Certificate Usage
NS_CERT_TYPE
defines are used in two areas:
-
The old NSS Cert Type Extension, which is a certificate extension in the actual cert. It was created before the X.509 Extended Key Usage Extension, which has now taken over its function. This field is only 8 bits wide.
-
The
nsCertType
entry in the CERTCertificate
structure. This field is 32 bits wide.
Because the extension is only 8 bits wide, any entry in this table greater than 0x80 cannot be encoded in an NSS Cert Type Extension, but it can still be represented internally in the nsCertType
field.
See also lib/certdb/certt.h.
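/*
 * NS_CERT_TYPE_* bit flags describing what a certificate may be used for.
 *
 * The flags at 0x80 and below are the ones that fit in the 8-bit NSS Cert
 * Type Extension. Their "bit N" labels count from the most significant bit
 * of that byte (0x80 is bit 0, 0x01 is bit 7). Flags above 0x80 cannot be
 * carried by the extension and exist only in the wider internal nsCertType
 * value.
 */
#define NS_CERT_TYPE_IPSEC_CA (0x200)         /* outside the NS Cert Type Extension */
#define NS_CERT_TYPE_IPSEC (0x100)            /* outside the NS Cert Type Extension */
#define NS_CERT_TYPE_SSL_CLIENT (0x80)        /* bit 0 */
#define NS_CERT_TYPE_SSL_SERVER (0x40)        /* bit 1 */
#define NS_CERT_TYPE_EMAIL (0x20)             /* bit 2 */
#define NS_CERT_TYPE_OBJECT_SIGNING (0x10)    /* bit 3 */
#define NS_CERT_TYPE_RESERVED (0x08)          /* bit 4 */
#define NS_CERT_TYPE_SSL_CA (0x04)            /* bit 5 */
#define NS_CERT_TYPE_EMAIL_CA (0x02)          /* bit 6 */
#define NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */

/* Both values are above 0x80, so they do not fit the 8-bit extension either. */
#define EXT_KEY_USAGE_TIME_STAMP (0x8000)
#define EXT_KEY_USAGE_STATUS_RESPONDER (0x4000)

/* Mask of the non-CA (application) usage flags. */
#define NS_CERT_TYPE_APP                                                   \
    (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
     NS_CERT_TYPE_IPSEC | NS_CERT_TYPE_OBJECT_SIGNING)

/*
 * Mask of the CA usage flags.
 * NOTE(review): this mask also contains EXT_KEY_USAGE_STATUS_RESPONDER, so
 * `type & NS_CERT_TYPE_CA` is non-zero for a certificate that carries only
 * the status-responder bit. Code that wants "is this a CA?" should confirm
 * that is the intended meaning before relying on the mask alone.
 */
#define NS_CERT_TYPE_CA                                                 \
    (NS_CERT_TYPE_SSL_CA | NS_CERT_TYPE_EMAIL_CA |                      \
     NS_CERT_TYPE_OBJECT_SIGNING_CA | EXT_KEY_USAGE_STATUS_RESPONDER | \
     NS_CERT_TYPE_IPSEC_CA)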
/*
 * Single-usage selector. The numeric values are spelled out explicitly;
 * in this listing each certificateUsage* flag equals 1 << the matching
 * SECCertUsage value (e.g. certUsageIPsec = 12, certificateUsageIPsec =
 * 0x1000), so the two sets have to be kept in step.
 */
typedef enum SECCertUsageEnum {
    certUsageSSLClient = 0,
    certUsageSSLServer = 1,
    certUsageSSLServerWithStepUp = 2,
    certUsageSSLCA = 3,
    certUsageEmailSigner = 4,
    certUsageEmailRecipient = 5,
    certUsageObjectSigner = 6,
    certUsageUserCertImport = 7,
    certUsageVerifyCA = 8,
    certUsageProtectedObjectSigner = 9,
    certUsageStatusResponder = 10,
    certUsageAnyCA = 11,
    certUsageIPsec = 12
} SECCertUsage;

/*
 * Integer type for usage bitfields; presumably holds a bitwise OR of the
 * certificateUsage* flags (confirm against the callers that take it).
 */
typedef PRInt64 SECCertificateUsage;
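/*
 * certificateUsage* flags: one bit per usage, so several usages can be
 * OR-ed together into one value.
 *
 * NOTE(review): certificateUsageCheckAllUsages is 0, i.e. no usage bit is
 * set. The name suggests it asks the verifier to evaluate every usage
 * rather than require a specific one. Confirm in lib/certhigh/certvfy.c
 * how the return status should be read in that case. A caller that passes
 * 0 should inspect the usages reported back instead of trusting the status
 * alone.
 */
#define certificateUsageCheckAllUsages (0x0000)
#define certificateUsageSSLClient (0x0001)
#define certificateUsageSSLServer (0x0002)
#define certificateUsageSSLServerWithStepUp (0x0004)
#define certificateUsageSSLCA (0x0008)
#define certificateUsageEmailSigner (0x0010)
#define certificateUsageEmailRecipient (0x0020)
#define certificateUsageObjectSigner (0x0040)
#define certificateUsageUserCertImport (0x0080)
#define certificateUsageVerifyCA (0x0100)
#define certificateUsageProtectedObjectSigner (0x0200)
#define certificateUsageStatusResponder (0x0400)
#define certificateUsageAnyCA (0x0800)
#define certificateUsageIPsec (0x1000)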
The cert_ComputeCertType() function
can be used to compute the certificate type/usage of a certificate.
See also lib/certdb/certdb.c.
The CERT_VerifyCertificate() function
can be used to verify whether a certificate is valid, trusted, and has the required usages.
See also lib/certhigh/certvfy.c.