Fields Not To Include In Digests
There are some parts of an image that you may not want to include in any message digest. This section identifies those parts, and describes why you might not want to include them in a message digest.
- Information related to Attribute Certificates - It is not possible to include a certificate in the calculation of a message digest that resides within the certificate. Since certificates can be added to or removed from an image without affecting the overall integrity of the image, this is not a problem. Therefore, it is best to leave all attribute certificates out of the message digest, even if there are certificates already in the image at the time you are calculating your message digest. There is no guarantee those certificates will still be there later, or that other certificates won’t have been added. To exclude attribute certificate information from the message digest calculation, you must exclude the following information from that calculation:
  - The Certificate Table field of the Optional Header Data Directories.
  - The Certificate Table and corresponding certificates pointed to by the Certificate Table field listed immediately above.
- Debug information - Debug information may generally be considered advisory (to debuggers) and does not affect the actual integrity of the executable program. It is quite literally possible to remove debug information from an image after a product has been delivered without affecting the functionality of the program. This is, in fact, a disk-saving measure that is sometimes used. If you do not want to include debug information in your message digest, then you should not include the following information in your message digest calculation:
  - The Debug entry of the Data Directory in the Optional Header.
  - The .debug section.
- File Checksum field of the Windows NT-Specific Fields of the Optional Header - This checksum includes the entire file (including any attribute certificates included in the file) and will, in all likelihood, be different after inserting your certificate than when you were originally calculating a message digest to include in your certificate.
- Unused or obsolete fields - There are several fields that are either unused or obsolete. The value of these fields is undefined and may change after you calculate your message digest. These fields include:
  - Reserved field of the Optional Header Windows NT-Specific Fields (offset 52).
  - The DLL Flags field of the Optional Header Windows NT-Specific Fields. This field is obsolete.
  - Loader Flags field of the Optional Header Windows NT-Specific Fields. This field is obsolete.
  - Reserved entries of the Data Directory in the object header.
- Resources (makes localization easier) - Depending upon the specifics of your Attribute Certificate, it may be desirable or undesirable to include resources in the message digest. If you want to allow localization without the generation of new certificates, then you do not want to include resources in your message digest. If the values of the resources are critical to your application, then you probably do want them included in your message digest, and you will accept the overhead of generating a certificate for each localized copy of the image. If you do not want to include resources in your message digest, then you should not include the following information in the message digest calculation:
  - Resource Table entry of the Optional Header Data Directory.
  - The .rsrc section.
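The attribute certificate and File Checksum exclusions described above, shown as an added example (not code from the original specification). It hashes an image while skipping the File Checksum field, the Certificate Table data directory entry, and the certificate table itself. Assumptions: SHA-256 as the digest, the function names, and the field offsets (checksum at Optional Header offset 64, Data Directories at offset 96 for PE32 or 112 for PE32+, Certificate Table as entry 4), which come from the PE32/PE32+ header layout rather than from this section.

```python
import hashlib
import struct

def excluded_ranges(image: bytes) -> list[tuple[int, int]]:
    """(start, end) file ranges to skip: checksum, cert directory entry, cert table."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]        # e_lfanew in the MS-DOS header
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 4 + 20                                    # signature + COFF file header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)         # start of the Data Directories
    cert_entry = dirs + 4 * 8                            # entry 4 = Certificate Table
    cert_off, cert_size = struct.unpack_from("<II", image, cert_entry)
    ranges = [(opt + 64, opt + 68), (cert_entry, cert_entry + 8)]
    if cert_size:
        if cert_off + cert_size > len(image):
            raise ValueError("certificate table runs past end of file")
        ranges.append((cert_off, cert_off + cert_size))  # a file offset, not an RVA
    return sorted(ranges)

def image_digest(image: bytes) -> str:
    """SHA-256 over every byte that is not inside an excluded range."""
    h, pos = hashlib.sha256(), 0
    for start, end in excluded_ranges(image):
        h.update(image[pos:start])                       # empty if ranges overlap
        pos = max(pos, end)
    h.update(image[pos:])
    return h.hexdigest()

def make_image(body: bytes, cert: bytes, checksum: int) -> bytes:
    """Constructed minimal PE32 layout for this demo; not a loadable executable."""
    img = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40))
    img += b"PE\0\0" + bytes(20) + struct.pack("<H", 0x10B).ljust(224, b"\0")
    opt = 0x40 + 24
    img += body
    struct.pack_into("<I", img, opt + 64, checksum)
    if cert:                                             # append the table at end of file
        struct.pack_into("<II", img, opt + 96 + 32, len(img), len(cert))
        img += cert
    return bytes(img)

if __name__ == "__main__":
    before = make_image(b"code+data", b"", 0)
    after = make_image(b"code+data", b"constructed-cert", 0x1234)
    print("digest unchanged by certificate and checksum:",
          image_digest(before) == image_digest(after))
```

Because the excluded certificate range is taken from a header field inside the file, a verifier should also confirm that the range covers only certificate data, otherwise bytes placed there escape the digest.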