I have 2 certs sitting on a smartcard, both of which have a critical Digital Signature and Non-Repudiation key usages. However one is supposed to be an ID cert, the other an Email signing cert. How does NSS tell the ID cert from the Email cert?
When I check the for the digitalSignature key usage (usage=KU_DIGITAL_SIGNATURE) on the ID cert with CERT_CheckCertUsage, the latter returns *success*, but when I do the same with the Email signing cert, it return *failure*...But why? I don't see how CERT_CheckCertUsage (which calls CERT_FindKeyUsageExtension, which calls CERT_FindBitStringExtension with tag=SEC_OID_X509_KEY_USAGE), can return failure on the Email signing cert when this cert has the same key usages as the ID cert... I understand NSS can use the netscape-cert-type extension, if present, to differentiate between certs, but isn't CERT_CheckCertUsage checking the standard keyUsage extension and *not* the netscape-cert-type extension? -- POC
