Addition of the migration guide

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2025-11-01 04:01:13 -04:00 · 2021-05-12 11:03:42 +02:00 · 2021-05-12 11:03:42 +02:00 · b8367380b1
commit b8367380b1
parent 3ecb92e680
2 changed files with 14 additions and 1 deletions
--- a/ChangeLog.d/issue4378.txt
+++ b/ChangeLog.d/issue4378.txt
@ -1,4 +1,4 @@
 Removals
   * Remove the  MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION config.h
     option. The mbedtls_x509_crt_parse_der_with_ext_cb() is the way to go for
-     for migration path. Fixes #4378.
+     migration path. Fixes #4378.
--- a/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md
+++ b/docs/3.0-migration-guide.d/remove_MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION.md
@ -0,0 +1,13 @@
+Remove the X509 parser sensitivity control for an unknown critical extension from config.h
+------------------------------------------------------------------------------------------
+
+It affects users who use the `MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION`
+option which if set, allowed the X509 parser to parse an X509 certificate
+even when it encountered an unknown critical extension.
+
+The migration path from that option is to use the
+`mbedtls_x509_crt_parse_der_with_ext_cb()` function which is functionally
+equivalent to `mbedtls_x509_crt_parse_der()`, and/or
+`mbedtls_x509_crt_parse_der_nocopy()` but it calls the callback with every
+unsupported certificate extension and additionally the "certificate policies"
+extension if it contains any unsupported certificate policies.