X509_check_purpose.3ossl - Man Page

Check the purpose of a certificate

Synopsis

 #include <openssl/x509v3.h>

 int X509_check_purpose(X509 *x, int id, int ca);

Description

This function checks whether certificate x was created with the purpose represented by id. If ca is nonzero, certificate x is instead checked to determine whether it is a possible CA, and the return value indicates the level of certainty. The certificate x must be a complete certificate; otherwise the function returns an error.

The purpose IDs that can be checked are:

 # define X509_PURPOSE_SSL_CLIENT        1
 # define X509_PURPOSE_SSL_SERVER        2
 # define X509_PURPOSE_NS_SSL_SERVER     3
 # define X509_PURPOSE_SMIME_SIGN        4
 # define X509_PURPOSE_SMIME_ENCRYPT     5
 # define X509_PURPOSE_CRL_SIGN          6
 # define X509_PURPOSE_ANY               7
 # define X509_PURPOSE_OCSP_HELPER       8
 # define X509_PURPOSE_TIMESTAMP_SIGN    9
 # define X509_PURPOSE_CODE_SIGN        10

The checks performed take into account the X.509 extensions keyUsage, extendedKeyUsage, and basicConstraints.

Return Values

For non-CA checks (ca is zero) the following values can be returned:

-1 an error condition has occurred

1 if the certificate was created to perform the purpose represented by id

0 if the certificate was not created to perform the purpose represented by id

For CA checks the below integers could be returned with the following meanings:

-1 an error condition has occurred

0 not a CA or does not have the purpose represented by id

1 is a CA

2 may be a CA. Only returned by old versions of OpenSSL when basicConstraints is absent; current versions never return this value

3 basicConstraints absent but the certificate is a self-signed V1 certificate

4 basicConstraints absent but keyUsage present with keyCertSign asserted

5 legacy Netscape-specific CA flags present

Referenced By

EVP_PKEY_ASN1_METHOD.3ossl(3), X509_check_ca.3ossl(3), X509_get_extension_flags.3ossl(3).

2024-09-12 3.2.2 OpenSSL