3.1.5.1.1.3 Processing Details
The server MUST perform the following steps after receiving RollTransportKey.
Validate the HealthCertificate in an implementation-specific manner and return an error “HealthCertificateException” if validation fails.
Validate that the IngressProtector is in a valid XML format and return the error “InvalidProtectorException” if validation fails.
Validate the following in the IngressProtector in an implementation-specific manner and return the error “InvalidProtectorException” if validation fails:
WrappingId in GuardianSignature points to a valid wrapping.
Signature fields in GuardianSignature and TransportKeySignature have valid values.
Validate that each Wrapping in the Wrappings field of IngressProtector is properly constructed and signed, as follows, and return the error “InvalidWrappingException” if validation fails:
SigningCertificate and EncryptionCertificate are valid X.509 certificates.
ParentWrappingId in SigningCertificateSignature points to a valid wrapping in the protector, or to the current Wrapping if it is the owner.
Current Wrapping chains up to the owner of the protector.
Signature in SigningCertificateSignature is created using the SigningCertificate of the parent wrapping.
Signature in EncryptionCertificateSignature is created using the SigningCertificate of the current wrapping.
Verify that Protector has a wrapping for the KPS, process the IngressProtector and extract the IngressTransportKey, generate EgressTransportKey, and generate an EgressProtector in an implementation-specific manner.
Sign the EngressProtector with the private key of the KPS’s SigningCertificate, as specified in section 2.2.2.8.
Derive the key from the TransportKey of EgressProtector using the KeyDerivationMethod, as specified in section 2.2.2.9, and sign the EgressProtector with that key.
Encrypt and sign the TransportKeys of both the IngressProtector and TransportKey in an implementation-specific manner.
The server MUST return the EgressProtector and EncryptedTransportKeys to the calling application.