5 files changed, 161 insertions, 10 deletions

diff --git a/lib/public_key/doc/src/Makefile b/lib/public_key/doc/src/Makefile
index f5157fe87a..03467e9783 100644
--- a/lib/public_key/doc/src/Makefile
+++ b/lib/public_key/doc/src/Makefile
@@ -99,6 +99,7 @@ html: gifs $(HTML_REF_MAN_FILE)
 
 clean clean_docs:
 	rm -rf $(HTMLDIR)/*
+	rm -rf $(XMLDIR)
 	rm -f $(MAN3DIR)/*
 	rm -f $(MAN6DIR)/*
 	rm -f $(TOP_PDF_FILE) $(TOP_PDF_FILE:%.pdf=%.fo)
diff --git a/lib/public_key/doc/src/notes.xml b/lib/public_key/doc/src/notes.xml
index 11012ee9e5..204520473a 100644
--- a/lib/public_key/doc/src/notes.xml
+++ b/lib/public_key/doc/src/notes.xml
@@ -5,7 +5,7 @@
   <header>
     <copyright>
       <year>2008</year>
-      <year>2017</year>
+      <year>2018</year>
       <holder>Ericsson AB, All Rights Reserved</holder>
     </copyright>
     <legalnotice>
@@ -35,6 +35,83 @@
     <file>notes.xml</file>
   </header>
 
+<section><title>Public_Key 1.6.1</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    Some of the keylengths in the newly generated moduli file
+	    in public_key are not universally supported. This could
+	    cause the SSH key exchange
+	    diffie-hellman-group-exchange-sha* to fail.</p>
+          <p>
+	    Those keylengths are now removed.</p>
+          <p>
+	    Own Id: OTP-15151 Aux Id: OTP-15113 </p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
+<section><title>Public_Key 1.6</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    Update calls to the base64 module to conform to that
+	    module's type specifications.</p>
+          <p>
+	    Own Id: OTP-14788 Aux Id: OTP-14624 </p>
+        </item>
+      </list>
+    </section>
+
+
+    <section><title>Improvements and New Features</title>
+      <list>
+        <item>
+          <p>
+	    Use uri_string module instead of http_uri.</p>
+          <p>
+	    Own Id: OTP-14902</p>
+        </item>
+        <item>
+          <p>
+	    A new function -
+	    <c>public_key:pkix_verify_hostname_match_fun/1</c> -
+	    returns a fun to be given as option <c>match_fun</c> to
+	    <c>public_key:pkix_verify_hostname/3</c> or via ssl.</p>
+          <p>
+	    The fun makes the verify hostname matching according to
+	    the specific rules for the protocol in the argument.
+	    Presently only <c>https</c> is supported.</p>
+          <p>
+	    Own Id: OTP-14962 Aux Id: ERL-542, OTP-15102 </p>
+        </item>
+        <item>
+          <p>
+	    Compleate PKCS-8 encoding support and enhance the
+	    decoding of 'PrivateKeyInfo' to conform to the rest of
+	    Erlang public_key API.</p>
+          <p>
+	    Own Id: OTP-15093</p>
+        </item>
+        <item>
+          <p>
+	    A new moduli file is generated. This file is used for the
+	    recommended <c>diffie-hellman-group-exchange-sha256</c>
+	    key exchange algorithm in SSH.</p>
+          <p>
+	    Own Id: OTP-15113</p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
 <section><title>Public_Key 1.5.2</title>
 
     <section><title>Fixed Bugs and Malfunctions</title>
diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml
index dea35bc390..c0a67c25b8 100644
--- a/lib/public_key/doc/src/public_key.xml
+++ b/lib/public_key/doc/src/public_key.xml
@@ -5,7 +5,7 @@
   <header>
     <copyright>
       <year>2008</year>
-      <year>2017</year>
+      <year>2018</year>
       <holder>Ericsson AB, All Rights Reserved</holder>
     </copyright>
     <legalnotice>
@@ -95,10 +95,12 @@
       <p><c>| {#'PBEParameter{}, digest_type()} | #'PBES2-params'{}}</c></p>
       </item>
       
-      <tag><c>public_key() =</c></tag>
+      <tag><marker id="type-public_key"/>
+      <c>public_key() =</c></tag>
       <item><p><c>rsa_public_key() | dsa_public_key() | ec_public_key()</c></p></item>
       
-      <tag><c>private_key() =</c></tag>
+      <tag><marker id="type-private_key"/>
+      <c>private_key() =</c></tag>
       <item><p><c>rsa_private_key() | dsa_private_key() | ec_private_key()</c></p></item>
 
       <tag><c>rsa_public_key() =</c></tag>
@@ -967,27 +969,96 @@ fun(#'DistributionPoint'{}, #'CertificateList'{},
     </type>
     <desc>
       <p>This function checks that the <i>Presented Identifier</i> (e.g hostname) in a peer certificate
-      is in agreement with the <i>Reference Identifier</i> that the client expects to be connected to.
+      is in agreement with at least one of the <i>Reference Identifier</i> that the client expects to be connected to.
       The function is intended to be added as an extra client check of the peer certificate when performing
       <seealso marker="public_key:public_key#pkix_path_validation-3">public_key:pkix_path_validation/3</seealso>
       </p>
       <p>See <url href="https://tools.ietf.org/html/rfc6125">RFC 6125</url>
       for detailed information about hostname verification.
-      The <seealso marker="using_public_key#verify_hostname">User's Manual</seealso>
+      The <seealso marker="using_public_key#verify_hostname">User's Guide</seealso>
       and
       <seealso marker="using_public_key#verify_hostname_examples">code examples</seealso>
       describes this function more detailed.
       </p>
       <p>The <c>{OtherRefId,term()}</c> is defined by the user and is passed to the <c>match_fun</c>, if defined.
-      If that term is a binary, it will be converted to a string.
+      If the term in <c>OtherRefId</c> is a binary, it will be converted to a string.
       </p>
       <p>The <c>ip</c> Reference ID takes an <seealso marker="inet:inet#type-ip_address">inet:ip_address()</seealso>
       or an ip address in string format (E.g "10.0.1.1" or "1234::5678:9012") as second element.
       </p>
+      <p>The options are:</p>
+      <taglist>
+	<tag><c>match_fun</c></tag>
+	<item>
+	  The <c>fun/2</c> in this option replaces the default host name matching rules. The fun should return a
+	  boolean to tell if the Reference ID and Presented ID matches or not. The fun can also return a third 
+	  value, the atom <c>default</c>, if the default matching rules shall apply.
+	  This makes it possible to augment the tests with a special case:
+	  <code>
+fun(....) -> true;   % My special case
+   (_, _) -> default % all others falls back to the inherit tests
+end
+	  </code>
+	  <br/>See <seealso marker="#pkix_verify_hostname_match_fun-1">pkix_verify_hostname_match_fun/1</seealso> for a
+	  function that takes a protocol name as argument and returns a <c>fun/2</c> suitable for this option and
+	  <seealso marker="using_public_key#redefining_match_op">Re-defining the match operation</seealso>
+	  in the User's Guide for an example.
+	</item>
+
+	<tag><c>fail_callback</c></tag>
+	<item>If a matching fails, there could be circumstances when the certificate should be accepted anyway. Think for
+	example of a web browser where you choose to accept an outdated certificate. This option enables implementation
+	of such a function. This <c>fun/1</c> is called when no <c>ReferenceID</c> matches. The return value of the fun
+	(a <c>boolean()</c>) decides the outcome. If <c>true</c> the the certificate is accepted otherwise
+	it is rejected. See
+	<seealso marker="using_public_key#-pinning--a-certificate">"Pinning" a Certificate</seealso>
+	in the User's Guide.
+	</item>
+
+	<tag><c>fqdn_fun</c></tag>
+	<item>This option augments the host name extraction from URIs and other Reference IDs. It could for example be
+	a very special URI that is not standardised. The fun takes a Reference ID as argument and returns one of:
+	<list>
+	  <item>the hostname</item>
+	  <item>the atom <c>default</c>: the default host name extract function will be used</item>
+	  <item>the atom <c>undefined</c>: a host name could not be extracted. The pkix_verify_hostname/3
+	  will return <c>false</c>.</item>
+	</list>
+	<br/>For an example, see
+	<seealso marker="using_public_key#hostname_extraction">Hostname extraction</seealso>
+	in the User's Guide.
+	</item>
+      </taglist>
+
     </desc>
   </func>
 
   <func>
+    <name>pkix_verify_hostname_match_fun(Protcol) ->  fun(RefId | FQDN::string(), PresentedID) -> boolean() | default</name>
+    <fsummary>Returns a fun that is intendended as argument to the match_fun option in pkix_verify_hostname/3.
+    </fsummary>
+    <type>
+      <v>Protocol = https</v>
+      <d>The algorithm for wich the fun should implement the special matching rules</d>
+      <v>RefId</v>
+      <d>See <seealso marker="#pkix_verify_hostname-3">pkix_verify_hostname/3</seealso>.</d>
+      <v>FQDN</v>
+      <d>See <seealso marker="#pkix_verify_hostname-3">pkix_verify_hostname/3</seealso>.</d>
+      <v>PresentedID</v>
+      <d>See <seealso marker="#pkix_verify_hostname-3">pkix_verify_hostname/3</seealso>.</d>
+    </type>
+    <desc>
+      <p>The return value of calling this function is intended to be used in the <c>match_fun</c> option in
+      <seealso marker="#pkix_verify_hostname-3">pkix_verify_hostname/3</seealso>.
+      </p>
+      <p>The returned fun augments the verify hostname matching according to the specific rules for
+      the protocol in the argument.
+      </p>
+    </desc>
+  </func>
+  
+
+  <func>
     <name>sign(Msg, DigestType, Key) -> binary()</name>
     <name>sign(Msg, DigestType, Key, Options) -> binary()</name>
     <fsummary>Creates a digital signature.</fsummary>
diff --git a/lib/public_key/doc/src/public_key_records.xml b/lib/public_key/doc/src/public_key_records.xml
index 9ebdbb244d..d26867c12f 100644
--- a/lib/public_key/doc/src/public_key_records.xml
+++ b/lib/public_key/doc/src/public_key_records.xml
@@ -5,7 +5,7 @@
   <header>
     <copyright>
       <year>2008</year>
-      <year>2015</year>
+      <year>2018</year>
       <holder>Ericsson AB, All Rights Reserved</holder>
     </copyright>
     <legalnotice>
diff --git a/lib/public_key/doc/src/using_public_key.xml b/lib/public_key/doc/src/using_public_key.xml
index 417d479da3..de0a6596c3 100644
--- a/lib/public_key/doc/src/using_public_key.xml
+++ b/lib/public_key/doc/src/using_public_key.xml
@@ -4,7 +4,7 @@
 <chapter>
   <header>
     <copyright>
-      <year>2011</year><year>2016</year>
+      <year>2011</year><year>2018</year>
       <holder>Ericsson AB. All Rights Reserved.</holder>
     </copyright>
     <legalnotice>
@@ -570,6 +570,7 @@ true = public_key:verify(Digest, none, Signature, PublicKey),</code>
      <c>fqdn_fun</c> and <c>match_fun</c>.
      </p>
      <section>
+       <marker id="hostname_extraction"></marker>
        <title>Hostname extraction</title>
        <p>The <c>fqdn_fun</c> extracts hostnames (Fully Qualified Domain Names) from uri_id
        or other ReferenceIDs that are not pre-defined in the public_key function.
@@ -595,7 +596,8 @@ true = public_key:verify(Digest, none, Signature, PublicKey),</code>
        </code>
      </section>
      <section>
-       <title>Re-defining the match operations</title>
+       <marker id="redefining_match_op"></marker>
+       <title>Re-defining the match operation</title>
        <p>The default matching handles dns_id and uri_id. In an uri_id the value is tested for
        equality with a value from the <c>Subject Alternate Name</c>. If som other kind of matching
        is needed, use the  <c>match_fun</c> option.