2 files changed, 6 insertions, 0 deletions

diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
index 558bef3f3a..b87dc7a3ca 100644
--- a/lib/x509/pkcs7.c
+++ b/lib/x509/pkcs7.c
@@ -970,6 +970,9 @@ gnutls_pkcs7_get_embedded_data_oid(gnutls_pkcs7_t pkcs7)
  * to verify the intended purpose of the %signer -e.g., via gnutls_x509_crt_get_key_purpose_oid(),
  * or gnutls_x509_crt_check_key_purpose().
  *
+ * Note also, that since GnuTLS 3.5.6 this function introduces checks in the
+ * end certificate (@signer), including time checks and key usage checks.
+ *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error value. A verification error results to a
  *   %GNUTLS_E_PK_SIG_VERIFY_FAILED and the lack of encapsulated data
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 29f776b6dc..a9adff2f4a 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -3981,6 +3981,9 @@ gnutls_x509_crt_verify_data3(gnutls_x509_crt_t crt,
  * is returned, %GNUTLS_E_EXPIRED or %GNUTLS_E_NOT_YET_ACTIVATED on expired
  * or not yet activated certificate and zero or positive code on success.
  *
+ * Note that since GnuTLS 3.5.6 this function introduces checks in the
+ * end certificate (@crt), including time checks and key usage checks.
+ *
  * Since: 3.4.0
  **/
 int