49 lines
1.6 KiB
C
49 lines
1.6 KiB
C
#ifndef EFUSE_ECDSA_H
|
|
#define EFUSE_ECDSA_H
|
|
|
|
#include <stdbool.h>
|
|
#include <stdint.h>
|
|
|
|
/**
|
|
* Check whether an ECDSA P-256 key has already been provisioned in eFuse.
|
|
*/
|
|
bool efuse_ecdsa_key_provisioned(void);
|
|
|
|
/**
|
|
* Write a 32-byte ECDSA P-256 private key into the eFuse key block.
|
|
* The key must be in **little-endian** byte order (as required by the
|
|
* ESP32-C5 ECDSA peripheral).
|
|
*
|
|
* This is a ONE-TIME, IRREVERSIBLE operation. After burning, the key
|
|
* block is read-protected so software can never read the private key
|
|
* back — only the hardware ECDSA peripheral can use it.
|
|
*
|
|
* @param key 32 bytes of private-key material (little-endian).
|
|
* @return true on success.
|
|
*/
|
|
bool efuse_ecdsa_provision_key(const uint8_t key[32]);
|
|
|
|
/**
|
|
* Export the public key that corresponds to the eFuse private key.
|
|
* Uses the hardware ECDSA peripheral to derive Q = d·G without ever
|
|
* exposing the private key to software.
|
|
*
|
|
* @param pub_x Output buffer for the X coordinate (32 bytes, big-endian).
|
|
* @param pub_y Output buffer for the Y coordinate (32 bytes, big-endian).
|
|
* @return true on success.
|
|
*/
|
|
bool efuse_ecdsa_get_pubkey(uint8_t pub_x[32], uint8_t pub_y[32]);
|
|
|
|
/**
|
|
* Sign a SHA-256 digest with the eFuse ECDSA key.
|
|
*
|
|
* @param digest 32-byte SHA-256 hash to sign.
|
|
* @param r_out Output: R component of the signature (32 bytes, big-endian).
|
|
* @param s_out Output: S component of the signature (32 bytes, big-endian).
|
|
* @return true on success.
|
|
*/
|
|
bool efuse_ecdsa_sign(const uint8_t digest[32],
|
|
uint8_t r_out[32], uint8_t s_out[32]);
|
|
|
|
#endif /* EFUSE_ECDSA_H */
|