1dane_verify_crt(3)                  gnutls                  dane_verify_crt(3)
2
3
4

NAME

6       dane_verify_crt - API function
7

SYNOPSIS

9       #include <gnutls/dane.h>
10
11       int  dane_verify_crt(dane_state_t  s,  const  gnutls_datum_t  *  chain,
12       unsigned chain_size, gnutls_certificate_type_t chain_type, const char *
13       hostname,  const  char * proto, unsigned int port, unsigned int sflags,
14       unsigned int vflags, unsigned int * verify);
15

ARGUMENTS

17       dane_state_t s
18                   A DANE state structure (may be NULL)
19
20       const gnutls_datum_t * chain
21                   A certificate chain
22
23       unsigned chain_size
24                   The size of the chain
25
26       gnutls_certificate_type_t chain_type
27                   The type of the certificate chain
28
29       const char * hostname
30                   The hostname associated with the chain
31
32       const char * proto
33                   The protocol of the service connecting (e.g. tcp)
34
35       unsigned int port
36                   The port of the service connecting (e.g. 443)
37
38       unsigned int sflags
39                   Flags for the initialization of  s (if NULL)
40
41       unsigned int vflags
42                   Verification flags; an OR'ed list of dane_verify_flags_t.
43
44       unsigned int * verify
45                   An OR'ed list of dane_verify_status_t.
46

DESCRIPTION

48       This function will verify the given certificate chain  against  the  CA
49       constrains  and/or  the certificate available via DANE.  If no informa‐
50       tion via DANE can be obtained the flag DANE_VERIFY_NO_DANE_INFO is set.
51       If  a  DNSSEC  signature  is not available for the DANE record then the
52       verify flag DANE_VERIFY_NO_DNSSEC_DATA is set.
53
54       Due to the many possible options of DANE, there  is  no  single  threat
55       model  countered.  When  notifying  the  user  about  DANE verification
56       results it may be better to mention: DANE verification did  not  reject
57       the certificate, rather than mentioning a successful DANE verication.
58
59       Note  that  this  function  is designed to be run in addition to PKIX -
60       certificate  chain  -  verification.  To  be  run   independently   the
61       DANE_VFLAG_ONLY_CHECK_EE_USAGE flag should be specified; then the func‐
62       tion will check whether the key of the peer matches the key  advertized
63       in the DANE entry.
64

RETURNS

66       a  negative  error  code  on error and DANE_E_SUCCESS (0) when the DANE
67       entries were successfully parsed, irrespective  of  whether  they  were
68       verified  (see  verify for that information). If no usable entries were
69       encountered DANE_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
70

REPORTING BUGS

72       Report bugs to <bugs@gnutls.org>.
73       Home page: http://www.gnutls.org
74
75

COPYRIGHT

77       Copyright © 2001-2018 Free Software Foundation, Inc., and others.
78       Copying and distribution of this file, with  or  without  modification,
79       are  permitted  in  any  medium  without royalty provided the copyright
80       notice and this notice are preserved.
81

SEE ALSO

83       The full documentation for gnutls is maintained as  a  Texinfo  manual.
84       If  the /usr/share/doc/gnutls/ directory does not contain the HTML form
85       visit
86
87       http://www.gnutls.org/manual/
88
89gnutls                               3.6.5                  dane_verify_crt(3)