Document some key usage accessors

Bug: 426
Change-Id: I423d1471c586764e20c720684e3d225abbf5d662
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64251
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 0c8d5df..51ee208 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -3207,6 +3207,8 @@
 OPENSSL_EXPORT X509_STORE_CTX_check_crl_fn
 X509_STORE_get_check_crl(X509_STORE *ctx);
 
+// X509_STORE_CTX_new returns a newly-allocated, empty |X509_STORE_CTX|, or NULL
+// on error.
 OPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_new(void);
 
 OPENSSL_EXPORT int X509_STORE_CTX_get1_issuer(X509 **issuer,
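Review bot: The comment added above X509_STORE_CTX_new says the result is "newly-allocated" and "empty" but not who frees it or what has to happen before it can be used. I would add a second sentence along the lines of `// The caller must release the result with |X509_STORE_CTX_free| and must call |X509_STORE_CTX_init| before using it for verification.` This assumes those two functions are the intended pairing, since neither declaration is visible in this hunk. Without it, a reader could pass an uninitialised context straight to a verify call.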
@@ -4041,9 +4043,25 @@
 OPENSSL_EXPORT int X509_check_issued(X509 *issuer, X509 *subject);
 OPENSSL_EXPORT int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
 
-OPENSSL_EXPORT uint32_t X509_get_extension_flags(X509 *x);
-OPENSSL_EXPORT uint32_t X509_get_key_usage(X509 *x);
-OPENSSL_EXPORT uint32_t X509_get_extended_key_usage(X509 *x);
+OPENSSL_EXPORT uint32_t X509_get_extension_flags(X509 *x509);
+
+// X509_get_key_usage returns a bitmask of key usages (see Section 4.2.1.3 of
+// RFC 5280) which |x509| is valid for. The result will be a combination of
+// |KU_*| constants.
+//
+// If |x509| has no key usage extension, all key usages are valid and this
+// function returns |UINT32_MAX|. If there was an error processing |x509|'s
+// extensions, this function returns zero.
+OPENSSL_EXPORT uint32_t X509_get_key_usage(X509 *x509);
+
+// X509_get_extended_key_usage returns a bitmask of extended key usages (see
+// Section 4.2.1.12 of RFC 5280) which |x509| is valid for. The result will be
+// a combination of |XKU_*| constants.
+//
+// If |x509| has no extended key usage extension, all extended key usages are
+// valid and this function returns |UINT32_MAX|. If there was an error
+// processing |x509|'s extensions, this function returns zero.
+OPENSSL_EXPORT uint32_t X509_get_extended_key_usage(X509 *x509);
 
 // X509_get0_subject_key_id returns |x509|'s subject key identifier, if present.
 // (See RFC 5280, section 4.2.1.2.) It returns NULL if the extension is not
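Review bot: The new comments on X509_get_key_usage and X509_get_extended_key_usage document two sentinel returns but do not say how a caller should test the result. With an error returning zero and a missing extension returning |UINT32_MAX|, only a positive test such as `(X509_get_key_usage(x509) & KU_DIGITAL_SIGNATURE) != 0` rejects on a processing error. A check that a bit is clear would pass on the error path. I would append to both comments something like `// Callers should test that the required bit is set, not that a bit is clear, so that the zero returned on error is treated as a rejection.` The |UINT32_MAX| case also sets bits outside the defined |KU_*| and |XKU_*| constants, so it is worth stating that the value should only be masked, never compared or enumerated. X509_get_extension_flags has its parameter renamed in this hunk but is still undocumented, including what it returns on error.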