
Commit 5cde787c authored by David Drysdale's avatar David Drysdale Committed by Gerrit Code Review

Merge "Align KeyMint AIDL with usage"

parents 2fff1705 56ba912b
+1 −2
@@ -44,10 +44,9 @@ interface IKeyMintDevice {
  void deleteKey(in byte[] keyBlob);
  void deleteAllKeys();
  void destroyAttestationIds();
  android.hardware.security.keymint.BeginResult begin(in android.hardware.security.keymint.KeyPurpose purpose, in byte[] keyBlob, in android.hardware.security.keymint.KeyParameter[] params, in android.hardware.security.keymint.HardwareAuthToken authToken);
  android.hardware.security.keymint.BeginResult begin(in android.hardware.security.keymint.KeyPurpose purpose, in byte[] keyBlob, in android.hardware.security.keymint.KeyParameter[] params, in @nullable android.hardware.security.keymint.HardwareAuthToken authToken);
  void deviceLocked(in boolean passwordOnly, in @nullable android.hardware.security.secureclock.TimeStampToken timestampToken);
  void earlyBootEnded();
  byte[] convertStorageKeyToEphemeral(in byte[] storageKeyBlob);
  byte[] performOperation(in byte[] request);
  const int AUTH_TOKEN_MAC_LENGTH = 32;
}
+0 −1
@@ -48,7 +48,6 @@ enum Tag {
  RSA_PUBLIC_EXPONENT = 1342177480,
  INCLUDE_UNIQUE_ID = 1879048394,
  RSA_OAEP_MGF_DIGEST = 536871115,
  BLOB_USAGE_REQUIREMENTS = 268435757,
  BOOTLOADER_ONLY = 1879048494,
  ROLLBACK_RESISTANCE = 1879048495,
  HARDWARE_TYPE = 268435760,
+2 −21
@@ -257,9 +257,6 @@ interface IKeyMintDevice {
     *
     * o Tag::ORIGIN with the value KeyOrigin::GENERATED.
     *
     * o Tag::BLOB_USAGE_REQUIREMENTS with the appropriate value (see KeyBlobUsageRequirements in
     *   Tag.aidl).
     *
     * o Tag::OS_VERSION, Tag::OS_PATCHLEVEL, Tag::VENDOR_PATCHLEVEL and Tag::BOOT_PATCHLEVEL with
     *   appropriate values.
     *
@@ -713,9 +710,7 @@ interface IKeyMintDevice {
     *        contain a tag Tag::NONCE.  If Tag::NONCE is provided for a key without
     *        Tag:CALLER_NONCE, ErrorCode::CALLER_NONCE_PROHIBITED must be returned.
     *
     * @param inAuthToken Authentication token.  Callers that provide no token must set all numeric
     *        fields to zero and the MAC must be an empty vector.  TODO: make this field nullable.
     *        b/173483024.
     * @param inAuthToken Authentication token.
     *
     * @return BeginResult as output, which contains the challenge, KeyParameters which haves
     *         additional data from the operation initialization, notably to return the IV or nonce
@@ -723,7 +718,7 @@ interface IKeyMintDevice {
     *         which is used to perform update(), finish() or abort() operations.
     */
    BeginResult begin(in KeyPurpose purpose, in byte[] keyBlob, in KeyParameter[] params,
            in HardwareAuthToken authToken);
            in @nullable HardwareAuthToken authToken);

    /**
     * Called by client to notify the IKeyMintDevice that the device is now locked, and keys with
@@ -783,18 +778,4 @@ interface IKeyMintDevice {
     *         place of the input storageKeyBlob
     */
    byte[] convertStorageKeyToEphemeral(in byte[] storageKeyBlob);

    /**
     * Called by the client to perform a KeyMint operation.
     *
     *  This method is added primarily as a placeholder.  Details will be fleshed before the KeyMint
     *  V1 interface is frozen.  Until then, implementations must return ErrorCode::UNIMPLEMENTED.
     *
     * @param request is an encrypted buffer containing a description of the operation the client
     *        wishes to perform.  Structure, content and encryption are TBD.
     *
     * @return an encrypted buffer containing the result of the operation.  Structure, content and
     *         encryption are TBD.
     */
    byte[] performOperation(in byte[] request);
}
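Review bot: The new `@param inAuthToken Authentication token.` line no longer says what a null token means, and its name does not match the declared parameter `authToken` on the `in @nullable HardwareAuthToken authToken` line. Suggest `@param authToken Authentication token, or null if the caller has none.  A null token never satisfies an authentication requirement in the key's authorizations; begin() must fail in that case rather than proceed.` The removed text told callers without a token to send an all-zero token with an empty MAC, so the doc should also state that a non-null token whose MAC is not AUTH_TOKEN_MAC_LENGTH bytes is malformed and must be rejected, not treated as "no token" — otherwise an implementation that still accepts a zero-filled token as absent could let a caller bypass the authentication check. The enclosing interface continues past the hunk.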
+1 −16
@@ -203,22 +203,7 @@ enum Tag {
     */
    RSA_OAEP_MGF_DIGEST = (2 << 28) /* TagType:ENUM_REP */ | 203,

    /**
     * TODO(seleneh) this tag needs to be deleted from all codes.
     *
     * Tag::BLOB_USAGE_REQUIREMENTS specifies the necessary system environment conditions for the
     * generated key to be used.  Possible values are defined by the KeyBlobUsageRequirements enum.
     *
     * This tag is specified by the caller during key generation or import to require that the key
     * is usable in the specified condition.  If the caller specifies Tag::BLOB_USAGE_REQUIREMENTS
     * with value KeyBlobUsageRequirements::STANDALONE the IKeyMintDevice must return a key blob
     * that can be used without file system support.  This is critical for devices with encrypted
     * disks, where the file system may not be available until after a KeyMint key is used to
     * decrypt the disk.
     *
     * Must be hardware-enforced.
     */
    BLOB_USAGE_REQUIREMENTS = (1 << 28) /* TagType:ENUM */ | 301,
    // Tag 301 reserved

    /**
     * Tag::BOOTLOADER_ONLY specifies only the bootloader can use the key.
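Review bot: The `// Tag 301 reserved` line that replaces `BLOB_USAGE_REQUIREMENTS` should record why the number is reserved so it is not reassigned to a new tag later: `// Tag 301 reserved: formerly BLOB_USAGE_REQUIREMENTS (TagType:ENUM); do not reuse.` The removed doc described the tag as hardware-enforced and used for storage keys, so key blobs created under earlier versions may still carry tag 301 in their authorization lists; the comment should say whether an implementation that encounters it must ignore or reject the tag, which this change leaves unspecified. The enclosing enum continues past the hunk.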
+2 −3
@@ -119,7 +119,6 @@ char nibble2hex[16] = {'0', '1', '2', '3', '4', '5', '6', '7',
// Attestations don't contain everything in key authorization lists, so we need to filter the key
// lists to produce the lists that we expect to match the attestations.
auto kTagsToFilter = {
        Tag::BLOB_USAGE_REQUIREMENTS,  //
        Tag::CREATION_DATETIME,        //
        Tag::EC_CURVE,
        Tag::HARDWARE_TYPE,
@@ -348,7 +347,7 @@ ErrorCode KeyMintAidlTestBase::Begin(KeyPurpose purpose, const vector<uint8_t>&
    SCOPED_TRACE("Begin");
    Status result;
    BeginResult out;
    result = keymint_->begin(purpose, key_blob, in_params.vector_data(), HardwareAuthToken(), &out);
    result = keymint_->begin(purpose, key_blob, in_params.vector_data(), std::nullopt, &out);

    if (result.isOk()) {
        *out_params = out.params;
@@ -366,7 +365,7 @@ ErrorCode KeyMintAidlTestBase::Begin(KeyPurpose purpose, const vector<uint8_t>&
    Status result;
    BeginResult out;

    result = keymint_->begin(purpose, key_blob, in_params.vector_data(), HardwareAuthToken(), &out);
    result = keymint_->begin(purpose, key_blob, in_params.vector_data(), std::nullopt, &out);

    if (result.isOk()) {
        *out_params = out.params;
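Review bot: Both `Begin` overloads now pass `std::nullopt` on the `keymint_->begin(...)` lines, so this test base never calls `begin()` with a present `HardwareAuthToken`; the non-null path introduced by the `@nullable` change, including the HAL's rejection of a token whose MAC is not `AUTH_TOKEN_MAC_LENGTH` bytes, is not exercised here. Consider giving these helpers a trailing `std::optional<HardwareAuthToken>` argument defaulting to `std::nullopt` so individual tests can cover authenticated operations and malformed tokens without duplicating the call. Both `Begin` bodies continue beyond the hunk, so such a variant may already exist elsewhere in the file; if it does, this is moot.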