=pod

=head1 NAME

X509_check_purpose - Check the purpose of a certificate

=head1 SYNOPSIS

 #include <openssl/x509v3.h>

 int X509_check_purpose(X509 *x, int id, int ca);

=head1 DESCRIPTION

This function checks if certificate I<x> was created with the purpose
represented by I<id>. If I<ca> is nonzero, then certificate I<x> is
checked to determine if it's a possible CA with various levels of certainty
possibly returned. The certificate I<x> must be a complete certificate,
otherwise the function returns an error.

Below are the potential IDs that can be checked:

 # define X509_PURPOSE_SSL_CLIENT        1
 # define X509_PURPOSE_SSL_SERVER        2
 # define X509_PURPOSE_NS_SSL_SERVER     3
 # define X509_PURPOSE_SMIME_SIGN        4
 # define X509_PURPOSE_SMIME_ENCRYPT     5
 # define X509_PURPOSE_CRL_SIGN          6
 # define X509_PURPOSE_ANY               7
 # define X509_PURPOSE_OCSP_HELPER       8
 # define X509_PURPOSE_TIMESTAMP_SIGN    9

The checks performed take into account the X.509 extensions
keyUsage, extendedKeyUsage, and basicConstraints.
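
Because the result is not a plain boolean (see RETURN VALUES), a caller has to compare it explicitly. The following is an added example, not part of the OpenSSL documentation or source. It classifies a raw return value and contrasts that with a truthiness test. The names C<naive_accepts>, C<classify> and C<accepts>, and the opt-in policy for the heuristic CA codes, are assumptions made for illustration.

```c
#include <stdio.h>

/* Verdicts for a raw X509_check_purpose() return value (names are hypothetical). */
enum verdict { V_ACCEPT, V_REJECT, V_ERROR, V_HEURISTIC_CA };

/* Pitfall: this is what `if (X509_check_purpose(x, id, ca))` tests.
 * -1 (error) is nonzero, so a failed check is treated as a pass. */
static int naive_accepts(int rc)
{
    return rc != 0;
}

/* Classify a return value using the meanings listed under RETURN VALUES.
 * ca is the same flag that was passed to X509_check_purpose(). */
static enum verdict classify(int rc, int ca)
{
    if (rc < 0)
        return V_ERROR;          /* -1: error condition, fail closed */
    if (rc == 0)
        return V_REJECT;         /* purpose (or CA status) not present */
    if (rc == 1)
        return V_ACCEPT;         /* definite answer */
    if (ca && rc >= 2 && rc <= 5)
        return V_HEURISTIC_CA;   /* basicConstraints absent or legacy flags */
    return V_ERROR;              /* value not documented for this mode */
}

/* Assumed policy: heuristic CA results (2..5) count only when the caller
 * opts in, for example for a trust store that still holds V1 roots. */
static int accepts(int rc, int ca, int allow_heuristic_ca)
{
    enum verdict v = classify(rc, ca);
    return v == V_ACCEPT || (v == V_HEURISTIC_CA && allow_heuristic_ca);
}

int main(void)
{
    const int samples[] = { -1, 0, 1, 3, 4, 5 };  /* constructed return values */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("rc=%2d naive=%d strict=%d lenient=%d\n", samples[i],
               naive_accepts(samples[i]), accepts(samples[i], 1, 0),
               accepts(samples[i], 1, 1));
    return 0;
}
```

In real code the first argument would be the value returned by C<X509_check_purpose(x, id, ca)>, with the same I<ca> flag passed to both calls.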

=head1 RETURN VALUES

For non-CA checks

=over 4

=item -1 an error condition has occurred

=item E<32>1 if the certificate was created to perform the purpose represented by I<id>

=item E<32>0 if the certificate was not created to perform the purpose represented by I<id>

=back

For CA checks the below integers could be returned with the following meanings:

=over 4

=item -1 an error condition has occurred

=item E<32>0 not a CA or does not have the purpose represented by I<id>

=item E<32>1 is a CA.

=item E<32>2 Only possible in old versions of OpenSSL when basicConstraints are absent.
 New versions will not return this value. May be a CA

=item E<32>3 basicConstraints absent but self-signed V1.

=item E<32>4 basicConstraints absent but keyUsage present and keyCertSign asserted.

=item E<32>5 legacy Netscape specific CA Flags present

=back

=head1 COPYRIGHT

Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use this
file except in compliance with the License. You can obtain a copy in the file
LICENSE in the source distribution or at L<https://www.openssl.org/source/license.html>.

=cut