1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
|
.\" $NetBSD: X509_check_purpose.3,v 1.5 2026/04/08 17:06:49 christos Exp $
.\"
.\" -*- mode: troff; coding: utf-8 -*-
.\" Automatically generated by Pod::Man v6.0.2 (Pod::Simple 3.45)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
. if \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{\
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Required to disable full justification in groff 1.23.0.
.if n .ds AD l
.\" ========================================================================
.\"
.IX Title "X509_check_purpose 3"
.TH X509_check_purpose 3 2026-04-07 3.5.6 OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH NAME
X509_check_purpose,
X509_PURPOSE_get_count,
X509_PURPOSE_get_unused_id,
X509_PURPOSE_get_by_sname,
X509_PURPOSE_get_by_id,
X509_PURPOSE_add,
X509_PURPOSE_cleanup,
X509_PURPOSE_get0,
X509_PURPOSE_get_id,
X509_PURPOSE_get0_name,
X509_PURPOSE_get0_sname,
X509_PURPOSE_get_trust,
X509_PURPOSE_set \- functions related to checking the purpose of a certificate
.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& #include <openssl/x509v3.h>
\&
\& int X509_check_purpose(X509 *x, int id, int ca);
\&
\& int X509_PURPOSE_get_count(void);
\& int X509_PURPOSE_get_unused_id(OSSL_LIB_CTX *libctx);
\& int X509_PURPOSE_get_by_sname(const char *sname);
\& int X509_PURPOSE_get_by_id(int id);
\& int X509_PURPOSE_add(int id, int trust, int flags,
\& int (*ck) (const X509_PURPOSE *, const X509 *, int),
\& const char *name, const char *sname, void *arg);
\& void X509_PURPOSE_cleanup(void);
\&
\& X509_PURPOSE *X509_PURPOSE_get0(int idx);
\& int X509_PURPOSE_get_id(const X509_PURPOSE *);
\& char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp);
\& char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp);
\& int X509_PURPOSE_get_trust(const X509_PURPOSE *xp);
\& int X509_PURPOSE_set(int *p, int purpose);
.Ve
.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBX509_check_purpose()\fR checks if certificate \fIx\fR was created with the purpose
represented by \fIid\fR. If \fIca\fR is nonzero, then certificate \fIx\fR is
checked to determine if it\*(Aqs a possible CA with various levels of certainty
possibly returned. The certificate \fIx\fR must be a complete certificate
otherwise the function returns an error.
.PP
Below are the potential ID\*(Aqs that can be checked:
.PP
.Vb 10
\& # define X509_PURPOSE_SSL_CLIENT 1
\& # define X509_PURPOSE_SSL_SERVER 2
\& # define X509_PURPOSE_NS_SSL_SERVER 3
\& # define X509_PURPOSE_SMIME_SIGN 4
\& # define X509_PURPOSE_SMIME_ENCRYPT 5
\& # define X509_PURPOSE_CRL_SIGN 6
\& # define X509_PURPOSE_ANY 7
\& # define X509_PURPOSE_OCSP_HELPER 8
\& # define X509_PURPOSE_TIMESTAMP_SIGN 9
\& # define X509_PURPOSE_CODE_SIGN 10
.Ve
.PP
The checks performed take into account the X.509 extensions
keyUsage, extendedKeyUsage, and basicConstraints.
.PP
\&\fBX509_PURPOSE_get_count()\fR returns the number of currently defined purposes.
.PP
\&\fBX509_PURPOSE_get_unused_id()\fR returns the smallest purpose id not yet used,
which is guaranteed to be unique and larger than \fBX509_PURPOSE_MAX\fR.
The \fIlibctx\fR parameter should be used to provide the library context.
It is currently ignored as the purpose mapping table is global.
.PP
\&\fBX509_PURPOSE_get_by_sname()\fR returns the index of
the purpose with the given short name or \-1 if not found.
.PP
\&\fBX509_PURPOSE_get_by_id()\fR returns the index of
the purpose with the given id or \-1 if not found.
.PP
\&\fBX509_PURPOSE_add()\fR adds or modifies a purpose entry identified by \fIsname\fR.
Unless the id stays the same for an existing entry, \fIid\fR must be fresh,
which can be achieved by using the result of \fBX509_PURPOSE_get_unused_id()\fR.
The function also sets in the entry the trust id \fItrust\fR, the given \fIflags\fR,
the purpose (long) name \fIname\fR, the short name \fIsname\fR, the purpose checking
function \fIck\fR of type \fBint (*) (const X509_PURPOSE *, const X509 *, int)\fR,
and its user data \fIarg\fR which may be retrieved via the \fBX509_PURPOSE\fR pointer.
.PP
\&\fBX509_PURPOSE_cleanup()\fR removes all purposes that are not pre\-defined.
.PP
\&\fBX509_PURPOSE_get0()\fR returns an \fBX509_PURPOSE\fR pointer or NULL on error.
.PP
\&\fBX509_PURPOSE_get_id()\fR returns the id of the given \fBX509_PURPOSE\fR structure.
.PP
\&\fBX509_PURPOSE_get0_name()\fR returns the (long) name of the given \fBX509_PURPOSE\fR.
.PP
\&\fBX509_PURPOSE_get0_sname()\fR returns the short name of the given \fBX509_PURPOSE\fR.
.PP
\&\fBX509_PURPOSE_get_trust()\fR returns the trust id of the given \fBX509_PURPOSE\fR.
.PP
\&\fBX509_PURPOSE_set()\fR assigns the given \fIpurpose\fR id to the location pointed at by
\&\fIp\fR.
This resets to the any purpose if \fIpurpose\fR is \fBX509_PURPOSE_DEFAULT_ANY\fR.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
\&\fBX509_check_purpose()\fR returns the following values.
For non\-CA checks
.IP "\-1 an error condition has occurred" 4
.IX Item "-1 an error condition has occurred"
.PD 0
.IP " 1 if the certificate was created to perform the purpose represented by \fIid\fR" 4
.IX Item " 1 if the certificate was created to perform the purpose represented by id"
.IP " 0 if the certificate was not created to perform the purpose represented by \fIid\fR" 4
.IX Item " 0 if the certificate was not created to perform the purpose represented by id"
.PD
.PP
For CA checks the below integers could be returned with the following meanings:
.IP "\-1 an error condition has occurred" 4
.IX Item "-1 an error condition has occurred"
.PD 0
.IP " 0 not a CA or does not have the purpose represented by \fIid\fR" 4
.IX Item " 0 not a CA or does not have the purpose represented by id"
.IP " 1 is a CA." 4
.IX Item " 1 is a CA."
.IP " 2 Only possible in old versions of openSSL when basicConstraints are absent. New versions will not return this value. May be a CA" 4
.IX Item " 2 Only possible in old versions of openSSL when basicConstraints are absent. New versions will not return this value. May be a CA"
.IP " 3 basicConstraints absent but self signed V1." 4
.IX Item " 3 basicConstraints absent but self signed V1."
.IP " 4 basicConstraints absent but keyUsage present and keyCertSign asserted." 4
.IX Item " 4 basicConstraints absent but keyUsage present and keyCertSign asserted."
.IP " 5 legacy Netscape specific CA Flags present" 4
.IX Item " 5 legacy Netscape specific CA Flags present"
.PD
.PP
\&\fBX509_PURPOSE_get_count()\fR returns the number of currently defined purposes.
.PP
\&\fBX509_PURPOSE_get_unused_id()\fR returns the smallest purpose id not yet used.
.PP
\&\fBX509_PURPOSE_get_by_sname()\fR returns the index of
the purpose with the given short name or \-1 if not found.
.PP
\&\fBX509_PURPOSE_get_by_id()\fR returns the index of
the purpose with the given id or \-1 if not found.
.PP
int \fBX509_PURPOSE_add()\fR returns 1 on success, 0 on error.
.PP
\&\fBX509_PURPOSE_cleanup()\fR does not return anything.
.PP
\&\fBX509_PURPOSE_get0()\fR returns an \fBX509_PURPOSE\fR pointer or NULL on error.
.PP
\&\fBX509_PURPOSE_get_id()\fR returns the id of the given \fBX509_PURPOSE\fR structure.
.PP
\&\fBX509_PURPOSE_get0_name()\fR returns the (long) name of the given \fBX509_PURPOSE\fR.
.PP
\&\fBX509_PURPOSE_get0_sname()\fR returns the short name of the given \fBX509_PURPOSE\fR.
.PP
\&\fBX509_PURPOSE_get_trust()\fR returns the trust id of the given \fBX509_PURPOSE\fR.
.PP
\&\fBX509_PURPOSE_set()\fR returns 1 on success, 0 on error.
.SH BUGS
.IX Header "BUGS"
The X509_PURPOSE implementation so far is not thread\-safe.
There may be race conditions retrieving purpose information while
\&\fBX509_PURPOSE_add()\fR or X509_PURPOSE_cleanup(void) is being called.
.SH HISTORY
.IX Header "HISTORY"
\&\fBX509_PURPOSE_get_unused_id()\fR was added in OpensSL 3.5.
.SH COPYRIGHT
.IX Header "COPYRIGHT"
Copyright 2019\-2025 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use this
file except in compliance with the License. You can obtain a copy in the file
LICENSE in the source distribution or at <https://www.openssl.org/source/license.html>.
|
