authorViktor Dukhovni <openssl-users@dukhovni.org>2024-04-14 19:43:30 -0400
committerTomas Mraz <tomas@openssl.org>2024-04-17 09:09:25 +0200
commit14bed67221c9fc7cef1cf2c1360f487ff2a78dd0 (patch)
treec9cc259d4bdfa71700d5625d313a78451ed7f3be
parent299996fb1fcd76eeadfd547958de2a1b822f37f5 (diff)
Define KU_ constants via corresponding X509v3_KU_
Also wrap X509v3_KU_UNDEF in `#ifndef OPENSSL_NO_DEPRECATED_3_4`. Fixes #22955 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24138)
-rw-r--r--include/openssl/x509.h.in28
-rw-r--r--include/openssl/x509v3.h.in19
2 files changed, 28 insertions, 19 deletions
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 7210391305..7d7ffa27d0 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -67,16 +67,24 @@ extern "C" {
# define X509_FILETYPE_ASN1 2
# define X509_FILETYPE_DEFAULT 3
-# define X509v3_KU_DIGITAL_SIGNATURE 0x0080
-# define X509v3_KU_NON_REPUDIATION 0x0040
-# define X509v3_KU_KEY_ENCIPHERMENT 0x0020
-# define X509v3_KU_DATA_ENCIPHERMENT 0x0010
-# define X509v3_KU_KEY_AGREEMENT 0x0008
-# define X509v3_KU_KEY_CERT_SIGN 0x0004
-# define X509v3_KU_CRL_SIGN 0x0002
-# define X509v3_KU_ENCIPHER_ONLY 0x0001
-# define X509v3_KU_DECIPHER_ONLY 0x8000
-# define X509v3_KU_UNDEF 0xffff
+/*-
+ * <https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3>:
+ * The KeyUsage BITSTRING is treated as a little-endian integer, hence bit `0`
+ * is 0x80, while bit `7` is 0x01 (the LSB of the integer value), bit `8` is
+ * then the MSB of the second octet, or 0x8000.
+ */
+# define X509v3_KU_DIGITAL_SIGNATURE 0x0080 /* (0) */
+# define X509v3_KU_NON_REPUDIATION 0x0040 /* (1) */
+# define X509v3_KU_KEY_ENCIPHERMENT 0x0020 /* (2) */
+# define X509v3_KU_DATA_ENCIPHERMENT 0x0010 /* (3) */
+# define X509v3_KU_KEY_AGREEMENT 0x0008 /* (4) */
+# define X509v3_KU_KEY_CERT_SIGN 0x0004 /* (5) */
+# define X509v3_KU_CRL_SIGN 0x0002 /* (6) */
+# define X509v3_KU_ENCIPHER_ONLY 0x0001 /* (7) */
+# define X509v3_KU_DECIPHER_ONLY 0x8000 /* (8) */
+# ifndef OPENSSL_NO_DEPRECATED_3_4
+# define X509v3_KU_UNDEF 0xffff /* vestigial, not used */
+# endif
struct X509_algor_st {
ASN1_OBJECT *algorithm;
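Review bot: The `#ifndef OPENSSL_NO_DEPRECATED_3_4` guard added around `X509v3_KU_UNDEF` retires the macro silently. A plain `#define` cannot carry a deprecation attribute, so callers see no warning in a default build and only fail to compile once deprecated APIs are disabled. The diffstat lists only the two headers, so unless it is recorded elsewhere the deprecation has no changelog or manual entry, and one should accompany this change; the trailing comment could also say so, e.g. `/* vestigial, not used; deprecated since 3.4 */`. Separately, the `/* (0) */` through `/* (8) */` annotations can only be read as RFC 5280 bit numbers by inference. A line in the block comment such as `* The number in parentheses is the KeyUsage bit number from the RFC.` would make that explicit.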
diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in
index 569680378d..b8711d5304 100644
--- a/include/openssl/x509v3.h.in
+++ b/include/openssl/x509v3.h.in
@@ -422,15 +422,16 @@ struct ISSUING_DIST_POINT_st {
# define EXFLAG_SAN_CRITICAL 0x80000
# define EXFLAG_NO_FINGERPRINT 0x100000
-# define KU_DIGITAL_SIGNATURE 0x0080
-# define KU_NON_REPUDIATION 0x0040
-# define KU_KEY_ENCIPHERMENT 0x0020
-# define KU_DATA_ENCIPHERMENT 0x0010
-# define KU_KEY_AGREEMENT 0x0008
-# define KU_KEY_CERT_SIGN 0x0004
-# define KU_CRL_SIGN 0x0002
-# define KU_ENCIPHER_ONLY 0x0001
-# define KU_DECIPHER_ONLY 0x8000
+/* https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3 */
+# define KU_DIGITAL_SIGNATURE X509v3_KU_DIGITAL_SIGNATURE
+# define KU_NON_REPUDIATION X509v3_KU_NON_REPUDIATION
+# define KU_KEY_ENCIPHERMENT X509v3_KU_KEY_ENCIPHERMENT
+# define KU_DATA_ENCIPHERMENT X509v3_KU_DATA_ENCIPHERMENT
+# define KU_KEY_AGREEMENT X509v3_KU_KEY_AGREEMENT
+# define KU_KEY_CERT_SIGN X509v3_KU_KEY_CERT_SIGN
+# define KU_CRL_SIGN X509v3_KU_CRL_SIGN
+# define KU_ENCIPHER_ONLY X509v3_KU_ENCIPHER_ONLY
+# define KU_DECIPHER_ONLY X509v3_KU_DECIPHER_ONLY
# define NS_SSL_CLIENT 0x80
# define NS_SSL_SERVER 0x40
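Review bot: The `KU_*` aliases added here expand to `X509v3_KU_*` names that this commit defines in `x509.h.in`, so they only resolve where `<openssl/x509.h>` is also included. The hunk does not show whether `x509v3.h.in` includes that header, though it presumably does. The new comment gives only the RFC link; I would state the dependency, e.g. `/* Aliases for the X509v3_KU_* values defined in <openssl/x509.h>; see RFC 5280 section 4.2.1.3 */`. Keeping a single set of literals is the right direction for values that feed key-usage checks, since the two lists can no longer drift apart.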