3.2.1.4.3.2.16 PropID = 0x00000010 (CR_PROP_CAXCHGCERTCHAIN) "CA Exchange Certificate Chain"
The client has requested the CA exchange certificate and its complete chain. The CA MUST follow these processing rules to process the client's request:
1. If the PropIndex parameter is not equal to 0x0 or 0xFFFFFFFF, return the E_INVALIDARG (0x80070057) error to the client.
2. Validate that the Current_CA_Exchange_Cert datum contains a current, valid CA exchange certificate by executing steps 2 and 3 in section 3.2.1.4.3.2.15.
3. Find the CA signing certificate corresponding to the Current_CA_Exchange_Cert by looking for an entry in the Signing_Cert table with the certificate index (section 3.2.1.4.3.2.39) matching the lower 16 bits of the Issuer_Name_Id value retrieved in step 3 of this procedure.<97>
4. Construct a signed CMS message with the following fields:
   - ContentType: szOID_RSA_signedData (1.2.840.113549.1.7.2, id-signedData).
   - Content: SignedData (as specified in [RFC3852], section 5.1) with the following requirements:
     - version: See [RFC3852], section 5.1.
     - digestAlgorithms: Same digest algorithm as was used by the CA signing certificate retrieved in step 4 of this procedure to sign the Current_CA_Exchange_Cert.
     - encapContentInfo: EncapsulatedContentInfo structure (as specified in [RFC3852], section 5.2) with the eContentType set to the OID szOID_PKCS_7_DATA (1.2.840.113549.1.7.1, id-data) and the eContent field set to the CA's exchange certificate from the Current_CA_Exchange_Cert datum.
     - certificates: Contains the CA's certificate, as retrieved in step 4 of this procedure, and its parent certificates. To obtain parent certificates, the CA SHOULD use the Authority Information Access (AIA) extension of its certificate and its parent certificates. The AIA extension is specified in [RFC3280] section 4.2.2.1.
     - crls: Not used.
     - signerInfos: Not used.
5. Return the CMS message through a CERTTRANSBLOB structure (as specified in section 2.2.2.2). Marshaling rules for the CERTTRANSBLOB structure are specified in section 2.2.2.2.
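A client-side check of the message layout prescribed above, as an added example (not code from this specification): a minimal definite-length DER reader that confirms id-signedData, an id-data eContent, no crls and an empty signerInfos, then returns the exchange certificate and the chain. Assumptions: "Not used" is read as crls absent and signerInfos present but empty (the field is mandatory in SignedData), eContent is a primitive OCTET STRING, and all function names, the SHA-256 sample digest and the placeholder certificates are constructed for illustration.

```python
ID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
ID_DATA = bytes.fromhex("2a864886f70d010701")  # 1.2.840.113549.1.7.1
SHA256_ALG = bytes.fromhex("300b0609608648016503040201")  # assumed sample digest algorithm

def expect(cond, msg):
    if not cond:
        raise ValueError(msg)

def read_tlv(buf, pos=0):  # -> (tag, value, end) for the definite-length DER element at pos
    expect(pos + 2 <= len(buf) and buf[pos + 1] != 0x80, "truncated or indefinite-length element")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: the low 7 bits count the length bytes that follow
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    expect(pos + n <= len(buf), "truncated DER element")
    return tag, buf[pos:pos + n], pos + n

def children(value):  # split a constructed value into (tag, value, raw_tlv) triples
    out, pos = [], 0
    while pos < len(value):
        tag, val, end = read_tlv(value, pos)
        out.append((tag, val, value[pos:end]))
        pos = end
    return out

def parse_exchange_chain(blob):
    """Return (exchange_cert_der, [chain_cert_der, ...]); ValueError if a rule is broken."""
    (tag, content_info, _), = children(blob)
    ctype, wrapped = children(content_info)
    expect(tag == 0x30 and ctype[:2] == (0x06, ID_SIGNED_DATA), "ContentType is not id-signedData")
    (_, signed_data, _), = children(wrapped[1])
    fields = children(signed_data)  # version, digestAlgorithms, encapContentInfo, certificates, signerInfos
    expect([f[0] for f in fields] == [0x02, 0x31, 0x30, 0xA0, 0x31], "unexpected SignedData layout (crls present?)")
    expect(fields[4][1] == b"", "signerInfos is not empty")
    etype, econtent = children(fields[2][1])
    (oct_tag, exchange_cert, _), = children(econtent[1])
    expect(etype[:2] == (0x06, ID_DATA) and oct_tag == 0x04, "eContent is not an id-data OCTET STRING")
    chain = [raw for _, _, raw in children(fields[3][1])]
    expect(chain, "certificates field is empty")
    return exchange_cert, chain

def tlv(tag, value):  # DER encoder, used only to build the constructed sample
    n, size = len(value), (len(value).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def build_sample(exchange_cert, chain):  # constructed message; placeholder certs, not real X.509
    encap = tlv(0x30, tlv(0x06, ID_DATA) + tlv(0xA0, tlv(0x04, exchange_cert)))
    fields = [tlv(0x02, b"\x01"), tlv(0x31, SHA256_ALG), encap, tlv(0xA0, b"".join(chain)), tlv(0x31, b"")]
    return tlv(0x30, tlv(0x06, ID_SIGNED_DATA) + tlv(0xA0, tlv(0x30, b"".join(fields))))
```

With signerInfos empty the message carries no CMS signature, so this check covers layout only; the returned exchange certificate still has to be validated against the returned chain.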