What is the procedure to validate an arbitrary extended key usage (EKU) with NSS?

Suppose that one has an application built on NSS, where certificates can be used if they have the extended key usage (EKU) 1.2.3.4.5.999999.

The API calls CERT_VerifyCertificate and CERT_PKIXVerifyCert expect a SECCertificateUsage argument to be passed to them. This argument can be one or possibly more of a very small set of enumerated items such as SSL client and SSL server, defined in certt.h. There is evidence that CERT_PKIXVerifyCert has some code floating around in it (namely in functions such as cert_NssCertificateUsageToPkixKUAndEKU and PKIX_EkuChecker_Create) where arbitrary EKUs were at least considered, but it also looks like these code paths were never hooked up to the main CERT_PKIXVerifyCert algorithm.

If validating an arbitrary EKU is not possible, what is the procedure to validate a certificate for "any usage", so that the application can then whittle down the chains as it sees fit after candidate chain(s) are returned?

Sean
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
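For the "whittle down the chains as it sees fit" step, here is an added example (not from the poster, nor NSS code) of checking a DER-encoded ExtendedKeyUsage value for an arbitrary OID such as 1.2.3.4.5.999999. It assumes the application has already pulled the raw extnValue bytes out of each candidate end-entity certificate (for instance with CERT_FindCertExtension and SEC_OID_X509_EXT_KEY_USAGE); the EKU bytes below are constructed for the example so it runs without NSS.

```c
/* Added example: does a DER ExtendedKeyUsage value (SEQUENCE OF OBJECT
 * IDENTIFIER, i.e. the extnValue content) contain a given OID? Works on raw
 * bytes; in an NSS application they would come from the cert's EKU extension. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a DER length (short or long form) at in[*pos]; 0 on malformed input. */
static int der_len(const uint8_t *in, size_t n, size_t *pos, size_t *len) {
    if (*pos >= n) return 0;
    uint8_t b = in[(*pos)++];
    if (b < 0x80) { *len = b; return 1; }
    size_t nb = b & 0x7F;
    if (nb == 0 || nb > sizeof(size_t) || *pos + nb > n) return 0;
    *len = 0;
    while (nb--) *len = (*len << 8) | in[(*pos)++];
    return 1;
}

/* 1 if the SEQUENCE holds an OID whose encoded content equals oid[0..oid_len),
 * 0 if it does not, -1 if the encoding is malformed (treat as "not present"). */
int eku_contains_oid(const uint8_t *eku, size_t eku_len,
                     const uint8_t *oid, size_t oid_len) {
    size_t pos = 0, seq_len, l;
    if (eku_len == 0 || eku[pos++] != 0x30) return -1;          /* SEQUENCE tag   */
    if (!der_len(eku, eku_len, &pos, &seq_len) || pos + seq_len != eku_len) return -1;
    while (pos < eku_len) {
        if (eku[pos++] != 0x06) return -1;                       /* OID tag        */
        if (!der_len(eku, eku_len, &pos, &l) || pos + l > eku_len) return -1;
        if (l == oid_len && memcmp(eku + pos, oid, l) == 0) return 1;
        pos += l;
    }
    return 0;
}

/* Constructed sample: SEQUENCE { id-kp-serverAuth, 1.2.3.4.5.999999 } */
static const uint8_t SAMPLE_EKU[] = {
    0x30, 0x13, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
    0x06, 0x07, 0x2A, 0x03, 0x04, 0x05, 0xBD, 0x84, 0x3F };
/* 1.2.3.4.5.999999: 999999 = 0x3D<<14 | 0x04<<7 | 0x3F -> BD 84 3F */
static const uint8_t OID_CUSTOM[]      = { 0x2A, 0x03, 0x04, 0x05, 0xBD, 0x84, 0x3F };
static const uint8_t OID_CLIENT_AUTH[] = { 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02 };

int sample_has_custom_eku(void)  { return eku_contains_oid(SAMPLE_EKU, sizeof SAMPLE_EKU, OID_CUSTOM, sizeof OID_CUSTOM); }
int sample_has_client_auth(void) { return eku_contains_oid(SAMPLE_EKU, sizeof SAMPLE_EKU, OID_CLIENT_AUTH, sizeof OID_CLIENT_AUTH); }

int main(void) {
    printf("custom EKU: %d, clientAuth: %d\n", sample_has_custom_eku(), sample_has_client_auth());
    return 0;
}
```

Run it over the leaf of each chain the verifier returns and keep only chains whose leaf yields 1; a -1 result should be rejected, not ignored.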