Smart Energy Security#

This file describes functionality for Certificate Based Key Exchange (CBKE). This is used by Smart Energy devices to generate and store ephemeral ECC keys, derive the SMACs for the Key establishment protocol, and sign messages using their private key for the Demand Response Load Control client cluster.

See cbke-crypto-engine.h for source code.

Functions#

sl_status_t
sl_zigbee_get_certificate(sl_zigbee_certificate_data_t *result)

Retrieve the implicit certificate stored in the MFG tokens of the device.

sl_status_t
sl_zigbee_generate_cbke_keys(void)

Begin the process of generating an ephemeral public/private ECC key pair.

sl_status_t
sl_zigbee_calculate_smacs(bool amInitiator, sl_zigbee_certificate_data_t *partnerCert, sl_zigbee_public_key_data_t *partnerEphemeralPublicKey)

Begin the process of generating the shared secret, the new link key, and the Secured Message Authentication Code (SMAC).

sl_status_t
sl_zigbee_clear_temporary_data_maybe_store_link_key(bool storeLinkKey)

Call when all CBKE operations are done. Any temporary data created during calls to sl_zigbee_generate_cbke_keys() or sl_zigbee_calculate_smacs() is wiped out. If the local device has validated that the partner device has generated the same SMACS as itself, it should set 'storeLinkKey' to true. Otherwise it should pass in false.

sl_status_t
sl_zigbee_dsa_sign(sli_buffer_manager_buffer_t messageToSign)
void
sl_zigbee_generate_cbke_keys_handler(sl_status_t status, sl_zigbee_public_key_data_t *ephemeralPublicKey)
void
sl_zigbee_calculate_smacs_handler(sl_status_t status, sl_zigbee_smac_data_t *initiatorSmac, sl_zigbee_smac_data_t *responderSmac)
void
sl_zigbee_dsa_sign_handler(sl_status_t status, uint8_t messageLength, uint8_t *messageContents)

Application callback that must be defined when using CBKE. This callback is provided to the application to let it know that the ECC operations have completed and the radio has been turned back on. When using the sign-and-send option of the sl_zigbee_aps_frame_t, SL_ZIGBEE_APS_OPTION_DSA_SIGN, the handler will NOT return the complete signed message. This callback is merely informative. If sl_zigbee_dsa_sign() has been called, the message plus signature will be returned to the caller and it must be sent separately by one of the message send primitives (such as sl_zigbee_send_unicast()).

sl_status_t
sl_zigbee_set_preinstalled_cbke_data(sl_zigbee_public_key_data_t *caPublic, sl_zigbee_certificate_data_t *myCert, sl_zigbee_private_key_data_t *myKey)
bool
sl_zigbee_get_stack_certificate_eui64(sl_802154_long_addr_t certEui64)
sl_status_t
sl_zigbee_dsa_verify(sl_zigbee_message_digest_t *digest, sl_zigbee_certificate_data_t *signerCertificate, sl_zigbee_signature_data_t *receivedSig)
void
sl_zigbee_dsa_verify_handler(sl_status_t status)
sl_status_t
sl_zigbee_get_certificate_283k1(sl_zigbee_certificate_283k1_data_t *result)

Retrieves the implicit certificate stored in the MFG tokens of the device.

sl_status_t
sl_zigbee_generate_cbke_keys_283k1(void)

Begin the process of generating an ephemeral public/private ECC key pair.

sl_status_t
sl_zigbee_calculate_smacs_283k1(bool amInitiator, sl_zigbee_certificate_283k1_data_t *partnerCert, sl_zigbee_public_key_283k1_data_t *partnerEphemeralPublicKey)

Begin the process of generating the shared secret, the new link key, and the Secured Message Authentication Code (SMAC).

sl_status_t
sl_zigbee_clear_temporary_data_maybe_store_link_key_283k1(bool storeLinkKey)

Call when all CBKE 283k1 operations are done. Any temporary data created during calls to sl_zigbee_generate_cbke_keys_283k1() or sl_zigbee_calculate_smacs_283k1() is wiped out. If the local device has validated that the partner device has generated the same SMACS as itself, it should set 'storeLinkKey' to true. Otherwise it should pass in false.

void
sl_zigbee_generate_cbke_keys_283k1_handler(sl_status_t status, sl_zigbee_public_key_283k1_data_t *ephemeralPublicKey)
void
sl_zigbee_calculate_smacs_283k1_handler(sl_status_t status, sl_zigbee_smac_data_t *initiatorSmac, sl_zigbee_smac_data_t *responderSmac)
sl_status_t
sl_zigbee_set_preinstalled_cbke_data_283k1(const sl_zigbee_public_key_283k1_data_t *caPublic, const sl_zigbee_certificate_283k1_data_t *myCert, const sl_zigbee_private_key_283k1_data_t *myKey)
sl_status_t
sl_zigbee_dsa_verify_283k1(const sl_zigbee_message_digest_t *digest, const sl_zigbee_certificate_283k1_data_t *signerCertificate, const sl_zigbee_signature_283k1_data_t *receivedSig)

Function Documentation#

sl_zigbee_get_certificate#

sl_status_t sl_zigbee_get_certificate (sl_zigbee_certificate_data_t * result)

Retrieve the implicit certificate stored in the MFG tokens of the device.

Parameters
N/Aresult

A pointer to an sl_zigbee_certificate_data_t structure where the retrieved certificate will be stored.

Returns

  • ::SL_STATUS_OK if the certificate was successfully retrieved. ::SL_STATUS_FAIL if the token contains uninitialized data.


Definition at line 48 of file stack/include/cbke-crypto-engine.h

sl_zigbee_generate_cbke_keys#

sl_status_t sl_zigbee_generate_cbke_keys (void )

Begin the process of generating an ephemeral public/private ECC key pair.

Parameters
N/A

If no other ECC operation is going on, it will immediately return with ::SL_STATUS_IN_PROGRESS. It will delay a period of time to let APS retries take place, but then it will shutdown the radio and consume the CPU processing until the key generation is complete. This may take up to 1 second.

The generated results of the key generation is returned via sl_zigbee_generate_cbke_keys_handler().

Returns

  • ::SL_STATUS_IN_PROGRESS if the stack has queued up the operation for execution.


Definition at line 65 of file stack/include/cbke-crypto-engine.h

sl_zigbee_calculate_smacs#

sl_status_t sl_zigbee_calculate_smacs (bool amInitiator, sl_zigbee_certificate_data_t * partnerCert, sl_zigbee_public_key_data_t * partnerEphemeralPublicKey)

Begin the process of generating the shared secret, the new link key, and the Secured Message Authentication Code (SMAC).

Parameters
N/AamInitiator

This bool indicates whether or not the device is the one that initiated the CBKE with the remote device, or whether it was the responder to the exchange.

N/ApartnerCert

A pointer to an sl_zigbee_certificate_data_t structure that contains the CBKE partner's implicit certificate.

N/ApartnerEphemeralPublicKey

A pointer to an sl_zigbee_public_key_data_t structure that contains the CBKE partner's ephemeral public key.

If no other ECC operation is going on, it will immediately return with ::SL_STATUS_IN_PROGRESS. It will delay a period of time to let APS retries take place, but then it will shutdown the radio and consume the CPU processing until SMACs calculations are complete. This may take up to 3.5 seconds.

The calculated SMACS are returned via sl_zigbee_calculate_smacs_handler().

Returns

  • ::SL_STATUS_IN_PROGRESS if the stack has queued up the operation for execution.


Definition at line 89 of file stack/include/cbke-crypto-engine.h

sl_zigbee_clear_temporary_data_maybe_store_link_key#

sl_status_t sl_zigbee_clear_temporary_data_maybe_store_link_key (bool storeLinkKey)

Call when all CBKE operations are done. Any temporary data created during calls to sl_zigbee_generate_cbke_keys() or sl_zigbee_calculate_smacs() is wiped out. If the local device has validated that the partner device has generated the same SMACS as itself, it should set 'storeLinkKey' to true. Otherwise it should pass in false.

Parameters
N/AstoreLinkKey

This tells the stack whether to store the newly generated link key, or discard it.

Returns

  • If storeLinkkey is false, this function returns ::SL_STATUS_FAIL always. If storeLinkKey is true, then this function returns the results of whether or not the link key was stored. ::SL_STATUS_OK is returned when key was stored successfully.


Definition at line 107 of file stack/include/cbke-crypto-engine.h

sl_zigbee_dsa_sign#

sl_status_t sl_zigbee_dsa_sign (sli_buffer_manager_buffer_t messageToSign)
Parameters
N/AmessageToSign

Definition at line 147 of file stack/include/cbke-crypto-engine.h

sl_zigbee_generate_cbke_keys_handler#

void sl_zigbee_generate_cbke_keys_handler (sl_status_t status, sl_zigbee_public_key_data_t * ephemeralPublicKey)
Parameters
N/Astatus
N/AephemeralPublicKey

Definition at line 161 of file stack/include/cbke-crypto-engine.h

sl_zigbee_calculate_smacs_handler#

void sl_zigbee_calculate_smacs_handler (sl_status_t status, sl_zigbee_smac_data_t * initiatorSmac, sl_zigbee_smac_data_t * responderSmac)
Parameters
N/Astatus
N/AinitiatorSmac
N/AresponderSmac

Definition at line 178 of file stack/include/cbke-crypto-engine.h

sl_zigbee_dsa_sign_handler#

void sl_zigbee_dsa_sign_handler (sl_status_t status, uint8_t messageLength, uint8_t * messageContents)

Application callback that must be defined when using CBKE. This callback is provided to the application to let it know that the ECC operations have completed and the radio has been turned back on. When using the sign-and-send option of the sl_zigbee_aps_frame_t, SL_ZIGBEE_APS_OPTION_DSA_SIGN, the handler will NOT return the complete signed message. This callback is merely informative. If sl_zigbee_dsa_sign() has been called, the message plus signature will be returned to the caller and it must be sent separately by one of the message send primitives (such as sl_zigbee_send_unicast()).

Parameters
N/Astatus

This is the ::sl_status_t value indicating the success or failure of the operation.

N/AmessageLength

Length of the newly signed message, if sl_zigbee_dsa_sign() was called.

N/AmessageContents

This is the newly signed message, if sl_zigbee_dsa_sign() was called. If message was signed using SL_ZIGBEE_APS_OPTION_DSA_SIGN then this will be NULL.


Definition at line 200 of file stack/include/cbke-crypto-engine.h

sl_zigbee_set_preinstalled_cbke_data#

sl_status_t sl_zigbee_set_preinstalled_cbke_data (sl_zigbee_public_key_data_t * caPublic, sl_zigbee_certificate_data_t * myCert, sl_zigbee_private_key_data_t * myKey)
Parameters
N/AcaPublic
N/AmyCert
N/AmyKey

Definition at line 254 of file stack/include/cbke-crypto-engine.h

sl_zigbee_get_stack_certificate_eui64#

bool sl_zigbee_get_stack_certificate_eui64 (sl_802154_long_addr_t certEui64)
Parameters
N/AcertEui64

Definition at line 269 of file stack/include/cbke-crypto-engine.h

sl_zigbee_dsa_verify#

sl_status_t sl_zigbee_dsa_verify (sl_zigbee_message_digest_t * digest, sl_zigbee_certificate_data_t * signerCertificate, sl_zigbee_signature_data_t * receivedSig)
Parameters
N/Adigest
N/AsignerCertificate
N/AreceivedSig

Definition at line 277 of file stack/include/cbke-crypto-engine.h

sl_zigbee_dsa_verify_handler#

void sl_zigbee_dsa_verify_handler (sl_status_t status)
Parameters
N/Astatus

Definition at line 287 of file stack/include/cbke-crypto-engine.h

sl_zigbee_get_certificate_283k1#

sl_status_t sl_zigbee_get_certificate_283k1 (sl_zigbee_certificate_283k1_data_t * result)

Retrieves the implicit certificate stored in the MFG tokens of the device.

Parameters
N/Aresult

A pointer to an sl_zigbee_certificate_283k1_data_t structure where the retrieved certificate will be stored.

Returns

  • ::SL_STATUS_OK if the certificate was successfully retrieved. ::SL_STATUS_FAIL if the token contains uninitialized data.


Definition at line 302 of file stack/include/cbke-crypto-engine.h

sl_zigbee_generate_cbke_keys_283k1#

sl_status_t sl_zigbee_generate_cbke_keys_283k1 (void )

Begin the process of generating an ephemeral public/private ECC key pair.

Parameters
N/A

If no other ECC operation is going on, it will immediately return with ::SL_STATUS_IN_PROGRESS. It will delay a period of time to let APS retries take place, but then it will shutdown the radio and consume the CPU processing until the key generation is complete. This may take up to 1 second.

The generated results of the key generation is returned via sl_zigbee_generate_cbke_keys_283k1_handler().

Returns

  • ::SL_STATUS_IN_PROGRESS if the stack has queued up the operation for execution.


Definition at line 319 of file stack/include/cbke-crypto-engine.h

sl_zigbee_calculate_smacs_283k1#

sl_status_t sl_zigbee_calculate_smacs_283k1 (bool amInitiator, sl_zigbee_certificate_283k1_data_t * partnerCert, sl_zigbee_public_key_283k1_data_t * partnerEphemeralPublicKey)

Begin the process of generating the shared secret, the new link key, and the Secured Message Authentication Code (SMAC).

Parameters
N/AamInitiator

This bool indicates whether or not the device is the one that initiated the CBKE with the remote device, or whether it was the responder to the exchange.

N/ApartnerCert

A pointer to an sl_zigbee_certificate_283k1_data_t structure that contains the CBKE partner's implicit certificate.

N/ApartnerEphemeralPublicKey

A pointer to an sl_zigbee_public_key_283k1_data_t structure that contains the CBKE partner's ephemeral public key.

If no other ECC operation is going on, it will immediately return with ::SL_STATUS_IN_PROGRESS. It will delay a period of time to let APS retries take place, but then it will shutdown the radio and consume the CPU processing until SMACs calculations are complete. This may take up to 3.5 seconds.

The calculated SMACS are returned via sl_zigbee_calculate_smacs_handler().

Returns

  • ::SL_STATUS_IN_PROGRESS if the stack has queued up the operation for execution.


Definition at line 343 of file stack/include/cbke-crypto-engine.h

sl_zigbee_clear_temporary_data_maybe_store_link_key_283k1#

sl_status_t sl_zigbee_clear_temporary_data_maybe_store_link_key_283k1 (bool storeLinkKey)

Call when all CBKE 283k1 operations are done. Any temporary data created during calls to sl_zigbee_generate_cbke_keys_283k1() or sl_zigbee_calculate_smacs_283k1() is wiped out. If the local device has validated that the partner device has generated the same SMACS as itself, it should set 'storeLinkKey' to true. Otherwise it should pass in false.

Parameters
N/AstoreLinkKey

This tells the stack whether to store the newly generated link key, or discard it.

Returns

  • If storeLinkkey is false, this function returns ::SL_STATUS_FAIL always. If storeLinkKey is true, then this function returns the results of whether or not the link key was stored. ::SL_STATUS_OK is returned when key was stored successfully.


Definition at line 361 of file stack/include/cbke-crypto-engine.h

sl_zigbee_generate_cbke_keys_283k1_handler#

void sl_zigbee_generate_cbke_keys_283k1_handler (sl_status_t status, sl_zigbee_public_key_283k1_data_t * ephemeralPublicKey)
Parameters
N/Astatus
N/AephemeralPublicKey

Definition at line 375 of file stack/include/cbke-crypto-engine.h

sl_zigbee_calculate_smacs_283k1_handler#

void sl_zigbee_calculate_smacs_283k1_handler (sl_status_t status, sl_zigbee_smac_data_t * initiatorSmac, sl_zigbee_smac_data_t * responderSmac)
Parameters
N/Astatus
N/AinitiatorSmac
N/AresponderSmac

Definition at line 392 of file stack/include/cbke-crypto-engine.h

sl_zigbee_set_preinstalled_cbke_data_283k1#

sl_status_t sl_zigbee_set_preinstalled_cbke_data_283k1 (const sl_zigbee_public_key_283k1_data_t * caPublic, const sl_zigbee_certificate_283k1_data_t * myCert, const sl_zigbee_private_key_283k1_data_t * myKey)
Parameters
N/AcaPublic
N/AmyCert
N/AmyKey

Definition at line 424 of file stack/include/cbke-crypto-engine.h

sl_zigbee_dsa_verify_283k1#

sl_status_t sl_zigbee_dsa_verify_283k1 (const sl_zigbee_message_digest_t * digest, const sl_zigbee_certificate_283k1_data_t * signerCertificate, const sl_zigbee_signature_283k1_data_t * receivedSig)
Parameters
N/Adigest
N/AsignerCertificate
N/AreceivedSig

Definition at line 434 of file stack/include/cbke-crypto-engine.h