Lines Matching refs:o
30 * o Key generation
31 * o Import and export (public only) of asymmetric keys
32 * o Import of raw symmetric keys
33 * o Asymmetric encryption and decryption with appropriate padding modes
34 * o Asymmetric signing and verification with digesting and appropriate padding modes
35 * o Symmetric encryption and decryption in appropriate modes, including an AEAD mode
36 * o Generation and verification of symmetric message authentication codes
37 * o Attestation to the presence and configuration of asymmetric keys.
69 * o RSA
80 * o ECDSA
87 * o AES
97 * o 3DES
106 * o HMAC
129 * o Tag::OS_VERSION, must be hardware-enforced.
130 * o Tag::OS_PATCHLEVEL, must be hardware-enforced.
131 * o Tag::VENDOR_PATCHLEVEL, must be hardware-enforced.
132 * o Tag::BOOT_PATCHLEVEL, must be hardware-enforced.
133 * o Tag::CREATION_DATETIME, must be software-enforced, unless the IKeymasterDevice has access to
135 * o Tag::ORIGIN, must be hardware-enforced.
399 * o Tag::ORIGIN with the value KeyOrigin::GENERATED.
401 * o Tag::BLOB_USAGE_REQUIREMENTS with the appropriate value (see KeyBlobUsageRequirements in
404 * o Tag::CREATION_DATETIME with the appropriate value. Note that it is expected that this will
408 * o Tag::OS_VERSION, Tag::OS_PATCHLEVEL, Tag::VENDOR_PATCHLEVEL and Tag::BOOT_PATCHLEVEL with
419 * o Tag::KEY_SIZE specifies the size of the public modulus, in bits. If omitted, generateKey
424 * o Tag::RSA_PUBLIC_EXPONENT specifies the RSA public exponent value. If omitted, generateKey
432 * o Tag::PURPOSE specifies allowed purposes. All KeyPurpose values (see types.hal) must be
435 * o Tag::DIGEST specifies digest algorithms that may be used with the new key. TEE
439 * o Tag::PADDING specifies the padding modes that may be used with the new
479 * o Tag::KEY_SIZE is not necessary in the input parameters. If not provided, the
485 * o Tag::RSA_PUBLIC_EXPONENT (for RSA keys only) is not necessary in the input parameters. If
491 * o Tag::ORIGIN (returned in keyCharacteristics) must have the value KeyOrigin::IMPORTED.
533 * o keyFormat is an integer from the KeyFormat enum, defining the format of the plaintext
535 * o keyParams is the characteristics of the key to be imported (as with generateKey or
540 * o encryptedTransportKey is a 256-bit AES key, XORed with a masking key and then encrypted
542 * o keyDescription is a KeyDescription, above.
543 * o encryptedKey is the key material of the key to be imported, in format keyFormat, and
546 * o tag is the tag produced by the AES-GCM encryption of encryptedKey.
656 * o version -- with value 2
658 * o serialNumber -- with value 1 (same value for all keys)
660 * o signature -- contains the AlgorithmIdentifier of the algorithm used to sign, must be
663 * o issuer -- must contain the same value as the Subject field of the next certificate.
665 * o validity -- SEQUENCE of two dates, containing the values of Tag::ACTIVE_DATETIME and
672 * o subject -- CN="Android Keystore Key" (same value for all keys)
674 * o subjectPublicKeyInfo -- X.509 SubjectPublicKeyInfo containing the attested public key.
676 * o Key Usage extension -- digitalSignature bit must be set iff the attested key has
762 * o TagType::ENUM, TagType::UINT, TagType::ULONG and TagType::DATE tags are represented as
765 * o TagType::ENUM_REP, TagType::UINT_REP and TagType::ULONG_REP tags are represented as ASN.1
768 * o TagType::BOOL tags are represented as ASN.1 NULL. All entries in AuthorizationList are
771 * o TagType::BYTES tags are represented as ASN.1 OCTET_STRING.
902 * o Tag::PURPOSE: The purpose specified in the begin() call must match one of the purposes in
906 * o Tag::ACTIVE_DATETIME can only be enforced if a trusted UTC time source is available. If
910 * o Tag::ORIGINATION_EXPIRE_DATETIME can only be enforced if a trusted UTC time source is
914 * o Tag::USAGE_EXPIRE_DATETIME can only be enforced if a trusted UTC time source is
918 * o Tag::MIN_SECONDS_BETWEEN_OPS must be compared with a trusted relative timer indicating the
923 * o Tag::MAX_USES_PER_BOOT must be compared against a secure counter that tracks the uses of
927 * o Tag::USER_SECURE_ID must be enforced by this method if and only if the key also has
933 * o The HMAC field must validate correctly.
935 * o At least one of the Tag::USER_SECURE_ID values from the key must match at least one of
938 * o The key must have a Tag::USER_AUTH_TYPE that matches the auth type in the token.
940 * o The timestamp in the auth token plus the value of the Tag::AUTH_TIMEOUT must be less than
947 * o Tag::CALLER_NONCE allows the caller to specify a nonce or initialization vector (IV). If
951 * o Tag::BOOTLOADER_ONLY specifies that only the bootloader may use the key. If this method is
981 * o PaddingMode::NONE indicates that a "raw" RSA operation is performed. If signing or
985 * o PaddingMode::RSA_PKCS1_1_5_SIGN padding requires a digest. The digest may be Digest::NONE,
993 * o PaddingMode::RSA_PKCS1_1_5_ENCRYPT padding does not require a digest.
995 * o PaddingMode::RSA_PSS padding requires a digest, which may not be Digest::NONE. If
1001 * o PaddingMode::RSA_OAEP padding requires a digest, which may not be Digest::NONE. If
1108 * o One or more Tag::USER_SECURE_IDs, and
1110 * o Does not have a Tag::AUTH_TIMEOUT
1116 * o The HMAC field must validate correctly.
1118 * o At least one of the Tag::USER_SECURE_ID values from the key must match at least one of
1121 * o The key must have a Tag::USER_AUTH_TYPE that matches the auth type in the token.
1123 * o The challenge field in the auth token must contain the operationHandle
1221 * o The HMAC field must validate correctly.
1223 * o At least one of the Tag::USER_SECURE_ID values from the key must match at least one of
1226 * o The key must have a Tag::USER_AUTH_TYPE that matches the auth type in the token.
1228 * o The challenge field in the auth token must contain the operationHandle
1247 * o PaddingMode::NONE. For unpadded signing and encryption operations, if the provided data is
1254 * o PaddingMode::RSA_PSS. For PSS-padded signature operations, the PSS salt length must match
1259 * o PaddingMode::RSA_OAEP. The digest specified with Tag::DIGEST in inputParams on begin is
1271 * o BlockMode::ECB or BlockMode::CBC. If padding is PaddingMode::NONE and the data length is
1277 * o BlockMode::GCM. During encryption, after processing all plaintext, compute the tag