2.2.2.7.13 szOID_ENROLL_EK_INFO

OID = 1.3.6.1.4.1.311.21.23.

Internal Name: szOID_ENROLL_EK_INFO

Description: The value of this attribute contains endorsement certificates (EKCerts) and an EKPub from the TPM, protected by a certificate. A maximum of 3 non-manufacturer EKCerts will be passed. If there is a manufacturer EKCert then it is guaranteed to be supplied as the first EKCert in the sequence after the EKPub (as shown below).

Format: The value of the property is an EnvelopedData CMS structure ([RFC3852] section 6.1) with one RecipientInfo ([RFC3852] section 6.2). The RecipientInfo is for the CA exchange certificate. The EncryptedContent field MUST be the encrypted form of the following ASN.1 structure, DER encoded:

 EndorsementKeyInfo ::= SEQUENCE SIZE (2..5) OF ANY

The first element of the sequence must be a SubjectPublicKeyInfo ([RFC2986] section 4) for the EKPub.

The second element of the sequence must be the manufacturer certificate, if available. Otherwise, it must contain the zero length NULL tag: 05 00.

If there are any non-manufacturer EKCerts available, then elements three through five contain the individual EKCerts.

The total number of EKCerts cannot exceed three.
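The following Python is added here as an example; it is not part of [MS-WCCE] or any Microsoft implementation. It walks the decrypted EncryptedContent as DER and checks the EndorsementKeyInfo constraints stated above on the CA side; the EKPub and EKCert bytes are constructed placeholders, and all function names are assumptions.

```python
def der_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; assumes single-byte tags."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length (0x81, 0x82, ...)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_encode(tag, value):
    """Wrap value in a definite-length DER TLV, long form when needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def parse_endorsement_key_info(der):
    """Split EndorsementKeyInfo and enforce SIZE (2..5) and the per-slot rules."""
    tag, body, end = der_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer element is not a single SEQUENCE")
    elems, pos = [], 0
    while pos < len(body):                 # slice each ANY element as raw DER
        _, _, nxt = der_tlv(body, pos)
        elems.append(body[pos:nxt])
        pos = nxt
    if not 2 <= len(elems) <= 5:
        raise ValueError("SEQUENCE SIZE (2..5) violated")
    if elems[0][0] != 0x30:                # SubjectPublicKeyInfo is a SEQUENCE
        raise ValueError("first element must be SubjectPublicKeyInfo")
    has_mfr = elems[1] != b"\x05\x00"      # NULL 05 00 = no manufacturer EKCert
    if has_mfr and elems[1][0] != 0x30:
        raise ValueError("second element must be a certificate or NULL")
    others = elems[2:]                     # at most 3 non-manufacturer EKCerts
    if any(c[0] != 0x30 for c in others):
        raise ValueError("elements 3..5 must be certificates")
    return {"ekpub": elems[0], "manufacturer": elems[1] if has_mfr else None,
            "other_ekcerts": others}

# Constructed placeholders standing in for an EKPub SPKI and three EKCerts
# (the certificate blobs are >255 bytes so long-form lengths are exercised).
SPKI = der_encode(0x30, b"\x00" * 40)
CERTS = [der_encode(0x30, bytes([i]) * 300) for i in range(1, 4)]
SAMPLE = der_encode(0x30, SPKI + b"\x05\x00" + b"".join(CERTS))
```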