2025-11-11 8:29 AM - edited 2025-11-11 8:36 AM
Hi
I am implementing ECDSA-P256 signing for a payload.
I have checked the example code https://github.com/STMicroelectronics/STM32CubeU3/tree/main/Projects/NUCLEO-U385RG-Q/Examples/CCB/CCB_Protected_ECDSA_Signature
The example code shows that the software has access to the private key. Would it be possible to generate a private key using the RNG which the software/processor cannot see and which can be used by the CCB to compute a signature? The same key can be used to get the public key. Can I use this API, HAL_CCB_ECDSA_GenerateWrapPrivateKey()? Would this key be persistent across reboots, or do I need to store the wrapped key?
2025-11-12 10:06 AM
Hello @SAMINA ,
I guess you are looking for this example:
It is using HAL_CCB_ECDSA_GenerateWrapPrivateKey() (behind the mbedTLS PSA API).
This gives you an example of how this is connected to flash storage through storage_interface.c, implementing the PSA storage API.
This is a very simple example; you will need to adapt it to your needs.
Best regards
Jocelyn
2025-11-14 4:38 AM - edited 2025-11-14 7:00 AM
@Jocelyn RICARD
Thanks for the input. I am evaluating the use of Zephyr OS for the selected STM32U385 processor.
I have similar requirements to
1. Get a public key from the wrapped private key.
2. Sign the payload with the private key.
I would like to use the hardware crypto from the STM32U3 to do so.
I have created a sample that uses the mbedTLS software driver for performing the ECDSA signature. I would like to use STM32's hardware crypto backend to perform the signing. How can I do that? Please find the attached example.
I am using Zephyr version v4.3.0-rc1-160-g0f5e03f1fcba.
zephyrproject/modules/hal/stm32 points to the commit 55e159704b02ec4e7b4f0a88735044bee92c25c2 from https://github.com/zephyrproject-rtos/hal_stm32
One can compile the code using the following commands:
# assumes that the ENV is sourced; if not: source <PATH_TO_ZEPHYR_PROJECT_DIR>/venv/bin/activate
cd <PATH_TO_ZEPHYR_PROJECT_DIR>/zephyr
# compile
west build --pristine --board nucleo_u385rg_q --build-dir ./build_st <PATH_TO_THE_SAMPLE_CODE>
# flash
west flash --build-dir ./build_st/
2025-11-17 11:04 PM
@Jocelyn RICARD any input on the above question?
2025-11-24 9:22 AM
Hello @SAMINA ,
Sorry, I can't help you on the Zephyr part. I'm not used to it and do not have enough time to learn this.
You may log a ticket.
Best regards
Jocelyn