Actually I'm passing a CERTCertificate pointer to CERT_CheckCertUsage which I get back from PK11_FindCertFromNickname. So I'm assuming the array of extension structs for each cert is properly initialized by NSS...
BTW, both certs do have the same subject DN, but different issuer DNs -- POC "Nelson B. Bolyard" <[EMAIL PROTECTED]> wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > The answer to the question posed in the subjent of this message is: > > CERT_CheckCertUsage checks only the KeyUsage extension. > > But see below. > > Patrick wrote: > > > I have 2 certs sitting on a smartcard, both of which have a critical Digital > > Signature and Non-Repudiation key usages. However one is supposed to be an > > ID cert, the other an Email signing cert. How does NSS tell the ID cert from > > the Email cert? > > In order to answer that question, you have to ask it about a specific NSS > function. For example, you could ask "How does CERT_VerifyCert determine > whether a cert is valid for Email signing?" But different functions in > NSS form their conclusions using different criteria, so your question > cannot be answered with a blanket answer for all of NSS. > > In NSS, the function CERT_CheckCertUsage gets called from only one place, > inside function CERT_ImportCRL(). It is not used for checking certs under > any other circumstances. So, CERT_CheckCertUsage may not be the function > you really want to use. > > > When I check the for the digitalSignature key usage > > (usage=KU_DIGITAL_SIGNATURE) on the ID cert with CERT_CheckCertUsage, the > > latter returns *success*, but when I do the same with the Email signing > > cert, it return *failure*...But why? I don't see how CERT_CheckCertUsage > > (which calls CERT_FindKeyUsageExtension, which calls > > CERT_FindBitStringExtension with tag=SEC_OID_X509_KEY_USAGE), can return > > failure on the Email signing cert when this cert has the same key usages as > > the ID cert... > > CERT_CheckCertUsage takes as input a pointer to an array of pointers to > CERTCertExtension structs. That array is normally initialized when the > cert is imported into NSS (I think). Perhaps it was initialized properly > for one of the certs you checked, but was empty for the other one? > > Or perhaps the two certs aren't identical with respect to that extension? > > > I understand NSS can use the netscape-cert-type extension, if present, to > > differentiate between certs, > > Some NSS functions can do that, yes, but not CERTCertExtension(). > > > but isn't CERT_CheckCertUsage checking the > > standard keyUsage extension and *not* the netscape-cert-type extension? > > That is correct. > > > -- POC > > > -- > Nelson Bolyard > Disclaimer: I speak for myself, not for Netscape
