1 files changed, 0 insertions, 431 deletions
diff --git a/src/lib/libcrypto/man/X509_check_purpose.3 b/src/lib/libcrypto/man/X509_check_purpose.3
deleted file mode 100644
index 8fea6679fc..0000000000
--- a/src/lib/libcrypto/man/X509_check_purpose.3
+++ /dev/null
@@ -1,431 +0,0 @@
-.\" $OpenBSD: X509_check_purpose.3,v 1.12 2024/09/02 08:04:32 tb Exp $
-.\"
-.\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: September 2 2024 $
-.Dt X509_CHECK_PURPOSE 3
-.Os
-.Sh NAME
-.Nm X509_check_purpose
-.Nd check intended usage of a public key
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft int
-.Fo X509_check_purpose
-.Fa "X509 *certificate"
-.Fa "int purpose"
-.Fa "int ca"
-.Fc
-.Sh DESCRIPTION
-If the
-.Fa purpose
-argument is \-1,
-.Fn X509_check_purpose
-ignores the
-.Fa ca
-argument and checks that all the extensions of the
-.Fa certificate
-can be parsed and pass minimal sanity checks, ensuring that
-no extension occurs more than once.
-It also makes sure that all extensions are cached in the
-.Vt X509
-object.
-.Pp
-If the
-.Fa purpose
-argument is not \-1 and the
-.Fa ca
-flag is 0,
-.Fn X509_check_purpose
-also checks whether the public key contained in the
-.Fa certificate
-is intended to be used for the given
-.Fa purpose ,
-which can be one of the following integer constants.
-The check succeeds if none of the conditions given in the list below
-are violated.
-It always fails if parsing fails for any extension contained in the
-.Fa certificate .
-.Bl -tag -width 1n
-.It Dv X509_PURPOSE_SSL_CLIENT
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains an Extended Key Usage extension, it contains the RFC 5280
-.Dq TLS WWW client authentication
-purpose
-.Pq Dv NID_client_auth .
-.It
-If the
-.Fa certificate
-contains a Key Usage extension, the
-.Dv digitalSignature
-bit is set.
-.It
-If the
-.Fa certificate
-contains a Netscape Cert Type extension, the
-.Dq SSL client certificate
-bit is set
-.Pq Dv NS_SSL_CLIENT .
-.El
-.It Dv X509_PURPOSE_SSL_SERVER
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains an Extended Key Usage extension, it contains the RFC 5280
-.Dq TLS WWW server authentication
-purpose
-.Pq Dv NID_server_auth
-or the private
-.Dq Netscape Server Gated Crypto
-.Pq Dv NID_ns_sgc
-or
-.Dq Microsoft Server Gated Crypto
-.Pq Dv NID_ms_sgc
-purpose.
-.It
-If the
-.Fa certificate
-contains a Key Usage extension, at least one of the
-.Dv digitalSignature
-and
-.Dv keyEncipherment
-bits is set.
-.It
-If the
-.Fa certificate
-contains a Netscape Cert Type extension, the
-.Dq SSL server certificate
-bit is set
-.Pq Dv NS_SSL_SERVER
-.El
-.It Dv X509_PURPOSE_NS_SSL_SERVER
-.\" check_purpose_ns_ssl_server, "Netscape SSL server"
-This does the same checks as
-.Dv X509_PURPOSE_SSL_SERVER
-and additionally requires that a Key Usage extension, if present,
-has the
-.Dv keyEncipherment
-bit set.
-.It Dv X509_PURPOSE_SMIME_SIGN
-.\" check_purpose_smime_sign, "S/MIME signing"
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains an Extended Key Usage extension, it contains the RFC 5280
-.Dq Email protection
-purpose
-.Pq Dv NID_email_protect .
-.It
-If the
-.Fa certificate
-contains a Key Usage extension, at least one of the
-.Dv digitalSignature
-and
-.Dv nonRepudiation
-bits is set.
-.It
-If the
-.Fa certificate
-contains a Netscape Cert Type extension, it has the
-.Dq S/MIME certificate
-bit set.
-If the
-.Dq SSL client certificate
-bit is set but the
-.Dq S/MIME certificate
-bit is not, no decision is made.
-.El
-.It Dv X509_PURPOSE_SMIME_ENCRYPT
-.\" check_purpose_smime_encrypt, "S/MIME encryption"
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains an Extended Key Usage extension, it contains the RFC 5280
-.Dq Email protection
-purpose
-.Pq Dv NID_email_protect .
-.It
-If the
-.Fa certificate
-contains a Key Usage extension, the
-.Dv keyEncipherment
-bit is set.
-.It
-If the
-.Fa certificate
-contains a Netscape Cert Type extension, it has the
-.Dq S/MIME certificate
-bit set.
-If the
-.Dq SSL client certificate
-bit is set but the
-.Dq S/MIME certificate
-bit is not, no decision is made.
-.El
-.It Dv X509_PURPOSE_CRL_SIGN
-.\" check_purpose_crl_sign, "CRL signing"
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains a Key Usage extension, the
-.Dv cRLSign
-bit is set.
-.El
-.It Dv X509_PURPOSE_ANY
-Nothing is required except that, if any extensions are present,
-parsing them needs to succeed.
-.It Dv X509_PURPOSE_OCSP_HELPER
-.\" ocsp_helper, "OCSP helper"
-Nothing is required except that, if any extensions are present,
-parsing them needs to succeed.
-The application program is expected
-to do the actual checking by other means.
-.It Dv X509_PURPOSE_TIMESTAMP_SIGN
-.\" check_purpose_timestamp_sign, "Time Stamp signing"
-.Bl -dash -width 1n -compact
-.It
-The
-.Fa certificate
-contains an Extended Key Usage extension containing the RFC 5280
-.Dq Time Stamping
-purpose and no other purpose.
-This extension is marked as critical.
-.It
-If the
-.Fa certificate
-contains a Key Usage extension, at least one of the
-.Dv digitalSignature
-and
-.Dv nonRepudiation
-bits is set, and no other bits are set.
-.El
-.El
-.Pp
-If the
-.Fa purpose
-argument is not \-1 and the
-.Fa ca
-flag is non-zero,
-.Fn X509_check_purpose
-instead checks, in addition to the minimal sanity checks, whether the
-.Fa certificate
-can be used as a certificate authority certificate
-in the context of the given
-.Fa purpose .
-To succeed, the check always requires that none of the following
-conditions are violated:
-.Pp
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains any extensions, parsing them succeeds.
-.It
-If the
-.Fa certificate
-contains a Key Usage extension, the
-.Dv keyCertSign
-bit is set.
-.It
-If the
-.Fa certificate
-contains a Basic Constraints extension, the
-.Fa cA
-field is set.
-.It
-If the
-.Fa certificate
-is a version 1 certificate, the subject name matches the issuer name
-and the certificate is self signed.
-.El
-.Pp
-The check succeeds if none of the additional conditions given in
-the list below are violated.
-.Bl -tag -width 1n
-.It Dv X509_PURPOSE_SSL_CLIENT
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains an Extended Key Usage extension, it contains the RFC 5280
-.Dq TLS WWW client authentication
-purpose
-.Pq Dv NID_client_auth .
-.It
-If the
-.Fa certificate
-is not a version 1 certificate and does not contain a Basic Constraints
-extension, it contains a Key Usage extension with the
-.Dv keyCertSign
-bit set or a Netscape Cert Type extension with the
-.Dq SSL CA certificate
-bit set.
-.El
-.It Dv X509_PURPOSE_SSL_SERVER No or Dv X509_PURPOSE_NS_SSL_SERVER
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains an Extended Key Usage extension, it contains the RFC 5280
-.Dq TLS WWW server authentication
-purpose
-.Pq Dv NID_server_auth
-or the private
-.Dq Netscape Server Gated Crypto
-.Pq Dv NID_ns_sgc
-or
-.Dq Microsoft Server Gated Crypto
-.Pq Dv NID_ms_sgc
-purpose.
-.It
-If the
-.Fa certificate
-is not a version 1 certificate and does not contain a Basic Constraints
-extension, it contains a Key Usage extension with the
-.Dv keyCertSign
-bit set or a Netscape Cert Type extension with the
-.Dq SSL CA certificate
-bit set.
-.El
-.It Dv X509_PURPOSE_SMIME_SIGN No or Dv X509_PURPOSE_SMIME_ENCRYPT
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains an Extended Key Usage extension, it contains the RFC 5280
-.Dq Email protection
-purpose
-.Pq Dv NID_email_protect .
-.It
-If the
-.Fa certificate
-is not a version 1 certificate and does not contain a Basic Constraints
-extension, it contains a Key Usage extension with the
-.Dv keyCertSign
-bit set or a Netscape Cert Type extension with the
-.Dq S/MIME CA certificate
-bit set.
-.El
-.It Xo
-.Dv X509_PURPOSE_CRL_SIGN ,
-.Dv X509_PURPOSE_OCSP_HELPER ,
-or
-.Dv X509_PURPOSE_TIMESTAMP_SIGN
-.Xc
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-is not a version 1 certificate and does not contain a Basic Constraints
-extension, it contains a Key Usage extension with the
-.Dv keyCertSign
-bit set or a Netscape Cert Type extension with at least one of the
-.Dq SSL CA certificate ,
-.Dq S/MIME CA certificate ,
-or
-.Dq Object-signing CA certificate
-bits set.
-.El
-.It Dv X509_PURPOSE_ANY
-Nothing is required except that, if any extensions are present,
-parsing them needs to succeed.
-The check even succeeds if the three other common conditions
-cited above this list are violated.
-.El
-.Pp
-If the function
-.Xr X509_PURPOSE_add 3
-was called before
-.Fn X509_check_purpose ,
-it may have installed different, user-supplied checking functions
-for some of the standard purposes listed above, or it may have
-installed additional, user-supplied checking functions for user-defined
-.Fa purpose
-identifiers not listed above.
-.Sh RETURN VALUES
-If the parsing of certificate extensions fails, sanity checks fail or the
-.Fa purpose
-is invalid,
-.Fn X509_check_purpose
-returns \-1 to indicate the error.
-.Pp
-If the
-.Fa purpose
-argument is \-1 and parsing and minimal sanity checks succeed,
-.Fn X509_check_purpose
-returns 1 to indicate success.
-.Pp
-Otherwise, it returns the following values:
-.Pp
-If
-.Fa ca
-is 0:
-.Bl -column -1 Failure -compact
-.It 0 Ta Failure Ta The
-.Fa certificate
-cannot be used for the
-.Fa purpose .
-.It 1 Ta Success Ta The
-.Fa certificate
-can be used for the
-.Fa purpose .
-.It 2 Ta Unknown Ta \&No decision can be made.
-.El
-.Pp
-If
-.Fa ca
-is non-zero:
-.Bl -column -1 Failure -compact
-.It 0 Ta Failure Ta The
-.Fa certificate
-cannot be used as a CA for the
-.Fa purpose .
-.It 1 Ta Success Ta The
-.Fa certificate
-can be used as a CA for the
-.Fa purpose .
-.It 3 Ta Success Ta The Fa certificate No is a version 1 CA .
-.It 4 Ta Success Ta The Key Usage allows Dv keyCertSign .
-.It 5 Ta Success Ta A Netscape Cert Type allows usage as a CA.
-.El
-.Sh SEE ALSO
-.Xr BASIC_CONSTRAINTS_new 3 ,
-.Xr EXTENDED_KEY_USAGE_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509_PURPOSE_set 3 ,
-.Xr X509V3_get_d2i 3 ,
-.Xr x509v3.cnf 5
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile
-.Bl -dash -offset indent -compact
-.It
-section 4.2.1.3: Key Usage
-.It
-section 4.2.1.9: Basic Constraints
-.It
-section 4.2.1.12: Extended Key Usage
-.El
-.Sh HISTORY
-.Fn X509_check_purpose
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .

diff --git a/src/lib/libcrypto/man/X509_check_purpose.3 b/src/lib/libcrypto/man/X509_check_purpose.3 deleted file mode 100644 index 8fea6679fc..0000000000 --- a/src/lib/libcrypto/man/X509_check_purpose.3 +++ /dev/null
@@ -1,431 +0,0 @@
1	.\" $OpenBSD: X509_check_purpose.3,v 1.12 2024/09/02 08:04:32 tb Exp $
2	.\"
3	.\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
4	.\"
5	.\" Permission to use, copy, modify, and distribute this software for any
6	.\" purpose with or without fee is hereby granted, provided that the above
7	.\" copyright notice and this permission notice appear in all copies.
8	.\"
9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"
17	.Dd $Mdocdate: September 2 2024 $
18	.Dt X509_CHECK_PURPOSE 3
19	.Os
20	.Sh NAME
21	.Nm X509_check_purpose
22	.Nd check intended usage of a public key
23	.Sh SYNOPSIS
24	.In openssl/x509v3.h
25	.Ft int
26	.Fo X509_check_purpose
27	.Fa "X509 *certificate"
28	.Fa "int purpose"
29	.Fa "int ca"
30	.Fc
31	.Sh DESCRIPTION
32	If the
33	.Fa purpose
34	argument is \-1,
35	.Fn X509_check_purpose
36	ignores the
37	.Fa ca
38	argument and checks that all the extensions of the
39	.Fa certificate
40	can be parsed and pass minimal sanity checks, ensuring that
41	no extension occurs more than once.
42	It also makes sure that all extensions are cached in the
43	.Vt X509
44	object.
45	.Pp
46	If the
47	.Fa purpose
48	argument is not \-1 and the
49	.Fa ca
50	flag is 0,
51	.Fn X509_check_purpose
52	also checks whether the public key contained in the
53	.Fa certificate
54	is intended to be used for the given
55	.Fa purpose ,
56	which can be one of the following integer constants.
57	The check succeeds if none of the conditions given in the list below
58	are violated.
59	It always fails if parsing fails for any extension contained in the
60	.Fa certificate .
61	.Bl -tag -width 1n
62	.It Dv X509_PURPOSE_SSL_CLIENT
63	.Bl -dash -width 1n -compact
64	.It
65	If the
66	.Fa certificate
67	contains an Extended Key Usage extension, it contains the RFC 5280
68	.Dq TLS WWW client authentication
69	purpose
70	.Pq Dv NID_client_auth .
71	.It
72	If the
73	.Fa certificate
74	contains a Key Usage extension, the
75	.Dv digitalSignature
76	bit is set.
77	.It
78	If the
79	.Fa certificate
80	contains a Netscape Cert Type extension, the
81	.Dq SSL client certificate
82	bit is set
83	.Pq Dv NS_SSL_CLIENT .
84	.El
85	.It Dv X509_PURPOSE_SSL_SERVER
86	.Bl -dash -width 1n -compact
87	.It
88	If the
89	.Fa certificate
90	contains an Extended Key Usage extension, it contains the RFC 5280
91	.Dq TLS WWW server authentication
92	purpose
93	.Pq Dv NID_server_auth
94	or the private
95	.Dq Netscape Server Gated Crypto
96	.Pq Dv NID_ns_sgc
97	or
98	.Dq Microsoft Server Gated Crypto
99	.Pq Dv NID_ms_sgc
100	purpose.
101	.It
102	If the
103	.Fa certificate
104	contains a Key Usage extension, at least one of the
105	.Dv digitalSignature
106	and
107	.Dv keyEncipherment
108	bits is set.
109	.It
110	If the
111	.Fa certificate
112	contains a Netscape Cert Type extension, the
113	.Dq SSL server certificate
114	bit is set
115	.Pq Dv NS_SSL_SERVER
116	.El
117	.It Dv X509_PURPOSE_NS_SSL_SERVER
118	.\" check_purpose_ns_ssl_server, "Netscape SSL server"
119	This does the same checks as
120	.Dv X509_PURPOSE_SSL_SERVER
121	and additionally requires that a Key Usage extension, if present,
122	has the
123	.Dv keyEncipherment
124	bit set.
125	.It Dv X509_PURPOSE_SMIME_SIGN
126	.\" check_purpose_smime_sign, "S/MIME signing"
127	.Bl -dash -width 1n -compact
128	.It
129	If the
130	.Fa certificate
131	contains an Extended Key Usage extension, it contains the RFC 5280
132	.Dq Email protection
133	purpose
134	.Pq Dv NID_email_protect .
135	.It
136	If the
137	.Fa certificate
138	contains a Key Usage extension, at least one of the
139	.Dv digitalSignature
140	and
141	.Dv nonRepudiation
142	bits is set.
143	.It
144	If the
145	.Fa certificate
146	contains a Netscape Cert Type extension, it has the
147	.Dq S/MIME certificate
148	bit set.
149	If the
150	.Dq SSL client certificate
151	bit is set but the
152	.Dq S/MIME certificate
153	bit is not, no decision is made.
154	.El
155	.It Dv X509_PURPOSE_SMIME_ENCRYPT
156	.\" check_purpose_smime_encrypt, "S/MIME encryption"
157	.Bl -dash -width 1n -compact
158	.It
159	If the
160	.Fa certificate
161	contains an Extended Key Usage extension, it contains the RFC 5280
162	.Dq Email protection
163	purpose
164	.Pq Dv NID_email_protect .
165	.It
166	If the
167	.Fa certificate
168	contains a Key Usage extension, the
169	.Dv keyEncipherment
170	bit is set.
171	.It
172	If the
173	.Fa certificate
174	contains a Netscape Cert Type extension, it has the
175	.Dq S/MIME certificate
176	bit set.
177	If the
178	.Dq SSL client certificate
179	bit is set but the
180	.Dq S/MIME certificate
181	bit is not, no decision is made.
182	.El
183	.It Dv X509_PURPOSE_CRL_SIGN
184	.\" check_purpose_crl_sign, "CRL signing"
185	.Bl -dash -width 1n -compact
186	.It
187	If the
188	.Fa certificate
189	contains a Key Usage extension, the
190	.Dv cRLSign
191	bit is set.
192	.El
193	.It Dv X509_PURPOSE_ANY
194	Nothing is required except that, if any extensions are present,
195	parsing them needs to succeed.
196	.It Dv X509_PURPOSE_OCSP_HELPER
197	.\" ocsp_helper, "OCSP helper"
198	Nothing is required except that, if any extensions are present,
199	parsing them needs to succeed.
200	The application program is expected
201	to do the actual checking by other means.
202	.It Dv X509_PURPOSE_TIMESTAMP_SIGN
203	.\" check_purpose_timestamp_sign, "Time Stamp signing"
204	.Bl -dash -width 1n -compact
205	.It
206	The
207	.Fa certificate
208	contains an Extended Key Usage extension containing the RFC 5280
209	.Dq Time Stamping
210	purpose and no other purpose.
211	This extension is marked as critical.
212	.It
213	If the
214	.Fa certificate
215	contains a Key Usage extension, at least one of the
216	.Dv digitalSignature
217	and
218	.Dv nonRepudiation
219	bits is set, and no other bits are set.
220	.El
221	.El
222	.Pp
223	If the
224	.Fa purpose
225	argument is not \-1 and the
226	.Fa ca
227	flag is non-zero,
228	.Fn X509_check_purpose
229	instead checks, in addition to the minimal sanity checks, whether the
230	.Fa certificate
231	can be used as a certificate authority certificate
232	in the context of the given
233	.Fa purpose .
234	To succeed, the check always requires that none of the following
235	conditions are violated:
236	.Pp
237	.Bl -dash -width 1n -compact
238	.It
239	If the
240	.Fa certificate
241	contains any extensions, parsing them succeeds.
242	.It
243	If the
244	.Fa certificate
245	contains a Key Usage extension, the
246	.Dv keyCertSign
247	bit is set.
248	.It
249	If the
250	.Fa certificate
251	contains a Basic Constraints extension, the
252	.Fa cA
253	field is set.
254	.It
255	If the
256	.Fa certificate
257	is a version 1 certificate, the subject name matches the issuer name
258	and the certificate is self signed.
259	.El
260	.Pp
261	The check succeeds if none of the additional conditions given in
262	the list below are violated.
263	.Bl -tag -width 1n
264	.It Dv X509_PURPOSE_SSL_CLIENT
265	.Bl -dash -width 1n -compact
266	.It
267	If the
268	.Fa certificate
269	contains an Extended Key Usage extension, it contains the RFC 5280
270	.Dq TLS WWW client authentication
271	purpose
272	.Pq Dv NID_client_auth .
273	.It
274	If the
275	.Fa certificate
276	is not a version 1 certificate and does not contain a Basic Constraints
277	extension, it contains a Key Usage extension with the
278	.Dv keyCertSign
279	bit set or a Netscape Cert Type extension with the
280	.Dq SSL CA certificate
281	bit set.
282	.El
283	.It Dv X509_PURPOSE_SSL_SERVER No or Dv X509_PURPOSE_NS_SSL_SERVER
284	.Bl -dash -width 1n -compact
285	.It
286	If the
287	.Fa certificate
288	contains an Extended Key Usage extension, it contains the RFC 5280
289	.Dq TLS WWW server authentication
290	purpose
291	.Pq Dv NID_server_auth
292	or the private
293	.Dq Netscape Server Gated Crypto
294	.Pq Dv NID_ns_sgc
295	or
296	.Dq Microsoft Server Gated Crypto
297	.Pq Dv NID_ms_sgc
298	purpose.
299	.It
300	If the
301	.Fa certificate
302	is not a version 1 certificate and does not contain a Basic Constraints
303	extension, it contains a Key Usage extension with the
304	.Dv keyCertSign
305	bit set or a Netscape Cert Type extension with the
306	.Dq SSL CA certificate
307	bit set.
308	.El
309	.It Dv X509_PURPOSE_SMIME_SIGN No or Dv X509_PURPOSE_SMIME_ENCRYPT
310	.Bl -dash -width 1n -compact
311	.It
312	If the
313	.Fa certificate
314	contains an Extended Key Usage extension, it contains the RFC 5280
315	.Dq Email protection
316	purpose
317	.Pq Dv NID_email_protect .
318	.It
319	If the
320	.Fa certificate
321	is not a version 1 certificate and does not contain a Basic Constraints
322	extension, it contains a Key Usage extension with the
323	.Dv keyCertSign
324	bit set or a Netscape Cert Type extension with the
325	.Dq S/MIME CA certificate
326	bit set.
327	.El
328	.It Xo
329	.Dv X509_PURPOSE_CRL_SIGN ,
330	.Dv X509_PURPOSE_OCSP_HELPER ,
331	or
332	.Dv X509_PURPOSE_TIMESTAMP_SIGN
333	.Xc
334	.Bl -dash -width 1n -compact
335	.It
336	If the
337	.Fa certificate
338	is not a version 1 certificate and does not contain a Basic Constraints
339	extension, it contains a Key Usage extension with the
340	.Dv keyCertSign
341	bit set or a Netscape Cert Type extension with at least one of the
342	.Dq SSL CA certificate ,
343	.Dq S/MIME CA certificate ,
344	or
345	.Dq Object-signing CA certificate
346	bits set.
347	.El
348	.It Dv X509_PURPOSE_ANY
349	Nothing is required except that, if any extensions are present,
350	parsing them needs to succeed.
351	The check even succeeds if the three other common conditions
352	cited above this list are violated.
353	.El
354	.Pp
355	If the function
356	.Xr X509_PURPOSE_add 3
357	was called before
358	.Fn X509_check_purpose ,
359	it may have installed different, user-supplied checking functions
360	for some of the standard purposes listed above, or it may have
361	installed additional, user-supplied checking functions for user-defined
362	.Fa purpose
363	identifiers not listed above.
364	.Sh RETURN VALUES
365	If the parsing of certificate extensions fails, sanity checks fail or the
366	.Fa purpose
367	is invalid,
368	.Fn X509_check_purpose
369	returns \-1 to indicate the error.
370	.Pp
371	If the
372	.Fa purpose
373	argument is \-1 and parsing and minimal sanity checks succeed,
374	.Fn X509_check_purpose
375	returns 1 to indicate success.
376	.Pp
377	Otherwise, it returns the following values:
378	.Pp
379	If
380	.Fa ca
381	is 0:
382	.Bl -column -1 Failure -compact
383	.It 0 Ta Failure Ta The
384	.Fa certificate
385	cannot be used for the
386	.Fa purpose .
387	.It 1 Ta Success Ta The
388	.Fa certificate
389	can be used for the
390	.Fa purpose .
391	.It 2 Ta Unknown Ta \&No decision can be made.
392	.El
393	.Pp
394	If
395	.Fa ca
396	is non-zero:
397	.Bl -column -1 Failure -compact
398	.It 0 Ta Failure Ta The
399	.Fa certificate
400	cannot be used as a CA for the
401	.Fa purpose .
402	.It 1 Ta Success Ta The
403	.Fa certificate
404	can be used as a CA for the
405	.Fa purpose .
406	.It 3 Ta Success Ta The Fa certificate No is a version 1 CA .
407	.It 4 Ta Success Ta The Key Usage allows Dv keyCertSign .
408	.It 5 Ta Success Ta A Netscape Cert Type allows usage as a CA.
409	.El
410	.Sh SEE ALSO
411	.Xr BASIC_CONSTRAINTS_new 3 ,
412	.Xr EXTENDED_KEY_USAGE_new 3 ,
413	.Xr X509_new 3 ,
414	.Xr X509_PURPOSE_set 3 ,
415	.Xr X509V3_get_d2i 3 ,
416	.Xr x509v3.cnf 5
417	.Sh STANDARDS
418	RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
419	Certificate Revocation List (CRL) Profile
420	.Bl -dash -offset indent -compact
421	.It
422	section 4.2.1.3: Key Usage
423	.It
424	section 4.2.1.9: Basic Constraints
425	.It
426	section 4.2.1.12: Extended Key Usage
427	.El
428	.Sh HISTORY
429	.Fn X509_check_purpose
430	first appeared in OpenSSL 0.9.5 and has been available since
431	.Ox 2.7 .