Smart Energy Security#

This file describes functionality for Certificate Based Key Exchange (CBKE). This is used by Smart Energy devices to generate and store ephemeral ECC keys, derive the SMACs for the Key establishment protocol, and sign messages using their private key for the Demand Response Load Control client cluster.

See cbke-crypto-engine.h for source code.

Functions#

sl_status_t
sl_zigbee_get_certificate(sl_zigbee_certificate_data_t *result)

Retrieve the implicit certificate stored in the MFG tokens of the device.

sl_status_t
sl_zigbee_generate_cbke_keys(void)

Begin the process of generating an ephemeral public/private ECC key pair.

sl_status_t
sl_zigbee_calculate_smacs(bool amInitiator, sl_zigbee_certificate_data_t *partnerCert, sl_zigbee_public_key_data_t *partnerEphemeralPublicKey)

Begin the process of generating the shared secret, the new link key, and the Secured Message Authentication Code (SMAC).

sl_status_t
sl_zigbee_clear_temporary_data_maybe_store_link_key(bool storeLinkKey)

Call when all CBKE operations are done. Any temporary data created during calls to sl_zigbee_generate_cbke_keys() or sl_zigbee_calculate_smacs() is wiped out. If the local device has validated that the partner device has generated the same SMACS as itself, it should set 'storeLinkKey' to true. Otherwise it should pass in false.

sl_status_t
sl_zigbee_dsa_sign(sli_buffer_manager_buffer_t messageToSign)
void
sl_zigbee_generate_cbke_keys_handler(sl_status_t status, sl_zigbee_public_key_data_t *ephemeralPublicKey)
void
sl_zigbee_calculate_smacs_handler(sl_status_t status, sl_zigbee_smac_data_t *initiatorSmac, sl_zigbee_smac_data_t *responderSmac)
void
sl_zigbee_dsa_sign_handler(sl_status_t status, uint8_t messageLength, uint8_t *messageContents)

Application callback that must be defined when using CBKE. This callback is provided to the application to let it know that the ECC operations have completed and the radio has been turned back on. When using the sign-and-send option of the sl_zigbee_aps_frame_t, SL_ZIGBEE_APS_OPTION_DSA_SIGN, the handler will NOT return the complete signed message. This callback is merely informative. If sl_zigbee_dsa_sign() has been called, the message plus signature will be returned to the caller and it must be sent separately by one of the message send primitives (such as sl_zigbee_send_unicast()).

sl_status_t
sl_zigbee_set_preinstalled_cbke_data(sl_zigbee_public_key_data_t *caPublic, sl_zigbee_certificate_data_t *myCert, sl_zigbee_private_key_data_t *myKey)
bool
sl_zigbee_get_stack_certificate_eui64(sl_802154_long_addr_t certEui64)
sl_status_t
sl_zigbee_dsa_verify(sl_zigbee_message_digest_t *digest, sl_zigbee_certificate_data_t *signerCertificate, sl_zigbee_signature_data_t *receivedSig)
void
sl_zigbee_dsa_verify_handler(sl_status_t status)
sl_status_t
sl_zigbee_get_certificate_283k1(sl_zigbee_certificate_283k1_data_t *result)

Retrieves the implicit certificate stored in the MFG tokens of the device.

sl_status_t
sl_zigbee_generate_cbke_keys_283k1(void)

Begin the process of generating an ephemeral public/private ECC key pair.

sl_status_t
sl_zigbee_calculate_smacs_283k1(bool amInitiator, sl_zigbee_certificate_283k1_data_t *partnerCert, sl_zigbee_public_key_283k1_data_t *partnerEphemeralPublicKey)

Begin the process of generating the shared secret, the new link key, and the Secured Message Authentication Code (SMAC).

sl_status_t
sl_zigbee_clear_temporary_data_maybe_store_link_key_283k1(bool storeLinkKey)

Call when all CBKE 283k1 operations are done. Any temporary data created during calls to sl_zigbee_generate_cbke_keys_283k1() or sl_zigbee_calculate_smacs_283k1() is wiped out. If the local device has validated that the partner device has generated the same SMACS as itself, it should set 'storeLinkKey' to true. Otherwise it should pass in false.

void
sl_zigbee_generate_cbke_keys_283k1_handler(sl_status_t status, sl_zigbee_public_key_283k1_data_t *ephemeralPublicKey)
void
sl_zigbee_calculate_smacs_283k1_handler(sl_status_t status, sl_zigbee_smac_data_t *initiatorSmac, sl_zigbee_smac_data_t *responderSmac)
sl_status_t
sl_zigbee_set_preinstalled_cbke_data_283k1(const sl_zigbee_public_key_283k1_data_t *caPublic, const sl_zigbee_certificate_283k1_data_t *myCert, const sl_zigbee_private_key_283k1_data_t *myKey)
sl_status_t
sl_zigbee_dsa_verify_283k1(const sl_zigbee_message_digest_t *digest, const sl_zigbee_certificate_283k1_data_t *signerCertificate, const sl_zigbee_signature_283k1_data_t *receivedSig)

Function Documentation#

sl_zigbee_get_certificate#

sl_status_t sl_zigbee_get_certificate (sl_zigbee_certificate_data_t * result)

Retrieve the implicit certificate stored in the MFG tokens of the device.

Parameters
TypeDirectionArgument NameDescription
sl_zigbee_certificate_data_t *N/Aresult

A pointer to an sl_zigbee_certificate_data_t structure where the retrieved certificate will be stored.

Returns

  • ::SL_STATUS_OK if the certificate was successfully retrieved. ::SL_STATUS_FAIL if the token contains uninitialized data.


sl_zigbee_generate_cbke_keys#

sl_status_t sl_zigbee_generate_cbke_keys (void )

Begin the process of generating an ephemeral public/private ECC key pair.

Parameters
TypeDirectionArgument NameDescription
voidN/A

If no other ECC operation is going on, it will immediately return with ::SL_STATUS_IN_PROGRESS. It will delay a period of time to let APS retries take place, but then it will shutdown the radio and consume the CPU processing until the key generation is complete. This may take up to 1 second.

The generated results of the key generation is returned via sl_zigbee_generate_cbke_keys_handler().

Returns

  • ::SL_STATUS_IN_PROGRESS if the stack has queued up the operation for execution.


sl_zigbee_calculate_smacs#

sl_status_t sl_zigbee_calculate_smacs (bool amInitiator, sl_zigbee_certificate_data_t * partnerCert, sl_zigbee_public_key_data_t * partnerEphemeralPublicKey)

Begin the process of generating the shared secret, the new link key, and the Secured Message Authentication Code (SMAC).

Parameters
TypeDirectionArgument NameDescription
boolN/AamInitiator

This bool indicates whether or not the device is the one that initiated the CBKE with the remote device, or whether it was the responder to the exchange.

sl_zigbee_certificate_data_t *N/ApartnerCert

A pointer to an sl_zigbee_certificate_data_t structure that contains the CBKE partner's implicit certificate.

sl_zigbee_public_key_data_t *N/ApartnerEphemeralPublicKey

A pointer to an sl_zigbee_public_key_data_t structure that contains the CBKE partner's ephemeral public key.

If no other ECC operation is going on, it will immediately return with ::SL_STATUS_IN_PROGRESS. It will delay a period of time to let APS retries take place, but then it will shutdown the radio and consume the CPU processing until SMACs calculations are complete. This may take up to 3.5 seconds.

The calculated SMACS are returned via sl_zigbee_calculate_smacs_handler().

Returns

  • ::SL_STATUS_IN_PROGRESS if the stack has queued up the operation for execution.


sl_zigbee_clear_temporary_data_maybe_store_link_key#

sl_status_t sl_zigbee_clear_temporary_data_maybe_store_link_key (bool storeLinkKey)

Call when all CBKE operations are done. Any temporary data created during calls to sl_zigbee_generate_cbke_keys() or sl_zigbee_calculate_smacs() is wiped out. If the local device has validated that the partner device has generated the same SMACS as itself, it should set 'storeLinkKey' to true. Otherwise it should pass in false.

Parameters
TypeDirectionArgument NameDescription
boolN/AstoreLinkKey

This tells the stack whether to store the newly generated link key, or discard it.

Returns

  • If storeLinkkey is false, this function returns ::SL_STATUS_FAIL always. If storeLinkKey is true, then this function returns the results of whether or not the link key was stored. ::SL_STATUS_OK is returned when key was stored successfully.


sl_zigbee_dsa_sign#

sl_status_t sl_zigbee_dsa_sign (sli_buffer_manager_buffer_t messageToSign)
Parameters
TypeDirectionArgument NameDescription
sli_buffer_manager_buffer_tN/AmessageToSign

sl_zigbee_generate_cbke_keys_handler#

void sl_zigbee_generate_cbke_keys_handler (sl_status_t status, sl_zigbee_public_key_data_t * ephemeralPublicKey)
Parameters
TypeDirectionArgument NameDescription
sl_status_tN/Astatus
sl_zigbee_public_key_data_t *N/AephemeralPublicKey

sl_zigbee_calculate_smacs_handler#

void sl_zigbee_calculate_smacs_handler (sl_status_t status, sl_zigbee_smac_data_t * initiatorSmac, sl_zigbee_smac_data_t * responderSmac)
Parameters
TypeDirectionArgument NameDescription
sl_status_tN/Astatus
sl_zigbee_smac_data_t *N/AinitiatorSmac
sl_zigbee_smac_data_t *N/AresponderSmac

sl_zigbee_dsa_sign_handler#

void sl_zigbee_dsa_sign_handler (sl_status_t status, uint8_t messageLength, uint8_t * messageContents)

Application callback that must be defined when using CBKE. This callback is provided to the application to let it know that the ECC operations have completed and the radio has been turned back on. When using the sign-and-send option of the sl_zigbee_aps_frame_t, SL_ZIGBEE_APS_OPTION_DSA_SIGN, the handler will NOT return the complete signed message. This callback is merely informative. If sl_zigbee_dsa_sign() has been called, the message plus signature will be returned to the caller and it must be sent separately by one of the message send primitives (such as sl_zigbee_send_unicast()).

Parameters
TypeDirectionArgument NameDescription
sl_status_tN/Astatus

This is the ::sl_status_t value indicating the success or failure of the operation.

uint8_tN/AmessageLength

Length of the newly signed message, if sl_zigbee_dsa_sign() was called.

uint8_t *N/AmessageContents

This is the newly signed message, if sl_zigbee_dsa_sign() was called. If message was signed using SL_ZIGBEE_APS_OPTION_DSA_SIGN then this will be NULL.


sl_zigbee_set_preinstalled_cbke_data#

sl_status_t sl_zigbee_set_preinstalled_cbke_data (sl_zigbee_public_key_data_t * caPublic, sl_zigbee_certificate_data_t * myCert, sl_zigbee_private_key_data_t * myKey)
Parameters
TypeDirectionArgument NameDescription
sl_zigbee_public_key_data_t *N/AcaPublic
sl_zigbee_certificate_data_t *N/AmyCert
sl_zigbee_private_key_data_t *N/AmyKey

sl_zigbee_get_stack_certificate_eui64#

bool sl_zigbee_get_stack_certificate_eui64 (sl_802154_long_addr_t certEui64)
Parameters
TypeDirectionArgument NameDescription
sl_802154_long_addr_tN/AcertEui64

sl_zigbee_dsa_verify#

sl_status_t sl_zigbee_dsa_verify (sl_zigbee_message_digest_t * digest, sl_zigbee_certificate_data_t * signerCertificate, sl_zigbee_signature_data_t * receivedSig)
Parameters
TypeDirectionArgument NameDescription
sl_zigbee_message_digest_t *N/Adigest
sl_zigbee_certificate_data_t *N/AsignerCertificate
sl_zigbee_signature_data_t *N/AreceivedSig

sl_zigbee_dsa_verify_handler#

void sl_zigbee_dsa_verify_handler (sl_status_t status)
Parameters
TypeDirectionArgument NameDescription
sl_status_tN/Astatus

sl_zigbee_get_certificate_283k1#

sl_status_t sl_zigbee_get_certificate_283k1 (sl_zigbee_certificate_283k1_data_t * result)

Retrieves the implicit certificate stored in the MFG tokens of the device.

Parameters
TypeDirectionArgument NameDescription
sl_zigbee_certificate_283k1_data_t *N/Aresult

A pointer to an sl_zigbee_certificate_283k1_data_t structure where the retrieved certificate will be stored.

Returns

  • ::SL_STATUS_OK if the certificate was successfully retrieved. ::SL_STATUS_FAIL if the token contains uninitialized data.


sl_zigbee_generate_cbke_keys_283k1#

sl_status_t sl_zigbee_generate_cbke_keys_283k1 (void )

Begin the process of generating an ephemeral public/private ECC key pair.

Parameters
TypeDirectionArgument NameDescription
voidN/A

If no other ECC operation is going on, it will immediately return with ::SL_STATUS_IN_PROGRESS. It will delay a period of time to let APS retries take place, but then it will shutdown the radio and consume the CPU processing until the key generation is complete. This may take up to 1 second.

The generated results of the key generation is returned via sl_zigbee_generate_cbke_keys_283k1_handler().

Returns

  • ::SL_STATUS_IN_PROGRESS if the stack has queued up the operation for execution.


sl_zigbee_calculate_smacs_283k1#

sl_status_t sl_zigbee_calculate_smacs_283k1 (bool amInitiator, sl_zigbee_certificate_283k1_data_t * partnerCert, sl_zigbee_public_key_283k1_data_t * partnerEphemeralPublicKey)

Begin the process of generating the shared secret, the new link key, and the Secured Message Authentication Code (SMAC).

Parameters
TypeDirectionArgument NameDescription
boolN/AamInitiator

This bool indicates whether or not the device is the one that initiated the CBKE with the remote device, or whether it was the responder to the exchange.

sl_zigbee_certificate_283k1_data_t *N/ApartnerCert

A pointer to an sl_zigbee_certificate_283k1_data_t structure that contains the CBKE partner's implicit certificate.

sl_zigbee_public_key_283k1_data_t *N/ApartnerEphemeralPublicKey

A pointer to an sl_zigbee_public_key_283k1_data_t structure that contains the CBKE partner's ephemeral public key.

If no other ECC operation is going on, it will immediately return with ::SL_STATUS_IN_PROGRESS. It will delay a period of time to let APS retries take place, but then it will shutdown the radio and consume the CPU processing until SMACs calculations are complete. This may take up to 3.5 seconds.

The calculated SMACS are returned via sl_zigbee_calculate_smacs_handler().

Returns

  • ::SL_STATUS_IN_PROGRESS if the stack has queued up the operation for execution.


sl_zigbee_clear_temporary_data_maybe_store_link_key_283k1#

sl_status_t sl_zigbee_clear_temporary_data_maybe_store_link_key_283k1 (bool storeLinkKey)

Call when all CBKE 283k1 operations are done. Any temporary data created during calls to sl_zigbee_generate_cbke_keys_283k1() or sl_zigbee_calculate_smacs_283k1() is wiped out. If the local device has validated that the partner device has generated the same SMACS as itself, it should set 'storeLinkKey' to true. Otherwise it should pass in false.

Parameters
TypeDirectionArgument NameDescription
boolN/AstoreLinkKey

This tells the stack whether to store the newly generated link key, or discard it.

Returns

  • If storeLinkkey is false, this function returns ::SL_STATUS_FAIL always. If storeLinkKey is true, then this function returns the results of whether or not the link key was stored. ::SL_STATUS_OK is returned when key was stored successfully.


sl_zigbee_generate_cbke_keys_283k1_handler#

void sl_zigbee_generate_cbke_keys_283k1_handler (sl_status_t status, sl_zigbee_public_key_283k1_data_t * ephemeralPublicKey)
Parameters
TypeDirectionArgument NameDescription
sl_status_tN/Astatus
sl_zigbee_public_key_283k1_data_t *N/AephemeralPublicKey

sl_zigbee_calculate_smacs_283k1_handler#

void sl_zigbee_calculate_smacs_283k1_handler (sl_status_t status, sl_zigbee_smac_data_t * initiatorSmac, sl_zigbee_smac_data_t * responderSmac)
Parameters
TypeDirectionArgument NameDescription
sl_status_tN/Astatus
sl_zigbee_smac_data_t *N/AinitiatorSmac
sl_zigbee_smac_data_t *N/AresponderSmac

sl_zigbee_set_preinstalled_cbke_data_283k1#

sl_status_t sl_zigbee_set_preinstalled_cbke_data_283k1 (const sl_zigbee_public_key_283k1_data_t * caPublic, const sl_zigbee_certificate_283k1_data_t * myCert, const sl_zigbee_private_key_283k1_data_t * myKey)
Parameters
TypeDirectionArgument NameDescription
const sl_zigbee_public_key_283k1_data_t *N/AcaPublic
const sl_zigbee_certificate_283k1_data_t *N/AmyCert
const sl_zigbee_private_key_283k1_data_t *N/AmyKey

sl_zigbee_dsa_verify_283k1#

sl_status_t sl_zigbee_dsa_verify_283k1 (const sl_zigbee_message_digest_t * digest, const sl_zigbee_certificate_283k1_data_t * signerCertificate, const sl_zigbee_signature_283k1_data_t * receivedSig)
Parameters
TypeDirectionArgument NameDescription
const sl_zigbee_message_digest_t *N/Adigest
const sl_zigbee_certificate_283k1_data_t *N/AsignerCertificate
const sl_zigbee_signature_283k1_data_t *N/AreceivedSig