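/*
 * Copyright (C) 2009 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

// NOTE(review): identifiers containing a double underscore are reserved for the implementation;
// the guard name is left unchanged here so that nothing depending on it breaks.
#ifndef __KEYSTORE_H__
#define __KEYSTORE_H__

#include <stdint.h>

/*
 * Keystore state values.
 *
 * Note: state values overlap with ResponseCode for the purposes of the state() API.
 * ResponseCode initialises its first three enumerators from these constants, so changing a
 * value here changes the matching response code as well.
 */
enum State {
    STATE_NO_ERROR = 1,
    STATE_LOCKED = 2,
    STATE_UNINITIALIZED = 3,
};

/*
 * Keystore response codes. Must be kept in sync with KeyStore.java.
 *
 * The numeric values are shared with the Java side: renumbering or reusing an existing value
 * without the matching Java change would make a caller read one result as another (for example
 * PERMISSION_DENIED or SIGNATURE_INVALID as something else).
 *
 * Success is NO_ERROR == 1, not 0. Compare against NO_ERROR explicitly; a zero / non-zero test
 * on the raw integer treats every code in this enum, including every failure, the same way.
 */
enum class ResponseCode : int32_t {
    NO_ERROR = STATE_NO_ERROR,            // 1
    LOCKED = STATE_LOCKED,                // 2
    UNINITIALIZED = STATE_UNINITIALIZED,  // 3
    SYSTEM_ERROR = 4,
    PROTOCOL_ERROR = 5,
    PERMISSION_DENIED = 6,
    KEY_NOT_FOUND = 7,
    VALUE_CORRUPTED = 8,
    UNDEFINED_ACTION = 9,
    // NOTE(review): the _0.._3 suffix presumably tracks the password retry counter bounded by
    // MAX_RETRY; confirm against the code that returns these values.
    WRONG_PASSWORD_0 = 10,
    WRONG_PASSWORD_1 = 11,
    WRONG_PASSWORD_2 = 12,
    WRONG_PASSWORD_3 = 13,  // MAX_RETRY = 4
    SIGNATURE_INVALID = 14,
    OP_AUTH_NEEDED = 15,  // Auth is needed for this operation before it can be used.
    KEY_ALREADY_EXISTS = 16,
    KEY_PERMANENTLY_INVALIDATED = 17,

    /**
     * The following three response codes are for logging purposes only.
     * The operations are logged at the end of the life cycle of an operation handle,
     * along with the reason for the end of the operation handle. For the operations
     * that fail in update and finish, the reason for failure is available with
     * the above response codes.
     * For the operations that are aborted in three different ways, the reason
     * for aborting is not available. The following enum values define the
     * three ways an operation can get aborted.
     */
    ABORT_CALLED = 18,
    PRUNED = 19,
    BINDER_DIED = 20,
};

/*
 * All the flags for import and insert calls.
 *
 * Each flag is a single bit in a uint8_t, so values can be combined with bitwise OR. Bits 0-4
 * are assigned below, which leaves bits 5-7 of the underlying type unused.
 */
enum KeyStoreFlag : uint8_t {
    KEYSTORE_FLAG_NONE = 0,
    KEYSTORE_FLAG_ENCRYPTED = 1 << 0,
    // NOTE(review): not documented in this header; presumably marks a blob handled by a fallback
    // (software) implementation. Confirm against the code that sets it.
    KEYSTORE_FLAG_FALLBACK = 1 << 1,
    // KEYSTORE_FLAG_SUPER_ENCRYPTED is for blobs that are already encrypted by keymaster but have
    // an additional layer of password-based encryption applied. The same encryption scheme is used
    // as KEYSTORE_FLAG_ENCRYPTED, but it's safe to remove super-encryption when the password is
    // cleared, rather than deleting blobs, and the error returned when attempting to use a
    // super-encrypted blob while keystore is locked is different.
    KEYSTORE_FLAG_SUPER_ENCRYPTED = 1 << 2,
    // KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION is for blobs that are part of the device
    // encryption flow, so they receive special treatment from keystore. For example, such a blob
    // will not be super-encrypted, and it will be stored separately under a unique UID instead.
    // This flag should only be available to the system uid.
    // NOTE(review): this header only defines the bit. The restriction to the system uid has to be
    // enforced wherever flags from a caller are accepted; that check is not visible here, so
    // confirm the import/insert paths reject this bit from any other uid.
    KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION = 1 << 3,
    // NOTE(review): not documented in this header; presumably selects or marks a StrongBox-backed
    // key. Confirm against the code that reads it.
    KEYSTORE_FLAG_STRONGBOX = 1 << 4,
};

#endif  // __KEYSTORE_H__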