Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support generating ECDSA keys in a trusted execution environment #2281

Merged
merged 1 commit into from
Dec 6, 2023

Conversation

cpetrov
Copy link
Member

@cpetrov cpetrov commented Nov 28, 2023

This adds support for generating ECDSA keys in a trusted execution
environment (TEE) that can be used for signing and verification. Such
keys are generated in the TEE and never leave it.

Because the keys are generated in the TEE, the keys themselves cannot be
exported. Instead, a handle to the key is exported. The handle can be
used to import the key and use it for signing and verification, but not
to extract the key itself.

A new options parameter is added to crypto.subtle.generateKey(). It
has two optional properties: inTee and usageRequiresAuth. inTee is
a boolean that indicates whether the key should be generated in a TEE.
usageRequiresAuth is also a boolean that indicates whether the key can
only be used when the user has authenticated.

An example of how to generate and use a key in a TEE is added to the
crypto-sign snippet. The snippet now contains two examples: one for
generating and using keys in the normal way, and one for generating and
using keys in a TEE. The crypto-sign snippets now also demonstrate
exporting and importing keys.

@cpetrov cpetrov force-pushed the mr-secure-signing-keys branch 2 times, most recently from 9550f81 to d9a59b8 Compare November 28, 2023 17:00
snippets/crypto-sign.ts Outdated Show resolved Hide resolved
@cpetrov cpetrov force-pushed the pr-subtle-sign branch 2 times, most recently from e04f112 to 18aa66b Compare December 6, 2023 16:41
Base automatically changed from pr-subtle-sign to master December 6, 2023 16:41
@cpetrov cpetrov force-pushed the mr-secure-signing-keys branch 2 times, most recently from 6db1570 to e0142aa Compare December 6, 2023 16:46
This adds support for generating ECDSA keys in a trusted execution
environment (TEE) that can be used for signing and verification. Such
keys are generated in the TEE and never leave it.

Because the keys are generated in the TEE, the keys themselves cannot be
exported. Instead, a handle to the key is exported. The handle can be
used to import the key and use it for signing and verification, but not
to extract the key itself.

A new `options` parameter is added to `crypto.subtle.generateKey()`. It
has two optional properties: `inTee` and `usageRequiresAuth`. `inTee` is
a boolean that indicates whether the key should be generated in a TEE.
`usageRequiresAuth` is also a boolean that indicates whether the key can
only be used when the user has authenticated.

An example of how to generate and use a key in a TEE is added to the
`crypto-sign` snippet. The snippet now contains two examples: one for
generating and using keys in the normal way, and one for generating and
using keys in a TEE. The `crypto-sign` snippets now also demonstrate
exporting and importing keys.
@cpetrov cpetrov force-pushed the mr-secure-signing-keys branch from e0142aa to d43e7d3 Compare December 6, 2023 16:54
@cpetrov cpetrov merged commit 4d97efe into master Dec 6, 2023
1 check passed
@cpetrov cpetrov deleted the mr-secure-signing-keys branch December 6, 2023 16:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants