1 /*
2  * Copyright (C) 2009 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef __KEYSTORE_H__
18 #define __KEYSTORE_H__
19 
20 #include <stdint.h>
21 
22 // note state values overlap with ResponseCode for the purposes of the state() API
23 enum State {
24     STATE_NO_ERROR      = 1,
25     STATE_LOCKED        = 2,
26     STATE_UNINITIALIZED = 3,
27 };
28 
29 enum class ResponseCode: int32_t {
30     NO_ERROR          =  STATE_NO_ERROR, // 1
31     LOCKED            =  STATE_LOCKED, // 2
32     UNINITIALIZED     =  STATE_UNINITIALIZED, // 3
33     SYSTEM_ERROR      =  4,
34     PROTOCOL_ERROR    =  5,
35     PERMISSION_DENIED =  6,
36     KEY_NOT_FOUND     =  7,
37     VALUE_CORRUPTED   =  8,
38     UNDEFINED_ACTION  =  9,
39     WRONG_PASSWORD_0  = 10,
40     WRONG_PASSWORD_1  = 11,
41     WRONG_PASSWORD_2  = 12,
42     WRONG_PASSWORD_3  = 13, // MAX_RETRY = 4
43     SIGNATURE_INVALID = 14,
44     OP_AUTH_NEEDED    = 15, // Auth is needed for this operation before it can be used.
45 };
46 
47 /*
48  * All the flags for import and insert calls.
49  */
50 enum KeyStoreFlag : uint8_t {
51     KEYSTORE_FLAG_NONE = 0,
52     KEYSTORE_FLAG_ENCRYPTED = 1 << 0,
53     KEYSTORE_FLAG_FALLBACK = 1 << 1,
54     // KEYSTORE_FLAG_SUPER_ENCRYPTED is for blobs that are already encrypted by keymaster but have
55     // an additional layer of password-based encryption applied.  The same encryption scheme is used
56     // as KEYSTORE_FLAG_ENCRYPTED, but it's safe to remove super-encryption when the password is
57     // cleared, rather than deleting blobs, and the error returned when attempting to use a
58     // super-encrypted blob while keystore is locked is different.
59     KEYSTORE_FLAG_SUPER_ENCRYPTED = 1 << 2,
60     // KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION is for blobs that are part of device encryption
61     // flow so it receives special treatment from keystore. For example this blob will not be super
62     // encrypted, and it will be stored separately under an unique UID instead. This flag should
63     // only be available to system uid.
64     KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION = 1 << 3,
65 };
66 
67 /**
68  * Returns the size of the softkey magic header value for measuring
69  * and allocating purposes.
70  */
71 size_t get_softkey_header_size();
72 
73 /**
74  * Adds the magic softkey header to a key blob.
75  *
76  * Returns NULL if the destination array is too small. Otherwise it
77  * returns the offset directly after the magic value.
78  */
79 uint8_t* add_softkey_header(uint8_t* key_blob, size_t key_blob_length);
80 
81 /**
82  * Returns true if the key blob has a magic softkey header at the beginning.
83  */
84 bool is_softkey(const uint8_t* key_blob, const size_t key_blob_length);
85 
86 #endif
87