Merge pull request #4619 from TRodziewicz/remove_MBEDTLS_X509_CHECK_x_KEY_USAGE_options

Remove MBEDTLS_X509_CHECK_*_KEY_USAGE options but enable the code
2025-08-01 10:06:53 +03:00 · 2021-06-10 17:43:36 +02:00
parent 44eea8f067 2a5e5a2759
commit 02b76b7d18
9 changed files with 27 additions and 63 deletions
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -1832,33 +1832,6 @@
 */
 //#define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK

-/**
- * \def MBEDTLS_X509_CHECK_KEY_USAGE
- *
- * Enable verification of the keyUsage extension (CA and leaf certificates).
- *
- * Disabling this avoids problems with mis-issued and/or misused
- * (intermediate) CA and leaf certificates.
- *
- * \warning Depending on your PKI use, disabling this can be a security risk!
- *
- * Comment to skip keyUsage checking for both CA and leaf certificates.
- */
-#define MBEDTLS_X509_CHECK_KEY_USAGE
-
-/**
- * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
- *
- * Enable verification of the extendedKeyUsage extension (leaf certificates).
- *
- * Disabling this avoids problems with mis-issued and/or misused certificates.
- *
- * \warning Depending on your PKI use, disabling this can be a security risk!
- *
- * Comment to skip extendedKeyUsage checking for certificates.
- */
-#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
-
 /**
 * \def MBEDTLS_X509_REMOVE_INFO
 *
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@ -827,7 +827,6 @@ int mbedtls_x509_crt_verify_with_ca_cb( mbedtls_x509_crt *crt,

 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */

-#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
 /**
 * \brief          Check usage of certificate against keyUsage extension.
 *
@ -851,9 +850,7 @@ int mbedtls_x509_crt_verify_with_ca_cb( mbedtls_x509_crt *crt,
 */
 int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
                                      unsigned int usage );
-#endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */

-#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
 /**
 * \brief           Check usage of certificate against extendedKeyUsage.
 *
@ -870,7 +867,6 @@ int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
 int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
                                               const char *usage_oid,
                                               size_t usage_len );
-#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */

 #if defined(MBEDTLS_X509_CRL_PARSE_C)
 /**