Actually I'm passing a CERTCertificate pointer to CERT_CheckCertUsage which
I get back from PK11_FindCertFromNickname.
So I'm assuming the array of extension structs for each cert is properly
initialized by NSS...

BTW, both certs do have the same subject DN, but different issuer DNs

-- POC

"Nelson B. Bolyard" <[EMAIL PROTECTED]> wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> The answer to the question posed in the subjent of this message is:
>
> CERT_CheckCertUsage checks only the KeyUsage extension.
>
> But see below.
>
> Patrick wrote:
>
> > I have 2 certs sitting on a smartcard, both of which have a critical
Digital
> > Signature and Non-Repudiation key usages. However one is supposed to be
an
> > ID cert, the other an Email signing cert. How does NSS tell the ID cert
from
> > the Email cert?
>
> In order to answer that question, you have to ask it about a specific NSS
> function.  For example, you could ask "How does CERT_VerifyCert determine
> whether a cert is valid for Email signing?"  But different functions in
> NSS form their conclusions using different criteria, so your question
> cannot be answered with a blanket answer for all of NSS.
>
> In NSS, the function CERT_CheckCertUsage gets called from only one place,
> inside function CERT_ImportCRL().  It is not used for checking certs under
> any other circumstances.  So, CERT_CheckCertUsage  may not be the function
> you really want to use.
>
> > When I check the for the digitalSignature key usage
> > (usage=KU_DIGITAL_SIGNATURE) on the ID cert with CERT_CheckCertUsage,
the
> > latter returns *success*, but when I do the same with the Email signing
> > cert, it return *failure*...But why? I don't see how CERT_CheckCertUsage
> > (which calls CERT_FindKeyUsageExtension, which calls
> > CERT_FindBitStringExtension with tag=SEC_OID_X509_KEY_USAGE), can return
> > failure on the Email signing cert when this cert has the same key usages
as
> > the ID cert...
>
> CERT_CheckCertUsage takes as input a pointer to an array of pointers to
> CERTCertExtension structs.  That array is normally initialized when the
> cert is imported into NSS (I think).  Perhaps it was initialized properly
> for one of the certs you checked, but was empty for the other one?
>
> Or perhaps the two certs aren't identical with respect to that extension?
>
> > I understand NSS can use the netscape-cert-type extension, if present,
to
> > differentiate between certs,
>
> Some NSS functions can do that, yes, but not CERTCertExtension().
>
> > but isn't CERT_CheckCertUsage checking the
> > standard keyUsage extension and *not* the netscape-cert-type extension?
>
> That is correct.
>
> > -- POC
>
>
> --
> Nelson Bolyard
> Disclaimer:                  I speak for myself, not for Netscape



Reply via email to