projects / thirdparty / openssl.git / blame
| Commit | Line | Data |
|---|---|---|
| eacd30a7 JM |
1 | =pod |
| 2 | ||
| 3 | =head1 NAME | |
| 4 | ||
| 5 | X509_check_purpose - Check the purpose of a certificate | |
| 6 | ||
| 7 | =head1 SYNOPSIS | |
| 8 | ||
| 9 | #include <openssl/x509v3.h> | |
| 10 | ||
| f64f17c3 | 11 | int X509_check_purpose(X509 *x, int id, int ca); |
| eacd30a7 JM |
12 | |
| 13 | =head1 DESCRIPTION | |
| 14 | ||
| 15 | This function checks if certificate I<x> was created with the purpose | |
| 16 | represented by I<id>. If I<ca> is nonzero, then certificate I<x> is | |
| 17 | checked to determine if it's a possible CA with various levels of certainty | |
| 54c0480d TM |
18 | possibly returned. The certificate I<x> must be a complete certificate |
| 19 | otherwise the function returns an error. | |
| eacd30a7 JM |
20 | |
| 21 | Below are the potential ID's that can be checked: | |
| 22 | ||
| 23 | # define X509_PURPOSE_SSL_CLIENT 1 | |
| 24 | # define X509_PURPOSE_SSL_SERVER 2 | |
| 25 | # define X509_PURPOSE_NS_SSL_SERVER 3 | |
| 26 | # define X509_PURPOSE_SMIME_SIGN 4 | |
| 27 | # define X509_PURPOSE_SMIME_ENCRYPT 5 | |
| 28 | # define X509_PURPOSE_CRL_SIGN 6 | |
| 29 | # define X509_PURPOSE_ANY 7 | |
| 30 | # define X509_PURPOSE_OCSP_HELPER 8 | |
| 31 | # define X509_PURPOSE_TIMESTAMP_SIGN 9 | |
| 32 | ||
| 4acda863 DDO |
33 | The checks performed take into account the X.509 extensions |
| 34 | keyUsage, extendedKeyUsage, and basicConstraints. | |
| 35 | ||
| eacd30a7 JM |
36 | =head1 RETURN VALUES |
| 37 | ||
| 38 | For non-CA checks | |
| 39 | ||
| 40 | =over 4 | |
| 41 | ||
| 8c1cbc72 | 42 | =item -1 an error condition has occurred |
| eacd30a7 JM |
43 | |
| 44 | =item E<32>1 if the certificate was created to perform the purpose represented by I<id> | |
| 45 | ||
| 46 | =item E<32>0 if the certificate was not created to perform the purpose represented by I<id> | |
| 47 | ||
| 48 | =back | |
| 49 | ||
| 50 | For CA checks the below integers could be returned with the following meanings: | |
| 51 | ||
| 52 | =over 4 | |
| 53 | ||
| 8c1cbc72 | 54 | =item -1 an error condition has occurred |
| eacd30a7 JM |
55 | |
| 56 | =item E<32>0 not a CA or does not have the purpose represented by I<id> | |
| 57 | ||
| 58 | =item E<32>1 is a CA. | |
| 59 | ||
| 60 | =item E<32>2 Only possible in old versions of openSSL when basicConstraints are absent. | |
| 61 | New versions will not return this value. May be a CA | |
| 62 | ||
| 63 | =item E<32>3 basicConstraints absent but self signed V1. | |
| 64 | ||
| 65 | =item E<32>4 basicConstraints absent but keyUsage present and keyCertSign asserted. | |
| 66 | ||
| 67 | =item E<32>5 legacy Netscape specific CA Flags present | |
| 68 | ||
| 69 | =back | |
| 70 | ||
| 71 | =head1 COPYRIGHT | |
| 72 | ||
| 54b40531 | 73 | Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. |
| eacd30a7 JM |
74 | Licensed under the Apache License 2.0 (the "License"). You may not use this |
| 75 | file except in compliance with the License. You can obtain a copy in the file | |
| 76 | LICENSE in the source distribution or at L<https://www.openssl.org/source/license.html>. | |
| 77 | ||
| 78 | =cut |