Merge "Move tag type comments where they belong." am: dd9d98c3 am: 482d670f am: da30da4f

     *

     * Must be hardware-enforced.

     */

    PURPOSE = (2 << 28) | 1, /* TagType:ENUM_REP */

    PURPOSE = (2 << 28) /* TagType:ENUM_REP */ | 1,

    /**

     * Tag::ALGORITHM specifies the cryptographic algorithm with which the key is used.  This tag

     *

     * Must be hardware-enforced.

     */

    ALGORITHM = (1 << 28) | 2, /* TagType:ENUM */

    ALGORITHM = (1 << 28) /* TagType:ENUM */ | 2,

    /**

     * Tag::KEY_SIZE pecifies the size, in bits, of the key, measuring in the normal way for the

     *

     * Must be hardware-enforced.

     */

    KEY_SIZE = (3 << 28) | 3, /* TagType:UINT */

    KEY_SIZE = (3 << 28) /* TagType:UINT */ | 3,

    /**

     * Tag::BLOCK_MODE specifies the block cipher mode(s) with which the key may be used.  This tag

     *

     * Must be hardware-enforced.

     */

    BLOCK_MODE = (2 << 28) | 4,

    /* BlockMode. */ /* TagType:ENUM_REP */

    BLOCK_MODE = (2 << 28) /* TagType:ENUM_REP */ | 4,

    /**

     * Tag::DIGEST specifies the digest algorithms that may be used with the key to perform signing

     *

     * Must be hardware-enforced.

     */

    DIGEST = (2 << 28) | 5, /* TagType:ENUM_REP */

    DIGEST = (2 << 28) /* TagType:ENUM_REP */ | 5,

    /**

     * Tag::PADDING specifies the padding modes that may be used with the key.  This tag is relevant

     *

     * Must be hardware-enforced.

     */

    PADDING = (2 << 28) | 6, /* TagType:ENUM_REP */

    PADDING = (2 << 28) /* TagType:ENUM_REP */ | 6,

    /**

     * Tag::CALLER_NONCE specifies that the caller can provide a nonce for nonce-requiring

     *

     * Must be hardware-enforced.

     */

    CALLER_NONCE = (7 << 28) | 7, /* TagType:BOOL */

    CALLER_NONCE = (7 << 28) /* TagType:BOOL */ | 7,

    /**

     * Tag::MIN_MAC_LENGTH specifies the minimum length of MAC that can be requested or verified

     *

     * Must be hardware-enforced.

     */

    MIN_MAC_LENGTH = (3 << 28) | 8, /* TagType:UINT */

    MIN_MAC_LENGTH = (3 << 28) /* TagType:UINT */ | 8,

    // Tag 9 reserved

     *

     * Must be hardware-enforced.

     */

    EC_CURVE = (1 << 28) | 10, /* TagType:ENUM */

    EC_CURVE = (1 << 28) /* TagType:ENUM */ | 10,

    /**

     * Tag::RSA_PUBLIC_EXPONENT specifies the value of the public exponent for an RSA key pair.

     *

     * Must be hardware-enforced.

     */

    RSA_PUBLIC_EXPONENT = (5 << 28) | 200, /* TagType:ULONG */

    RSA_PUBLIC_EXPONENT = (5 << 28) /* TagType:ULONG */ | 200,

    // Tag 201 reserved

     *

     * Must be hardware-enforced.

     */

    INCLUDE_UNIQUE_ID = (7 << 28) | 202, /* TagType:BOOL */

    INCLUDE_UNIQUE_ID = (7 << 28) /* TagType:BOOL */ | 202,

    /**

     * TODO(seleneh) this tag needs to be deleted from all codes.

     *

     * Must be hardware-enforced.

     */

    BLOB_USAGE_REQUIREMENTS = (1 << 28) | 301, /* TagType:ENUM */

    BLOB_USAGE_REQUIREMENTS = (1 << 28) /* TagType:ENUM */ | 301,

    /**

     * Tag::BOOTLOADER_ONLY specifies only the bootloader can use the key.

     *

     * Must be hardware-enforced.

     */

    BOOTLOADER_ONLY = (7 << 28) | 302, /* TagType:BOOL */

    BOOTLOADER_ONLY = (7 << 28) /* TagType:BOOL */ | 302,

    /**

     * Tag::ROLLBACK_RESISTANCE specifies that the key has rollback resistance, meaning that when

     *

     * Must be hardwared-enforced.

     */

    ROLLBACK_RESISTANCE = (7 << 28) | 303, /* TagType:BOOL */

    ROLLBACK_RESISTANCE = (7 << 28) /* TagType:BOOL */ | 303,

    // Reserved for future use.

    HARDWARE_TYPE = (1 << 28) | 304, /* TagType:ENUM */

    HARDWARE_TYPE = (1 << 28) /* TagType:ENUM */ | 304,

    /**

     * Keys tagged with EARLY_BOOT_ONLY may only be used, or created, during early boot, until

     * IKeyMintDevice::earlyBootEnded() is called.

     */

    EARLY_BOOT_ONLY = (7 << 28) | 305, /* TagType:BOOL */

    EARLY_BOOT_ONLY = (7 << 28) /* TagType:BOOL */ | 305,

    /**

     * Tag::ACTIVE_DATETIME specifies the date and time at which the key becomes active, in

     *

     * Need not be hardware-enforced.

     */

    ACTIVE_DATETIME = (6 << 28) | 400,

    /* Start of validity. */ /* TagType:DATE */

    ACTIVE_DATETIME = (6 << 28) /* TagType:DATE */ | 400,

    /**

     * Tag::ORIGINATION_EXPIRE_DATETIME specifies the date and time at which the key expires for

     *

     * Need not be hardware-enforced.

     */

    ORIGINATION_EXPIRE_DATETIME = (6 << 28) | 401, /* TagType:DATE */

    ORIGINATION_EXPIRE_DATETIME = (6 << 28) /* TagType:DATE */ | 401,

    /**

     * Tag::USAGE_EXPIRE_DATETIME specifies the date and time at which the key expires for

     *

     * Need not be hardware-enforced.

     */

    USAGE_EXPIRE_DATETIME = (6 << 28) | 402, /* TagType:DATE */

    USAGE_EXPIRE_DATETIME = (6 << 28) /* TagType:DATE */ | 402,

    /**

     * TODO(seleneh) this tag need to be deleted.

     *

     * Must be hardware-enforced.

     */

    MIN_SECONDS_BETWEEN_OPS = (3 << 28) | 403, /* TagType:UINT */

    MIN_SECONDS_BETWEEN_OPS = (3 << 28) /* TagType:UINT */ | 403,

    /**

     * Tag::MAX_USES_PER_BOOT specifies the maximum number of times that a key may be used between

     *

     * Must be hardware-enforced.

     */

    MAX_USES_PER_BOOT = (3 << 28) | 404, /* TagType:UINT */

    MAX_USES_PER_BOOT = (3 << 28) /* TagType:UINT */ | 404,

    /**

     * Tag::USER_ID specifies the ID of the Android user that is permitted to use the key.

     *

     * Must not be hardware-enforced.

     */

    USER_ID = (3 << 28) | 501, /* TagType:UINT */

    USER_ID = (3 << 28) /* TagType:UINT */ | 501,

    /**

     * Tag::USER_SECURE_ID specifies that a key may only be used under a particular secure user

     *

     * Must be hardware-enforced.

     */

    USER_SECURE_ID = (10 << 28) | 502, /* TagType:ULONG_REP */

    USER_SECURE_ID = (10 << 28) /* TagType:ULONG_REP */ | 502,

    /**

     * Tag::NO_AUTH_REQUIRED specifies that no authentication is required to use this key.  This tag

     *

     * Must be hardware-enforced.

     */

    NO_AUTH_REQUIRED = (7 << 28) | 503, /* TagType:BOOL */

    NO_AUTH_REQUIRED = (7 << 28) /* TagType:BOOL */ | 503,

    /**

     * Tag::USER_AUTH_TYPE specifies the types of user authenticators that may be used to authorize

     *

     * Must be hardware-enforced.

     */

    USER_AUTH_TYPE = (1 << 28) | 504, /* TagType:ENUM */

    USER_AUTH_TYPE = (1 << 28) /* TagType:ENUM */ | 504,

    /**

     * Tag::AUTH_TIMEOUT specifies the time in seconds for which the key is authorized for use,

     *

     * Must be hardware-enforced.

     */

    AUTH_TIMEOUT = (3 << 28) | 505, /* TagType:UINT */

    AUTH_TIMEOUT = (3 << 28) /* TagType:UINT */ | 505,

    /**

     * Tag::ALLOW_WHILE_ON_BODY specifies that the key may be used after authentication timeout if

     *

     * Cannot be hardware-enforced.

     */

    ALLOW_WHILE_ON_BODY = (7 << 28) | 506, /* TagType:BOOL */

    ALLOW_WHILE_ON_BODY = (7 << 28) /* TagType:BOOL */ | 506,

    /**

     * TRUSTED_USER_PRESENCE_REQUIRED is an optional feature that specifies that this key must be

     *

     * Must be hardware-enforced.

     */

    TRUSTED_USER_PRESENCE_REQUIRED = (7 << 28) | 507, /* TagType:BOOL */

    TRUSTED_USER_PRESENCE_REQUIRED = (7 << 28) /* TagType:BOOL */ | 507,

    /** Tag::TRUSTED_CONFIRMATION_REQUIRED is only applicable to keys with KeyPurpose SIGN, and

     *  specifies that this key must not be usable unless the user provides confirmation of the data

     *

     * Must be hardware-enforced.

     */

    TRUSTED_CONFIRMATION_REQUIRED = (7 << 28) | 508, /* TagType:BOOL */

    TRUSTED_CONFIRMATION_REQUIRED = (7 << 28) /* TagType:BOOL */ | 508,

    /**

     * Tag::UNLOCKED_DEVICE_REQUIRED specifies that the key may only be used when the device is

     *

     * Must be software-enforced.

     */

    UNLOCKED_DEVICE_REQUIRED = (7 << 28) | 509, /* TagType:BOOL */

    UNLOCKED_DEVICE_REQUIRED = (7 << 28) /* TagType:BOOL */ | 509,

    /**

     * Tag::APPLICATION_ID.  When provided to generateKey or importKey, this tag specifies data

     *

     * Must never appear in KeyCharacteristics.

     */

    APPLICATION_ID = (9 << 28) | 601, /* TagType:BYTES */

    APPLICATION_ID = (9 << 28) /* TagType:BYTES */ | 601,

    /*

     * Semantically unenforceable tags, either because they have no specific meaning or because

     *

     * Must never appear in KeyCharacteristics.

     */

    APPLICATION_DATA = (9 << 28) | 700, /* TagType:BYTES */

    APPLICATION_DATA = (9 << 28) /* TagType:BYTES */ | 700,

    /**

     * Tag::CREATION_DATETIME specifies the date and time the key was created, in milliseconds since

     * Tag::CREATED is informational only, and not enforced by anything.  Must be in the

     * software-enforced list, if provided.

     */

    CREATION_DATETIME = (6 << 28) | 701, /* TagType:DATE */

    CREATION_DATETIME = (6 << 28) /* TagType:DATE */ | 701,

    /**

     * Tag::ORIGIN specifies where the key was created, if known.  This tag must not be specified

     *

     * Must be hardware-enforced.

     */

    ORIGIN = (1 << 28) | 702, /* TagType:ENUM */

    ORIGIN = (1 << 28) /* TagType:ENUM */ | 702,

    // 703 is unused.

     *

     * Must never appear in KeyCharacteristics.

     */

    ROOT_OF_TRUST = (9 << 28) | 704, /* TagType:BYTES */

    ROOT_OF_TRUST = (9 << 28) /* TagType:BYTES */ | 704,

    /**

     * Tag::OS_VERSION specifies the system OS version with which the key may be used.  This tag is

     *

     * Must be hardware-enforced.

     */

    OS_VERSION = (3 << 28) | 705, /* TagType:UINT */

    OS_VERSION = (3 << 28) /* TagType:UINT */ | 705,

    /**

     * Tag::OS_PATCHLEVEL specifies the system security patch level with which the key may be used.

     *

     * Must be hardware-enforced.

     */

    OS_PATCHLEVEL = (3 << 28) | 706, /* TagType:UINT */

    OS_PATCHLEVEL = (3 << 28) /* TagType:UINT */ | 706,

    /**

     * Tag::UNIQUE_ID specifies a unique, time-based identifier.  This tag is never provided to or

     *

     * Must be hardware-enforced.

     */

    UNIQUE_ID = (9 << 28) | 707, /* TagType:BYTES */

    UNIQUE_ID = (9 << 28) /* TagType:BYTES */ | 707,

    /**

     * Tag::ATTESTATION_CHALLENGE is used to deliver a "challenge" value to the attestKey() method,

     *

     * Must never appear in KeyCharacteristics.

     */

    ATTESTATION_CHALLENGE = (9 << 28) | 708, /* TagType:BYTES */

    ATTESTATION_CHALLENGE = (9 << 28) /* TagType:BYTES */ | 708,

    /**

     * Tag::ATTESTATION_APPLICATION_ID identifies the set of applications which may use a key, used

     *

     * Cannot be hardware-enforced.

     */

    ATTESTATION_APPLICATION_ID = (9 << 28) | 709, /* TagType:BYTES */

    ATTESTATION_APPLICATION_ID = (9 << 28) /* TagType:BYTES */ | 709,

    /**

     * Tag::ATTESTATION_ID_BRAND provides the device's brand name, as returned by Build.BRAND in

     *

     * Must never appear in KeyCharacteristics.

     */

    ATTESTATION_ID_BRAND = (9 << 28) | 710, /* TagType:BYTES */

    ATTESTATION_ID_BRAND = (9 << 28) /* TagType:BYTES */ | 710,

    /**

     * Tag::ATTESTATION_ID_DEVICE provides the device's device name, as returned by Build.DEVICE in

     *

     * Must never appear in KeyCharacteristics.

     */

    ATTESTATION_ID_DEVICE = (9 << 28) | 711, /* TagType:BYTES */

    ATTESTATION_ID_DEVICE = (9 << 28) /* TagType:BYTES */ | 711,

    /**

     * Tag::ATTESTATION_ID_PRODUCT provides the device's product name, as returned by Build.PRODUCT

     *

     * Must never appear in KeyCharacteristics.

     */

    ATTESTATION_ID_PRODUCT = (9 << 28) | 712, /* TagType:BYTES */

    ATTESTATION_ID_PRODUCT = (9 << 28) /* TagType:BYTES */ | 712,

    /**

     * Tag::ATTESTATION_ID_SERIAL the device's serial number.  This field must be set only when

     *

     * Must never appear in KeyCharacteristics.

     */

    ATTESTATION_ID_SERIAL = (9 << 28) | 713, /* TagType:BYTES */

    ATTESTATION_ID_SERIAL = (9 << 28) /* TagType:BYTES */ | 713,

    /**

     * Tag::ATTESTATION_ID_IMEI provides the IMEIs for all radios on the device to attestKey().

     *

     * Must never appear in KeyCharacteristics.

     */

    ATTESTATION_ID_IMEI = (9 << 28) | 714, /* TagType:BYTES */

    ATTESTATION_ID_IMEI = (9 << 28) /* TagType:BYTES */ | 714,

    /**

     * Tag::ATTESTATION_ID_MEID provides the MEIDs for all radios on the device to attestKey().

     *

     * Must never appear in KeyCharacteristics.

     */

    ATTESTATION_ID_MEID = (9 << 28) | 715, /* TagType:BYTES */

    ATTESTATION_ID_MEID = (9 << 28) /* TagType:BYTES */ | 715,

    /**

     * Tag::ATTESTATION_ID_MANUFACTURER provides the device's manufacturer name, as returned by

     *

     * Must never appear in KeyCharacteristics.

     */

    ATTESTATION_ID_MANUFACTURER = (9 << 28) | 716, /* TagType:BYTES */

    ATTESTATION_ID_MANUFACTURER = (9 << 28) /* TagType:BYTES */ | 716,

    /**

     * Tag::ATTESTATION_ID_MODEL provides the device's model name, as returned by Build.MODEL in

     *

     * Must never appear in KeyCharacteristics.

     */

    ATTESTATION_ID_MODEL = (9 << 28) | 717, /* TagType:BYTES */

    ATTESTATION_ID_MODEL = (9 << 28) /* TagType:BYTES */ | 717,

    /**

     * Tag::VENDOR_PATCHLEVEL specifies the vendor image security patch level with which the key may

     *

     * Must be hardware-enforced.

     */

    VENDOR_PATCHLEVEL = (3 << 28) | 718, /* TagType:UINT */

    VENDOR_PATCHLEVEL = (3 << 28) /* TagType:UINT */ | 718,

    /**

     * Tag::BOOT_PATCHLEVEL specifies the boot image (kernel) security patch level with which the

     *

     * Must be hardware-enforced.

     */

    BOOT_PATCHLEVEL = (3 << 28) | 719, /* TagType:UINT */

    BOOT_PATCHLEVEL = (3 << 28) /* TagType:UINT */ | 719,

    /**

     * DEVICE_UNIQUE_ATTESTATION is an argument to IKeyMintDevice::attestKey().  It indicates that

     * IKeyMintDevice implementations that support device-unique attestation MUST add the

     * DEVICE_UNIQUE_ATTESTATION tag to device-unique attestations.

     */

    DEVICE_UNIQUE_ATTESTATION = (7 << 28) | 720, /* TagType:BOOL */

    DEVICE_UNIQUE_ATTESTATION = (7 << 28) /* TagType:BOOL */ | 720,

    /**

     * IDENTITY_CREDENTIAL_KEY is never used by IKeyMintDevice, is not a valid argument to key

     * attestation.  It is used in attestations produced by the IIdentityCredential HAL when that

     * HAL attests to Credential Keys.  IIdentityCredential produces KeyMint-style attestations.

     */

    IDENTITY_CREDENTIAL_KEY = (7 << 28) | 721, /* TagType:BOOL */

    IDENTITY_CREDENTIAL_KEY = (7 << 28) /* TagType:BOOL */ | 721,

    /**

     * To prevent keys from being compromised if an attacker acquires read access to system / kernel

     * ErrorCode::INVALID_OPERATION is returned when a key with Tag::STORAGE_KEY is provided to

     * begin().

     */

    STORAGE_KEY = (7 << 28) | 722, /* TagType:BOOL */

    STORAGE_KEY = (7 << 28) /* TagType:BOOL */ | 722,

    /**

     * Tag::ASSOCIATED_DATA Provides "associated data" for AES-GCM encryption or decryption.  This

     *

     * Must never appear KeyCharacteristics.

     */

    ASSOCIATED_DATA = (9 << 28) | 1000, /* TagType:BYTES */

    ASSOCIATED_DATA = (9 << 28) /* TagType:BYTES */ | 1000,

    /**

     * Tag::NONCE is used to provide or return a nonce or Initialization Vector (IV) for AES-GCM,

     *

     * Must never appear in KeyCharacteristics.

     */

    NONCE = (9 << 28) | 1001, /* TagType:BYTES */

    NONCE = (9 << 28) /* TagType:BYTES */ | 1001,

    /**

     * Tag::MAC_LENGTH provides the requested length of a MAC or GCM authentication tag, in bits.

     *

     * Must never appear in KeyCharacteristics.

     */

    MAC_LENGTH = (3 << 28) | 1003, /* TagType:UINT */

    MAC_LENGTH = (3 << 28) /* TagType:UINT */ | 1003,

    /**

     * Tag::RESET_SINCE_ID_ROTATION specifies whether the device has been factory reset since the

     *

     * Must never appear in KeyCharacteristics.

     */

    RESET_SINCE_ID_ROTATION = (7 << 28) | 1004, /* TagType:BOOL */

    RESET_SINCE_ID_ROTATION = (7 << 28) /* TagType:BOOL */ | 1004,

    /**

     * Tag::CONFIRMATION_TOKEN is used to deliver a cryptographic token proving that the user

     *

     * Must never appear in KeyCharacteristics.

     */

    CONFIRMATION_TOKEN = (9 << 28) | 1005, /* TagType:BYTES */

    CONFIRMATION_TOKEN = (9 << 28) /* TagType:BYTES */ | 1005,

}