Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 26caefda authored by Eran Messeri's avatar Eran Messeri Committed by Automerger Merge Worker
Browse files

Merge "Use TagType constants" am: 1e6730ac am: b2178bc9 am: a40b84b4 am: fc318723

Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/1737653

Change-Id: Id581468fde750587ecd5e2c2336d46cc5a5af87d
parents cc6843a4 fc318723
Loading
Loading
Loading
Loading
+65 −69
Original line number Diff line number Diff line
@@ -18,10 +18,6 @@ package android.hardware.security.keymint;

import android.hardware.security.keymint.TagType;

// TODO(seleneh) : note aidl currently does not support double nested enum definitions such as
// ROOT_OF_TRUST = TagType:BYTES | 704.  So we are forced to write definitions as
// ROOT_OF_TRUST = (9 << 28) for now.  Will need to flip this back later when aidl support is added.

/**
 * Tag specifies various kinds of tags that can be set in KeyParameter to identify what kind of
 * data are stored in KeyParameter.
@@ -33,7 +29,7 @@ enum Tag {
    /**
     * Tag::INVALID should never be set.  It means you hit an error.
     */
    INVALID = (0 << 28) | 0,
    INVALID = 0,

    /**
     * Tag::PURPOSE specifies the set of purposes for which the key may be used.  Possible values
@@ -47,7 +43,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    PURPOSE = (2 << 28) /* TagType:ENUM_REP */ | 1,
    PURPOSE = TagType.ENUM_REP | 1,

    /**
     * Tag::ALGORITHM specifies the cryptographic algorithm with which the key is used.  This tag
@@ -56,7 +52,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    ALGORITHM = (1 << 28) /* TagType:ENUM */ | 2,
    ALGORITHM = TagType.ENUM | 2,

    /**
     * Tag::KEY_SIZE specifies the size, in bits, of the key, measuring in the normal way for the
@@ -68,7 +64,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    KEY_SIZE = (3 << 28) /* TagType:UINT */ | 3,
    KEY_SIZE = TagType.UINT | 3,

    /**
     * Tag::BLOCK_MODE specifies the block cipher mode(s) with which the key may be used.  This tag
@@ -81,7 +77,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    BLOCK_MODE = (2 << 28) /* TagType:ENUM_REP */ | 4,
    BLOCK_MODE = TagType.ENUM_REP | 4,

    /**
     * Tag::DIGEST specifies the digest algorithms that may be used with the key to perform signing
@@ -95,7 +91,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    DIGEST = (2 << 28) /* TagType:ENUM_REP */ | 5,
    DIGEST = TagType.ENUM_REP | 5,

    /**
     * Tag::PADDING specifies the padding modes that may be used with the key.  This tag is relevant
@@ -123,7 +119,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    PADDING = (2 << 28) /* TagType:ENUM_REP */ | 6,
    PADDING = TagType.ENUM_REP | 6,

    /**
     * Tag::CALLER_NONCE specifies that the caller can provide a nonce for nonce-requiring
@@ -136,7 +132,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    CALLER_NONCE = (7 << 28) /* TagType:BOOL */ | 7,
    CALLER_NONCE = TagType.BOOL | 7,

    /**
     * Tag::MIN_MAC_LENGTH specifies the minimum length of MAC that can be requested or verified
@@ -149,7 +145,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    MIN_MAC_LENGTH = (3 << 28) /* TagType:UINT */ | 8,
    MIN_MAC_LENGTH = TagType.UINT | 8,

    // Tag 9 reserved

@@ -159,7 +155,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    EC_CURVE = (1 << 28) /* TagType:ENUM */ | 10,
    EC_CURVE = TagType.ENUM | 10,

    /**
     * Tag::RSA_PUBLIC_EXPONENT specifies the value of the public exponent for an RSA key pair.
@@ -173,7 +169,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    RSA_PUBLIC_EXPONENT = (5 << 28) /* TagType:ULONG */ | 200,
    RSA_PUBLIC_EXPONENT = TagType.ULONG | 200,

    // Tag 201 reserved

@@ -184,7 +180,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    INCLUDE_UNIQUE_ID = (7 << 28) /* TagType:BOOL */ | 202,
    INCLUDE_UNIQUE_ID = TagType.BOOL | 202,

    /**
     * Tag::RSA_OAEP_MGF_DIGEST specifies the MGF1 digest algorithms that may be used with RSA
@@ -197,7 +193,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    RSA_OAEP_MGF_DIGEST = (2 << 28) /* TagType:ENUM_REP */ | 203,
    RSA_OAEP_MGF_DIGEST = TagType.ENUM_REP | 203,

    // Tag 301 reserved

@@ -209,7 +205,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    BOOTLOADER_ONLY = (7 << 28) /* TagType:BOOL */ | 302,
    BOOTLOADER_ONLY = TagType.BOOL | 302,

    /**
     * Tag::ROLLBACK_RESISTANCE specifies that the key has rollback resistance, meaning that when
@@ -224,10 +220,10 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    ROLLBACK_RESISTANCE = (7 << 28) /* TagType:BOOL */ | 303,
    ROLLBACK_RESISTANCE = TagType.BOOL | 303,

    // Reserved for future use.
    HARDWARE_TYPE = (1 << 28) /* TagType:ENUM */ | 304,
    HARDWARE_TYPE = TagType.ENUM | 304,

    /**
     * Keys tagged with EARLY_BOOT_ONLY may only be used during early boot, until
@@ -236,7 +232,7 @@ enum Tag {
     * provided to IKeyMintDevice::importKey, the import must fail with
     * ErrorCode::EARLY_BOOT_ENDED.
     */
    EARLY_BOOT_ONLY = (7 << 28) /* TagType:BOOL */ | 305,
    EARLY_BOOT_ONLY = TagType.BOOL | 305,

    /**
     * Tag::ACTIVE_DATETIME specifies the date and time at which the key becomes active, in
@@ -245,7 +241,7 @@ enum Tag {
     *
     * Need not be hardware-enforced.
     */
    ACTIVE_DATETIME = (6 << 28) /* TagType:DATE */ | 400,
    ACTIVE_DATETIME = TagType.DATE | 400,

    /**
     * Tag::ORIGINATION_EXPIRE_DATETIME specifies the date and time at which the key expires for
@@ -257,7 +253,7 @@ enum Tag {
     *
     * Need not be hardware-enforced.
     */
    ORIGINATION_EXPIRE_DATETIME = (6 << 28) /* TagType:DATE */ | 401,
    ORIGINATION_EXPIRE_DATETIME = TagType.DATE | 401,

    /**
     * Tag::USAGE_EXPIRE_DATETIME specifies the date and time at which the key expires for
@@ -269,7 +265,7 @@ enum Tag {
     *
     * Need not be hardware-enforced.
     */
    USAGE_EXPIRE_DATETIME = (6 << 28) /* TagType:DATE */ | 402,
    USAGE_EXPIRE_DATETIME = TagType.DATE | 402,

    /**
     * TODO(seleneh) this tag need to be deleted.
@@ -294,7 +290,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    MIN_SECONDS_BETWEEN_OPS = (3 << 28) /* TagType:UINT */ | 403,
    MIN_SECONDS_BETWEEN_OPS = TagType.UINT | 403,

    /**
     * Tag::MAX_USES_PER_BOOT specifies the maximum number of times that a key may be used between
@@ -314,7 +310,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    MAX_USES_PER_BOOT = (3 << 28) /* TagType:UINT */ | 404,
    MAX_USES_PER_BOOT = TagType.UINT | 404,

    /**
     * Tag::USAGE_COUNT_LIMIT specifies the number of times that a key may be used. This can be
@@ -343,14 +339,14 @@ enum Tag {
     * record. This tag must have the same SecurityLevel as the tag that is added to the key
     * characteristics.
     */
    USAGE_COUNT_LIMIT = (3 << 28) | 405, /* TagType:UINT */
    USAGE_COUNT_LIMIT = TagType.UINT | 405,

    /**
     * Tag::USER_ID specifies the ID of the Android user that is permitted to use the key.
     *
     * Must not be hardware-enforced.
     */
    USER_ID = (3 << 28) /* TagType:UINT */ | 501,
    USER_ID = TagType.UINT | 501,

    /**
     * Tag::USER_SECURE_ID specifies that a key may only be used under a particular secure user
@@ -383,7 +379,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    USER_SECURE_ID = (10 << 28) /* TagType:ULONG_REP */ | 502,
    USER_SECURE_ID = TagType.ULONG_REP | 502,

    /**
     * Tag::NO_AUTH_REQUIRED specifies that no authentication is required to use this key.  This tag
@@ -391,7 +387,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    NO_AUTH_REQUIRED = (7 << 28) /* TagType:BOOL */ | 503,
    NO_AUTH_REQUIRED = TagType.BOOL | 503,

    /**
     * Tag::USER_AUTH_TYPE specifies the types of user authenticators that may be used to authorize
@@ -410,7 +406,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    USER_AUTH_TYPE = (1 << 28) /* TagType:ENUM */ | 504,
    USER_AUTH_TYPE = TagType.ENUM | 504,

    /**
     * Tag::AUTH_TIMEOUT specifies the time in seconds for which the key is authorized for use,
@@ -424,7 +420,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    AUTH_TIMEOUT = (3 << 28) /* TagType:UINT */ | 505,
    AUTH_TIMEOUT = TagType.UINT | 505,

    /**
     * Tag::ALLOW_WHILE_ON_BODY specifies that the key may be used after authentication timeout if
@@ -432,7 +428,7 @@ enum Tag {
     *
     * Cannot be hardware-enforced.
     */
    ALLOW_WHILE_ON_BODY = (7 << 28) /* TagType:BOOL */ | 506,
    ALLOW_WHILE_ON_BODY = TagType.BOOL | 506,

    /**
     * TRUSTED_USER_PRESENCE_REQUIRED is an optional feature that specifies that this key must be
@@ -479,7 +475,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    TRUSTED_USER_PRESENCE_REQUIRED = (7 << 28) /* TagType:BOOL */ | 507,
    TRUSTED_USER_PRESENCE_REQUIRED = TagType.BOOL | 507,

    /**
     * Tag::TRUSTED_CONFIRMATION_REQUIRED is only applicable to keys with KeyPurpose SIGN, and
@@ -493,7 +489,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    TRUSTED_CONFIRMATION_REQUIRED = (7 << 28) /* TagType:BOOL */ | 508,
    TRUSTED_CONFIRMATION_REQUIRED = TagType.BOOL | 508,

    /**
     * Tag::UNLOCKED_DEVICE_REQUIRED specifies that the key may only be used when the device is
@@ -501,7 +497,7 @@ enum Tag {
     *
     * Must be software-enforced.
     */
    UNLOCKED_DEVICE_REQUIRED = (7 << 28) /* TagType:BOOL */ | 509,
    UNLOCKED_DEVICE_REQUIRED = TagType.BOOL | 509,

    /**
     * Tag::APPLICATION_ID.  When provided to generateKey or importKey, this tag specifies data
@@ -517,7 +513,7 @@ enum Tag {
     *
     * Must never appear in KeyCharacteristics.
     */
    APPLICATION_ID = (9 << 28) /* TagType:BYTES */ | 601,
    APPLICATION_ID = TagType.BYTES | 601,

    /*
     * Semantically unenforceable tags, either because they have no specific meaning or because
@@ -538,7 +534,7 @@ enum Tag {
     *
     * Must never appear in KeyCharacteristics.
     */
    APPLICATION_DATA = (9 << 28) /* TagType:BYTES */ | 700,
    APPLICATION_DATA = TagType.BYTES | 700,

    /**
     * Tag::CREATION_DATETIME specifies the date and time the key was created, in milliseconds since
@@ -546,7 +542,7 @@ enum Tag {
     *
     * Must be in the software-enforced list, if provided.
     */
    CREATION_DATETIME = (6 << 28) /* TagType:DATE */ | 701,
    CREATION_DATETIME = TagType.DATE | 701,

    /**
     * Tag::ORIGIN specifies where the key was created, if known.  This tag must not be specified
@@ -555,7 +551,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    ORIGIN = (1 << 28) /* TagType:ENUM */ | 702,
    ORIGIN = TagType.ENUM | 702,

    // 703 is unused.

@@ -567,7 +563,7 @@ enum Tag {
     *
     * Must never appear in KeyCharacteristics.
     */
    ROOT_OF_TRUST = (9 << 28) /* TagType:BYTES */ | 704,
    ROOT_OF_TRUST = TagType.BYTES | 704,

    /**
     * Tag::OS_VERSION specifies the system OS version with which the key may be used.  This tag is
@@ -590,7 +586,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    OS_VERSION = (3 << 28) /* TagType:UINT */ | 705,
    OS_VERSION = TagType.UINT | 705,

    /**
     * Tag::OS_PATCHLEVEL specifies the system security patch level with which the key may be used.
@@ -611,7 +607,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    OS_PATCHLEVEL = (3 << 28) /* TagType:UINT */ | 706,
    OS_PATCHLEVEL = TagType.UINT | 706,

    /**
     * Tag::UNIQUE_ID specifies a unique, time-based identifier.  This tag is never provided to or
@@ -646,7 +642,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    UNIQUE_ID = (9 << 28) /* TagType:BYTES */ | 707,
    UNIQUE_ID = TagType.BYTES | 707,

    /**
     * Tag::ATTESTATION_CHALLENGE is used to deliver a "challenge" value to the attested key
@@ -655,7 +651,7 @@ enum Tag {
     *
     * Must never appear in KeyCharacteristics.
     */
    ATTESTATION_CHALLENGE = (9 << 28) /* TagType:BYTES */ | 708,
    ATTESTATION_CHALLENGE = TagType.BYTES | 708,

    /**
     * Tag::ATTESTATION_APPLICATION_ID identifies the set of applications which may use a key, used
@@ -681,7 +677,7 @@ enum Tag {
     *
     * Cannot be hardware-enforced.
     */
    ATTESTATION_APPLICATION_ID = (9 << 28) /* TagType:BYTES */ | 709,
    ATTESTATION_APPLICATION_ID = TagType.BYTES | 709,

    /**
     * Tag::ATTESTATION_ID_BRAND provides the device's brand name, as returned by Build.BRAND in
@@ -694,7 +690,7 @@ enum Tag {
     *
     * Must never appear in KeyCharacteristics.
     */
    ATTESTATION_ID_BRAND = (9 << 28) /* TagType:BYTES */ | 710,
    ATTESTATION_ID_BRAND = TagType.BYTES | 710,

    /**
     * Tag::ATTESTATION_ID_DEVICE provides the device's device name, as returned by Build.DEVICE in
@@ -707,7 +703,7 @@ enum Tag {
     *
     * Must never appear in KeyCharacteristics.
     */
    ATTESTATION_ID_DEVICE = (9 << 28) /* TagType:BYTES */ | 711,
    ATTESTATION_ID_DEVICE = TagType.BYTES | 711,

    /**
     * Tag::ATTESTATION_ID_PRODUCT provides the device's product name, as returned by Build.PRODUCT
@@ -720,7 +716,7 @@ enum Tag {
     *
     * Must never appear in KeyCharacteristics.
     */
    ATTESTATION_ID_PRODUCT = (9 << 28) /* TagType:BYTES */ | 712,
    ATTESTATION_ID_PRODUCT = TagType.BYTES | 712,

    /**
     * Tag::ATTESTATION_ID_SERIAL the device's serial number.  This field must be set only when
@@ -732,7 +728,7 @@ enum Tag {
     *
     * Must never appear in KeyCharacteristics.
     */
    ATTESTATION_ID_SERIAL = (9 << 28) /* TagType:BYTES */ | 713,
    ATTESTATION_ID_SERIAL = TagType.BYTES | 713,

    /**
     * Tag::ATTESTATION_ID_IMEI provides the IMEIs for all radios on the device to attested key
@@ -745,7 +741,7 @@ enum Tag {
     *
     * Must never appear in KeyCharacteristics.
     */
    ATTESTATION_ID_IMEI = (9 << 28) /* TagType:BYTES */ | 714,
    ATTESTATION_ID_IMEI = TagType.BYTES | 714,

    /**
     * Tag::ATTESTATION_ID_MEID provides the MEIDs for all radios on the device to attested key
@@ -758,7 +754,7 @@ enum Tag {
     *
     * Must never appear in KeyCharacteristics.
     */
    ATTESTATION_ID_MEID = (9 << 28) /* TagType:BYTES */ | 715,
    ATTESTATION_ID_MEID = TagType.BYTES | 715,

    /**
     * Tag::ATTESTATION_ID_MANUFACTURER provides the device's manufacturer name, as returned by
@@ -771,7 +767,7 @@ enum Tag {
     *
     * Must never appear in KeyCharacteristics.
     */
    ATTESTATION_ID_MANUFACTURER = (9 << 28) /* TagType:BYTES */ | 716,
    ATTESTATION_ID_MANUFACTURER = TagType.BYTES | 716,

    /**
     * Tag::ATTESTATION_ID_MODEL provides the device's model name, as returned by Build.MODEL in
@@ -784,7 +780,7 @@ enum Tag {
     *
     * Must never appear in KeyCharacteristics.
     */
    ATTESTATION_ID_MODEL = (9 << 28) /* TagType:BYTES */ | 717,
    ATTESTATION_ID_MODEL = TagType.BYTES | 717,

    /**
     * Tag::VENDOR_PATCHLEVEL specifies the vendor image security patch level with which the key may
@@ -806,7 +802,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    VENDOR_PATCHLEVEL = (3 << 28) /* TagType:UINT */ | 718,
    VENDOR_PATCHLEVEL = TagType.UINT | 718,

    /**
     * Tag::BOOT_PATCHLEVEL specifies the boot image (kernel) security patch level with which the
@@ -826,7 +822,7 @@ enum Tag {
     *
     * Must be hardware-enforced.
     */
    BOOT_PATCHLEVEL = (3 << 28) /* TagType:UINT */ | 719,
    BOOT_PATCHLEVEL = TagType.UINT | 719,

    /**
     * DEVICE_UNIQUE_ATTESTATION is an argument to IKeyMintDevice::attested key generation/import
@@ -852,7 +848,7 @@ enum Tag {
     * IKeyMintDevice implementations that support device-unique attestation MUST add the
     * DEVICE_UNIQUE_ATTESTATION tag to device-unique attestations.
     */
    DEVICE_UNIQUE_ATTESTATION = (7 << 28) /* TagType:BOOL */ | 720,
    DEVICE_UNIQUE_ATTESTATION = TagType.BOOL | 720,

    /**
     * IDENTITY_CREDENTIAL_KEY is never used by IKeyMintDevice, is not a valid argument to key
@@ -860,7 +856,7 @@ enum Tag {
     * attestation.  It is used in attestations produced by the IIdentityCredential HAL when that
     * HAL attests to Credential Keys.  IIdentityCredential produces KeyMint-style attestations.
     */
    IDENTITY_CREDENTIAL_KEY = (7 << 28) /* TagType:BOOL */ | 721,
    IDENTITY_CREDENTIAL_KEY = TagType.BOOL | 721,

    /**
     * To prevent keys from being compromised if an attacker acquires read access to system / kernel
@@ -877,12 +873,12 @@ enum Tag {
     * ErrorCode::INVALID_OPERATION is returned when a key with Tag::STORAGE_KEY is provided to
     * begin().
     */
    STORAGE_KEY = (7 << 28) /* TagType:BOOL */ | 722,
    STORAGE_KEY = TagType.BOOL | 722,

    /**
     * TODO: Delete when keystore1 is deleted.
     */
    ASSOCIATED_DATA = (9 << 28) /* TagType:BYTES */ | 1000,
    ASSOCIATED_DATA = TagType.BYTES | 1000,

    /**
     * Tag::NONCE is used to provide or return a nonce or Initialization Vector (IV) for AES-GCM,
@@ -897,7 +893,7 @@ enum Tag {
     *
     * Must never appear in KeyCharacteristics.
     */
    NONCE = (9 << 28) /* TagType:BYTES */ | 1001,
    NONCE = TagType.BYTES | 1001,

    /**
     * Tag::MAC_LENGTH provides the requested length of a MAC or GCM authentication tag, in bits.
@@ -908,7 +904,7 @@ enum Tag {
     *
     * Must never appear in KeyCharacteristics.
     */
    MAC_LENGTH = (3 << 28) /* TagType:UINT */ | 1003,
    MAC_LENGTH = TagType.UINT | 1003,

    /**
     * Tag::RESET_SINCE_ID_ROTATION specifies whether the device has been factory reset since the
@@ -916,7 +912,7 @@ enum Tag {
     *
     * Must never appear in KeyCharacteristics.
     */
    RESET_SINCE_ID_ROTATION = (7 << 28) /* TagType:BOOL */ | 1004,
    RESET_SINCE_ID_ROTATION = TagType.BOOL | 1004,

    /**
     * Tag::CONFIRMATION_TOKEN is used to deliver a cryptographic token proving that the user
@@ -925,7 +921,7 @@ enum Tag {
     *
     * Must never appear in KeyCharacteristics.
     */
    CONFIRMATION_TOKEN = (9 << 28) /* TagType:BYTES */ | 1005,
    CONFIRMATION_TOKEN = TagType.BYTES | 1005,

    /**
     * Tag::CERTIFICATE_SERIAL specifies the serial number to be assigned to the attestation
@@ -933,7 +929,7 @@ enum Tag {
     * keyMint in the attestation parameters during generateKey() and importKey().  If not provided,
     * the serial shall default to 1.
     */
    CERTIFICATE_SERIAL = (8 << 28) /* TagType:BIGNUM */ | 1006,
    CERTIFICATE_SERIAL = TagType.BIGNUM | 1006,

    /**
     * Tag::CERTIFICATE_SUBJECT the certificate subject.  The value is a DER encoded X509 NAME.
@@ -941,7 +937,7 @@ enum Tag {
     * during generateKey and importKey. If not provided the subject name shall default to
     * CN="Android Keystore Key".
     */
    CERTIFICATE_SUBJECT = (9 << 28) /* TagType:BYTES */ | 1007,
    CERTIFICATE_SUBJECT = TagType.BYTES | 1007,

    /**
     * Tag::CERTIFICATE_NOT_BEFORE the beginning of the validity of the certificate in UNIX epoch
@@ -949,7 +945,7 @@ enum Tag {
     * certificates.  ErrorCode::MISSING_NOT_BEFORE must be returned if this tag is not provided if
     * this tag is not provided to generateKey or importKey.
     */
    CERTIFICATE_NOT_BEFORE = (6 << 28) /* TagType:DATE */ | 1008,
    CERTIFICATE_NOT_BEFORE = TagType.DATE | 1008,

    /**
     * Tag::CERTIFICATE_NOT_AFTER the end of the validity of the certificate in UNIX epoch time in
@@ -957,7 +953,7 @@ enum Tag {
     * ErrorCode::MISSING_NOT_AFTER must be returned if this tag is not provided to generateKey or
     * importKey.
     */
    CERTIFICATE_NOT_AFTER = (6 << 28) /* TagType:DATE */ | 1009,
    CERTIFICATE_NOT_AFTER = TagType.DATE | 1009,

    /**
     * Tag::MAX_BOOT_LEVEL specifies a maximum boot level at which a key should function.
@@ -968,5 +964,5 @@ enum Tag {
     *
     * Cannot be hardware enforced in this version.
     */
    MAX_BOOT_LEVEL = (3 << 28) /* TagType:UINT */ | 1010,
    MAX_BOOT_LEVEL = TagType.UINT | 1010,
}