2.2.1.11.1 Marshaling Format for Officer and Enrollment Agent Rights

The marshaling of Officer rights and Enrollment Agent rights into a CERTTRANSBLOB structure depends on whether the server supports Enrollment Agent rights. CA implementers can determine whether to support Enrollment Agent rights; there is no requirement to support them.

If Enrollment Agent rights are not supported by the server, the pb member of the CERTTRANSBLOB structure refers to the Officer rights security descriptor (as defined in [MS-DTYP] section 2.4.6), and the cb member contains the length of the marshaled data.

If Enrollment Agent rights are supported by the server, the CERTTRANSBLOB structure is created as follows:

  1. If Officer rights are enabled and Enrollment Agent rights are disabled, the pb member of the CERTTRANSBLOB structure refers to the following marshaled structure.

     struct {
     SECURITY_DESCRIPTOR OfficerRights;
     DWORD bEARightDisabled;
     };

     Member              Value
     OfficerRights
     bEARightsDisabled   (0x00000000)

    OfficerRights: A marshaled security descriptor for Officer rights.

    bEARightsDisabled: A little-endian encoded DWORD. This value MUST be 0x00000000.

    There is no padding or DWORD boundary requirement.

  2. If Officer rights are disabled and Enrollment Agent rights are disabled, the pb member of the CERTTRANSBLOB structure refers to the following marshaled structure.

     struct {
     DWORD bEARightDisabled;
     };

     Member              Value
     bEARightsDisabled   (0x00000000)

    bEARightsDisabled: A little-endian encoded DWORD. This value MUST be 0x00000000.

    There is no padding or DWORD boundary requirement.

  3. If Officer rights are disabled and Enrollment Agent rights are enabled, the pb member of the CERTTRANSBLOB structure refers to the following marshaled structure.

     struct {
     DWORD bEARightEnabled;
     SECURITY_DESCRIPTOR EnrollmentAgentRights;
     };

     Member                  Value
     bEARightsEnabled        Must be nonzero.
     EnrollmentAgentRights

    bEARightsEnabled: A little-endian encoded DWORD. This value MUST be nonzero.

    EnrollmentAgentRights: A marshaled security descriptor for Enrollment Agent rights.

    There is no padding or DWORD boundary requirement.

  4. If Officer rights are enabled and Enrollment Agent rights are enabled, the pb member of the CERTTRANSBLOB structure refers to the following marshaled structure.

     struct {
     SECURITY_DESCRIPTOR OfficerRights;
     DWORD bEARightEnabled;
     SECURITY_DESCRIPTOR EnrollmentAgentRights;
     };

     Member                  Value
     OfficerRights
     bEARightsEnabled        Must be nonzero.
     EnrollmentAgentRights

    OfficerRights: A marshaled security descriptor for Officer rights.

    bEARightsEnabled: A little-endian encoded DWORD. The value MUST be nonzero.

    EnrollmentAgentRights: A marshaled security descriptor for Enrollment Agent rights.

    There is no padding or DWORD boundary requirement.
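The four cases above share one layout problem for a consumer: nothing carries the length of a SECURITY_DESCRIPTOR, and the bEARights* DWORD follows it with no padding, so a parser has to compute where the Officer descriptor ends from the descriptor's own self-relative offsets before it can read the flag. The following added example (not code from this specification or from any CA implementation) marshals and unmarshals all four cases in Python. It assumes the self-relative SECURITY_DESCRIPTOR, SID and ACL layouts and the SE_SELF_RELATIVE / SE_DACL_PRESENT control bits from MS-DTYP, and it assumes the caller already knows, out of band, whether Officer rights are enabled, because the blob itself does not say whether it begins with a descriptor. The SIDs and access masks are constructed sample values.

```python
import struct

# Assumed from MS-DTYP (not on this page): SECURITY_DESCRIPTOR control bits,
# the ACCESS_ALLOWED ACE type and the 20-byte self-relative header
# (Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl).
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
SD_HEADER_LEN = 20


def build_sid(authority, sub_authorities):
    """SID: Revision, SubAuthorityCount, 6-byte big-endian authority, LE sub-authorities."""
    return (struct.pack("<BB", 1, len(sub_authorities))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in sub_authorities))


def build_access_allowed_ace(mask, sid):
    """ACE header (AceType, AceFlags, AceSize) followed by the access mask and trustee SID."""
    return struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid), mask) + sid


def build_acl(aces):
    """ACL header (AclRevision, Sbz1, AclSize, AceCount, Sbz2) followed by the ACEs."""
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body


def build_self_relative_sd(owner, group, dacl):
    """Self-relative SECURITY_DESCRIPTOR: owner, group and DACL laid out right after the header."""
    off_owner = SD_HEADER_LEN
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(group)
    control = SE_SELF_RELATIVE | SE_DACL_PRESENT
    return struct.pack("<BBHIIII", 1, 0, control, off_owner, off_group, 0, off_dacl) + owner + group + dacl


def _sid_len(buf, off):
    if off + 2 > len(buf):
        raise ValueError("SID header out of bounds")
    return 8 + 4 * buf[off + 1]          # SubAuthorityCount is the second byte


def _acl_len(buf, off):
    if off + 8 > len(buf):
        raise ValueError("ACL header out of bounds")
    return struct.unpack_from("<H", buf, off + 2)[0]   # AclSize covers header and ACEs


def self_relative_sd_len(buf, off=0):
    """Byte length of the self-relative SECURITY_DESCRIPTOR starting at buf[off].
    The descriptor ends where its farthest component ends, so every offset is bounds-checked."""
    if off + SD_HEADER_LEN > len(buf):
        raise ValueError("security descriptor header out of bounds")
    rev, _, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, off)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative SECURITY_DESCRIPTOR")
    end = SD_HEADER_LEN
    for o, size_of in ((o_owner, _sid_len), (o_group, _sid_len), (o_sacl, _acl_len), (o_dacl, _acl_len)):
        if o:
            end = max(end, o + size_of(buf, off + o))
    if off + end > len(buf):
        raise ValueError("security descriptor truncated")
    return end


def marshal_rights(officer_sd, ea_sd):
    """Build the pb contents for the four cases; a disabled right is passed as None.
    The flag DWORD is little-endian and directly follows the Officer descriptor (no padding)."""
    flag = struct.pack("<I", 0 if ea_sd is None else 1)
    return (officer_sd or b"") + flag + (ea_sd or b"")


def unmarshal_rights(blob, officer_enabled):
    """Inverse of marshal_rights. officer_enabled is assumed known by the caller (out of band)."""
    pos, officer_sd, ea_sd = 0, None, None
    if officer_enabled:
        pos = self_relative_sd_len(blob, 0)
        officer_sd = blob[:pos]
    if pos + 4 > len(blob):
        raise ValueError("missing Enrollment Agent flag DWORD")
    (ea_flag,) = struct.unpack_from("<I", blob, pos)   # unaligned read is fine with "<"
    pos += 4
    if ea_flag != 0:                                   # any nonzero value means enabled
        n = self_relative_sd_len(blob, pos)
        ea_sd, pos = blob[pos:pos + n], pos + n
    if pos != len(blob):
        raise ValueError("trailing bytes after marshaled rights")
    return officer_sd, ea_sd


def sample_officer_sd():
    """Constructed sample: BUILTIN\\Administrators owner/group, one allow ACE for a domain user."""
    admins = build_sid(5, [32, 544])
    user = build_sid(5, [21, 1, 2, 3, 1001])
    return build_self_relative_sd(admins, admins, build_acl([build_access_allowed_ace(0x1, user)]))


def sample_ea_sd():
    """Constructed sample: same owner/group, one allow ACE for a different (agent) user."""
    admins = build_sid(5, [32, 544])
    agent = build_sid(5, [21, 1, 2, 3, 1002])
    return build_self_relative_sd(admins, admins, build_acl([build_access_allowed_ace(0x1, agent)]))


if __name__ == "__main__":
    officer, ea = sample_officer_sd(), sample_ea_sd()
    for o, e in ((officer, None), (None, None), (None, ea), (officer, ea)):
        blob = marshal_rights(o, e)
        assert unmarshal_rights(blob, o is not None) == (o, e)
        print(len(blob), "bytes; flag DWORD at offset", 0 if o is None else len(o))
```

The length computation is the part worth keeping: because the descriptor's components are located by offsets, the only safe end marker is the maximum of offset plus component size, and each of those offsets must be checked against cb before it is dereferenced, otherwise a short or malformed blob turns into an out-of-bounds read rather than a parse error.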