@spec build_csr(binary(), binary()) :: binary()

Build a minimal PKCS#10 Certificate Signing Request (CSR) in DER format.

Used during commissioning when chip-tool sends CSRRequest. The CSR contains the EC public key and is signed with the private key.

@spec der_signature_to_raw(binary()) :: binary()

Convert a DER-encoded ECDSA signature to raw P1363 format (r || s).

For P-256, the output is always exactly 64 bytes.

@spec ecdh(binary(), binary()) :: binary()

Compute ECDH shared secret (P-256 x-coordinate, 32 bytes).

@spec generate_keypair() :: {binary(), binary()}

Generate a new P-256 keypair.

Returns {public_key, private_key} where:

• public_key is a 65-byte SEC1 uncompressed point (0x04 || x || y)
• private_key is a 32-byte scalar

@spec pubkey_from_csr(binary()) :: binary()

Extract the EC public key from a PKCS#10 CSR DER.

Returns the 65-byte uncompressed SEC1 point (0x04 || x || y).

@spec raw_signature_to_der(binary()) :: binary()

Convert a raw P1363 signature (r || s, 64 bytes) to DER format.

@spec self_signed_der(binary(), binary(), String.t()) :: binary()

Build a minimal self-signed X.509 DER certificate.

Used during commissioning when chip-tool requests PAI/DAC certificates. With --bypass-attestation-verifier, chip-tool won't validate the content.

@spec sign(binary(), binary()) :: binary()

Sign a message with ECDSA-SHA256 over P-256.

Returns the DER-encoded signature.

@spec sign_raw(binary(), binary()) :: binary()

Sign a message with ECDSA-SHA256 over P-256.

Returns the raw P1363 format signature (r || s, 64 bytes). Matter uses this format for attestation and NOCSR signatures.

@spec verify(binary(), binary(), binary()) :: boolean()

Verify an ECDSA-SHA256 signature over P-256 (DER-encoded signature).

@spec verify_raw(binary(), binary(), binary()) :: boolean()

Verify an ECDSA-SHA256 signature in raw P1363 format (r || s, 64 bytes).

Matter CASE uses raw format. Converts to DER for Erlang's crypto module.