authorNikos Mavrogiannopoulos <nmav@redhat.com>2016-10-18 15:42:52 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-10-18 15:43:47 +0200
commitd10397abb13ee7b343c7ac5fb549a2fe07207d00 (patch)
tree924167e9e19bde6adb2d52201316fa9b2b582738
parent59346c6a020bad26dddf9e5da3d5070c79ee323a (diff)
doc update [ci skip]
-rw-r--r--NEWS4
-rw-r--r--lib/x509/pkcs7.c3
-rw-r--r--lib/x509/x509.c3
3 files changed, 10 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index de3a4be302..5e299f22d6 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,10 @@ See the end for copying conditions.
** libgnutls: Introduced a function group to set known DH parameters
using groups from RFC7919.
+** libgnutls: Introduced time and constraints checks in the end certificate
+ in the gnutls_x509_crt_verify_data2() and gnutls_pkcs7_verify_direct()
+ functions.
+
** certtool: --get-dh-params will output parameters from the RFC7919
groups.
diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
index 558bef3f3a..b87dc7a3ca 100644
--- a/lib/x509/pkcs7.c
+++ b/lib/x509/pkcs7.c
@@ -970,6 +970,9 @@ gnutls_pkcs7_get_embedded_data_oid(gnutls_pkcs7_t pkcs7)
* to verify the intended purpose of the %signer -e.g., via gnutls_x509_crt_get_key_purpose_oid(),
* or gnutls_x509_crt_check_key_purpose().
*
+ * Note also, that since GnuTLS 3.5.6 this function introduces checks in the
+ * end certificate (@signer), including time checks and key usage checks.
+ *
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value. A verification error results to a
* %GNUTLS_E_PK_SIG_VERIFY_FAILED and the lack of encapsulated data
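Review bot: The added paragraph says this function now performs time checks on @signer, but the Returns paragraph immediately below still states that a verification error results in %GNUTLS_E_PK_SIG_VERIFY_FAILED, so a caller cannot tell from the docblock whether an expired or not-yet-valid signer surfaces as that code or as %GNUTLS_E_EXPIRED / %GNUTLS_E_NOT_YET_ACTIVATED, which the lib/x509/x509.c docblock in this same commit lists explicitly; the implementation is outside the hunk, so the actual code path should be confirmed and the Returns text extended accordingly, e.g. `* %GNUTLS_E_EXPIRED or %GNUTLS_E_NOT_YET_ACTIVATED when @signer fails the time check, and`. The wording also disagrees with NEWS, which announces "time and constraints checks" while both docblocks say "time checks and key usage checks"; the release note and the API documentation should name the same set of checks. Lastly, "this function introduces checks" reads as though calling the function changes the library; `* Note also that since GnuTLS 3.5.6 this function also performs checks on the` states it as behaviour of the call, and the same phrasing applies to the lib/x509/x509.c hunk.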
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 29f776b6dc..a9adff2f4a 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -3981,6 +3981,9 @@ gnutls_x509_crt_verify_data3(gnutls_x509_crt_t crt,
* is returned, %GNUTLS_E_EXPIRED or %GNUTLS_E_NOT_YET_ACTIVATED on expired
* or not yet activated certificate and zero or positive code on success.
*
+ * Note that since GnuTLS 3.5.6 this function introduces checks in the
+ * end certificate (@crt), including time checks and key usage checks.
+ *
* Since: 3.4.0
**/
int