ldns(3)                    Library Functions Manual                    ldns(3)


NAME

       ldns_dane_verify, ldns_dane_verify_rr


SYNOPSIS

       #include <stdint.h>
       #include <stdbool.h>

       #include <ldns/ldns.h>

       ldns_status ldns_dane_verify(ldns_rr_list* tlsas, X509* cert,
       STACK_OF(X509)* extra_certs, X509_STORE* pkix_validation_store);

       ldns_status ldns_dane_verify_rr(const ldns_rr* tlsa_rr, X509* cert,
       STACK_OF(X509)* extra_certs, X509_STORE* pkix_validation_store);


DESCRIPTION

       ldns_dane_verify() Verify whether any of the given TLSA resource
              records matches the given certificate.

              tlsas: The resource records that specify what and how to match
              the certificate. One must match for this function to succeed.
              With tlsas == NULL or the number of TLSA records in tlsas == 0,
              regular PKIX validation is performed instead.
              cert: The certificate to match (and validate).
              extra_certs: Intermediate certificates that might be necessary
              to build the validation chain.
              pkix_validation_store: The trust store used to validate the
              certificate when the certificate usage is "CA constraint"
              (usage 0) or "Service certificate constraint" (usage 1), the
              two usages that require PKIX validation in addition to the
              TLSA match.

              Returns LDNS_STATUS_OK on success,
              LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when one of the TLSA
              records matched but the PKIX validation failed,
              LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH when none of the TLSA
              records matched, or other ldns_status errors.

       ldns_dane_verify_rr() Verify whether the given TLSA resource record
              matches the given certificate. Reporting a TLSA data mismatch
              (LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH) takes precedence over
              reporting a PKIX failure (LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE).
              So when PKIX validation is required by the TLSA certificate
              usage but the TLSA data does not match,
              LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH is returned regardless of
              whether the PKIX validation would have succeeded.

              tlsa_rr: The resource record that specifies what and how to
              match the certificate. With tlsa_rr == NULL, regular PKIX
              validation is performed instead.
              cert: The certificate to match (and validate).
              extra_certs: Intermediate certificates that might be necessary
              to build the validation chain.
              pkix_validation_store: The trust store used to validate the
              certificate when the certificate usage is "CA constraint"
              (usage 0) or "Service certificate constraint" (usage 1).

              Returns LDNS_STATUS_OK on success,
              LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH on TLSA data mismatch,
              LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when the TLSA matched
              but the PKIX validation failed, or other ldns_status errors.

       Both functions are only compiled in when ldns is built with DANE
       support, which requires OpenSSL. Neither function checks where the
       TLSA records came from: DANE only provides security when the TLSA
       records were obtained through a DNSSEC-validating lookup, so the
       caller must have established that before passing them in.


AUTHOR

       The ldns team at NLnet Labs, which consists of Jelte Jansen and
       Miek Gieben.


REPORTING BUGS

       Please report bugs to ldns-team@nlnetlabs.nl or in our bugzilla at
       http://www.nlnetlabs.nl/bugs/index.html


COPYRIGHT

       Copyright (c) 2004 - 2006 NLnet Labs.

       Licensed under the BSD License. There is NO warranty; not even for
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.


SEE ALSO

       ldns_dane_create_tlsa_owner, ldns_dane_cert2rdf,
       ldns_dane_select_certificate, ldns_dane_create_tlsa_rr. And perldoc
       Net::DNS, RFC1034, RFC1035, RFC4033, RFC4034, RFC4035 and RFC6698
       (DANE TLSA records and certificate usages).


REMARKS

       This manpage was automatically generated from the ldns source code by
       use of Doxygen and some perl.


                                 30 May 2006                          ldns(3)