Key Pair Generation

This section describes the generation and persistent storage of an RSA-2048 key pair in the Trusted Execution Environment (TEE).

Overview

  • Key Type: RSA-2048

  • Storage: Persistent in TEE private storage

  • Security: Private key remains inside the TEE

  • Lifecycle:

    • Generated once on first launch

    • Reused for all future operations

Process

  1. Check for Existing Key Pair:

    • Uses TEE_OpenPersistentObject() to check for an already generated key pair.

    • If the object exists, returns early with TEE_SUCCESS.

  2. Generate New Key Pair:

    • Allocates a transient RSA keypair object (TEE_AllocateTransientObject).

    • Generates a key pair using TEE_GenerateKey().

  3. Persist the Private Key:

    • Stores the generated key using TEE_CreatePersistentObject().

    • Ensures the key is retained securely across sessions.

  4. Cleanup:

    • Frees temporary objects and handles.

Code Reference

    #include <string.h>
    #include <tee_internal_api.h>

    /* RSA_KEYPAIR_STORAGE_NAME and RSA_KEY_SIZE_BITS are defined elsewhere in the TA sources. */

    TEE_Result generate_rsa_key_pair(TEE_ObjectHandle *key_pair_handle)
    {
        TEE_Result res;
        uint32_t flags = TEE_DATA_FLAG_ACCESS_READ;
        TEE_ObjectHandle transient_key = TEE_HANDLE_NULL;

        /* Try to open existing key pair */
        res = TEE_OpenPersistentObject(
            TEE_STORAGE_PRIVATE,              /* storageID */
            RSA_KEYPAIR_STORAGE_NAME,         /* objectID */
            strlen(RSA_KEYPAIR_STORAGE_NAME), /* objectIDLen */
            flags,                            /* flags */
            key_pair_handle                   /* object */
        );
        if (res == TEE_SUCCESS)
        {
            DMSG("RSA key pair already exists in persistent storage");
            return TEE_SUCCESS;
        }
        if (res != TEE_ERROR_ITEM_NOT_FOUND)
        {
            EMSG("Failed to open RSA key pair: 0x%08x", res);
            return res;
        }

        DMSG("Generating new RSA key pair");

        /* Allocate RSA keypair transient object */
        res = TEE_AllocateTransientObject(TEE_TYPE_RSA_KEYPAIR, RSA_KEY_SIZE_BITS, &transient_key);
        if (res != TEE_SUCCESS)
        {
            EMSG("Failed to allocate RSA key pair object: 0x%08x", res);
            return res;
        }

        /* Generate key pair with default exponent */
        res = TEE_GenerateKey(transient_key, RSA_KEY_SIZE_BITS, NULL, 0);
        if (res != TEE_SUCCESS)
        {
            EMSG("Failed to generate RSA key pair: 0x%08x", res);
            TEE_FreeTransientObject(transient_key);
            return res;
        }

        /* Persist the key pair */
        res = TEE_CreatePersistentObject(
            TEE_STORAGE_PRIVATE,              /* storageID */
            RSA_KEYPAIR_STORAGE_NAME,         /* objectID */
            strlen(RSA_KEYPAIR_STORAGE_NAME), /* objectIDLen */
            flags,                            /* flags */
            transient_key,                    /* attributes */
            NULL, 0,                          /* initialData, initialDataLen */
            key_pair_handle                   /* object */
        );
        if (res != TEE_SUCCESS)
        {
            EMSG("Failed to persist RSA key pair: 0x%08x", res);
            TEE_FreeTransientObject(transient_key);
            return res;
        }

        /* The persistent object now holds the key; release the transient copy
         * so the private key material does not stay allocated in TA memory. */
        TEE_FreeTransientObject(transient_key);

        DMSG("RSA key pair and public key successfully generated and stored");
        return TEE_SUCCESS;
    }

Possible Results

  • TEE_ERROR_ITEM_NOT_FOUND: Expected on first launch; returned by TEE_OpenPersistentObject(), handled inside the function, and triggers key generation

  • TEE_ERROR_OUT_OF_MEMORY: If memory allocation fails

  • TEE_ERROR_ACCESS_CONFLICT: If another handle is using the object

  • TEE_ERROR_BAD_PARAMETERS: Incorrect object attributes

  • TEE_SUCCESS: Key pair successfully generated and stored
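Each failure result above leaves the function at a different step, and the cleanup step has to hold on all of them. The following added example (not the project's code) is a host-side model of the same open, allocate, generate, persist order with fault injection, so a test can force a failure at every step and check that no transient key object stays allocated. The names `struct model`, `run_step` and `provision_key` are hypothetical stand-ins, not TEE API calls, and the open step is simplified to a `persisted` flag.

```c
#include <stdint.h>

/* Host-side model (assumption): step results stand in for the TEE calls so
 * the control flow can be compiled and tested outside a TEE. */
typedef uint32_t result_t;
#define R_SUCCESS       0x00000000u
#define R_OUT_OF_MEMORY 0xFFFF000Cu /* numeric value of TEE_ERROR_OUT_OF_MEMORY */

enum step { STEP_OPEN, STEP_ALLOC, STEP_GENERATE, STEP_PERSIST, STEP_COUNT };

struct model {
    int fail_at;        /* step forced to fail, or -1 for none */
    int live_transient; /* transient objects allocated and not yet freed */
    int persisted;      /* 1 once a key pair exists in storage */
};

/* Result of one modelled step: the injected error or success. */
static result_t run_step(const struct model *m, enum step s)
{
    return (m->fail_at == (int)s) ? R_OUT_OF_MEMORY : R_SUCCESS;
}

/* Same order as the Process list; after allocation every path exits via out. */
result_t provision_key(struct model *m)
{
    result_t res = run_step(m, STEP_OPEN);

    if (res != R_SUCCESS)
        return res;          /* storage error: nothing allocated yet */
    if (m->persisted)
        return R_SUCCESS;    /* existing key pair is reused */

    res = run_step(m, STEP_ALLOC);
    if (res != R_SUCCESS)
        return res;          /* allocation failed: nothing to free */
    m->live_transient++;

    res = run_step(m, STEP_GENERATE);
    if (res != R_SUCCESS)
        goto out;

    res = run_step(m, STEP_PERSIST);
    if (res == R_SUCCESS)
        m->persisted = 1;
out:
    m->live_transient--;     /* transient copy freed on success and failure */
    return res;
}
```

Running the same injection loop against a build of the real function, with the TEE calls wrapped, catches a handle that is freed on the error paths but not on the success path.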