KeymasterDefs.java revision 36716eb4709503f2ef370c6f67273440cd91d18c
1/*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package android.security.keymaster;
18
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
21
22/**
23 * Class tracking all the keymaster enum values needed for the binder API to keystore.
24 * This must be kept in sync with hardware/libhardware/include/hardware/keymaster_defs.h
25 * See keymaster_defs.h for detailed descriptions of each constant.
26 * @hide
27 */
28public final class KeymasterDefs {
29
30    private KeymasterDefs() {}
31
32    // Tag types.
33    public static final int KM_INVALID = 0 << 28;
34    public static final int KM_ENUM = 1 << 28;
35    public static final int KM_ENUM_REP = 2 << 28;
36    public static final int KM_UINT = 3 << 28;
37    public static final int KM_UINT_REP = 4 << 28;
38    public static final int KM_ULONG = 5 << 28;
39    public static final int KM_DATE = 6 << 28;
40    public static final int KM_BOOL = 7 << 28;
41    public static final int KM_BIGNUM = 8 << 28;
42    public static final int KM_BYTES = 9 << 28;
43    public static final int KM_ULONG_REP = 10 << 28;
44
45    // Tag values.
46    public static final int KM_TAG_INVALID = KM_INVALID | 0;
47    public static final int KM_TAG_PURPOSE = KM_ENUM_REP | 1;
48    public static final int KM_TAG_ALGORITHM = KM_ENUM | 2;
49    public static final int KM_TAG_KEY_SIZE = KM_UINT | 3;
50    public static final int KM_TAG_BLOCK_MODE = KM_ENUM_REP | 4;
51    public static final int KM_TAG_DIGEST = KM_ENUM_REP | 5;
52    public static final int KM_TAG_PADDING = KM_ENUM_REP | 6;
53    public static final int KM_TAG_CALLER_NONCE = KM_BOOL | 7;
54    public static final int KM_TAG_MIN_MAC_LENGTH = KM_UINT | 8;
55
56    public static final int KM_TAG_RESCOPING_ADD = KM_ENUM_REP | 101;
57    public static final int KM_TAG_RESCOPING_DEL = KM_ENUM_REP | 102;
58    public static final int KM_TAG_BLOB_USAGE_REQUIREMENTS = KM_ENUM | 705;
59
60    public static final int KM_TAG_RSA_PUBLIC_EXPONENT = KM_ULONG | 200;
61    public static final int KM_TAG_INCLUDE_UNIQUE_ID = KM_BOOL | 202;
62
63    public static final int KM_TAG_ACTIVE_DATETIME = KM_DATE | 400;
64    public static final int KM_TAG_ORIGINATION_EXPIRE_DATETIME = KM_DATE | 401;
65    public static final int KM_TAG_USAGE_EXPIRE_DATETIME = KM_DATE | 402;
66    public static final int KM_TAG_MIN_SECONDS_BETWEEN_OPS = KM_UINT | 403;
67    public static final int KM_TAG_MAX_USES_PER_BOOT = KM_UINT | 404;
68
69    public static final int KM_TAG_ALL_USERS = KM_BOOL | 500;
70    public static final int KM_TAG_USER_ID = KM_UINT | 501;
71    public static final int KM_TAG_USER_SECURE_ID = KM_ULONG_REP | 502;
72    public static final int KM_TAG_NO_AUTH_REQUIRED = KM_BOOL | 503;
73    public static final int KM_TAG_USER_AUTH_TYPE = KM_ENUM | 504;
74    public static final int KM_TAG_AUTH_TIMEOUT = KM_UINT | 505;
75    public static final int KM_TAG_ALLOW_WHILE_ON_BODY = KM_BOOL | 506;
76    public static final int KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED = KM_BOOL | 507;
77    public static final int KM_TAG_TRUSTED_CONFIRMATION_REQUIRED = KM_BOOL | 508;
78    public static final int KM_TAG_UNLOCKED_DEVICE_REQUIRED = KM_BOOL | 509;
79
80    public static final int KM_TAG_ALL_APPLICATIONS = KM_BOOL | 600;
81    public static final int KM_TAG_APPLICATION_ID = KM_BYTES | 601;
82
83    public static final int KM_TAG_CREATION_DATETIME = KM_DATE | 701;
84    public static final int KM_TAG_ORIGIN = KM_ENUM | 702;
85    public static final int KM_TAG_ROLLBACK_RESISTANT = KM_BOOL | 703;
86    public static final int KM_TAG_ROOT_OF_TRUST = KM_BYTES | 704;
87    public static final int KM_TAG_UNIQUE_ID = KM_BYTES | 707;
88    public static final int KM_TAG_ATTESTATION_CHALLENGE = KM_BYTES | 708;
89    public static final int KM_TAG_ATTESTATION_ID_BRAND = KM_BYTES | 710;
90    public static final int KM_TAG_ATTESTATION_ID_DEVICE = KM_BYTES | 711;
91    public static final int KM_TAG_ATTESTATION_ID_PRODUCT = KM_BYTES | 712;
92    public static final int KM_TAG_ATTESTATION_ID_SERIAL = KM_BYTES | 713;
93    public static final int KM_TAG_ATTESTATION_ID_IMEI = KM_BYTES | 714;
94    public static final int KM_TAG_ATTESTATION_ID_MEID = KM_BYTES | 715;
95    public static final int KM_TAG_ATTESTATION_ID_MANUFACTURER = KM_BYTES | 716;
96    public static final int KM_TAG_ATTESTATION_ID_MODEL = KM_BYTES | 717;
97
98    public static final int KM_TAG_ASSOCIATED_DATA = KM_BYTES | 1000;
99    public static final int KM_TAG_NONCE = KM_BYTES | 1001;
100    public static final int KM_TAG_AUTH_TOKEN = KM_BYTES | 1002;
101    public static final int KM_TAG_MAC_LENGTH = KM_UINT | 1003;
102
103    // Algorithm values.
104    public static final int KM_ALGORITHM_RSA = 1;
105    public static final int KM_ALGORITHM_EC = 3;
106    public static final int KM_ALGORITHM_AES = 32;
107    public static final int KM_ALGORITHM_3DES = 33;
108    public static final int KM_ALGORITHM_HMAC = 128;
109
110    // Block modes.
111    public static final int KM_MODE_ECB = 1;
112    public static final int KM_MODE_CBC = 2;
113    public static final int KM_MODE_CTR = 3;
114    public static final int KM_MODE_GCM = 32;
115
116    // Padding modes.
117    public static final int KM_PAD_NONE = 1;
118    public static final int KM_PAD_RSA_OAEP = 2;
119    public static final int KM_PAD_RSA_PSS = 3;
120    public static final int KM_PAD_RSA_PKCS1_1_5_ENCRYPT = 4;
121    public static final int KM_PAD_RSA_PKCS1_1_5_SIGN = 5;
122    public static final int KM_PAD_PKCS7 = 64;
123
124    // Digest modes.
125    public static final int KM_DIGEST_NONE = 0;
126    public static final int KM_DIGEST_MD5 = 1;
127    public static final int KM_DIGEST_SHA1 = 2;
128    public static final int KM_DIGEST_SHA_2_224 = 3;
129    public static final int KM_DIGEST_SHA_2_256 = 4;
130    public static final int KM_DIGEST_SHA_2_384 = 5;
131    public static final int KM_DIGEST_SHA_2_512 = 6;
132
133    // Key origins.
134    public static final int KM_ORIGIN_GENERATED = 0;
135    public static final int KM_ORIGIN_IMPORTED = 2;
136    public static final int KM_ORIGIN_UNKNOWN = 3;
137    public static final int KM_ORIGIN_SECURELY_IMPORTED = 4;
138
139    // Key usability requirements.
140    public static final int KM_BLOB_STANDALONE = 0;
141    public static final int KM_BLOB_REQUIRES_FILE_SYSTEM = 1;
142
143    // Operation Purposes.
144    public static final int KM_PURPOSE_ENCRYPT = 0;
145    public static final int KM_PURPOSE_DECRYPT = 1;
146    public static final int KM_PURPOSE_SIGN = 2;
147    public static final int KM_PURPOSE_VERIFY = 3;
148    public static final int KM_PURPOSE_WRAP = 5;
149
150    // Key formats.
151    public static final int KM_KEY_FORMAT_X509 = 0;
152    public static final int KM_KEY_FORMAT_PKCS8 = 1;
153    public static final int KM_KEY_FORMAT_RAW = 3;
154
155    // User authenticators.
156    public static final int HW_AUTH_PASSWORD = 1 << 0;
157    public static final int HW_AUTH_FINGERPRINT = 1 << 1;
158
159    // Error codes.
160    public static final int KM_ERROR_OK = 0;
161    public static final int KM_ERROR_ROOT_OF_TRUST_ALREADY_SET = -1;
162    public static final int KM_ERROR_UNSUPPORTED_PURPOSE = -2;
163    public static final int KM_ERROR_INCOMPATIBLE_PURPOSE = -3;
164    public static final int KM_ERROR_UNSUPPORTED_ALGORITHM = -4;
165    public static final int KM_ERROR_INCOMPATIBLE_ALGORITHM = -5;
166    public static final int KM_ERROR_UNSUPPORTED_KEY_SIZE = -6;
167    public static final int KM_ERROR_UNSUPPORTED_BLOCK_MODE = -7;
168    public static final int KM_ERROR_INCOMPATIBLE_BLOCK_MODE = -8;
169    public static final int KM_ERROR_UNSUPPORTED_MAC_LENGTH = -9;
170    public static final int KM_ERROR_UNSUPPORTED_PADDING_MODE = -10;
171    public static final int KM_ERROR_INCOMPATIBLE_PADDING_MODE = -11;
172    public static final int KM_ERROR_UNSUPPORTED_DIGEST = -12;
173    public static final int KM_ERROR_INCOMPATIBLE_DIGEST = -13;
174    public static final int KM_ERROR_INVALID_EXPIRATION_TIME = -14;
175    public static final int KM_ERROR_INVALID_USER_ID = -15;
176    public static final int KM_ERROR_INVALID_AUTHORIZATION_TIMEOUT = -16;
177    public static final int KM_ERROR_UNSUPPORTED_KEY_FORMAT = -17;
178    public static final int KM_ERROR_INCOMPATIBLE_KEY_FORMAT = -18;
179    public static final int KM_ERROR_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM = -19;
180    public static final int KM_ERROR_UNSUPPORTED_KEY_VERIFICATION_ALGORITHM = -20;
181    public static final int KM_ERROR_INVALID_INPUT_LENGTH = -21;
182    public static final int KM_ERROR_KEY_EXPORT_OPTIONS_INVALID = -22;
183    public static final int KM_ERROR_DELEGATION_NOT_ALLOWED = -23;
184    public static final int KM_ERROR_KEY_NOT_YET_VALID = -24;
185    public static final int KM_ERROR_KEY_EXPIRED = -25;
186    public static final int KM_ERROR_KEY_USER_NOT_AUTHENTICATED = -26;
187    public static final int KM_ERROR_OUTPUT_PARAMETER_NULL = -27;
188    public static final int KM_ERROR_INVALID_OPERATION_HANDLE = -28;
189    public static final int KM_ERROR_INSUFFICIENT_BUFFER_SPACE = -29;
190    public static final int KM_ERROR_VERIFICATION_FAILED = -30;
191    public static final int KM_ERROR_TOO_MANY_OPERATIONS = -31;
192    public static final int KM_ERROR_UNEXPECTED_NULL_POINTER = -32;
193    public static final int KM_ERROR_INVALID_KEY_BLOB = -33;
194    public static final int KM_ERROR_IMPORTED_KEY_NOT_ENCRYPTED = -34;
195    public static final int KM_ERROR_IMPORTED_KEY_DECRYPTION_FAILED = -35;
196    public static final int KM_ERROR_IMPORTED_KEY_NOT_SIGNED = -36;
197    public static final int KM_ERROR_IMPORTED_KEY_VERIFICATION_FAILED = -37;
198    public static final int KM_ERROR_INVALID_ARGUMENT = -38;
199    public static final int KM_ERROR_UNSUPPORTED_TAG = -39;
200    public static final int KM_ERROR_INVALID_TAG = -40;
201    public static final int KM_ERROR_MEMORY_ALLOCATION_FAILED = -41;
202    public static final int KM_ERROR_INVALID_RESCOPING = -42;
203    public static final int KM_ERROR_IMPORT_PARAMETER_MISMATCH = -44;
204    public static final int KM_ERROR_SECURE_HW_ACCESS_DENIED = -45;
205    public static final int KM_ERROR_OPERATION_CANCELLED = -46;
206    public static final int KM_ERROR_CONCURRENT_ACCESS_CONFLICT = -47;
207    public static final int KM_ERROR_SECURE_HW_BUSY = -48;
208    public static final int KM_ERROR_SECURE_HW_COMMUNICATION_FAILED = -49;
209    public static final int KM_ERROR_UNSUPPORTED_EC_FIELD = -50;
210    public static final int KM_ERROR_MISSING_NONCE = -51;
211    public static final int KM_ERROR_INVALID_NONCE = -52;
212    public static final int KM_ERROR_MISSING_MAC_LENGTH = -53;
213    public static final int KM_ERROR_KEY_RATE_LIMIT_EXCEEDED = -54;
214    public static final int KM_ERROR_CALLER_NONCE_PROHIBITED = -55;
215    public static final int KM_ERROR_KEY_MAX_OPS_EXCEEDED = -56;
216    public static final int KM_ERROR_INVALID_MAC_LENGTH = -57;
217    public static final int KM_ERROR_MISSING_MIN_MAC_LENGTH = -58;
218    public static final int KM_ERROR_UNSUPPORTED_MIN_MAC_LENGTH = -59;
219    public static final int KM_ERROR_CANNOT_ATTEST_IDS = -66;
220    public static final int KM_ERROR_DEVICE_LOCKED = -72;
221    public static final int KM_ERROR_UNIMPLEMENTED = -100;
222    public static final int KM_ERROR_VERSION_MISMATCH = -101;
223    public static final int KM_ERROR_UNKNOWN_ERROR = -1000;
224
225    public static final Map<Integer, String> sErrorCodeToString = new HashMap<Integer, String>();
226    static {
227        sErrorCodeToString.put(KM_ERROR_OK, "OK");
228        sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_PURPOSE, "Unsupported purpose");
229        sErrorCodeToString.put(KM_ERROR_INCOMPATIBLE_PURPOSE, "Incompatible purpose");
230        sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_ALGORITHM, "Unsupported algorithm");
231        sErrorCodeToString.put(KM_ERROR_INCOMPATIBLE_ALGORITHM, "Incompatible algorithm");
232        sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_KEY_SIZE, "Unsupported key size");
233        sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_BLOCK_MODE, "Unsupported block mode");
234        sErrorCodeToString.put(KM_ERROR_INCOMPATIBLE_BLOCK_MODE, "Incompatible block mode");
235        sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_MAC_LENGTH,
236                "Unsupported MAC or authentication tag length");
237        sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_PADDING_MODE, "Unsupported padding mode");
238        sErrorCodeToString.put(KM_ERROR_INCOMPATIBLE_PADDING_MODE, "Incompatible padding mode");
239        sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_DIGEST, "Unsupported digest");
240        sErrorCodeToString.put(KM_ERROR_INCOMPATIBLE_DIGEST, "Incompatible digest");
241        sErrorCodeToString.put(KM_ERROR_INVALID_EXPIRATION_TIME, "Invalid expiration time");
242        sErrorCodeToString.put(KM_ERROR_INVALID_USER_ID, "Invalid user ID");
243        sErrorCodeToString.put(KM_ERROR_INVALID_AUTHORIZATION_TIMEOUT,
244                "Invalid user authorization timeout");
245        sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_KEY_FORMAT, "Unsupported key format");
246        sErrorCodeToString.put(KM_ERROR_INCOMPATIBLE_KEY_FORMAT, "Incompatible key format");
247        sErrorCodeToString.put(KM_ERROR_INVALID_INPUT_LENGTH, "Invalid input length");
248        sErrorCodeToString.put(KM_ERROR_KEY_NOT_YET_VALID, "Key not yet valid");
249        sErrorCodeToString.put(KM_ERROR_KEY_EXPIRED, "Key expired");
250        sErrorCodeToString.put(KM_ERROR_KEY_USER_NOT_AUTHENTICATED, "Key user not authenticated");
251        sErrorCodeToString.put(KM_ERROR_INVALID_OPERATION_HANDLE, "Invalid operation handle");
252        sErrorCodeToString.put(KM_ERROR_VERIFICATION_FAILED, "Signature/MAC verification failed");
253        sErrorCodeToString.put(KM_ERROR_TOO_MANY_OPERATIONS, "Too many operations");
254        sErrorCodeToString.put(KM_ERROR_INVALID_KEY_BLOB, "Invalid key blob");
255        sErrorCodeToString.put(KM_ERROR_INVALID_ARGUMENT, "Invalid argument");
256        sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_TAG, "Unsupported tag");
257        sErrorCodeToString.put(KM_ERROR_INVALID_TAG, "Invalid tag");
258        sErrorCodeToString.put(KM_ERROR_MEMORY_ALLOCATION_FAILED, "Memory allocation failed");
259        sErrorCodeToString.put(KM_ERROR_UNSUPPORTED_EC_FIELD, "Unsupported EC field");
260        sErrorCodeToString.put(KM_ERROR_MISSING_NONCE, "Required IV missing");
261        sErrorCodeToString.put(KM_ERROR_INVALID_NONCE, "Invalid IV");
262        sErrorCodeToString.put(KM_ERROR_CALLER_NONCE_PROHIBITED,
263                "Caller-provided IV not permitted");
264        sErrorCodeToString.put(KM_ERROR_INVALID_MAC_LENGTH,
265                "Invalid MAC or authentication tag length");
266        sErrorCodeToString.put(KM_ERROR_CANNOT_ATTEST_IDS, "Unable to attest device ids");
267        sErrorCodeToString.put(KM_ERROR_DEVICE_LOCKED, "Device locked");
268        sErrorCodeToString.put(KM_ERROR_UNIMPLEMENTED, "Not implemented");
269        sErrorCodeToString.put(KM_ERROR_UNKNOWN_ERROR, "Unknown error");
270    }
271
272    public static int getTagType(int tag) {
273        return tag & (0xF << 28);
274    }
275
276    public static String getErrorMessage(int errorCode) {
277        String result = sErrorCodeToString.get(errorCode);
278        if (result != null) {
279            return result;
280        }
281        return String.valueOf(errorCode);
282    }
283}
284