1 /* 2 * Copyright (C) 2009 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #ifndef __KEYSTORE_H__ 18 #define __KEYSTORE_H__ 19 20 #include <stdint.h> 21 22 // note state values overlap with ResponseCode for the purposes of the state() API 23 enum State { 24 STATE_NO_ERROR = 1, 25 STATE_LOCKED = 2, 26 STATE_UNINITIALIZED = 3, 27 }; 28 29 // must be in sync with KeyStore.java, 30 enum class ResponseCode: int32_t { 31 NO_ERROR = STATE_NO_ERROR, // 1 32 LOCKED = STATE_LOCKED, // 2 33 UNINITIALIZED = STATE_UNINITIALIZED, // 3 34 SYSTEM_ERROR = 4, 35 PROTOCOL_ERROR = 5, 36 PERMISSION_DENIED = 6, 37 KEY_NOT_FOUND = 7, 38 VALUE_CORRUPTED = 8, 39 UNDEFINED_ACTION = 9, 40 WRONG_PASSWORD_0 = 10, 41 WRONG_PASSWORD_1 = 11, 42 WRONG_PASSWORD_2 = 12, 43 WRONG_PASSWORD_3 = 13, // MAX_RETRY = 4 44 SIGNATURE_INVALID = 14, 45 OP_AUTH_NEEDED = 15, // Auth is needed for this operation before it can be used. 46 }; 47 48 /* 49 * All the flags for import and insert calls. 50 */ 51 enum KeyStoreFlag : uint8_t { 52 KEYSTORE_FLAG_NONE = 0, 53 KEYSTORE_FLAG_ENCRYPTED = 1 << 0, 54 KEYSTORE_FLAG_FALLBACK = 1 << 1, 55 // KEYSTORE_FLAG_SUPER_ENCRYPTED is for blobs that are already encrypted by keymaster but have 56 // an additional layer of password-based encryption applied. The same encryption scheme is used 57 // as KEYSTORE_FLAG_ENCRYPTED, but it's safe to remove super-encryption when the password is 58 // cleared, rather than deleting blobs, and the error returned when attempting to use a 59 // super-encrypted blob while keystore is locked is different. 60 KEYSTORE_FLAG_SUPER_ENCRYPTED = 1 << 2, 61 // KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION is for blobs that are part of device encryption 62 // flow so it receives special treatment from keystore. For example this blob will not be super 63 // encrypted, and it will be stored separately under an unique UID instead. This flag should 64 // only be available to system uid. 65 KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION = 1 << 3, 66 KEYSTORE_FLAG_STRONGBOX = 1 << 4, 67 }; 68 69 #endif 70