Processing Rules for an Initial Key Attestation Request

Note: For information on product behavior, see the following product behavior note.<105>

In addition to the processing rules defined in section, the CA MUST perform the following processing on the certificate request, which is formatted as explained in section

  1. The CA MUST decrypt the encrypted szOID_ENROLL_EK_INFO or szOID_ENROLL_AIK_INFO attribute that contains the Client_HardwareKeyInfo ADM element using the current CA exchange certificate private key. The encryption algorithm will be sent back to the client as the szOID_ENROLL_ENCRYPTION_ALGORITHM attribute defined in section On failure to decrypt the szOID_ENROLL_EK_INFO or szOID_ENROLL_AIK_INFO attribute, fail with a suitable HRESULT.

  2. The CA MUST extract the trust module public key from the decrypted Client_HardwareKeyInfo, verify it can be loaded, and record its SHA-2 hash as a hexadecimal string with no spaces in the EndorsementKeyHash column of the database ([MS-CSRA] section

  3. The CA performs the following processing.

    1. The CA SHOULD set the CR_FLG_TRUSTONUSE flag in the Request_Request_Flags column of the Request table ([MS-CSRA] section

    2. The CA SHOULD verify all trust module certificates obtained from the decrypted Client_HardwareKeyInfo according to the processing rules in section

    3. The CA SHOULD check that the trust module public key exists in one of the locations listed under the Config_Hardware_Key_List_Directories ADM element according to the processing rules in section; if it exists, the CA MUST set the CR_FLG_TRUSTEKKEY in the Request_Request_Flags column of the Request table ([MS-CSRA] section

  4. The CA MUST verify the KeyAttestationStatement data stored under the szOID_ENROLL_ATTESTATION_STATEMENT attribute in a CSP-specific manner; otherwise, fail with an HRESULT indicating that the CA failed to validate the KeyAttestationStatement data.

  5. The CA MUST verify that the value of the szOID_ENROLL_KSP_NAME attribute is a Unicode string that contains the name of a valid TPM provider.<106>

  6. If the request contains an szOID_ENROLL_EK_INFO attribute (section, then the CA creates a Challenge message, sends it to the client, and sets the CR_FLG_CHALLENGEPENDING bit in the Request_Request_Flags column, as described in section If the request contains an szOID_ENROLL_AIK_INFO attribute (section, then the CA sets the CR_FLG_CHALLENGESATISFIED bit in the Request_Request_Flags column.
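The following sketch is an added example, not code from the specification or from any CA implementation. It models the bookkeeping in steps 2, 3.1, 3.3 and 6. It assumes SHA-256 as the SHA-2 variant, lowercase hex output, and that a key counts as listed when a file named after its hash exists in a configured directory. The function names and the numeric flag values are hypothetical.

```python
import hashlib
from enum import Flag, auto
from pathlib import Path


class RequestFlags(Flag):
    # Flag names are from the page; the numeric values are illustrative,
    # not the values stored in the Request_Request_Flags column.
    CR_FLG_TRUSTONUSE = auto()
    CR_FLG_TRUSTEKKEY = auto()
    CR_FLG_CHALLENGEPENDING = auto()
    CR_FLG_CHALLENGESATISFIED = auto()


def endorsement_key_hash(public_key: bytes) -> str:
    """Step 2: SHA-2 hash as a hexadecimal string with no spaces.
    Assumption: SHA-256 over the encoded key, lowercase hex."""
    return hashlib.sha256(public_key).hexdigest()


def key_is_listed(key_hash: str, directories: list[Path]) -> bool:
    """Step 3.3. Assumption: a key is listed when a file named after its
    hash exists in a configured directory (case-insensitive name match)."""
    for d in directories:
        if d.is_dir() and any(p.name.lower() == key_hash for p in d.iterdir()):
            return True
    return False


def process_initial_request(public_key: bytes, info_attr: str,
                            directories: list[Path]) -> tuple[str, RequestFlags]:
    """Model steps 2, 3.1, 3.3 and 6; returns (EndorsementKeyHash, flags)."""
    if not public_key:
        raise ValueError("trust module public key could not be loaded")
    key_hash = endorsement_key_hash(public_key)
    flags = RequestFlags.CR_FLG_TRUSTONUSE            # step 3.1
    if key_is_listed(key_hash, directories):          # step 3.3
        flags |= RequestFlags.CR_FLG_TRUSTEKKEY
    if info_attr == "szOID_ENROLL_EK_INFO":           # step 6: challenge is sent
        flags |= RequestFlags.CR_FLG_CHALLENGEPENDING
    elif info_attr == "szOID_ENROLL_AIK_INFO":        # step 6: no challenge
        flags |= RequestFlags.CR_FLG_CHALLENGESATISFIED
    else:
        raise ValueError(f"unexpected attribute {info_attr!r}")
    return key_hash, flags
```

Note that in this model CR_FLG_TRUSTEKKEY depends only on the key-list lookup, so write access to the configured directories determines which trust modules the CA treats as known.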