Visible to Intel only — GUID: GUID-6915541C-C873-4C10-A27E-DBCA5D67729C
Intel® EPID 1.1 Provisioning Sample
Intel® EPID 1.1 Signing Sample
DRM Solution Sample
Events Sample
IAC Sample
Protected Storage Sample
SIGMA 1.1 Sample
SSL Sample
Sample Components
Sample Flow
First Step - Establishing a Session
Second Step - Verifying CRLs (if required)
Third Step - Closing the Session
Secure Data Migration Sample
For API Level 1 - Intel® ME 7.x - Sandy Bridge
For API Level 1.1 - Intel® ME 8.x lite - Sandy Bridge
For API Level 2 - Intel® ME 8.0 - Ivy Bridge
For API Level 3 - Intel® ME 8.1 - Ivy Bridge
For API Level 3 - SEC1.0, SEC1.1, SEC1.2, SEC2.0
For API Level 4 - Intel® ME 9.5, Intel ME 9.5.55 - Haswell
For API Level 4 - Intel® ME 9.1, Intel ME 9.1.35 - Haswell
For API Level 5 - Intel® ME 10.0.0 - Haswell
For API Level 6 - Intel® ME 10.0.20 - Broadwell
For API Level 7 - ME 11.0 - Skylake_LP and Skylake_H
For API Level 8 - TXE3.0 - Broxton, ME 11.5/11.8 - Kabylake_LP, Kabylake_H
For API Level 9 - Intel® ME 12.0 - Cannon Lake
Trusted Application Validation Guidelines
Validating the Manifest
Memory and Performance
Error Handling and Recovery
Functional Validation and Multi-Instance Support
Pack and DALP Generation and Validation
Host-Side Software Validation Guidelines
Trusted Application Management Flows
Error Handling and Recovery Flows
Multi-Instance and Interoperability Testing of Trusted Application Management
General and Platform-Related Events
End-to-End and Setup Validation Guidelines
Cross Trusted Application Interoperability Functional Testing
Creating a New Project
Importing an Existing Project
Converting an Existing Project
Building and Packaging Your Project and Running in Emulated Environment
Running Your Project
Running and Testing on Emulation and on Silicon
Debugging Trusted Applications
Preparing and Submitting Your Project for Signing
Signing an Applet
Signing New Versions
Visible to Intel only — GUID: GUID-6915541C-C873-4C10-A27E-DBCA5D67729C
SSL Sample
This sample demonstrates an SSL communication between a Trusted Application (TA) and a remote SSL server. Intel® Dynamic Application Loader (Intel® DAL) has provided the SSL APIs for the client side - as implemented in the Trusted Application.
The sample was written for API level 4, but can be upgraded or downgraded as needed.
Note: • This sample has no executable file, but only TA and host application code. • The host code provided is a library to be used from C#/C++ code as a dynamic library. The library consists of an interface and the SslLibrary classes that implement the SSL functionality.
Sample Components
- Host Application: the proxy that passes messages between the server and the Trusted Application. The host application code in the sample is a C++ library that can be used from any other code, i.e., C#, C++.
- Server: any SSL server that implements the handshake.
Sample Flow
Following is the basic flow of SSL communication.
First Step - Establishing a Session
- Create a new certificate store in the TA. This store can be reused by multiple sessions.
- Add trusted root CA certificates to the store using the CertificateStore.addCertificate API.
- Create a Calendar instance and initialize the time to establish the session's notion of time.
- Create an SSL session with the session parameters in the TA.
- Perform the handshake: sequentially transferring the handshake messages between the session and the remote SSL server.
- Check whether the session is established (whether the handshake completed successfully).
- Once the session is established, the caller can continue to use encrypt and decrypt methods inside the SSL session.
Second Step - Verifying CRLs (if required)
Note: This step is not implemented in the sample.
- Retrieve the certificate chain that was received from the SSL server during the handshake phase, ordered from leaf to root.
- For each certificate in the chain, retrieve the CRL distribution points from the certificate and pass them to the host software.
- After the host software obtains the CRLs, for each CRL distribution point:
- Create a CRL using the same index of the certificate with the CRL distribution point.
- Add the CRL to the created CRL, chunk by chunk.
- Verify that the CRL is in the correct format and signed.
- Verify that the CRL in hand is up to date.
- Obtain the certificate's serial number.
- Search for the serial number to make sure that the certificate has not been revoked.
- Release system resources.
Third Step - Closing the Session
If SSL services are no longer needed, the user should invoke destruction of the created certificate store and SslSession to release the system resources.