2.2.1 SSL_CERT_LOGON_REQ Message

The SSL_CERT_LOGON_REQ structure defines a request to map a client certificate to a security principal for the purpose of retrieving the authorization information. All member fields MUST be encoded in little-endian format.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          MessageType                          |
+---------------------------------------------------------------+
|                            Length                             |
+---------------------------------------------------------------+
|                       OffsetCertificate                       |
+---------------------------------------------------------------+
|                          CertLength                           |
+---------------------------------------------------------------+
|                             Flags                             |
+---------------------------------------------------------------+
|                          IssuerCount                          |
+---------------------------------------------------------------+
|                      NameInfo (variable)                      |
|                              ...                              |
+---------------------------------------------------------------+
|                      Payload (variable)                       |
|                              ...                              |
+---------------------------------------------------------------+

MessageType (4 bytes): A 32-bit unsigned integer that defines the Remote Certificate Mapping Protocol message type. This member MUST be 0x00000002.

Length (4 bytes): A 32-bit unsigned integer that defines the length, in bytes, of the SSL_CERT_LOGON_REQ request message, including the variable length NameInfo and Payload sections.

OffsetCertificate (4 bytes): A 32-bit unsigned integer that defines the offset, in bytes, from the beginning of the SSL_CERT_LOGON_REQ request structure to the X.509 certificate, as specified in [X509], in the Payload member.

CertLength (4 bytes): A 32-bit unsigned integer that defines the length, in bytes, of the X.509 certificate in the Payload member.

Flags (4 bytes): A 32-bit unsigned integer that defines mapping behaviors. The value of this member is any combination of the flags as specified in the following diagram.

All other bits MUST be set to 0 by the Remote Certificate Mapping Protocol client and ignored on receipt.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|0|D|C|B|A|0|0|0|0|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Where the bits are defined as:

Value  Description

A      REQ_UPN_MAPPING
       When set, this indicates that the Remote Certificate Mapping Protocol client requests the Remote Certificate Mapping Protocol server to use the subjectAltName from the X.509 certificate in the Payload member to locate the authorization information, as specified in section 3.5. If not set, the subjectAltName extension SHOULD NOT be used during the lookup operation.

B      REQ_SUBJECT_MAPPING
       When set, the Remote Certificate Mapping Protocol client requests the Remote Certificate Mapping Protocol server to use the issuer and subject names from the X.509 certificate in the Payload member together to locate the authorization information, as specified in section 3.5. If not set, the issuer and subject fields SHOULD NOT be used during the lookup operation.

C      REQ_ISSUER_MAPPING
       When set, the Remote Certificate Mapping Protocol client requests the Remote Certificate Mapping Protocol server to use the issuer from the X.509 certificate in the Payload member to locate the authorization information, as specified in section 3.5. If not set, the issuer name SHOULD NOT be used during the lookup operation.

D      REQ_ISSUER_CHAIN_MAPPING
       When set, the Remote Certificate Mapping Protocol client requests the Remote Certificate Mapping Protocol server to use the chain of issuing authorities for the X.509 certificate in the Payload member to locate the authorization information, as specified in section 3.5. If not set, the chain of issuers SHOULD NOT be used during the lookup operation.

IssuerCount (4 bytes): A 32-bit unsigned integer that defines the number of NameInfo elements.

NameInfo (variable): An array of IssuerOffset and IssuerLength pairs, as defined in the following diagram. The issuers MUST be in the same order as the chain of issuing authorities for the X.509 certificate in the Payload section. That is, if the certificate was issued by A, and certificate authority A was in turn issued by B, the order would be A, B.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         IssuerOffset                          |
+---------------------------------------------------------------+
|                         IssuerLength                          |
+---------------------------------------------------------------+

IssuerOffset (4 bytes): A 32-bit unsigned integer that defines the byte offset from the start of the packet to an IssuerName in the Payload member.

IssuerLength (4 bytes): A 32-bit unsigned integer that defines the length, in bytes, of an IssuerName in the Payload member.

Payload (variable): A byte array that contains the data referred to by the OffsetCertificate and IssuerOffset members. The IssuerName members in the Payload section have no guaranteed order; their order is defined by the NameInfo array listed previously. Thus, the data might be packed into the buffer as "Issuer1, Issuer3, Certificate, Issuer2", but the NameInfo array would list them as "Issuer1, Issuer2, Issuer3". The actual order is specified in section 3.5.1. The number of issuer names encoded into the Payload section is determined by the IssuerCount member. Each IssuerName MUST be 2-byte aligned.

Certificate: The client's BER-encoded X.509 certificate referred to by the OffsetCertificate member. The format of an X.509 certificate is specified in ASN.1 per the X.509 standard, as specified in [X509]. BER encoding is specified in [X690].

IssuerName: The BER-encoded certificate issuer name referred to by an IssuerOffset. Each IssuerName corresponds to the issuerName member of an X.509 certificate in the certificate chain, as specified in [X509]. Only the issuer name is present, not the complete issuer certificate.
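The following Python is an added example, not part of this specification or of any Microsoft implementation: it serializes an SSL_CERT_LOGON_REQ with the layout above and parses one back while treating every offset, length and count as untrusted, so that a malformed NameInfo entry or OffsetCertificate is rejected before any slice is taken. The certificate and issuer-name bytes are constructed stand-ins rather than real BER encodings, and the Flags value is passed through unvalidated because this section gives only the bit positions of the four defined flags.

```python
import struct

HEADER_FMT = "<IIIIII"                    # MessageType .. IssuerCount, all little-endian
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24 bytes; each NameInfo pair is a further 8
MSG_SSL_CERT_LOGON_REQ = 0x00000002

def build_req(cert: bytes, issuers: list, flags: int = 0) -> bytes:
    """Serialize SSL_CERT_LOGON_REQ: issuers in chain order, each IssuerName 2-byte aligned."""
    payload_start = HEADER_LEN + 8 * len(issuers)
    payload, name_info = bytearray(), b""
    for name in issuers:
        if len(payload) % 2:              # pad so this IssuerName starts 2-byte aligned
            payload.append(0)
        name_info += struct.pack("<II", payload_start + len(payload), len(name))
        payload += name
    offset_cert = payload_start + len(payload)
    payload += cert
    header = struct.pack(HEADER_FMT, MSG_SSL_CERT_LOGON_REQ, payload_start + len(payload),
                         offset_cert, len(cert), flags, len(issuers))
    return header + name_info + bytes(payload)

def parse_req(msg: bytes) -> dict:
    """Parse SSL_CERT_LOGON_REQ, bounds-checking every offset and length before use."""
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated header")
    mtype, length, off_cert, cert_len, flags, count = struct.unpack_from(HEADER_FMT, msg)
    if mtype != MSG_SSL_CERT_LOGON_REQ or length != len(msg):
        raise ValueError("bad MessageType or Length does not match received size")
    name_info_end = HEADER_LEN + 8 * count  # Python ints never wrap; in C bound count first
    if name_info_end > length or off_cert < name_info_end or off_cert + cert_len > length:
        raise ValueError("IssuerCount or certificate region outside the message")
    issuers = []
    for i in range(count):
        off, ln = struct.unpack_from("<II", msg, HEADER_LEN + 8 * i)
        if off % 2 or off < name_info_end or off + ln > length:
            raise ValueError(f"IssuerName {i} misaligned or outside Payload")
        issuers.append(msg[off:off + ln])   # returned in NameInfo (chain) order
    return {"flags": flags, "certificate": msg[off_cert:off_cert + cert_len], "issuers": issuers}

def is_well_formed(msg: bytes) -> bool:
    try:
        parse_req(msg)
        return True
    except ValueError:
        return False

# Constructed stand-ins (not real BER certificate or name encodings).
FAKE_CERT = b"\x30\x03\x02\x01\x01"
FAKE_ISSUERS = [b"issuerA", b"issuerB"]   # odd lengths exercise the alignment padding
```

A server-side receiver should apply the same checks before dereferencing any offset; with 32-bit offsets and lengths, a C implementation must also guard the additions against wraparound.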