dane_verify_crt(3) — Linux manual page


dane_verify_crt(3)               gnutls               dane_verify_crt(3)

NAME         top

       dane_verify_crt - API function

SYNOPSIS         top

       #include <gnutls/dane.h>

       int dane_verify_crt(dane_state_t s, const gnutls_datum_t * chain,
       unsigned chain_size, gnutls_certificate_type_t chain_type, const
       char * hostname, const char * proto, unsigned int port, unsigned
       int sflags, unsigned int vflags, unsigned int * verify);

ARGUMENTS         top

       dane_state_t s
                   A DANE state structure (may be NULL)

       const gnutls_datum_t * chain
                   A certificate chain

       unsigned chain_size
                   The size of the chain

       gnutls_certificate_type_t chain_type
                   The type of the certificate chain

       const char * hostname
                   The hostname associated with the chain

       const char * proto
                   The protocol of the service connecting (e.g. tcp)

       unsigned int port
                   The port of the service connecting (e.g. 443)

       unsigned int sflags
                   Flags for the initialization of  s (if NULL)

       unsigned int vflags
                   Verification flags; an OR'ed list of

       unsigned int * verify
                   An OR'ed list of dane_verify_status_t.

DESCRIPTION         top

       This function will verify the given certificate chain against the
       CA constrains and/or the certificate available via DANE.  If no
       information via DANE can be obtained the flag
       DANE_VERIFY_NO_DANE_INFO is set. If a DNSSEC signature is not
       available for the DANE record then the verify flag

       Due to the many possible options of DANE, there is no single
       threat model countered. When notifying the user about DANE
       verification results it may be better to mention: DANE
       verification did not reject the certificate, rather than
       mentioning a successful DANE verication.

       Note that this function is designed to be run in addition to PKIX
       - certificate chain - verification. To be run independently the
       DANE_VFLAG_ONLY_CHECK_EE_USAGE flag should be specified; then the
       function will check whether the key of the peer matches the key
       advertized in the DANE entry.

RETURNS         top

       a negative error code on error and DANE_E_SUCCESS (0) when the
       DANE entries were successfully parsed, irrespective of whether
       they were verified (see  verify for that information). If no
       usable entries were encountered
       DANE_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

REPORTING BUGS         top

       Report bugs to <bugs@gnutls.org>.
       Home page: https://www.gnutls.org

COPYRIGHT         top

       Copyright © 2001- Free Software Foundation, Inc., and others.
       Copying and distribution of this file, with or without
       modification, are permitted in any medium without royalty
       provided the copyright notice and this notice are preserved.

SEE ALSO         top

       The full documentation for gnutls is maintained as a Texinfo
       manual.  If the /usr/share/doc/gnutls/ directory does not contain
       the HTML form visit


COLOPHON         top

       This page is part of the GnuTLS (GnuTLS Transport Layer Security
       Library) project.  Information about the project can be found at
       ⟨http://www.gnutls.org/⟩.  If you have a bug report for this
       manual page, send it to bugs@gnutls.org.  This page was obtained
       from the tarball gnutls-3.7.2.tar.xz fetched from
       ⟨http://www.gnutls.org/download.html⟩ on 2021-08-27.  If you
       discover any rendering problems in this HTML version of the page,
       or you believe there is a better or more up-to-date source for
       the page, or you have corrections or improvements to the
       information in this COLOPHON (which is not part of the original
       manual page), send a mail to man-pages@man7.org

gnutls                            3.7.2               dane_verify_crt(3)