Fix the documentation of X509_pubkey_digest.
It doesn't hash the SPKI, just the BIT STRING in it.
Bug: 426
Change-Id: Ib5b8f14f530cc8045a60ac1e9780779d90f5a3bf
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/53330
Commit-Queue: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index b9e6ab4..58e4c4d 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -1412,11 +1412,16 @@
OPENSSL_EXPORT int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *spki, EVP_PKEY *pkey,
const EVP_MD *md);
-// X509_pubkey_digest hashes the DER encoding of |x509|'s subjectPublicKeyInfo
-// field with |md| and writes the result to |out|. |EVP_MD_CTX_size| bytes are
-// written, which is at most |EVP_MAX_MD_SIZE|. If |out_len| is not NULL,
-// |*out_len| is set to the number of bytes written. This function returns one
-// on success and zero on error.
+// X509_pubkey_digest hashes the contents of the BIT STRING in |x509|'s
+// subjectPublicKeyInfo field with |md| and writes the result to |out|.
+// |EVP_MD_CTX_size| bytes are written, which is at most |EVP_MAX_MD_SIZE|. If
+// |out_len| is not NULL, |*out_len| is set to the number of bytes written. This
+// function returns one on success and zero on error.
+//
+// This hash omits the BIT STRING tag, length, and number of unused bits. It
+// also omits the AlgorithmIdentifier which describes the key type. It
+// corresponds to the OCSP KeyHash definition and is not suitable for other
+// purposes.
OPENSSL_EXPORT int X509_pubkey_digest(const X509 *x509, const EVP_MD *md,
uint8_t *out, unsigned *out_len);
