3.1.4.2.16 ICertAdminD2::ImportKey (Opnum 46)

The ImportKey method adds an encrypted key set to an item in the CA database.

 HRESULT ImportKey(
   [in, string, unique] wchar_t const* pwszAuthority,
   [in] DWORD dwRequestId,
   [in, string, unique] wchar_t const* pwszCertHash,
   [in] DWORD dwFlags,
   [in, ref] CERTTRANSBLOB* pctbKey
 );

pwszAuthority: See the pwszAuthority definition in section 3.1.4.1.1.

dwRequestId: An unsigned integer value that represents the certificate request ID in the CA database.

pwszCertHash: A null-terminated Unicode string value that represents the SHA-1 hash of the ASN.1 DER–encoded certificate data (as specified in [X660]) and that is formatted as a hexadecimal string.

dwFlags: An unsigned integer that specifies the optional flags for this method.

 Value        Meaning
 0x00010000   Overwrite the existing archived key, if present.

pctbKey: A CERTTRANSBLOB structure that contains the ASN.1 DER–encoded (as specified in [X660] and [X690]) PKCS#7 message (as specified in [RFC2315]) that contains the private key to be archived. The content of the enveloped PKCS#7 is as specified in [MS-WCCE] section 3.2.1.4.2.1.4.

The following processing rules apply:

  1. The CA MUST process the enveloped PKCS#7 in the pctbKey parameter as specified in [MS-WCCE] section 3.2.1.4.2.1.4.

  2. If the Request ID is 0 or 4294967295 and pwszCertHash is null, the CA server MUST fail with the error ERROR_INVALID_PARAMETER.

  3. If pwszCertHash is non-null, the CA MUST look up the request based on the provided pwszCertHash parameter value in the CA Request table by computing the SHA-1 hash of each issued certificate in the Request table and comparing the hexadecimal string form of it with the value that is specified in pwszCertHash.

    1. If the request is not found, the CA server MUST fail the request with the error ERROR_INVALID_PARAMETER.

    2. If the request is found, the CA MUST verify that the private key (decrypted in step 1) is cryptographically related to the public key in the certificate. If the keys are not related, the method MUST fail with the error ERROR_INVALID_PARAMETER.

  4. If pwszCertHash is null, the CA MUST look up the request based on the provided dwRequestId parameter in the CA database Request table:

    1. If the request is not found, the method MUST fail with the error CERTSRV_E_PROPERTY_EMPTY.

    2. If the request is found, the CA MUST verify that the private key (decrypted in step 1) is cryptographically related to the public key in the certificate. If the keys are not related, the method MUST fail with the error ERROR_INVALID_PARAMETER.

  5. If the request is found, has an encrypted private key associated with it, and the value of dwFlags is not 0x00010000, the CA MUST fail with the error ERROR_INVALID_PARAMETER.

  6. If the request is found, has an encrypted private key associated with it, and the value of dwFlags is 0x00010000, the CA MUST replace the encrypted private key (in the request stored in the Request table) with the encrypted private key that is specified in the pctbKey parameter.

  7. If the request is found and does not have an encrypted private key that is associated with it, the CA MUST replace the encrypted private key (in the request that is stored in the Request table) with the encrypted private key that is specified in the pctbKey parameter.
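The decision logic of processing rules 2 through 7, as an added model written for this page (not code from MS-CSRA or any CA implementation). It assumes a constructed in-memory Request table, treats the PKCS#7 unwrapping of step 1 as already done, stands in for the key-relatedness check with a tag comparison, compares the hexadecimal hash case-insensitively, and takes the HRESULT values from the Windows SDK rather than from this page.

```python
import hashlib
from typing import Optional

# HRESULT values as defined in the Windows SDK (not stated on this page).
S_OK = 0x00000000
ERROR_INVALID_PARAMETER = 0x80070057
CERTSRV_E_PROPERTY_EMPTY = 0x80094004
IMPORTKEY_OVERWRITE = 0x00010000  # the only dwFlags value the method defines

# Constructed stand-in for the CA Request table: request ID -> row.
# "public_key" tags stand in for real key material, so the "cryptographically
# related" check of rules 3.2 / 4.2 is a tag comparison in this model.
REQUEST_TABLE = {
    7: {"cert_der": b"\x30\x82constructed-cert-7", "public_key": "k7", "archived_key": None},
    8: {"cert_der": b"\x30\x82constructed-cert-8", "public_key": "k8", "archived_key": b"old-blob"},
}

def cert_hash_hex(cert_der: bytes) -> str:
    """SHA-1 of the DER-encoded certificate as a hex string (the pwszCertHash form)."""
    return hashlib.sha1(cert_der).hexdigest()

def key_is_related(decrypted_key: dict, public_key_tag: str) -> bool:
    # Placeholder for the real pairwise key check: here a decrypted key simply
    # carries the tag of the public key it belongs to (constructed model).
    return decrypted_key.get("public_key") == public_key_tag

def import_key(table: dict, request_id: int, cert_hash: Optional[str], flags: int,
               decrypted_key: dict, new_blob: bytes) -> int:
    """Apply processing rules 2-7 to `table` and return the resulting HRESULT."""
    # Rule 2: neither a usable request ID nor a hash to look up.
    if request_id in (0, 0xFFFFFFFF) and cert_hash is None:
        return ERROR_INVALID_PARAMETER
    if cert_hash is not None:
        # Rule 3: hash every issued certificate and compare hex strings
        # (case-insensitive comparison is an assumption of this model).
        wanted = cert_hash.lower()
        row = next((r for r in table.values()
                    if cert_hash_hex(r["cert_der"]) == wanted), None)
        if row is None:
            return ERROR_INVALID_PARAMETER        # rule 3.1
    else:
        row = table.get(request_id)              # rule 4
        if row is None:
            return CERTSRV_E_PROPERTY_EMPTY       # rule 4.1
    if not key_is_related(decrypted_key, row["public_key"]):
        return ERROR_INVALID_PARAMETER            # rule 3.2 / 4.2
    # Rules 5-7: an already archived key is replaced only with the overwrite flag.
    if row["archived_key"] is not None and flags != IMPORTKEY_OVERWRITE:
        return ERROR_INVALID_PARAMETER            # rule 5
    row["archived_key"] = new_blob                # rules 6 and 7
    return S_OK
```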