1dane_verify_crt(3)                  gnutls                  dane_verify_crt(3)
2
3
4

NAME

6       dane_verify_crt - API function
7

SYNOPSIS

9       #include <gnutls/dane.h>
10
11       int  dane_verify_crt(dane_state_t  s, const gnutls_datum_t * chain, un‐
12       signed chain_size, gnutls_certificate_type_t chain_type, const  char  *
13       hostname,  const  char * proto, unsigned int port, unsigned int sflags,
14       unsigned int vflags, unsigned int * verify);
15

ARGUMENTS

17       dane_state_t s
18                   A DANE state structure (may be NULL)
19
20       const gnutls_datum_t * chain
21                   A certificate chain
22
23       unsigned chain_size
24                   The size of the chain
25
26       gnutls_certificate_type_t chain_type
27                   The type of the certificate chain
28
29       const char * hostname
30                   The hostname associated with the chain
31
32       const char * proto
33                   The protocol of the service connecting (e.g. tcp)
34
35       unsigned int port
36                   The port of the service connecting (e.g. 443)
37
38       unsigned int sflags
39                   Flags for the initialization of  s (if NULL)
40
41       unsigned int vflags
42                   Verification flags; an OR'ed list of dane_verify_flags_t.
43
44       unsigned int * verify
45                   An OR'ed list of dane_verify_status_t.
46

DESCRIPTION

48       This function will verify the given certificate chain  against  the  CA
49       constrains  and/or  the certificate available via DANE.  If no informa‐
50       tion via DANE can be obtained the flag DANE_VERIFY_NO_DANE_INFO is set.
51       If  a  DNSSEC  signature  is not available for the DANE record then the
52       verify flag DANE_VERIFY_NO_DNSSEC_DATA is set.
53
54       Due to the many possible options of DANE, there  is  no  single  threat
55       model  countered.  When  notifying the user about DANE verification re‐
56       sults it may be better to mention: DANE verification did not reject the
57       certificate, rather than mentioning a successful DANE verication.
58
59       Note  that  this  function  is designed to be run in addition to PKIX -
60       certificate  chain  -  verification.  To  be  run   independently   the
61       DANE_VFLAG_ONLY_CHECK_EE_USAGE flag should be specified; then the func‐
62       tion will check whether the key of the peer matches the key  advertized
63       in the DANE entry.
64

RETURNS

66       a negative error code on error and DANE_E_SUCCESS (0) when the DANE en‐
67       tries were successfully parsed, irrespective of whether they were veri‐
68       fied  (see  verify for that information). If no usable entries were en‐
69       countered DANE_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
70

REPORTING BUGS

72       Report bugs to <bugs@gnutls.org>.
73       Home page: https://www.gnutls.org
74
75
77       Copyright © 2001- Free Software Foundation, Inc., and others.
78       Copying and distribution of this file, with  or  without  modification,
79       are  permitted in any medium without royalty provided the copyright no‐
80       tice and this notice are preserved.
81

SEE ALSO

83       The full documentation for gnutls is maintained as  a  Texinfo  manual.
84       If  the /usr/share/doc/gnutls/ directory does not contain the HTML form
85       visit
86
87       https://www.gnutls.org/manual/
88
89gnutls                               3.7.6                  dane_verify_crt(3)
Impressum