On 08/13/2011 12:30 PM, Sean Leonard wrote:
> On 7/29/2011 2:21 AM, Sean Leonard wrote:
>> What is the procedure to validate an arbitrary extended key usage (EKU)
>> with NSS?
>>
>> Suppose that one has an application built on NSS, where certificates can
>> be used if they have the extended key usage (EKU) 1.2.3.4.5.999999.
>>
>> The API calls CERT_VerifyCertificate and CERT_PKIXVerifyCert expect a
>> SECCertificateUsage argument to be passed to them.

No, there's no way to dynamically extend SECCertificateUsage currently.

>> This argument can be
>> one or possibly more of a very small set of enumerated items such as SSL
>> client and SSL server, defined in certt.h. There is evidence that
>> CERT_PKIXVerifyCert has some code floating around in it (namely in
>> functions such as cert_NssCertificateUsageToPkixKUAndEKU and
>> PKIX_EkuChecker_Create) where arbitrary EKUs were at least considered,
>> but it also looks like these code paths were never hooked up to the main
>> CERT_PKIXVerifyCert algorithm.

Without refreshing my memory by looking at the code, I suspect your evaluation is correct. I don't think a patch that corrects this issue would be looked on unfavorably. I think we just haven't needed to dynamically add additional EKUs yet. CERT_PKIXVerifyCert has the ability to take on new parameter types without changing its signature, so it could be a fixable problem...

NOTE: our current usages don't always map to EKU; some certificates get implicit usages.

>>
>> If validating an arbitrary EKU is not possible, what is the procedure to
>> validate a certificate for "any usage", so that the application can then
>> whittle down the chains as it sees fit after candidate chain(s) are
>> returned?

certificateUsageCheckAllUsages will verify the cert against all the possible usages and return the usages it found. It doesn't look like we have a generic 'Any' usage.

bob

>>
>> Sean
>
> *Bump*
>
> Anybody?
>
> -Sean
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
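Bob's suggestion (verify with certificateUsageCheckAllUsages, then let the application narrow the result) leaves the EKU check itself to the caller. The following is an added example, not code from this thread or from NSS, of that application-side step: given the raw extKeyUsage extension value (in NSS the bytes that CERT_FindCertExtension(cert, SEC_OID_X509_EXT_KEY_USAGE, &item) places in item.data), it walks the DER SEQUENCE OF OBJECT IDENTIFIER and reports whether a dotted-decimal OID such as 1.2.3.4.5.999999 is present. The DER decoding is written inline so the example compiles and runs without NSS; the SAMPLE_EKU bytes and the function names are constructed for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a DER length field at p (short or long form). Returns the number of
 * bytes consumed, or 0 if the field is indefinite, oversized or truncated. */
static size_t der_len(const uint8_t *p, size_t avail, size_t *len_out)
{
    size_t n, i, len = 0;
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *len_out = p[0]; return 1; }
    n = p[0] & 0x7f;
    if (n == 0 || n > sizeof(size_t) || avail < 1 + n) return 0;
    for (i = 0; i < n; i++) len = (len << 8) | p[1 + i];
    *len_out = len;
    return 1 + n;
}

/* Read one base-128 subidentifier starting at p[*i]. Rejects truncated
 * encodings and values that would overflow an unsigned long. */
static int read_subid(const uint8_t *p, size_t len, size_t *i, unsigned long *v)
{
    unsigned long acc = 0;
    while (*i < len) {
        uint8_t b = p[(*i)++];
        if (acc > (ULONG_MAX >> 7)) return -1;
        acc = (acc << 7) | (b & 0x7f);
        if (!(b & 0x80)) { *v = acc; return 0; }
    }
    return -1;
}

/* Render the content bytes of a DER OBJECT IDENTIFIER as dotted decimal. */
static int oid_to_dotted(const uint8_t *p, size_t len, char *out, size_t outsz)
{
    size_t i = 0, pos;
    unsigned long v, first, second;
    int n;
    if (read_subid(p, len, &i, &v) != 0) return -1;
    first = v < 80 ? v / 40 : 2;   /* the first two arcs are packed as 40*X+Y */
    second = v - first * 40;
    n = snprintf(out, outsz, "%lu.%lu", first, second);
    if (n < 0 || (size_t)n >= outsz) return -1;
    pos = (size_t)n;
    while (i < len) {
        if (read_subid(p, len, &i, &v) != 0) return -1;
        n = snprintf(out + pos, outsz - pos, ".%lu", v);
        if (n < 0 || (size_t)n >= outsz - pos) return -1;
        pos += (size_t)n;
    }
    return 0;
}

/* Walk ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId and report whether
 * `wanted` (dotted decimal) is present. Returns 1 if found, 0 if absent, -1 if
 * the encoding is malformed (treat -1 as a failure, never as "unrestricted"). */
int eku_contains(const uint8_t *ext, size_t ext_len, const char *wanted)
{
    size_t hdr, seq_len;
    const uint8_t *p, *end;
    int found = 0;
    if (ext_len < 2 || ext[0] != 0x30) return -1;            /* SEQUENCE tag */
    hdr = der_len(ext + 1, ext_len - 1, &seq_len);
    if (hdr == 0 || 1 + hdr + seq_len != ext_len) return -1; /* short or trailing data */
    p = ext + 1 + hdr;
    end = p + seq_len;
    while (p < end) {
        size_t h, oid_len;
        char dotted[128];
        if (*p != 0x06) return -1;                            /* OBJECT IDENTIFIER tag */
        h = der_len(p + 1, (size_t)(end - p - 1), &oid_len);
        if (h == 0 || oid_len > (size_t)(end - p - 1 - h)) return -1;
        if (oid_to_dotted(p + 1 + h, oid_len, dotted, sizeof dotted) != 0) return -1;
        if (strcmp(dotted, wanted) == 0) found = 1;
        p += 1 + h + oid_len;
    }
    return found;
}

/* Constructed sample: an extKeyUsage value carrying id-kp-serverAuth
 * (1.3.6.1.5.5.7.3.1) and the private-arc OID 1.2.3.4.5.999999 from the thread. */
const uint8_t SAMPLE_EKU[] = {
    0x30, 0x13,
    0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01,
    0x06, 0x07, 0x2A, 0x03, 0x04, 0x05, 0xBD, 0x84, 0x3F
};

/* Constructed malformed sample: the inner OID claims more bytes than remain. */
const uint8_t SAMPLE_EKU_TRUNCATED[] = { 0x30, 0x03, 0x06, 0x02, 0x2A };

int main(void)
{
    const char *want = "1.2.3.4.5.999999";
    int r = eku_contains(SAMPLE_EKU, sizeof SAMPLE_EKU, want);
    int t = eku_contains(SAMPLE_EKU_TRUNCATED, sizeof SAMPLE_EKU_TRUNCATED, want);
    printf("EKU %s: %s\n", want, r == 1 ? "present" : r == 0 ? "absent" : "malformed");
    printf("truncated sample: %s\n", t == -1 ? "rejected" : "accepted");
    return r == 1 ? 0 : 1;
}
```

Run this against the extension value of each chain element your policy cares about, after CERT_VerifyCertificate or CERT_PKIXVerifyCert has already established the chain. A return of -1 means the extension did not decode and the certificate should be rejected; a return of 0 means the OID is absent. A certificate with no extKeyUsage extension at all is a separate policy decision, since RFC 5280 places no usage restriction on such a certificate, so an application that requires its private EKU has to treat the missing extension as a failure explicitly.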