I have 2 certs sitting on a smartcard, both of which have a critical Digital
Signature and Non-Repudiation key usages. However one is supposed to be an
ID cert, the other an Email signing cert. How does NSS tell the ID cert from
the Email cert?

When I check the for the digitalSignature key usage
(usage=KU_DIGITAL_SIGNATURE) on the ID cert with CERT_CheckCertUsage, the
latter returns *success*, but when I do the same with the Email signing
cert, it return *failure*...But why? I don't see how CERT_CheckCertUsage
(which calls CERT_FindKeyUsageExtension, which calls
CERT_FindBitStringExtension with tag=SEC_OID_X509_KEY_USAGE), can return
failure on the Email signing cert when this cert has the same key usages as
the ID cert...

I understand NSS can use the netscape-cert-type extension, if present, to
differentiate between certs, but isn't CERT_CheckCertUsage checking the
standard keyUsage extension and *not* the netscape-cert-type extension?

-- POC



Reply via email to