rdkcentral · Ulrond · Apr 1, 2026 · Apr 1, 2026 · Apr 1, 2026 · Apr 1, 2026
diff --git a/cryptoengine/current/CMakeLists.txt b/cryptoengine/current/CMakeLists.txt
@@ -0,0 +1,31 @@
+cmake_minimum_required(VERSION 3.8)
+project(CryptoEngine LANGUAGES NONE VERSION 1.0)
+
+if (NOT COMMAND compile_aidl)
+    message(FATAL_ERROR "Do not invoke module level CMake directly!\nInvoke CMake at root level instead!")
+endif()
+
+set(SRC_DIR com/rdk/hal/cryptoengine)
+
+set(SRC
+    ${SRC_DIR}/ICryptoEngine.aidl
+    ${SRC_DIR}/ICryptoEngineController.aidl
+    ${SRC_DIR}/ICryptoOperation.aidl
+    ${SRC_DIR}/CryptoConfig.aidl
+    ${SRC_DIR}/EngineCapabilities.aidl
+    ${SRC_DIR}/Algorithm.aidl
+    ${SRC_DIR}/BlockMode.aidl
+    ${SRC_DIR}/Digest.aidl
+    ${SRC_DIR}/EcCurve.aidl
+    ${SRC_DIR}/KeyDerivation.aidl
+    ${SRC_DIR}/KeyPurpose.aidl
+    ${SRC_DIR}/KeyType.aidl
+    ${SRC_DIR}/PaddingMode.aidl
+    ${SRC_DIR}/SecurityLevel.aidl
+)
+
+set(INCLUDE_DIRECTORY
+    .
+)
+
+compile_aidl(${SRC} INCLUDE_DIRECTORY ${INCLUDE_DIRECTORY})
diff --git a/cryptoengine/current/com/rdk/hal/cryptoengine/Algorithm.aidl b/cryptoengine/current/com/rdk/hal/cryptoengine/Algorithm.aidl
@@ -0,0 +1,42 @@
+/*
+ * If not stated otherwise in this file or this component's LICENSE file the
+ * following copyright and licenses apply:
+ *
+ * Copyright 2026 RDK Management
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.rdk.hal.cryptoengine;
+
+/**
+ * @brief Cryptographic algorithms.
+ *
+ * Based on PRD Firebolt Cryptography Capabilities requirements and
+ * W3C WebCrypto algorithm registry.
+ */
+@VintfStability
+@Backing(type="int")
+enum Algorithm {
+    /** Not configured. Must be explicitly set by the caller. */
+    UNSET = -1,
+    /** AES symmetric cipher (128, 192, 256-bit). */
+    AES = 0,
+    /** Elliptic Curve (ECDSA sign/verify, ECDH key agreement, Ed25519). */
+    EC = 1,
+    /** HMAC message authentication code. */
+    HMAC = 2,
+    /** RSA asymmetric cipher (RSA-OAEP, RSA-PSS, RSASSA-PKCS1-v1_5). */
+    RSA = 3,
+    /** ChaCha20-Poly1305 authenticated encryption. */
+    CHACHA20_POLY1305 = 4,
+}
diff --git a/cryptoengine/current/com/rdk/hal/cryptoengine/BlockMode.aidl b/cryptoengine/current/com/rdk/hal/cryptoengine/BlockMode.aidl
@@ -0,0 +1,39 @@
+/*
+ * If not stated otherwise in this file or this component's LICENSE file the
+ * following copyright and licenses apply:
+ *
+ * Copyright 2026 RDK Management
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.rdk.hal.cryptoengine;
+
+/**
+ * @brief Block cipher modes.
+ */
+@VintfStability
+@Backing(type="int")
+enum BlockMode {
+    /** Not configured. Must be explicitly set by the caller. */
+    UNSET = -1,
+    /** Cipher Block Chaining. */
+    CBC = 0,
+    /** Counter mode. */
+    CTR = 1,
+    /** Galois/Counter Mode (authenticated encryption). */
+    GCM = 2,
+    /** Electronic Codebook (not recommended for general use). */
+    ECB = 3,
+    /** AES Key Wrap (RFC 3394). */
+    KW = 4,
+}
diff --git a/cryptoengine/current/com/rdk/hal/cryptoengine/CryptoConfig.aidl b/cryptoengine/current/com/rdk/hal/cryptoengine/CryptoConfig.aidl
@@ -0,0 +1,112 @@
+/*
+ * If not stated otherwise in this file or this component's LICENSE file the
+ * following copyright and licenses apply:
+ *
+ * Copyright 2026 RDK Management
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.rdk.hal.cryptoengine;
+
+import com.rdk.hal.cryptoengine.Algorithm;
+import com.rdk.hal.cryptoengine.BlockMode;
+import com.rdk.hal.cryptoengine.Digest;
+import com.rdk.hal.cryptoengine.EcCurve;
+import com.rdk.hal.cryptoengine.KeyDerivation;
+import com.rdk.hal.cryptoengine.PaddingMode;
+
+/**
+ * @brief Configuration for a crypto operation.
+ *
+ * Used with ICryptoEngineController.begin() when operating on
+ * caller-provided key material (not vault-managed keys).
+ *
+ * Describes the full set of parameters needed for any supported
+ * crypto operation. Callers must explicitly set all fields relevant
+ * to the requested operation. Fields default to UNSET and the
+ * implementation must reject operations with unconfigured required fields.
+ */
+@VintfStability
+parcelable CryptoConfig {
+
+    // -- Algorithm selection --
+
+    /** Algorithm to use (AES, EC, HMAC, RSA, ChaCha20-Poly1305). Must be set. */
+    Algorithm algorithm = Algorithm.UNSET;
+
+    // -- Symmetric cipher parameters --
+
+    /** Block mode for AES operations (CBC, CTR, GCM, ECB, KW). */
+    BlockMode blockMode = BlockMode.UNSET;
+    /** Padding mode (NONE, PKCS7 for AES; RSA_OAEP, RSA_PSS for RSA). */
+    PaddingMode paddingMode = PaddingMode.UNSET;
+    /** Key size in bits (128, 192, 256 for AES; 2048, 3072, 4096 for RSA). 0 = not set. */
+    int keySizeBits = 0;
+    /** Raw key material for standalone operations. Empty when using vault-managed keys. */
+    byte[] keyData = {};
+
+    /** Initialization vector or nonce.
+     *
+     *  If null, the engine auto-generates a random IV using the hardware RNG
+     *  and prepends it to the ciphertext output. On decrypt, the engine reads
+     *  the IV from the first bytes of the ciphertext input.
+     *
+     *  If provided, the engine uses the given IV as-is and does NOT prepend it
+     *  to the output. The caller is responsible for storing and providing the
+     *  IV on decrypt.
+     *
+     *  Sizes: AES-CBC/CTR: 16 bytes. AES-GCM: 12 bytes. ChaCha20: 12 bytes. */
+    @nullable byte[] iv;
+
+    // -- Authenticated encryption parameters (GCM, ChaCha20-Poly1305) --
+
+    /** Additional authenticated data. Authenticated but not encrypted. */
+    @nullable byte[] aad;
+    /** Authentication tag length in bits (GCM: 96, 104, 112, 120, 128). 0 = not set. */
+    int macLengthBits = 0;
+
+    // -- Digest / HMAC parameters --
+
+    /** Digest algorithm for HMAC, sign/verify, and KDF operations. */
+    Digest digest = Digest.UNSET;
+
+    // -- Elliptic curve parameters --
+
+    /** EC curve for key generation or agreement (P-256, P-384, Ed25519, X25519). */
+    EcCurve ecCurve = EcCurve.UNSET;
+
+    // -- Key derivation parameters --
+
+    /** Key derivation function (HKDF, PBKDF2, NFLX-DH, DH). */
+    KeyDerivation kdf = KeyDerivation.UNSET;
+    /** Salt for HKDF or PBKDF2. Null for unsalted derivation.
+     *  HKDF: recommended HashLen bytes (e.g. 32 for SHA-256), any length valid.
+     *  PBKDF2: minimum 16 bytes (NIST SP 800-132). */
+    @nullable byte[] salt;
+    /** Info/context string for HKDF. */
+    @nullable byte[] info;
+    /** Iteration count for PBKDF2. 0 = not set. */
+    int pbkdf2Iterations = 0;
+    /** Desired output key length in bits for key derivation. 0 = not set. */
+    int derivedKeyLengthBits = 0;
+
+    // -- RSA parameters --
+
+    /** RSA public exponent. Only used for RSA key generation. 0 = not set. */
+    long rsaPublicExponent = 0;
+
+    // -- Key wrapping --
+
+    /** Wrapped key data for unwrap operations. */
+    @nullable byte[] wrappedKeyData;
+}
diff --git a/cryptoengine/current/com/rdk/hal/cryptoengine/Digest.aidl b/cryptoengine/current/com/rdk/hal/cryptoengine/Digest.aidl
@@ -0,0 +1,39 @@
+/*
+ * If not stated otherwise in this file or this component's LICENSE file the
+ * following copyright and licenses apply:
+ *
+ * Copyright 2026 RDK Management
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.rdk.hal.cryptoengine;
+
+/**
+ * @brief Digest algorithms.
+ *
+ * Aligned with W3C WebCrypto digest algorithms.
+ */
+@VintfStability
+@Backing(type="int")
+enum Digest {
+    /** Not configured. Must be explicitly set by the caller. */
+    UNSET = -1,
+    NONE = 0,
+    SHA_2_224 = 2,
+    SHA_2_256 = 3,
+    SHA_2_384 = 4,
+    SHA_2_512 = 5,
+    SHA_3_256 = 6,
+    SHA_3_384 = 7,
+    SHA_3_512 = 8,
+}
diff --git a/cryptoengine/current/com/rdk/hal/cryptoengine/EcCurve.aidl b/cryptoengine/current/com/rdk/hal/cryptoengine/EcCurve.aidl
@@ -0,0 +1,41 @@
+/*
+ * If not stated otherwise in this file or this component's LICENSE file the
+ * following copyright and licenses apply:
+ *
+ * Copyright 2026 RDK Management
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.rdk.hal.cryptoengine;
+
+/**
+ * @brief Elliptic curve identifiers.
+ *
+ * Aligned with W3C WebCrypto named curves.
+ */
+@VintfStability
+@Backing(type="int")
+enum EcCurve {
+    /** Not configured. Must be explicitly set by the caller. */
+    UNSET = -1,
+    /** NIST P-256 (secp256r1). Used by ECDSA and ECDH. */
+    P_256 = 0,
+    /** NIST P-384 (secp384r1). */
+    P_384 = 1,
+    /** NIST P-521 (secp521r1). */
+    P_521 = 2,
+    /** Curve25519 for Ed25519 signing. */
+    ED25519 = 3,
+    /** Curve25519 for X25519 key agreement. */
+    X25519 = 4,
+}
diff --git a/cryptoengine/current/com/rdk/hal/cryptoengine/EngineCapabilities.aidl b/cryptoengine/current/com/rdk/hal/cryptoengine/EngineCapabilities.aidl
@@ -0,0 +1,50 @@
+/*
+ * If not stated otherwise in this file or this component's LICENSE file the
+ * following copyright and licenses apply:
+ *
+ * Copyright 2026 RDK Management
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.rdk.hal.cryptoengine;
+
+import com.rdk.hal.cryptoengine.Algorithm;
+import com.rdk.hal.cryptoengine.BlockMode;
+import com.rdk.hal.cryptoengine.Digest;
+import com.rdk.hal.cryptoengine.SecurityLevel;
+
+/**
+ * @brief Capabilities of a crypto engine instance.
+ *
+ * Returned by ICryptoEngine.getCapabilities() to allow callers to
+ * introspect what the engine supports on this platform.
+ */
+@VintfStability
+parcelable EngineCapabilities {
+    /** HAL version string. */
+    @utf8InCpp String halVersion;
+    /** Security level of this engine (SOFTWARE or TEE). */
+    SecurityLevel securityLevel = SecurityLevel.SOFTWARE;
+    /** Supported algorithms. */
+    Algorithm[] algorithms = {};
+    /** Supported block modes. */
+    BlockMode[] blockModes = {};
+    /** Supported digests. */
+    Digest[] digests = {};
+    /** Supported key sizes in bits. */
+    int[] keySizes = {};
+    /** Maximum concurrent operations. */
+    int maxConcurrentOperations = 0;
+    /** Whether hardware crypto acceleration is available. */
+    boolean hardwareAccelerated = false;
+}