The Certificate message – Digital Certificates and Certification Authorities

10.5.6 The Certificate message

The Certificate message contains the endpoint’s – server Alice’s or client Bob’s – certificate chain.

Server Alice sends the Certificate message to client Bob whenever the key exchange Alice and Bob agreed upon uses certificate-based authentication. This is the case for all TLS 1.3 key exchange methods except the TLS handshake based on a pre-shared key.

Client Bob sends a Certificate message if and only if server Alice has requested him to authenticate himself using the CertificateRequest message. If Alice requested Bob authenticate himself using a certificate, but Bob has no suitable certificate at hand, he sends a Certificate message containing no certificates. More precisely, Bob sends a Certificate message with the certificate_list field having a length of zero. The structure of the Certificate message is shown in Listing 10.5.

Listing 10.5: Structure of the Certificate message

enum {
   X509(0),
   RawPublicKey(2),
   (255)
} CertificateType;
struct {
   select (certificate_type) {
       case RawPublicKey:
           /* From RFC 7250 ASN.1_subjectPublicKeyInfo */
           opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;
       case X509:
           opaque cert_data<1..2^24-1>;
   };
   Extension extensions<0..2^16-1>;
} CertificateEntry;
struct {
   opaque certificate_request_context<0..2^8-1>;
   CertificateEntry certificate_list<0..2^24-1>;
} Certificate;

If the Certificate message is received in response to a CertificateRequest message, the certificate_request_context variable stores an identifier for the certificate request. When server Alice requests client Bob authenticate himself using a certificate, Alice can supply an additional context, which client Bob would return to bind his certificate to Alice’s request. If client Bob does not authenticate himself using a certificate (which is the most common case on the internet), certificate_request_context has a length of zero.

The certificate_list field contains a chain of CertificateEntry data structures. Each CertificateEntry stores a single digital certificate together with its corresponding set of extensions.

The extensions field consists of certain extension values for a CertificateEntry, including OCSP status for server certificates and the SignedCertificateTimestamp extensions. The extensions in the Certificate message from server Alice must match those found in client Bob’s ClientHello message. Similarly, extensions in the Certificate message from client Bob have to match those in server Alice’s CertificateRequest message.

Server Alice’s certificate_list must never be empty. In contrast, client Bob may send an empty certificate_list if he has no appropriate certificate with which to respond to server Alice’s authentication request.
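The framing rules of Listing 10.5, shown as an added example that is not part of the original text: a Python parser for the Certificate message body that checks every length prefix and applies the empty-list rule for server and client. The function names, the from_server flag and the sample bytes are constructed for illustration, and extensions are returned as raw bytes rather than decoded.

```python
class CertificateParseError(ValueError):
    """Raised when a Certificate message body violates Listing 10.5."""

def _take(buf, pos, n):
    """Return n bytes starting at pos plus the new offset; reject truncation."""
    if pos + n > len(buf):
        raise CertificateParseError("length prefix exceeds remaining data")
    return buf[pos:pos + n], pos + n

def _vector(buf, pos, len_bytes):
    """Read a TLS vector: big-endian length prefix, then that many bytes."""
    raw, pos = _take(buf, pos, len_bytes)
    return _take(buf, pos, int.from_bytes(raw, "big"))

def parse_certificate(body, from_server):
    """Parse a Certificate body (handshake header removed) into (context, entries)."""
    context, pos = _vector(body, 0, 1)       # certificate_request_context<0..2^8-1>
    cert_list, pos = _vector(body, pos, 3)   # certificate_list<0..2^24-1>
    if pos != len(body):
        raise CertificateParseError("trailing bytes after certificate_list")
    entries, p = [], 0
    while p < len(cert_list):
        # cert_data and ASN1_subjectPublicKeyInfo share the <1..2^24-1> framing
        cert_data, p = _vector(cert_list, p, 3)
        if not cert_data:
            raise CertificateParseError("CertificateEntry with empty cert_data")
        extensions, p = _vector(cert_list, p, 2)  # extensions<0..2^16-1>, kept raw
        entries.append((cert_data, extensions))
    if from_server and not entries:
        raise CertificateParseError("server certificate_list must not be empty")
    return context, entries

def encode_certificate(context, entries):
    """Serialize constructed test data in the same layout (illustrative helper)."""
    lst = b"".join(len(c).to_bytes(3, "big") + c + len(e).to_bytes(2, "big") + e
                   for c, e in entries)
    return bytes([len(context)]) + context + len(lst).to_bytes(3, "big") + lst

# Constructed samples: placeholder bytes stand in for DER-encoded certificates.
SAMPLE_SERVER = encode_certificate(
    b"", [(b"leaf-placeholder", b""), (b"intermediate-placeholder", b"")])
EMPTY_CLIENT = encode_certificate(b"ctx1", [])  # Bob has no suitable certificate

if __name__ == "__main__":
    print(parse_certificate(SAMPLE_SERVER, from_server=True))
    print(parse_certificate(EMPTY_CLIENT, from_server=False))
```

The same empty body that is valid from client Bob is rejected when from_server is true, which is the asymmetry the last paragraph describes.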
