X509_CHECK_PURPOSE
Section: OpenSSL (3)
Updated: 2020-07-28
Page Index
NAME
X509_check_purpose - Check the purpose of a certificate
SYNOPSIS
#include <openssl/x509v3.h>
int X509_check_purpose(X509 *x, int id, int ca)
DESCRIPTION
This function checks if certificate
x was created with the purpose
represented by
id. If
ca is nonzero, then certificate
x is
checked to determine if it's a possible
CA with various levels of certainty
possibly returned.
Below are the potential ID's that can be checked:
# define X509_PURPOSE_SSL_CLIENT 1
# define X509_PURPOSE_SSL_SERVER 2
# define X509_PURPOSE_NS_SSL_SERVER 3
# define X509_PURPOSE_SMIME_SIGN 4
# define X509_PURPOSE_SMIME_ENCRYPT 5
# define X509_PURPOSE_CRL_SIGN 6
# define X509_PURPOSE_ANY 7
# define X509_PURPOSE_OCSP_HELPER 8
# define X509_PURPOSE_TIMESTAMP_SIGN 9
RETURN VALUES
For non-CA checks
- -1 an error condition has occured
-
- 1 if the certificate was created to perform the purpose represented by id
-
- 0 if the certificate was not created to perform the purpose represented by id
-
For CA checks the below integers could be returned with the following meanings:
- -1 an error condition has occured
-
- 0 not a CA or does not have the purpose represented by id
-
- 1 is a CA.
-
- 2 Only possible in old versions of openSSL when basicConstraints are absent. New versions will not return this value. May be a CA
-
- 3 basicConstraints absent but self signed V1.
-
- 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
-
- 5 legacy Netscape specific CA Flags present
-
COPYRIGHT
Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the ``License''). You may not use this
file except in compliance with the License. You can obtain a copy in the file
LICENSE in the source distribution or at <
https://www.openssl.org/source/license.html>.