X509_GET_EXTENSION_FLAGS(3)                           Library Functions Manual

NAME
     X509_get_extension_flags, X509_get_key_usage, X509_get_extended_key_usage
     - retrieve certificate extension data

SYNOPSIS
     #include <openssl/x509v3.h>

     uint32_t
     X509_get_extension_flags(X509 *x);

     uint32_t
     X509_get_key_usage(X509 *x);

     uint32_t
     X509_get_extended_key_usage(X509 *x);

DESCRIPTION
     These functions retrieve information related to commonly used certificate
     extensions.

     X509_get_extension_flags() retrieves general information about a
     certificate.  It returns one or more of the following flags OR'ed
     together.

     EXFLAG_V1
             The certificate is an obsolete version 1 certificate.

     EXFLAG_BCONS
             The certificate contains a basic constraints extension.

     EXFLAG_CA
             The certificate contains basic constraints and asserts the CA
             flag.

     EXFLAG_PROXY
             The certificate is a valid proxy certificate.  In LibreSSL this
             flag is never set.

     EXFLAG_SI
             The certificate is self issued (that is subject and issuer names
             match).

     EXFLAG_SS
             The subject and issuer names match and extension values imply it
             is self signed.

     EXFLAG_FRESHEST
             The freshest CRL extension is present in the certificate.

     EXFLAG_CRITICAL
             The certificate contains an unhandled critical extension.

     EXFLAG_INVALID
             Some certificate extension values are invalid or inconsistent.
             The certificate should be rejected.  This bit may also be raised
             after an out-of-memory error while processing the X509 object, so
             it may not be related to the processed ASN1 object itself.

     EXFLAG_INVALID_POLICY
             The NID_certificate_policies certificate extension is invalid or
             inconsistent.  The certificate should be rejected.  This bit may
             also be raised after an out-of-memory error while processing the
             X509 object, so it may not be related to the processed ASN1
             object itself.

     EXFLAG_KUSAGE
             The certificate contains a key usage extension.  The value can be
             retrieved using X509_get_key_usage().

     EXFLAG_XKUSAGE
             The certificate contains an extended key usage extension.  The
             value can be retrieved using X509_get_extended_key_usage().

     X509_get_key_usage() returns the value of the key usage extension.  If
     key usage is present, it returns zero or more of these flags:
     KU_DIGITAL_SIGNATURE, KU_NON_REPUDIATION, KU_KEY_ENCIPHERMENT,
     KU_DATA_ENCIPHERMENT, KU_KEY_AGREEMENT, KU_KEY_CERT_SIGN, KU_CRL_SIGN,
     KU_ENCIPHER_ONLY, or KU_DECIPHER_ONLY, corresponding to individual key
     usage bits.  If key usage is absent, UINT32_MAX is returned.

     The following aliases for these flags are defined in <openssl/x509.h>:
     X509v3_KU_DIGITAL_SIGNATURE, X509v3_KU_NON_REPUDIATION,
     X509v3_KU_KEY_ENCIPHERMENT, X509v3_KU_DATA_ENCIPHERMENT,
     X509v3_KU_KEY_AGREEMENT, X509v3_KU_KEY_CERT_SIGN, X509v3_KU_CRL_SIGN,
     X509v3_KU_ENCIPHER_ONLY, and X509v3_KU_DECIPHER_ONLY.

     X509_get_extended_key_usage() returns the value of the extended key usage
     extension.  If extended key usage is present, it returns zero or more of
     these flags: XKU_SSL_SERVER, XKU_SSL_CLIENT, XKU_SMIME, XKU_CODE_SIGN
     XKU_OCSP_SIGN, XKU_TIMESTAMP, XKU_DVCS, or XKU_ANYEKU.  These correspond
     to the OIDs "id-kp-serverAuth", "id-kp-clientAuth",
     "id-kp-emailProtection", "id-kp-codeSigning", "id-kp-OCSPSigning",
     "id-kp-timeStamping", "id-kp-dvcs", and "anyExtendedKeyUsage",
     respectively.  Additionally, XKU_SGC is set if either Netscape or
     Microsoft SGC OIDs are present.

     The value of the flags correspond to extension values which are cached in
     the X509 structure.  If the flags returned do not provide sufficient
     information, an application should examine extension values directly, for
     example using X509_get_ext_d2i(3).

     If the key usage or extended key usage extension is absent then typically
     usage is unrestricted.  For this reason X509_get_key_usage() and
     X509_get_extended_key_usage() return UINT32_MAX when the corresponding
     extension is absent.  Applications can additionally check the return
     value of X509_get_extension_flags() and take appropriate action if an
     extension is absent.

RETURN VALUES
     X509_get_extension_flags(), X509_get_key_usage() and
     X509_get_extended_key_usage() return sets of flags corresponding to the
     certificate extension values.

SEE ALSO
     BASIC_CONSTRAINTS_new(3), EXTENDED_KEY_USAGE_new(3), POLICYINFO_new(3),
     X509_check_ca(3), X509_check_purpose(3), X509_EXTENSION_new(3),
     X509_get_ext_d2i(3), X509_get_subject_name(3), X509_get_version(3),
     X509_new(3)

HISTORY
     X509_get_extension_flags, X509_get_key_usage, and
     X509_get_extended_key_usage first appeared in OpenSSL 1.1.0 and have been
     available since OpenBSD 7.1.

Linux 6.8.2-arch2-1             April 30, 2023             Linux 6.8.2-arch2-1