2.2.2 Client-Side-Wrapped Secret

The Client-Side-Wrapped Secret structure MUST be used by the client to represent a secret wrapped using the server's public key, as specified in section 3.2.4.1.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           dwVersion                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       cbEncryptedSecret                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         cbAccessCheck                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      guidKey (16 bytes)                       |
+                                                               +
|                              ...                              |
+                                                               +
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                  EncryptedSecret (variable)                   |
+                                                               +
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    AccessCheck (variable)                     |
+                                                               +
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

dwVersion (4 bytes): A 32-bit unsigned integer. This field MUST be encoded using little-endian format. The value of this field MUST be set to one of the values in the following table.

Value        Meaning

0x00000002   The EncryptedSecret and AccessCheck fields MUST be formatted using the version 2 formats specified in section 2.2.2.1 and section 2.2.2.3 respectively.

0x00000003   The EncryptedSecret and AccessCheck fields MUST be formatted using the version 3 formats specified in section 2.2.2.2 and section 2.2.2.4 respectively.

cbEncryptedSecret (4 bytes): A 32-bit unsigned integer. It MUST be the length of the EncryptedSecret field, in bytes. This field is encoded using little-endian format.

cbAccessCheck (4 bytes): A 32-bit unsigned integer. It MUST be the length of the AccessCheck field, in bytes. This field is encoded using little-endian format.

guidKey (16 bytes): A 16-byte GUID ([MS-DTYP] section 2.3.4.2) that is used by the server to uniquely identify this public key.

EncryptedSecret (variable): This field contains an encrypted version of the secret. Its length MUST be equal to cbEncryptedSecret bytes. It MUST be populated in accordance with the processing rules specified in section 3.2.4.1.

AccessCheck (variable): This field contains information used by the server to determine which clients are permitted to unwrap the secret. Its length MUST be equal to cbAccessCheck bytes. It MUST be populated in accordance with the processing rules specified in section 3.2.4.1.
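As an added example, not part of the specification or of any Microsoft implementation, the following Python parser and builder implement the layout above: the three 32-bit fields and the GUID are decoded little-endian, dwVersion is restricted to the two listed values, and cbEncryptedSecret and cbAccessCheck are each checked against the bytes actually remaining before the variable fields are sliced. The GUID and payload bytes in the sample are placeholders constructed for the example, not real key material.

```python
import struct
import uuid

# Fixed header: three uint32 fields (little-endian) then guidKey, 16 bytes in
# the MS-DTYP packet (little-endian) GUID layout.
_HEADER_FMT = "<III16s"
_HEADER_LEN = struct.calcsize(_HEADER_FMT)  # 28 bytes
_KNOWN_VERSIONS = {0x00000002, 0x00000003}

def parse_client_side_wrapped_secret(buf: bytes) -> dict:
    """Parse the structure, rejecting any length that disagrees with the buffer."""
    if len(buf) < _HEADER_LEN:
        raise ValueError("buffer shorter than the 28-byte fixed header")
    version, cb_enc, cb_ac, guid_raw = struct.unpack_from(_HEADER_FMT, buf, 0)
    if version not in _KNOWN_VERSIONS:
        raise ValueError(f"unsupported dwVersion {version:#010x}")
    off = _HEADER_LEN
    # Compare each declared length with the bytes remaining rather than summing
    # them, so a peer-supplied cb* value cannot wrap a total past the buffer end.
    if cb_enc > len(buf) - off:
        raise ValueError("cbEncryptedSecret exceeds the remaining buffer")
    encrypted_secret = buf[off:off + cb_enc]
    off += cb_enc
    if cb_ac > len(buf) - off:
        raise ValueError("cbAccessCheck exceeds the remaining buffer")
    access_check = buf[off:off + cb_ac]
    off += cb_ac
    if off != len(buf):
        raise ValueError("trailing bytes after AccessCheck")
    return {"dwVersion": version, "guidKey": uuid.UUID(bytes_le=guid_raw),
            "EncryptedSecret": encrypted_secret, "AccessCheck": access_check}

def build_client_side_wrapped_secret(version, guid_key, encrypted_secret, access_check):
    """Serialize the structure; the cb* fields are derived from the payloads."""
    header = struct.pack(_HEADER_FMT, version, len(encrypted_secret),
                         len(access_check), guid_key.bytes_le)
    return header + encrypted_secret + access_check

def is_well_formed(buf: bytes) -> bool:
    try:
        parse_client_side_wrapped_secret(buf)
        return True
    except ValueError:
        return False

# Constructed sample (placeholder GUID and payload bytes, not real key material):
# version 2, an 8-byte EncryptedSecret and a 4-byte AccessCheck.
SAMPLE_GUID = uuid.UUID("12345678-2222-3333-4444-555555555555")
SAMPLE = build_client_side_wrapped_secret(2, SAMPLE_GUID, b"\x11" * 8, b"\x22" * 4)
```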