Without atecc608b

main/efuse_ecdsa.h

@@ -0,0 +1,48 @@
+#ifndef EFUSE_ECDSA_H
+#define EFUSE_ECDSA_H
+
+#include <stdbool.h>
+#include <stdint.h>
+
+/**
+ * Check whether an ECDSA P-256 key has already been provisioned in eFuse.
+ */
+bool efuse_ecdsa_key_provisioned(void);
+
+/**
+ * Write a 32-byte ECDSA P-256 private key into the eFuse key block.
+ * The key must be in **little-endian** byte order (as required by the
+ * ESP32-C5 ECDSA peripheral).
+ *
+ * This is a ONE-TIME, IRREVERSIBLE operation.  After burning, the key
+ * block is read-protected so software can never read the private key
+ * back — only the hardware ECDSA peripheral can use it.
+ *
+ * @param key  32 bytes of private-key material (little-endian).
+ * @return true on success.
+ */
+bool efuse_ecdsa_provision_key(const uint8_t key[32]);
+
+/**
+ * Export the public key that corresponds to the eFuse private key.
+ * Uses the hardware ECDSA peripheral to derive Q = d·G without ever
+ * exposing the private key to software.
+ *
+ * @param pub_x  Output buffer for the X coordinate (32 bytes, big-endian).
+ * @param pub_y  Output buffer for the Y coordinate (32 bytes, big-endian).
+ * @return true on success.
+ */
+bool efuse_ecdsa_get_pubkey(uint8_t pub_x[32], uint8_t pub_y[32]);
+
+/**
+ * Sign a SHA-256 digest with the eFuse ECDSA key.
+ *
+ * @param digest  32-byte SHA-256 hash to sign.
+ * @param r_out   Output: R component of the signature (32 bytes, big-endian).
+ * @param s_out   Output: S component of the signature (32 bytes, big-endian).
+ * @return true on success.
+ */
+bool efuse_ecdsa_sign(const uint8_t digest[32],
+                      uint8_t r_out[32], uint8_t s_out[32]);
+
+#endif /* EFUSE_ECDSA_H */