1 /*
2  * Copyright (C) 2009 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef __KEYSTORE_H__
18 #define __KEYSTORE_H__
19 
20 #include <stdint.h>
21 
22 // note state values overlap with ResponseCode for the purposes of the state() API
23 enum State {
24     STATE_NO_ERROR      = 1,
25     STATE_LOCKED        = 2,
26     STATE_UNINITIALIZED = 3,
27 };
28 
29 // must be in sync with KeyStore.java,
30 enum class ResponseCode : int32_t {
31     NO_ERROR = STATE_NO_ERROR,            // 1
32     LOCKED = STATE_LOCKED,                // 2
33     UNINITIALIZED = STATE_UNINITIALIZED,  // 3
34     SYSTEM_ERROR = 4,
35     PROTOCOL_ERROR = 5,
36     PERMISSION_DENIED = 6,
37     KEY_NOT_FOUND = 7,
38     VALUE_CORRUPTED = 8,
39     UNDEFINED_ACTION = 9,
40     WRONG_PASSWORD_0 = 10,
41     WRONG_PASSWORD_1 = 11,
42     WRONG_PASSWORD_2 = 12,
43     WRONG_PASSWORD_3 = 13,  // MAX_RETRY = 4
44     SIGNATURE_INVALID = 14,
45     OP_AUTH_NEEDED = 15,  // Auth is needed for this operation before it can be used.
46     KEY_ALREADY_EXISTS = 16,
47     KEY_PERMANENTLY_INVALIDATED = 17,
48 };
49 
50 /*
51  * All the flags for import and insert calls.
52  */
53 enum KeyStoreFlag : uint8_t {
54     KEYSTORE_FLAG_NONE = 0,
55     KEYSTORE_FLAG_ENCRYPTED = 1 << 0,
56     KEYSTORE_FLAG_FALLBACK = 1 << 1,
57     // KEYSTORE_FLAG_SUPER_ENCRYPTED is for blobs that are already encrypted by keymaster but have
58     // an additional layer of password-based encryption applied.  The same encryption scheme is used
59     // as KEYSTORE_FLAG_ENCRYPTED, but it's safe to remove super-encryption when the password is
60     // cleared, rather than deleting blobs, and the error returned when attempting to use a
61     // super-encrypted blob while keystore is locked is different.
62     KEYSTORE_FLAG_SUPER_ENCRYPTED = 1 << 2,
63     // KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION is for blobs that are part of device encryption
64     // flow so it receives special treatment from keystore. For example this blob will not be super
65     // encrypted, and it will be stored separately under an unique UID instead. This flag should
66     // only be available to system uid.
67     KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION = 1 << 3,
68     KEYSTORE_FLAG_STRONGBOX = 1 << 4,
69 };
70 
71 #endif
72