wolfCrypt Now Supported in ST’s STSAFE SDK (STSELib)

The STMicroelectronics STSELib now includes built-in wolfCrypt support for the STSAFE-A120 secure element.


What is the STSAFE-A120?

The STSAFE-A120 is ST’s latest secure element running on a CC EAL5+ certified platform. Key features include:

  • Authentication with X.509 certificates (Qi 2.0, Matter compatible)
  • TLS 1.2/1.3 handshake support
  • ECC curves: NIST P-256/P-384/P-521, Brainpool, Ed25519, Curve25519
  • Symmetric cryptography: AES-128/256 (ECB, CCM, GCM, CMAC) and HKDF key derivation
  • 16KB secure NVM for data storage
  • Hardware TRNG
  • I2C interface

The Integration

A merged PR (STSELib#54) adds wolfCrypt as a cryptographic platform option in STSELib. This allows the SDK’s internal crypto operations to use wolfCrypt instead of requiring a separate crypto library.

wolfSSL Support

Corresponding changes in wolfSSL (wolfssl#9614) add STSAFE-A120 support via WOLFSSL_STSAFEA120. Features include:

  • Hardware RNG seeding – the element’s TRNG seeds wolfSSL’s DRBG (USE_STSAFE_RNG_SEED)
  • ECC key generation – P-256/P-384 keys generated inside the secure element
  • ECDSA sign/verify – performed by the secure element, so the private key never leaves it
  • ECDH key exchange – shared secret computed by the secure element
  • Crypto callbacks – Full WOLF_CRYPTO_CB integration
  • Device certificate access – Read X.509 certs from secure storage

Configuration

#define WOLFSSL_STSAFEA120
#define USE_STSAFE_RNG_SEED    /* Optional: TRNG seeding */
#define WOLF_CRYPTO_CB         /* Optional: crypto callbacks */

Performance (Raspberry Pi 5)

Operation          Time
-----------------  --------
P-256 KeyGen       ~40 ms
P-256 Sign         ~51 ms
P-256 Verify       ~79 ms
RNG (256 bytes)    <1 ms

Getting Started

    1. Clone STSELib with wolfCrypt platform support
    2. Configure stse_conf.h for your target curves
    3. Build wolfSSL with WOLFSSL_STSAFEA120
    4. Implement the I2C platform abstraction layer

Example code and tests: wolfssl-examples#553

Why This Matters

Previously, integrating STSAFE with wolfSSL required custom glue code and separate crypto library dependencies. The SDK-level integration simplifies deployment for:

  • Secure boot implementations
  • TLS client authentication with hardware-protected keys
  • IoT device provisioning
  • Accessory/consumable authentication

The wolfCrypt FIPS 140-3 module (Certificate #4718) combined with STSAFE-A120’s CC EAL5+ certification provides a strong security foundation for embedded systems requiring compliance.

Resources

If you have questions about any of the above, please contact us at facts@wolfssl.com or call us at +1 425 245 8247.

Download wolfSSL Now