Sortix
current nightly

Sortix nightly manual

This manual documents Sortix nightly, a development build that has not been officially released. You can instead view this document in the latest official manual.

NAME

X509_PURPOSE_set, X509_PURPOSE_get_by_id, X509_PURPOSE_add, X509_PURPOSE_get_count, X509_PURPOSE_cleanup, X509_PURPOSE_get0, X509_PURPOSE_get_by_sname, X509_PURPOSE_get_id, X509_PURPOSE_get0_name, X509_PURPOSE_get0_sname, X509_PURPOSE_get_trustpurpose objects, indices, and identifiers

SYNOPSIS

#include <openssl/x509v3.h>
int
X509_PURPOSE_set(int *id_out, int id_in);
int
X509_PURPOSE_get_by_id(int identifier);
int
X509_PURPOSE_add(int identifier, int trust, int flags, int (*check_purpose)(const X509_PURPOSE *, const X509 *, int), const char *name, const char *sname, void *usr_data);
int
X509_PURPOSE_get_count(void);
void
X509_PURPOSE_cleanup(void);
X509_PURPOSE *
X509_PURPOSE_get0(int index);
int
X509_PURPOSE_get_by_sname(const char *sname);
int
X509_PURPOSE_get_id(const X509_PURPOSE *object);
char *
X509_PURPOSE_get0_name(const X509_PURPOSE *object);
char *
X509_PURPOSE_get0_sname(const X509_PURPOSE *object);
int
X509_PURPOSE_get_trust(const X509_PURPOSE *object);

DESCRIPTION

The purposes that an X.509 certificate is intended to be used for can be identified in three equivalent ways:
  1. By purpose identifiers, which are positive integer constants. Standard purpose identifiers lie in the range from X509_PURPOSE_MIN to X509_PURPOSE_MAX, inclusive, and are listed in the X509_check_purpose(3) manual page. User defined purpose identifiers are larger than X509_PURPOSE_MAX.
  2. By purpose indices, which are non-negative integer constants but differ from the purpose identifiers for the same purpose. Standard purpose indices are smaller than X509_PURPOSE_MAX. User defined purpose indices are larger than or equal to X509_PURPOSE_MAX.
  3. By purpose objects of the type X509_PURPOSE. Standard purpose objects are available in static storage. User defined purpose objects can be created with X509_PURPOSE_add().
Application programmers cannot choose the way to identify purposes that they like best; depending on the circumstances, all three ways are needed. Be warned that the naming of most functions is misleading.
Most API functions documented outside the present manual page use purpose identifiers rather than purpose indices.

Using purpose identifiers

X509_PURPOSE_set() validates the purpose identifier id_in. If it is valid, it is copied to *id_out. Otherwise, *id_out remains unchanged.
X509_PURPOSE_get_by_id() converts the purpose identifier to the corresponding purpose index. To find the corresponding purpose object, pass the result to X509_PURPOSE_get0().
X509_PURPOSE_add() defines a purpose with the given identifier or modifies its properties if it already exists. The purpose identifier, the trust identifier, the flags, the check_purpose function, the name, the short name sname, and the usr_data pointer are copied into the X509_PURPOSE object. When modifying an existing purpose object, previous values of fields are overwritten and previous name and sname strings are freed if they were dynamically allocated. When creating a new purpose object, it is added to the global array of user-defined purpose objects.
X509_PURPOSE_DYNAMIC and X509_PURPOSE_DYNAMIC_NAME are always ignored in the flags argument. X509_PURPOSE_DYNAMIC is automatically set if the object was created by the user. It is never set for standard objects, not even if they were modified by the user. X509_PURPOSE_DYNAMIC_NAME is automatically set if the object was created or modified by the user. It is only unset for unmodified standard objects. The library does not appear to define any other flags, so the flags argument is probably useless unless users define their own flags and use them in the check_purpose function.
The third and final argument of the check_purpose function is the ca argument documented in X509_check_purpose(3).
X509_PURPOSE_get_count() returns the total number of purposes currently defined, including both standard and user-defined purposes. If no user-defined purposes exist, the returned value is X509_PURPOSE_MAX.
X509_PURPOSE_cleanup() deletes all user-defined purpose objects and invalidates their purpose identifiers and purpose indices. If any of the standard purpose objects were modified by the user, those changes are not reverted.

Using purpose indices

X509_PURPOSE_get0() converts the purpose index to a pointer to the corresponding purpose object. To find the corresponding purpose identifier, pass the result to X509_PURPOSE_get_id().
X509_PURPOSE_get_by_sname() returns the lowest index of a purpose with the given short name.

Using purpose objects

X509_PURPOSE_get_id() converts a pointer to a purpose object to the corresponding purpose identifier. To find the corresponding purpose index, pass the result to X509_PURPOSE_get_by_id().
X509_PURPOSE_get0_name(), X509_PURPOSE_get0_sname(), and X509_PURPOSE_get_trust() retrieve the name, short name, and trust identifier from the object, respectively.

RETURN VALUES

X509_PURPOSE_set() returns 1 if id_in is valid or 0 otherwise.
X509_PURPOSE_get_by_id() and X509_PURPOSE_get_by_sname() return the corresponding purpose index or -1 if no matching purpose is found.
X509_PURPOSE_add() returns 1 for success or 0 for failure.
X509_PURPOSE_get_count() returns the total number of purposes currently defined.
X509_PURPOSE_get0() returns a standard or user-defined purpose object or NULL if the index is invalid.
X509_PURPOSE_get_id() always returns a valid purpose identifier.
X509_PURPOSE_get0_name() and X509_PURPOSE_get0_sname() return pointers to storage owned by the object.
X509_PURPOSE_get_trust() returns the trust identifier associated with the object.

ERRORS

The following diagnostics can be retrieved with ERR_get_error(3), ERR_GET_REASON(3), and ERR_reason_error_string(3):
X509V3_R_INVALID_PURPOSE “invalid purpose”
X509_PURPOSE_set() was called with an invalid id_in argument.
X509V3_R_INVALID_NULL_ARGUMENT “invalid null argument”
X509_PURPOSE_add() was called with a name or sname argument of NULL.
ERR_R_MALLOC_FAILURE “malloc failure”
X509_PURPOSE_add() failed to allocate memory.
The other functions provide no diagnostics.

SEE ALSO

X509_check_purpose(3), X509_new(3), X509_STORE_set_purpose(3), X509_VERIFY_PARAM_set_purpose(3)

HISTORY

X509_PURPOSE_set() first appeared in OpenSSL 0.9.7 and has been available since OpenBSD 3.2.
The other functions first appeared in OpenSSL 0.9.5 and have been available since OpenBSD 2.7.

CAVEATS

The difference between purpose identifiers and purpose indices provides an ideal breeding ground for off-by-one bugs.
Copyright 2011-2024 Jonas 'Sortie' Termansen and contributors.
Sortix is free software under the ISC license. 		#sortix on irc.sortix.org
@sortix_org