1 /*
2  * Copyright (C) 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 package android.security.keymaster;
18 
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
21 
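/**
 * Class tracking all the keymaster enum values needed for the binder API to keystore.
 * This must be kept in sync with hardware/libhardware/include/hardware/keymaster_defs.h
 * See keymaster_defs.h for detailed descriptions of each constant.
 *
 * <p>The class is a pure constant holder: it cannot be instantiated and exposes only
 * {@code static} members. The numeric values are part of the keystore binder contract, so a
 * value must never be changed here without the matching change in keymaster_defs.h.
 *
 * @hide
 */
public final class KeymasterDefs {

    /** Not instantiable; this class only carries constants and two static helpers. */
    private KeymasterDefs() {}

    // Tag types.
    //
    // A tag is a 32-bit value whose top four bits (28-31) carry the tag type and whose low
    // 28 bits carry the tag number. The _REP variants are the repeatable forms in
    // keymaster_defs.h.
    //
    // KM_BIGNUM, KM_BYTES and KM_ULONG_REP set bit 31, so they (and every tag built from them)
    // are negative as Java ints. Compare tag types with == only, never with < or >.
    public static final int KM_INVALID = 0 << 28;
    public static final int KM_ENUM = 1 << 28;
    public static final int KM_ENUM_REP = 2 << 28;
    public static final int KM_UINT = 3 << 28;
    public static final int KM_UINT_REP = 4 << 28;
    public static final int KM_ULONG = 5 << 28;
    public static final int KM_DATE = 6 << 28;
    public static final int KM_BOOL = 7 << 28;
    public static final int KM_BIGNUM = 8 << 28;
    public static final int KM_BYTES = 9 << 28;
    public static final int KM_ULONG_REP = 10 << 28;

    /** Mask selecting the four tag-type bits (28-31) of a tag value. */
    private static final int TAG_TYPE_MASK = 0xF << 28;

    // Tag values. Each is (tag type | tag number); getTagType() recovers the type.
    public static final int KM_TAG_INVALID = KM_INVALID | 0;
    public static final int KM_TAG_PURPOSE = KM_ENUM_REP | 1;
    public static final int KM_TAG_ALGORITHM = KM_ENUM | 2;
    public static final int KM_TAG_KEY_SIZE = KM_UINT | 3;
    public static final int KM_TAG_BLOCK_MODE = KM_ENUM_REP | 4;
    public static final int KM_TAG_DIGEST = KM_ENUM_REP | 5;
    public static final int KM_TAG_PADDING = KM_ENUM_REP | 6;
    public static final int KM_TAG_CALLER_NONCE = KM_BOOL | 7;
    public static final int KM_TAG_MIN_MAC_LENGTH = KM_UINT | 8;

    public static final int KM_TAG_RESCOPING_ADD = KM_ENUM_REP | 101;
    public static final int KM_TAG_RESCOPING_DEL = KM_ENUM_REP | 102;
    public static final int KM_TAG_BLOB_USAGE_REQUIREMENTS = KM_ENUM | 705;

    public static final int KM_TAG_RSA_PUBLIC_EXPONENT = KM_ULONG | 200;
    public static final int KM_TAG_INCLUDE_UNIQUE_ID = KM_BOOL | 202;

    // Validity window and usage-rate tags.
    public static final int KM_TAG_ACTIVE_DATETIME = KM_DATE | 400;
    public static final int KM_TAG_ORIGINATION_EXPIRE_DATETIME = KM_DATE | 401;
    public static final int KM_TAG_USAGE_EXPIRE_DATETIME = KM_DATE | 402;
    public static final int KM_TAG_MIN_SECONDS_BETWEEN_OPS = KM_UINT | 403;
    public static final int KM_TAG_MAX_USES_PER_BOOT = KM_UINT | 404;

    // User-authentication tags.
    public static final int KM_TAG_ALL_USERS = KM_BOOL | 500;
    public static final int KM_TAG_USER_ID = KM_UINT | 501;
    public static final int KM_TAG_USER_SECURE_ID = KM_ULONG_REP | 502;
    public static final int KM_TAG_NO_AUTH_REQUIRED = KM_BOOL | 503;
    public static final int KM_TAG_USER_AUTH_TYPE = KM_ENUM | 504;
    public static final int KM_TAG_AUTH_TIMEOUT = KM_UINT | 505;
    public static final int KM_TAG_ALLOW_WHILE_ON_BODY = KM_BOOL | 506;

    // Application-binding tags.
    public static final int KM_TAG_ALL_APPLICATIONS = KM_BOOL | 600;
    public static final int KM_TAG_APPLICATION_ID = KM_BYTES | 601;

    // Provenance and attestation tags.
    public static final int KM_TAG_CREATION_DATETIME = KM_DATE | 701;
    public static final int KM_TAG_ORIGIN = KM_ENUM | 702;
    public static final int KM_TAG_ROLLBACK_RESISTANT = KM_BOOL | 703;
    public static final int KM_TAG_ROOT_OF_TRUST = KM_BYTES | 704;
    public static final int KM_TAG_UNIQUE_ID = KM_BYTES | 707;
    public static final int KM_TAG_ATTESTATION_CHALLENGE = KM_BYTES | 708;
    public static final int KM_TAG_ATTESTATION_ID_BRAND = KM_BYTES | 710;
    public static final int KM_TAG_ATTESTATION_ID_DEVICE = KM_BYTES | 711;
    public static final int KM_TAG_ATTESTATION_ID_PRODUCT = KM_BYTES | 712;
    public static final int KM_TAG_ATTESTATION_ID_SERIAL = KM_BYTES | 713;
    public static final int KM_TAG_ATTESTATION_ID_IMEI = KM_BYTES | 714;
    public static final int KM_TAG_ATTESTATION_ID_MEID = KM_BYTES | 715;
    public static final int KM_TAG_ATTESTATION_ID_MANUFACTURER = KM_BYTES | 716;
    public static final int KM_TAG_ATTESTATION_ID_MODEL = KM_BYTES | 717;

    // Per-operation parameter tags.
    public static final int KM_TAG_ASSOCIATED_DATA = KM_BYTES | 1000;
    public static final int KM_TAG_NONCE = KM_BYTES | 1001;
    public static final int KM_TAG_AUTH_TOKEN = KM_BYTES | 1002;
    public static final int KM_TAG_MAC_LENGTH = KM_UINT | 1003;

    // Algorithm values.
    public static final int KM_ALGORITHM_RSA = 1;
    public static final int KM_ALGORITHM_EC = 3;
    public static final int KM_ALGORITHM_AES = 32;
    public static final int KM_ALGORITHM_HMAC = 128;

    // Block modes.
    // The table mirrors keymaster_defs.h and is not a recommendation: ECB encrypts equal
    // plaintext blocks to equal ciphertext blocks, and only GCM of the four is authenticated.
    public static final int KM_MODE_ECB = 1;
    public static final int KM_MODE_CBC = 2;
    public static final int KM_MODE_CTR = 3;
    public static final int KM_MODE_GCM = 32;

    // Padding modes.
    // PKCS#1 v1.5 encryption padding is exposed to padding-oracle attacks when decryption
    // failures are distinguishable to a caller; OAEP is the usual choice for new designs.
    public static final int KM_PAD_NONE = 1;
    public static final int KM_PAD_RSA_OAEP = 2;
    public static final int KM_PAD_RSA_PSS = 3;
    public static final int KM_PAD_RSA_PKCS1_1_5_ENCRYPT = 4;
    public static final int KM_PAD_RSA_PKCS1_1_5_SIGN = 5;
    public static final int KM_PAD_PKCS7 = 64;

    // Digest modes.
    // MD5 and SHA-1 are not collision resistant; they are listed because the values must
    // match keymaster_defs.h, not because they are suitable for new signatures.
    public static final int KM_DIGEST_NONE = 0;
    public static final int KM_DIGEST_MD5 = 1;
    public static final int KM_DIGEST_SHA1 = 2;
    public static final int KM_DIGEST_SHA_2_224 = 3;
    public static final int KM_DIGEST_SHA_2_256 = 4;
    public static final int KM_DIGEST_SHA_2_384 = 5;
    public static final int KM_DIGEST_SHA_2_512 = 6;

    // Key origins.
    public static final int KM_ORIGIN_GENERATED = 0;
    public static final int KM_ORIGIN_IMPORTED = 2;
    public static final int KM_ORIGIN_UNKNOWN = 3;

    // Key usability requirements.
    public static final int KM_BLOB_STANDALONE = 0;
    public static final int KM_BLOB_REQUIRES_FILE_SYSTEM = 1;

    // Operation Purposes.
    public static final int KM_PURPOSE_ENCRYPT = 0;
    public static final int KM_PURPOSE_DECRYPT = 1;
    public static final int KM_PURPOSE_SIGN = 2;
    public static final int KM_PURPOSE_VERIFY = 3;

    // Key formats.
    public static final int KM_KEY_FORMAT_X509 = 0;
    public static final int KM_KEY_FORMAT_PKCS8 = 1;
    public static final int KM_KEY_FORMAT_RAW = 3;

    // User authenticators. Each value is a distinct bit.
    public static final int HW_AUTH_PASSWORD = 1 << 0;
    public static final int HW_AUTH_FINGERPRINT = 1 << 1;

    // Error codes.
    // KM_ERROR_OK is 0 and every failure is negative. The numbering has gaps (for example
    // there is no -43); values must match keymaster_defs.h rather than be renumbered.
    public static final int KM_ERROR_OK = 0;
    public static final int KM_ERROR_ROOT_OF_TRUST_ALREADY_SET = -1;
    public static final int KM_ERROR_UNSUPPORTED_PURPOSE = -2;
    public static final int KM_ERROR_INCOMPATIBLE_PURPOSE = -3;
    public static final int KM_ERROR_UNSUPPORTED_ALGORITHM = -4;
    public static final int KM_ERROR_INCOMPATIBLE_ALGORITHM = -5;
    public static final int KM_ERROR_UNSUPPORTED_KEY_SIZE = -6;
    public static final int KM_ERROR_UNSUPPORTED_BLOCK_MODE = -7;
    public static final int KM_ERROR_INCOMPATIBLE_BLOCK_MODE = -8;
    public static final int KM_ERROR_UNSUPPORTED_MAC_LENGTH = -9;
    public static final int KM_ERROR_UNSUPPORTED_PADDING_MODE = -10;
    public static final int KM_ERROR_INCOMPATIBLE_PADDING_MODE = -11;
    public static final int KM_ERROR_UNSUPPORTED_DIGEST = -12;
    public static final int KM_ERROR_INCOMPATIBLE_DIGEST = -13;
    public static final int KM_ERROR_INVALID_EXPIRATION_TIME = -14;
    public static final int KM_ERROR_INVALID_USER_ID = -15;
    public static final int KM_ERROR_INVALID_AUTHORIZATION_TIMEOUT = -16;
    public static final int KM_ERROR_UNSUPPORTED_KEY_FORMAT = -17;
    public static final int KM_ERROR_INCOMPATIBLE_KEY_FORMAT = -18;
    public static final int KM_ERROR_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM = -19;
    public static final int KM_ERROR_UNSUPPORTED_KEY_VERIFICATION_ALGORITHM = -20;
    public static final int KM_ERROR_INVALID_INPUT_LENGTH = -21;
    public static final int KM_ERROR_KEY_EXPORT_OPTIONS_INVALID = -22;
    public static final int KM_ERROR_DELEGATION_NOT_ALLOWED = -23;
    public static final int KM_ERROR_KEY_NOT_YET_VALID = -24;
    public static final int KM_ERROR_KEY_EXPIRED = -25;
    public static final int KM_ERROR_KEY_USER_NOT_AUTHENTICATED = -26;
    public static final int KM_ERROR_OUTPUT_PARAMETER_NULL = -27;
    public static final int KM_ERROR_INVALID_OPERATION_HANDLE = -28;
    public static final int KM_ERROR_INSUFFICIENT_BUFFER_SPACE = -29;
    public static final int KM_ERROR_VERIFICATION_FAILED = -30;
    public static final int KM_ERROR_TOO_MANY_OPERATIONS = -31;
    public static final int KM_ERROR_UNEXPECTED_NULL_POINTER = -32;
    public static final int KM_ERROR_INVALID_KEY_BLOB = -33;
    public static final int KM_ERROR_IMPORTED_KEY_NOT_ENCRYPTED = -34;
    public static final int KM_ERROR_IMPORTED_KEY_DECRYPTION_FAILED = -35;
    public static final int KM_ERROR_IMPORTED_KEY_NOT_SIGNED = -36;
    public static final int KM_ERROR_IMPORTED_KEY_VERIFICATION_FAILED = -37;
    public static final int KM_ERROR_INVALID_ARGUMENT = -38;
    public static final int KM_ERROR_UNSUPPORTED_TAG = -39;
    public static final int KM_ERROR_INVALID_TAG = -40;
    public static final int KM_ERROR_MEMORY_ALLOCATION_FAILED = -41;
    public static final int KM_ERROR_INVALID_RESCOPING = -42;
    public static final int KM_ERROR_IMPORT_PARAMETER_MISMATCH = -44;
    public static final int KM_ERROR_SECURE_HW_ACCESS_DENIED = -45;
    public static final int KM_ERROR_OPERATION_CANCELLED = -46;
    public static final int KM_ERROR_CONCURRENT_ACCESS_CONFLICT = -47;
    public static final int KM_ERROR_SECURE_HW_BUSY = -48;
    public static final int KM_ERROR_SECURE_HW_COMMUNICATION_FAILED = -49;
    public static final int KM_ERROR_UNSUPPORTED_EC_FIELD = -50;
    public static final int KM_ERROR_MISSING_NONCE = -51;
    public static final int KM_ERROR_INVALID_NONCE = -52;
    public static final int KM_ERROR_MISSING_MAC_LENGTH = -53;
    public static final int KM_ERROR_KEY_RATE_LIMIT_EXCEEDED = -54;
    public static final int KM_ERROR_CALLER_NONCE_PROHIBITED = -55;
    public static final int KM_ERROR_KEY_MAX_OPS_EXCEEDED = -56;
    public static final int KM_ERROR_INVALID_MAC_LENGTH = -57;
    public static final int KM_ERROR_MISSING_MIN_MAC_LENGTH = -58;
    public static final int KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH = -59;
    public static final int KM_ERROR_CANNOT_ATTEST_IDS = -66;
    public static final int KM_ERROR_UNIMPLEMENTED = -100;
    public static final int KM_ERROR_VERSION_MISMATCH = -101;
    public static final int KM_ERROR_UNKNOWN_ERROR = -1000;

    /**
     * Human-readable messages for a subset of the error codes above.
     *
     * <p>The map is a read-only view: it is a single table shared by every caller in the
     * process, so it is wrapped to keep one caller from rewriting or removing the text that
     * another caller reports. Calls that try to modify it throw
     * {@link UnsupportedOperationException}.
     *
     * <p>Not every error code has an entry (for example
     * {@link #KM_ERROR_ROOT_OF_TRUST_ALREADY_SET} and {@link #KM_ERROR_VERSION_MISMATCH} do
     * not); use {@link #getErrorMessage(int)} to get a non-null string for any code.
     */
    public static final Map<Integer, String> sErrorCodeToString;
    static {
        // Fill a private map first, then publish only the unmodifiable wrapper.
        final Map<Integer, String> messages = new HashMap<Integer, String>();
        messages.put(KM_ERROR_OK, "OK");
        messages.put(KM_ERROR_UNSUPPORTED_PURPOSE, "Unsupported purpose");
        messages.put(KM_ERROR_INCOMPATIBLE_PURPOSE, "Incompatible purpose");
        messages.put(KM_ERROR_UNSUPPORTED_ALGORITHM, "Unsupported algorithm");
        messages.put(KM_ERROR_INCOMPATIBLE_ALGORITHM, "Incompatible algorithm");
        messages.put(KM_ERROR_UNSUPPORTED_KEY_SIZE, "Unsupported key size");
        messages.put(KM_ERROR_UNSUPPORTED_BLOCK_MODE, "Unsupported block mode");
        messages.put(KM_ERROR_INCOMPATIBLE_BLOCK_MODE, "Incompatible block mode");
        messages.put(KM_ERROR_UNSUPPORTED_MAC_LENGTH,
                "Unsupported MAC or authentication tag length");
        messages.put(KM_ERROR_UNSUPPORTED_PADDING_MODE, "Unsupported padding mode");
        messages.put(KM_ERROR_INCOMPATIBLE_PADDING_MODE, "Incompatible padding mode");
        messages.put(KM_ERROR_UNSUPPORTED_DIGEST, "Unsupported digest");
        messages.put(KM_ERROR_INCOMPATIBLE_DIGEST, "Incompatible digest");
        messages.put(KM_ERROR_INVALID_EXPIRATION_TIME, "Invalid expiration time");
        messages.put(KM_ERROR_INVALID_USER_ID, "Invalid user ID");
        messages.put(KM_ERROR_INVALID_AUTHORIZATION_TIMEOUT,
                "Invalid user authorization timeout");
        messages.put(KM_ERROR_UNSUPPORTED_KEY_FORMAT, "Unsupported key format");
        messages.put(KM_ERROR_INCOMPATIBLE_KEY_FORMAT, "Incompatible key format");
        messages.put(KM_ERROR_INVALID_INPUT_LENGTH, "Invalid input length");
        messages.put(KM_ERROR_KEY_NOT_YET_VALID, "Key not yet valid");
        messages.put(KM_ERROR_KEY_EXPIRED, "Key expired");
        messages.put(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, "Key user not authenticated");
        messages.put(KM_ERROR_INVALID_OPERATION_HANDLE, "Invalid operation handle");
        messages.put(KM_ERROR_VERIFICATION_FAILED, "Signature/MAC verification failed");
        messages.put(KM_ERROR_TOO_MANY_OPERATIONS, "Too many operations");
        messages.put(KM_ERROR_INVALID_KEY_BLOB, "Invalid key blob");
        messages.put(KM_ERROR_INVALID_ARGUMENT, "Invalid argument");
        messages.put(KM_ERROR_UNSUPPORTED_TAG, "Unsupported tag");
        messages.put(KM_ERROR_INVALID_TAG, "Invalid tag");
        messages.put(KM_ERROR_MEMORY_ALLOCATION_FAILED, "Memory allocation failed");
        messages.put(KM_ERROR_UNSUPPORTED_EC_FIELD, "Unsupported EC field");
        messages.put(KM_ERROR_MISSING_NONCE, "Required IV missing");
        messages.put(KM_ERROR_INVALID_NONCE, "Invalid IV");
        messages.put(KM_ERROR_CALLER_NONCE_PROHIBITED,
                "Caller-provided IV not permitted");
        messages.put(KM_ERROR_INVALID_MAC_LENGTH,
                "Invalid MAC or authentication tag length");
        messages.put(KM_ERROR_CANNOT_ATTEST_IDS, "Unable to attest device ids");
        messages.put(KM_ERROR_UNIMPLEMENTED, "Not implemented");
        messages.put(KM_ERROR_UNKNOWN_ERROR, "Unknown error");
        sErrorCodeToString = Collections.unmodifiableMap(messages);
    }

    /**
     * Extracts the tag type from a tag value.
     *
     * @param tag a tag value such as {@link #KM_TAG_PURPOSE}
     * @return the top four bits of {@code tag}, directly comparable (with {@code ==}) to the
     *         tag type constants such as {@link #KM_ENUM_REP}; the result is negative for
     *         {@link #KM_BIGNUM}, {@link #KM_BYTES} and {@link #KM_ULONG_REP}
     */
    public static int getTagType(int tag) {
        return tag & TAG_TYPE_MASK;
    }

    /**
     * Returns a diagnostic string for a keymaster error code.
     *
     * @param errorCode a keymaster error code, normally one of the {@code KM_ERROR_*} values
     * @return the message registered in {@link #sErrorCodeToString}, or the decimal form of
     *         {@code errorCode} when no message is registered; never {@code null}
     */
    public static String getErrorMessage(int errorCode) {
        final String message = sErrorCodeToString.get(errorCode);
        return (message != null) ? message : String.valueOf(errorCode);
    }
}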