authorNikos Mavrogiannopoulos <nmav@gnutls.org>2014-04-08 18:42:01 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2014-04-08 19:35:38 +0200
commitf7ad44f1b587e057070f57ceee521b8eecf060db (patch)
treed2df86bf2d5d299d3999807233ae10b24b7fbc8c /doc
parentb3ee1e5c22480ae5eb3fde8e4341576de396644e (diff)
downloadgnutls-f7ad44f1b587e057070f57ceee521b8eecf060db.tar.gz
Added gnutls_certificate_verify_peers4, which verifies, in addition to the hostname, the key purpose of the end certificate.
Diffstat (limited to 'doc')
-rw-r--r--doc/cha-cert-auth.texi9
-rw-r--r--doc/cha-cert-auth2.texi2
-rw-r--r--doc/examples/ex-client-x509.c4
-rw-r--r--doc/examples/verify.c4
4 files changed, 13 insertions, 6 deletions
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index fcd089cb88..dfd4f8c9ec 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -349,10 +349,13 @@ When operating in the context of a TLS session, the trusted certificate
authority list may also be set using:
@showfuncC{gnutls_certificate_set_x509_trust_file,gnutls_certificate_set_x509_crl_file,gnutls_certificate_set_x509_system_trust}
-Then it is not required to setup a trusted list as above.
-The function @funcref{gnutls_certificate_verify_peers3}
-may then be used to verify the peer's certificate chain and identity. The flags
+In that case it is not required to setup a trusted list as above, and
+the function @funcref{gnutls_certificate_verify_peers3}
+may be used to verify the peer's certificate chain and identity. The flags
are set similarly to the verification functions in the previous section.
+Note that in certain cases it is required to check the marked purpose of
+the end certificate (e.g. @code{GNUTLS_KP_TLS_WWW_SERVER}); in these case
+@funcref{gnutls_certificate_verify_peers4} should be used instead.
There is also the possibility to pass some input to the verification
functions in the form of flags. For @funcref{gnutls_x509_trust_list_verify_crt} the
diff --git a/doc/cha-cert-auth2.texi b/doc/cha-cert-auth2.texi
index 0cd328240e..a6482a8a4c 100644
--- a/doc/cha-cert-auth2.texi
+++ b/doc/cha-cert-auth2.texi
@@ -154,7 +154,7 @@ in a CRL and/or perform an OCSP check for the certificate.
Note that in the context of a TLS session the server may provide an
OCSP response that will used during the TLS certificate verification
-(see @funcref{gnutls_certificate_verify_peers3}).
+(see @funcref{gnutls_certificate_verify_peers2}).
You may obtain this response using @funcref{gnutls_ocsp_status_request_get}.
Before performing the OCSP query, the application will need to figure
diff --git a/doc/examples/ex-client-x509.c b/doc/examples/ex-client-x509.c
index df96444f9f..dc6b2985e0 100644
--- a/doc/examples/ex-client-x509.c
+++ b/doc/examples/ex-client-x509.c
@@ -158,7 +158,9 @@ static int _verify_certificate_callback(gnutls_session_t session)
/* This verification function uses the trusted CAs in the credentials
* structure. So you must have installed one or more CA certificates.
*/
- ret = gnutls_certificate_verify_peers3(session, hostname, &status);
+ ret = gnutls_certificate_verify_peers4(session, hostname,
+ GNUTLS_KP_TLS_WWW_SERVER,
+ &status);
if (ret < 0) {
printf("Error\n");
return GNUTLS_E_CERTIFICATE_ERROR;
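Review bot: The comment above the call still describes only the trusted-CA lookup, while the new gnutls_certificate_verify_peers4 call additionally requires the end certificate to be marked for the purpose passed as the third argument (GNUTLS_KP_TLS_WWW_SERVER), so someone reusing this callback in a server that verifies client certificates would copy the server purpose unchanged. I would extend the comment with ` * The end certificate must also carry the GNUTLS_KP_TLS_WWW_SERVER purpose; pick the purpose matching the peer's role when reusing this callback.` A negative ret only means the verification could not be carried out; the `status` bitmask still has to be checked for a non-zero value, which presumably happens in the part of _verify_certificate_callback outside this hunk, since the function both starts and ends outside it. The origin of `hostname` is also outside the hunk; if it can be NULL here, confirm what the name check does in that case before relying on this example.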
diff --git a/doc/examples/verify.c b/doc/examples/verify.c
index 4d0d059ea6..86d35808fc 100644
--- a/doc/examples/verify.c
+++ b/doc/examples/verify.c
@@ -23,7 +23,9 @@ int verify_certificate_callback(gnutls_session_t session)
/* This verification function uses the trusted CAs in the credentials
* structure. So you must have installed one or more CA certificates.
*/
- ret = gnutls_certificate_verify_peers3(session, hostname, &status);
+ ret = gnutls_certificate_verify_peers4(session, hostname,
+ GNUTLS_KP_TLS_WWW_SERVER,
+ &status);
if (ret < 0) {
printf("Error\n");
return GNUTLS_E_CERTIFICATE_ERROR;
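Review bot: The switch to gnutls_certificate_verify_peers4 hard-codes GNUTLS_KP_TLS_WWW_SERVER as the required purpose, but the surrounding comment only mentions the trusted CAs, so the new end-certificate purpose requirement is invisible to a reader adapting verify.c for the server side. I would add ` * The end certificate is also required to be marked for the GNUTLS_KP_TLS_WWW_SERVER purpose.` to the comment block above the call. verify_certificate_callback starts and ends outside the hunk; the `status` result of this call must still be inspected for a non-zero verification status after the `ret < 0` check, which I assume happens further down.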