The answer to the question posed in the subjent of this message is:

CERT_CheckCertUsage checks only the KeyUsage extension.  

But see below.

Patrick wrote:

> I have 2 certs sitting on a smartcard, both of which have a critical Digital
> Signature and Non-Repudiation key usages. However one is supposed to be an
> ID cert, the other an Email signing cert. How does NSS tell the ID cert from
> the Email cert?

In order to answer that question, you have to ask it about a specific NSS
function.  For example, you could ask "How does CERT_VerifyCert determine
whether a cert is valid for Email signing?"  But different functions in 
NSS form their conclusions using different criteria, so your question 
cannot be answered with a blanket answer for all of NSS.

In NSS, the function CERT_CheckCertUsage gets called from only one place,
inside function CERT_ImportCRL().  It is not used for checking certs under
any other circumstances.  So, CERT_CheckCertUsage  may not be the function 
you really want to use.

> When I check the for the digitalSignature key usage
> (usage=KU_DIGITAL_SIGNATURE) on the ID cert with CERT_CheckCertUsage, the
> latter returns *success*, but when I do the same with the Email signing
> cert, it return *failure*...But why? I don't see how CERT_CheckCertUsage
> (which calls CERT_FindKeyUsageExtension, which calls
> CERT_FindBitStringExtension with tag=SEC_OID_X509_KEY_USAGE), can return
> failure on the Email signing cert when this cert has the same key usages as
> the ID cert...

CERT_CheckCertUsage takes as input a pointer to an array of pointers to
CERTCertExtension structs.  That array is normally initialized when the 
cert is imported into NSS (I think).  Perhaps it was initialized properly 
for one of the certs you checked, but was empty for the other one?  

Or perhaps the two certs aren't identical with respect to that extension?

> I understand NSS can use the netscape-cert-type extension, if present, to
> differentiate between certs, 

Some NSS functions can do that, yes, but not CERTCertExtension().

> but isn't CERT_CheckCertUsage checking the
> standard keyUsage extension and *not* the netscape-cert-type extension?

That is correct.

> -- POC


--
Nelson Bolyard               
Disclaimer:                  I speak for myself, not for Netscape

Reply via email to