David,
David Stutzman wrote:
I'm looking at the functions CERT_VerifyCertificate and
CERT_VerifyCertificateNow and see it has 2 parameters of type
SECCertificateUsage, one required and one returned. What is the purpose
of the returned one?
SECCertificateUsage is a bit-field. If you requested several usages to
be checked, the returned one will contain the usages for which the cert
actually verified .
If you only request one, then I believe the output argument is optional
(ie. you can pass NULL).
I checked the certutil code and the same variable
is being passed into the verify function and the return is never
checked. (ValidateCert on line 750 of certutil.c, "usage" declared on
756, passed into the verify method on 816 and never looked at again in
the method.)
certutil only checks one usage at a time, so it doesn't need to check
the output argument. The SECStatus return from CERT_VerifyCertificate is
sufficient .
I'm generating and verifying digital signatures in my application. Do I
need to slurp out the key usages from the certificate and make sure
digital signature and non-repudiation are present before I do the verify
or is passing in the requiredusages of "certificateUsageEmailSigner" to
CERT_VerifyCertificate good enough? Does NSS care that the signing
going on has nothing to do with email? I figured object signing wasn't
really appropriate.
I'm using NSS 3.11.2.
NSS won't know what you are trying to do with the cert.
If you pass certificateUsageEmailSigner to CERT_VerifyCertificate, NSS
will check that the cert is appropriate for e-mail signing - including
key usage/extended key usage extension .
What purpose are you using the digital signatures for in your
application ? That may help determine the right usage to check .
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto