Topic: ECDSA using STM32WB55's PKA

Hi there,

I'm trying to use the STM32WB55's PKA to generate and verify signatures in wolfCrypt 4.7. Whenever I call wc_ecc_verify_hash(), res is set to 0, as returned by HAL_PKA_ECDSAVerif_IsValidSignature() in stm32.c. If I turn PKA support off, res is set to 1.

In my example below, I'm hashing the input, generating a signature, and verifying it. wolfCrypt is configured to use static memory with a buffer size of 16KB. I have also attached the configuration file generated by STM32CubeIDE.

Due to timing and energy constraints, I need to use the PKA. Is there something that I'm missing to get the PKA to work?

Example:
    ecc_key key;
    uint32_t keysize = wc_ecc_get_curve_size_from_id(ECC_SECP256R1);
    WC_RNG rng;

    byte test[] = "sunny days!", sig[72];
    memset(sig, 0, sizeof(sig));
    uint32_t sigLen = sizeof(sig);

    uint8_t hash[WC_SHA256_DIGEST_SIZE];
    memset(hash, 0, sizeof(hash));
    uint32_t hash_len = WC_SHA256_DIGEST_SIZE;

    int32_t isVerified = 0;

    HAL_PKA_Init(&hpka);

    wc_ret =  wc_InitRng_ex(&rng, _wcHeapHint, INVALID_DEVID);
    wc_ret |= wc_ecc_init_ex(&key, _wcHeapHint, INVALID_DEVID);
    wc_ret |= wc_ecc_make_key_ex(&rng, keysize, &key, ECC_SECP256R1);


    // Produce a hash of the input data
    wc_ret = wc_Hash(WC_HASH_TYPE_SHA256, test, sizeof(test), hash, hash_len);
    wc_ret |= wc_ecc_sign_hash(hash, hash_len, sig, (word32*)&sigLen, &rng, &key);
    wc_ret |= wc_ecc_verify_hash(sig, sigLen, hash, hash_len, (int*)&isVerified, &key);

Post's attachments

wolfSSL.I-CUBE-wolfSSL_conf.h 17.2 kb, 3 downloads since 2021-05-24 

You don't have the permssions to download the attachments of this post.

Share

Re: ECDSA using STM32WB55's PKA

Hi Keeperp,

Thanks for your question and interest in using the STM32WB55 PKA. I have the same STM32 hardware here to try this on.

At first glance this example should work. However you are using the private key to verify, so that could be why the hardware is confused.

If you exported the public key and imported it into a new ecc_key struct it might work better. Something like `wc_ecc_export_x963` and `wc_ecc_import_x963` would do the job.

Thanks,
David Garske, wolfSSL

Share

Re: ECDSA using STM32WB55's PKA

Hi Keeperp,

At first I ran this test on my STM32WB55 and it worked, but realized you were using math = 1 (fast math) and I was using SP math.

#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/wolfcrypt/ecc.h>
#include <wolfssl/wolfcrypt/random.h>
#include <wolfssl/wolfcrypt/sha256.h>
#include <wolfssl/wolfcrypt/hash.h>
void custom_test(void)
{
    void* _wcHeapHint = NULL;
    int wc_ret;
    ecc_key key;
    uint32_t keysize = wc_ecc_get_curve_size_from_id(ECC_SECP256R1);
    WC_RNG rng;
    byte test[] = "sunny days!", sig[72];
    memset(sig, 0, sizeof(sig));
    uint32_t sigLen = sizeof(sig);
    uint8_t hash[WC_SHA256_DIGEST_SIZE];
    memset(hash, 0, sizeof(hash));
    uint32_t hash_len = WC_SHA256_DIGEST_SIZE;
    int32_t isVerified = 0;
    //HAL_PKA_Init(&hpka);
    wc_ret =  wc_InitRng_ex(&rng, _wcHeapHint, INVALID_DEVID);
    wc_ret |= wc_ecc_init_ex(&key, _wcHeapHint, INVALID_DEVID);
    wc_ret |= wc_ecc_make_key_ex(&rng, keysize, &key, ECC_SECP256R1);
    printf("Make Key %d\n", wc_ret);

    // Produce a hash of the input data
    wc_ret = wc_Hash(WC_HASH_TYPE_SHA256, test, sizeof(test), hash, hash_len);
    printf("HASH %d\n", wc_ret);
    wc_ret = wc_ecc_sign_hash(hash, hash_len, sig, (word32*)&sigLen, &rng, &key);
    printf("SIGN %d\n", wc_ret);
    wc_ret = wc_ecc_verify_hash(sig, sigLen, hash, hash_len, (int*)&isVerified, &key);
    printf("VERIFY %d, %d\n", wc_ret, isVerified);
}

Results:

Make Key 0
HASH 0
SIGN 0
VERIFY 0, 1

I am debugging the fast math case and should have a fix shortly.

Thanks,
David Garske, wolfSSL

Share

Re: ECDSA using STM32WB55's PKA

Hi Keeperp,

I located the issue. Fixes have been pushed here:
https://github.com/wolfSSL/wolfssl/pull/4066

The ecc_map_ex should not be used with PKA, since it is handled in hardware. The tests are all passing now.

Thanks,
David Garske, wolfSSL

Share