keymaster_defs.h revision 4c19a3af3535eb3442ff7cc4235420baf16322b7 
1/*
2 * Copyright (C) 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#ifndef ANDROID_HARDWARE_KEYMASTER_DEFS_H
18#define ANDROID_HARDWARE_KEYMASTER_DEFS_H
19
20#include <stdint.h>
21#include <stdlib.h>
22#include <string.h>
23
24#ifndef __cplusplus
25extern "C" {
26#endif  // __cplusplus
27
28/**
29 * Authorization tags each have an associated type.  This enumeration facilitates tagging each with
30 * a type, by using the high four bits (of an implied 32-bit unsigned enum value) to specify up to
31 * 16 data types.  These values are ORed with tag IDs to generate the final tag ID values.
32 */
33typedef enum {
34    KM_INVALID = 0 << 28, /* Invalid type, used to designate a tag as uninitialized */
35    KM_ENUM = 1 << 28,
36    KM_ENUM_REP = 2 << 28, /* Repeatable enumeration value. */
37    KM_INT = 3 << 28,
38    KM_INT_REP = 4 << 28, /* Repeatable integer value */
39    KM_LONG = 5 << 28,
40    KM_DATE = 6 << 28,
41    KM_BOOL = 7 << 28,
42    KM_BIGNUM = 8 << 28,
43    KM_BYTES = 9 << 28,
44    KM_LONG_REP = 10 << 28, /* Repeatable long value */
45} keymaster_tag_type_t;
46
47typedef enum {
48    KM_TAG_INVALID = KM_INVALID | 0,
49
50    /*
51     * Tags that must be semantically enforced by hardware and software implementations.
52     */
53
54    /* Crypto parameters */
55    KM_TAG_PURPOSE = KM_ENUM_REP | 1,     /* keymaster_purpose_t. */
56    KM_TAG_ALGORITHM = KM_ENUM | 2,       /* keymaster_algorithm_t. */
57    KM_TAG_KEY_SIZE = KM_INT | 3,         /* Key size in bits. */
58    KM_TAG_BLOCK_MODE = KM_ENUM_REP | 4,  /* keymaster_block_mode_t. */
59    KM_TAG_DIGEST = KM_ENUM_REP | 5,      /* keymaster_digest_t. */
60    KM_TAG_PADDING = KM_ENUM_REP | 6,     /* keymaster_padding_t. */
61    KM_TAG_RETURN_UNAUTHED = KM_BOOL | 7, /* Allow AEAD decryption to return plaintext before it has
62                                             been authenticated.  WARNING: Not recommended. */
63    KM_TAG_CALLER_NONCE = KM_BOOL | 8,    /* Allow caller to specify nonce or IV. */
64
65    /* Algorithm-specific. */
66    KM_TAG_RSA_PUBLIC_EXPONENT = KM_LONG | 200, /* Defaults to 2^16+1 */
67
68    /* Other hardware-enforced. */
69    KM_TAG_BLOB_USAGE_REQUIREMENTS = KM_ENUM | 301, /* keymaster_key_blob_usage_requirements_t */
70    KM_TAG_BOOTLOADER_ONLY = KM_BOOL | 302,         /* Usable only by bootloader */
71
72    /*
73     * Tags that should be semantically enforced by hardware if possible and will otherwise be
74     * enforced by software (keystore).
75     */
76
77    /* Key validity period */
78    KM_TAG_ACTIVE_DATETIME = KM_DATE | 400,             /* Start of validity */
79    KM_TAG_ORIGINATION_EXPIRE_DATETIME = KM_DATE | 401, /* Date when new "messages" should no
80                                                           longer be created. */
81    KM_TAG_USAGE_EXPIRE_DATETIME = KM_DATE | 402,       /* Date when existing "messages" should no
82                                                           longer be trusted. */
83    KM_TAG_MIN_SECONDS_BETWEEN_OPS = KM_INT | 403,      /* Minimum elapsed time between
84                                                           cryptographic operations with the key. */
85    KM_TAG_MAX_USES_PER_BOOT = KM_INT | 404,            /* Number of times the key can be used per
86                                                           boot. */
87
88    /* User authentication */
89    KM_TAG_ALL_USERS = KM_BOOL | 500,          /* If key is usable by all users. */
90    KM_TAG_USER_ID = KM_INT | 501,             /* ID of authorized user.  Disallowed if
91                                                  KM_TAG_ALL_USERS is present. */
92    KM_TAG_USER_SECURE_ID = KM_LONG_REP | 502, /* Secure ID of authorized user or authenticator(s).
93                                                  Disallowed if KM_TAG_ALL_USERS or
94                                                  KM_TAG_NO_AUTH_REQUIRED is present. */
95    KM_TAG_NO_AUTH_REQUIRED = KM_BOOL | 503,   /* If key is usable without authentication. */
96    KM_TAG_USER_AUTH_TYPE = KM_ENUM | 504,     /* Bitmask of authenticator types allowed when
97                                                * KM_TAG_USER_SECURE_ID contains a secure user ID,
98                                                * rather than a secure authenticator ID.  Defined in
99                                                * hw_authenticator_type_t in hw_auth_token.h. */
100    KM_TAG_AUTH_TIMEOUT = KM_INT | 505,        /* Required freshness of user authentication for
101                                                  private/secret key operations, in seconds.
102                                                  Public key operations require no authentication.
103                                                  If absent, authentication is required for every
104                                                  use.  Authentication state is lost when the
105                                                  device is powered off. */
106
107    /* Application access control */
108    KM_TAG_ALL_APPLICATIONS = KM_BOOL | 600, /* If key is usable by all applications. */
109    KM_TAG_APPLICATION_ID = KM_BYTES | 601,  /* ID of authorized application. Disallowed if
110                                                KM_TAG_ALL_APPLICATIONS is present. */
111
112    /*
113     * Semantically unenforceable tags, either because they have no specific meaning or because
114     * they're informational only.
115     */
116    KM_TAG_APPLICATION_DATA = KM_BYTES | 700,  /* Data provided by authorized application. */
117    KM_TAG_CREATION_DATETIME = KM_DATE | 701,  /* Key creation time */
118    KM_TAG_ORIGIN = KM_ENUM | 702,             /* keymaster_key_origin_t. */
119    KM_TAG_ROLLBACK_RESISTANT = KM_BOOL | 703, /* Whether key is rollback-resistant. */
120    KM_TAG_ROOT_OF_TRUST = KM_BYTES | 704,     /* Root of trust ID.  Empty array means usable by all
121                                                  roots. */
122
123    /* Tags used only to provide data to or receive data from operations */
124    KM_TAG_ASSOCIATED_DATA = KM_BYTES | 1000, /* Used to provide associated data for AEAD modes. */
125    KM_TAG_NONCE = KM_BYTES | 1001,           /* Nonce or Initialization Vector */
126    KM_TAG_CHUNK_LENGTH = KM_INT | 1002,      /* AEAD mode chunk size, in bytes.  0 means no limit,
127                                                 which requires KM_TAG_RETURN_UNAUTHED. */
128    KM_TAG_AUTH_TOKEN = KM_BYTES | 1003,      /* Authentication token that proves secure user
129                                                 authentication has been performed.  Structure
130                                                 defined in hw_auth_token_t in hw_auth_token.h. */
131    KM_TAG_MAC_LENGTH = KM_INT | 1004,        /* MAC or AEAD authentication tag length in bits. */
132} keymaster_tag_t;
133
134/**
135 * Algorithms that may be provided by keymaster implementations.  Those that must be provided by all
136 * implementations are tagged as "required".
137 */
138typedef enum {
139    /* Asymmetric algorithms. */
140    KM_ALGORITHM_RSA = 1,
141    // KM_ALGORITHM_DSA = 2, -- Removed, do not re-use value 2.
142    KM_ALGORITHM_EC = 3,
143
144    /* Block ciphers algorithms */
145    KM_ALGORITHM_AES = 32,
146
147    /* MAC algorithms */
148    KM_ALGORITHM_HMAC = 128,
149} keymaster_algorithm_t;
150
151/**
152 * Symmetric block cipher modes provided by keymaster implementations.
153 */
154typedef enum {
155    /* Unauthenticated modes, usable only for encryption/decryption and not generally recommended
156     * except for compatibility with existing other protocols. */
157    KM_MODE_ECB = 1,
158    KM_MODE_CBC = 2,
159    KM_MODE_CTR = 3,
160
161    /* Authenticated modes, usable for encryption/decryption and signing/verification.  Recommended
162     * over unauthenticated modes for all purposes. */
163    KM_MODE_GCM = 32,
164} keymaster_block_mode_t;
165
166/**
167 * Padding modes that may be applied to plaintext for encryption operations.  This list includes
168 * padding modes for both symmetric and asymmetric algorithms.  Note that implementations should not
169 * provide all possible combinations of algorithm and padding, only the
170 * cryptographically-appropriate pairs.
171 */
172typedef enum {
173    KM_PAD_NONE = 1, /* deprecated */
174    KM_PAD_RSA_OAEP = 2,
175    KM_PAD_RSA_PSS = 3,
176    KM_PAD_RSA_PKCS1_1_5_ENCRYPT = 4,
177    KM_PAD_RSA_PKCS1_1_5_SIGN = 5,
178    KM_PAD_PKCS7 = 64,
179} keymaster_padding_t;
180
181/**
182 * Digests provided by keymaster implementations.
183 */
184typedef enum {
185    KM_DIGEST_NONE = 0,
186    KM_DIGEST_MD5 = 1, /* Optional, may not be implemented in hardware, will be handled in software
187                        * if needed. */
188    KM_DIGEST_SHA1 = 2,
189    KM_DIGEST_SHA_2_224 = 3,
190    KM_DIGEST_SHA_2_256 = 4,
191    KM_DIGEST_SHA_2_384 = 5,
192    KM_DIGEST_SHA_2_512 = 6,
193} keymaster_digest_t;
194
195/**
196 * The origin of a key (or pair), i.e. where it was generated.  Note that KM_TAG_ORIGIN can be found
197 * in either the hardware-enforced or software-enforced list for a key, indicating whether the key
198 * is hardware or software-based.  Specifically, a key with KM_ORIGIN_GENERATED in the
199 * hardware-enforced list is guaranteed never to have existed outide the secure hardware.
200 */
201typedef enum {
202    KM_ORIGIN_GENERATED = 0, /* Generated in keymaster */
203    KM_ORIGIN_IMPORTED = 2,  /* Imported, origin unknown */
204    KM_ORIGIN_UNKNOWN = 3,   /* Keymaster did not record origin.  This value can only be seen on
205                              * keys in a keymaster0 implementation.  The keymaster0 adapter uses
206                              * this value to document the fact that it is unkown whether the key
207                              * was generated inside or imported into keymaster. */
208} keymaster_key_origin_t;
209
210/**
211 * Usability requirements of key blobs.  This defines what system functionality must be available
212 * for the key to function.  For example, key "blobs" which are actually handles referencing
213 * encrypted key material stored in the file system cannot be used until the file system is
214 * available, and should have BLOB_REQUIRES_FILE_SYSTEM.  Other requirements entries will be added
215 * as needed for implementations.  This type is new in 0_4.
216 */
217typedef enum {
218    KM_BLOB_STANDALONE = 0,
219    KM_BLOB_REQUIRES_FILE_SYSTEM = 1,
220} keymaster_key_blob_usage_requirements_t;
221
222/**
223 * Possible purposes of a key (or pair). This type is new in 0_4.
224 */
225typedef enum {
226    KM_PURPOSE_ENCRYPT = 0,
227    KM_PURPOSE_DECRYPT = 1,
228    KM_PURPOSE_SIGN = 2,
229    KM_PURPOSE_VERIFY = 3,
230} keymaster_purpose_t;
231
232typedef struct {
233    const uint8_t* data;
234    size_t data_length;
235} keymaster_blob_t;
236
237typedef struct {
238    keymaster_tag_t tag;
239    union {
240        uint32_t enumerated;   /* KM_ENUM and KM_ENUM_REP */
241        bool boolean;          /* KM_BOOL */
242        uint32_t integer;      /* KM_INT and KM_INT_REP */
243        uint64_t long_integer; /* KM_LONG */
244        uint64_t date_time;    /* KM_DATE */
245        keymaster_blob_t blob; /* KM_BIGNUM and KM_BYTES*/
246    };
247} keymaster_key_param_t;
248
249typedef struct {
250    keymaster_key_param_t* params; /* may be NULL if length == 0 */
251    size_t length;
252} keymaster_key_param_set_t;
253
254/**
255 * Parameters that define a key's characteristics, including authorized modes of usage and access
256 * control restrictions.  The parameters are divided into two categories, those that are enforced by
257 * secure hardware, and those that are not.  For a software-only keymaster implementation the
258 * enforced array must NULL.  Hardware implementations must enforce everything in the enforced
259 * array.
260 */
261typedef struct {
262    keymaster_key_param_set_t hw_enforced;
263    keymaster_key_param_set_t sw_enforced;
264} keymaster_key_characteristics_t;
265
266typedef struct {
267    const uint8_t* key_material;
268    size_t key_material_size;
269} keymaster_key_blob_t;
270
271/**
272 * Formats for key import and export.  At present, only asymmetric key import/export is supported.
273 * In the future this list will expand greatly to accommodate asymmetric key import/export.
274 */
275typedef enum {
276    KM_KEY_FORMAT_X509 = 0,  /* for public key export */
277    KM_KEY_FORMAT_PKCS8 = 1, /* for asymmetric key pair import */
278    KM_KEY_FORMAT_RAW = 3,   /* for symmetric key import */
279} keymaster_key_format_t;
280
281/**
282 * The keymaster operation API consists of begin, update, finish and abort. This is the type of the
283 * handle used to tie the sequence of calls together.  A 64-bit value is used because it's important
284 * that handles not be predictable.  Implementations must use strong random numbers for handle
285 * values.
286 */
287typedef uint64_t keymaster_operation_handle_t;
288
289typedef enum {
290    KM_ERROR_OK = 0,
291    KM_ERROR_ROOT_OF_TRUST_ALREADY_SET = -1,
292    KM_ERROR_UNSUPPORTED_PURPOSE = -2,
293    KM_ERROR_INCOMPATIBLE_PURPOSE = -3,
294    KM_ERROR_UNSUPPORTED_ALGORITHM = -4,
295    KM_ERROR_INCOMPATIBLE_ALGORITHM = -5,
296    KM_ERROR_UNSUPPORTED_KEY_SIZE = -6,
297    KM_ERROR_UNSUPPORTED_BLOCK_MODE = -7,
298    KM_ERROR_INCOMPATIBLE_BLOCK_MODE = -8,
299    KM_ERROR_UNSUPPORTED_MAC_LENGTH = -9,
300    KM_ERROR_UNSUPPORTED_PADDING_MODE = -10,
301    KM_ERROR_INCOMPATIBLE_PADDING_MODE = -11,
302    KM_ERROR_UNSUPPORTED_DIGEST = -12,
303    KM_ERROR_INCOMPATIBLE_DIGEST = -13,
304    KM_ERROR_INVALID_EXPIRATION_TIME = -14,
305    KM_ERROR_INVALID_USER_ID = -15,
306    KM_ERROR_INVALID_AUTHORIZATION_TIMEOUT = -16,
307    KM_ERROR_UNSUPPORTED_KEY_FORMAT = -17,
308    KM_ERROR_INCOMPATIBLE_KEY_FORMAT = -18,
309    KM_ERROR_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM = -19,   /* For PKCS8 & PKCS12 */
310    KM_ERROR_UNSUPPORTED_KEY_VERIFICATION_ALGORITHM = -20, /* For PKCS8 & PKCS12 */
311    KM_ERROR_INVALID_INPUT_LENGTH = -21,
312    KM_ERROR_KEY_EXPORT_OPTIONS_INVALID = -22,
313    KM_ERROR_DELEGATION_NOT_ALLOWED = -23,
314    KM_ERROR_KEY_NOT_YET_VALID = -24,
315    KM_ERROR_KEY_EXPIRED = -25,
316    KM_ERROR_KEY_USER_NOT_AUTHENTICATED = -26,
317    KM_ERROR_OUTPUT_PARAMETER_NULL = -27,
318    KM_ERROR_INVALID_OPERATION_HANDLE = -28,
319    KM_ERROR_INSUFFICIENT_BUFFER_SPACE = -29,
320    KM_ERROR_VERIFICATION_FAILED = -30,
321    KM_ERROR_TOO_MANY_OPERATIONS = -31,
322    KM_ERROR_UNEXPECTED_NULL_POINTER = -32,
323    KM_ERROR_INVALID_KEY_BLOB = -33,
324    KM_ERROR_IMPORTED_KEY_NOT_ENCRYPTED = -34,
325    KM_ERROR_IMPORTED_KEY_DECRYPTION_FAILED = -35,
326    KM_ERROR_IMPORTED_KEY_NOT_SIGNED = -36,
327    KM_ERROR_IMPORTED_KEY_VERIFICATION_FAILED = -37,
328    KM_ERROR_INVALID_ARGUMENT = -38,
329    KM_ERROR_UNSUPPORTED_TAG = -39,
330    KM_ERROR_INVALID_TAG = -40,
331    KM_ERROR_MEMORY_ALLOCATION_FAILED = -41,
332    KM_ERROR_IMPORT_PARAMETER_MISMATCH = -44,
333    KM_ERROR_SECURE_HW_ACCESS_DENIED = -45,
334    KM_ERROR_OPERATION_CANCELLED = -46,
335    KM_ERROR_CONCURRENT_ACCESS_CONFLICT = -47,
336    KM_ERROR_SECURE_HW_BUSY = -48,
337    KM_ERROR_SECURE_HW_COMMUNICATION_FAILED = -49,
338    KM_ERROR_UNSUPPORTED_EC_FIELD = -50,
339    KM_ERROR_MISSING_NONCE = -51,
340    KM_ERROR_INVALID_NONCE = -52,
341    KM_ERROR_UNSUPPORTED_CHUNK_LENGTH = -53,
342    KM_ERROR_CALLER_NONCE_PROHIBITED = -55,
343
344    KM_ERROR_UNIMPLEMENTED = -100,
345    KM_ERROR_VERSION_MISMATCH = -101,
346
347    /* Additional error codes may be added by implementations, but implementers should coordinate
348     * with Google to avoid code collision. */
349    KM_ERROR_UNKNOWN_ERROR = -1000,
350} keymaster_error_t;
351
352/* Convenience functions for manipulating keymaster tag types */
353
354static inline keymaster_tag_type_t keymaster_tag_get_type(keymaster_tag_t tag) {
355    return (keymaster_tag_type_t)(tag & (0xF << 28));
356}
357
358static inline uint32_t keymaster_tag_mask_type(keymaster_tag_t tag) {
359    return tag & 0x0FFFFFFF;
360}
361
362static inline bool keymaster_tag_type_repeatable(keymaster_tag_type_t type) {
363    switch (type) {
364    case KM_INT_REP:
365    case KM_ENUM_REP:
366        return true;
367    default:
368        return false;
369    }
370}
371
372static inline bool keymaster_tag_repeatable(keymaster_tag_t tag) {
373    return keymaster_tag_type_repeatable(keymaster_tag_get_type(tag));
374}
375
376/* Convenience functions for manipulating keymaster_key_param_t structs */
377
378inline keymaster_key_param_t keymaster_param_enum(keymaster_tag_t tag, uint32_t value) {
379    // assert(keymaster_tag_get_type(tag) == KM_ENUM || keymaster_tag_get_type(tag) == KM_ENUM_REP);
380    keymaster_key_param_t param;
381    memset(&param, 0, sizeof(param));
382    param.tag = tag;
383    param.enumerated = value;
384    return param;
385}
386
387inline keymaster_key_param_t keymaster_param_int(keymaster_tag_t tag, uint32_t value) {
388    // assert(keymaster_tag_get_type(tag) == KM_INT || keymaster_tag_get_type(tag) == KM_INT_REP);
389    keymaster_key_param_t param;
390    memset(&param, 0, sizeof(param));
391    param.tag = tag;
392    param.integer = value;
393    return param;
394}
395
396inline keymaster_key_param_t keymaster_param_long(keymaster_tag_t tag, uint64_t value) {
397    // assert(keymaster_tag_get_type(tag) == KM_LONG);
398    keymaster_key_param_t param;
399    memset(&param, 0, sizeof(param));
400    param.tag = tag;
401    param.long_integer = value;
402    return param;
403}
404
405inline keymaster_key_param_t keymaster_param_blob(keymaster_tag_t tag, const uint8_t* bytes,
406                                                  size_t bytes_len) {
407    // assert(keymaster_tag_get_type(tag) == KM_BYTES || keymaster_tag_get_type(tag) == KM_BIGNUM);
408    keymaster_key_param_t param;
409    memset(&param, 0, sizeof(param));
410    param.tag = tag;
411    param.blob.data = (uint8_t*)bytes;
412    param.blob.data_length = bytes_len;
413    return param;
414}
415
416inline keymaster_key_param_t keymaster_param_bool(keymaster_tag_t tag) {
417    // assert(keymaster_tag_get_type(tag) == KM_BOOL);
418    keymaster_key_param_t param;
419    memset(&param, 0, sizeof(param));
420    param.tag = tag;
421    param.boolean = true;
422    return param;
423}
424
425inline keymaster_key_param_t keymaster_param_date(keymaster_tag_t tag, uint64_t value) {
426    // assert(keymaster_tag_get_type(tag) == KM_DATE);
427    keymaster_key_param_t param;
428    memset(&param, 0, sizeof(param));
429    param.tag = tag;
430    param.date_time = value;
431    return param;
432}
433
434#define KEYMASTER_SIMPLE_COMPARE(a, b) (a < b) ? -1 : ((a > b) ? 1 : 0)
435inline int keymaster_param_compare(const keymaster_key_param_t* a, const keymaster_key_param_t* b) {
436    int retval = KEYMASTER_SIMPLE_COMPARE(a->tag, b->tag);
437    if (retval != 0)
438        return retval;
439
440    switch (keymaster_tag_get_type(a->tag)) {
441    case KM_INVALID:
442    case KM_BOOL:
443        return 0;
444    case KM_ENUM:
445    case KM_ENUM_REP:
446        return KEYMASTER_SIMPLE_COMPARE(a->enumerated, b->enumerated);
447    case KM_INT:
448    case KM_INT_REP:
449        return KEYMASTER_SIMPLE_COMPARE(a->integer, b->integer);
450    case KM_LONG:
451    case KM_LONG_REP:
452        return KEYMASTER_SIMPLE_COMPARE(a->long_integer, b->long_integer);
453    case KM_DATE:
454        return KEYMASTER_SIMPLE_COMPARE(a->date_time, b->date_time);
455    case KM_BIGNUM:
456    case KM_BYTES:
457        // Handle the empty cases.
458        if (a->blob.data_length != 0 && b->blob.data_length == 0)
459            return -1;
460        if (a->blob.data_length == 0 && b->blob.data_length == 0)
461            return 0;
462        if (a->blob.data_length == 0 && b->blob.data_length > 0)
463            return 1;
464
465        retval = memcmp(a->blob.data, b->blob.data, a->blob.data_length < b->blob.data_length
466                                                        ? a->blob.data_length
467                                                        : b->blob.data_length);
468        if (retval != 0)
469            return retval;
470        else if (a->blob.data_length != b->blob.data_length) {
471            // Equal up to the common length; longer one is larger.
472            if (a->blob.data_length < b->blob.data_length)
473                return -1;
474            if (a->blob.data_length > b->blob.data_length)
475                return 1;
476        };
477    }
478
479    return 0;
480}
481#undef KEYMASTER_SIMPLE_COMPARE
482
483inline void keymaster_free_param_values(keymaster_key_param_t* param, size_t param_count) {
484    while (param_count-- > 0) {
485        switch (keymaster_tag_get_type(param->tag)) {
486        case KM_BIGNUM:
487        case KM_BYTES:
488            free((void*)param->blob.data);
489            param->blob.data = NULL;
490            break;
491        default:
492            // NOP
493            break;
494        }
495        ++param;
496    }
497}
498
499inline void keymaster_free_param_set(keymaster_key_param_set_t* set) {
500    if (set) {
501        keymaster_free_param_values(set->params, set->length);
502        free(set->params);
503        set->params = NULL;
504    }
505}
506
507inline void keymaster_free_characteristics(keymaster_key_characteristics_t* characteristics) {
508    if (characteristics) {
509        keymaster_free_param_set(&characteristics->hw_enforced);
510        keymaster_free_param_set(&characteristics->sw_enforced);
511    }
512}
513
514#ifndef __cplusplus
515}  // extern "C"
516#endif  // __cplusplus
517
518#endif  // ANDROID_HARDWARE_KEYMASTER_DEFS_H
519