en/security/keystore/implementer-ref.html

<html devsite>
  <head>
    <title>Keymaster Functions</title>
    <meta name="project_path" value="/_project.yaml" />
    <meta name="book_path" value="/_book.yaml" />
  </head>
<body>
  <!--
      Copyright 2017 The Android Open Source Project

      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
  -->
<p>This page provides details to assist implementers of Keymaster 
Hardware Abstraction Layers (HALs). It covers each function in the
API and which Keymaster version that function is available in and
describes the default implementation. For tags, see the
<a href="/security/keystore/tags">Keymaster Tags</a> page.</p>

<p class="note">To support Keymaster 3's transition from the old-style
C-structure HAL to the C++ HAL interface generated from a definition in the new
Hardware Interface Definition Language (HIDL), function names have changed in
Android 8.0. To support this, functions are now in camel case. For example,
<code>get_key_characteristics</code> is now <code>getKeyCharacteristics</code>.
</p>

<h2 id="general_implementation_guidelines">General implementation guidelines</h2>

<p>The following guidelines apply to all functions in the API.</p>

<h3 id="input_pointer_parameters">Input pointer parameters</h3>

<p><strong>Version</strong>: 1, 2</p>

<p>Input pointer parameters that are not used for a given call may be <code>NULL</code>.
The caller is not required to provide placeholders. For example, some key
types and modes may not use any values from the <code>inParams</code> argument
to <a href="#begin">begin</a>, so the caller may set <code>inParams</code>
to <code>NULL</code> or provide an empty parameter set. Callers can also
provide unused parameters, and Keymaster methods should not issue errors.</p>

<p>If a required input parameter is NULL, Keymaster methods should return
<code>ErrorCode::UNEXPECTED_NULL_POINTER</code>.</p>

<p>Starting in Keymaster 3, there are no pointer parameters. All parameters
are passed by value or const references.</p>


<h3 id="output_pointer_parameters">Output pointer parameters</h3>

<p><strong>Version</strong>: 1, 2</p>

<p>Similar to input pointer parameters, unused output pointer parameters
may be <code>NULL</code>. If a method needs to return data in an output
parameter found to be <code>NULL</code>, it should return
<code>ErrorCode::OUTPUT_PARAMETER_NULL</code>.</p>
<p>Starting in Keymaster 3, there are no pointer parameters. All parameters
are passed by value or const references.</p>


<h3 id="api_misuse">API misuse</h3>

<p><strong>Version</strong>: 1, 2, 3</p>

<p>There are many ways that callers can make requests that don't make sense or are
foolish but not technically wrong. Keymaster implementations are not required
to fail in such cases or issue a diagnostic. Use of too-small keys,
specification of irrelevant input parameters, reuse of IVs or nonces,
generation of keys with no purposes (hence useless) and the like should not be
diagnosed by implementations. Omission of required parameters, specification of
invalid required parameters, and similar errors must be diagnosed.</p>

<p>It is the responsibility of apps, the framework, and Android keystore to ensure
that the calls to Keymaster modules are sensible and useful.</p>

<p class="caution">Keymaster implementations should attempt to diagnose
serious errors, such as omission of required parameters, specification of invalid
required parameters, and similar errors that compromise the integrity of the
Keymaster implementation.</p>

<h2 id="functions">Functions</h2>

<h3 id="get_hardware_features">getHardwareFeatures</h3>
<p><strong>Version</strong>: 3</p>

<p>
The new <code>getHardwareFeatures</code> method exposes to clients some important
characteristics of the underlying secure hardware. The method takes no arguments
and returns four values, all booleans:
</p>
<ul>
  <li><code>isSecure</code> is <code>true</code> if keys are stored in
  secure hardware (TEE, etc.) and never leave it.</li>
  <li><code>supportsEllipticCurve</code> is <code>true</code> if the
  hardware supports Elliptic Curve cryptography with the NIST curves (P-224,
  P-256, P-384, and P-521).</li>
  <li><code>supportsSymmetricCryptography</code> is <code>true</code>
  if the hardware supports symmetric cryptography, including AES and HMAC.</li>
  <li><code>supportsAttestation</code> is <code>true</code> if the
  hardware supports generation of Keymaster public key attestation certificates,
  signed with a key injected in a secure environment.</li>
</ul>
<p>
The only error codes this method may return are <code>ErrorCode:OK</code>,
<code>ErrorCode::KEYMASTER_NOT_CONFIGURED</code> or one of the error codes
indicating a failure to communicate with the secure hardware.
</p>
<pre class="devsite-click-to-copy">
getHardwareFeatures()
    generates(bool isSecure, bool supportsEllipticCurve, bool supportsSymmetricCryptography,
              bool supportsAttestation, bool supportsAllDigests, string keymasterName,
              string keymasterAuthorName);</pre>

<h3 id="configure">configure</h3>
<p><strong>Version</strong>: 2</p>
<p>This function was introduced in Keymaster 2 and deprecated in Keymaster
3, as this information is available in system properties files, and manufacturer
implementations read those files during startup.</p>

<p>Configures keymaster. This method is called once after the device is opened and before
it is used. It's used to provide
<a href="/security/keystore/tags#os_version">KM_TAG_OS_VERSION</a> and
<a href="/security/keystore/tags#os_patchlevel">KM_TAG_OS_PATCHLEVEL</a> to keymaster.
Until this method is called, all other methods return
<code>KM_ERROR_KEYMASTER_NOT_CONFIGURED</code>. The values provided by this
method are only accepted by keymaster once per boot. Subsequent
calls return <code>KM_ERROR_OK</code>, but do nothing.</p>
<p>
If the keymaster implementation is in secure hardware and the OS version and patch level
values provided do not match the values provided to the secure hardware by the bootloader (or
if the bootloader did not provide values), then this method returns
<code>KM_ERROR_INVALID_ARGUMENT</code>, and all other methods continue returning
<code>KM_ERROR_KEYMASTER_NOT_CONFIGURED</code>.</p>
<pre class="devsite-click-to-copy">
keymaster_error_t (*configure)(const struct keymaster2_device* dev,
                               const keymaster_key_param_set_t* params);</pre>

<h3 id="add_rng_entropy">addRngEntropy</h3>

<p><strong>Version</strong>: 1, 2, 3</p>
<p>This function was introduced in Keymaster 1 as <code>add_rng_entropy</code>
and renamed in Keymaster 3.</p>

<p>Adds caller-provided entropy to the pool used by the Keymaster 1 implementation
for generating random numbers, for keys, IVs, etc.</p>

<p>Keymaster implementations need to securely mix the provided
entropy into their pool, which also must contain
internally-generated entropy from a hardware random number generator.
Mixing should be handled so that an attacker who has complete control
of either the <code>addRngEntropy</code>-provided bits or the hardware-generated bits,
but not both, has no non-neglible advantage in predicting the bits generated
from the entropy pool.</p>

<p>Keymaster implementations that attempt to estimate the entropy in their
internal pool assume that data provided by
<code>addRngEntropy</code> contains no entropy. Keymaster implementations may
return <code>ErrorCode::INVALID_INPUT_LENGTH</code> if they're given more than 2
KiB of data in a single call.</p>


<h3 id="generate_key">generateKey</h3>

<p><strong>Version</strong>: 1, 2, 3</p>
<p>This function was introduced in Keymaster 1 as <code>generate_key</code>
and renamed in Keymaster 3.</p>

<p>Generates a new cryptographic key, specifying associated authorizations, which
are permanently bound to the key. Keymaster implementations make it
impossible to use a key in any way inconsistent with the authorizations
specified at generation time. With respect to authorizations that the secure
hardware cannot enforce, the secure hardware's obligation is limited to
ensuring that the unenforceable authorizations associated with the key cannot
be modified, so that every call to
<a href="#get_key_characteristics">getKeyCharacteristics</a>
returns the original value. In addition, the characteristics returned by
<code>generateKey</code> allocates authorizations correctly between the
hardware-enforced and software-enforced lists. See
<a href="#get_key_characteristics">getKeyCharacteristics</a> for more details.</p>

<p>The parameters provided to <code>generateKey</code> depend on the type of key
being generated. This section summarizes the necessary and optional tags for each
type of key. <a href="/security/keystore/tags#algorithm">Tag::ALGORITHM</a>
is always necessary, to specify the type.</p>

<h4 id="generate_key_rsa_keys">RSA keys</h4>

<p>The following parameters are necessary to generate an RSA key.</p>

<ul>
  <li><a href="/security/keystore/tags#key_size">Tag::KEY_SIZE</a>
  specifies the size of the public modulus, in bits. If omitted,
  the method returns <code>ErrorCode::UNSUPPORTED_KEY_SIZE</code>.
  Supported values are 1024, 2048, 3072 and 4096. Recommended values
  are all key sizes that are a multiple of 8.</li>
  <li><a href="/security/keystore/tags#rsa_public_exponent">Tag::RSA_PUBLIC_EXPONENT</a>
  specifies the RSA public exponent value. If omitted, the method
  returns <code>ErrorCode::INVALID_ARGUMENT</code>.
  Supported values are 3 and 65537. Recommended values are
  all prime values up to 2^64.</li>
</ul>

<p>The following parameters are not necessary to generate an RSA key, but creating
an RSA key without them produces a key that is unusable. However, the
<code>generateKey</code> function doesn't return an error if these parameters are omitted.</p>

<ul>
  <li><a href="/security/keystore/tags#purpose">Tag::PURPOSE</a> specifies allowed purposes.
  All purposes need to be supported for RSA keys, in
  any combination.</li>
  <li><a href="/security/keystore/tags#digest">Tag::DIGEST</a> specifies
  digest algorithms that may be used with the new key. Implementations
  that do not support all digest algorithms need to accept key generation requests
  that include unsupported digests. The unsupported digests should be placed in
  the "software-enforced" list in the returned key characteristics. This is
  because the key is usable with those other digests, but digesting is
  performed in software. Then hardware is called to perform the operation
  with <code>Digest::NONE</code>.</li>
  <li><a href="/security/keystore/tags#padding">Tag::PADDING</a> specifies the padding modes
  that may be used with the new key. Implementations
  that do not support all digest algorithms need to place <code>PaddingMode::RSA_PSS</code>
  and <code>PaddingMode::RSA_OAEP</code> in the software-enforced list of the key
  characteristics if any unsupported digest algorithms are specified.</li>
</ul>

<h4 id="generate_key_ecdsa_keys">ECDSA keys</h4>

<p>Only <a href="/security/keystore/tags#key_size">Tag::KEY_SIZE</a> is
necessary to generate an ECDSA key. It is used to select the EC group.
Supported values are 224, 256, 384 and 521, which indicate the
NIST p-224, p-256, p-384 and p521 curves, respectively.</p>

<p><a href="/security/keystore/tags#digest">Tag::DIGEST</a>
 is also necessary for a useful ECDSA key,
 but is not required for generation.</p>

<h4 id="generate_key_aes_keys">AES keys</h4>

<p>Only <a href="/security/keystore/tags#key_size">Tag::KEY_SIZE</a>
 is necessary to generate an AES key. If omitted, the method returns
 <code>ErrorCode::UNSUPPORTED_KEY_SIZE</code>. Supported values are
 128 and 256, with optional support for 192-bit AES keys.</p>

<p>The following parameters are particularly relevant for AES keys, but not
necessary to generate one:</p>

<ul>
  <li><code>Tag::BLOCK_MODE</code> specifies the block modes with which
  the new key may be used.</li>
  <li><code>Tag::PADDING</code> specifies the padding modes that may be
  used. This is only relevant for ECB and CBC modes.</li>
</ul>

<p>If the GCM block mode is specified, then provide the
<a href="/security/keystore/tags#min_mac_length">Tag::MIN_MAC_LENGTH</a>.
If omitted, the method returns <code>ErrorCode::MISSING_MIN_MAC_LENGTH</code>.
The tag's value is a multiple of 8 and between 96 and 128.</p>

<h4 id="generate_key_hmac_keys">HMAC keys</h4>

<p>The following parameters are required for HMAC key generation:</p>

<ul>
  <li><a href="/security/keystore/tags#key_size">Tag::KEY_SIZE</a>
  specifies the key size in bits. Values smaller than 64
  and values that are not multiples of 8 are not supported. All
  multiples of 8, from 64 to 512, are supported. Larger values may be supported.</li>
  <li><a href="/security/keystore/tags#min_mac_length">Tag::MIN_MAC_LENGTH</a>
  specifies the minimum length of
  MACs that can be generated or verified with this key. The value is a multiple of
  8 and at least 64.</li>
  <li><a href="/security/keystore/tags#digest">Tag::DIGEST</a>
  specifies the digest algorithm for the key. Exactly
  one digest is specified, otherwise return <code>ErrorCode::UNSUPPORTED_DIGEST</code>.
  If the digest is not supported by the trustlet, return
  <code>ErrorCode::UNSUPPORTED_DIGEST</code>.</li>
</ul>

<h4 id="key_characteristics">Key characteristics</h4>

<p>If the characteristics argument is non-NULL,
<code>generateKey</code> returns the newly-generated
key's characteristics divided appropriately
into hardware-enforced and software-enforced lists.
See <a href="#get_key_characteristics">getKeyCharacteristics</a>
for a description of which characteristics go in which list. The returned
characteristics include all of the parameters specified to key generation,
except <a href="/security/keystore/tags#application_id">Tag::APPLICATION_ID</a> and
<a href="/security/keystore/tags#application_data">Tag::APPLICATION_DATA</a>.
If these tags were included in the key parameters, they are removed from
the returned characteristics so that it is not be possible to find their values by
examining the returned key blob. However, they are cryptographically bound
to the key blob, so that if the correct values are not provided when the key is
used, usage fails. Similarly,
<a href="/security/keystore/tags#root_of_trust">Tag::ROOT_OF_TRUST</a> is
cryptographically bound to the key, but it may not be specified during
key creation or import and is never returned.</p>

<p>In addition to the provided tags, the trustlet also
adds <a href="/security/keystore/tags#origin">Tag::ORIGIN</a>,
with the value <code>KeyOrigin::GENERATED</code>,
and if the key is rollback resistant,
<a href="/security/keystore/tags#rollback_resistant">Tag::ROLLBACK_RESISTANT</a>.</p>

<h4 id="rollback_resistance">Rollback resistance</h4>

<p>Rollback resistance means that once a key is deleted with
<a href="#delete_key">deleteKey</a> or <a href="#delete_all_keys">deleteAllKeys</a>,
it is guaranteed by secure hardware never to be usable again. Implementations
without rollback resistance typically return generated or imported key
material to the caller as a key blob, an encrypted and authenticated form. When
keystore deletes the key blob, the key is gone, but an attacker who has
previously managed to retrieve the key material can potentially restore it to
the device.</p>

<p>A key is rollback resistant if the secure hardware guarantees that deleted keys
cannot be restored later. This is generally done by storing additional key
metadata in a trusted location that cannot be manipulated by an attacker. On
mobile devices, the mechanism used for this is usually Replay Protected Memory
Blocks (RPMB). Because the number of keys that may be created is essentially
unbounded and the trusted storage used for rollback resistance may be limited
in size, this method needs to succeed even if rollback resistance
cannot be provided for the new key. In that case,
<a href="/security/keystore/tags#rollback_resistant">Tag::ROLLBACK_RESISTANT</a>
should not be added to the key characteristics.</p>

<h3 id="get_key_characteristics">getKeyCharacteristics</h3>

<p><strong>Version</strong>: 1, 2, 3</p>
<p>This function was introduced in Keymaster 1 as <code>get_key_characteristics</code>
and renamed in Keymaster 3.</p>

<p>Returns parameters and authorizations associated with the provided key, divided
into two sets: hardware-enforced and software-enforced. The description here
applies equally to the key characteristics lists returned
by <a href="#generate_key">generateKey</a> and <a href="#import_key">importKey</a>.</p>

<p>If <code>Tag::APPLICATION_ID</code> was provided during key generation
or import, the same value is provided to
this method in the <code>clientId</code> argument. Otherwise, the
method returns <code>ErrorCode::INVALID_KEY_BLOB</code>. Similarly,
if <code>Tag::APPLICATION_DATA</code> was provided during generation
or import, the same value is provided to
this method in the <code>appData</code> argument.</p>

<p>The characteristics returned by this method completely describe the type and
usage of the specified key.</p>

<p>The general rule for deciding whether a given tag belongs in the
hardware-enforced or software-enforced list is that if the meaning of the tag
is fully assured by secure hardware, it is hardware enforced. Otherwise, it's
software enforced. Below is a list of specific tags whose correct allocation
may be unclear:</p>

<ul>
  <li><a href="/security/keystore/tags#algorithm">Tag::ALGORITHM</a>,
   <a href="/security/keystore/tags#key_size">Tag::KEY_SIZE</a>,
  and <a href="/security/keystore/tags#rsa_public_exponent">Tag::RSA_PUBLIC_EXPONENT</a>
  are intrinsic properties of the key. For any key that is secured by hardware,
  these tags will be in the hardware-enforced list.</li>
  <li><a href="/security/keystore/tags#digest">Tag::DIGEST</a> values
  that are supported by the secure hardware are placed in the
  hardware-supported list. Unsupported digests go in the software-supported list.</li>
  <li><a href="/security/keystore/tags#padding">Tag::PADDING</a> values
  generally go in the hardware-supported list, unlessthere is a
  possibility that a specific padding mode may have to be performed by software.
  In that case, they go in the software-enforced list. Such a possibility
  arises for RSA keys that permit PSS or OAEP padding with digest algorithms
  that are not supported by the secure hardware.</li>
  <li><a href="/security/keystore/tags#user_secure_id">Tag::USER_SECURE_ID</a>
  and <a href="/security/keystore/tags#mac_length">Tag::USER_AUTH_TYPE</a>
  are hardware-enforced only if user authentication is hardware enforced. To
  accomplish this, the Keymaster trustlet and the relevant authentication
  trustlet both have to be secure and share a secret HMAC key used to sign and
  validate authentication tokens. See the
  <a href="/security/authentication/">Authentication</a> page for details.</li>
  <li><a href="/security/keystore/tags#active_datetime">Tag::ACTIVE_DATETIME</a>,
  <a href="/security/keystore/tags#origination_expire_datetime">Tag::ORIGINATION_EXPIRE_DATETIME</a>,
  and <a href="/security/keystore/tags#usage_expire_datetime">Tag::USAGE_EXPIRE_DATETIME</a> tags
  require access to a verifiably correct wall clock. Most secure hardware
  only has access to time information provided by the non-secure OS, which
  means the tags are software enforced.</li>
  <li><a href="/security/keystore/tags#origin">Tag::ORIGIN</a> is
  always in the hardware list for hardware-bound keys. Its presence in that
  list is the way higher layers determine that a key is hardware-backed.</li>
</ul>

<h3 id="import_key">importKey</h3>

<p><strong>Version</strong>: 1, 2, 3</p>
<p>This function was introduced in Keymaster 1 as <code>import_key</code>
and renamed in Keymaster 3.</p>

<p>Imports key material into Keymaster hardware. Key definition parameters and
output characteristics are handled the same as for <code>generateKey</code>,
with the following exceptions:</p>

<ul>
  <li><a href="/security/keystore/tags#key_size">Tag::KEY_SIZE</a> and
  <a href="/security/keystore/tags#rsa_public_exponent">Tag::RSA_PUBLIC_EXPONENT</a>
  (for RSA keys only) are not necessary in the input parameters. If not provided,
  the trustlet deduces the values from the provided key material and adds
  appropriate tags and values to the key characteristics. If the parameters are
  provided, the trustlet validates them against the key material. In the
  event of a mismatch, the method returns <code>ErrorCode::IMPORT_PARAMETER_MISMATCH</code>.</li>
  <li>The returned <a href="/security/keystore/tags#origin">Tag::ORIGIN</a> has the
  same value as <code>KeyOrigin::IMPORTED</code>.</li>
</ul>

<h3 id="export_key">exportKey</h3>

<p><strong>Version</strong>: 1, 2, 3</p>
<p>This function was introduced in Keymaster 1 as <code>export_key</code>
and renamed in Keymaster 3.</p>

<p>Exports a public key from a Keymaster RSA or EC key pair.</p>

<p>If <code>Tag::APPLICATION_ID</code> was provided during key generation or import,
the same value is provided to this method in the
<code>clientId</code> argument. Otherwise, the method returns
<code>ErrorCode::INVALID_KEY_BLOB</code>. Similarly, if
<code>Tag::APPLICATION_DATA</code>
was provided during generation or import, the same value is provided to
this method in the <code>appData</code> argument.</p>

<h3 id="delete_key">deleteKey</h3>

<p><strong>Version</strong>: 1, 2, 3</p>
<p>This function was introduced in Keymaster 1 as <code>delete_key</code>
and renamed in Keymaster 3.</p>

<p>Deletes the provided key. This method is optional, and is only
implemented by Keymaster modules that provide rollback resistance.</p>

<h3 id="delete_all_keys">deleteAllKeys</h3>

<p><strong>Version</strong>: 1, 2, 3</p>
<p>This function was introduced in Keymaster 1 as <code>delete_all_keys</code>
and renamed in Keymaster 3.</p>

<p>Deletes all keys. This method is optional, and is only implemented
by Keymaster modules that provide rollback resistance.</p>


<h3 id="destroy_attestation_ids">destroyAttestationIds</h3>
<p><strong>Version</strong>: 3</p>
<p>
The <code>destroyAttestationIds()</code> method is used to permanently
disable the new (optional, but highly recommended)
<a href="/security/keystore/attestation#id-attestation">ID attestation</a>
feature. If the TEE has no way to ensure that ID attestation is permanently
disabled after this method is called, then ID attestation must not be
implemented at all, in which case this method does nothing and
returns <code>ErrorCode::UNIMPLEMENTED</code>. If ID attestation is
supported, this method needs to be implemented and must permanently disable
all future ID attestation attempts. The method may be called any number of
times. If ID attestation is permanently disabled already, the method does
nothing and returns <code>ErrorCode::OK</code>.
</p>
<p>
The only error codes this method may return are
<code>ErrorCode::UNIMPLEMENTED</code> (if ID attestation is not supported),
<code>ErrorCode:OK</code>, <code>ErrorCode::KEYMASTER_NOT_CONFIGURED</code> or
one of the error codes indicating a failure to communicate with the secure
hardware.
</p>

<h3 id="begin">begin</h3>

<p><strong>Version</strong>: 1, 2, 3</p>

<p>Begins a cryptographic operation, using the specified key, for the specified
purpose, with the specified parameters (as appropriate), and returns an
operation handle that is used with <a href="#update">update</a> and <a
href="#finish">finish</a> to complete the operation. The operation handle is
also used as the "challenge" token in authenticated operations, and for such
operations is included in the <code>challenge</code> field of the
authentication token.</p>

<p>A Keymaster implementation supports at least 16 concurrent
operations. Keystore uses up to 15, leaving one for vold to use for password
encryption. When Keystore has 15 operations in progress (<code>begin</code> has
been called, but <code>finish</code> or <code>abort</code> have not yet been
called) and it receives a request to begin a 16th, it calls
<code>abort</code> on the least-recently used operation to reduce the number of
active operations to 14 before calling <code>begin</code> to start the
newly-requested operation.</p>

<p>If <a href="/security/keystore/tags#application_id">Tag::APPLICATION_ID</a>
or <a href="#application_data">Tag::APPLICATION_DATA</a> were specified
during key generation or import, calls to <code>begin</code> include those
tags with the originally-specified values in the <code>inParams</code> argument
to this method.</p>

<h4 id="begin_authorization_enforcement">Authorization enforcement</h4>

<p>During this method, the following key authorizations are enforced by the
trustlet if the implementation placed them in the "hardware-enforced"
characteristics and if the operation is not a public key operation. Public key
operations, meaning <code>KeyPurpose::ENCRYPT</code> and <code>KeyPurpose::VERIFY</code>,
with RSA or EC keys, are allowed to succeed even if authorization
requirements are not met.</p>

<ul>
  <li><a href="/security/keystore/tags#purpose">Tag::PURPOSE</a>: The purpose
   specified in the <code>begin()</code> call has to match one of the purposes
   in the key authorizations, unless the requested operation is a public key
   operation. If the specified purpose does not match and the operation is not
   a public key operation, <code>begin</code> will return
   <code>ErrorCode::UNSUPPORTED_PURPOSE</code>. Public key operations are
   asymmetric encryption or verification operations.</li>
  <li><a href="/security/keystore/tags#active_datetime">Tag::ACTIVE_DATETIME</a>
  can only be enforced if a trusted UTC time source is available. If the
  current date and time is prior to the tag value, the method returns
  <code>ErrorCode::KEY_NOT_YET_VALID</code>.</li>
  <li><a href="/security/keystore/tags#origination_expire_datetime">Tag::ORIGINATION_EXPIRE_DATETIME</a>
  can only be enforced if a trusted UTC time source is available. If the
  current date and time is later than the tag value and the purpose is
  <code>KeyPurpose::ENCRYPT</code> or <code>KeyPurpose::SIGN</code>, the method
  returns <code>ErrorCode::KEY_EXPIRED</code>.</li>
  <li><a href="/security/keystore/tags#usage_expire_datetime">Tag::USAGE_EXPIRE_DATETIME</a>
  can only be enforced if a trusted UTC time source is available. If the
  current date and time is later than the tag value and the purpose is
  <code>KeyPurpose::DECRYPT</code> or <code>KeyPurpose::VERIFY</code>, the method
  returns <code>ErrorCode::KEY_EXPIRED</code>.</li>
  <li><a href="/security/keystore/tags#min_seconds_between_ops">Tag::MIN_SECONDS_BETWEEN_OPS</a>
  is compared with a trusted relative timer indicating the last use of
  the key. If the last use time plus the tag value is less than the current time,
  the method returns <code>ErrorCode::KEY_RATE_LIMIT_EXCEEDED</code>. See the
  <a href="/security/keystore/tags#min_seconds_between_ops">tag description</a>
  for important implementation details.</li>
  <li><a href="/security/keystore/tags#max_uses_per_boot">Tag::MAX_USES_PER_BOOT</a>
  is compared against a secure counter that tracks the uses of the key
  since boot time. If the count of previous uses exceeds the tag value, the
  method returns <code>ErrorCode::KEY_MAX_OPS_EXCEEDED</code>.</li>
  <li><a href="/security/keystore/tags#user_secure_id">Tag::USER_SECURE_ID</a>
  is enforced by this method only if the key also has
  <a href="/security/keystore/tags#auth_timeout">Tag::AUTH_TIMEOUT</a>.
  If the key has both, then this method must receive a valid
  <a href="/security/keystore/tags#auth_token">Tag::AUTH_TOKEN</a> in
  <code>inParams</code>. For the auth token to be valid, all of the following
  has to be true:
   <ul>
     <li>The HMAC field validates correctly.</li>
     <li>At least one of the
     <a href="/security/keystore/tags#user_secure_id">Tag::USER_SECURE_ID</a>
     values from the key matches at least one of the secure ID values in the
     token.</li>
     <li>The key has a
     <a href="/security/keystore/tags#mac_length">Tag::USER_AUTH_TYPE</a>
     that matches the auth type in the token.</li>
   </ul>
  <p>If any of these conditions aren't met, the method returns
  <code>ErrorCode::KEY_USER_NOT_AUTHENTICATED</code>.</p></li>
  <li><a href="/security/keystore/tags#caller_nonce">Tag::CALLER_NONCE</a>
  allows the caller to specify a nonce or initialization vector (IV). If the key
  doesn't have this tag, but the caller provided
  <a href="/security/keystore/tags#nonce">Tag::NONCE</a> to this method,
  <code>ErrorCode::CALLER_NONCE_PROHIBITED</code> is returned.</li>
  <li><a href="/security/keystore/tags#bootloader_only">Tag::BOOTLOADER_ONLY</a>
   specifies that only the bootloader may use the key. If this method is
   called with a bootloader-only key after the bootloader has finished executing,
   it returns <code>ErrorCode::INVALID_KEY_BLOB</code>.</li>
</ul>

<h4 id="begin_rsa_keys">RSA keys</h4>

<p>All RSA key operations specify exactly one padding mode in <code>inParams</code>.
If unspecified or specified more than once, the method returns
<code>ErrorCode::UNSUPPORTED_PADDING_MODE</code>.</p>

<p>RSA signing and verification operations need a digest, as do RSA encryption
and decryption operations with OAEP padding mode. For those cases, the caller
specifies exactly one digest in <code>inParams</code>. If unspecified or specified
more than once, the method returns <code>ErrorCode::UNSUPPORTED_DIGEST</code>.</p>

<p>Private key operations (<code>KeyPurpose::DECYPT</code> and <code>KeyPurpose::SIGN</code>)
need authorization of digest and padding, which means that the key authorizations
need to contain the specified values. If not, the method returns
<code>ErrorCode::INCOMPATIBLE_DIGEST</code>
or <code>ErrorCode::INCOMPATIBLE_PADDING</code>, as appropriate. Public key operations
(<code>KeyPurpose::ENCRYPT</code> and <code>KeyPurpose::VERIFY</code>) are permitted with
unauthorized digest or padding.</p>

<p>With the exception of <code>PaddingMode::NONE</code>, all RSA padding modes are
applicable only to certain purposes. Specifically,
<code>PaddingMode::RSA_PKCS1_1_5_SIGN</code> and <code>PaddingMode::RSA_PSS</code>
only support signing and verification, while <code>PaddingMode::RSA_PKCS1_1_1_5_ENCRYPT</code>
and <code>PaddingMode::RSA_OAEP</code> only support encryption and decryption.
The method returns <code>ErrorCode::UNSUPPORTED_PADDING_MODE</code> if the
specified mode does not support the specified purpose.</p>

<p>There are some important interactions between padding modes and digests:</p>

<ul>

  <li><code>PaddingMode::NONE</code> indicates that a "raw" RSA operation is
  performed. If signing or verifying, <code>Digest::NONE</code> is
  specified for the digest. No digest is necessary for unpadded encryption or
  decryption.</li>
  <li><code>PaddingMode::RSA_PKCS1_1_5_SIGN</code> padding requires a digest. The
  digest may be <code>Digest::NONE</code>, in which case the Keymaster
  implementation cannot build a proper PKCS#1 v1.5 signature structure, because
  it cannot add the DigestInfo structure. Instead, the implementation
  constructs <code>0x00 || 0x01 || PS || 0x00 || M</code>, where M is the
  provided message and PS is the padding string. The size of the RSA key has to
  be at least 11 bytes larger than the message, otherwise the method returns
  <code>ErrorCode::INVALID_INPUT_LENGTH</code>.</li>
  <li><code>PaddingMode::RSA_PKCS1_1_1_5_ENCRYPT</code> padding does not require a digest.</li>
  <li><code>PaddingMode::RSA_PSS</code> padding requires a digest, which may not be
  <code>Digest::NONE</code>. If <code>Digest::NONE</code> is specified, the
  method returns <code>ErrorCode::INCOMPATIBLE_DIGEST</code>. In addition, the
  size of the RSA key has to be at least 2 + D bytes larger than the output
  size of the digest, where D is the size of the digest, in bytes. Otherwise
  the method returns <code>ErrorCode::INCOMPATIBLE_DIGEST</code>. The salt size
  is D.</li>
  <li><code>PaddingMode::RSA_OAEP</code> padding requires a digest, which may not be
  <code>Digest::NONE</code>. If <code>Digest::NONE</code> is specified, the
  method returns <code>ErrorCode::INCOMPATIBLE_DIGEST</code>.</li>
</ul>

<h4 id="begin_ec_keys">EC keys</h4>

<p>EC key operations specify exactly one padding mode in <code>inParams</code>.
If unspecified or specified more than once, the method
returns <code>ErrorCode::UNSUPPORTED_PADDING_MODE</code>.</p>

<p>Private key operations (<code>KeyPurpose::SIGN</code>) need authorization
of digest and padding, which means that the key authorizations
need to contain the specified values. If not, return
<code>ErrorCode::INCOMPATIBLE_DIGEST</code>. Public key operations
(<code>KeyPurpose::VERIFY</code>) are permitted with unauthorized digest or padding.</p>

<h4 id="begin_aes_keys">AES keys</h4>

<p>AES key operations specify exactly one block mode and one padding mode
in <code>inParams</code>. If either value is unspecified or specified more
than once, return <code>ErrorCode::UNSUPPORTED_BLOCK_MODE</code> or
<code>ErrorCode::UNSUPPORTED_PADDING_MODE</code>. The specified modes have to be
authorized by the key, otherwise the method returns
<code>ErrorCode::INCOMPATIBLE_BLOCK_MODE</code> or
<code>ErrorCode::INCOMPATIBLE_PADDING_MODE</code>.</p>

<p>If the block mode is <code>BlockMode::GCM</code>, <code>inParams</code>
specifies <code>Tag::MAC_LENGTH</code>, and the
specified value is a multiple of 8 that is not greater than 128
or less than the value of <code>Tag::MIN_MAC_LENGTH</code> in the
key authorizations. For MAC lengths greater than 128 or non-multiples of
8, return <code>ErrorCode::UNSUPPORTED_MAC_LENGTH</code>. For values less
than the key's minimum length, return <code>ErrorCode::INVALID_MAC_LENGTH</code>.</p>

<p>If the block mode is <code>BlockMode::GCM</code> or <code>BlockMode::CTR</code>,
the specified padding mode has to be <code>PaddingMode::NONE</code>.
For <code>BlockMode::ECB</code> or <code>BlockMode::CBC</code>, the mode may be
<code>PaddingMode::NONE</code> or <code>PaddingMode::PKCS7</code>. If the padding mode
doesn't meet these conditions, return <code>ErrorCode::INCOMPATIBLE_PADDING_MODE</code>.</p>

<p>If the block mode is <code>BlockMode::CBC</code>, <code>BlockMode::CTR</code>,
or <code>BlockMode::GCM</code>, an initialization vector or nonce is needed.
In most cases, callers shouldn't provide an IV or nonce. In that case, the
Keymaster implementation generates a random IV or nonce and returns it via
<a href="/security/keystore/tags#nonce">Tag::NONCE</a> in <code>outParams</code>.
CBC and CTR IVs are 16 bytes. GCM nonces are 12 bytes. If the key
authorizations contain
<a href="/security/keystore/tags#caller_nonce">Tag::CALLER_NONCE</a>,
then the caller may provide an IV/nonce with
<a href="/security/keystore/tags#nonce">Tag::NONCE</a>
in <code>inParams</code>. If a nonce is provided when
<a href="/security/keystore/tags#caller_nonce">Tag::CALLER_NONCE</a>
is not authorized, return <code>ErrorCode::CALLER_NONCE_PROHIBITED</code>.
If a nonce is not provided when
<a href="/security/keystore/tags#caller_nonce">Tag::CALLER_NONCE</a>
is authorized, generate a random IV/nonce.</p>

<h4 id="begin_hmac_keys">HMAC keys</h4>

<p>HMAC key operations specify <code>Tag::MAC_LENGTH</code> in <code>inParams</code>.
The specified value must be a multiple of 8 that is not greater than the
digest length or less than the value of <code>Tag::MIN_MAC_LENGTH</code>
in the key authorizations. For MAC lengths greater than the digest length or
non-multiples of 8, return <code>ErrorCode::UNSUPPORTED_MAC_LENGTH</code>.
For values less than the key's minimum length, return
<code>ErrorCode::INVALID_MAC_LENGTH</code>.</p>

<h3 id="update">update</h3>

<p><strong>Version</strong>: 1, 2, 3</p>

<p>Provides data to process in an ongoing operation started with <a href="#begin">begin</a>.
The operation is specified by the <code>operationHandle</code> parameter.</p>

<p>To provide more flexibility for buffer handling, implementations of this method
have the option of consuming less data than was provided. The caller is
responsible for looping to feed the rest of the data in subsequent calls. The
amount of input consumed is returned in the <code>inputConsumed</code> parameter.
Implementations always consume at least one byte, unless the
operation cannot accept any more; if more than zero bytes are provided and zero
bytes are consumed, callers consider this an error and abort the operation.</p>

<p>Implementations may also choose how much data to return, as a result of the
update. This is only relevant for encryption and decryption operations, because
signing and verification return no data until <a href="#finish">finish</a>.
Return data as early as possible, rather than buffer it.</p>

<h4 id="error_handling">Error handling</h4>

<p>If this method returns an error code other than <code>ErrorCode::OK</code>,
the operation is aborted and the operation handle is invalidated. Any
future use of the handle, with this method,
<a href="#finish">finish</a>, or <a href="#abort">abort</a>,
returns <code>ErrorCode::INVALID_OPERATION_HANDLE</code>.</p>

<h4 id="update_authorization_enforcement">Authorization enforcement</h4>

<p>Key authorization enforcement is performed primarily in <a href="#begin">begin</a>.
The one exception is the case where the key has:</p>

<ul>
  <li>One or more <a href="/security/keystore/tags#user_secure_id">Tag::USER_SECURE_IDs</a>, and</li>
  <li>Does not have a <a href="/security/keystore/tags#auth_timeout">Tag::AUTH_TIMEOUT</a></li>
</ul>

<p>In this case, the key requires an authorization per operation, and the update
method receives a <a href="/security/keystore/tags#auth_token">Tag::AUTH_TOKEN</a>
in the <code>inParams</code> argument. HMAC verifies that the token is valid and contains
a matching secure user ID, matches the key's
<a href="/security/keystore/tags#mac_length">Tag::USER_AUTH_TYPE</a>,
and contains the operation handle of the current operation in the
challenge field. If these conditions aren't met, return
<code>ErrorCode::KEY_USER_NOT_AUTHENTICATED</code>.</p>

<p>The caller provides the authentication token to every call to <a href="#update">update</a> and
<a href="#finish">finish</a>. The implementation need only validate the token once if it prefers.</p>

<h4 id="update_rsa_keys">RSA keys</h4>

<p>For signing and verification operations with <code>Digest::NONE</code>,
this method accepts the entire block to be signed or verified in a single
update. It may not consume only a portion of the block. However, if the caller
chooses to provide the data in multiple updates, this method accepts it.
If the caller provides more data to sign than can be used (length of
data exceeds RSA key size), return <code>ErrorCode::INVALID_INPUT_LENGTH</code>.</p>

<h4 id="update_ecdsa_keys">ECDSA keys</h4>

<p>For signing and verification operations with <code>Digest::NONE</code>,
this method accepts the entire block to be signed or verified in a single
update. This method may not consume only a portion of the block.</p>

<p>However, if the caller chooses to provide the data in multiple updates,
this method accepts it. If the caller provides more data to sign
than can be used, the data is silently truncated. (This differs from the
handling of excess data provided in similar RSA operations. The reason for this
is compatibility with legacy clients.)</p>

<h4 id="update_aes_keys">AES keys</h4>

<p>AES GCM mode supports "associated authentication data," provided via the
<a href="/security/keystore/tags#associated_data">Tag::ASSOCIATED_DATA</a>
tag in the <code>inParams</code> argument.
The associated data may be provided in repeated calls (important if
the data is too large to send in a single block) but always precedes data
to be encrypted or decrypted. An update call may receive both associated data
and data to encrypt/decrypt, but subsequent updates may not include associated
data. If the caller provides associated data to an update call after a call
that includes data to encrypt/decrypt, return <code>ErrorCode::INVALID_TAG</code>.</p>

<p>For GCM encryption, the tag is appended to the ciphertext by
<a href="#finish">finish</a>. During decryption, the last
<code>Tag::MAC_LENGTH</code> bytes of the data provided to the last
update call is the tag. Since a given invocation of
<a href="#update">update</a> cannot know if it's the last invocation,
it processes all but the tag length and buffer the possible tag data
during <a href="#finish">finish</a>.</p>

<h3 id="finish">finish</h3>

<p><strong>Version</strong>: 1, 2, 3</p>

<p>Finishes an ongoing operation started with <a href="#begin">begin</a>,
processing all of the as-yet-unprocessed data provided by
<a href="#update">update</a>(s).</p>

<p>This method is the last one called in an operation, so all
processed data is returned.</p>

<p>Whether it completes successfully or returns an error, this method finalizes
the operation and therefore invalidates the provided operation handle. Any
future use of the handle, with this method or <a href="#update">update</a> or
<a href="#abort">abort</a>, returns <code>ErrorCode::INVALID_OPERATION_HANDLE</code>.</p>

<p>Signing operations return the signature as the output. Verification operations
accept the signature in the <code>signature</code> parameter, and return no output.</p>

<h4 id="finish_authorization_enforcement">Authorization enforcement</h4>

<p>Key authorization enforcement is performed primarily in
<a href="#begin">begin</a>. The one exception is the case where the key has:</p>

<ul>
  <li>One or more
  <a href="/security/keystore/tags#user_secure_id">Tag::USER_SECURE_IDs</a>, and</li>
  <li>Does not have a
  <a href="/security/keystore/tags#auth_timeout">Tag::AUTH_TIMEOUT</a></li>
</ul>

<p>In this case, the key requires an authorization per operation, and the update
method receives a <a href="/security/keystore/tags#auth_token">Tag::AUTH_TOKEN</a>
in the <code>inParams</code> argument. HMAC verifies that the token
is valid and contains a matching secure user ID, matches the key's
<a href="/security/keystore/tags#mac_length">Tag::USER_AUTH_TYPE</a>, and
contains the operation handle of the current operation in the
challenge field. If these conditions aren't met, return
<code>ErrorCode::KEY_USER_NOT_AUTHENTICATED</code>.</p>

<p>The caller provides the authentication token to every call to
<a href="#update">update</a> and <a href="#finish">finish</a>.
The implementation need only validate the token once if it prefers.</p>

<h4 id="finish_rsa_keys">RSA keys</h4>

<p>Some additional requirements, depending on the padding mode:</p>

<ul>
  <li><code>PaddingMode::NONE</code>. For unpadded signing and encryption operations,
  if the provided data is shorter than the key, the data is be zero-padded on
  the left before signing/encryption. If the data is the same length as the key,
  but numerically larger, return <code>ErrorCode::INVALID_ARGUMENT</code>. For
  verification and decryption operations, the data must be exactly as long
  as the key. Otherwise, return <code>ErrorCode::INVALID_INPUT_LENGTH.</code></li>
  <li><code>PaddingMode::RSA_PSS</code>. For PSS-padded signature operations,
  the PSS salt is at least 20 bytes in length and randomly-generated.
  The salt may be longer; the reference implementation uses maximally-sized salt.
  The digest specified with <a href="/security/keystore/tags#digest">Tag::DIGEST</a>
  in <code>inputParams</code> on <a href="#begin">begin</a> is used as the PSS digest
  algorithm, and SHA1 is used as the MGF1 digest algorithm.</li>
  <li><code>PaddingMode::RSA_OAEP</code>. The digest specified with
  <a href="/security/keystore/tags#digest">Tag::DIGEST</a> in
  <code>inputParams</code> on <a href="#begin">begin</a> is used as the OAEP
  digest algorithm, and SHA1 is used as the MGF1 digest algorithm.</li>
</ul>

<h4 id="finish_ecdsa_keys">ECDSA keys</h4>

<p>If the data provided for unpadded signing or verification is too long, truncate
it.</p>

<h4 id="finish_aes_keys">AES keys</h4>

<p>Some additional conditions, depending on block mode:</p>

<ul>
  <li><code>BlockMode::ECB</code> or <code>BlockMode::CBC</code>.
  If padding is <code>PaddingMode::NONE</code> and the
  data length is not a multiple of the AES block size, return
  <code>ErrorCode::INVALID_INPUT_LENGTH</code>. If padding is
  <code>PaddingMode::PKCS7</code>, pad the data per the PKCS#7 specification.
  Note that PKCS#7 recommends adding an additional padding block
  if the data is a multiple of the block length.</li>
  <li><code>BlockMode::GCM</code>. During encryption, after processing
  all plaintext, compute the tag
  (<a href="/security/keystore/tags#mac_length">Tag::MAC_LENGTH</a> bytes)
  and append it to the returned ciphertext. During decryption, process
  the last <a href="/security/keystore/tags#mac_length">Tag::MAC_LENGTH</a>
  bytes as the tag. If tag verification fails, return
  <code>ErrorCode::VERIFICATION_FAILED</code>.</li>
</ul>

<h3 id="abort">abort</h3>

<p><strong>Version</strong>: 1, 2, 3</p>

<p>Aborts the in-progress operation. After the call to abort, return
<code>ErrorCode::INVALID_OPERATION_HANDLE</code> for
any subsequent use of the provided operation handle with <a href="#update">update</a>,
<a href="#finish">finish</a>, or <a href="#abort">abort</a>.</p>

<h3 id="get_supported_algorithms">get_supported_algorithms</h3>

<p><strong>Version</strong>: 1</p>

<p>Returns the list of algorithms supported by the Keymaster hardware
implementation. A software implementation returns an empty list; a hybrid
implementation returns a list containing only the algorithms that are
supported by hardware.</p>

<p>Keymaster 1 implementations support RSA, EC, AES and HMAC.</p>


<h3 id="get_supported_block_modes">get_supported_block_modes</h3>

<p><strong>Version</strong>: 1</p>

<p>Returns the list of AES block modes supported by the Keymaster hardware
implementation for a specified algorithm and purpose.</p>

<p>For RSA, EC and HMAC, which are not block ciphers, the method returns an
empty list for all valid purposes. Invalid purposes should cause the method to
return <code>ErrorCode::INVALID_PURPOSE</code>.</p>

<p>Keymaster 1 implementations support ECB, CBC, CTR and GCM for AES
encryption and decryption.</p>


<h3 id="get_supported_padding_modes">get_supported_padding_modes</h3>

<p><strong>Version</strong>: 1</p>

<p>Returns the list of padding modes supported by the Keymaster hardware
implementation for a specified algorithm and purpose.</p>

<p>HMAC and EC have no notion of padding so the method returns an empty list
for all valid purposes. Invalid purposes should cause the method to return
<code>ErrorCode::INVALID_PURPOSE</code>.</p>

<p>For RSA, Keymaster 1 implementations support:</p>

<ul>
  <li>Unpadded encryption, decryption, signing and verification. For unpadded
encryption and signing, if the message is shorter than the public modulus,
implementations must left-pad it with zeros. For unpadded decryption and
verification, the input length must match the public modulus size.</li>
  <li>PKCS#1 v1.5 encryption and signing padding modes</li>
  <li>PSS with a minimum salt length of 20</li>
  <li>OAEP</li>
</ul>

<p>For AES in ECB and CBC modes, Keymaster 1 implementations support no
padding and PKCS#7-padding. CTR and GCM modes support only no padding.</p>


<h3 id="get_supported_digests">get_supported_digests</h3>

<p><strong>Version</strong>: 1</p>

<p>Returns the list of digest modes supported by the Keymaster hardware
implementation for a specified algorithm and purpose.</p>

<p>No AES modes support or require digesting, so the method returns an empty
list for valid purposes.</p>

<p>Keymaster 1 implementations can implement a subset of the defined
digests. Implementations provide SHA-256 and can provide MD5, SHA1, SHA-224,
SHA-256, SHA384 and SHA512 (the full set of defined digests).</p>

<h3 id="get_supported_import_formats">get_supported_import_formats</h3>

<p><strong>Version</strong>: 1</p>

<p>Returns the list of import formats supported by the Keymaster hardware
implementation of a specified algorithm.</p>

<p>Keymaster 1 implementations support the PKCS#8 format (without password
protection) for importing RSA and EC key pairs, and support RAW import of
AES and HMAC key material.</p>

<h3 id="get_supported_export_formats">get_supported_export_formats</h3>

<p><strong>Version</strong>: 1</p>

<p>Returns the list of export formats supported by the Keymaster hardware
implementation of a specified algorithm.</p>

<p>Keymaster1 implementations support the X.509 format for exporting RSA and
EC public keys. Export of private keys or asymmetric keys is not supported.</p>


<h2 id="historical-functions">Historical functions</h2>

<h3 id="km0">Keymaster 0</h3>
<p>
The following functions belong to the original Keymaster 0 definition. They
were present in Keymaster 1 struct keymaster1_device_t. However, in Keymaster
1.0 they were not implemented, and their function pointers were set to NULL.
</p>
<ul>
<li><code>generate_keypair</code></li>
<li><code>import_keypair</code></li>
<li><code>get_keypair_public</code></li>
<li><code>delete_keypair</code></li>
<li><code>delete_all</code></li>
<li><code>sign_data</code></li>
<li><code>Verify_data</code></li>
</ul>

<h3 id="km1">Keymaster 1</h3>
<p>The following functions belong to the Keymaster 1 definition, but were
removed in Keymaster 2, along with the Keymaster 0 functions listed above.
</p>
<ul>
  <li><code>get_supported_algorithms</code></li>
  <li><code>get_supported_block_modes</code></li>
  <li><code>get_supported_padding_modes</code></li>
  <li><code>get_supported_digests</code></li>
  <li><code> get_supported_import_formats</code></li>
  <li><code>get_supported_export_formats</code></li>
</ul>

<h3 id="km2">Keymaster 2</h3>
<p>The following functions belong to the Keymaster 2 definition, but were
removed in Keymaster 3, along with the Keymaster 1 functions listed above.
</p>
<ul>
  <li><code>configure</code></li>
</ul>
  </body>
</html>