From 2b9fb88281187667a848582a3f30c1607bc64991 Mon Sep 17 00:00:00 2001
From: Hanno Becker <hanno.becker@arm.com>
Date: Thu, 11 Oct 2018 11:36:29 +0100
Subject: [PATCH] Clarify documentation of mbedtls_x509_crt_profile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit fixes #1992: The documentation of mbedtls_x509_crt_profile
previously stated that the bitfield `allowed_pks` defined which signature
algorithms shall be allowed in CRT chains. In actual fact, however,
the field also applies to guard the public key of the end entity
certificate.

This commit changes the documentation to state that `allowed_pks`
applies to the public keys of all CRTs in the provided chain.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
---
 include/mbedtls/x509_crt.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 51883dc86..551c624d6 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -190,7 +190,9 @@ mbedtls_x509_subject_alternative_name;
 typedef struct mbedtls_x509_crt_profile
 {
     uint32_t allowed_mds;       /**< MDs for signatures         */
-    uint32_t allowed_pks;       /**< PK algs for signatures     */
+    uint32_t allowed_pks;       /**< PK algs for public keys;
+                                 *   this applies to any CRT
+                                 *   in the provided chain.     */
     uint32_t allowed_curves;    /**< Elliptic curves for ECDSA  */
     uint32_t rsa_min_bitlen;    /**< Minimum size for RSA keys  */
 }