Loading security/keymint/aidl/android/hardware/security/keymint/Tag.aidl +65 −69 Original line number Diff line number Diff line Loading @@ -18,10 +18,6 @@ package android.hardware.security.keymint; import android.hardware.security.keymint.TagType; // TODO(seleneh) : note aidl currently does not support double nested enum definitions such as // ROOT_OF_TRUST = TagType:BYTES | 704. So we are forced to write definitions as // ROOT_OF_TRUST = (9 << 28) for now. Will need to flip this back later when aidl support is added. /** * Tag specifies various kinds of tags that can be set in KeyParameter to identify what kind of * data are stored in KeyParameter. Loading @@ -33,7 +29,7 @@ enum Tag { /** * Tag::INVALID should never be set. It means you hit an error. */ INVALID = (0 << 28) | 0, INVALID = 0, /** * Tag::PURPOSE specifies the set of purposes for which the key may be used. Possible values Loading @@ -47,7 +43,7 @@ enum Tag { * * Must be hardware-enforced. */ PURPOSE = (2 << 28) /* TagType:ENUM_REP */ | 1, PURPOSE = TagType.ENUM_REP | 1, /** * Tag::ALGORITHM specifies the cryptographic algorithm with which the key is used. This tag Loading @@ -56,7 +52,7 @@ enum Tag { * * Must be hardware-enforced. */ ALGORITHM = (1 << 28) /* TagType:ENUM */ | 2, ALGORITHM = TagType.ENUM | 2, /** * Tag::KEY_SIZE specifies the size, in bits, of the key, measuring in the normal way for the Loading @@ -68,7 +64,7 @@ enum Tag { * * Must be hardware-enforced. */ KEY_SIZE = (3 << 28) /* TagType:UINT */ | 3, KEY_SIZE = TagType.UINT | 3, /** * Tag::BLOCK_MODE specifies the block cipher mode(s) with which the key may be used. This tag Loading @@ -81,7 +77,7 @@ enum Tag { * * Must be hardware-enforced. */ BLOCK_MODE = (2 << 28) /* TagType:ENUM_REP */ | 4, BLOCK_MODE = TagType.ENUM_REP | 4, /** * Tag::DIGEST specifies the digest algorithms that may be used with the key to perform signing Loading @@ -95,7 +91,7 @@ enum Tag { * * Must be hardware-enforced. */ DIGEST = (2 << 28) /* TagType:ENUM_REP */ | 5, DIGEST = TagType.ENUM_REP | 5, /** * Tag::PADDING specifies the padding modes that may be used with the key. This tag is relevant Loading Loading @@ -123,7 +119,7 @@ enum Tag { * * Must be hardware-enforced. */ PADDING = (2 << 28) /* TagType:ENUM_REP */ | 6, PADDING = TagType.ENUM_REP | 6, /** * Tag::CALLER_NONCE specifies that the caller can provide a nonce for nonce-requiring Loading @@ -136,7 +132,7 @@ enum Tag { * * Must be hardware-enforced. */ CALLER_NONCE = (7 << 28) /* TagType:BOOL */ | 7, CALLER_NONCE = TagType.BOOL | 7, /** * Tag::MIN_MAC_LENGTH specifies the minimum length of MAC that can be requested or verified Loading @@ -149,7 +145,7 @@ enum Tag { * * Must be hardware-enforced. */ MIN_MAC_LENGTH = (3 << 28) /* TagType:UINT */ | 8, MIN_MAC_LENGTH = TagType.UINT | 8, // Tag 9 reserved Loading @@ -159,7 +155,7 @@ enum Tag { * * Must be hardware-enforced. */ EC_CURVE = (1 << 28) /* TagType:ENUM */ | 10, EC_CURVE = TagType.ENUM | 10, /** * Tag::RSA_PUBLIC_EXPONENT specifies the value of the public exponent for an RSA key pair. Loading @@ -173,7 +169,7 @@ enum Tag { * * Must be hardware-enforced. */ RSA_PUBLIC_EXPONENT = (5 << 28) /* TagType:ULONG */ | 200, RSA_PUBLIC_EXPONENT = TagType.ULONG | 200, // Tag 201 reserved Loading @@ -184,7 +180,7 @@ enum Tag { * * Must be hardware-enforced. */ INCLUDE_UNIQUE_ID = (7 << 28) /* TagType:BOOL */ | 202, INCLUDE_UNIQUE_ID = TagType.BOOL | 202, /** * Tag::RSA_OAEP_MGF_DIGEST specifies the MGF1 digest algorithms that may be used with RSA Loading @@ -197,7 +193,7 @@ enum Tag { * * Must be hardware-enforced. */ RSA_OAEP_MGF_DIGEST = (2 << 28) /* TagType:ENUM_REP */ | 203, RSA_OAEP_MGF_DIGEST = TagType.ENUM_REP | 203, // Tag 301 reserved Loading @@ -209,7 +205,7 @@ enum Tag { * * Must be hardware-enforced. */ BOOTLOADER_ONLY = (7 << 28) /* TagType:BOOL */ | 302, BOOTLOADER_ONLY = TagType.BOOL | 302, /** * Tag::ROLLBACK_RESISTANCE specifies that the key has rollback resistance, meaning that when Loading @@ -224,10 +220,10 @@ enum Tag { * * Must be hardware-enforced. */ ROLLBACK_RESISTANCE = (7 << 28) /* TagType:BOOL */ | 303, ROLLBACK_RESISTANCE = TagType.BOOL | 303, // Reserved for future use. HARDWARE_TYPE = (1 << 28) /* TagType:ENUM */ | 304, HARDWARE_TYPE = TagType.ENUM | 304, /** * Keys tagged with EARLY_BOOT_ONLY may only be used during early boot, until Loading @@ -236,7 +232,7 @@ enum Tag { * provided to IKeyMintDevice::importKey, the import must fail with * ErrorCode::EARLY_BOOT_ENDED. */ EARLY_BOOT_ONLY = (7 << 28) /* TagType:BOOL */ | 305, EARLY_BOOT_ONLY = TagType.BOOL | 305, /** * Tag::ACTIVE_DATETIME specifies the date and time at which the key becomes active, in Loading @@ -245,7 +241,7 @@ enum Tag { * * Need not be hardware-enforced. */ ACTIVE_DATETIME = (6 << 28) /* TagType:DATE */ | 400, ACTIVE_DATETIME = TagType.DATE | 400, /** * Tag::ORIGINATION_EXPIRE_DATETIME specifies the date and time at which the key expires for Loading @@ -257,7 +253,7 @@ enum Tag { * * Need not be hardware-enforced. */ ORIGINATION_EXPIRE_DATETIME = (6 << 28) /* TagType:DATE */ | 401, ORIGINATION_EXPIRE_DATETIME = TagType.DATE | 401, /** * Tag::USAGE_EXPIRE_DATETIME specifies the date and time at which the key expires for Loading @@ -269,7 +265,7 @@ enum Tag { * * Need not be hardware-enforced. */ USAGE_EXPIRE_DATETIME = (6 << 28) /* TagType:DATE */ | 402, USAGE_EXPIRE_DATETIME = TagType.DATE | 402, /** * TODO(seleneh) this tag need to be deleted. Loading @@ -296,7 +292,7 @@ enum Tag { * * TODO(b/191738660): Remove in KeyMint V2. Currently only used for FDE. */ MIN_SECONDS_BETWEEN_OPS = (3 << 28) /* TagType:UINT */ | 403, MIN_SECONDS_BETWEEN_OPS = TagType.UINT | 403, /** * Tag::MAX_USES_PER_BOOT specifies the maximum number of times that a key may be used between Loading @@ -316,7 +312,7 @@ enum Tag { * * Must be hardware-enforced. */ MAX_USES_PER_BOOT = (3 << 28) /* TagType:UINT */ | 404, MAX_USES_PER_BOOT = TagType.UINT | 404, /** * Tag::USAGE_COUNT_LIMIT specifies the number of times that a key may be used. This can be Loading Loading @@ -345,14 +341,14 @@ enum Tag { * record. This tag must have the same SecurityLevel as the tag that is added to the key * characteristics. */ USAGE_COUNT_LIMIT = (3 << 28) | 405, /* TagType:UINT */ USAGE_COUNT_LIMIT = TagType.UINT | 405, /** * Tag::USER_ID specifies the ID of the Android user that is permitted to use the key. * * Must not be hardware-enforced. */ USER_ID = (3 << 28) /* TagType:UINT */ | 501, USER_ID = TagType.UINT | 501, /** * Tag::USER_SECURE_ID specifies that a key may only be used under a particular secure user Loading Loading @@ -385,7 +381,7 @@ enum Tag { * * Must be hardware-enforced. */ USER_SECURE_ID = (10 << 28) /* TagType:ULONG_REP */ | 502, USER_SECURE_ID = TagType.ULONG_REP | 502, /** * Tag::NO_AUTH_REQUIRED specifies that no authentication is required to use this key. This tag Loading @@ -393,7 +389,7 @@ enum Tag { * * Must be hardware-enforced. */ NO_AUTH_REQUIRED = (7 << 28) /* TagType:BOOL */ | 503, NO_AUTH_REQUIRED = TagType.BOOL | 503, /** * Tag::USER_AUTH_TYPE specifies the types of user authenticators that may be used to authorize Loading @@ -412,7 +408,7 @@ enum Tag { * * Must be hardware-enforced. */ USER_AUTH_TYPE = (1 << 28) /* TagType:ENUM */ | 504, USER_AUTH_TYPE = TagType.ENUM | 504, /** * Tag::AUTH_TIMEOUT specifies the time in seconds for which the key is authorized for use, Loading @@ -426,7 +422,7 @@ enum Tag { * * Must be hardware-enforced. */ AUTH_TIMEOUT = (3 << 28) /* TagType:UINT */ | 505, AUTH_TIMEOUT = TagType.UINT | 505, /** * Tag::ALLOW_WHILE_ON_BODY specifies that the key may be used after authentication timeout if Loading @@ -434,7 +430,7 @@ enum Tag { * * Cannot be hardware-enforced. */ ALLOW_WHILE_ON_BODY = (7 << 28) /* TagType:BOOL */ | 506, ALLOW_WHILE_ON_BODY = TagType.BOOL | 506, /** * TRUSTED_USER_PRESENCE_REQUIRED is an optional feature that specifies that this key must be Loading Loading @@ -481,7 +477,7 @@ enum Tag { * * Must be hardware-enforced. */ TRUSTED_USER_PRESENCE_REQUIRED = (7 << 28) /* TagType:BOOL */ | 507, TRUSTED_USER_PRESENCE_REQUIRED = TagType.BOOL | 507, /** * Tag::TRUSTED_CONFIRMATION_REQUIRED is only applicable to keys with KeyPurpose SIGN, and Loading @@ -495,7 +491,7 @@ enum Tag { * * Must be hardware-enforced. */ TRUSTED_CONFIRMATION_REQUIRED = (7 << 28) /* TagType:BOOL */ | 508, TRUSTED_CONFIRMATION_REQUIRED = TagType.BOOL | 508, /** * Tag::UNLOCKED_DEVICE_REQUIRED specifies that the key may only be used when the device is Loading @@ -505,7 +501,7 @@ enum Tag { * Must be hardware-enforced (but is also keystore-enforced on a per-user basis: see the * deviceLocked() documentation). */ UNLOCKED_DEVICE_REQUIRED = (7 << 28) /* TagType:BOOL */ | 509, UNLOCKED_DEVICE_REQUIRED = TagType.BOOL | 509, /** * Tag::APPLICATION_ID. When provided to generateKey or importKey, this tag specifies data Loading @@ -521,7 +517,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ APPLICATION_ID = (9 << 28) /* TagType:BYTES */ | 601, APPLICATION_ID = TagType.BYTES | 601, /* * Semantically unenforceable tags, either because they have no specific meaning or because Loading @@ -542,7 +538,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ APPLICATION_DATA = (9 << 28) /* TagType:BYTES */ | 700, APPLICATION_DATA = TagType.BYTES | 700, /** * Tag::CREATION_DATETIME specifies the date and time the key was created, in milliseconds since Loading @@ -550,7 +546,7 @@ enum Tag { * * Must be in the software-enforced list, if provided. */ CREATION_DATETIME = (6 << 28) /* TagType:DATE */ | 701, CREATION_DATETIME = TagType.DATE | 701, /** * Tag::ORIGIN specifies where the key was created, if known. This tag must not be specified Loading @@ -559,7 +555,7 @@ enum Tag { * * Must be hardware-enforced. */ ORIGIN = (1 << 28) /* TagType:ENUM */ | 702, ORIGIN = TagType.ENUM | 702, // 703 is unused. Loading @@ -571,7 +567,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ ROOT_OF_TRUST = (9 << 28) /* TagType:BYTES */ | 704, ROOT_OF_TRUST = TagType.BYTES | 704, /** * Tag::OS_VERSION specifies the system OS version with which the key may be used. This tag is Loading @@ -594,7 +590,7 @@ enum Tag { * * Must be hardware-enforced. */ OS_VERSION = (3 << 28) /* TagType:UINT */ | 705, OS_VERSION = TagType.UINT | 705, /** * Tag::OS_PATCHLEVEL specifies the system security patch level with which the key may be used. Loading @@ -615,7 +611,7 @@ enum Tag { * * Must be hardware-enforced. */ OS_PATCHLEVEL = (3 << 28) /* TagType:UINT */ | 706, OS_PATCHLEVEL = TagType.UINT | 706, /** * Tag::UNIQUE_ID specifies a unique, time-based identifier. This tag is never provided to or Loading Loading @@ -650,7 +646,7 @@ enum Tag { * * Must be hardware-enforced. */ UNIQUE_ID = (9 << 28) /* TagType:BYTES */ | 707, UNIQUE_ID = TagType.BYTES | 707, /** * Tag::ATTESTATION_CHALLENGE is used to deliver a "challenge" value to the attested key Loading @@ -659,7 +655,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ ATTESTATION_CHALLENGE = (9 << 28) /* TagType:BYTES */ | 708, ATTESTATION_CHALLENGE = TagType.BYTES | 708, /** * Tag::ATTESTATION_APPLICATION_ID identifies the set of applications which may use a key, used Loading @@ -685,7 +681,7 @@ enum Tag { * * Cannot be hardware-enforced. */ ATTESTATION_APPLICATION_ID = (9 << 28) /* TagType:BYTES */ | 709, ATTESTATION_APPLICATION_ID = TagType.BYTES | 709, /** * Tag::ATTESTATION_ID_BRAND provides the device's brand name, as returned by Build.BRAND in Loading @@ -698,7 +694,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ ATTESTATION_ID_BRAND = (9 << 28) /* TagType:BYTES */ | 710, ATTESTATION_ID_BRAND = TagType.BYTES | 710, /** * Tag::ATTESTATION_ID_DEVICE provides the device's device name, as returned by Build.DEVICE in Loading @@ -711,7 +707,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ ATTESTATION_ID_DEVICE = (9 << 28) /* TagType:BYTES */ | 711, ATTESTATION_ID_DEVICE = TagType.BYTES | 711, /** * Tag::ATTESTATION_ID_PRODUCT provides the device's product name, as returned by Build.PRODUCT Loading @@ -724,7 +720,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ ATTESTATION_ID_PRODUCT = (9 << 28) /* TagType:BYTES */ | 712, ATTESTATION_ID_PRODUCT = TagType.BYTES | 712, /** * Tag::ATTESTATION_ID_SERIAL the device's serial number. This field must be set only when Loading @@ -736,7 +732,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ ATTESTATION_ID_SERIAL = (9 << 28) /* TagType:BYTES */ | 713, ATTESTATION_ID_SERIAL = TagType.BYTES | 713, /** * Tag::ATTESTATION_ID_IMEI provides the IMEIs for all radios on the device to attested key Loading @@ -749,7 +745,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ ATTESTATION_ID_IMEI = (9 << 28) /* TagType:BYTES */ | 714, ATTESTATION_ID_IMEI = TagType.BYTES | 714, /** * Tag::ATTESTATION_ID_MEID provides the MEIDs for all radios on the device to attested key Loading @@ -762,7 +758,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ ATTESTATION_ID_MEID = (9 << 28) /* TagType:BYTES */ | 715, ATTESTATION_ID_MEID = TagType.BYTES | 715, /** * Tag::ATTESTATION_ID_MANUFACTURER provides the device's manufacturer name, as returned by Loading @@ -775,7 +771,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ ATTESTATION_ID_MANUFACTURER = (9 << 28) /* TagType:BYTES */ | 716, ATTESTATION_ID_MANUFACTURER = TagType.BYTES | 716, /** * Tag::ATTESTATION_ID_MODEL provides the device's model name, as returned by Build.MODEL in Loading @@ -788,7 +784,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ ATTESTATION_ID_MODEL = (9 << 28) /* TagType:BYTES */ | 717, ATTESTATION_ID_MODEL = TagType.BYTES | 717, /** * Tag::VENDOR_PATCHLEVEL specifies the vendor image security patch level with which the key may Loading @@ -810,7 +806,7 @@ enum Tag { * * Must be hardware-enforced. */ VENDOR_PATCHLEVEL = (3 << 28) /* TagType:UINT */ | 718, VENDOR_PATCHLEVEL = TagType.UINT | 718, /** * Tag::BOOT_PATCHLEVEL specifies the boot image (kernel) security patch level with which the Loading @@ -830,7 +826,7 @@ enum Tag { * * Must be hardware-enforced. */ BOOT_PATCHLEVEL = (3 << 28) /* TagType:UINT */ | 719, BOOT_PATCHLEVEL = TagType.UINT | 719, /** * DEVICE_UNIQUE_ATTESTATION is an argument to IKeyMintDevice::attested key generation/import Loading @@ -856,7 +852,7 @@ enum Tag { * IKeyMintDevice implementations that support device-unique attestation MUST add the * DEVICE_UNIQUE_ATTESTATION tag to device-unique attestations. */ DEVICE_UNIQUE_ATTESTATION = (7 << 28) /* TagType:BOOL */ | 720, DEVICE_UNIQUE_ATTESTATION = TagType.BOOL | 720, /** * IDENTITY_CREDENTIAL_KEY is never used by IKeyMintDevice, is not a valid argument to key Loading @@ -864,7 +860,7 @@ enum Tag { * attestation. It is used in attestations produced by the IIdentityCredential HAL when that * HAL attests to Credential Keys. IIdentityCredential produces KeyMint-style attestations. */ IDENTITY_CREDENTIAL_KEY = (7 << 28) /* TagType:BOOL */ | 721, IDENTITY_CREDENTIAL_KEY = TagType.BOOL | 721, /** * To prevent keys from being compromised if an attacker acquires read access to system / kernel Loading @@ -882,13 +878,13 @@ enum Tag { * ErrorCode::INVALID_OPERATION is returned when a key with Tag::STORAGE_KEY is provided to * begin(). */ STORAGE_KEY = (7 << 28) /* TagType:BOOL */ | 722, STORAGE_KEY = TagType.BOOL | 722, /** * OBSOLETE: Do not use. See IKeyMintOperation.updateAad instead. * TODO(b/191738660): Remove in KeyMint v2. */ ASSOCIATED_DATA = (9 << 28) /* TagType:BYTES */ | 1000, ASSOCIATED_DATA = TagType.BYTES | 1000, /** * Tag::NONCE is used to provide or return a nonce or Initialization Vector (IV) for AES-GCM, Loading @@ -903,7 +899,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ NONCE = (9 << 28) /* TagType:BYTES */ | 1001, NONCE = TagType.BYTES | 1001, /** * Tag::MAC_LENGTH provides the requested length of a MAC or GCM authentication tag, in bits. Loading @@ -914,7 +910,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ MAC_LENGTH = (3 << 28) /* TagType:UINT */ | 1003, MAC_LENGTH = TagType.UINT | 1003, /** * Tag::RESET_SINCE_ID_ROTATION specifies whether the device has been factory reset since the Loading @@ -922,7 +918,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ RESET_SINCE_ID_ROTATION = (7 << 28) /* TagType:BOOL */ | 1004, RESET_SINCE_ID_ROTATION = TagType.BOOL | 1004, /** * OBSOLETE: Do not use. See the authToken parameter for IKeyMintDevice::begin and for Loading @@ -930,7 +926,7 @@ enum Tag { * * TODO(b/191738660): Delete when keystore1 is deleted. */ CONFIRMATION_TOKEN = (9 << 28) /* TagType:BYTES */ | 1005, CONFIRMATION_TOKEN = TagType.BYTES | 1005, /** * Tag::CERTIFICATE_SERIAL specifies the serial number to be assigned to the attestation Loading @@ -938,7 +934,7 @@ enum Tag { * keyMint in the attestation parameters during generateKey() and importKey(). If not provided, * the serial shall default to 1. */ CERTIFICATE_SERIAL = (8 << 28) /* TagType:BIGNUM */ | 1006, CERTIFICATE_SERIAL = TagType.BIGNUM | 1006, /** * Tag::CERTIFICATE_SUBJECT the certificate subject. The value is a DER encoded X509 NAME. Loading @@ -946,7 +942,7 @@ enum Tag { * during generateKey and importKey. If not provided the subject name shall default to * CN="Android Keystore Key". */ CERTIFICATE_SUBJECT = (9 << 28) /* TagType:BYTES */ | 1007, CERTIFICATE_SUBJECT = TagType.BYTES | 1007, /** * Tag::CERTIFICATE_NOT_BEFORE the beginning of the validity of the certificate in UNIX epoch Loading @@ -954,7 +950,7 @@ enum Tag { * certificates. ErrorCode::MISSING_NOT_BEFORE must be returned if this tag is not provided if * this tag is not provided to generateKey or importKey. */ CERTIFICATE_NOT_BEFORE = (6 << 28) /* TagType:DATE */ | 1008, CERTIFICATE_NOT_BEFORE = TagType.DATE | 1008, /** * Tag::CERTIFICATE_NOT_AFTER the end of the validity of the certificate in UNIX epoch time in Loading @@ -962,7 +958,7 @@ enum Tag { * ErrorCode::MISSING_NOT_AFTER must be returned if this tag is not provided to generateKey or * importKey. */ CERTIFICATE_NOT_AFTER = (6 << 28) /* TagType:DATE */ | 1009, CERTIFICATE_NOT_AFTER = TagType.DATE | 1009, /** * Tag::MAX_BOOT_LEVEL specifies a maximum boot level at which a key should function. Loading @@ -973,5 +969,5 @@ enum Tag { * * Cannot be hardware enforced in this version. */ MAX_BOOT_LEVEL = (3 << 28) /* TagType:UINT */ | 1010, MAX_BOOT_LEVEL = TagType.UINT | 1010, } Loading
security/keymint/aidl/android/hardware/security/keymint/Tag.aidl +65 −69 Original line number Diff line number Diff line Loading @@ -18,10 +18,6 @@ package android.hardware.security.keymint; import android.hardware.security.keymint.TagType; // TODO(seleneh) : note aidl currently does not support double nested enum definitions such as // ROOT_OF_TRUST = TagType:BYTES | 704. So we are forced to write definitions as // ROOT_OF_TRUST = (9 << 28) for now. Will need to flip this back later when aidl support is added. /** * Tag specifies various kinds of tags that can be set in KeyParameter to identify what kind of * data are stored in KeyParameter. Loading @@ -33,7 +29,7 @@ enum Tag { /** * Tag::INVALID should never be set. It means you hit an error. */ INVALID = (0 << 28) | 0, INVALID = 0, /** * Tag::PURPOSE specifies the set of purposes for which the key may be used. Possible values Loading @@ -47,7 +43,7 @@ enum Tag { * * Must be hardware-enforced. */ PURPOSE = (2 << 28) /* TagType:ENUM_REP */ | 1, PURPOSE = TagType.ENUM_REP | 1, /** * Tag::ALGORITHM specifies the cryptographic algorithm with which the key is used. This tag Loading @@ -56,7 +52,7 @@ enum Tag { * * Must be hardware-enforced. */ ALGORITHM = (1 << 28) /* TagType:ENUM */ | 2, ALGORITHM = TagType.ENUM | 2, /** * Tag::KEY_SIZE specifies the size, in bits, of the key, measuring in the normal way for the Loading @@ -68,7 +64,7 @@ enum Tag { * * Must be hardware-enforced. */ KEY_SIZE = (3 << 28) /* TagType:UINT */ | 3, KEY_SIZE = TagType.UINT | 3, /** * Tag::BLOCK_MODE specifies the block cipher mode(s) with which the key may be used. This tag Loading @@ -81,7 +77,7 @@ enum Tag { * * Must be hardware-enforced. */ BLOCK_MODE = (2 << 28) /* TagType:ENUM_REP */ | 4, BLOCK_MODE = TagType.ENUM_REP | 4, /** * Tag::DIGEST specifies the digest algorithms that may be used with the key to perform signing Loading @@ -95,7 +91,7 @@ enum Tag { * * Must be hardware-enforced. */ DIGEST = (2 << 28) /* TagType:ENUM_REP */ | 5, DIGEST = TagType.ENUM_REP | 5, /** * Tag::PADDING specifies the padding modes that may be used with the key. This tag is relevant Loading Loading @@ -123,7 +119,7 @@ enum Tag { * * Must be hardware-enforced. */ PADDING = (2 << 28) /* TagType:ENUM_REP */ | 6, PADDING = TagType.ENUM_REP | 6, /** * Tag::CALLER_NONCE specifies that the caller can provide a nonce for nonce-requiring Loading @@ -136,7 +132,7 @@ enum Tag { * * Must be hardware-enforced. */ CALLER_NONCE = (7 << 28) /* TagType:BOOL */ | 7, CALLER_NONCE = TagType.BOOL | 7, /** * Tag::MIN_MAC_LENGTH specifies the minimum length of MAC that can be requested or verified Loading @@ -149,7 +145,7 @@ enum Tag { * * Must be hardware-enforced. */ MIN_MAC_LENGTH = (3 << 28) /* TagType:UINT */ | 8, MIN_MAC_LENGTH = TagType.UINT | 8, // Tag 9 reserved Loading @@ -159,7 +155,7 @@ enum Tag { * * Must be hardware-enforced. */ EC_CURVE = (1 << 28) /* TagType:ENUM */ | 10, EC_CURVE = TagType.ENUM | 10, /** * Tag::RSA_PUBLIC_EXPONENT specifies the value of the public exponent for an RSA key pair. Loading @@ -173,7 +169,7 @@ enum Tag { * * Must be hardware-enforced. */ RSA_PUBLIC_EXPONENT = (5 << 28) /* TagType:ULONG */ | 200, RSA_PUBLIC_EXPONENT = TagType.ULONG | 200, // Tag 201 reserved Loading @@ -184,7 +180,7 @@ enum Tag { * * Must be hardware-enforced. */ INCLUDE_UNIQUE_ID = (7 << 28) /* TagType:BOOL */ | 202, INCLUDE_UNIQUE_ID = TagType.BOOL | 202, /** * Tag::RSA_OAEP_MGF_DIGEST specifies the MGF1 digest algorithms that may be used with RSA Loading @@ -197,7 +193,7 @@ enum Tag { * * Must be hardware-enforced. */ RSA_OAEP_MGF_DIGEST = (2 << 28) /* TagType:ENUM_REP */ | 203, RSA_OAEP_MGF_DIGEST = TagType.ENUM_REP | 203, // Tag 301 reserved Loading @@ -209,7 +205,7 @@ enum Tag { * * Must be hardware-enforced. */ BOOTLOADER_ONLY = (7 << 28) /* TagType:BOOL */ | 302, BOOTLOADER_ONLY = TagType.BOOL | 302, /** * Tag::ROLLBACK_RESISTANCE specifies that the key has rollback resistance, meaning that when Loading @@ -224,10 +220,10 @@ enum Tag { * * Must be hardware-enforced. */ ROLLBACK_RESISTANCE = (7 << 28) /* TagType:BOOL */ | 303, ROLLBACK_RESISTANCE = TagType.BOOL | 303, // Reserved for future use. HARDWARE_TYPE = (1 << 28) /* TagType:ENUM */ | 304, HARDWARE_TYPE = TagType.ENUM | 304, /** * Keys tagged with EARLY_BOOT_ONLY may only be used during early boot, until Loading @@ -236,7 +232,7 @@ enum Tag { * provided to IKeyMintDevice::importKey, the import must fail with * ErrorCode::EARLY_BOOT_ENDED. */ EARLY_BOOT_ONLY = (7 << 28) /* TagType:BOOL */ | 305, EARLY_BOOT_ONLY = TagType.BOOL | 305, /** * Tag::ACTIVE_DATETIME specifies the date and time at which the key becomes active, in Loading @@ -245,7 +241,7 @@ enum Tag { * * Need not be hardware-enforced. */ ACTIVE_DATETIME = (6 << 28) /* TagType:DATE */ | 400, ACTIVE_DATETIME = TagType.DATE | 400, /** * Tag::ORIGINATION_EXPIRE_DATETIME specifies the date and time at which the key expires for Loading @@ -257,7 +253,7 @@ enum Tag { * * Need not be hardware-enforced. */ ORIGINATION_EXPIRE_DATETIME = (6 << 28) /* TagType:DATE */ | 401, ORIGINATION_EXPIRE_DATETIME = TagType.DATE | 401, /** * Tag::USAGE_EXPIRE_DATETIME specifies the date and time at which the key expires for Loading @@ -269,7 +265,7 @@ enum Tag { * * Need not be hardware-enforced. */ USAGE_EXPIRE_DATETIME = (6 << 28) /* TagType:DATE */ | 402, USAGE_EXPIRE_DATETIME = TagType.DATE | 402, /** * TODO(seleneh) this tag need to be deleted. Loading @@ -296,7 +292,7 @@ enum Tag { * * TODO(b/191738660): Remove in KeyMint V2. Currently only used for FDE. */ MIN_SECONDS_BETWEEN_OPS = (3 << 28) /* TagType:UINT */ | 403, MIN_SECONDS_BETWEEN_OPS = TagType.UINT | 403, /** * Tag::MAX_USES_PER_BOOT specifies the maximum number of times that a key may be used between Loading @@ -316,7 +312,7 @@ enum Tag { * * Must be hardware-enforced. */ MAX_USES_PER_BOOT = (3 << 28) /* TagType:UINT */ | 404, MAX_USES_PER_BOOT = TagType.UINT | 404, /** * Tag::USAGE_COUNT_LIMIT specifies the number of times that a key may be used. This can be Loading Loading @@ -345,14 +341,14 @@ enum Tag { * record. This tag must have the same SecurityLevel as the tag that is added to the key * characteristics. */ USAGE_COUNT_LIMIT = (3 << 28) | 405, /* TagType:UINT */ USAGE_COUNT_LIMIT = TagType.UINT | 405, /** * Tag::USER_ID specifies the ID of the Android user that is permitted to use the key. * * Must not be hardware-enforced. */ USER_ID = (3 << 28) /* TagType:UINT */ | 501, USER_ID = TagType.UINT | 501, /** * Tag::USER_SECURE_ID specifies that a key may only be used under a particular secure user Loading Loading @@ -385,7 +381,7 @@ enum Tag { * * Must be hardware-enforced. */ USER_SECURE_ID = (10 << 28) /* TagType:ULONG_REP */ | 502, USER_SECURE_ID = TagType.ULONG_REP | 502, /** * Tag::NO_AUTH_REQUIRED specifies that no authentication is required to use this key. This tag Loading @@ -393,7 +389,7 @@ enum Tag { * * Must be hardware-enforced. */ NO_AUTH_REQUIRED = (7 << 28) /* TagType:BOOL */ | 503, NO_AUTH_REQUIRED = TagType.BOOL | 503, /** * Tag::USER_AUTH_TYPE specifies the types of user authenticators that may be used to authorize Loading @@ -412,7 +408,7 @@ enum Tag { * * Must be hardware-enforced. */ USER_AUTH_TYPE = (1 << 28) /* TagType:ENUM */ | 504, USER_AUTH_TYPE = TagType.ENUM | 504, /** * Tag::AUTH_TIMEOUT specifies the time in seconds for which the key is authorized for use, Loading @@ -426,7 +422,7 @@ enum Tag { * * Must be hardware-enforced. */ AUTH_TIMEOUT = (3 << 28) /* TagType:UINT */ | 505, AUTH_TIMEOUT = TagType.UINT | 505, /** * Tag::ALLOW_WHILE_ON_BODY specifies that the key may be used after authentication timeout if Loading @@ -434,7 +430,7 @@ enum Tag { * * Cannot be hardware-enforced. */ ALLOW_WHILE_ON_BODY = (7 << 28) /* TagType:BOOL */ | 506, ALLOW_WHILE_ON_BODY = TagType.BOOL | 506, /** * TRUSTED_USER_PRESENCE_REQUIRED is an optional feature that specifies that this key must be Loading Loading @@ -481,7 +477,7 @@ enum Tag { * * Must be hardware-enforced. */ TRUSTED_USER_PRESENCE_REQUIRED = (7 << 28) /* TagType:BOOL */ | 507, TRUSTED_USER_PRESENCE_REQUIRED = TagType.BOOL | 507, /** * Tag::TRUSTED_CONFIRMATION_REQUIRED is only applicable to keys with KeyPurpose SIGN, and Loading @@ -495,7 +491,7 @@ enum Tag { * * Must be hardware-enforced. */ TRUSTED_CONFIRMATION_REQUIRED = (7 << 28) /* TagType:BOOL */ | 508, TRUSTED_CONFIRMATION_REQUIRED = TagType.BOOL | 508, /** * Tag::UNLOCKED_DEVICE_REQUIRED specifies that the key may only be used when the device is Loading @@ -505,7 +501,7 @@ enum Tag { * Must be hardware-enforced (but is also keystore-enforced on a per-user basis: see the * deviceLocked() documentation). */ UNLOCKED_DEVICE_REQUIRED = (7 << 28) /* TagType:BOOL */ | 509, UNLOCKED_DEVICE_REQUIRED = TagType.BOOL | 509, /** * Tag::APPLICATION_ID. When provided to generateKey or importKey, this tag specifies data Loading @@ -521,7 +517,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ APPLICATION_ID = (9 << 28) /* TagType:BYTES */ | 601, APPLICATION_ID = TagType.BYTES | 601, /* * Semantically unenforceable tags, either because they have no specific meaning or because Loading @@ -542,7 +538,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ APPLICATION_DATA = (9 << 28) /* TagType:BYTES */ | 700, APPLICATION_DATA = TagType.BYTES | 700, /** * Tag::CREATION_DATETIME specifies the date and time the key was created, in milliseconds since Loading @@ -550,7 +546,7 @@ enum Tag { * * Must be in the software-enforced list, if provided. */ CREATION_DATETIME = (6 << 28) /* TagType:DATE */ | 701, CREATION_DATETIME = TagType.DATE | 701, /** * Tag::ORIGIN specifies where the key was created, if known. This tag must not be specified Loading @@ -559,7 +555,7 @@ enum Tag { * * Must be hardware-enforced. */ ORIGIN = (1 << 28) /* TagType:ENUM */ | 702, ORIGIN = TagType.ENUM | 702, // 703 is unused. Loading @@ -571,7 +567,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ ROOT_OF_TRUST = (9 << 28) /* TagType:BYTES */ | 704, ROOT_OF_TRUST = TagType.BYTES | 704, /** * Tag::OS_VERSION specifies the system OS version with which the key may be used. This tag is Loading @@ -594,7 +590,7 @@ enum Tag { * * Must be hardware-enforced. */ OS_VERSION = (3 << 28) /* TagType:UINT */ | 705, OS_VERSION = TagType.UINT | 705, /** * Tag::OS_PATCHLEVEL specifies the system security patch level with which the key may be used. Loading @@ -615,7 +611,7 @@ enum Tag { * * Must be hardware-enforced. */ OS_PATCHLEVEL = (3 << 28) /* TagType:UINT */ | 706, OS_PATCHLEVEL = TagType.UINT | 706, /** * Tag::UNIQUE_ID specifies a unique, time-based identifier. This tag is never provided to or Loading Loading @@ -650,7 +646,7 @@ enum Tag { * * Must be hardware-enforced. */ UNIQUE_ID = (9 << 28) /* TagType:BYTES */ | 707, UNIQUE_ID = TagType.BYTES | 707, /** * Tag::ATTESTATION_CHALLENGE is used to deliver a "challenge" value to the attested key Loading @@ -659,7 +655,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ ATTESTATION_CHALLENGE = (9 << 28) /* TagType:BYTES */ | 708, ATTESTATION_CHALLENGE = TagType.BYTES | 708, /** * Tag::ATTESTATION_APPLICATION_ID identifies the set of applications which may use a key, used Loading @@ -685,7 +681,7 @@ enum Tag { * * Cannot be hardware-enforced. */ ATTESTATION_APPLICATION_ID = (9 << 28) /* TagType:BYTES */ | 709, ATTESTATION_APPLICATION_ID = TagType.BYTES | 709, /** * Tag::ATTESTATION_ID_BRAND provides the device's brand name, as returned by Build.BRAND in Loading @@ -698,7 +694,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ ATTESTATION_ID_BRAND = (9 << 28) /* TagType:BYTES */ | 710, ATTESTATION_ID_BRAND = TagType.BYTES | 710, /** * Tag::ATTESTATION_ID_DEVICE provides the device's device name, as returned by Build.DEVICE in Loading @@ -711,7 +707,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ ATTESTATION_ID_DEVICE = (9 << 28) /* TagType:BYTES */ | 711, ATTESTATION_ID_DEVICE = TagType.BYTES | 711, /** * Tag::ATTESTATION_ID_PRODUCT provides the device's product name, as returned by Build.PRODUCT Loading @@ -724,7 +720,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ ATTESTATION_ID_PRODUCT = (9 << 28) /* TagType:BYTES */ | 712, ATTESTATION_ID_PRODUCT = TagType.BYTES | 712, /** * Tag::ATTESTATION_ID_SERIAL the device's serial number. This field must be set only when Loading @@ -736,7 +732,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ ATTESTATION_ID_SERIAL = (9 << 28) /* TagType:BYTES */ | 713, ATTESTATION_ID_SERIAL = TagType.BYTES | 713, /** * Tag::ATTESTATION_ID_IMEI provides the IMEIs for all radios on the device to attested key Loading @@ -749,7 +745,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ ATTESTATION_ID_IMEI = (9 << 28) /* TagType:BYTES */ | 714, ATTESTATION_ID_IMEI = TagType.BYTES | 714, /** * Tag::ATTESTATION_ID_MEID provides the MEIDs for all radios on the device to attested key Loading @@ -762,7 +758,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ ATTESTATION_ID_MEID = (9 << 28) /* TagType:BYTES */ | 715, ATTESTATION_ID_MEID = TagType.BYTES | 715, /** * Tag::ATTESTATION_ID_MANUFACTURER provides the device's manufacturer name, as returned by Loading @@ -775,7 +771,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ ATTESTATION_ID_MANUFACTURER = (9 << 28) /* TagType:BYTES */ | 716, ATTESTATION_ID_MANUFACTURER = TagType.BYTES | 716, /** * Tag::ATTESTATION_ID_MODEL provides the device's model name, as returned by Build.MODEL in Loading @@ -788,7 +784,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ ATTESTATION_ID_MODEL = (9 << 28) /* TagType:BYTES */ | 717, ATTESTATION_ID_MODEL = TagType.BYTES | 717, /** * Tag::VENDOR_PATCHLEVEL specifies the vendor image security patch level with which the key may Loading @@ -810,7 +806,7 @@ enum Tag { * * Must be hardware-enforced. */ VENDOR_PATCHLEVEL = (3 << 28) /* TagType:UINT */ | 718, VENDOR_PATCHLEVEL = TagType.UINT | 718, /** * Tag::BOOT_PATCHLEVEL specifies the boot image (kernel) security patch level with which the Loading @@ -830,7 +826,7 @@ enum Tag { * * Must be hardware-enforced. */ BOOT_PATCHLEVEL = (3 << 28) /* TagType:UINT */ | 719, BOOT_PATCHLEVEL = TagType.UINT | 719, /** * DEVICE_UNIQUE_ATTESTATION is an argument to IKeyMintDevice::attested key generation/import Loading @@ -856,7 +852,7 @@ enum Tag { * IKeyMintDevice implementations that support device-unique attestation MUST add the * DEVICE_UNIQUE_ATTESTATION tag to device-unique attestations. */ DEVICE_UNIQUE_ATTESTATION = (7 << 28) /* TagType:BOOL */ | 720, DEVICE_UNIQUE_ATTESTATION = TagType.BOOL | 720, /** * IDENTITY_CREDENTIAL_KEY is never used by IKeyMintDevice, is not a valid argument to key Loading @@ -864,7 +860,7 @@ enum Tag { * attestation. It is used in attestations produced by the IIdentityCredential HAL when that * HAL attests to Credential Keys. IIdentityCredential produces KeyMint-style attestations. */ IDENTITY_CREDENTIAL_KEY = (7 << 28) /* TagType:BOOL */ | 721, IDENTITY_CREDENTIAL_KEY = TagType.BOOL | 721, /** * To prevent keys from being compromised if an attacker acquires read access to system / kernel Loading @@ -882,13 +878,13 @@ enum Tag { * ErrorCode::INVALID_OPERATION is returned when a key with Tag::STORAGE_KEY is provided to * begin(). */ STORAGE_KEY = (7 << 28) /* TagType:BOOL */ | 722, STORAGE_KEY = TagType.BOOL | 722, /** * OBSOLETE: Do not use. See IKeyMintOperation.updateAad instead. * TODO(b/191738660): Remove in KeyMint v2. */ ASSOCIATED_DATA = (9 << 28) /* TagType:BYTES */ | 1000, ASSOCIATED_DATA = TagType.BYTES | 1000, /** * Tag::NONCE is used to provide or return a nonce or Initialization Vector (IV) for AES-GCM, Loading @@ -903,7 +899,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ NONCE = (9 << 28) /* TagType:BYTES */ | 1001, NONCE = TagType.BYTES | 1001, /** * Tag::MAC_LENGTH provides the requested length of a MAC or GCM authentication tag, in bits. Loading @@ -914,7 +910,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ MAC_LENGTH = (3 << 28) /* TagType:UINT */ | 1003, MAC_LENGTH = TagType.UINT | 1003, /** * Tag::RESET_SINCE_ID_ROTATION specifies whether the device has been factory reset since the Loading @@ -922,7 +918,7 @@ enum Tag { * * Must never appear in KeyCharacteristics. */ RESET_SINCE_ID_ROTATION = (7 << 28) /* TagType:BOOL */ | 1004, RESET_SINCE_ID_ROTATION = TagType.BOOL | 1004, /** * OBSOLETE: Do not use. See the authToken parameter for IKeyMintDevice::begin and for Loading @@ -930,7 +926,7 @@ enum Tag { * * TODO(b/191738660): Delete when keystore1 is deleted. */ CONFIRMATION_TOKEN = (9 << 28) /* TagType:BYTES */ | 1005, CONFIRMATION_TOKEN = TagType.BYTES | 1005, /** * Tag::CERTIFICATE_SERIAL specifies the serial number to be assigned to the attestation Loading @@ -938,7 +934,7 @@ enum Tag { * keyMint in the attestation parameters during generateKey() and importKey(). If not provided, * the serial shall default to 1. */ CERTIFICATE_SERIAL = (8 << 28) /* TagType:BIGNUM */ | 1006, CERTIFICATE_SERIAL = TagType.BIGNUM | 1006, /** * Tag::CERTIFICATE_SUBJECT the certificate subject. The value is a DER encoded X509 NAME. Loading @@ -946,7 +942,7 @@ enum Tag { * during generateKey and importKey. If not provided the subject name shall default to * CN="Android Keystore Key". */ CERTIFICATE_SUBJECT = (9 << 28) /* TagType:BYTES */ | 1007, CERTIFICATE_SUBJECT = TagType.BYTES | 1007, /** * Tag::CERTIFICATE_NOT_BEFORE the beginning of the validity of the certificate in UNIX epoch Loading @@ -954,7 +950,7 @@ enum Tag { * certificates. ErrorCode::MISSING_NOT_BEFORE must be returned if this tag is not provided if * this tag is not provided to generateKey or importKey. */ CERTIFICATE_NOT_BEFORE = (6 << 28) /* TagType:DATE */ | 1008, CERTIFICATE_NOT_BEFORE = TagType.DATE | 1008, /** * Tag::CERTIFICATE_NOT_AFTER the end of the validity of the certificate in UNIX epoch time in Loading @@ -962,7 +958,7 @@ enum Tag { * ErrorCode::MISSING_NOT_AFTER must be returned if this tag is not provided to generateKey or * importKey. */ CERTIFICATE_NOT_AFTER = (6 << 28) /* TagType:DATE */ | 1009, CERTIFICATE_NOT_AFTER = TagType.DATE | 1009, /** * Tag::MAX_BOOT_LEVEL specifies a maximum boot level at which a key should function. Loading @@ -973,5 +969,5 @@ enum Tag { * * Cannot be hardware enforced in this version. */ MAX_BOOT_LEVEL = (3 << 28) /* TagType:UINT */ | 1010, MAX_BOOT_LEVEL = TagType.UINT | 1010, }
