SSL Sample
This sample demonstrates SSL communication between a Trusted Application (TA) and a remote SSL server. Intel® Dynamic Application Loader (Intel® DAL) provides the client-side SSL APIs, and the Trusted Application implements the client side with them.
The sample was written for API level 4, but can be upgraded or downgraded as needed.
Note:
- This sample has no executable file; it contains only the TA and host application code.
- The host code is provided as a library that can be used from C#/C++ code as a dynamic library. The library consists of an interface and the SslLibrary classes that implement the SSL functionality.
Sample Components
- Host Application: the proxy that passes messages between the server and the Trusted Application. The host application code in the sample is a C++ library that can be used from other code, e.g., C# or C++.
- Server: any SSL server that implements the handshake.
Sample Flow
Following is the basic flow of SSL communication.
First Step - Establishing a Session
- Create a new certificate store in the TA. This store can be reused by multiple sessions.
- Add trusted root CA certificates to the store using the CertificateStore.addCertificate API.
- Create a Calendar instance and initialize the time to establish the session's notion of time.
- Create an SSL session with the session parameters in the TA.
- Perform the handshake by sequentially transferring the handshake messages between the session and the remote SSL server.
- Check whether the session is established (whether the handshake completed successfully).
- Once the session is established, the caller can continue to use the encrypt and decrypt methods of the SSL session.
Second Step - Verifying CRLs (if required)
Note: This step is not implemented in the sample.
- Retrieve the certificate chain that was received from the SSL server during the handshake phase, ordered from leaf to root.
- For each certificate in the chain, retrieve the CRL distribution points from the certificate and pass them to the host software.
- After the host software obtains the CRLs, for each CRL distribution point:
  - Create a CRL using the same index as the certificate that has the CRL distribution point.
  - Add the CRL data to the created CRL, chunk by chunk.
  - Verify that the CRL is in the correct format and signed.
  - Verify that the CRL in hand is up to date.
  - Obtain the certificate's serial number.
  - Search for the serial number to make sure that the certificate has not been revoked.
- Release system resources.
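The order of checks in this step, sketched as an added example (not part of the Intel sample or the Intel DAL API): the CRL's signature is checked before its dates or contents are trusted, and a missing CRL fails closed. The Cert and Crl types, all names and values are constructed for illustration; parsing is skipped and HMAC-SHA256 stands in for the issuer's signature. Skipping certificates without a distribution point is an assumption.

```python
import hashlib, hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Cert:                  # constructed stand-in for a parsed certificate
    issuer: str
    serial: int
    key: bytes               # stand-in for the subject's public key
    has_cdp: bool = True     # certificate lists a CRL distribution point

@dataclass
class Crl:                   # constructed stand-in for a parsed CRL
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: frozenset
    sig: bytes = b""

def mac(crl, key):
    # HMAC-SHA256 stands in for the issuer's signature over the CRL fields.
    body = repr((crl.issuer, crl.this_update, crl.next_update, sorted(crl.revoked)))
    return hmac.new(key, body.encode(), hashlib.sha256).digest()

def check_chain(chain, crls, now):
    """chain is ordered leaf to root; crls[i] belongs to chain[i]."""
    for i, cert in enumerate(chain):
        if not cert.has_cdp:
            continue                                # assumption: no CDP, nothing to check
        crl = crls.get(i)
        if crl is None:
            return f"cert {i}: CRL missing"         # fail closed
        signer = chain[min(i + 1, len(chain) - 1)]  # issuer is the next cert up
        if crl.issuer != cert.issuer or not hmac.compare_digest(crl.sig, mac(crl, signer.key)):
            return f"cert {i}: CRL signature invalid"
        if not crl.this_update <= now < crl.next_update:
            return f"cert {i}: CRL not current"
        if cert.serial in crl.revoked:
            return f"cert {i}: revoked"
    return "ok"

# Constructed sample: leaf -> intermediate -> root; NOW plays the session's time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CHAIN = [Cert("Int CA", 0x1001, b"leaf-key"), Cert("Root CA", 0x02, b"int-key"),
         Cert("Root CA", 0x01, b"root-key", has_cdp=False)]

def make_crl(issuer, key, revoked=(), age_days=1, valid_days=7):
    start = NOW - timedelta(days=age_days)
    crl = Crl(issuer, start, start + timedelta(days=valid_days), frozenset(revoked))
    crl.sig = mac(crl, key)
    return crl

CRLS = {0: make_crl("Int CA", b"int-key"), 1: make_crl("Root CA", b"root-key")}
```

Calling check_chain(CHAIN, CRLS, NOW) returns "ok"; replacing an entry with a stale, tampered or missing CRL returns the first failing check for that chain index.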
Third Step - Closing the Session
If SSL services are no longer needed, the user should invoke destruction of the created certificate store and SslSession to release the system resources.