Add x509_crt_check_key_usage()

commit: 603116c570f55f3d00f705d1862e7f685522162f [log] [tgz]
author: Manuel Pégourié-Gonnard <mpg@elzevir.fr> Wed Apr 09 09:50:03 2014 +0200
committer: Paul Bakker <p.j.bakker@polarssl.org> Wed Apr 09 15:50:57 2014 +0200
tree: e2661ec6c569370b18ccbf4a80c5b200ab904a6f
parent: 0f79babd4b95bf287728721ac4e24533917207fb [diff] [blame]
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index c2c2708..2def1ee 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h

@@ -958,6 +958,20 @@
 //#define POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
 
 /**
+ * \def POLARSSL_X509_CHECK_KEY_USAGE
+ *
+ * Enable verification of the keyUsage extension (CA and leaf certificates).
+ *
+ * Disabling this avoids problems with mis-issued and/or misused
+ * (intermediate) CA and leaf certificates.
+ *
+ * \warning Depending on your PKI use, disabling this can be a security risk!
+ *
+ * Comment to skip keyUsage checking for both CA and leaf certificates.
+ */
+#define POLARSSL_X509_CHECK_KEY_USAGE
+
+/**
  * \def POLARSSL_ZLIB_SUPPORT
  *
  * If set, the SSL/TLS module uses ZLIB to support compression and
commit	603116c570f55f3d00f705d1862e7f685522162f	[log] [tgz]
author	Manuel Pégourié-Gonnard <mpg@elzevir.fr>	Wed Apr 09 09:50:03 2014 +0200
committer	Paul Bakker <p.j.bakker@polarssl.org>	Wed Apr 09 15:50:57 2014 +0200
tree	e2661ec6c569370b18ccbf4a80c5b200ab904a6f
parent	0f79babd4b95bf287728721ac4e24533917207fb [diff] [blame]