execute

Parses the PKCS#7 container for the message type, calls a function depending on that type and returns the result, including the HTTP header needed for the scep CGI script.

__send_cert

Create the response for the GetCert request by extracting serial number and issuer from the request, find the certificate and return it.

__send_crl

Create the response for the GetCRL request by extracting the issuer and serial from the request. As we do not support scoped CRLs yet it is sufficient to check the issuer dn but to catch situations where the issuer dn is used over multiple generations we search for both.

__pkcs_req

Called by execute if the message type is 'PKCSReq' (19). This is the message type that is used when an SCEP client asks for a certificate. Named parameters are TOKEN and PKCS7, where token is a token from the OpenXPKI::Crypto::TokenManager of type 'SCEP'. PKCS7 is the sanitized PKCS#7 data received from the client including an (artificial) start and end line. Using the crypto token, the transaction ID of the request is acquired. Using this transaction ID, a database lookup is done (using the datapool) to see whether there is already an existing workflow corresponding to the transaction ID.

If there is no workflow, a new one of the type defined in the server configuration is created and the (base64-encoded) PKCS#7 request as well as the transaction ID is saved in the workflow context. From there on, the work takes place in the workflow.

If there is a workflow, the status of this workflow is looked up and the response depends on the status:
- as long as the workflow is not in the "finished" process state, a
pending message is send.
- if the status is 'SUCCESS', the certificate is extracted from the
workflow and returned to the SCEP client.
- in any other case a FAILURE response is sent. If the context item
scep_error is set to a proper SCEP error code it is used, default
is to send "badRequest".