1ldns(3) Library Functions Manual ldns(3)
2
3
4
6 ldns_dane_verify, ldns_dane_verify_rr - TLSA RR verification functions
7
8
10 #include <stdint.h>
11 #include <stdbool.h>
12
13 #include <ldns/ldns.h>
14
15 ldns_status ldns_dane_verify(const ldns_rr_list* tlsas, X509* cert,
16 STACK_OF(X509)* extra_certs, X509_STORE* pkix_validation_store);
17
18 ldns_status ldns_dane_verify_rr(const ldns_rr* tlsa_rr, X509* cert,
19 STACK_OF(X509)* extra_certs, X509_STORE* pkix_validation_store);
20
22 ldns_dane_verify() BEWARE! We strongly recommend to use OpenSSL 1.1.0
23 dane verification functions instead of the ones provided by
24 ldns. When OpenSSL 1.1.0 was available ldns will use the
25 OpenSSL 1.1.0 dane verification functions under the hood. When
26 ldns was linked with OpenSSL < 1.1.0, this function will not be
27 able to verify TLSA records with DANE-TA usage types.
28
29 BEWARE! The ldns dane verification functions do *not* do server
30 name checks. The user has to perform additional server name
31 checks themselves!
32
33 Verify if any of the given TLSA resource records matches the
34 given certificate.
35
36 tlsas: The resource records that specify what and how to match
37 the certificate. One must match for this function to succeed.
38 With tlsas == NULL or the number of TLSA records in tlsas == 0,
39 regular PKIX validation is performed.
40 cert: The certificate to match (and validate)
41 extra_certs: Intermediate certificates that might be necessary
42 creating the validation chain.
43 pkix_validation_store: Used when the certificate usage is "CA
44 constraint" or "Service Certificate Constraint" to validate the
45 certificate.
46
47 Returns LDNS_STATUS_OK on success, LDNS_STA‐
48 TUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA when at least one of
49 the TLSA's had usage type DANE-TA and none of the TLSA's matched
50 or PKIX validated, LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when
51 one of the TLSA's matched but the PKIX validation failed,
52 LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH when none of the TLSA's
53 matched, or other ldns_status errors.
54
55 ldns_dane_verify_rr() BEWARE! We strongly recommend to use OpenSSL
56 1.1.0 dane verification functions instead of the ones provided
57 by ldns. When OpenSSL 1.1.0 was available ldns will use the
58 OpenSSL 1.1.0 dane verification functions under the hood. When
59 ldns was linked with OpenSSL < 1.1.0, this function will not be
60 able to verify TLSA records with DANE-TA usage types.
61
62 BEWARE! The ldns dane verification functions do *not* do server
63 name checks. The user has to perform additional server name
64 checks themselves!
65
66 Verify if the given TLSA resource record matches the given cer‐
67 tificate. Reporting on a TLSA rr mismatch (‐
68 LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH) is preferred over PKIX
69 failure (LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE). So when PKIX
70 validation is required by the TLSA Certificate usage, but the
71 TLSA data does not match, LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH is
72 returned whether the PKIX validated or not.
73
74 When ldns is linked with OpenSSL < 1.1.0 and this function is
75 available, then the DANE-TA usage type will not be verified, and
76 on a tlsa_rr with this usage type, LDNS_STA‐
77 TUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA will be returned.
78
79 tlsa_rr: The resource record that specifies what and how to
80 match the certificate. With tlsa_rr == NULL, regular PKIX vali‐
81 dation is performed.
82 cert: The certificate to match (and validate)
83 extra_certs: Intermediate certificates that might be necessary
84 creating the validation chain.
85 pkix_validation_store: Used when the certificate usage is "CA
86 constraint" or "Service Certificate Constraint" to validate the
87 certificate.
88
89 Returns LDNS_STATUS_OK on success, LDNS_STA‐
90 TUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA when the provided TLSA
91 had the DANE-TA usage type, LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH
92 on TLSA data mismatch, LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE
93 when TLSA matched, but the PKIX validation failed, or other
94 ldns_status errors.
95
97 The ldns team at NLnet Labs. Which consists out of Jelte Jansen and
98 Miek Gieben.
99
100
102 Please report bugs to ldns-team@nlnetlabs.nl or in our bugzilla at
103 http://www.nlnetlabs.nl/bugs/index.html
104
105
107 Copyright (c) 2004 - 2006 NLnet Labs.
108
109 Licensed under the BSD License. There is NO warranty; not even for MER‐
110 CHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
111
112
114 ldns_dane_create_tlsa_owner, ldns_dane_cert2rdf, ldns_dane_select_cer‐
115 tificate, ldns_dane_create_tlsa_rr. And perldoc Net::DNS, RFC1034,
116 RFC1035, RFC4033, RFC4034 and RFC4035.
117
119 This manpage was automatically generated from the ldns source code by
120 use of Doxygen and some perl.
121
122
123
124 30 May 2006 ldns(3)