4.4 Key Usage Extension Values

The X.509 key usage extension specifies the purposes for which a key may be used. When an application goes through the verification process, it typically checks that the key is not being used for a purpose it was not intended for.

The value of this extension is returned by NPKIT_x509KeyUsageInfo in a pointer to a nuint16, where each bit specifies a key usage. Any combination of key usages can be present, but not all combinations are appropriate, and not all usages are appropriate for all types of keys.

The following values for key usages are defined:

Value   Name                              Description
------  --------------------------------  --------------------------------------------------------------------------
0x8000  X509_KEY_USAGE_DIGITAL_SIGNATURE  For creating digital signatures.
0x4000  X509_KEY_USAGE_NON_REPUDIATION    For non-repudiation. This type of key usually has legal ramifications.
0x2000  X509_KEY_USAGE_KEY_ENCIPHERMENT   For encrypting other keys.
0x1000  X509_KEY_USAGE_DATA_ENCIPHERMENT  For directly encrypting data.
0x0800  X509_KEY_USAGE_KEY_AGREEMENT      For key agreement (for example, when a Diffie-Hellman key is to be used
                                          for key management). Not valid for RSA keys.
0x0400  X509_KEY_USAGE_KEY_CERT_SIGN      For signing certificates.
0x0200  X509_KEY_USAGE_CRL_SIGN           For signing CRLs.
0x0100  X509_KEY_USAGE_ENCIPHER_ONLY      Only for enciphering data while performing key agreement
                                          (X509_KEY_USAGE_KEY_AGREEMENT must also be set). Not valid for RSA keys.
0x0080  X509_KEY_USAGE_DECIPHER_ONLY      Only for deciphering data while performing key agreement
                                          (X509_KEY_USAGE_KEY_AGREEMENT must also be set). Not valid for RSA keys.
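The following C example, added here and not part of NPKIT itself, shows how an application can interpret the nuint16 returned by NPKIT_x509KeyUsageInfo: it applies the consistency rules stated in the table (the encipher/decipher-only bits require key agreement, the key-agreement bits are not valid for RSA keys) and performs the verification-time check that a key carries every usage an operation needs. It assumes nuint16 is an unsigned 16-bit integer; the bit values are exactly those in the table.

```c
#include <stdbool.h>
#include <stdint.h>

/* Bit values exactly as the table above defines them (the nuint16 returned
 * by NPKIT_x509KeyUsageInfo); 0x8000 is the first KeyUsage bit, digitalSignature. */
#define X509_KEY_USAGE_DIGITAL_SIGNATURE 0x8000
#define X509_KEY_USAGE_NON_REPUDIATION   0x4000
#define X509_KEY_USAGE_KEY_ENCIPHERMENT  0x2000
#define X509_KEY_USAGE_DATA_ENCIPHERMENT 0x1000
#define X509_KEY_USAGE_KEY_AGREEMENT     0x0800
#define X509_KEY_USAGE_KEY_CERT_SIGN     0x0400
#define X509_KEY_USAGE_CRL_SIGN          0x0200
#define X509_KEY_USAGE_ENCIPHER_ONLY     0x0100
#define X509_KEY_USAGE_DECIPHER_ONLY     0x0080

typedef uint16_t nuint16;  /* assumption: NPKIT's nuint16 is an unsigned 16-bit integer */

/* Bits that only make sense for key-agreement keys; the table marks all three
 * as not valid for RSA keys. */
#define KEY_AGREEMENT_FAMILY (X509_KEY_USAGE_KEY_AGREEMENT | \
                              X509_KEY_USAGE_ENCIPHER_ONLY | X509_KEY_USAGE_DECIPHER_ONLY)

/* Applies the consistency rules the table states: encipherOnly/decipherOnly
 * require keyAgreement, the key-agreement family is invalid on an RSA key,
 * and bits the table does not define (0x007F) are rejected. */
bool keyusage_is_consistent(nuint16 usage, bool is_rsa_key)
{
    if (usage & 0x007F)
        return false;
    if ((usage & (X509_KEY_USAGE_ENCIPHER_ONLY | X509_KEY_USAGE_DECIPHER_ONLY)) &&
        !(usage & X509_KEY_USAGE_KEY_AGREEMENT))
        return false;
    if (is_rsa_key && (usage & KEY_AGREEMENT_FAMILY))
        return false;
    return true;
}

/* The check an application makes during verification: every bit the intended
 * operation needs must be present in the certificate's key usage word. */
bool keyusage_permits(nuint16 usage, nuint16 required)
{
    return (usage & required) == required;
}
```

A certificate whose usage word fails keyusage_is_consistent should be treated as malformed rather than partially trusted, and keyusage_permits should be called with the full set of bits the operation needs (for example both KEY_CERT_SIGN and CRL_SIGN for a CA that issues CRLs).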