Fixes #10263 Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10301)master
parent
abfc73f374
commit
eacd30a703
@ -0,0 +1,74 @@
|
||||
=pod
|
||||
|
||||
=head1 NAME
|
||||
|
||||
X509_check_purpose - Check the purpose of a certificate
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
#include <openssl/x509v3.h>
|
||||
|
||||
int X509_check_purpose(X509 *x, int id, int ca)
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
This function checks if certificate I<x> was created with the purpose
|
||||
represented by I<id>. If I<ca> is nonzero, then certificate I<x> is
|
||||
checked to determine if it's a possible CA with various levels of certainty
|
||||
possibly returned.
|
||||
|
||||
Below are the potential ID's that can be checked:
|
||||
|
||||
# define X509_PURPOSE_SSL_CLIENT 1
|
||||
# define X509_PURPOSE_SSL_SERVER 2
|
||||
# define X509_PURPOSE_NS_SSL_SERVER 3
|
||||
# define X509_PURPOSE_SMIME_SIGN 4
|
||||
# define X509_PURPOSE_SMIME_ENCRYPT 5
|
||||
# define X509_PURPOSE_CRL_SIGN 6
|
||||
# define X509_PURPOSE_ANY 7
|
||||
# define X509_PURPOSE_OCSP_HELPER 8
|
||||
# define X509_PURPOSE_TIMESTAMP_SIGN 9
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
For non-CA checks
|
||||
|
||||
=over 4
|
||||
|
||||
=item -1 an error condition has occured
|
||||
|
||||
=item E<32>1 if the certificate was created to perform the purpose represented by I<id>
|
||||
|
||||
=item E<32>0 if the certificate was not created to perform the purpose represented by I<id>
|
||||
|
||||
=back
|
||||
|
||||
For CA checks the below integers could be returned with the following meanings:
|
||||
|
||||
=over 4
|
||||
|
||||
=item -1 an error condition has occured
|
||||
|
||||
=item E<32>0 not a CA or does not have the purpose represented by I<id>
|
||||
|
||||
=item E<32>1 is a CA.
|
||||
|
||||
=item E<32>2 Only possible in old versions of openSSL when basicConstraints are absent.
|
||||
New versions will not return this value. May be a CA
|
||||
|
||||
=item E<32>3 basicConstraints absent but self signed V1.
|
||||
|
||||
=item E<32>4 basicConstraints absent but keyUsage present and keyCertSign asserted.
|
||||
|
||||
=item E<32>5 legacy Netscape specific CA Flags present
|
||||
|
||||
=back
|
||||
|
||||
=head1 COPYRIGHT
|
||||
|
||||
Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use this
|
||||
file except in compliance with the License. You can obtain a copy in the file
|
||||
LICENSE in the source distribution or at L<https://www.openssl.org/source/license.html>.
|
||||
|
||||
=cut
|
Loading…
Reference in new issue