add keyusage extension
diff --git a/docs/x509.rst b/docs/x509.rst
index af24944..39df4a0 100644
--- a/docs/x509.rst
+++ b/docs/x509.rst
@@ -447,6 +447,99 @@
Returns an instance of the extension type corresponding to the OID.
+.. class:: KeyUsage
+
+ .. versionadded:: 0.9
+
+ The key usage extension defines the purpose of the key contained in the
+ certificate. The usage restriction might be employed when a key that could
+ be used for more than one operation is to be restricted. It corresponds to
+ :data:`OID_KEY_USAGE`.
+
+ .. attribute:: digital_signature
+
+ :type: bool
+
+ This is asserted when the subject public key is used for verifying
+ digital signatures, other than signatures on certificates
+ (``key_cert_sign``) and CRLs (``crl_sign``).
+
+ .. attribute:: content_commitment
+
+ :type: bool
+
+ This is asserted when the subject public key is used for verifying
+ digital signatures, other than signatures on certificates
+ (``key_cert_sign``) and CRLs (``crl_sign``). It is used to provide a
+ non-repudiation service that protects against the signing entity
+ falsely denying some action. In the case of later conflict, a
+ reliable third party may determine the authenticity of the signed
+ data. This was called ``non_repudiation`` in older revisions of the
+ X.509 specification.
+
+ .. attribute:: key_encipherment
+
+ :type: bool
+
+ This is asserted when the subject public key is used for enciphering
+ private or secret keys.
+
+ .. attribute:: data_encipherment
+
+ :type: bool
+
+ This is asserted when the subject public key is used for directly
+ enciphering raw user data without the use of an intermediate symmetric
+ cipher.
+
+ .. attribute:: key_agreement
+
+ :type: bool
+
+ This is asserted when the subject public key is used for key agreement.
+ For example, when a Diffie-Hellman key is to be used for key
+ management, then this bit is set.
+
+ .. attribute:: key_cert_sign
+
+ :type: bool
+
+ This is asserted when the subject public key is used for verifying
+ signatures on public key certificates. If this bit is asserted then
+ ``ca`` must be true in the :class:`BasicConstraints` extension.
+
+ .. attribute:: crl_sign
+
+ :type: bool
+
+ This is asserted when the subject public key is used for verifying
+ signatures on certificate revocation lists.
+
+ .. attribute:: encipher_only
+
+ :type: bool
+
+ The meaning of this bit is undefined in the absence of the
+ ``key_agreement`` bit. When this bit is asserted and the
+ ``key_agreement`` bit is also set, the subject public key may be
+ used only for enciphering data while performing key agreement.
+
+ :raises ValueError: This is raised if accessed when ``key_agreement``
+ is false.
+
+ .. attribute:: decipher_only
+
+ :type: bool
+
+ The meaning of this bit is undefined in the absence of the
+ ``key_agreement`` bit. When this bit is asserted and the
+ ``key_agreement`` bit is also set, the subject public key may be
+ used only for deciphering data while performing key agreement.
+
+ :raises ValueError: This is raised if accessed when ``key_agreement``
+ is false.
+
+
.. class:: BasicConstraints
.. versionadded:: 0.9
@@ -687,6 +780,11 @@
Corresponds to the dotted string ``"2.5.29.19"``. The identifier for the
:class:`BasicConstraints` extension type.
+.. data:: OID_KEY_USAGE
+
+ Corresponds to the dotted string ``"2.5.29.15"``. The identifier for the
+ :class:`KeyUsage` extension type.
+
Exceptions
~~~~~~~~~~