1 files changed, 0 insertions, 403 deletions
diff --git a/src/lib/libcrypto/man/X509_check_purpose.3 b/src/lib/libcrypto/man/X509_check_purpose.3
deleted file mode 100644
index fdb58d5b21..0000000000
--- a/src/lib/libcrypto/man/X509_check_purpose.3
+++ /dev/null
@@ -1,403 +0,0 @@
-.\" $OpenBSD: X509_check_purpose.3,v 1.6 2021/07/27 13:27:46 schwarze Exp $
-.\"
-.\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: July 27 2021 $
-.Dt X509_CHECK_PURPOSE 3
-.Os
-.Sh NAME
-.Nm X509_check_purpose
-.Nd check intended usage of a public key
-.Sh SYNOPSIS
-.In openssl/x509v3.h
-.Ft int
-.Fo X509_check_purpose
-.Fa "X509 *certificate"
-.Fa "int purpose"
-.Fa "int ca"
-.Fc
-.Sh DESCRIPTION
-If the
-.Fa ca
-flag is 0,
-.Fn X509_check_purpose
-checks whether the public key contained in the
-.Fa certificate
-is intended to be used for the given
-.Fa purpose ,
-which can be one of the following integer constants.
-The check succeeds if none of the conditions given in the list below
-are violated.
-.Bl -tag -width 1n
-.It Dv X509_PURPOSE_SSL_CLIENT
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains an Extended Key Usage extension, it contains the RFC 5280
-.Dq TLS WWW client authentication
-purpose
-.Pq Dv NID_client_auth .
-.It
-If the
-.Fa certificate
-contains a Key Usage extension, the
-.Dv digitalSignature
-bit is set.
-.It
-If the
-.Fa certificate
-contains a Netscape Cert Type extension, the
-.Dq SSL client certificate
-bit is set
-.Pq Dv NS_SSL_CLIENT .
-.El
-.It Dv X509_PURPOSE_SSL_SERVER
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains an Extended Key Usage extension, it contains the RFC 5280
-.Dq TLS WWW server authentication
-purpose
-.Pq Dv NID_server_auth
-or the private
-.Dq Netscape Server Gated Crypto
-.Pq Dv NID_ns_sgc
-or
-.Dq Microsoft Server Gated Crypto
-.Pq Dv NID_ms_sgc
-purpose.
-.It
-If the
-.Fa certificate
-contains a Key Usage extension, at least one of the
-.Dv digitalSignature
-and
-.Dv keyEncipherment
-bits is set.
-.It
-If the
-.Fa certificate
-contains a Netscape Cert Type extension, the
-.Dq SSL server certificate
-bit is set
-.Pq Dv NS_SSL_SERVER
-.El
-.It Dv X509_PURPOSE_NS_SSL_SERVER
-.\" check_purpose_ns_ssl_server, "Netscape SSL server"
-This does the same checks as
-.Dv X509_PURPOSE_SSL_SERVER
-and additionally requires that a Key Usage extension, if present,
-has the
-.Dv keyEncipherment
-bit set.
-.It Dv X509_PURPOSE_SMIME_SIGN
-.\" check_purpose_smime_sign, "S/MIME signing"
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains an Extended Key Usage extension, it contains the RFC 5280
-.Dq Email protection
-purpose
-.Pq Dv NID_email_protect .
-.It
-If the
-.Fa certificate
-contains a Key Usage extension, at least one of the
-.Dv digitalSignature
-and
-.Dv nonRepudiation
-bits is set.
-.It
-If the
-.Fa certificate
-contains a Netscape Cert Type extension, it has the
-.Dq S/MIME certificate
-bit set.
-If the
-.Dq SSL client certificate
-bit is set but the
-.Dq S/MIME certificate
-bit is not, no decision is made.
-.El
-.It Dv X509_PURPOSE_SMIME_ENCRYPT
-.\" check_purpose_smime_encrypt, "S/MIME encryption"
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains an Extended Key Usage extension, it contains the RFC 5280
-.Dq Email protection
-purpose
-.Pq Dv NID_email_protect .
-.It
-If the
-.Fa certificate
-contains a Key Usage extension, the
-.Dv keyEncipherment
-bit is set.
-.It
-If the
-.Fa certificate
-contains a Netscape Cert Type extension, it has the
-.Dq S/MIME certificate
-bit set.
-If the
-.Dq SSL client certificate
-bit is set but the
-.Dq S/MIME certificate
-bit is not, no decision is made.
-.El
-.It Dv X509_PURPOSE_CRL_SIGN
-.\" check_purpose_crl_sign, "CRL signing"
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains a Key Usage extension, the
-.Dv cRLSign
-bit is set.
-.El
-.It Dv X509_PURPOSE_ANY
-The check always succeeds.
-.It Dv X509_PURPOSE_OCSP_HELPER
-.\" ocsp_helper, "OCSP helper"
-The check always succeeds.
-The application program is expected
-to do the actual checking by other means.
-.It Dv X509_PURPOSE_TIMESTAMP_SIGN
-.\" check_purpose_timestamp_sign, "Time Stamp signing"
-.Bl -dash -width 1n -compact
-.It
-The
-.Fa certificate
-contains an Extended Key Usage extension containing the RFC 5280
-.Dq Time Stamping
-purpose and no other purpose.
-This extension is marked as critical.
-.It
-If the
-.Fa certificate
-contains a Key Usage extension, at least one of the
-.Dv digitalSignature
-and
-.Dv nonRepudiation
-bits is set, and no other bits are set.
-.El
-.El
-.Pp
-If the
-.Fa ca
-flag is non-zero,
-.Fn X509_check_purpose
-instead checks whether the
-.Fa certificate
-can be used as a certificate authority certificate
-in the context of the given
-.Fa purpose .
-To succeed, the check always requires that none of the following
-conditions are violated:
-.Pp
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains a Key Usage extension, the
-.Dv keyCertSign
-bit is set.
-.It
-If the
-.Fa certificate
-contains a Basic Constraints extension, the
-.Fa cA
-field is set.
-.It
-If the
-.Fa certificate
-is a version 1 certificate, the subject name matches the issuer name
-and the certificate is self signed.
-.El
-.Pp
-The check succeeds if none of the additional conditions given in
-the list below are violated.
-.Bl -tag -width 1n
-.It Dv X509_PURPOSE_SSL_CLIENT
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains an Extended Key Usage extension, it contains the RFC 5280
-.Dq TLS WWW client authentication
-purpose
-.Pq Dv NID_client_auth .
-.It
-If the
-.Fa certificate
-is not a version 1 certificate and does not contain a Basic Constraints
-extension, it contains a Key Usage extension with the
-.Dv keyCertSign
-bit set or a Netscape Cert Type extension with the
-.Dq SSL CA certificate
-bit set.
-.El
-.It Dv X509_PURPOSE_SSL_SERVER No or Dv X509_PURPOSE_NS_SSL_SERVER
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains an Extended Key Usage extension, it contains the RFC 5280
-.Dq TLS WWW server authentication
-purpose
-.Pq Dv NID_server_auth
-or the private
-.Dq Netscape Server Gated Crypto
-.Pq Dv NID_ns_sgc
-or
-.Dq Microsoft Server Gated Crypto
-.Pq Dv NID_ms_sgc
-purpose.
-.It
-If the
-.Fa certificate
-is not a version 1 certificate and does not contain a Basic Constraints
-extension, it contains a Key Usage extension with the
-.Dv keyCertSign
-bit set or a Netscape Cert Type extension with the
-.Dq SSL CA certificate
-bit set.
-.El
-.It Dv X509_PURPOSE_SMIME_SIGN No or Dv X509_PURPOSE_SMIME_ENCRYPT
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-contains an Extended Key Usage extension, it contains the RFC 5280
-.Dq Email protection
-purpose
-.Pq Dv NID_email_protect .
-.It
-If the
-.Fa certificate
-is not a version 1 certificate and does not contain a Basic Constraints
-extension, it contains a Key Usage extension with the
-.Dv keyCertSign
-bit set or a Netscape Cert Type extension with the
-.Dq S/MIME CA certificate
-bit set.
-.El
-.It Xo
-.Dv X509_PURPOSE_CRL_SIGN ,
-.Dv X509_PURPOSE_OCSP_HELPER ,
-or
-.Dv X509_PURPOSE_TIMESTAMP_SIGN
-.Xc
-.Bl -dash -width 1n -compact
-.It
-If the
-.Fa certificate
-is not a version 1 certificate and does not contain a Basic Constraints
-extension, it contains a Key Usage extension with the
-.Dv keyCertSign
-bit set or a Netscape Cert Type extension with at least one of the
-.Dq SSL CA certificate ,
-.Dq S/MIME CA certificate ,
-or
-.Dq Object-signing CA certificate
-bits set.
-.El
-.It Dv X509_PURPOSE_ANY
-The check always succeeds, even if the three common conditions
-cited above this list are violated.
-.El
-.Pp
-If the
-.Fa purpose
-is -1,
-.Fn X509_check_purpose
-always succeeds, no matter whether or not the
-.Fa ca
-flag is set.
-.Pp
-If the function
-.Xr X509_PURPOSE_add 3
-was called before
-.Fn X509_check_purpose ,
-it may have installed different, user-supplied checking functions
-for some of the standard purposes listed above, or it may have
-installed additional, user-supplied checking functions for user-defined
-.Fa purpose
-identifiers not listed above.
-.Sh RETURN VALUES
-.Fn X509_check_purpose
-returns the following values:
-.Bl -column -1 Failure -compact
-.It -1 Ta Error Ta The
-.Fa purpose
-is invalid.
-.It 0 Ta Failure Ta The
-.Fa certificate
-cannot be used for the
-.Fa purpose .
-.El
-.Pp
-If
-.Fa ca
-is 0, the following values can also be returned:
-.Bl -column -1 Failure -compact
-.It 1 Ta Success Ta The
-.Fa certificate
-can be used for the
-.Fa purpose .
-.It 2 Ta Unknown Ta \&No decision can be made.
-.El
-.Pp
-If
-.Fa ca
-is non-zero, the following values can also be returned:
-.Bl -column -1 Failure -compact
-.It 1 Ta Success Ta The
-.Fa certificate
-can be used as a CA for the
-.Fa purpose .
-.It 3 Ta Success Ta The Fa certificate No is a version 1 CA .
-.It 4 Ta Success Ta The Key Usage allows Dv keyCertSign .
-.It 5 Ta Success Ta A Netscape Cert Type allows usage as a CA.
-.El
-.Sh SEE ALSO
-.Xr BASIC_CONSTRAINTS_new 3 ,
-.Xr EXTENDED_KEY_USAGE_new 3 ,
-.Xr X509_check_trust 3 ,
-.Xr X509_new 3 ,
-.Xr X509_policy_check 3 ,
-.Xr X509_PURPOSE_set 3 ,
-.Xr X509V3_get_d2i 3 ,
-.Xr x509v3.cnf 5
-.Sh STANDARDS
-RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
-Certificate Revocation List (CRL) Profile
-.Bl -dash -offset indent -compact
-.It
-section 4.2.1.3: Key Usage
-.It
-section 4.2.1.9: Basic Constraints
-.It
-section 4.2.1.12: Extended Key Usage
-.El
-.Sh HISTORY
-.Fn X509_check_purpose
-first appeared in OpenSSL 0.9.5 and has been available since
-.Ox 2.7 .

diff --git a/src/lib/libcrypto/man/X509_check_purpose.3 b/src/lib/libcrypto/man/X509_check_purpose.3 deleted file mode 100644 index fdb58d5b21..0000000000 --- a/src/lib/libcrypto/man/X509_check_purpose.3 +++ /dev/null
@@ -1,403 +0,0 @@
1	.\" $OpenBSD: X509_check_purpose.3,v 1.6 2021/07/27 13:27:46 schwarze Exp $
2	.\"
3	.\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
4	.\"
5	.\" Permission to use, copy, modify, and distribute this software for any
6	.\" purpose with or without fee is hereby granted, provided that the above
7	.\" copyright notice and this permission notice appear in all copies.
8	.\"
9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16	.\"
17	.Dd $Mdocdate: July 27 2021 $
18	.Dt X509_CHECK_PURPOSE 3
19	.Os
20	.Sh NAME
21	.Nm X509_check_purpose
22	.Nd check intended usage of a public key
23	.Sh SYNOPSIS
24	.In openssl/x509v3.h
25	.Ft int
26	.Fo X509_check_purpose
27	.Fa "X509 *certificate"
28	.Fa "int purpose"
29	.Fa "int ca"
30	.Fc
31	.Sh DESCRIPTION
32	If the
33	.Fa ca
34	flag is 0,
35	.Fn X509_check_purpose
36	checks whether the public key contained in the
37	.Fa certificate
38	is intended to be used for the given
39	.Fa purpose ,
40	which can be one of the following integer constants.
41	The check succeeds if none of the conditions given in the list below
42	are violated.
43	.Bl -tag -width 1n
44	.It Dv X509_PURPOSE_SSL_CLIENT
45	.Bl -dash -width 1n -compact
46	.It
47	If the
48	.Fa certificate
49	contains an Extended Key Usage extension, it contains the RFC 5280
50	.Dq TLS WWW client authentication
51	purpose
52	.Pq Dv NID_client_auth .
53	.It
54	If the
55	.Fa certificate
56	contains a Key Usage extension, the
57	.Dv digitalSignature
58	bit is set.
59	.It
60	If the
61	.Fa certificate
62	contains a Netscape Cert Type extension, the
63	.Dq SSL client certificate
64	bit is set
65	.Pq Dv NS_SSL_CLIENT .
66	.El
67	.It Dv X509_PURPOSE_SSL_SERVER
68	.Bl -dash -width 1n -compact
69	.It
70	If the
71	.Fa certificate
72	contains an Extended Key Usage extension, it contains the RFC 5280
73	.Dq TLS WWW server authentication
74	purpose
75	.Pq Dv NID_server_auth
76	or the private
77	.Dq Netscape Server Gated Crypto
78	.Pq Dv NID_ns_sgc
79	or
80	.Dq Microsoft Server Gated Crypto
81	.Pq Dv NID_ms_sgc
82	purpose.
83	.It
84	If the
85	.Fa certificate
86	contains a Key Usage extension, at least one of the
87	.Dv digitalSignature
88	and
89	.Dv keyEncipherment
90	bits is set.
91	.It
92	If the
93	.Fa certificate
94	contains a Netscape Cert Type extension, the
95	.Dq SSL server certificate
96	bit is set
97	.Pq Dv NS_SSL_SERVER
98	.El
99	.It Dv X509_PURPOSE_NS_SSL_SERVER
100	.\" check_purpose_ns_ssl_server, "Netscape SSL server"
101	This does the same checks as
102	.Dv X509_PURPOSE_SSL_SERVER
103	and additionally requires that a Key Usage extension, if present,
104	has the
105	.Dv keyEncipherment
106	bit set.
107	.It Dv X509_PURPOSE_SMIME_SIGN
108	.\" check_purpose_smime_sign, "S/MIME signing"
109	.Bl -dash -width 1n -compact
110	.It
111	If the
112	.Fa certificate
113	contains an Extended Key Usage extension, it contains the RFC 5280
114	.Dq Email protection
115	purpose
116	.Pq Dv NID_email_protect .
117	.It
118	If the
119	.Fa certificate
120	contains a Key Usage extension, at least one of the
121	.Dv digitalSignature
122	and
123	.Dv nonRepudiation
124	bits is set.
125	.It
126	If the
127	.Fa certificate
128	contains a Netscape Cert Type extension, it has the
129	.Dq S/MIME certificate
130	bit set.
131	If the
132	.Dq SSL client certificate
133	bit is set but the
134	.Dq S/MIME certificate
135	bit is not, no decision is made.
136	.El
137	.It Dv X509_PURPOSE_SMIME_ENCRYPT
138	.\" check_purpose_smime_encrypt, "S/MIME encryption"
139	.Bl -dash -width 1n -compact
140	.It
141	If the
142	.Fa certificate
143	contains an Extended Key Usage extension, it contains the RFC 5280
144	.Dq Email protection
145	purpose
146	.Pq Dv NID_email_protect .
147	.It
148	If the
149	.Fa certificate
150	contains a Key Usage extension, the
151	.Dv keyEncipherment
152	bit is set.
153	.It
154	If the
155	.Fa certificate
156	contains a Netscape Cert Type extension, it has the
157	.Dq S/MIME certificate
158	bit set.
159	If the
160	.Dq SSL client certificate
161	bit is set but the
162	.Dq S/MIME certificate
163	bit is not, no decision is made.
164	.El
165	.It Dv X509_PURPOSE_CRL_SIGN
166	.\" check_purpose_crl_sign, "CRL signing"
167	.Bl -dash -width 1n -compact
168	.It
169	If the
170	.Fa certificate
171	contains a Key Usage extension, the
172	.Dv cRLSign
173	bit is set.
174	.El
175	.It Dv X509_PURPOSE_ANY
176	The check always succeeds.
177	.It Dv X509_PURPOSE_OCSP_HELPER
178	.\" ocsp_helper, "OCSP helper"
179	The check always succeeds.
180	The application program is expected
181	to do the actual checking by other means.
182	.It Dv X509_PURPOSE_TIMESTAMP_SIGN
183	.\" check_purpose_timestamp_sign, "Time Stamp signing"
184	.Bl -dash -width 1n -compact
185	.It
186	The
187	.Fa certificate
188	contains an Extended Key Usage extension containing the RFC 5280
189	.Dq Time Stamping
190	purpose and no other purpose.
191	This extension is marked as critical.
192	.It
193	If the
194	.Fa certificate
195	contains a Key Usage extension, at least one of the
196	.Dv digitalSignature
197	and
198	.Dv nonRepudiation
199	bits is set, and no other bits are set.
200	.El
201	.El
202	.Pp
203	If the
204	.Fa ca
205	flag is non-zero,
206	.Fn X509_check_purpose
207	instead checks whether the
208	.Fa certificate
209	can be used as a certificate authority certificate
210	in the context of the given
211	.Fa purpose .
212	To succeed, the check always requires that none of the following
213	conditions are violated:
214	.Pp
215	.Bl -dash -width 1n -compact
216	.It
217	If the
218	.Fa certificate
219	contains a Key Usage extension, the
220	.Dv keyCertSign
221	bit is set.
222	.It
223	If the
224	.Fa certificate
225	contains a Basic Constraints extension, the
226	.Fa cA
227	field is set.
228	.It
229	If the
230	.Fa certificate
231	is a version 1 certificate, the subject name matches the issuer name
232	and the certificate is self signed.
233	.El
234	.Pp
235	The check succeeds if none of the additional conditions given in
236	the list below are violated.
237	.Bl -tag -width 1n
238	.It Dv X509_PURPOSE_SSL_CLIENT
239	.Bl -dash -width 1n -compact
240	.It
241	If the
242	.Fa certificate
243	contains an Extended Key Usage extension, it contains the RFC 5280
244	.Dq TLS WWW client authentication
245	purpose
246	.Pq Dv NID_client_auth .
247	.It
248	If the
249	.Fa certificate
250	is not a version 1 certificate and does not contain a Basic Constraints
251	extension, it contains a Key Usage extension with the
252	.Dv keyCertSign
253	bit set or a Netscape Cert Type extension with the
254	.Dq SSL CA certificate
255	bit set.
256	.El
257	.It Dv X509_PURPOSE_SSL_SERVER No or Dv X509_PURPOSE_NS_SSL_SERVER
258	.Bl -dash -width 1n -compact
259	.It
260	If the
261	.Fa certificate
262	contains an Extended Key Usage extension, it contains the RFC 5280
263	.Dq TLS WWW server authentication
264	purpose
265	.Pq Dv NID_server_auth
266	or the private
267	.Dq Netscape Server Gated Crypto
268	.Pq Dv NID_ns_sgc
269	or
270	.Dq Microsoft Server Gated Crypto
271	.Pq Dv NID_ms_sgc
272	purpose.
273	.It
274	If the
275	.Fa certificate
276	is not a version 1 certificate and does not contain a Basic Constraints
277	extension, it contains a Key Usage extension with the
278	.Dv keyCertSign
279	bit set or a Netscape Cert Type extension with the
280	.Dq SSL CA certificate
281	bit set.
282	.El
283	.It Dv X509_PURPOSE_SMIME_SIGN No or Dv X509_PURPOSE_SMIME_ENCRYPT
284	.Bl -dash -width 1n -compact
285	.It
286	If the
287	.Fa certificate
288	contains an Extended Key Usage extension, it contains the RFC 5280
289	.Dq Email protection
290	purpose
291	.Pq Dv NID_email_protect .
292	.It
293	If the
294	.Fa certificate
295	is not a version 1 certificate and does not contain a Basic Constraints
296	extension, it contains a Key Usage extension with the
297	.Dv keyCertSign
298	bit set or a Netscape Cert Type extension with the
299	.Dq S/MIME CA certificate
300	bit set.
301	.El
302	.It Xo
303	.Dv X509_PURPOSE_CRL_SIGN ,
304	.Dv X509_PURPOSE_OCSP_HELPER ,
305	or
306	.Dv X509_PURPOSE_TIMESTAMP_SIGN
307	.Xc
308	.Bl -dash -width 1n -compact
309	.It
310	If the
311	.Fa certificate
312	is not a version 1 certificate and does not contain a Basic Constraints
313	extension, it contains a Key Usage extension with the
314	.Dv keyCertSign
315	bit set or a Netscape Cert Type extension with at least one of the
316	.Dq SSL CA certificate ,
317	.Dq S/MIME CA certificate ,
318	or
319	.Dq Object-signing CA certificate
320	bits set.
321	.El
322	.It Dv X509_PURPOSE_ANY
323	The check always succeeds, even if the three common conditions
324	cited above this list are violated.
325	.El
326	.Pp
327	If the
328	.Fa purpose
329	is -1,
330	.Fn X509_check_purpose
331	always succeeds, no matter whether or not the
332	.Fa ca
333	flag is set.
334	.Pp
335	If the function
336	.Xr X509_PURPOSE_add 3
337	was called before
338	.Fn X509_check_purpose ,
339	it may have installed different, user-supplied checking functions
340	for some of the standard purposes listed above, or it may have
341	installed additional, user-supplied checking functions for user-defined
342	.Fa purpose
343	identifiers not listed above.
344	.Sh RETURN VALUES
345	.Fn X509_check_purpose
346	returns the following values:
347	.Bl -column -1 Failure -compact
348	.It -1 Ta Error Ta The
349	.Fa purpose
350	is invalid.
351	.It 0 Ta Failure Ta The
352	.Fa certificate
353	cannot be used for the
354	.Fa purpose .
355	.El
356	.Pp
357	If
358	.Fa ca
359	is 0, the following values can also be returned:
360	.Bl -column -1 Failure -compact
361	.It 1 Ta Success Ta The
362	.Fa certificate
363	can be used for the
364	.Fa purpose .
365	.It 2 Ta Unknown Ta \&No decision can be made.
366	.El
367	.Pp
368	If
369	.Fa ca
370	is non-zero, the following values can also be returned:
371	.Bl -column -1 Failure -compact
372	.It 1 Ta Success Ta The
373	.Fa certificate
374	can be used as a CA for the
375	.Fa purpose .
376	.It 3 Ta Success Ta The Fa certificate No is a version 1 CA .
377	.It 4 Ta Success Ta The Key Usage allows Dv keyCertSign .
378	.It 5 Ta Success Ta A Netscape Cert Type allows usage as a CA.
379	.El
380	.Sh SEE ALSO
381	.Xr BASIC_CONSTRAINTS_new 3 ,
382	.Xr EXTENDED_KEY_USAGE_new 3 ,
383	.Xr X509_check_trust 3 ,
384	.Xr X509_new 3 ,
385	.Xr X509_policy_check 3 ,
386	.Xr X509_PURPOSE_set 3 ,
387	.Xr X509V3_get_d2i 3 ,
388	.Xr x509v3.cnf 5
389	.Sh STANDARDS
390	RFC 5280: Internet X.509 Public Key Infrastructure Certificate and
391	Certificate Revocation List (CRL) Profile
392	.Bl -dash -offset indent -compact
393	.It
394	section 4.2.1.3: Key Usage
395	.It
396	section 4.2.1.9: Basic Constraints
397	.It
398	section 4.2.1.12: Extended Key Usage
399	.El
400	.Sh HISTORY
401	.Fn X509_check_purpose
402	first appeared in OpenSSL 0.9.5 and has been available since
403	.Ox 2.7 .