3.5.4.2 GetClientLicensorCert Operation
To create protected content without continually contacting a server, the user needs a CLC chain that corresponds to the user's account. The CLC chain represents the identity of a user who can create protected content on behalf of the issuing server. It issues an asymmetric signing key pair that is bound to the RAC.
The client uses the GetClientLicensorCert request to obtain a CLC. The client MUST have a valid RAC and SPC before calling GetClientLicensorCert. For more information about acquiring a RAC, see section 2.2.9.5. For more information about acquiring an SPC, see section 2.2.9.4.
Figure 12: GetClientLicensorCert message sequence
-
<wsdl:operation name="GetClientLicensorCert"> <wsdl:input message="tns:GetClientLicensorCertSoapIn" /> <wsdl:output message="tns:GetClientLicensorCertSoapOut" /> </wsdl:operation>
Exception |
Description |
---|---|
Microsoft.DigitalRightsManagement.Licensing.InvalidPersonaCertSignatureException |
The account certificate the requestor supplied has been tampered with. |
Microsoft.DigitalRightsManagement.Licensing.InvalidPersonaCertTimeException |
The account certificate the requestor supplied is currently invalid. |
Microsoft.DigitalRightsManagement.Licensing.UnexpectedPersonaCertException |
An unexpected error was encountered while validating the account certificate. |
Microsoft.DigitalRightsManagement.Licensing.UntrustedPersonaCertException |
The account certificate the requestor supplied was not issued by a trusted user domain server. |
Microsoft.DigitalRightsManagement.Licensing.DrmacIsExcludedException |
The account certificate has been excluded and is not permitted to submit this request. |
Microsoft.DigitalRightsManagement.Licensing.BlackBoxIsInvalidException |
The client's RM lockbox has been revoked. The client computer MUST be reactivated to retrieve the latest RM lockbox. |
Microsoft.RightsManagementServices.ClusterDecommissionedException |
A request was received, but the server is in a decommissioned state and cannot process the request. |
Microsoft.DigitalRightsManagement.Cryptography.UnsupportedCryptographicSetException |
The given certificate does not contain an acceptable combination of asymmetric key and signature hash algorithms. |
In the GetClientLicensorCert request, the client submits a RAC chain and requests a CLC chain. A properly formed GetClientLicensorCert request MUST contain a RAC chain.
Upon receiving a GetClientLicensorCert request the server SHOULD perform signature validation on the RAC chain in the request and verify that it trusts the RAC.
If the RAC chain fails signature validation the server SHOULD return a Microsoft.DigitalRightsManagement.Licensing.InvalidPersonaCertSignatureException SOAP fault code.
If the RAC chain is expired or not yet valid, the server SHOULD return a Microsoft.DigitalRightsManagement.Licensing.InvalidPersonaCertTimeException SOAP fault code.
If the RAC is signed by an SLC that is not in the trustedRacIssuers field of ServerState, the server SHOULD return a Microsoft.DigitalRightsManagement.Licensing.UntrustedPersonaCertException.
If the RAC public key is in the racExclusionPolicy field of ServerState, the server SHOULD return the SOAP fault Microsoft.DigitalRightsManagement.Licensing.DrmacIsExcludedException.
If any other errors are found validating the RAC chain the server SHOULD return a Microsoft.DigitalRightsManagement.Licensing.UnexpectedPersonaCertException SOAP fault.
If the serverDecommissioned field of ServerState is true, the server SHOULD return a Microsoft.RightsManagementServices.ClusterDecommissionedException SOAP fault code.
If the RAC contains a public key length or hash algorithm that is not allowed in the cryptographic mode indicated by the cryptographicMode attribute of ServerState, the server SHOULD return a Microsoft.DigitalRightsManagement.Cryptography.UnsupportedCryptographicSetException fault.
If validation succeeds, the server SHOULD<45> service the request by generating a CLC. To generate a CLC, the server MUST either retrieve or generate a unique asymmetric signing key pair for the user account. The server MUST encrypt the private key with the public key of the RAC so the RAC and the security processor are required to access the signing key in the CLC. The CLC MUST contain the public key and the encrypted private key. The ISSUER element of the CLC MUST contain the public key of the server. The ADDRESS of the distributionpoint-int of the CLC SHOULD contain the licensingUrl of the ServerState. The ADDRESS of the distributionpoint-ext of the CLC SHOULD contain the externalLicensingUrl of the ServerState if the URL is not null. The starttime and endtime of the rangetime element of the CLC SHOULD be copied from the starttime and endtime of the validitytime element of the RAC. The OBJECT element of the ISSUEDPRINCIPALS of the CLC SHOULD be copied from the OBJECT element of the ISSUEDPRINCIPALS of the RAC. The body of the CLC MUST be signed by the server, and the signature MUST be included in the SIGNATURE element of the CLC. The server MUST append its SLC chain to the CLC to complete the CLC chain.
For a successful request, the server MUST return a CLC chain. For an unsuccessful request, the server MUST return a SOAP fault code.
For information about certificate formats, see section 2.2.9.