x509smime

How to interpret the properties of an S/MIME certificate?


When parsing an S/MIME certificate, there are a lot of variations and possible combinations, especially of the Key Usage and Extended Key Usage fields. It's not easy to understand what exactly they mean, how they mutually influence their meanings, and in what order to interpret them best.

How to interpret these properly in order to determine if the certificate can be used for encrypting or signing emails or both?


Solution

  • After much research, I've finally determined the following decision matrix of how to properly interpret an S/MIME certificate's properties:

    Case                                                      a  b  c  d  e  f  g
    Extension Extended Key Usage exists?                      Y  -  -  -  -  -  -
    Extension Extended Key Usage marked critical?             Y  -  -  -  -  -  -
    Extended Key Usage has value Email (1.3.6.1.5.5.7.3.4)?   N  -  -  -  -  -  -
    Extension Key Usage exists?                               -  Y  Y  Y  Y  Y  N
    Extension Key Usage marked critical?                      -  Y  Y  Y  Y  N  -
    Key Usage has value keyEncipherment?                      -  Y  Y  N  N  -  -
    Key Usage has value digitalSignature?                     -  Y  N  Y  N  -  -
    → Certificate can be used to encrypt                         x  x        x  x
    → Certificate can be used to sign                            x     x     x  x

    How to read the decision table

    Just in case you are not familiar with decision tables, this is how to read it:

    1. start with case a
    2. go down to the first Y or N value (dashes mean not relevant)
    3. check the condition (question and answer)
    4. if it is true, continue down vertically
    5. if it is false, continue to the right horizontally
    6. repeat until all conditions are true
    7. go down in the same column to see the results

    Example

    Case a in pseudocode (the Extended Key Usage extension is present and critical, but does not list the Email purpose):

    if exists(ExtensionExtendedKeyUsage) and isExtensionExtendedKeyUsageCritical == true and not contains(ExtendedKeyUsageValues, "1.3.6.1.5.5.7.3.4")
        useForEncryption = false
        useForSigning = false
    end-if
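The whole decision table (cases a to g, not only case a) as runnable Python, added here as an illustration and not part of the original answer. The `CertUsageInfo` record is an assumed summary of the two extensions, meant to be filled in from whatever X.509 parser you use; the inputs in `table_cases()` are constructed, one per column of the table.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# id-kp-emailProtection, the Extended Key Usage OID for S/MIME
EKU_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"


@dataclass(frozen=True)
class CertUsageInfo:
    """Assumed summary of one certificate's extensions, filled in from a parser."""
    eku_present: bool = False               # Extended Key Usage extension exists?
    eku_critical: bool = False              # ... and is marked critical?
    eku_oids: FrozenSet[str] = frozenset()  # OIDs listed in Extended Key Usage
    ku_present: bool = False                # Key Usage extension exists?
    ku_critical: bool = False               # ... and is marked critical?
    key_encipherment: bool = False          # Key Usage bit keyEncipherment set?
    digital_signature: bool = False         # Key Usage bit digitalSignature set?


def smime_capabilities(info: CertUsageInfo) -> Tuple[bool, bool]:
    """Walk the decision table top-down; returns (can_encrypt, can_sign)."""
    # Case a: a critical EKU that omits emailProtection rules the cert out for S/MIME.
    if info.eku_present and info.eku_critical and EKU_EMAIL_PROTECTION not in info.eku_oids:
        return (False, False)
    # Cases b-e: a critical Key Usage limits the cert to the bits that are actually set.
    if info.ku_present and info.ku_critical:
        return (info.key_encipherment, info.digital_signature)
    # Cases f and g: a non-critical or absent Key Usage imposes no restriction.
    return (True, True)


def table_cases() -> Dict[str, Tuple[bool, bool]]:
    """Constructed inputs, one per column of the table, evaluated through the rule."""
    cases = {
        "a": CertUsageInfo(eku_present=True, eku_critical=True,
                           eku_oids=frozenset({"1.3.6.1.5.5.7.3.1"})),  # serverAuth only
        "b": CertUsageInfo(ku_present=True, ku_critical=True,
                           key_encipherment=True, digital_signature=True),
        "c": CertUsageInfo(ku_present=True, ku_critical=True, key_encipherment=True),
        "d": CertUsageInfo(ku_present=True, ku_critical=True, digital_signature=True),
        "e": CertUsageInfo(ku_present=True, ku_critical=True),
        "f": CertUsageInfo(ku_present=True, ku_critical=False, digital_signature=True),
        "g": CertUsageInfo(ku_present=False),
    }
    return {name: smime_capabilities(info) for name, info in cases.items()}


if __name__ == "__main__":
    for name, (enc, sig) in table_cases().items():
        print(f"case {name}: encrypt={enc} sign={sig}")
```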