1 /* 2 * Copyright (C) 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.security.keymaster; 18 19 import java.util.HashMap; 20 import java.util.Map; 21 22 /** 23 * Class tracking all the keymaster enum values needed for the binder API to keystore. 24 * This must be kept in sync with hardware/libhardware/include/hardware/keymaster_defs.h 25 * See keymaster_defs.h for detailed descriptions of each constant. 26 * @hide 27 */ 28 public final class KeymasterDefs { 29 KeymasterDefs()30 private KeymasterDefs() {} 31 32 // Tag types. 33 public static final int KM_INVALID = 0 << 28; 34 public static final int KM_ENUM = 1 << 28; 35 public static final int KM_ENUM_REP = 2 << 28; 36 public static final int KM_UINT = 3 << 28; 37 public static final int KM_UINT_REP = 4 << 28; 38 public static final int KM_ULONG = 5 << 28; 39 public static final int KM_DATE = 6 << 28; 40 public static final int KM_BOOL = 7 << 28; 41 public static final int KM_BIGNUM = 8 << 28; 42 public static final int KM_BYTES = 9 << 28; 43 public static final int KM_ULONG_REP = 10 << 28; 44 45 // Tag values. 46 public static final int KM_TAG_INVALID = KM_INVALID | 0; 47 public static final int KM_TAG_PURPOSE = KM_ENUM_REP | 1; 48 public static final int KM_TAG_ALGORITHM = KM_ENUM | 2; 49 public static final int KM_TAG_KEY_SIZE = KM_UINT | 3; 50 public static final int KM_TAG_BLOCK_MODE = KM_ENUM_REP | 4; 51 public static final int KM_TAG_DIGEST = KM_ENUM_REP | 5; 52 public static final int KM_TAG_PADDING = KM_ENUM_REP | 6; 53 public static final int KM_TAG_CALLER_NONCE = KM_BOOL | 7; 54 public static final int KM_TAG_MIN_MAC_LENGTH = KM_UINT | 8; 55 56 public static final int KM_TAG_RESCOPING_ADD = KM_ENUM_REP | 101; 57 public static final int KM_TAG_RESCOPING_DEL = KM_ENUM_REP | 102; 58 public static final int KM_TAG_BLOB_USAGE_REQUIREMENTS = KM_ENUM | 705; 59 60 public static final int KM_TAG_RSA_PUBLIC_EXPONENT = KM_ULONG | 200; 61 public static final int KM_TAG_INCLUDE_UNIQUE_ID = KM_BOOL | 202; 62 63 public static final int KM_TAG_ACTIVE_DATETIME = KM_DATE | 400; 64 public static final int KM_TAG_ORIGINATION_EXPIRE_DATETIME = KM_DATE | 401; 65 public static final int KM_TAG_USAGE_EXPIRE_DATETIME = KM_DATE | 402; 66 public static final int KM_TAG_MIN_SECONDS_BETWEEN_OPS = KM_UINT | 403; 67 public static final int KM_TAG_MAX_USES_PER_BOOT = KM_UINT | 404; 68 69 public static final int KM_TAG_ALL_USERS = KM_BOOL | 500; 70 public static final int KM_TAG_USER_ID = KM_UINT | 501; 71 public static final int KM_TAG_USER_SECURE_ID = KM_ULONG_REP | 502; 72 public static final int KM_TAG_NO_AUTH_REQUIRED = KM_BOOL | 503; 73 public static final int KM_TAG_USER_AUTH_TYPE = KM_ENUM | 504; 74 public static final int KM_TAG_AUTH_TIMEOUT = KM_UINT | 505; 75 public static final int KM_TAG_ALLOW_WHILE_ON_BODY = KM_BOOL | 506; 76 public static final int KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED = KM_BOOL | 507; 77 public static final int KM_TAG_TRUSTED_CONFIRMATION_REQUIRED = KM_BOOL | 508; 78 public static final int KM_TAG_UNLOCKED_DEVICE_REQUIRED = KM_BOOL | 509; 79 80 public static final int KM_TAG_ALL_APPLICATIONS = KM_BOOL | 600; 81 public static final int KM_TAG_APPLICATION_ID = KM_BYTES | 601; 82 83 public static final int KM_TAG_CREATION_DATETIME = KM_DATE | 701; 84 public static final int KM_TAG_ORIGIN = KM_ENUM | 702; 85 public static final int KM_TAG_ROLLBACK_RESISTANT = KM_BOOL | 703; 86 public static final int KM_TAG_ROOT_OF_TRUST = KM_BYTES | 704; 87 public static final int KM_TAG_UNIQUE_ID = KM_BYTES | 707; 88 public static final int KM_TAG_ATTESTATION_CHALLENGE = KM_BYTES | 708; 89 public static final int KM_TAG_ATTESTATION_ID_BRAND = KM_BYTES | 710; 90 public static final int KM_TAG_ATTESTATION_ID_DEVICE = KM_BYTES | 711; 91 public static final int KM_TAG_ATTESTATION_ID_PRODUCT = KM_BYTES | 712; 92 public static final int KM_TAG_ATTESTATION_ID_SERIAL = KM_BYTES | 713; 93 public static final int KM_TAG_ATTESTATION_ID_IMEI = KM_BYTES | 714; 94 public static final int KM_TAG_ATTESTATION_ID_MEID = KM_BYTES | 715; 95 public static final int KM_TAG_ATTESTATION_ID_MANUFACTURER = KM_BYTES | 716; 96 public static final int KM_TAG_ATTESTATION_ID_MODEL = KM_BYTES | 717; 97 public static final int KM_TAG_DEVICE_UNIQUE_ATTESTATION = KM_BOOL | 720; 98 99 public static final int KM_TAG_ASSOCIATED_DATA = KM_BYTES | 1000; 100 public static final int KM_TAG_NONCE = KM_BYTES | 1001; 101 public static final int KM_TAG_AUTH_TOKEN = KM_BYTES | 1002; 102 public static final int KM_TAG_MAC_LENGTH = KM_UINT | 1003; 103 104 // Algorithm values. 105 public static final int KM_ALGORITHM_RSA = 1; 106 public static final int KM_ALGORITHM_EC = 3; 107 public static final int KM_ALGORITHM_AES = 32; 108 public static final int KM_ALGORITHM_3DES = 33; 109 public static final int KM_ALGORITHM_HMAC = 128; 110 111 // Block modes. 112 public static final int KM_MODE_ECB = 1; 113 public static final int KM_MODE_CBC = 2; 114 public static final int KM_MODE_CTR = 3; 115 public static final int KM_MODE_GCM = 32; 116 117 // Padding modes. 118 public static final int KM_PAD_NONE = 1; 119 public static final int KM_PAD_RSA_OAEP = 2; 120 public static final int KM_PAD_RSA_PSS = 3; 121 public static final int KM_PAD_RSA_PKCS1_1_5_ENCRYPT = 4; 122 public static final int KM_PAD_RSA_PKCS1_1_5_SIGN = 5; 123 public static final int KM_PAD_PKCS7 = 64; 124 125 // Digest modes. 126 public static final int KM_DIGEST_NONE = 0; 127 public static final int KM_DIGEST_MD5 = 1; 128 public static final int KM_DIGEST_SHA1 = 2; 129 public static final int KM_DIGEST_SHA_2_224 = 3; 130 public static final int KM_DIGEST_SHA_2_256 = 4; 131 public static final int KM_DIGEST_SHA_2_384 = 5; 132 public static final int KM_DIGEST_SHA_2_512 = 6; 133 134 // Key origins. 135 public static final int KM_ORIGIN_GENERATED = 0; 136 public static final int KM_ORIGIN_IMPORTED = 2; 137 public static final int KM_ORIGIN_UNKNOWN = 3; 138 public static final int KM_ORIGIN_SECURELY_IMPORTED = 4; 139 140 // Key usability requirements. 141 public static final int KM_BLOB_STANDALONE = 0; 142 public static final int KM_BLOB_REQUIRES_FILE_SYSTEM = 1; 143 144 // Operation Purposes. 145 public static final int KM_PURPOSE_ENCRYPT = 0; 146 public static final int KM_PURPOSE_DECRYPT = 1; 147 public static final int KM_PURPOSE_SIGN = 2; 148 public static final int KM_PURPOSE_VERIFY = 3; 149 public static final int KM_PURPOSE_WRAP = 5; 150 151 // Key formats. 152 public static final int KM_KEY_FORMAT_X509 = 0; 153 public static final int KM_KEY_FORMAT_PKCS8 = 1; 154 public static final int KM_KEY_FORMAT_RAW = 3; 155 156 // User authenticators. 157 public static final int HW_AUTH_PASSWORD = 1 << 0; 158 public static final int HW_AUTH_BIOMETRIC = 1 << 1; 159 160 // Error codes. 161 public static final int KM_ERROR_OK = 0; 162 public static final int KM_ERROR_ROOT_OF_TRUST_ALREADY_SET = -1; 163 public static final int KM_ERROR_UNSUPPORTED_PURPOSE = -2; 164 public static final int KM_ERROR_INCOMPATIBLE_PURPOSE = -3; 165 public static final int KM_ERROR_UNSUPPORTED_ALGORITHM = -4; 166 public static final int KM_ERROR_INCOMPATIBLE_ALGORITHM = -5; 167 public static final int KM_ERROR_UNSUPPORTED_KEY_SIZE = -6; 168 public static final int KM_ERROR_UNSUPPORTED_BLOCK_MODE = -7; 169 public static final int KM_ERROR_INCOMPATIBLE_BLOCK_MODE = -8; 170 public static final int KM_ERROR_UNSUPPORTED_MAC_LENGTH = -9; 171 public static final int KM_ERROR_UNSUPPORTED_PADDING_MODE = -10; 172 public static final int KM_ERROR_INCOMPATIBLE_PADDING_MODE = -11; 173 public static final int KM_ERROR_UNSUPPORTED_DIGEST = -12; 174 public static final int KM_ERROR_INCOMPATIBLE_DIGEST = -13; 175 public static final int KM_ERROR_INVALID_EXPIRATION_TIME = -14; 176 public static final int KM_ERROR_INVALID_USER_ID = -15; 177 public static final int KM_ERROR_INVALID_AUTHORIZATION_TIMEOUT = -16; 178 public static final int KM_ERROR_UNSUPPORTED_KEY_FORMAT = -17; 179 public static final int KM_ERROR_INCOMPATIBLE_KEY_FORMAT = -18; 180 public static final int KM_ERROR_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM = -19; 181 public static final int KM_ERROR_UNSUPPORTED_KEY_VERIFICATION_ALGORITHM = -20; 182 public static final int KM_ERROR_INVALID_INPUT_LENGTH = -21; 183 public static final int KM_ERROR_KEY_EXPORT_OPTIONS_INVALID = -22; 184 public static final int KM_ERROR_DELEGATION_NOT_ALLOWED = -23; 185 public static final int KM_ERROR_KEY_NOT_YET_VALID = -24; 186 public static final int KM_ERROR_KEY_EXPIRED = -25; 187 public static final int KM_ERROR_KEY_USER_NOT_AUTHENTICATED = -26; 188 public static final int KM_ERROR_OUTPUT_PARAMETER_NULL = -27; 189 public static final int KM_ERROR_INVALID_OPERATION_HANDLE = -28; 190 public static final int KM_ERROR_INSUFFICIENT_BUFFER_SPACE = -29; 191 public static final int KM_ERROR_VERIFICATION_FAILED = -30; 192 public static final int KM_ERROR_TOO_MANY_OPERATIONS = -31; 193 public static final int KM_ERROR_UNEXPECTED_NULL_POINTER = -32; 194 public static final int KM_ERROR_INVALID_KEY_BLOB = -33; 195 public static final int KM_ERROR_IMPORTED_KEY_NOT_ENCRYPTED = -34; 196 public static final int KM_ERROR_IMPORTED_KEY_DECRYPTION_FAILED = -35; 197 public static final int KM_ERROR_IMPORTED_KEY_NOT_SIGNED = -36; 198 public static final int KM_ERROR_IMPORTED_KEY_VERIFICATION_FAILED = -37; 199 public static final int KM_ERROR_INVALID_ARGUMENT = -38; 200 public static final int KM_ERROR_UNSUPPORTED_TAG = -39; 201 public static final int KM_ERROR_INVALID_TAG = -40; 202 public static final int KM_ERROR_MEMORY_ALLOCATION_FAILED = -41; 203 public static final int KM_ERROR_INVALID_RESCOPING = -42; 204 public static final int KM_ERROR_IMPORT_PARAMETER_MISMATCH = -44; 205 public static final int KM_ERROR_SECURE_HW_ACCESS_DENIED = -45; 206 public static final int KM_ERROR_OPERATION_CANCELLED = -46; 207 public static final int KM_ERROR_CONCURRENT_ACCESS_CONFLICT = -47; 208 public static final int KM_ERROR_SECURE_HW_BUSY = -48; 209 public static final int KM_ERROR_SECURE_HW_COMMUNICATION_FAILED = -49; 210 public static final int KM_ERROR_UNSUPPORTED_EC_FIELD = -50; 211 public static final int KM_ERROR_MISSING_NONCE = -51; 212 public static final int KM_ERROR_INVALID_NONCE = -52; 213 public static final int KM_ERROR_MISSING_MAC_LENGTH = -53; 214 public static final int KM_ERROR_KEY_RATE_LIMIT_EXCEEDED = -54; 215 public static final int KM_ERROR_CALLER_NONCE_PROHIBITED = -55; 216 public static final int KM_ERROR_KEY_MAX_OPS_EXCEEDED = -56; 217 public static final int KM_ERROR_INVALID_MAC_LENGTH = -57; 218 public static final int KM_ERROR_MISSING_MIN_MAC_LENGTH = -58; 219 public static final int KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH = -59; 220 public static final int KM_ERROR_CANNOT_ATTEST_IDS = -66; 221 public static final int KM_ERROR_DEVICE_LOCKED = -72; 222 public static final int KM_ERROR_UNIMPLEMENTED = -100; 223 public static final int KM_ERROR_VERSION_MISMATCH = -101; 224 public static final int KM_ERROR_UNKNOWN_ERROR = -1000; 225 226 public static final Map<Integer, String> sErrorCodeToString = new HashMap<Integer, String>(); 227 static { sErrorCodeToString.put(KM_ERROR_OK, "OK")228 sErrorCodeToString.put(KM_ERROR_OK, "OK"); sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_PURPOSE, "Unsupported purpose")229 sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_PURPOSE, "Unsupported purpose"); sErrorCodeToString.put(KM_ERROR_INCOMPATIBLE_PURPOSE, "Incompatible purpose")230 sErrorCodeToString.put(KM_ERROR_INCOMPATIBLE_PURPOSE, "Incompatible purpose"); sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_ALGORITHM, "Unsupported algorithm")231 sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_ALGORITHM, "Unsupported algorithm"); sErrorCodeToString.put(KM_ERROR_INCOMPATIBLE_ALGORITHM, "Incompatible algorithm")232 sErrorCodeToString.put(KM_ERROR_INCOMPATIBLE_ALGORITHM, "Incompatible algorithm"); sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_KEY_SIZE, "Unsupported key size")233 sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_KEY_SIZE, "Unsupported key size"); sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_BLOCK_MODE, "Unsupported block mode")234 sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_BLOCK_MODE, "Unsupported block mode"); sErrorCodeToString.put(KM_ERROR_INCOMPATIBLE_BLOCK_MODE, "Incompatible block mode")235 sErrorCodeToString.put(KM_ERROR_INCOMPATIBLE_BLOCK_MODE, "Incompatible block mode"); sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_MAC_LENGTH, "Unsupported MAC or authentication tag length")236 sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_MAC_LENGTH, 237 "Unsupported MAC or authentication tag length"); sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_PADDING_MODE, "Unsupported padding mode")238 sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_PADDING_MODE, "Unsupported padding mode"); sErrorCodeToString.put(KM_ERROR_INCOMPATIBLE_PADDING_MODE, "Incompatible padding mode")239 sErrorCodeToString.put(KM_ERROR_INCOMPATIBLE_PADDING_MODE, "Incompatible padding mode"); sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_DIGEST, "Unsupported digest")240 sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_DIGEST, "Unsupported digest"); sErrorCodeToString.put(KM_ERROR_INCOMPATIBLE_DIGEST, "Incompatible digest")241 sErrorCodeToString.put(KM_ERROR_INCOMPATIBLE_DIGEST, "Incompatible digest"); sErrorCodeToString.put(KM_ERROR_INVALID_EXPIRATION_TIME, "Invalid expiration time")242 sErrorCodeToString.put(KM_ERROR_INVALID_EXPIRATION_TIME, "Invalid expiration time"); sErrorCodeToString.put(KM_ERROR_INVALID_USER_ID, "Invalid user ID")243 sErrorCodeToString.put(KM_ERROR_INVALID_USER_ID, "Invalid user ID"); sErrorCodeToString.put(KM_ERROR_INVALID_AUTHORIZATION_TIMEOUT, "Invalid user authorization timeout")244 sErrorCodeToString.put(KM_ERROR_INVALID_AUTHORIZATION_TIMEOUT, 245 "Invalid user authorization timeout"); sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_KEY_FORMAT, "Unsupported key format")246 sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_KEY_FORMAT, "Unsupported key format"); sErrorCodeToString.put(KM_ERROR_INCOMPATIBLE_KEY_FORMAT, "Incompatible key format")247 sErrorCodeToString.put(KM_ERROR_INCOMPATIBLE_KEY_FORMAT, "Incompatible key format"); sErrorCodeToString.put(KM_ERROR_INVALID_INPUT_LENGTH, "Invalid input length")248 sErrorCodeToString.put(KM_ERROR_INVALID_INPUT_LENGTH, "Invalid input length"); sErrorCodeToString.put(KM_ERROR_KEY_NOT_YET_VALID, "Key not yet valid")249 sErrorCodeToString.put(KM_ERROR_KEY_NOT_YET_VALID, "Key not yet valid"); sErrorCodeToString.put(KM_ERROR_KEY_EXPIRED, "Key expired")250 sErrorCodeToString.put(KM_ERROR_KEY_EXPIRED, "Key expired"); sErrorCodeToString.put(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, "Key user not authenticated")251 sErrorCodeToString.put(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, "Key user not authenticated"); sErrorCodeToString.put(KM_ERROR_INVALID_OPERATION_HANDLE, "Invalid operation handle")252 sErrorCodeToString.put(KM_ERROR_INVALID_OPERATION_HANDLE, "Invalid operation handle"); sErrorCodeToString.put(KM_ERROR_VERIFICATION_FAILED, "Signature/MAC verification failed")253 sErrorCodeToString.put(KM_ERROR_VERIFICATION_FAILED, "Signature/MAC verification failed"); sErrorCodeToString.put(KM_ERROR_TOO_MANY_OPERATIONS, "Too many operations")254 sErrorCodeToString.put(KM_ERROR_TOO_MANY_OPERATIONS, "Too many operations"); sErrorCodeToString.put(KM_ERROR_INVALID_KEY_BLOB, "Invalid key blob")255 sErrorCodeToString.put(KM_ERROR_INVALID_KEY_BLOB, "Invalid key blob"); sErrorCodeToString.put(KM_ERROR_INVALID_ARGUMENT, "Invalid argument")256 sErrorCodeToString.put(KM_ERROR_INVALID_ARGUMENT, "Invalid argument"); sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_TAG, "Unsupported tag")257 sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_TAG, "Unsupported tag"); sErrorCodeToString.put(KM_ERROR_INVALID_TAG, "Invalid tag")258 sErrorCodeToString.put(KM_ERROR_INVALID_TAG, "Invalid tag"); sErrorCodeToString.put(KM_ERROR_MEMORY_ALLOCATION_FAILED, "Memory allocation failed")259 sErrorCodeToString.put(KM_ERROR_MEMORY_ALLOCATION_FAILED, "Memory allocation failed"); sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_EC_FIELD, "Unsupported EC field")260 sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_EC_FIELD, "Unsupported EC field"); sErrorCodeToString.put(KM_ERROR_MISSING_NONCE, "Required IV missing")261 sErrorCodeToString.put(KM_ERROR_MISSING_NONCE, "Required IV missing"); sErrorCodeToString.put(KM_ERROR_INVALID_NONCE, "Invalid IV")262 sErrorCodeToString.put(KM_ERROR_INVALID_NONCE, "Invalid IV"); sErrorCodeToString.put(KM_ERROR_CALLER_NONCE_PROHIBITED, "Caller-provided IV not permitted")263 sErrorCodeToString.put(KM_ERROR_CALLER_NONCE_PROHIBITED, 264 "Caller-provided IV not permitted"); sErrorCodeToString.put(KM_ERROR_INVALID_MAC_LENGTH, "Invalid MAC or authentication tag length")265 sErrorCodeToString.put(KM_ERROR_INVALID_MAC_LENGTH, 266 "Invalid MAC or authentication tag length"); sErrorCodeToString.put(KM_ERROR_CANNOT_ATTEST_IDS, "Unable to attest device ids")267 sErrorCodeToString.put(KM_ERROR_CANNOT_ATTEST_IDS, "Unable to attest device ids"); sErrorCodeToString.put(KM_ERROR_DEVICE_LOCKED, "Device locked")268 sErrorCodeToString.put(KM_ERROR_DEVICE_LOCKED, "Device locked"); sErrorCodeToString.put(KM_ERROR_UNIMPLEMENTED, "Not implemented")269 sErrorCodeToString.put(KM_ERROR_UNIMPLEMENTED, "Not implemented"); sErrorCodeToString.put(KM_ERROR_UNKNOWN_ERROR, "Unknown error")270 sErrorCodeToString.put(KM_ERROR_UNKNOWN_ERROR, "Unknown error"); 271 } 272 getTagType(int tag)273 public static int getTagType(int tag) { 274 return tag & (0xF << 28); 275 } 276 getErrorMessage(int errorCode)277 public static String getErrorMessage(int errorCode) { 278 String result = sErrorCodeToString.get(errorCode); 279 if (result != null) { 280 return result; 281 } 282 return String.valueOf(errorCode); 283 } 284 } 285