The answer to the question posed in the subjent of this message is: CERT_CheckCertUsage checks only the KeyUsage extension.
But see below. Patrick wrote: > I have 2 certs sitting on a smartcard, both of which have a critical Digital > Signature and Non-Repudiation key usages. However one is supposed to be an > ID cert, the other an Email signing cert. How does NSS tell the ID cert from > the Email cert? In order to answer that question, you have to ask it about a specific NSS function. For example, you could ask "How does CERT_VerifyCert determine whether a cert is valid for Email signing?" But different functions in NSS form their conclusions using different criteria, so your question cannot be answered with a blanket answer for all of NSS. In NSS, the function CERT_CheckCertUsage gets called from only one place, inside function CERT_ImportCRL(). It is not used for checking certs under any other circumstances. So, CERT_CheckCertUsage may not be the function you really want to use. > When I check the for the digitalSignature key usage > (usage=KU_DIGITAL_SIGNATURE) on the ID cert with CERT_CheckCertUsage, the > latter returns *success*, but when I do the same with the Email signing > cert, it return *failure*...But why? I don't see how CERT_CheckCertUsage > (which calls CERT_FindKeyUsageExtension, which calls > CERT_FindBitStringExtension with tag=SEC_OID_X509_KEY_USAGE), can return > failure on the Email signing cert when this cert has the same key usages as > the ID cert... CERT_CheckCertUsage takes as input a pointer to an array of pointers to CERTCertExtension structs. That array is normally initialized when the cert is imported into NSS (I think). Perhaps it was initialized properly for one of the certs you checked, but was empty for the other one? Or perhaps the two certs aren't identical with respect to that extension? > I understand NSS can use the netscape-cert-type extension, if present, to > differentiate between certs, Some NSS functions can do that, yes, but not CERTCertExtension(). > but isn't CERT_CheckCertUsage checking the > standard keyUsage extension and *not* the netscape-cert-type extension? That is correct. > -- POC -- Nelson Bolyard Disclaimer: I speak for myself, not for Netscape
