hash
... during the TLS handshake MUST be included in the hash calculations
involved in "Finished" messages.
...
... struct {
CertChainType type;
URLAndOptionalHash url_and_hash_list<1..2^16-1>;
} CertificateURL;
...
... case false: struct {};
case true: SHA1Hash;
} hash;
} URLAndOptionalHash;
...
... opaque SHA1Hash[20];
Here "url_and_hash_list" contains a sequence of URLs and optional
hashes ...
... URL at the client's discretion either
is not present or is the SHA-1 hash of the certificate or certificate
chain (in the case of X.509 certificates ...
... certificate chain as usual. A cached copy of the content of any URL
in the chain MAY be used, provided that a SHA-1 hash is present for
that URL and it matches the hash of the cached copy.
Servers that support this extension MUST support the http: URL scheme ...
... "application/pkix-pkipath" (see Section 8).
If a SHA-1 hash is present for an URL, then the server MUST check
that the SHA-1 hash of the contents of the object retrieved from that
URL (after decoding any MIME Content-Transfer-Encoding) matches the
given hash. If any retrieved object does not have the correct SHA-1
hash, the server MUST abort the handshake with a
"bad_certificate ...
... identifier_type) {
case pre_agreed: struct {};
case key_sha1_hash: SHA1Hash;
case x509_name: DistinguishedName;
...
... DSA) and Elliptic Curve Digital
Signature Algorithm (ECDSA) keys, this is the hash of the
"subjectPublicKey" value. For RSA keys, the hash is of the big-endian
byte string representation of the modulus without any initial
0-valued bytes. (This copies the key hash formats deployed in other
environments.)
...
... they possess in this extension.
Note also that it is possible that a key hash or a Distinguished Name
alone may not uniquely identify a certificate ...
... record layer
communications. In TLS, the entire output of the hash function is
used as the MAC tag ...
... tag. However, it may be desirable in constrained
environments to save bandwidth by truncating the output of the hash
function to 80 bits when forming MAC tags ...
... HMACs, calculated as
specified in [HMAC]. That is, CipherSpec.hash_size is 10 bytes, and
only the first 10 bytes of the HMAC output are transmitted and
...
... alert is sent by servers when a
certificate hash does not match a client-provided
certificate ...
... certificate_status_response(113), /* new */
bad_certificate_hash_value(114), /* new */
(255)
} AlertDescription;
...
... extension fields are included in the
inputs to the Finished message hashes will be sufficient, but
extreme care is needed when the extension changes the meaning of
messages sent in the handshake ...
... client certificate chain is
covered by the Finished message hashes. The purpose of including
hashes and checking them against the retrieved certificate chain is
to ensure that the same property holds when this extension is used,
...
On the other hand, omitting certificate hashes enables functionality
that is desirable in some circumstances; for example, clients can be
...
... Clients that choose to omit certificate
hashes should be aware of the possibility of an attack in which the
attacker ...
... TLS uses both MD5 and SHA-1 hashes in several other places,
this was not believed to be necessary here. The property required of
SHA-1 ...
... The use of the SHA-1 certificate hash alternative ensures that each
certificate is specified unambiguously. As for the previous
...
... messages that affect extension parameters have been authenticated by
the hashes in the Finished messages, it is not possible for an active
attacker to force negotiation ...
