From b8367380b1f6a84662743bbef81ec4ef09f467f8 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Wed, 12 May 2021 11:03:42 +0200 Subject: [PATCH] Addition of the migration guide Signed-off-by: TRodziewicz --- ChangeLog.d/issue4378.txt | 2 +- ...TLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md | 13 +++++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md diff --git a/ChangeLog.d/issue4378.txt b/ChangeLog.d/issue4378.txt index f10c23c58..9a7522b3a 100644 --- a/ChangeLog.d/issue4378.txt +++ b/ChangeLog.d/issue4378.txt @@ -1,4 +1,4 @@ Removals * Remove the MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION config.h option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for - for migration path. Fixes #4378. + migration path. Fixes #4378. diff --git a/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md b/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md new file mode 100644 index 000000000..34ec4738a --- /dev/null +++ b/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md 
@@ -0,0 +1,13 @@ +Remove the X509 parser sensitivity control for an unknown critical extension from config.h +------------------------------------------------------------------------------------------ + +It affects users who use the `MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION` +option which if set, allowed the X509 parser to parse an X509 certificate +even when it encountered an unknown critical extension. + +The migration path from that option is to use the +`mbedtls_x509_crt_parse_der_with_ext_cb()` function which is functionally +equivalent to `mbedtls_x509_crt_parse_der()`, and/or +`mbedtls_x509_crt_parse_der_nocopy()` but it calls the callback with every +unsupported certificate extension and additionally the "certificate policies" +extension if it contains any unsupported certificate policies.
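Review bot: the ChangeLog.d/issue4378.txt hunk removes the duplicated "for" but leaves the sentence ungrammatical: "is the way to go for migration path" is missing an article. Suggest "The mbedtls_x509_crt_parse_der_with_ext_cb() function is the migration path." so the entry reads cleanly in the generated changelog.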
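Review bot: the new migration-guide entry in docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md does not state what the default behaviour is once the option is gone. The text says the option "allowed the X509 parser to parse an X509 certificate even when it encountered an unknown critical extension", so the reader has to infer that parsing now fails on such a certificate unless the callback passed to `mbedtls_x509_crt_parse_der_with_ext_cb()` accepts the extension; spelling that out, together with how the callback signals acceptance versus rejection, is what a user migrating off the option needs. Two smaller points in the same hunk: "functionally equivalent to `mbedtls_x509_crt_parse_der()`, and/or `mbedtls_x509_crt_parse_der_nocopy()` but it calls" should say which of the two it is equivalent to (or under what condition each applies) instead of "and/or", and needs a comma before "but"; and "option which if set, allowed" should read "option which, if set, allowed". The heading "Remove the X509 parser sensitivity control for an unknown critical extension" is also vaguer than the body; naming the removed option in the heading would make the entry easier to find.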