> Diff is OK claudio@. I wonder if the name of the function is slowly
> outdated since x509_get_purpose() does not a lot more then just selecting
> the purpose. That's a different bikeshed and for a different diff.

I'm happy to change a different name for the function but I kind of
struggle to come up with a better one. Having Purpose in the name doesn't
seem that bad.

Maybe x509_validate_purpose() would be better? I don't really want to
use x509_check_purpose() since that will be very confusing for me due to
X509_check_purpose(3).

I'm inclined to see the basic constraints, and the (extended) key usage,
and also cert policy (which isn't handled here yet) as defining the
certificate's purpose.

The (extended) key usage extensions are by definition in RFC 5280:

KU:

   The key usage extension defines the purpose (e.g., encipherment,
   signature, certificate signing) of the key contained in the
   certificate.

EKU:

   This extension indicates one or more purposes for which the certified
   public key may be used, in addition to or in place of the basic
   purposes indicated in the key usage extension. 

Now granted, we have libcrypto look at subject, issuer, SKI and AKI, but
it's on the nature of the complex tangle that is X.509.

Also, purpose is an OpenSSL thing lumping together all these things.