FreeBSD manual
download PDF document: X509_check_purpose.3.pdf
X509_CHECK_PURPOSE(3ossl) OpenSSL X509_CHECK_PURPOSE(3ossl)
NAME
X509_check_purpose - Check the purpose of a certificate
SYNOPSIS
#include <openssl/x509v3.h>
int X509_check_purpose(X509 *x, int id, int ca);
DESCRIPTION
This function checks if certificate x was created with the purpose
represented by id. If ca is nonzero, then certificate x is checked to
determine if it's a possible CA with various levels of certainty
possibly returned. The certificate x must be a complete certificate
otherwise the function returns an error.
Below are the potential ID's that can be checked:
# define X509_PURPOSE_SSL_CLIENT 1
# define X509_PURPOSE_SSL_SERVER 2
# define X509_PURPOSE_NS_SSL_SERVER 3
# define X509_PURPOSE_SMIME_SIGN 4
# define X509_PURPOSE_SMIME_ENCRYPT 5
# define X509_PURPOSE_CRL_SIGN 6
# define X509_PURPOSE_ANY 7
# define X509_PURPOSE_OCSP_HELPER 8
# define X509_PURPOSE_TIMESTAMP_SIGN 9
The checks performed take into account the X.509 extensions keyUsage,
extendedKeyUsage, and basicConstraints.
RETURN VALUES
For non-CA checks
-1 an error condition has occurred
1 if the certificate was created to perform the purpose represented by
id
0 if the certificate was not created to perform the purpose
represented by id
For CA checks the below integers could be returned with the following
meanings:
-1 an error condition has occurred
0 not a CA or does not have the purpose represented by id
1 is a CA.
2 Only possible in old versions of openSSL when basicConstraints are
absent. New versions will not return this value. May be a CA
3 basicConstraints absent but self signed V1.
4 basicConstraints absent but keyUsage present and keyCertSign
asserted.
5 legacy Netscape specific CA Flags present
COPYRIGHT
Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy