| 1 | =pod
|
|---|
| 2 |
|
|---|
| 3 | =head1 NAME
|
|---|
| 4 |
|
|---|
| 5 | X509_check_purpose - Check the purpose of a certificate
|
|---|
| 6 |
|
|---|
| 7 | =head1 SYNOPSIS
|
|---|
| 8 |
|
|---|
| 9 | #include <openssl/x509v3.h>
|
|---|
| 10 |
|
|---|
| 11 | int X509_check_purpose(X509 *x, int id, int ca);
|
|---|
| 12 |
|
|---|
| 13 | =head1 DESCRIPTION
|
|---|
| 14 |
|
|---|
| 15 | This function checks if certificate I<x> was created with the purpose
|
|---|
| 16 | represented by I<id>. If I<ca> is nonzero, then certificate I<x> is
|
|---|
| 17 | checked to determine if it's a possible CA with various levels of certainty
|
|---|
| 18 | possibly returned. The certificate I<x> must be a complete certificate
|
|---|
| 19 | otherwise the function returns an error.
|
|---|
| 20 |
|
|---|
| 21 | Below are the potential ID's that can be checked:
|
|---|
| 22 |
|
|---|
| 23 | # define X509_PURPOSE_SSL_CLIENT 1
|
|---|
| 24 | # define X509_PURPOSE_SSL_SERVER 2
|
|---|
| 25 | # define X509_PURPOSE_NS_SSL_SERVER 3
|
|---|
| 26 | # define X509_PURPOSE_SMIME_SIGN 4
|
|---|
| 27 | # define X509_PURPOSE_SMIME_ENCRYPT 5
|
|---|
| 28 | # define X509_PURPOSE_CRL_SIGN 6
|
|---|
| 29 | # define X509_PURPOSE_ANY 7
|
|---|
| 30 | # define X509_PURPOSE_OCSP_HELPER 8
|
|---|
| 31 | # define X509_PURPOSE_TIMESTAMP_SIGN 9
|
|---|
| 32 | # define X509_PURPOSE_CODE_SIGN 10
|
|---|
| 33 |
|
|---|
| 34 | The checks performed take into account the X.509 extensions
|
|---|
| 35 | keyUsage, extendedKeyUsage, and basicConstraints.
|
|---|
| 36 |
|
|---|
| 37 | =head1 RETURN VALUES
|
|---|
| 38 |
|
|---|
| 39 | For non-CA checks
|
|---|
| 40 |
|
|---|
| 41 | =over 4
|
|---|
| 42 |
|
|---|
| 43 | =item -1 an error condition has occurred
|
|---|
| 44 |
|
|---|
| 45 | =item E<32>1 if the certificate was created to perform the purpose represented by I<id>
|
|---|
| 46 |
|
|---|
| 47 | =item E<32>0 if the certificate was not created to perform the purpose represented by I<id>
|
|---|
| 48 |
|
|---|
| 49 | =back
|
|---|
| 50 |
|
|---|
| 51 | For CA checks the below integers could be returned with the following meanings:
|
|---|
| 52 |
|
|---|
| 53 | =over 4
|
|---|
| 54 |
|
|---|
| 55 | =item -1 an error condition has occurred
|
|---|
| 56 |
|
|---|
| 57 | =item E<32>0 not a CA or does not have the purpose represented by I<id>
|
|---|
| 58 |
|
|---|
| 59 | =item E<32>1 is a CA.
|
|---|
| 60 |
|
|---|
| 61 | =item E<32>2 Only possible in old versions of openSSL when basicConstraints are absent.
|
|---|
| 62 | New versions will not return this value. May be a CA
|
|---|
| 63 |
|
|---|
| 64 | =item E<32>3 basicConstraints absent but self signed V1.
|
|---|
| 65 |
|
|---|
| 66 | =item E<32>4 basicConstraints absent but keyUsage present and keyCertSign asserted.
|
|---|
| 67 |
|
|---|
| 68 | =item E<32>5 legacy Netscape specific CA Flags present
|
|---|
| 69 |
|
|---|
| 70 | =back
|
|---|
| 71 |
|
|---|
| 72 | =head1 COPYRIGHT
|
|---|
| 73 |
|
|---|
| 74 | Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
|---|
| 75 | Licensed under the Apache License 2.0 (the "License"). You may not use this
|
|---|
| 76 | file except in compliance with the License. You can obtain a copy in the file
|
|---|
| 77 | LICENSE in the source distribution or at L<https://www.openssl.org/source/license.html>.
|
|---|
| 78 |
|
|---|
| 79 | =cut
|
|---|
