2019-10-30 23:27:04 +08:00
|
|
|
=pod
|
|
|
|
|
|
|
|
|
|
=head1 NAME
|
|
|
|
|
|
|
|
|
|
X509_check_purpose - Check the purpose of a certificate
|
|
|
|
|
|
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
|
|
|
|
|
|
#include <openssl/x509v3.h>
|
|
|
|
|
|
2020-07-15 16:26:35 +08:00
|
|
|
int X509_check_purpose(X509 *x, int id, int ca);
|
2019-10-30 23:27:04 +08:00
|
|
|
|
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
|
|
|
|
|
|
This function checks if certificate I<x> was created with the purpose
|
|
|
|
|
represented by I<id>. If I<ca> is nonzero, then certificate I<x> is
|
|
|
|
|
checked to determine if it's a possible CA with various levels of certainty
|
2021-07-13 23:59:37 +08:00
|
|
|
possibly returned. The certificate I<x> must be a complete certificate
|
|
|
|
|
otherwise the function returns an error.
|
2019-10-30 23:27:04 +08:00
|
|
|
|
|
|
|
|
Below are the potential ID's that can be checked:
|
|
|
|
|
|
|
|
|
|
# define X509_PURPOSE_SSL_CLIENT 1
|
|
|
|
|
# define X509_PURPOSE_SSL_SERVER 2
|
|
|
|
|
# define X509_PURPOSE_NS_SSL_SERVER 3
|
|
|
|
|
# define X509_PURPOSE_SMIME_SIGN 4
|
|
|
|
|
# define X509_PURPOSE_SMIME_ENCRYPT 5
|
|
|
|
|
# define X509_PURPOSE_CRL_SIGN 6
|
|
|
|
|
# define X509_PURPOSE_ANY 7
|
|
|
|
|
# define X509_PURPOSE_OCSP_HELPER 8
|
|
|
|
|
# define X509_PURPOSE_TIMESTAMP_SIGN 9
|
2021-10-14 21:24:18 +08:00
|
|
|
# define X509_PURPOSE_CODE_SIGN 10
|
2019-10-30 23:27:04 +08:00
|
|
|
|
2021-02-16 18:17:07 +08:00
|
|
|
The checks performed take into account the X.509 extensions
|
|
|
|
|
keyUsage, extendedKeyUsage, and basicConstraints.
|
|
|
|
|
|
2019-10-30 23:27:04 +08:00
|
|
|
=head1 RETURN VALUES
|
|
|
|
|
|
|
|
|
|
For non-CA checks
|
|
|
|
|
|
|
|
|
|
=over 4
|
|
|
|
|
|
2020-06-30 03:13:07 +08:00
|
|
|
=item -1 an error condition has occurred
|
2019-10-30 23:27:04 +08:00
|
|
|
|
|
|
|
|
=item E<32>1 if the certificate was created to perform the purpose represented by I<id>
|
|
|
|
|
|
|
|
|
|
=item E<32>0 if the certificate was not created to perform the purpose represented by I<id>
|
|
|
|
|
|
|
|
|
|
=back
|
|
|
|
|
|
|
|
|
|
For CA checks the below integers could be returned with the following meanings:
|
|
|
|
|
|
|
|
|
|
=over 4
|
|
|
|
|
|
2020-06-30 03:13:07 +08:00
|
|
|
=item -1 an error condition has occurred
|
2019-10-30 23:27:04 +08:00
|
|
|
|
|
|
|
|
=item E<32>0 not a CA or does not have the purpose represented by I<id>
|
|
|
|
|
|
|
|
|
|
=item E<32>1 is a CA.
|
|
|
|
|
|
|
|
|
|
=item E<32>2 Only possible in old versions of openSSL when basicConstraints are absent.
|
|
|
|
|
New versions will not return this value. May be a CA
|
|
|
|
|
|
|
|
|
|
=item E<32>3 basicConstraints absent but self signed V1.
|
|
|
|
|
|
|
|
|
|
=item E<32>4 basicConstraints absent but keyUsage present and keyCertSign asserted.
|
|
|
|
|
|
|
|
|
|
=item E<32>5 legacy Netscape specific CA Flags present
|
|
|
|
|
|
|
|
|
|
=back
|
|
|
|
|
|
|
|
|
|
=head1 COPYRIGHT
|
|
|
|
|
|
2021-07-29 22:41:35 +08:00
|
|
|
Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
2019-10-30 23:27:04 +08:00
|
|
|
Licensed under the Apache License 2.0 (the "License"). You may not use this
|
|
|
|
|
file except in compliance with the License. You can obtain a copy in the file
|
|
|
|
|
LICENSE in the source distribution or at L<https://www.openssl.org/source/license.html>.
|
|
|
|
|
|
|
|
|
|
=cut
|
