<!DOCTYPE html>
<!--
Copyright 2019 NXP
This software is owned or controlled by NXP and may only be used
strictly in accordance with the applicable license terms. By expressly
accepting such terms or by downloading, installing, activating and/or
otherwise using the software, you are agreeing that you have read, and
that you agree to comply with and are bound by, such license terms. If
you do not agree to be bound by the applicable license terms, then you
may not retain, install, activate or otherwise use the software.
-->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta charset="utf-8" />
<title>5.4.2. OpenSSL Engine: TLS Client example for iMX/Rpi3 &#8212; Plug &amp; Trust MW v03.00.05 documentation</title>
<link rel="stylesheet" href="../../../_static/bootstrap-sphinx.css" type="text/css" />
<link rel="stylesheet" href="../../../_static/pygments.css" type="text/css" />
<link rel="stylesheet" type="text/css" href="../../../_static/graphviz.css" />
<script id="documentation_options" data-url_root="../../../" src="../../../_static/documentation_options.js"></script>
<script src="../../../_static/jquery.js"></script>
<script src="../../../_static/underscore.js"></script>
<script src="../../../_static/doctools.js"></script>
<script src="../../../_static/language_data.js"></script>
<link rel="index" title="Index" href="../../../genindex.html" />
<link rel="search" title="Search" href="../../../search.html" />
<link rel="next" title="5.4.3. Access Manager: Manage access from multiple (Linux) processes to an SE05x IoT Applet" href="../../../hostlib/hostLib/accessManager/doc/accessManager.html" />
<link rel="prev" title="5.4.1. Greengrass Demo for Linux" href="../sss_pkcs11/Readme.html" />
<meta http-equiv='X-UA-Compatible' content='IE=edge,chrome=1'>
<meta name='viewport' content='width=device-width, initial-scale=1.0, maximum-scale=1'>
<meta name="apple-mobile-web-app-capable" content="yes">
<script type="text/javascript" src="../../../_static/js/jquery-1.11.0.min.js "></script>
<script type="text/javascript" src="../../../_static/js/jquery-fix.js "></script>
<script type="text/javascript" src="../../../_static/bootstrap-3.3.7/js/bootstrap.min.js "></script>
<script type="text/javascript" src="../../../_static/bootstrap-sphinx.js "></script>
</head><body>
<div class="container">
<div class="row">
<div class="body col-md-9 content" role="main">
<div class="section" id="openssl-engine-tls-client-example-for-imx-rpi3">
<span id="tls-client-example"></span><h1><span class="section-number">5.4.2. </span>OpenSSL Engine: TLS Client example for iMX/Rpi3<a class="headerlink" href="#openssl-engine-tls-client-example-for-imx-rpi3" title="Permalink to this headline"></a></h1>
<ul class="simple">
<li><p>DocRevision : 0.94</p></li>
<li><p>Date : 2020-01-14</p></li>
</ul>
<p>This section explains how to set up a TLS link using the SE050 OpenSSL Engine on the client side.
A note at the bottom of this page (<a class="reference internal" href="#tls-client-using-a71ch"><span class="std std-numref">Section 5.4.2.7</span></a>) highlights the changes needed when an A71CH secure element is used instead.</p>
<div class="section" id="summary">
<h2><span class="section-number">5.4.2.1. </span>Summary<a class="headerlink" href="#summary" title="Permalink to this headline"></a></h2>
<p>The TLS demo sets up a mutually authenticated and encrypted link between a
client and a server system. The key pair that identifies the client is stored
in the Secure Element; the key pair that identifies the server is simply
available as a PEM file.</p>
<p>The public key of each key pair is contained in the corresponding client or
server certificate.</p>
<p>The CA certificate is self-signed. The same CA signs both the client and the
server certificate.</p>
<p>The key material (CA, client and server) can be either RSA (4096-bit CA, 2048-bit client/server)
or EC (prime256v1).</p>
<p>The TLS demo comes in two flavours:</p>
<ol class="arabic simple">
<li><p><strong>Flavour-A:</strong> The standard OpenSSL tools <cite>s_server</cite> and <cite>s_client</cite> are
used to set up and demonstrate the TLS link. The certificates are simply
stored on the file system of the host. The client uses the key pair stored
inside the SE050.</p></li>
<li><p><strong>Flavour-B:</strong> A TLS client program, included in source code
(<cite>tlsSe050Client.cpp</cite>), retrieves the client certificate from the SE050 and
uses the key pair stored inside the SE050. It establishes a TLS connection
with the server process <cite>s_server</cite>.</p></li>
</ol>
<p>Steps in <a class="reference internal" href="#credential-prep"><span class="std std-numref">Section 5.4.2.2</span></a> to <a class="reference internal" href="#startup-the-server"><span class="std std-numref">Section 5.4.2.5</span></a> are
identical for the two demo flavours.</p>
</div>
<div class="section" id="credential-preparation-execute-once-optional">
<span id="credential-prep"></span><h2><span class="section-number">5.4.2.2. </span>Credential preparation (execute once) [Optional]<a class="headerlink" href="#credential-preparation-execute-once-optional" title="Permalink to this headline"></a></h2>
<div class="highlight-text notranslate"><div class="highlight"><pre><span></span>&gt; cd demos/linux/tls_client
&gt; ./scripts/createTlsCredentials_Optional.sh &lt;ECC|RSA&gt;
</pre></div>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The Host SW package comes bundled with the required credentials. The
<cite>createTlsCredentials_Optional.sh</cite> script will re-create equivalent
credentials (but with new/different keypairs)</p>
</div>
<p>The script creates all client and server credentials required by the demo on the
client platform. The server credentials (including the server private key, which is a
plain pem file) must then be transferred to the server platform.</p>
</div>
<div class="section" id="secure-element-preparation-client-side">
<h2><span class="section-number">5.4.2.3. </span>Secure Element preparation (client side)<a class="headerlink" href="#secure-element-preparation-client-side" title="Permalink to this headline"></a></h2>
<p>For the purpose of the demo one MUST inject the TLS client key pair and
certificate into the Secure Element and create a reference pem file referring
to the provisioned key pair:</p>
<div class="highlight-text notranslate"><div class="highlight"><pre><span></span>&gt; cd demos/linux/tls_client/scripts
&gt; python3 provisionTlsClient.py --key_type &lt;ecc|rsa&gt;
</pre></div>
</div>
<p>Further details on using these scripts can be found in the following:</p>
<div class="section" id="provisiontlsclient-py">
<h3><span class="section-number">5.4.2.3.1. </span>provisionTlsClient.py<a class="headerlink" href="#provisiontlsclient-py" title="Permalink to this headline"></a></h3>
<dl class="simple">
<dt>usage: provisionTlsClient.py [-h] --key_type KEY_TYPE</dt><dd><p>[--connection_data CONNECTION_DATA]
[--connection_type CONNECTION_TYPE]
[--subsystem SUBSYSTEM]</p>
</dd>
</dl>
<p>Provision attached secure element with ECC/RSA keys</p>
<dl>
<dt>Preconditions:</dt><dd><ul class="simple">
<li><p>Secure element attached</p></li>
<li><p>The Python virtual environment should be activated (not needed on the i.MX platform);
refer to the ssscli installation steps: Plug &amp; Trust MW, Section 8.3 <a class="reference internal" href="../../../pycli/doc/pre-steps.html#cli-doc-pre-steps"><span class="std std-ref">Steps needed before running ssscli tool</span></a></p></li>
</ul>
</dd>
<dt>Postconditions:</dt><dd><ul class="simple">
<li><p>Key pair injected on id referred by KEYPAIR_INDEX_CLIENT_PRIVATE variable</p></li>
<li><p>Ref pem created</p></li>
<li><p>Client certificate injected on id referred by CERTIFICATE_INDEX variable.</p></li>
</ul>
</dd>
<dt>optional arguments:</dt><dd><dl class="option-list">
<dt><kbd><span class="option">-h</span>, <span class="option">--help</span></kbd></dt>
<dd><p>show this help message and exit</p>
</dd>
</dl>
</dd>
<dt>required arguments:</dt><dd><dl class="option-list">
<dt><kbd><span class="option">--key_type <var>KEY_TYPE</var></span></kbd></dt>
<dd><p>Supported key types =&gt; <code class="docutils literal notranslate"><span class="pre">ecc</span></code>, <code class="docutils literal notranslate"><span class="pre">rsa</span></code></p>
</dd>
</dl>
</dd>
<dt>optional arguments:</dt><dd><dl class="option-list">
<dt><kbd><span class="option">--connection_data <var>CONNECTION_DATA</var></span></kbd></dt>
<dd><p>Parameter to connect to SE =&gt; eg. <code class="docutils literal notranslate"><span class="pre">COM3</span></code>, <code class="docutils literal notranslate"><span class="pre">127.0.0.1:8050</span></code>, <code class="docutils literal notranslate"><span class="pre">none</span></code>. Default: <code class="docutils literal notranslate"><span class="pre">none</span></code></p>
</dd>
<dt><kbd><span class="option">--connection_type <var>CONNECTION_TYPE</var></span></kbd></dt>
<dd><p>Supported connection types =&gt; <code class="docutils literal notranslate"><span class="pre">t1oi2c</span></code>, <code class="docutils literal notranslate"><span class="pre">sci2c</span></code>, <code class="docutils literal notranslate"><span class="pre">vcom</span></code>, <code class="docutils literal notranslate"><span class="pre">jrcpv1</span></code>, <code class="docutils literal notranslate"><span class="pre">jrcpv2</span></code>, <code class="docutils literal notranslate"><span class="pre">pcsc</span></code>. Default: <code class="docutils literal notranslate"><span class="pre">t1oi2c</span></code></p>
</dd>
<dt><kbd><span class="option">--subsystem <var>SUBSYSTEM</var></span></kbd></dt>
<dd><p>Supported subsystem =&gt; <code class="docutils literal notranslate"><span class="pre">se050</span></code>, <code class="docutils literal notranslate"><span class="pre">a71ch</span></code>. Default: <code class="docutils literal notranslate"><span class="pre">se050</span></code></p>
</dd>
</dl>
</dd>
</dl>
<p>Example invocation:</p>
<div class="highlight-text notranslate"><div class="highlight"><pre><span></span>python provisionTlsClient.py --key_type ecc
python provisionTlsClient.py --key_type ecc --connection_data 169.254.0.1:8050
python provisionTlsClient.py --key_type rsa --connection_data 127.0.0.1:8050 --connection_type jrcpv2
python provisionTlsClient.py --key_type rsa --connection_data COM3
python provisionTlsClient.py --key_type ecc --subsystem a71ch
</pre></div>
</div>
</div>
</div>
<div class="section" id="server-side-preparation">
<h2><span class="section-number">5.4.2.4. </span>Server side preparation<a class="headerlink" href="#server-side-preparation" title="Permalink to this headline"></a></h2>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The Host SW package comes bundled with the required server credentials.</p>
</div>
<p>Ensure the default server credentials or those created under (<a class="reference internal" href="#credential-prep"><span class="std std-numref">Section 5.4.2.2</span></a>) are available
on the server platform.</p>
</div>
<div class="section" id="start-up-the-server">
<span id="startup-the-server"></span><h2><span class="section-number">5.4.2.5. </span>Start up the server<a class="headerlink" href="#start-up-the-server" title="Permalink to this headline"></a></h2>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The server can run e.g. on a PC. The server must be reachable over the
TCP/IP network from the client. Choose either a server using EC based credentials or
a server using RSA based credentials.</p>
</div>
<p>Execute the following command on the server platform to use the EC based server credentials and make a note of the IP
address of the server:</p>
<div class="highlight-text notranslate"><div class="highlight"><pre><span></span>&gt; cd demos/linux/tls_client/scripts
&gt; ./tlsServer.sh &lt;ECDHE|ECDHE_SHA256|max&gt;
</pre></div>
</div>
<p>Execute the following command on the server platform to use the RSA based server credentials and make a note of the IP
address of the server:</p>
<div class="highlight-text notranslate"><div class="highlight"><pre><span></span>&gt; cd demos/linux/tls_client/scripts
&gt; ./tlsServer.sh RSA
</pre></div>
</div>
</div>
<div class="section" id="establish-a-tls-link-from-the-client-to-the-server">
<h2><span class="section-number">5.4.2.6. </span>Establish a TLS link from the client to the server<a class="headerlink" href="#establish-a-tls-link-from-the-client-to-the-server" title="Permalink to this headline"></a></h2>
<p>The client process establishing the TLS connection comes in two flavours:
either <cite>s_client</cite> or a program provided in source code (tlsSe050Client.cpp).
Invoke either example through a bash shell script.</p>
<div class="section" id="using-s-client">
<h3><span class="section-number">5.4.2.6.1. </span>Using s_client<a class="headerlink" href="#using-s-client" title="Permalink to this headline"></a></h3>
<p>Invoke the script using the IP address of the server as the first argument and
ECDHE or ECDHE_SHA256 as the second argument (ECDHE standing for ephemeral ECDH key exchange;
the second argument must match the option the server was started with) when
connecting to a server using EC based credentials:</p>
<div class="highlight-text notranslate"><div class="highlight"><pre><span></span>&gt; ./tlsSeClient.sh &lt;server-IP-address&gt; &lt;ECDHE|ECDHE_SHA256&gt;
</pre></div>
</div>
<p>Invoke the script using the IP address of the server as the first argument and
RSA as the second argument when connecting to a server using RSA based credentials:</p>
<div class="highlight-text notranslate"><div class="highlight"><pre><span></span>&gt; ./tlsSeClient.sh &lt;server-IP-address&gt; RSA
</pre></div>
</div>
<p>In case OpenSSL 1.1.1 is available on <em>both</em> the client (i.MX or Raspberry Pi) and the server side,
the TLS1.3 protocol can be requested (by default TLS1.2 is used). This is
achieved by setting the environment variable REQ_TLS to tls1_3:</p>
<div class="highlight-text notranslate"><div class="highlight"><pre><span></span>&gt; REQ_TLS=tls1_3 ./tlsSeClient.sh &lt;server-IP-address&gt; ECDHE
</pre></div>
</div>
</div>
<div class="section" id="using-tlsse050client-cpp">
<h3><span class="section-number">5.4.2.6.2. </span>Using tlsSe050Client.cpp<a class="headerlink" href="#using-tlsse050client-cpp" title="Permalink to this headline"></a></h3>
<p>First compile the client program. Ensure all required SE050 specific libraries
and header files have been installed on the linux system. By default this example
links to static libraries:</p>
<div class="highlight-text notranslate"><div class="highlight"><pre><span></span>&gt; cd demos/linux/tls_client/build
&gt; cmake ../.
&gt; cmake --build .
</pre></div>
</div>
<p>Invoke the script using the IP address of the server as the first argument and EC or RSA
(matching the server credentials) as the second argument:</p>
<div class="highlight-text notranslate"><div class="highlight"><pre><span></span>&gt; ./tlsExtendedSeClient.sh &lt;server-IP-address&gt; &lt;EC|RSA&gt;
</pre></div>
</div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>The environment variable REQ_TLS is not applicable to this example.
In case OpenSSL 1.1.1 is available on the client, the actual TLS protocol version used will
be negotiated to the highest version supported by both client and server.
Otherwise TLS1.2 will be used.</p>
</div>
</div>
</div>
<div class="section" id="tls-client-example-using-a71ch">
<span id="tls-client-using-a71ch"></span><h2><span class="section-number">5.4.2.7. </span>TLS client example using A71CH<a class="headerlink" href="#tls-client-example-using-a71ch" title="Permalink to this headline"></a></h2>
<div class="section" id="introduction">
<h3><span class="section-number">5.4.2.7.1. </span>Introduction<a class="headerlink" href="#introduction" title="Permalink to this headline"></a></h3>
<p>The TLS client example can also be used in combination with an
A71CH secure element (in EC mode only).
The following steps are different:</p>
<div class="highlight-text notranslate"><div class="highlight"><pre><span></span>- secure element preparation
- client program invocation
</pre></div>
</div>
</div>
<div class="section" id="id1">
<h3><span class="section-number">5.4.2.7.2. </span>Secure Element preparation (client side)<a class="headerlink" href="#id1" title="Permalink to this headline"></a></h3>
<p>Specify an additional option <code class="docutils literal notranslate"><span class="pre">--subsystem</span> <span class="pre">a71ch</span></code>:</p>
<div class="highlight-text notranslate"><div class="highlight"><pre><span></span>&gt; python3 provisionTlsClient.py --key_type ecc --subsystem a71ch
</pre></div>
</div>
</div>
<div class="section" id="invocation-of-client-program">
<h3><span class="section-number">5.4.2.7.3. </span>Invocation of client program<a class="headerlink" href="#invocation-of-client-program" title="Permalink to this headline"></a></h3>
<p>Set the environment variable <code class="docutils literal notranslate"><span class="pre">REQ_SE</span></code> to <code class="docutils literal notranslate"><span class="pre">a71ch</span></code> when invoking the client program:</p>
<div class="highlight-text notranslate"><div class="highlight"><pre><span></span>&gt; REQ_SE=a71ch ./tlsSeClient.sh 192.168.1.190 ECDHE
&gt; ... or ...
&gt; REQ_SE=a71ch ./tlsExtendedSeClient.sh 192.168.1.190 EC
</pre></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<footer class="footer">
<div class="container">
<p class="pull-right">
<a href="#">Back to top</a>
</p>
<p>
&copy; Copyright 2018-2020, NXP.<br/>
Created using <a href="http://sphinx-doc.org/">Sphinx</a> 2.4.1.<br/>
</p>
</div>
</footer>
</body>
</html>