This adds support for generating ECDSA keys in a trusted execution
environment (TEE) that can be used for signing and verification. Such
keys are generated in the TEE and never leave it.

Because the keys are generated in the TEE, the keys themselves cannot be
exported. Instead, a handle to the key is exported. The handle can be
used to import the key and use it for signing and verification, but not
to extract the key itself.

A new options parameter is added to crypto.subtle.generateKey(). It
has two optional properties: inTee and usageRequiresAuth. inTee is
a boolean that indicates whether the key should be generated in a TEE.
usageRequiresAuth is also a boolean that indicates whether the key can
only be used when the user has authenticated.

An example of how to generate and use a key in a TEE is added to the
crypto-sign snippet. The snippet now contains two examples: one for
generating and using keys in the normal way, and one for generating and
using keys in a TEE. The crypto-sign snippets now also demonstrate
exporting and importing keys.