Skip to main content
S
SAMINA
Associate II
November 11, 2025
Question

Signing using CCB

  • November 11, 2025
  • 4 replies
  • 247 views

Hi

I am implementing the ECDSA-P256 signing for a payload.

I have checked the example code  https://github.com/STMicroelectronics/STM32CubeU3/tree/main/Projects/NUCLEO-U385RG-Q/Examples/CCB/CCB_Protected_ECDSA_Signature

The example code shows that the software has an access to the private-key. Would it be possible to generate a private key using RNG which software/processor can not see and which can be used by the CCB to compute a signature. The same key can be used to get public-key.  can I use this API   HAL_CCB_ECDSA_GenerateWrapPrivateKey(). Would this key be persistence across reboot or do I need to store the wrapped key?

 

4 replies

Jocelyn RICARD
Jocelyn RICARD
ST Employee
November 12, 2025

Hello @SAMINA ,

I guess you are looking for this example:

STM32CubeU3/Projects/NUCLEO-U385RG-Q/Applications/MbedTLS_HW_KWE/ECC_ECDSA_GenerateWrappedKey_KWE at main · STMicroelectronics/STM32CubeU3 · GitHub

It is using  HAL_CCB_ECDSA_GenerateWrapPrivateKey(). (behind mbedTLS PSA API)

This give you an example how this is connected to flash storage through storage_interface.c implementing psa storage api.

This is very simple example, you will need to adapt it to your needs

Best regards

Jocelyn

 

    S
    SAMINAAuthor
    Associate II
    November 14, 2025

    @Jocelyn RICARD 
    Thanks for the input. I am evaluating the use of Zephyr OS for the selected STM32U385 processor. 

    I have the similar requirements to
    1. Get a public key from the wrapped private key. 

    2. Sign the payload with the private key. 

    I would like to use hardware crypto from STM323U3 to do so.

    I have created a sample that uses mbedTLS software driver for performing ECDSA signature. I would like to use STM32's hardware crypto backend to perform the signing. How can I do that? Please find the attached example. 
    I am using Zephyr version v4.3.0-rc1-160-g0f5e03f1fcba.
    zephyrproject/modules/hal/stm32 points to the commit 55e159704b02ec4e7b4f0a88735044bee92c25c2 from https://github.com/zephyrproject-rtos/hal_stm32

    One can compile the code using following command 

    # assumed that ENV is sourced. if not source <PATH_TO_ZEPHYR_PROJECT_DIR>/venv/bin/activate
cd <PATH_TO_ZEPHYR_PROJECT_DIR>/zephyr
#compile 
west build --pristine --board nucleo_u385rg_q --build-dir ./build_st <PATH_TO_THE_SAMPLE_CODE>
#to flash 
west flash --build-dir ./build_st/

     

    S
    SAMINAAuthor
    Associate II
    November 18, 2025

    @Jocelyn RICARD any inputs on above question?

    Jocelyn RICARD
    Jocelyn RICARD
    ST Employee
    November 24, 2025

    Hello @SAMINA ,

    Sorry, I can't help you on Zephyr part. I'm not used to it and have not enough time to learn this.

    You may log a ticket.

    Best regards

    Jocelyn

    Terms & ConditionsAccessibility statement