OpenSSL x509 Purpose flag "Any Purpose" What is this?

Solution 1:

The "Any Purpose : Yes" and "Any Purpose CA : Yes" lines from openssl x509 -purpose are special. They are OpenSSL-specific and represent what the certificate will be validated for when used with ancient software versions that do not check extensions.

These specific purpose flags cannot be turned off or disabled. In the OpenSSL source, purpose checking is defined in openssl/crypto/x509v3/v3_purp.c as static X509_PURPOSE xstandard[] = { … }. The validation function for the X509_PURPOSE_ANY check returns 1.

The closest to official documentation on this flag is probably these posts by Dr Stephen N. Henson, who authored v3_purp.c: http://marc.info/?l=openssl-users&m=96219426811480 and http://openssl.6102.n7.nabble.com/quot-critical-CA-FALSE-quot-but-quot-Any-Purpose-CA-Yes-quot-td29933.html.

To quote Steve:

'The "Any Purpose" setting is something which lets anything through and performs no checks at all. It was put there originally as a way for people to use broken certificates if they had no other choice and could live with the consequences... Since then CA checks have been made mandatory in the code even if "Any Purpose" is set. So if you actually tried to use that certificate as a CA it would be rejected.'

Solution 2:

The KeyUsage is a v3 extension, which may or may not be present in a certificate.

A useful (if slightly dated) summary of id-ce-keyUsage values: http://www.alvestrand.no/objectid/2.5.29.15.html [newly added values are 7 = encipherOnly and 8 = decipherOnly]

The trick is that this "OID=2.5.29.15 keyUsage extension" /might or might not/ be present in a particular certificate.

What OpenSSL probably presumes with PURPOSE_ANY is that this extension was /not present/, and that it is therefore "up to your own policy" to decide what to use or not use it for. Otherwise, there's no bitmap value that corresponds to "ANY"...
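As an added illustration (not code from either answer or from OpenSSL), the following Python decodes the keyUsage BIT STRING that Solution 2 describes, using the bit numbering from the linked OID page, and treats an absent extension as the "no restriction stated, local policy decides" case that PURPOSE_ANY corresponds to. The sample DER values are constructed, not taken from any real certificate.

```python
# id-ce-keyUsage (OID 2.5.29.15) is a DER BIT STRING; bit i counts from the
# most significant bit of the first content byte. There is no bit for "any".
KEY_USAGE_BITS = [
    "digitalSignature",  # bit 0
    "nonRepudiation",    # bit 1
    "keyEncipherment",   # bit 2
    "dataEncipherment",  # bit 3
    "keyAgreement",      # bit 4
    "keyCertSign",       # bit 5
    "cRLSign",           # bit 6
    "encipherOnly",      # bit 7
    "decipherOnly",      # bit 8
]


def decode_key_usage(der):
    """Return the set of named usages, or None if the extension is absent."""
    if der is None:
        return None
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad BIT STRING length")
    unused, bits = der[2], der[3:]
    if unused > 7 or (not bits and unused):
        raise ValueError("bad unused-bit count")
    nbits = len(bits) * 8 - unused
    usages = set()
    for i in range(min(nbits, len(KEY_USAGE_BITS))):
        if bits[i // 8] & (0x80 >> (i % 8)):
            usages.add(KEY_USAGE_BITS[i])
    return usages


def check_usage(der, required):
    """Tri-state check: 'permitted', 'denied', or 'absent' (extension missing).

    'absent' is the situation the answer attributes to PURPOSE_ANY: the
    certificate states no restriction, so the relying party's policy decides.
    """
    usages = decode_key_usage(der)
    if usages is None:
        return "absent"
    return "permitted" if set(required) <= usages else "denied"


# Constructed sample extension values (hypothetical, not from real certs).
TLS_LEAF = bytes.fromhex("030205a0")    # digitalSignature | keyEncipherment
CA_CERT = bytes.fromhex("03020106")     # keyCertSign | cRLSign
AGREEMENT = bytes.fromhex("0303070980")  # keyAgreement | encipherOnly | decipherOnly
```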