Correction to the migration guide entry wording

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
TRodziewicz 2021-06-09 16:54:20 +02:00
parent 442fdc22ea
commit 2a5e5a2759


@ -1,20 +1,18 @@
Remove `MBEDTLS_X509_CHECK_*_KEY_USAGE` options from `config.h`
--
-------------------------------------------------------------------
This change affects users who have chosen the compilation time options to disable
the library's verification of the `keyUsage` and `extendedKeyUsage` fields of an x509
certificate.
This change affects users who have chosen the configuration options to disable the
library's verification of the `keyUsage` and `extendedKeyUsage` fields of x509
certificates.
The change is to remove MBEDTLS_X509_CHECK_KEY_USAGE and
MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE from the configuration.
The `MBEDTLS_X509_CHECK_KEY_USAGE` and `MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE`
configuration options are removed and the X509 code now behaves as if they were
always enabled. It is consequently not possible anymore to disable at compile
time the verification of the `keyUsage` and `extendedKeyUsage` fields of X509
certificates.
After the change the options are removed and the compilation is done in a way that
the verification of the key usage fields is allways enabled by default.
This verification is an important step and disabling it can cause security issues.
If the verification is for some reason undesirable it can still be disabled at
a runtime with even more flexibility by using the callback parameter in
`mbedtls_x509_crt_verify()`.
For example the user can disable the verification by using the callback which
clears the corresponding flags when they've been set.
The verification of the `keyUsage` and `extendedKeyUsage` fields is important,
disabling it can cause security issues and it is thus not recommended. If the
verification is for some reason undesirable, it can still be disabled by means
of the verification callback function passed to `mbedtls_x509_crt_verify()` (see
the documentation of this function for more information).
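Review bot: the rewritten paragraphs are inconsistent in casing, "`extendedKeyUsage` fields of x509" in the first new paragraph versus "`extendedKeyUsage` fields of X509" in the second; pick one spelling for the whole entry. Separately, the last paragraph drops the one concrete hint the old wording gave, that the callback disables the check by clearing the corresponding verification flags when they have been set, and now only points readers at the function documentation; keeping that sentence (ideally naming the flags the callback must clear) would let a user migrating away from the removed options see what to do without leaving the migration guide. Minor: the added underline below the title is the full-width form while the old entry used a short one; the full-width form matches the other entries, so that change is fine to keep.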