Correction to the migration guide entry wording

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
TRodziewicz 2021-06-09 16:54:20 +02:00
parent 442fdc22ea
commit 2a5e5a2759

@ -1,20 +1,18 @@
Remove `MBEDTLS_X509_CHECK_*_KEY_USAGE` options from `config.h` Remove `MBEDTLS_X509_CHECK_*_KEY_USAGE` options from `config.h`
-- -------------------------------------------------------------------
This change affects users who have chosen the compilation time options to disable This change affects users who have chosen the configuration options to disable the
the library's verification of the `keyUsage` and `extendedKeyUsage` fields of an x509 library's verification of the `keyUsage` and `extendedKeyUsage` fields of x509
certificate. certificates.
The change is to remove MBEDTLS_X509_CHECK_KEY_USAGE and The `MBEDTLS_X509_CHECK_KEY_USAGE` and `MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE`
MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE from the configuration. configuration options are removed and the X509 code now behaves as if they were
always enabled. It is consequently not possible anymore to disable at compile
time the verification of the `keyUsage` and `extendedKeyUsage` fields of X509
certificates.
After the change the options are removed and the compilation is done in a way that The verification of the `keyUsage` and `extendedKeyUsage` fields is important,
the verification of the key usage fields is allways enabled by default. disabling it can cause security issues and it is thus not recommended. If the
verification is for some reason undesirable, it can still be disabled by means
This verification is an important step and disabling it can cause security issues. of the verification callback function passed to `mbedtls_x509_crt_verify()` (see
If the verification is for some reason undesirable it can still be disabled at the documentation of this function for more information).
a runtime with even more flexibility by using the callback parameter in
`mbedtls_x509_crt_verify()`.
For example the user can disable the verification by using the callback which
clears the corresponding flags when they've been set.
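
Review bot: The reworded last paragraph says the check "can still be disabled by means of the verification callback function" but drops the earlier sentence explaining that the callback does this by clearing the corresponding flags when they've been set, so a reader migrating from the removed options no longer learns the mechanism from this entry. Consider keeping one short sentence to that effect next to the pointer to the `mbedtls_x509_crt_verify()` documentation. Two smaller wording points in the same text: "is important, disabling it can cause security issues" is a comma splice that would read better as two sentences, and the entry mixes "x509" and "X509", so pick one spelling throughout.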