Define KU_ constants via corresponding X509v3_KU_

Also wrap X509v3_KU_UNDEF in `#ifndef OPENSSL_NO_DEPRECATED_3_4`. Fixes #22955 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24138)
2025-02-17 14:32:04 +08:00 · 2024-04-14 19:43:30 -04:00 · 2024-04-14 19:43:30 -04:00 · 14bed67221
commit 14bed67221
parent 299996fb1f
2 changed files with 28 additions and 19 deletions
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@ -67,16 +67,24 @@ extern "C" {
 # define X509_FILETYPE_ASN1      2
 # define X509_FILETYPE_DEFAULT   3

-# define X509v3_KU_DIGITAL_SIGNATURE     0x0080
-# define X509v3_KU_NON_REPUDIATION       0x0040
-# define X509v3_KU_KEY_ENCIPHERMENT      0x0020
-# define X509v3_KU_DATA_ENCIPHERMENT     0x0010
-# define X509v3_KU_KEY_AGREEMENT         0x0008
-# define X509v3_KU_KEY_CERT_SIGN         0x0004
-# define X509v3_KU_CRL_SIGN              0x0002
-# define X509v3_KU_ENCIPHER_ONLY         0x0001
-# define X509v3_KU_DECIPHER_ONLY         0x8000
-# define X509v3_KU_UNDEF                 0xffff
+/*-
+ * <https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3>:
+ * The KeyUsage BITSTRING is treated as a little-endian integer, hence bit `0`
+ * is 0x80, while bit `7` is 0x01 (the LSB of the integer value), bit `8` is
+ * then the MSB of the second octet, or 0x8000.
+ */
+# define X509v3_KU_DIGITAL_SIGNATURE     0x0080     /* (0) */
+# define X509v3_KU_NON_REPUDIATION       0x0040     /* (1) */
+# define X509v3_KU_KEY_ENCIPHERMENT      0x0020     /* (2) */
+# define X509v3_KU_DATA_ENCIPHERMENT     0x0010     /* (3) */
+# define X509v3_KU_KEY_AGREEMENT         0x0008     /* (4) */
+# define X509v3_KU_KEY_CERT_SIGN         0x0004     /* (5) */
+# define X509v3_KU_CRL_SIGN              0x0002     /* (6) */
+# define X509v3_KU_ENCIPHER_ONLY         0x0001     /* (7) */
+# define X509v3_KU_DECIPHER_ONLY         0x8000     /* (8) */
+# ifndef OPENSSL_NO_DEPRECATED_3_4
+#  define X509v3_KU_UNDEF                0xffff     /* vestigial, not used */
+# endif

 struct X509_algor_st {
    ASN1_OBJECT *algorithm;
--- a/include/openssl/x509v3.h.in
+++ b/include/openssl/x509v3.h.in
@ -422,15 +422,16 @@ struct ISSUING_DIST_POINT_st {
 # define EXFLAG_SAN_CRITICAL     0x80000
 # define EXFLAG_NO_FINGERPRINT   0x100000

-# define KU_DIGITAL_SIGNATURE    0x0080
-# define KU_NON_REPUDIATION      0x0040
-# define KU_KEY_ENCIPHERMENT     0x0020
-# define KU_DATA_ENCIPHERMENT    0x0010
-# define KU_KEY_AGREEMENT        0x0008
-# define KU_KEY_CERT_SIGN        0x0004
-# define KU_CRL_SIGN             0x0002
-# define KU_ENCIPHER_ONLY        0x0001
-# define KU_DECIPHER_ONLY        0x8000
+/* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3 */
+# define KU_DIGITAL_SIGNATURE    X509v3_KU_DIGITAL_SIGNATURE
+# define KU_NON_REPUDIATION      X509v3_KU_NON_REPUDIATION
+# define KU_KEY_ENCIPHERMENT     X509v3_KU_KEY_ENCIPHERMENT
+# define KU_DATA_ENCIPHERMENT    X509v3_KU_DATA_ENCIPHERMENT
+# define KU_KEY_AGREEMENT        X509v3_KU_KEY_AGREEMENT
+# define KU_KEY_CERT_SIGN        X509v3_KU_KEY_CERT_SIGN
+# define KU_CRL_SIGN             X509v3_KU_CRL_SIGN
+# define KU_ENCIPHER_ONLY        X509v3_KU_ENCIPHER_ONLY
+# define KU_DECIPHER_ONLY        X509v3_KU_DECIPHER_ONLY

 # define NS_SSL_CLIENT           0x80
 # define NS_SSL_SERVER           0x40