
Certificate Usage

Endi S. Dewata edited this page May 8, 2023 · 3 revisions

Overview

NS_CERT_TYPE defines are used in two areas:

  1. The old NSS Cert Type Extension, which is a certificate extension in the actual cert. It was created before the X.509 Extended Key Usage extension, which has since taken over its function. This field is only 8 bits wide.

  2. The nsCertType entry in the CERTCertificate structure. This field is 32 bits wide.

Any entry in this table with a value greater than 0x80 cannot be encoded in an NSS Cert Type Extension (it does not fit in the 8-bit field), but can still be represented internally in the nsCertType field.

See also lib/certdb/certt.h.

NS_CERT_TYPE

/*
 * nsCertType bits. The "bit N" labels are the bit positions used by the NS
 * Cert Type Extension, which counts from the most significant bit of the
 * byte (bit 0 == 0x80, bit 7 == 0x01). Values above 0x80 have no position
 * in that 8-bit extension and exist only in the 32-bit nsCertType field.
 */
#define NS_CERT_TYPE_IPSEC_CA (0x200)         /* outside the NS Cert Type Extension */
#define NS_CERT_TYPE_IPSEC (0x100)            /* outside the NS Cert Type Extension */
#define NS_CERT_TYPE_SSL_CLIENT (0x80)        /* bit 0 */
#define NS_CERT_TYPE_SSL_SERVER (0x40)        /* bit 1 */
#define NS_CERT_TYPE_EMAIL (0x20)             /* bit 2 */
#define NS_CERT_TYPE_OBJECT_SIGNING (0x10)    /* bit 3 */
#define NS_CERT_TYPE_RESERVED (0x08)          /* bit 4 -- not part of NS_CERT_TYPE_APP or NS_CERT_TYPE_CA */
#define NS_CERT_TYPE_SSL_CA (0x04)            /* bit 5 */
#define NS_CERT_TYPE_EMAIL_CA (0x02)          /* bit 6 */
#define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */

/*
 * Usages that share the nsCertType field but, being wider than 8 bits, can
 * never appear in the NS Cert Type Extension. The EXT_KEY_USAGE_ prefix
 * suggests they are derived from the Extended Key Usage extension -- the
 * derivation itself is not shown here (see cert_ComputeCertType()).
 */
#define EXT_KEY_USAGE_TIME_STAMP (0x8000)
#define EXT_KEY_USAGE_STATUS_RESPONDER (0x4000)

/*
 * Convenience masks over the nsCertType bits.
 *
 * NS_CERT_TYPE_APP covers the end-entity (leaf) usages.
 * NS_CERT_TYPE_CA covers the CA usages and additionally
 * EXT_KEY_USAGE_STATUS_RESPONDER, so a check against NS_CERT_TYPE_CA also
 * matches an OCSP-responder-type certificate that is not a CA; use the
 * individual *_CA bits when that distinction matters.
 * Neither mask includes NS_CERT_TYPE_RESERVED or EXT_KEY_USAGE_TIME_STAMP.
 */
#define NS_CERT_TYPE_APP                                                      \
    (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
     NS_CERT_TYPE_IPSEC | NS_CERT_TYPE_OBJECT_SIGNING)

#define NS_CERT_TYPE_CA                                                \
    (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |                     \
     NS_CERT_TYPE_OBJECT_SIGNING_CA | EXT_KEY_USAGE_STATUS_RESPONDER | \
     NS_CERT_TYPE_IPSEC_CA)

SECCertUsage

/*
 * A single certificate usage, as an index (0..12), NOT a bit mask.
 * Each value is the bit position of the matching certificateUsage* constant
 * below (certificateUsageSSLClient == 1 << certUsageSSLClient, and so on).
 * Do not OR SECCertUsage values together or pass one where a
 * SECCertificateUsage mask is expected: certUsageSSLClient is 0, which as a
 * mask would read as certificateUsageCheckAllUsages.
 */
typedef enum SECCertUsageEnum {
    certUsageSSLClient = 0,
    certUsageSSLServer = 1,
    certUsageSSLServerWithStepUp = 2,
    certUsageSSLCA = 3,
    certUsageEmailSigner = 4,
    certUsageEmailRecipient = 5,
    certUsageObjectSigner = 6,
    certUsageUserCertImport = 7,
    certUsageVerifyCA = 8,
    certUsageProtectedObjectSigner = 9,
    certUsageStatusResponder = 10,
    certUsageAnyCA = 11,
    certUsageIPsec = 12
} SECCertUsage;

/* Bit mask of certificateUsage* constants (one bit per SECCertUsage); 64-bit. */
typedef PRInt64 SECCertificateUsage;

Certificate Usage Constants

/*
 * SECCertificateUsage mask bits. Each constant is 1 << the SECCertUsage
 * value of the same name, so the two families line up one-to-one.
 *
 * certificateUsageCheckAllUsages is the zero mask; by its name it requests
 * checking every usage rather than none. An accidental 0 (e.g. an
 * uninitialized or default-constructed mask) is therefore indistinguishable
 * from an explicit "check all" -- callers should set the mask deliberately.
 */
#define certificateUsageCheckAllUsages (0x0000)
#define certificateUsageSSLClient (0x0001)
#define certificateUsageSSLServer (0x0002)
#define certificateUsageSSLServerWithStepUp (0x0004)
#define certificateUsageSSLCA (0x0008)
#define certificateUsageEmailSigner (0x0010)
#define certificateUsageEmailRecipient (0x0020)
#define certificateUsageObjectSigner (0x0040)
#define certificateUsageUserCertImport (0x0080)
#define certificateUsageVerifyCA (0x0100)
#define certificateUsageProtectedObjectSigner (0x0200)
#define certificateUsageStatusResponder (0x0400)
#define certificateUsageAnyCA (0x0800)
#define certificateUsageIPsec (0x1000)

cert_ComputeCertType()

cert_ComputeCertType() computes the certificate type/usage (the nsCertType bits) of a certificate.

CERT_VerifyCertificate()

CERT_VerifyCertificate() checks whether a certificate is valid, is trusted, and has the required usages; a certificate that passes only some of these checks must not be treated as verified.