Commit | Line | Data |
---|---|---|
eacd30a7 JM |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
5 | X509_check_purpose - Check the purpose of a certificate | |
6 | ||
7 | =head1 SYNOPSIS | |
8 | ||
9 | #include <openssl/x509v3.h> | |
10 | ||
f64f17c3 | 11 | int X509_check_purpose(X509 *x, int id, int ca); |
eacd30a7 JM |
12 | |
13 | =head1 DESCRIPTION | |
14 | ||
15 | This function checks if certificate I<x> was created with the purpose | |
16 | represented by I<id>. If I<ca> is nonzero, then certificate I<x> is | |
17 | checked to determine whether it is a possible CA; the return value then | |
54c0480d TM |
18 | indicates the level of certainty. The certificate I<x> must be a complete certificate; |
19 | otherwise the function returns an error. | |
eacd30a7 JM |
20 | |
21 | Below are the potential IDs that can be checked: | |
22 | ||
23 | # define X509_PURPOSE_SSL_CLIENT 1 | |
24 | # define X509_PURPOSE_SSL_SERVER 2 | |
25 | # define X509_PURPOSE_NS_SSL_SERVER 3 | |
26 | # define X509_PURPOSE_SMIME_SIGN 4 | |
27 | # define X509_PURPOSE_SMIME_ENCRYPT 5 | |
28 | # define X509_PURPOSE_CRL_SIGN 6 | |
29 | # define X509_PURPOSE_ANY 7 | |
30 | # define X509_PURPOSE_OCSP_HELPER 8 | |
31 | # define X509_PURPOSE_TIMESTAMP_SIGN 9 | |
32 | ||
4acda863 DDO |
33 | The checks performed take into account the X.509 extensions |
34 | keyUsage, extendedKeyUsage, and basicConstraints. | |
35 | ||
eacd30a7 JM |
36 | =head1 RETURN VALUES |
37 | ||
38 | For non-CA checks | |
39 | ||
40 | =over 4 | |
41 | ||
8c1cbc72 | 42 | =item -1 an error condition has occurred |
eacd30a7 JM |
43 | |
44 | =item E<32>1 if the certificate was created to perform the purpose represented by I<id> | |
45 | ||
46 | =item E<32>0 if the certificate was not created to perform the purpose represented by I<id> | |
47 | ||
48 | =back | |
49 | ||
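50 | For CA checks the integers below can be returned. Note that -1 (error) is nonzero and that values greater than 1 denote a CA determination made with less certainty (for example, with basicConstraints absent), so callers should compare the result against specific values rather than treat any nonzero result as success: | |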
51 | ||
52 | =over 4 | |
53 | ||
8c1cbc72 | 54 | =item -1 an error condition has occurred |
eacd30a7 JM |
55 | |
56 | =item E<32>0 not a CA or does not have the purpose represented by I<id> | |
57 | ||
58 | =item E<32>1 is a CA. | |
59 | ||
60 | =item E<32>2 May be a CA. Only possible in old versions of OpenSSL when basicConstraints are absent. | |
61 | New versions will not return this value. | |
62 | ||
63 | =item E<32>3 basicConstraints absent but self signed V1. | |
64 | ||
65 | =item E<32>4 basicConstraints absent but keyUsage present and keyCertSign asserted. | |
66 | ||
67 | =item E<32>5 legacy Netscape specific CA Flags present | |
68 | ||
69 | =back | |
70 | ||
71 | =head1 COPYRIGHT | |
72 | ||
54b40531 | 73 | Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. |
eacd30a7 JM |
74 | Licensed under the Apache License 2.0 (the "License"). You may not use this |
75 | file except in compliance with the License. You can obtain a copy in the file | |
76 | LICENSE in the source distribution or at L<https://www.openssl.org/source/license.html>. | |
77 | ||
78 | =cut |