David Stutzman wrote:
Julien Pierre wrote:
What purpose are you using the digital signatures for in your
application? That may help determine the right usage to check.
A blob of data will be signed and sent out over a network to another
system running the same application and the signature will need to be
verified on the other end. It has nothing to do with S/MIME and email.
That's why I wasn't sure if "email signing" was the right usage to
check. Object signing is more like code signing, right?
Here's some certutil -L output for the cert I am playing with here:
            Signed Extensions:
                Name: Certificate Key Usage
                Critical: True
                Usages: Digital Signature
                        Non-Repudiation

                Name: Certificate Type
                Critical: True
                Data: <SSL Client,SSL Server>
I tested the certificate with the usages above passing in both
certificateUsageEmailSigner and certificateUsageObjectSigner to
CERT_VerifyCertificate and got a -8101 (SEC_ERROR_INADEQUATE_CERT_TYPE)
both times.
Is it OK to ignore cert usage and just look at the raw key usages myself
and require that digital signature and non-repudiation be present, or am
I just beating the dead horse with the stick here and really should be
using either an email signing cert or an object signing cert? Again, I
just need to sign an arbitrary blob of input data that is passed in and
pass it back to the caller, and it's not being used for email.
Dave
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
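The two checks the post contrasts, as an added example that is not part of the thread, of NSS or of certutil: decoding the keyUsage and Netscape cert-type extensions from DER with a small stdlib-only parser, then (a) the "raw key usage" test Dave proposes and (b) a usage check modelled on how a usage value handed to CERT_VerifyCertificate is turned into a required key-usage bit plus a required cert-type bit. The DER bytes are constructed by hand to match the certutil -L output quoted above; the usage-to-requirement table (USAGE_REQUIREMENTS) is my reading of NSS behaviour and is an assumption, not NSS code.

```python
# Added example, not code from the thread, from NSS or from certutil.
# Decodes the keyUsage (2.5.29.15) and Netscape cert-type
# (2.16.840.1.113730.1.1) extensions from DER and applies two checks:
# the raw key-usage test from the post, and a usage check modelled on
# NSS's "required key usage + required cert type" rule (an assumption).

OID_KEY_USAGE = "2.5.29.15"
OID_NS_CERT_TYPE = "2.16.840.1.113730.1.1"

# Bit positions of the keyUsage BIT STRING (RFC 5280, section 4.2.1.3).
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
           "encipherOnly", "decipherOnly"]
# Bit positions of the Netscape cert-type BIT STRING.
NSCT_BITS = ["sslClient", "sslServer", "email", "objectSigning",
             "reserved", "sslCA", "emailCA", "objectSigningCA"]

# Constructed sample: an X.509 Extensions SEQUENCE holding exactly the two
# critical extensions shown in the post. The BIT STRING 03 02 06 c0 has
# 6 unused bits, so only bits 0 and 1 are set.
SAMPLE_EXTENSIONS_DER = bytes.fromhex(
    "3026"                                                    # SEQUENCE OF Extension
    "300e" "0603551d0f" "0101ff" "0404030206c0"               # keyUsage: DS | NR
    "3014" "06096086480186f8420101" "0101ff" "0404030206c0"   # nsCertType: client | server
)

# Assumed mapping (my reading of NSS, not NSS code): each usage demands
# one keyUsage bit and one cert-type bit.
USAGE_REQUIREMENTS = {
    "certificateUsageEmailSigner":  ("digitalSignature", "email"),
    "certificateUsageObjectSigner": ("digitalSignature", "objectSigning"),
    "certificateUsageSSLClient":    ("digitalSignature", "sslClient"),
}


def read_tlv(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, content_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode OID content octets to dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_bitstring(raw):
    """Return the set of bit indices (bit 0 = MSB of first byte) set in a BIT STRING."""
    unused = raw[0]
    nbits = (len(raw) - 1) * 8 - unused
    return {i for i in range(nbits) if raw[1 + i // 8] & (0x80 >> (i % 8))}


def parse_extensions(der):
    """Parse an Extensions SEQUENCE into {oid: (critical, set_of_bit_names)}."""
    tag, body, _ = read_tlv(der)
    assert tag == 0x30, "expected SEQUENCE"
    result, pos = {}, 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)   # one Extension SEQUENCE
        _, oid_raw, p = read_tlv(ext)
        oid = decode_oid(oid_raw)
        t, val, p = read_tlv(ext, p)
        critical = False
        if t == 0x01:                       # optional BOOLEAN critical
            critical = val != b"\x00"
            _, val, p = read_tlv(ext, p)    # OCTET STRING extnValue
        if oid == OID_KEY_USAGE:
            names = KU_BITS
        elif oid == OID_NS_CERT_TYPE:
            names = NSCT_BITS
        else:
            continue                        # other extensions not needed here
        _, inner, _ = read_tlv(val)         # BIT STRING inside the OCTET STRING
        bits = decode_bitstring(inner)
        result[oid] = (critical, {names[i] for i in bits if i < len(names)})
    return result


def has_signature_key_usage(exts):
    """The raw check from the post: digitalSignature and nonRepudiation both set."""
    ku = exts.get(OID_KEY_USAGE, (False, set()))[1]
    return {"digitalSignature", "nonRepudiation"} <= ku


def check_usage(exts, usage):
    """Return None if the cert satisfies the usage, else an NSS-style error name.

    A missing extension is treated as unconstrained (a simplification; NSS
    derives a default cert type from other extensions when nsCertType is absent).
    """
    ku_required, type_required = USAGE_REQUIREMENTS[usage]
    ku = exts.get(OID_KEY_USAGE, (False, set()))[1]
    if ku and ku_required not in ku:
        return "SEC_ERROR_INADEQUATE_KEY_USAGE"
    cert_type = exts.get(OID_NS_CERT_TYPE, (False, set()))[1]
    if cert_type and type_required not in cert_type:
        return "SEC_ERROR_INADEQUATE_CERT_TYPE"
    return None


if __name__ == "__main__":
    exts = parse_extensions(SAMPLE_EXTENSIONS_DER)
    print("raw key usage OK:", has_signature_key_usage(exts))
    for usage in USAGE_REQUIREMENTS:
        print(usage, "->", check_usage(exts, usage) or "OK")
```

Run on the constructed sample, the raw key-usage check passes (both bits are present), while the email-signer and object-signer usages fail on the cert-type step rather than the key-usage step, which is the behaviour the post reports: the key-usage bits are fine, but a <SSL Client,SSL Server> cert type carries neither the email nor the object-signing type that those usages require.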