NAME

X509_check_purpose - Check the purpose of a certificate


SYNOPSIS

 #include <openssl/x509v3.h>
 int X509_check_purpose(X509 *x, int id, int ca);


DESCRIPTION

This function checks whether certificate x was created with the purpose represented by id. If ca is nonzero, x is checked to determine whether it is a possible CA, and the return value indicates the level of certainty.

Below are the potential IDs that can be checked:

 # define X509_PURPOSE_SSL_CLIENT        1
 # define X509_PURPOSE_SSL_SERVER        2
 # define X509_PURPOSE_NS_SSL_SERVER     3
 # define X509_PURPOSE_SMIME_SIGN        4
 # define X509_PURPOSE_SMIME_ENCRYPT     5
 # define X509_PURPOSE_CRL_SIGN          6
 # define X509_PURPOSE_ANY               7
 # define X509_PURPOSE_OCSP_HELPER       8
 # define X509_PURPOSE_TIMESTAMP_SIGN    9


RETURN VALUES

For non-CA checks:

  • -1 an error condition has occurred
  • 1 if the certificate was created to perform the purpose represented by id
  • 0 if the certificate was not created to perform the purpose represented by id

For CA checks the below integers could be returned with the following meanings:

  • -1 an error condition has occurred
  • 0 not a CA or does not have the purpose represented by id
  • 1 is a CA.
  • 2 Only possible in old versions of OpenSSL when basicConstraints are absent. New versions will not return this value. May be a CA.
  • 3 basicConstraints absent but self signed V1.
  • 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
  • 5 legacy Netscape specific CA Flags present
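
Because -1 is nonzero, a plain truthiness test on the return value accepts an error, and on CA checks it also accepts the inferred results 2 to 5. The following added example (not part of the OpenSSL documentation; interpret_purpose_rc, naive_accepts, count_disagreements and the allow_legacy_ca switch are hypothetical names) maps the documented return codes to a strict verdict and counts where the naive test disagrees.

```c
#include <stdio.h>

enum verdict { V_ERROR = -1, V_REJECT = 0, V_ACCEPT = 1 };

/*
 * Interpret rc = X509_check_purpose(x, id, ca) using the return values
 * documented above. allow_legacy_ca is a hypothetical policy switch: when 0,
 * CA results 2..5 (anything other than "is a CA") are rejected.
 */
enum verdict interpret_purpose_rc(int rc, int ca, int allow_legacy_ca)
{
    if (rc < 0)
        return V_ERROR;              /* -1: error, never a success */
    if (rc == 0)
        return V_REJECT;
    if (!ca)                         /* non-CA checks document only 0 and 1 */
        return rc == 1 ? V_ACCEPT : V_ERROR;
    switch (rc) {
    case 1:
        return V_ACCEPT;             /* is a CA */
    case 2: case 3: case 4: case 5:  /* results 2..5 documented above */
        return allow_legacy_ca ? V_ACCEPT : V_REJECT;
    default:
        return V_ERROR;              /* undocumented value */
    }
}

/* The pattern to avoid: if (X509_check_purpose(x, id, ca)) { trust } */
int naive_accepts(int rc) { return rc != 0; }

/* Count codes in -1..5 that the naive test accepts but the strict one does not. */
int count_disagreements(int ca, int allow_legacy_ca)
{
    int n = 0;
    for (int rc = -1; rc <= 5; rc++)
        if (naive_accepts(rc) &&
            interpret_purpose_rc(rc, ca, allow_legacy_ca) != V_ACCEPT)
            n++;
    return n;
}

int main(void)
{
    for (int rc = -1; rc <= 5; rc++)
        printf("rc=%2d naive=%d strict_ca=%d\n", rc, naive_accepts(rc),
               interpret_purpose_rc(rc, 1, 0));
    printf("CA check, strict policy: %d unsafe accepts\n", count_disagreements(1, 0));
    return 0;
}
```

In a real caller, pass the result directly, for example interpret_purpose_rc(X509_check_purpose(cert, X509_PURPOSE_SSL_SERVER, 0), 0, 0).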

COPYRIGHT

Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.