From d10397abb13ee7b343c7ac5fb549a2fe07207d00 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Tue, 18 Oct 2016 15:42:52 +0200
Subject: doc update [ci skip]

---
 NEWS | 4 ++++
 lib/x509/pkcs7.c | 3 +++
 lib/x509/x509.c | 3 +++
 3 files changed, 10 insertions(+)

diff --git a/NEWS b/NEWS
index de3a4be302..5e299f22d6 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,10 @@ See the end for copying conditions.
 ** libgnutls: Introduced a function group to set known DH parameters using groups from RFC7919.
+** libgnutls: Introduced time and constraints checks in the end certificate
+ in the gnutls_x509_crt_verify_data2() and gnutls_pkcs7_verify_direct()
+ functions.
+
 ** certtool: --get-dh-params will output parameters from the RFC7919 groups.
diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
index 558bef3f3a..b87dc7a3ca 100644
--- a/lib/x509/pkcs7.c
+++ b/lib/x509/pkcs7.c
@@ -970,6 +970,9 @@ gnutls_pkcs7_get_embedded_data_oid(gnutls_pkcs7_t pkcs7)
  * to verify the intended purpose of the %signer -e.g., via gnutls_x509_crt_get_key_purpose_oid(),
  * or gnutls_x509_crt_check_key_purpose().
  *
+ * Note also, that since GnuTLS 3.5.6 this function introduces checks in the
+ * end certificate (@signer), including time checks and key usage checks.
+ *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  * negative error value. A verification error results to a
  * %GNUTLS_E_PK_SIG_VERIFY_FAILED and the lack of encapsulated data
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 29f776b6dc..a9adff2f4a 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -3981,6 +3981,9 @@ gnutls_x509_crt_verify_data3(gnutls_x509_crt_t crt,
  * is returned, %GNUTLS_E_EXPIRED or %GNUTLS_E_NOT_YET_ACTIVATED on expired
  * or not yet activated certificate and zero or positive code on success.
  *
+ * Note that since GnuTLS 3.5.6 this function introduces checks in the
+ * end certificate (@crt), including time checks and key usage checks.
+ *
  * Since: 3.4.0
  **/
 int
--
cgit v1.2.1
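Review bot: The paragraph added to the pkcs7.c doc comment says the function now performs time and key-usage checks on @signer, but the Returns: paragraph directly below it still names only %GNUTLS_E_PK_SIG_VERIFY_FAILED, so a caller cannot tell from the documentation whether an expired or not-yet-valid signer comes back as a distinct code (the way the x509.c hunk's Returns: text already lists %GNUTLS_E_EXPIRED and %GNUTLS_E_NOT_YET_ACTIVATED) or is folded into the generic verification failure; whichever the implementation does, it should be stated in the note or in Returns:. The note also does not say which key-usage bit the check requires, which is exactly what a caller deciding whether an existing signer certificate will still pass needs to know, so naming it would make the note actionable rather than a warning. As a wording point that applies to both the pkcs7.c and x509.c hunks, the function does not introduce checks, the release does: `Note also that since GnuTLS 3.5.6 this function performs checks on the end certificate (@signer), including time checks and key usage checks.` reads more precisely. The comment documents a function whose definition lies entirely outside the hunk.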