X509_check_purpose.3ssl - Man Page

Check the purpose of a certificate


 #include <openssl/x509v3.h>

 int X509_check_purpose(X509 *x, int id, int ca)


This function checks if certificate x was created with the purpose represented by id. If ca is nonzero, then certificate x is checked to determine if it's a possible CA with various levels of certainty possibly returned.

Below are the potential ID's that can be checked:

 # define X509_PURPOSE_SSL_CLIENT        1
 # define X509_PURPOSE_SSL_SERVER        2
 # define X509_PURPOSE_NS_SSL_SERVER     3
 # define X509_PURPOSE_SMIME_SIGN        4
 # define X509_PURPOSE_SMIME_ENCRYPT     5
 # define X509_PURPOSE_CRL_SIGN          6
 # define X509_PURPOSE_ANY               7
 # define X509_PURPOSE_OCSP_HELPER       8
 # define X509_PURPOSE_TIMESTAMP_SIGN    9

Return Values

For non-CA checks

-1 an error condition has occurred

1 if the certificate was created to perform the purpose represented by id

0 if the certificate was not created to perform the purpose represented by id

For CA checks the below integers could be returned with the following meanings:

-1 an error condition has occurred

0 not a CA or does not have the purpose represented by id

1 is a CA.

2 Only possible in old versions of openSSL when basicConstraints are absent. New versions will not return this value. May be a CA

3 basicConstraints absent but self signed V1.

4 basicConstraints absent but keyUsage present and keyCertSign asserted.

5 legacy Netscape specific CA Flags present

Referenced By

EVP_PKEY_ASN1_METHOD.3ssl(3), X509_check_ca.3ssl(3), X509_get_extension_flags.3ssl(3).

2021-02-10 1.1.1i OpenSSL