3 files changed, 57 insertions, 10 deletions

diff --git a/lib/public_key/doc/src/notes.xml b/lib/public_key/doc/src/notes.xml
index 592d3c797d..fe4bf5ce2d 100644
--- a/lib/public_key/doc/src/notes.xml
+++ b/lib/public_key/doc/src/notes.xml
@@ -34,6 +34,22 @@
     <file>notes.xml</file>
   </header>
 
+<section><title>Public_Key 0.22.1</title>
+
+    <section><title>Fixed Bugs and Malfunctions</title>
+      <list>
+        <item>
+          <p>
+	    Added missing encoding support for PBES2, and also
+	    completed support for PBES1 that was incomplete.</p>
+          <p>
+	    Own Id: OTP-11915</p>
+        </item>
+      </list>
+    </section>
+
+</section>
+
 <section><title>Public_Key 0.22</title>
 
     <section><title>Fixed Bugs and Malfunctions</title>
diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml
index 88b1a9248e..e3473f80d7 100644
--- a/lib/public_key/doc/src/public_key.xml
+++ b/lib/public_key/doc/src/public_key.xml
@@ -431,10 +431,12 @@
     <name>pkix_path_validation(TrustedCert, CertChain, Options) -> {ok, {PublicKeyInfo, PolicyTree}} | {error, {bad_cert, Reason}} </name>
     <fsummary> Performs a basic path validation according to RFC 5280.</fsummary>
      <type>
-       <v> TrustedCert =  #'OTPCertificate'{} | der_encode() | unknown_ca | selfsigned_peer  </v>
-       <d>Normally a trusted certificate but it can also be one of the path validation
-       errors <c>unknown_ca </c> or <c>selfsigned_peer </c> that can be discovered while
-       constructing the input to this function and that should be run through the <c>verify_fun</c>.</d>
+       <v> TrustedCert =  #'OTPCertificate'{} | der_encode() | atom()  </v>
+       <d>Normally a trusted certificate but it can also be a path validation
+       error that can be discovered while
+       constructing the input to this function and that should be run through the <c>verify_fun</c>.
+       For example <c>unknown_ca </c> or <c>selfsigned_peer </c>
+       </d>
        <v> CertChain = [der_encode()]</v>
        <d>A list of DER encoded certificates in trust order ending with the peer certificate.</d>
        <v> Options = proplists:proplist()</v>
@@ -442,8 +444,8 @@
        rsa_public_key() | integer(), 'NULL' | 'Dss-Parms'{}}</v>
        <v> PolicyTree = term() </v>
        <d>At the moment this will always be an empty list as Policies are not currently supported</d>
-       <v> Reason = cert_expired | invalid_issuer | invalid_signature | unknown_ca |
-       selfsigned_peer | name_not_permitted | missing_basic_constraint | invalid_key_usage | crl_reason()
+       <v> Reason = cert_expired | invalid_issuer | invalid_signature | name_not_permitted |
+       missing_basic_constraint | invalid_key_usage | {revoked, crl_reason()} | atom()
        </v>
      </type>
      <desc>
@@ -451,7 +453,7 @@
 	 Performs a basic path validation according to
 	 <url href="http://www.ietf.org/rfc/rfc5280.txt">RFC 5280.</url>
 	 However CRL validation is done separately by <seealso
-	 marker="public_key#pkix_crls_validate-3">pkix_crls_validate/3 </seealso> and should be called
+	 marker="#pkix_crls_validate-3">pkix_crls_validate/3 </seealso> and should be called
 	 from the supplied <c>verify_fun</c>
        </p>
 
@@ -464,7 +466,7 @@
 
 	  <code>
 fun(OtpCert :: #'OTPCertificate'{},
-    Event :: {bad_cert, Reason :: atom()} |
+    Event :: {bad_cert, Reason :: atom() | {revoked, atom()}} |
              {extension, #'Extension'{}},
     InitialUserState :: term()) ->
 	{valid, UserState :: term()} |
@@ -493,6 +495,35 @@ fun(OtpCert :: #'OTPCertificate'{},
 	  on.
 	</item>
       </taglist>
+
+      <p> Possible reasons for a bad certificate are: </p>
+      <taglist>
+	<tag>cert_expired</tag>
+	<item>The certificate is no longer valid as its expiration date has passed.</item>
+
+	<tag>invalid_issuer</tag>
+	<item>The certificate issuer name does not match the name of the issuer certificate in the chain.</item>
+
+	<tag>invalid_signature</tag>
+	<item>The certificate was not signed by its issuer certificate in the chain.</item>
+
+	<tag>name_not_permitted</tag>
+	<item>Invalid Subject Alternative Name extension.</item>
+
+	<tag>missing_basic_constraint</tag>
+	<item>Certificate, required to have the basic constraints extension, does not have
+	a basic constraints extension.</item>
+
+	<tag>invalid_key_usage</tag>
+	<item>Certificate key is used in an invalid way according to the key usage extension.</item>
+
+	<tag>{revoked, crl_reason()}</tag>
+	<item>Certificate has been revoked.</item>
+
+	<tag>atom()</tag>
+	<item>Application specific error reason that should be checked by the verify_fun</item>
+      </taglist>
+
     </desc>
    </func>
 
@@ -508,7 +539,7 @@ fun(OtpCert :: #'OTPCertificate'{},
      </type>
      <desc>
       <p> Performs CRL validation. It is intended to be called from
-      the verify fun of  <seealso marker="public_key#pkix_path_validation-3"> pkix_path_validation/3
+      the verify fun of  <seealso marker="#pkix_path_validation-3"> pkix_path_validation/3
        </seealso></p>
       <taglist>
 	<p> Available options are: </p>
diff --git a/lib/public_key/vsn.mk b/lib/public_key/vsn.mk
index f0450918aa..2fa2d725c3 100644
--- a/lib/public_key/vsn.mk
+++ b/lib/public_key/vsn.mk
@@ -1 +1 @@
-PUBLIC_KEY_VSN = 0.22
+PUBLIC_KEY_VSN = 0.22.1