       Implements the functionality required to answer SCEP PKIOperation

       Parses the PKCS#7 container for the message type, calls a function
       depending on that type and returns the result, including the HTTP
       header needed for the scep CGI script.

       Creates the response for the GetCert request by extracting the serial
       number and issuer from the request, finding the certificate and
       returning it.

       Creates the response for the GetCRL request by extracting the issuer
       and serial from the request. As we do not support scoped CRLs yet, it
       is sufficient to check the issuer DN, but to catch situations where
       the issuer DN is used over multiple generations we search for both.

       Called by execute if the message type is 'PKCSReq' (19). This is the
       message type that is used when an SCEP client asks for a certificate.
       Named parameters are TOKEN and PKCS7, where TOKEN is a token from the
       OpenXPKI::Crypto::TokenManager of type 'SCEP'. PKCS7 is the sanitized
       PKCS#7 data received from the client, including an (artificial) start
       and end line. Using the crypto token, the transaction ID of the
       request is acquired. Using this transaction ID, a database lookup is
       done (using the datapool) to see whether there is already an existing
       workflow corresponding to the transaction ID.

       If there is no workflow, a new one of the type defined in the server
       configuration is created and the (base64-encoded) PKCS#7 request as
       well as the transaction ID are saved in the workflow context. From
       there on, the work takes place in the workflow.

       If there is a workflow, the status of this workflow is looked up and
       the response depends on the status:
         - as long as the workflow is not in the "finished" process state, a
           pending message is sent.
         - if the status is 'SUCCESS', the certificate is extracted from the
           workflow and returned to the SCEP client.
         - in any other case a FAILURE response is sent. If the context item
           scep_error is set to a proper SCEP error code it is used, default
           is to send "badRequest".
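
       The lookup-then-respond flow described above, as an added Perl example
       (not OpenXPKI's own code). The in-memory %datapool, the function name
       handle_pkcs_req and the record fields are hypothetical; the pending
       reply for a freshly created workflow and the transaction ID format
       check are assumptions.

```perl
#!/usr/bin/env perl
# Added example, not OpenXPKI code. %datapool, handle_pkcs_req() and the
# record fields (proc_state, status, context) are hypothetical stand-ins.
use strict;
use warnings;

# failInfo names defined by SCEP (RFC 8894); anything else is not forwarded.
my %FAIL_INFO = map { $_ => 1 }
    qw(badAlg badMessageCheck badRequest badTime badCertId);

my %datapool;    # transaction ID => workflow record

sub handle_pkcs_req {
    my (%arg) = @_;
    my $tid = $arg{transaction_id};

    # Assumption (added check): only a short printable ID is used as a key.
    return { pki_status => 'FAILURE', fail_info => 'badRequest' }
        unless defined $tid && $tid =~ /\A[\x21-\x7e]{1,128}\z/;

    # No workflow yet: create one and keep the request and ID in its context.
    my $wf = $datapool{$tid} //= {
        proc_state => 'running',
        status     => 'PENDING',
        context    => { pkcs7 => $arg{pkcs7}, transaction_id => $tid },
    };

    # Assumption: a freshly created workflow is answered like any unfinished one.
    return { pki_status => 'PENDING' } if $wf->{proc_state} ne 'finished';

    return { pki_status => 'SUCCESS', certificate => $wf->{context}{certificate} }
        if $wf->{status} eq 'SUCCESS';

    # Any other outcome is a FAILURE; an unknown scep_error becomes badRequest.
    my $err = $wf->{context}{scep_error} // '';
    return { pki_status => 'FAILURE',
             fail_info  => $FAIL_INFO{$err} ? $err : 'badRequest' };
}

# Constructed sample: one transaction ID polled while its workflow advances.
my %req = (transaction_id => 'A1B2C3D4', pkcs7 => 'constructed-base64-request');
my @replies = (handle_pkcs_req(%req));                  # creates the workflow
my $wf = $datapool{ $req{transaction_id} };
@{$wf}{qw(proc_state status)} = ('finished', 'FAILURE');
$wf->{context}{scep_error} = 'not-a-scep-code';         # not in %FAIL_INFO
push @replies, handle_pkcs_req(%req);
$wf->{context}{scep_error} = 'badCertId';               # valid failInfo name
push @replies, handle_pkcs_req(%req);
printf "%s %s\n", $_->{pki_status}, $_->{fail_info} // '-' for @replies;
```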

perl v5.32.0		  OpenXPKI::Service::LibSCEP::Command::PKIOperation(3)
