * Tag::CERTIFICATE_SUBJECT the certificate subject.  The value is a DER encoded X509 NAME.

     * during generateKey and importKey. If not provided the subject name shall default to

     * CN="Android Keystore Key".

     */

    CERTIFICATE_SUBJECT = (9 << 28) /* TagType:BYTES */ | 1007,

    CERTIFICATE_SUBJECT = TagType.BYTES | 1007,

    /**

     * Tag::CERTIFICATE_NOT_BEFORE the beginning of the validity of the certificate in UNIX epoch

     * certificates.  ErrorCode::MISSING_NOT_BEFORE must be returned if this tag is not provided if

     * this tag is not provided to generateKey or importKey.

     */

    CERTIFICATE_NOT_BEFORE = (6 << 28) /* TagType:DATE */ | 1008,

    CERTIFICATE_NOT_BEFORE = TagType.DATE | 1008,

    /**

     * Tag::CERTIFICATE_NOT_AFTER the end of the validity of the certificate in UNIX epoch time in

     * ErrorCode::MISSING_NOT_AFTER must be returned if this tag is not provided to generateKey or

     * importKey.

     */

    CERTIFICATE_NOT_AFTER = (6 << 28) /* TagType:DATE */ | 1009,

    CERTIFICATE_NOT_AFTER = TagType.DATE | 1009,

    /**

     * Tag::MAX_BOOT_LEVEL specifies a maximum boot level at which a key should function.

     *

     * Cannot be hardware enforced in this version.

     */

    MAX_BOOT_LEVEL = (3 << 28) /* TagType:UINT */ | 1010,

    MAX_BOOT_LEVEL = TagType.UINT | 1010,

}