diff --git a/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_CHECK_x_KEY_USAGE_options.md b/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_CHECK_x_KEY_USAGE_options.md index 348fe32f71..2acb3bfbe6 100644 --- a/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_CHECK_x_KEY_USAGE_options.md +++ b/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_CHECK_x_KEY_USAGE_options.md 
@@ -1,20 +1,18 @@ Remove `MBEDTLS_X509_CHECK_*_KEY_USAGE` options from `config.h` --- +------------------------------------------------------------------- -This change affects users who have chosen the compilation time options to disable -the library's verification of the `keyUsage` and `extendedKeyUsage` fields of an x509 -certificate. +This change affects users who have chosen the configuration options to disable the +library's verification of the `keyUsage` and `extendedKeyUsage` fields of x509 +certificates. -The change is to remove MBEDTLS_X509_CHECK_KEY_USAGE and -MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE from the configuration. +The `MBEDTLS_X509_CHECK_KEY_USAGE` and `MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE` +configuration options are removed and the X509 code now behaves as if they were +always enabled. It is consequently not possible anymore to disable at compile +time the verification of the `keyUsage` and `extendedKeyUsage` fields of X509 +certificates. -After the change the options are removed and the compilation is done in a way that -the verification of the key usage fields is allways enabled by default. - -This verification is an important step and disabling it can cause security issues. -If the verification is for some reason undesirable it can still be disabled at -a runtime with even more flexibility by using the callback parameter in -`mbedtls_x509_crt_verify()`. - -For example the user can disable the verification by using the callback which -clears the corresponding flags when they've been set. +The verification of the `keyUsage` and `extendedKeyUsage` fields is important, +disabling it can cause security issues and it is thus not recommended. If the +verification is for some reason undesirable, it can still be disabled by means +of the verification callback function passed to `mbedtls_x509_crt_verify()` (see +the documentation of this function for more information).
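Review bot: the new third paragraph of the hunk has a comma splice ("The verification of the `keyUsage` and `extendedKeyUsage` fields is important, disabling it can cause security issues and it is thus not recommended.") and the replacement text is inconsistent about "x509" (first paragraph) versus "X509" (second paragraph); suggest "... is important; disabling it can cause security issues and is thus not recommended." and one spelling of X509 throughout. The rewrite also drops the removed text's concrete hint that the callback disables the check by clearing the corresponding flags when they have been set; since migrating users are exactly the ones who need that mechanism, consider keeping one sentence to that effect alongside the pointer to the `mbedtls_x509_crt_verify()` documentation.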