#ifndef EFUSE_ECDSA_H
#define EFUSE_ECDSA_H

#include <stdbool.h>
#include <stdint.h>

/**
 * Check whether an ECDSA P-256 key has already been provisioned in eFuse.
 */
bool efuse_ecdsa_key_provisioned(void);

/**
 * Write a 32-byte ECDSA P-256 private key into the eFuse key block.
 * The key must be in **little-endian** byte order (as required by the
 * ESP32-C5 ECDSA peripheral).
 *
 * This is a ONE-TIME, IRREVERSIBLE operation.  After burning, the key
 * block is read-protected so software can never read the private key
 * back — only the hardware ECDSA peripheral can use it.
 *
 * @param key  32 bytes of private-key material (little-endian).
 * @return true on success.
 */
bool efuse_ecdsa_provision_key(const uint8_t key[32]);

/**
 * Export the public key that corresponds to the eFuse private key.
 * Uses the hardware ECDSA peripheral to derive Q = d·G without ever
 * exposing the private key to software.
 *
 * @param pub_x  Output buffer for the X coordinate (32 bytes, big-endian).
 * @param pub_y  Output buffer for the Y coordinate (32 bytes, big-endian).
 * @return true on success.
 */
bool efuse_ecdsa_get_pubkey(uint8_t pub_x[32], uint8_t pub_y[32]);

/**
 * Sign a SHA-256 digest with the eFuse ECDSA key.
 *
 * @param digest  32-byte SHA-256 hash to sign.
 * @param r_out   Output: R component of the signature (32 bytes, big-endian).
 * @param s_out   Output: S component of the signature (32 bytes, big-endian).
 * @return true on success.
 */
bool efuse_ecdsa_sign(const uint8_t digest[32],
                      uint8_t r_out[32], uint8_t s_out[32]);

#endif /* EFUSE_ECDSA_H */