Hello,
I've been trying for the past few days to use the keyAgreement method from SecuritySetup to agree on keys on multiple meters from different vendors.
So far all my attempts resulted in error: Other reason.
I also tried multiple small changes to the library itself. I think I found out that keyAgreement in the security setup currently ignores the Security Suite and uses only P256. The keyAgreement method should work with both P256 and P384 automatically, so it probably needs to be adjusted, and also the GXSecure.getEphemeralPublicKey methods, to create the signature correctly.
I understand all keyagreement related code, except the signature byte buffer creation in GXSecure.getEphemeralPublicKeySignature()
This is what I do when trying to invoke the method:
I have open working connection even authenticated using HLS-ECDSA, so signing certificates are correct.
//Generate Ephemeral Keys, I tried both P256 and P384:
ciphering.setEphemeralKeyPair(GXEcdsa.generateKeyPair(Ecc.P384));
//Setup again the signing keys, to be sure:
ciphering.setSigningKeyPair(new KeyPair(
getServerSigning().getPublicKey(),
getClientSigning().getPrivate()));
//create the message:
message = securitySetup.keyAgreement(getClient(), keyType);
//send the message:
GXReplyData reply = new GXReplyData();
reader.readDataBlock(message, reply);
Currently it ends up with other reason. I would also like to know: when everything is correct, do I need to do something with the keyAgreement when the response is received? Or will it be handled automatically in the reader and the "readDLMSPacket" method, which calls dlms.getData()?
Thank you for the response.
Hi,
You must use the ECDSA key that meter defines. If security suite is 1 then use P256. If Security Suite is 2, you need to use P384.
Java KeyAgreement method only sends the generated key. It doesn't use the security suite, but you are correct about getEphemeralPublicKeySignature(). It supports only SHA256. I'll add P384 support to the work list.
BR,
Mikko
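The suite-to-curve rule from the reply above, as an added example that is not part of the thread or of the Gurux library: it uses only the standard Java security API (Java 9 or later for the raw r||s signature format) to show how the curve, hash and signature length change between Security Suite 1 and 2. The key id value 0, the signed-data layout (key id byte followed by X and Y) and the generated signing key are assumptions made for illustration.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;

public class SuiteKeyAgreementDemo {
    // Security suite 1 -> P-256 + SHA-256, suite 2 -> P-384 + SHA-384.
    static String curve(int suite) { return suite == 2 ? "secp384r1" : "secp256r1"; }
    static String sigAlg(int suite) { // raw r||s output, needs Java 9+
        return (suite == 2 ? "SHA384" : "SHA256") + "withECDSAinP1363Format";
    }
    static int coordLen(int suite) { return suite == 2 ? 48 : 32; }

    static KeyPair generate(int suite) throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(new ECGenParameterSpec(curve(suite)));
        return g.generateKeyPair();
    }
    // Left-pad, or drop the BigInteger sign byte, so a coordinate is exactly len bytes.
    static byte[] fixed(BigInteger v, int len) {
        byte[] raw = v.toByteArray(), out = new byte[len];
        int n = Math.min(raw.length, len);
        System.arraycopy(raw, raw.length - n, out, len - n, n);
        return out;
    }
    // Assumed layout of the signed data: key id byte || X || Y.
    static byte[] signedData(int keyId, ECPublicKey pub, int suite) {
        int len = coordLen(suite);
        byte[] data = new byte[1 + 2 * len];
        data[0] = (byte) keyId;
        System.arraycopy(fixed(pub.getW().getAffineX(), len), 0, data, 1, len);
        System.arraycopy(fixed(pub.getW().getAffineY(), len), 0, data, 1 + len, len);
        return data;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        for (int suite = 1; suite <= 2; suite++) {
            KeyPair signing = generate(suite);   // constructed stand-in for the client signing key
            KeyPair ephemeral = generate(suite); // fresh key pair for each key agreement
            byte[] data = signedData(0, (ECPublicKey) ephemeral.getPublic(), suite);
            Signature s = Signature.getInstance(sigAlg(suite));
            s.initSign(signing.getPrivate());
            s.update(data);
            byte[] sig = s.sign();
            s.initVerify(signing.getPublic());
            s.update(data);
            System.out.printf("suite %d: data=%d bytes, signature=%d bytes, verifies=%b%n",
                    suite, data.length, sig.length, s.verify(sig));
        }
    }
}
```

A peer that expects the suite 2 sizes (97 bytes of signed data, 96-byte signature) cannot accept a message built with the suite 1 sizes (65 and 64 bytes), so the curve and hash have to follow the suite on both the ephemeral key and the signature.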
Hi,
I used the signing keys, that I used to connect to the meter using HLS-7-ECDSA. So keys should be correct. I think, currently the issue is that meter expects the P384 signature and that is why it is not working.
Hopefully it will start working, once P384 support is made.
Thanks.
Hi,
getEphemeralPublicKeySignature was improved in version 4.0.91 and it now supports P384.
Update to the latest version.
BR,
Mikko
Hi Mikko,
thanks for the quick implementation. Sadly it was not enough to get it fully working.
You were missing a lot more steps to fully support the P256/384 changes.
I did a lot of implementation and I pushed a pull request to the repository. I hope it will help and you will be able to merge most (hopefully all) of the new changes.
I verified the implementation only on the client side with a real meter. That is working.
Here is the PR: https://github.com/Gurux/gurux.dlms.java/pull/46
Thanks,
David