3.2.2.6.2.1.2.7 Processing Rules for a Challenge Response Request

If a request of type Challenge Response is received, the CA MUST adhere to the following processing rules:

  1. The CA MUST look up the relevant Request row in the Request Table using the RequestId attribute (section 2.2.2.7.10) specified in the pwszAttributes parameter of ICertRequestD::Request or ICertRequestD2::Request2.

  2. The CA MUST verify that the Request_Disposition column in the Request table ([MS-CSRA] section 3.1.1.1.1) is set to "request pending".

  3. The CA MUST verify that the caller of this request is the same principal as the original requester (caller) of the pending request.

  4. The CA MUST verify that the Request_Request_Flags column in the Request Table has CR_FLG_CHALLENGEPENDING set and does not have CR_FLG_CHALLENGESATISFIED set, as specified in [MS-CSRA] section 3.1.1.1.2.

  5. The CA MUST verify that the KeyAttestationChallenge column still has a challenge and is not set to a single zero byte. If this is true, then after these processing rules are complete (regardless of eventual success or failure), the contents of the KeyAttestationChallenge column MUST be set to a single zero byte to indicate a challenge response has been attempted.

  6. The CA MUST decrypt the challenge in the response with the current CA exchange private key.

  7. The CA MUST decrypt the challenge in the KeyAttestationChallenge column of the Request table.

  8. The CA MUST verify that the decrypted challenge from the response matches the decrypted challenge in the database.

  9. If the above processing is successful, the CA MUST set the Request_Request_Flags column in the Request table to CR_FLG_CHALLENGESATISFIED, indicating that challenge verification is satisfied, as specified in [MS-CSRA] section 3.1.1.1.2.

  10. The CA MUST call the CA policy algorithm to process the request according to section 3.2.2.6.2.1.4.
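The following is an added example modeling rules 1 through 10 above as one CA-side function; it is not code from [MS-WCCE] or from any CA implementation. Everything in it is an assumption made so that the rules can be exercised offline: the Request table is a dictionary keyed by RequestId, the CA exchange private key is stood in for by a toy SHA-256 keystream cipher (the real CA uses its RSA exchange key), the numeric values of CR_FLG_CHALLENGEPENDING and CR_FLG_CHALLENGESATISFIED are illustrative and must be taken from [MS-CSRA] section 3.1.1.1.2, the helper issue_challenge stands in for the part of the original attested request that stores the challenge, and demo_policy stands in for the CA policy algorithm of section 3.2.2.6.2.1.4. The scenarios at the end show the two properties a practitioner should care about: a wrong caller (rule 3) is rejected before the challenge is consumed, so the legitimate requester can still answer, while a wrong answer (rule 8) consumes the challenge (rule 5), so a later correct answer is also rejected.

```python
"""Model of the challenge-response processing rules (added example)."""
import hashlib
import hmac
import secrets

# Flag values are ILLUSTRATIVE (assumption); the authoritative values are in
# [MS-CSRA] section 3.1.1.1.2.
CR_FLG_CHALLENGEPENDING = 0x0400
CR_FLG_CHALLENGESATISFIED = 0x0800
DISPOSITION_PENDING = "request pending"
CHALLENGE_CONSUMED = b"\x00"  # single zero byte: a response has been attempted


class ChallengeResponseError(Exception):
    """Any rule failure; the CA reports a generic failure to the caller."""


def exchange_decrypt(key: bytes, blob: bytes) -> bytes:
    """Toy stand-in for the CA exchange private key (assumption, not RSA):
    blob = 16-byte nonce || ciphertext; keystream = SHA-256(key||nonce||ctr)."""
    nonce, ct = blob[:16], blob[16:]
    ks = b"".join(hashlib.sha256(key + nonce + c.to_bytes(4, "big")).digest()
                  for c in range((len(ct) + 31) // 32))
    return bytes(a ^ b for a, b in zip(ct, ks))


def exchange_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encryption to the exchange key (symmetric XOR stream, so the same
    routine applies the keystream)."""
    nonce = secrets.token_bytes(16)
    return nonce + exchange_decrypt(key, nonce + plaintext)


def issue_challenge(table, request_id, requester, key):
    """Hypothetical CA side of the original attested request: store the
    challenge encrypted to the exchange key and mark the request pending.
    The returned plaintext is what the client must later echo back."""
    challenge = secrets.token_bytes(32)
    table[request_id] = {
        "Request_Disposition": DISPOSITION_PENDING,
        "Request_Requester": requester,
        "Request_Request_Flags": CR_FLG_CHALLENGEPENDING,
        "KeyAttestationChallenge": exchange_encrypt(key, challenge),
    }
    return challenge


def process_challenge_response(table, request_id, caller, response, key, ca_policy):
    row = table.get(request_id)  # rule 1: look up by RequestId
    if row is None:
        raise ChallengeResponseError("no such RequestId")
    if row["Request_Disposition"] != DISPOSITION_PENDING:  # rule 2
        raise ChallengeResponseError("request is not pending")
    if row["Request_Requester"] != caller:  # rule 3: same principal as the original requester
        raise ChallengeResponseError("caller is not the original requester")
    flags = row["Request_Request_Flags"]  # rule 4: PENDING set, SATISFIED clear
    if not flags & CR_FLG_CHALLENGEPENDING or flags & CR_FLG_CHALLENGESATISFIED:
        raise ChallengeResponseError("flags do not permit a challenge response")
    stored = row["KeyAttestationChallenge"]  # rule 5: challenge still present
    if stored == CHALLENGE_CONSUMED:
        raise ChallengeResponseError("challenge already consumed")
    try:
        from_response = exchange_decrypt(key, response)  # rule 6
        from_db = exchange_decrypt(key, stored)  # rule 7
        if not hmac.compare_digest(from_response, from_db):  # rule 8, constant time
            raise ChallengeResponseError("challenge mismatch")
    finally:
        row["KeyAttestationChallenge"] = CHALLENGE_CONSUMED  # rule 5: one attempt only
    # rule 9: this example reads "set to CR_FLG_CHALLENGESATISFIED" as clearing
    # PENDING and setting SATISFIED (interpretation, not from the spec text).
    row["Request_Request_Flags"] = (flags & ~CR_FLG_CHALLENGEPENDING) | CR_FLG_CHALLENGESATISFIED
    return ca_policy(row)  # rule 10: hand off to the CA policy algorithm


def demo_policy(row):
    """Hypothetical stand-in for the CA policy algorithm (section 3.2.2.6.2.1.4)."""
    row["Request_Disposition"] = "issued"
    return row["Request_Disposition"]


def attempt(table, request_id, caller, answer, key):
    """Run one challenge response and return the disposition or the rule that failed."""
    try:
        return process_challenge_response(table, request_id, caller, answer, key, demo_policy)
    except ChallengeResponseError as err:
        return str(err)


def run_scenarios():
    """Constructed scenarios (assumed names and RequestIds); returns each outcome."""
    key = secrets.token_bytes(32)  # toy CA exchange private key
    out = {}
    tbl = {}
    ch = issue_challenge(tbl, 1001, "WORKSTATION$", key)
    out["ok"] = attempt(tbl, 1001, "WORKSTATION$", exchange_encrypt(key, ch), key)
    out["ok_flags"] = tbl[1001]["Request_Request_Flags"]
    out["ok_challenge"] = tbl[1001]["KeyAttestationChallenge"]
    tbl = {}
    ch = issue_challenge(tbl, 1002, "WORKSTATION$", key)
    out["wrong_caller"] = attempt(tbl, 1002, "ATTACKER$", exchange_encrypt(key, ch), key)
    out["wrong_caller_burned"] = tbl[1002]["KeyAttestationChallenge"] == CHALLENGE_CONSUMED
    tbl = {}
    ch = issue_challenge(tbl, 1003, "WORKSTATION$", key)
    out["bad_guess"] = attempt(tbl, 1003, "WORKSTATION$", exchange_encrypt(key, b"guess"), key)
    out["retry_after_bad_guess"] = attempt(tbl, 1003, "WORKSTATION$", exchange_encrypt(key, ch), key)
    return out
```

The order of the checks matters: rules 1 through 4 are cheap state checks that fail without touching the stored challenge, whereas rule 8 is the only step that reveals anything about the challenge value, which is why the zero-byte write in the finally clause is unconditional once rule 5 has passed.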