TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 2a5e5a2759f99ee084760fd4588b2a13e273b503^! / .
commit2a5e5a2759f99ee084760fd4588b2a13e273b503[log] [tgz]
authorTRodziewicz <tomasz.rodziewicz@mobica.com>Wed Jun 09 16:54:20 2021 +0200
committerTRodziewicz <tomasz.rodziewicz@mobica.com>Wed Jun 09 16:54:20 2021 +0200
tree2d3d9466bcc2f6b0ceccdacefd6dada2eba0e444
parent442fdc22eac7ae24c507543529a887ec33482165 [diff]
Correction to the migration guide entry wording

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>

diff --git a/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_CHECK_x_KEY_USAGE_options.md b/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_CHECK_x_KEY_USAGE_options.md
index 348fe32..2acb3bf 100644
--- a/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_CHECK_x_KEY_USAGE_options.md
+++ b/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_CHECK_x_KEY_USAGE_options.md

@@ -1,20 +1,18 @@
 Remove `MBEDTLS_X509_CHECK_*_KEY_USAGE` options from `config.h`
---
+-------------------------------------------------------------------
 
-This change affects users who have chosen the compilation time options to disable
-the library's verification of the `keyUsage` and `extendedKeyUsage` fields of an x509
-certificate.
+This change affects users who have chosen the configuration options to disable the
+library's verification of the `keyUsage` and `extendedKeyUsage` fields of x509
+certificates.
 
-The change is to remove MBEDTLS_X509_CHECK_KEY_USAGE and
-MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE from the configuration.
+The `MBEDTLS_X509_CHECK_KEY_USAGE` and `MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE`
+configuration options are removed and the X509 code now behaves as if they were
+always enabled. It is consequently not possible anymore to disable at compile
+time the verification of the `keyUsage` and `extendedKeyUsage` fields of X509
+certificates.
 
-After the change the options are removed and the compilation is done in a way that
-the verification of the key usage fields is allways enabled by default.
-
-This verification is an important step and disabling it can cause security issues.
-If the verification is for some reason undesirable it can still be disabled at
-a runtime with even more flexibility by using the callback parameter in
-`mbedtls_x509_crt_verify()`.
-
-For example the user can disable the verification by using the callback which
-clears the corresponding flags when they've been set.
+The verification of the `keyUsage` and `extendedKeyUsage` fields is important,
+disabling it can cause security issues and it is thus not recommended. If the
+verification is for some reason undesirable, it can still be disabled by means
+of the verification callback function passed to `mbedtls_x509_crt_verify()` (see
+the documentation of this function for more information).