NAME

X509_add1_trust_object, X509_trust_clear, X509_add1_reject_object, X509_reject_clear — mark an X.509 certificate as intended for a specific purpose

SYNOPSIS

#include <openssl/x509.h>

int
X509_add1_trust_object(X509 *x, const ASN1_OBJECT *purpose);

void
X509_trust_clear(X509 *x);

int
X509_add1_reject_object(X509 *x, const ASN1_OBJECT *purpose);

void
X509_reject_clear(X509 *x);

DESCRIPTION

X509_add1_trust_object() appends a deep copy of the purpose object to the set of intended purposes that x contains as non-standard auxiliary data. The function OBJ_nid2obj(3) can be used to create appropriate purpose objects from the NID_* constants mentioned in X509_check_purpose(3), even though the X509_PURPOSE_* constants listed in that manual page are not intended for use with X509_add1_trust_object().

X509_trust_clear() frees and removes all purpose objects from the set of intended purposes in the non-standard auxiliary data of x.

X509_add1_reject_object() and X509_reject_clear() are similar except that they operate on a set of unintended purposes.

As an alternative to using the functions documented in the present manual page, X.509 certificate extensions can be used. At the price of higher complexity, those allow storing the purpose inside the certificate itself in a standard-conforming way rather than merely in non-standard auxiliary data associated with the certificate. See EXTENDED_KEY_USAGE_new(3) for details.

RETURN VALUES

X509_add1_trust_object() and X509_add1_reject_object() return the new number of purposes in the respective set or 0 if an error occurs, in particular if memory allocation fails or if x does not contain a sub-object that can hold non-standard auxiliary data.

SEE ALSO

ASN1_OBJECT_new(3), EXTENDED_KEY_USAGE_new(3), OBJ_nid2obj(3), X509_CERT_AUX_new(3), X509_new(3)

HISTORY

These functions first appeared in OpenSSL 0.9.4 and have been available since OpenBSD 2.7.