/*
 * Copyright (C) 2023 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
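package android.hardware.macsec;

/**
 * MACsec (IEEE 802.1AE) pre-shared key plugin for wpa_supplicant.
 *
 * This service provides the cryptographic operations that use the MACsec
 * Connectivity Association Key (CAK). Every operation selects its key by
 * keyId; addTestKey is the only method that takes raw CAK bytes.
 *
 * NOTE(review): this file does not specify how failures (for example an
 * unknown keyId) are reported to the caller -- confirm against the
 * implementation before relying on a particular error behaviour.
 */
@VintfStability
interface IMacsecPskPlugin {
    /**
     * Injects a key so that xTS tests can verify implementation correctness.
     * For test use only; not called in production.
     *
     * No access restriction is declared on this method in this file.
     * NOTE(review): confirm that production implementations reject this call
     * or otherwise limit it to the test harness, since it installs a
     * caller-supplied CAK.
     *
     * @param keyId is the key id to add
     * @param CAK is the Connectivity Association Key (CAK) to set
     * @param CKN is the Connectivity Association Key Name (CKN) to set
     */
    void addTestKey(in byte[] keyId, in byte[] CAK, in byte[] CKN);

    /**
     * Computes an AES-CMAC over data with the ICV key (ICK).
     * Same as ieee802_1x_icv_aes_cmac in wpa_supplicant.
     *
     * This call only computes the value; comparing it with a received ICV is
     * left to the caller (a constant-time comparison is the usual choice).
     *
     * @param keyId is the key id to be used for AES-CMAC
     * @param data is the buffer over which the ICV is calculated
     *
     * @return Integrity check value (ICV).
     */
    byte[] calcIcv(in byte[] keyId, in byte[] data);

    /**
     * Runs the KDF with the CAK to generate a Secure Association Key (SAK).
     * Same as ieee802_1x_sak_aes_cmac in wpa_supplicant.
     *
     * The result is plaintext key material and should be handled as such by
     * the caller (kept out of logs, not retained longer than needed).
     *
     * @param keyId is the key id to be used for the KDF
     * @param data is the key seed (random number)
     * @param sakLength is the length in bytes of the generated SAK (16 or 32).
     *        NOTE(review): behaviour for any other value is not specified
     *        here; implementations should reject it rather than truncate or
     *        pad -- confirm.
     *
     * @return Secure Association Key (SAK).
     */
    byte[] generateSak(in byte[] keyId, in byte[] data, in int sakLength);

    /**
     * Encrypts (wraps) a SAK with the Key Encrypting Key (KEK).
     * Same as aes_wrap with kek.key in wpa_supplicant; with that function
     * (AES Key Wrap, RFC 3394) the output is 8 bytes longer than the input.
     *
     * @param keyId is the key id to be used for encryption
     * @param sak is the SAK (16 or 32 bytes) to be wrapped
     *
     * @return data wrapped with the Key Encrypting Key (KEK).
     */
    byte[] wrapSak(in byte[] keyId, in byte[] sak);

    /**
     * Decrypts (unwraps) a wrapped SAK with the Key Encrypting Key (KEK).
     * Same as aes_unwrap with kek.key in wpa_supplicant. aes_unwrap fails
     * when the integrity check of the wrapped blob does not match; how this
     * plugin reports that failure is not specified in this file.
     *
     * The result is plaintext key material and should be handled as such by
     * the caller.
     *
     * @param keyId is the key id to be used for decryption
     * @param sak is the wrapped SAK
     *
     * @return data unwrapped with the KEK.
     */
    byte[] unwrapSak(in byte[] keyId, in byte[] sak);
}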