Visible to Intel only — GUID: GUID-6915541C-C873-4C10-A27E-DBCA5D67729C
Visible to Intel only — GUID: GUID-6915541C-C873-4C10-A27E-DBCA5D67729C
SSL Sample
This sample demonstrates an SSL communication between a Trusted Application (TA) and a remote SSL server. Intel® Dynamic Application Loader (Intel® DAL) has provided the SSL APIs for the client side - as implemented in the Trusted Application.
The sample was written for API level 4, but can be upgraded or downgraded as needed.
Note: • This sample has no executable file, but only TA and host application code. • The host code provided is a library to be used from C#/C++ code as a dynamic library. The library consists of an interface and the SslLibrary classes that implement the SSL functionality.
Sample Components
- Host Application: the proxy that passes messages between the server and the Trusted Application. The host application code in the sample is a C++ library that can be used from any other code, i.e., C#, C++.
- Server: any SSL server that implements the handshake.
Sample Flow
Following is the basic flow of SSL communication.
First Step - Establishing a Session
- Create a new certificate store in the TA. This store can be reused by multiple sessions.
- Add trusted root CA certificates to the store using the CertificateStore.addCertificate API.
- Create a Calendar instance and initialize the time to establish the session's notion of time.
- Create an SSL session with the session parameters in the TA.
- Perform the handshake: sequentially transferring the handshake messages between the session and the remote SSL server.
- Check whether the session is established (whether the handshake completed successfully).
- Once the session is established, the caller can continue to use encrypt and decrypt methods inside the SSL session.
Second Step - Verifying CRLs (if required)
Note: This step is not implemented in the sample.
- Retrieve the certificate chain that was received from the SSL server during the handshake phase, ordered from leaf to root.
- For each certificate in the chain, retrieve the CRL distribution points from the certificate and pass them to the host software.
- After the host software obtains the CRLs, for each CRL distribution point:
- Create a CRL using the same index of the certificate with the CRL distribution point.
- Add the CRL to the created CRL, chunk by chunk.
- Verify that the CRL is in the correct format and signed.
- Verify that the CRL in hand is up to date.
- Obtain the certificate's serial number.
- Search for the serial number to make sure that the certificate has not been revoked.
- Release system resources.
Third Step - Closing the Session
If SSL services are no longer needed, the user should invoke destruction of the created certificate store and SslSession to release the system resources.
Did you find the information on this page useful?
Feedback Message
Characters remaining: