keymaster_defs.h revision 0e5fca1ca4777f5f5d5fa8bd0de139e42077881b
1/* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#ifndef ANDROID_HARDWARE_KEYMASTER_DEFS_H 18#define ANDROID_HARDWARE_KEYMASTER_DEFS_H 19 20#include <stdint.h> 21#include <stdlib.h> 22#include <string.h> 23 24#if defined(__cplusplus) 25extern "C" { 26#endif // defined(__cplusplus) 27 28/*! 29 * \deprecated Flags for keymaster_device::flags 30 * 31 * keymaster_device::flags is deprecated and will be removed in the 32 * next version of the API in favor of the more detailed information 33 * available from TODO: 34 */ 35enum { 36 /* 37 * Indicates this keymaster implementation does not have hardware that 38 * keeps private keys out of user space. 39 * 40 * This should not be implemented on anything other than the default 41 * implementation. 42 */ 43 KEYMASTER_SOFTWARE_ONLY = 1 << 0, 44 45 /* 46 * This indicates that the key blobs returned via all the primitives 47 * are sufficient to operate on their own without the trusted OS 48 * querying userspace to retrieve some other data. Key blobs of 49 * this type are normally returned encrypted with a 50 * Key Encryption Key (KEK). 51 * 52 * This is currently used by "vold" to know whether the whole disk 53 * encryption secret can be unwrapped without having some external 54 * service started up beforehand since the "/data" partition will 55 * be unavailable at that point. 56 */ 57 KEYMASTER_BLOBS_ARE_STANDALONE = 1 << 1, 58 59 /* 60 * Indicates that the keymaster module supports DSA keys. 61 */ 62 KEYMASTER_SUPPORTS_DSA = 1 << 2, 63 64 /* 65 * Indicates that the keymaster module supports EC keys. 66 */ 67 KEYMASTER_SUPPORTS_EC = 1 << 3, 68}; 69 70/** 71 * \deprecated Asymmetric key pair types. 72 */ 73typedef enum { 74 TYPE_RSA = 1, 75 TYPE_DSA = 2, 76 TYPE_EC = 3, 77} keymaster_keypair_t; 78 79/** 80 * Authorization tags each have an associated type. This enumeration facilitates tagging each with 81 * a type, by using the high four bits (of an implied 32-bit unsigned enum value) to specify up to 82 * 16 data types. These values are ORed with tag IDs to generate the final tag ID values. 83 */ 84typedef enum { 85 KM_INVALID = 0 << 28, /* Invalid type, used to designate a tag as uninitialized */ 86 KM_ENUM = 1 << 28, 87 KM_ENUM_REP = 2 << 28, /* Repeatable enumeration value. */ 88 KM_INT = 3 << 28, 89 KM_INT_REP = 4 << 28, /* Repeatable integer value */ 90 KM_LONG = 5 << 28, 91 KM_DATE = 6 << 28, 92 KM_BOOL = 7 << 28, 93 KM_BIGNUM = 8 << 28, 94 KM_BYTES = 9 << 28, 95} keymaster_tag_type_t; 96 97typedef enum { 98 KM_TAG_INVALID = KM_INVALID | 0, 99 100 /* 101 * Tags that must be semantically enforced by hardware and software implementations. 102 */ 103 104 /* Crypto parameters */ 105 KM_TAG_PURPOSE = KM_ENUM_REP | 1, /* keymaster_purpose_t. */ 106 KM_TAG_ALGORITHM = KM_ENUM | 2, /* keymaster_algorithm_t. */ 107 KM_TAG_KEY_SIZE = KM_INT | 3, /* Key size in bits. */ 108 KM_TAG_BLOCK_MODE = KM_ENUM | 4, /* keymaster_block_mode_t. */ 109 KM_TAG_DIGEST = KM_ENUM | 5, /* keymaster_digest_t. */ 110 KM_TAG_MAC_LENGTH = KM_INT | 6, /* MAC length in bits. */ 111 KM_TAG_PADDING = KM_ENUM | 7, /* keymaster_padding_t. */ 112 KM_TAG_RETURN_UNAUTHED = KM_BOOL | 8, /* Allow AEAD decryption to return plaintext before it has 113 been authenticated. WARNING: Not recommended. */ 114 KM_TAG_CALLER_NONCE = KM_BOOL | 9, /* Allow caller to specify nonce or IV. */ 115 116 /* Other hardware-enforced. */ 117 KM_TAG_RESCOPING_ADD = KM_ENUM_REP | 101, /* Tags authorized for addition via rescoping. */ 118 KM_TAG_RESCOPING_DEL = KM_ENUM_REP | 102, /* Tags authorized for removal via rescoping. */ 119 KM_TAG_BLOB_USAGE_REQUIREMENTS = KM_ENUM | 705, /* keymaster_key_blob_usage_requirements_t */ 120 121 /* Algorithm-specific. */ 122 KM_TAG_RSA_PUBLIC_EXPONENT = KM_LONG | 200, /* Defaults to 2^16+1 */ 123 KM_TAG_DSA_GENERATOR = KM_BIGNUM | 201, 124 KM_TAG_DSA_P = KM_BIGNUM | 202, 125 KM_TAG_DSA_Q = KM_BIGNUM | 203, 126 /* Note there are no EC-specific params. Field size is defined by KM_TAG_KEY_SIZE, and the 127 curve is chosen from NIST recommendations for field size */ 128 129 /* 130 * Tags that should be semantically enforced by hardware if possible and will otherwise be 131 * enforced by software (keystore). 132 */ 133 134 /* Key validity period */ 135 KM_TAG_ACTIVE_DATETIME = KM_DATE | 400, /* Start of validity */ 136 KM_TAG_ORIGINATION_EXPIRE_DATETIME = KM_DATE | 401, /* Date when new "messages" should no 137 longer be created. */ 138 KM_TAG_USAGE_EXPIRE_DATETIME = KM_DATE | 402, /* Date when existing "messages" should no 139 longer be trusted. */ 140 KM_TAG_MIN_SECONDS_BETWEEN_OPS = KM_INT | 403, /* Minimum elapsed time between 141 cryptographic operations with the key. */ 142 KM_TAG_MAX_USES_PER_BOOT = KM_INT | 404, /* Number of times the key can be used per 143 boot. */ 144 145 /* User authentication */ 146 KM_TAG_ALL_USERS = KM_BOOL | 500, /* If key is usable by all users. */ 147 KM_TAG_USER_ID = KM_INT | 501, /* ID of authorized user. Disallowed if 148 KM_TAG_ALL_USERS is present. */ 149 KM_TAG_NO_AUTH_REQUIRED = KM_BOOL | 502, /* If key is usable without authentication. */ 150 KM_TAG_USER_AUTH_ID = KM_INT_REP | 503, /* ID of the authenticator to use (e.g. password, 151 fingerprint, etc.). Repeatable to support 152 multi-factor auth. Disallowed if 153 KM_TAG_NO_AUTH_REQUIRED is present. */ 154 KM_TAG_AUTH_TIMEOUT = KM_INT | 504, /* Required freshness of user authentication for 155 private/secret key operations, in seconds. 156 Public key operations require no authentication. 157 If absent, authentication is required for every 158 use. Authentication state is lost when the 159 device is powered off. */ 160 161 /* Application access control */ 162 KM_TAG_ALL_APPLICATIONS = KM_BOOL | 600, /* If key is usable by all applications. */ 163 KM_TAG_APPLICATION_ID = KM_BYTES | 601, /* ID of authorized application. Disallowed if 164 KM_TAG_ALL_APPLICATIONS is present. */ 165 166 /* 167 * Semantically unenforceable tags, either because they have no specific meaning or because 168 * they're informational only. 169 */ 170 KM_TAG_APPLICATION_DATA = KM_BYTES | 700, /* Data provided by authorized application. */ 171 KM_TAG_CREATION_DATETIME = KM_DATE | 701, /* Key creation time */ 172 KM_TAG_ORIGIN = KM_ENUM | 702, /* keymaster_key_origin_t. */ 173 KM_TAG_ROLLBACK_RESISTANT = KM_BOOL | 703, /* Whether key is rollback-resistant. */ 174 KM_TAG_ROOT_OF_TRUST = KM_BYTES | 704, /* Root of trust ID. Empty array means usable by all 175 roots. */ 176 177 /* Tags used only to provide data to or receive data from operations */ 178 KM_TAG_ASSOCIATED_DATA = KM_BYTES | 1000, /* Used to provide associated data for AEAD modes. */ 179 KM_TAG_NONCE = KM_BYTES | 1001, /* Nonce or Initialization Vector */ 180 KM_TAG_CHUNK_LENGTH = KM_INT | 1002, /* AEAD mode chunk size, in bytes. 0 means no limit, 181 which requires KM_TAG_RETURN_UNAUTHED. */ 182} keymaster_tag_t; 183 184/** 185 * Algorithms that may be provided by keymaster implementations. Those that must be provided by all 186 * implementations are tagged as "required". Note that where the values in this enumeration overlap 187 * with the values for the deprecated keymaster_keypair_t, the same algorithm must be 188 * specified. This type is new in 0_4 and replaces the deprecated keymaster_keypair_t. 189 */ 190typedef enum { 191 /* Asymmetric algorithms. */ 192 KM_ALGORITHM_RSA = 1, /* required */ 193 KM_ALGORITHM_DSA = 2, 194 KM_ALGORITHM_ECDSA = 3, /* required */ 195 KM_ALGORITHM_ECIES = 4, 196 /* FIPS Approved Ciphers */ 197 KM_ALGORITHM_AES = 32, /* required */ 198 KM_ALGORITHM_3DES = 33, 199 KM_ALGORITHM_SKIPJACK = 34, 200 /* AES Finalists */ 201 KM_ALGORITHM_MARS = 48, 202 KM_ALGORITHM_RC6 = 49, 203 KM_ALGORITHM_SERPENT = 50, 204 KM_ALGORITHM_TWOFISH = 51, 205 /* Other common block ciphers */ 206 KM_ALGORITHM_IDEA = 52, 207 KM_ALGORITHM_RC5 = 53, 208 KM_ALGORITHM_CAST5 = 54, 209 KM_ALGORITHM_BLOWFISH = 55, 210 /* Common stream ciphers */ 211 KM_ALGORITHM_RC4 = 64, 212 KM_ALGORITHM_CHACHA20 = 65, 213 /* MAC algorithms */ 214 KM_ALGORITHM_HMAC = 128, /* required */ 215} keymaster_algorithm_t; 216 217/** 218 * Symmetric block cipher modes that may be provided by keymaster implementations. Those that must 219 * be provided by all implementations are tagged as "required". This type is new in 0_4. 220 * 221 * KM_MODE_FIRST_UNAUTHENTICATED, KM_MODE_FIRST_AUTHENTICATED and KM_MODE_FIRST_MAC are not modes, 222 * but markers used to separate the available modes into classes. 223 */ 224typedef enum { 225 /* Unauthenticated modes, usable only for encryption/decryption and not generally recommended 226 * except for compatibility with existing other protocols. */ 227 KM_MODE_FIRST_UNAUTHENTICATED = 1, 228 KM_MODE_ECB = KM_MODE_FIRST_UNAUTHENTICATED, /* required */ 229 KM_MODE_CBC = 2, /* required */ 230 KM_MODE_CBC_CTS = 3, /* recommended */ 231 KM_MODE_CTR = 4, /* recommended */ 232 KM_MODE_OFB = 5, 233 KM_MODE_CFB = 6, 234 KM_MODE_XTS = 7, /* Note: requires double-length keys */ 235 /* Authenticated modes, usable for encryption/decryption and signing/verification. Recommended 236 * over unauthenticated modes for all purposes. One of KM_MODE_GCM and KM_MODE_OCB is 237 * required. */ 238 KM_MODE_FIRST_AUTHENTICATED = 32, 239 KM_MODE_GCM = KM_MODE_FIRST_AUTHENTICATED, 240 KM_MODE_OCB = 33, 241 KM_MODE_CCM = 34, 242 /* MAC modes -- only for signing/verification */ 243 KM_MODE_FIRST_MAC = 128, 244 KM_MODE_CMAC = KM_MODE_FIRST_MAC, 245 KM_MODE_POLY1305 = 129, 246} keymaster_block_mode_t; 247 248/** 249 * Padding modes that may be applied to plaintext for encryption operations. This list includes 250 * padding modes for both symmetric and asymmetric algorithms. Note that implementations should not 251 * provide all possible combinations of algorithm and padding, only the 252 * cryptographically-appropriate pairs. 253 */ 254typedef enum { 255 KM_PAD_NONE = 1, /* required, deprecated */ 256 KM_PAD_RSA_OAEP = 2, /* required */ 257 KM_PAD_RSA_PSS = 3, /* required */ 258 KM_PAD_RSA_PKCS1_1_5_ENCRYPT = 4, 259 KM_PAD_RSA_PKCS1_1_5_SIGN = 5, 260 KM_PAD_ANSI_X923 = 32, 261 KM_PAD_ISO_10126 = 33, 262 KM_PAD_ZERO = 64, /* required */ 263 KM_PAD_PKCS7 = 65, /* required */ 264 KM_PAD_ISO_7816_4 = 66, 265} keymaster_padding_t; 266 267/** 268 * Digests that may be provided by keymaster implementations. Those that must be provided by all 269 * implementations are tagged as "required". Those that have been added since version 0_2 of the 270 * API are tagged as "new". 271 */ 272typedef enum { 273 KM_DIGEST_NONE = 0, /* new, required */ 274 DIGEST_NONE = KM_DIGEST_NONE, /* For 0_2 compatibility */ 275 KM_DIGEST_MD5 = 1, /* new, for compatibility with old protocols only */ 276 KM_DIGEST_SHA1 = 2, /* new */ 277 KM_DIGEST_SHA_2_224 = 3, /* new */ 278 KM_DIGEST_SHA_2_256 = 4, /* new, required */ 279 KM_DIGEST_SHA_2_384 = 5, /* new, recommended */ 280 KM_DIGEST_SHA_2_512 = 6, /* new, recommended */ 281 KM_DIGEST_SHA_3_256 = 7, /* new */ 282 KM_DIGEST_SHA_3_384 = 8, /* new */ 283 KM_DIGEST_SHA_3_512 = 9, /* new */ 284} keymaster_digest_t; 285 286/** 287 * The origin of a key (or pair), i.e. where it was generated. Origin and can be used together to 288 * determine whether a key may have existed outside of secure hardware. This type is new in 0_4. 289 */ 290typedef enum { 291 KM_ORIGIN_HARDWARE = 0, /* Generated in secure hardware */ 292 KM_ORIGIN_SOFTWARE = 1, /* Generated in non-secure software */ 293 KM_ORIGIN_IMPORTED = 2, /* Imported, origin unknown */ 294} keymaster_key_origin_t; 295 296/** 297 * Usability requirements of key blobs. This defines what system functionality must be available 298 * for the key to function. For example, key "blobs" which are actually handles referencing 299 * encrypted key material stored in the file system cannot be used until the file system is 300 * available, and should have BLOB_REQUIRES_FILE_SYSTEM. Other requirements entries will be added 301 * as needed for implementations. This type is new in 0_4. 302 */ 303typedef enum { 304 KM_BLOB_STANDALONE = 0, 305 KM_BLOB_REQUIRES_FILE_SYSTEM = 1, 306} keymaster_key_blob_usage_requirements_t; 307 308/** 309 * Possible purposes of a key (or pair). This type is new in 0_4. 310 */ 311typedef enum { 312 KM_PURPOSE_ENCRYPT = 0, 313 KM_PURPOSE_DECRYPT = 1, 314 KM_PURPOSE_SIGN = 2, 315 KM_PURPOSE_VERIFY = 3, 316} keymaster_purpose_t; 317 318typedef struct { 319 const uint8_t* data; 320 size_t data_length; 321} keymaster_blob_t; 322 323typedef struct { 324 keymaster_tag_t tag; 325 union { 326 uint32_t enumerated; /* KM_ENUM and KM_ENUM_REP */ 327 bool boolean; /* KM_BOOL */ 328 uint32_t integer; /* KM_INT and KM_INT_REP */ 329 uint64_t long_integer; /* KM_LONG */ 330 uint64_t date_time; /* KM_DATE */ 331 keymaster_blob_t blob; /* KM_BIGNUM and KM_BYTES*/ 332 }; 333} keymaster_key_param_t; 334 335typedef struct { 336 keymaster_key_param_t* params; /* may be NULL if length == 0 */ 337 size_t length; 338} keymaster_key_param_set_t; 339 340/** 341 * Parameters that define a key's characteristics, including authorized modes of usage and access 342 * control restrictions. The parameters are divided into two categories, those that are enforced by 343 * secure hardware, and those that are not. For a software-only keymaster implementation the 344 * enforced array must NULL. Hardware implementations must enforce everything in the enforced 345 * array. 346 */ 347typedef struct { 348 keymaster_key_param_set_t hw_enforced; 349 keymaster_key_param_set_t sw_enforced; 350} keymaster_key_characteristics_t; 351 352typedef struct { 353 const uint8_t* key_material; 354 size_t key_material_size; 355} keymaster_key_blob_t; 356 357/** 358 * Formats for key import and export. At present, only asymmetric key import/export is supported. 359 * In the future this list will expand greatly to accommodate asymmetric key import/export. 360 */ 361typedef enum { 362 KM_KEY_FORMAT_X509 = 0, /* for public key export, required */ 363 KM_KEY_FORMAT_PKCS8 = 1, /* for asymmetric key pair import, required */ 364 KM_KEY_FORMAT_PKCS12 = 2, /* for asymmetric key pair import, not required */ 365 KM_KEY_FORMAT_RAW = 3, /* for symmetric key import, required */ 366} keymaster_key_format_t; 367 368/** 369 * The keymaster operation API consists of begin, update, finish and abort. This is the type of the 370 * handle used to tie the sequence of calls together. A 64-bit value is used because it's important 371 * that handles not be predictable. Implementations must use strong random numbers for handle 372 * values. 373 */ 374typedef uint64_t keymaster_operation_handle_t; 375 376typedef enum { 377 KM_ERROR_OK = 0, 378 KM_ERROR_ROOT_OF_TRUST_ALREADY_SET = -1, 379 KM_ERROR_UNSUPPORTED_PURPOSE = -2, 380 KM_ERROR_INCOMPATIBLE_PURPOSE = -3, 381 KM_ERROR_UNSUPPORTED_ALGORITHM = -4, 382 KM_ERROR_INCOMPATIBLE_ALGORITHM = -5, 383 KM_ERROR_UNSUPPORTED_KEY_SIZE = -6, 384 KM_ERROR_UNSUPPORTED_BLOCK_MODE = -7, 385 KM_ERROR_INCOMPATIBLE_BLOCK_MODE = -8, 386 KM_ERROR_UNSUPPORTED_MAC_LENGTH = -9, 387 KM_ERROR_UNSUPPORTED_PADDING_MODE = -10, 388 KM_ERROR_INCOMPATIBLE_PADDING_MODE = -11, 389 KM_ERROR_UNSUPPORTED_DIGEST = -12, 390 KM_ERROR_INCOMPATIBLE_DIGEST = -13, 391 KM_ERROR_INVALID_EXPIRATION_TIME = -14, 392 KM_ERROR_INVALID_USER_ID = -15, 393 KM_ERROR_INVALID_AUTHORIZATION_TIMEOUT = -16, 394 KM_ERROR_UNSUPPORTED_KEY_FORMAT = -17, 395 KM_ERROR_INCOMPATIBLE_KEY_FORMAT = -18, 396 KM_ERROR_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM = -19, /* For PKCS8 & PKCS12 */ 397 KM_ERROR_UNSUPPORTED_KEY_VERIFICATION_ALGORITHM = -20, /* For PKCS8 & PKCS12 */ 398 KM_ERROR_INVALID_INPUT_LENGTH = -21, 399 KM_ERROR_KEY_EXPORT_OPTIONS_INVALID = -22, 400 KM_ERROR_DELEGATION_NOT_ALLOWED = -23, 401 KM_ERROR_KEY_NOT_YET_VALID = -24, 402 KM_ERROR_KEY_EXPIRED = -25, 403 KM_ERROR_KEY_USER_NOT_AUTHENTICATED = -26, 404 KM_ERROR_OUTPUT_PARAMETER_NULL = -27, 405 KM_ERROR_INVALID_OPERATION_HANDLE = -28, 406 KM_ERROR_INSUFFICIENT_BUFFER_SPACE = -29, 407 KM_ERROR_VERIFICATION_FAILED = -30, 408 KM_ERROR_TOO_MANY_OPERATIONS = -31, 409 KM_ERROR_UNEXPECTED_NULL_POINTER = -32, 410 KM_ERROR_INVALID_KEY_BLOB = -33, 411 KM_ERROR_IMPORTED_KEY_NOT_ENCRYPTED = -34, 412 KM_ERROR_IMPORTED_KEY_DECRYPTION_FAILED = -35, 413 KM_ERROR_IMPORTED_KEY_NOT_SIGNED = -36, 414 KM_ERROR_IMPORTED_KEY_VERIFICATION_FAILED = -37, 415 KM_ERROR_INVALID_ARGUMENT = -38, 416 KM_ERROR_UNSUPPORTED_TAG = -39, 417 KM_ERROR_INVALID_TAG = -40, 418 KM_ERROR_MEMORY_ALLOCATION_FAILED = -41, 419 KM_ERROR_INVALID_RESCOPING = -42, 420 KM_ERROR_INVALID_DSA_PARAMS = -43, 421 KM_ERROR_IMPORT_PARAMETER_MISMATCH = -44, 422 KM_ERROR_SECURE_HW_ACCESS_DENIED = -45, 423 KM_ERROR_OPERATION_CANCELLED = -46, 424 KM_ERROR_CONCURRENT_ACCESS_CONFLICT = -47, 425 KM_ERROR_SECURE_HW_BUSY = -48, 426 KM_ERROR_SECURE_HW_COMMUNICATION_FAILED = -49, 427 KM_ERROR_UNSUPPORTED_EC_FIELD = -50, 428 KM_ERROR_UNIMPLEMENTED = -100, 429 KM_ERROR_VERSION_MISMATCH = -101, 430 431 /* Additional error codes may be added by implementations, but implementers should coordinate 432 * with Google to avoid code collision. */ 433 KM_ERROR_UNKNOWN_ERROR = -1000, 434} keymaster_error_t; 435 436/** 437 * \deprecated Parameters needed to generate an RSA key. 438 */ 439typedef struct { 440 uint32_t modulus_size; /* bits */ 441 uint64_t public_exponent; 442} keymaster_rsa_keygen_params_t; 443 444/** 445 * \deprecated Parameters needed to generate a DSA key. 446 */ 447typedef struct { 448 uint32_t key_size; /* bits */ 449 uint32_t generator_len; 450 uint32_t prime_p_len; 451 uint32_t prime_q_len; 452 const uint8_t* generator; 453 const uint8_t* prime_p; 454 const uint8_t* prime_q; 455} keymaster_dsa_keygen_params_t; 456 457/** 458 * \deprecated Parameters needed to generate an EC key. 459 * 460 * Field size is the only parameter in version 4. The sizes correspond to these required curves: 461 * 462 * 192 = NIST P-192 463 * 224 = NIST P-224 464 * 256 = NIST P-256 465 * 384 = NIST P-384 466 * 521 = NIST P-521 467 * 468 * The parameters for these curves are available at: http://www.nsa.gov/ia/_files/nist-routines.pdf 469 * in Chapter 4. 470 */ 471typedef struct { uint32_t field_size; /* bits */ } keymaster_ec_keygen_params_t; 472 473/** 474 * \deprecated Type of padding used for RSA operations. 475 */ 476typedef enum { 477 PADDING_NONE, 478} keymaster_rsa_padding_t; 479 480/** 481 * \deprecated 482 */ 483typedef struct { keymaster_digest_t digest_type; } keymaster_dsa_sign_params_t; 484 485/** 486 * \deprecated 487 */ 488typedef struct { keymaster_digest_t digest_type; } keymaster_ec_sign_params_t; 489 490/** 491 *\deprecated 492 */ 493typedef struct { 494 keymaster_digest_t digest_type; 495 keymaster_rsa_padding_t padding_type; 496} keymaster_rsa_sign_params_t; 497 498/* Convenience functions for manipulating keymaster tag types */ 499 500static inline keymaster_tag_type_t keymaster_tag_get_type(keymaster_tag_t tag) { 501 return (keymaster_tag_type_t)(tag & (0xF << 28)); 502} 503 504static inline uint32_t keymaster_tag_mask_type(keymaster_tag_t tag) { 505 return tag & 0x0FFFFFFF; 506} 507 508static inline bool keymaster_tag_type_repeatable(keymaster_tag_type_t type) { 509 switch (type) { 510 case KM_INT_REP: 511 case KM_ENUM_REP: 512 return true; 513 default: 514 return false; 515 } 516} 517 518static inline bool keymaster_tag_repeatable(keymaster_tag_t tag) { 519 return keymaster_tag_type_repeatable(keymaster_tag_get_type(tag)); 520} 521 522/* Convenience functions for manipulating keymaster_key_param_t structs */ 523 524inline keymaster_key_param_t keymaster_param_enum(keymaster_tag_t tag, uint32_t value) { 525 // assert(keymaster_tag_get_type(tag) == KM_ENUM || keymaster_tag_get_type(tag) == KM_ENUM_REP); 526 keymaster_key_param_t param; 527 memset(¶m, 0, sizeof(param)); 528 param.tag = tag; 529 param.enumerated = value; 530 return param; 531} 532 533inline keymaster_key_param_t keymaster_param_int(keymaster_tag_t tag, uint32_t value) { 534 // assert(keymaster_tag_get_type(tag) == KM_INT || keymaster_tag_get_type(tag) == KM_INT_REP); 535 keymaster_key_param_t param; 536 memset(¶m, 0, sizeof(param)); 537 param.tag = tag; 538 param.integer = value; 539 return param; 540} 541 542inline keymaster_key_param_t keymaster_param_long(keymaster_tag_t tag, uint64_t value) { 543 // assert(keymaster_tag_get_type(tag) == KM_LONG); 544 keymaster_key_param_t param; 545 memset(¶m, 0, sizeof(param)); 546 param.tag = tag; 547 param.long_integer = value; 548 return param; 549} 550 551inline keymaster_key_param_t keymaster_param_blob(keymaster_tag_t tag, const uint8_t* bytes, 552 size_t bytes_len) { 553 // assert(keymaster_tag_get_type(tag) == KM_BYTES || keymaster_tag_get_type(tag) == KM_BIGNUM); 554 keymaster_key_param_t param; 555 memset(¶m, 0, sizeof(param)); 556 param.tag = tag; 557 param.blob.data = (uint8_t*)bytes; 558 param.blob.data_length = bytes_len; 559 return param; 560} 561 562inline keymaster_key_param_t keymaster_param_bool(keymaster_tag_t tag) { 563 // assert(keymaster_tag_get_type(tag) == KM_BOOL); 564 keymaster_key_param_t param; 565 memset(¶m, 0, sizeof(param)); 566 param.tag = tag; 567 param.boolean = true; 568 return param; 569} 570 571inline keymaster_key_param_t keymaster_param_date(keymaster_tag_t tag, uint64_t value) { 572 // assert(keymaster_tag_get_type(tag) == KM_DATE); 573 keymaster_key_param_t param; 574 memset(¶m, 0, sizeof(param)); 575 param.tag = tag; 576 param.date_time = value; 577 return param; 578} 579 580inline void keymaster_free_param_values(keymaster_key_param_t* param, size_t param_count) { 581 while (param_count-- > 0) { 582 switch (keymaster_tag_get_type(param->tag)) { 583 case KM_BIGNUM: 584 case KM_BYTES: 585 free((void*)param->blob.data); 586 param->blob.data = NULL; 587 break; 588 default: 589 // NOP 590 break; 591 } 592 ++param; 593 } 594} 595 596inline void keymaster_free_param_set(keymaster_key_param_set_t* set) { 597 if (set) { 598 keymaster_free_param_values(set->params, set->length); 599 free(set->params); 600 set->params = NULL; 601 } 602} 603 604inline void keymaster_free_characteristics(keymaster_key_characteristics_t* characteristics) { 605 if (characteristics) { 606 keymaster_free_param_set(&characteristics->hw_enforced); 607 keymaster_free_param_set(&characteristics->sw_enforced); 608 } 609} 610 611#if defined(__cplusplus) 612} // extern "C" 613#endif // defined(__cplusplus) 614 615#endif // ANDROID_HARDWARE_KEYMASTER_DEFS_H 616