.\" DO NOT MODIFY THIS FILE! It was generated by gdoc.
.TH "dane_verify_crt" 3 "3.6.8" "gnutls" "gnutls"
.SH NAME
dane_verify_crt \- API function
.SH SYNOPSIS
.B #include <gnutls/dane.h>
.sp
.BI "int dane_verify_crt(dane_state_t " s ", const gnutls_datum_t * " chain ", unsigned " chain_size ", gnutls_certificate_type_t " chain_type ", const char * " hostname ", const char * " proto ", unsigned int " port ", unsigned int " sflags ", unsigned int " vflags ", unsigned int * " verify ");"
.SH ARGUMENTS
.IP "dane_state_t s" 12
A DANE state structure (may be NULL)
.IP "const gnutls_datum_t * chain" 12
A certificate chain
.IP "unsigned chain_size" 12
The size of the chain
.IP "gnutls_certificate_type_t chain_type" 12
The type of the certificate chain
.IP "const char * hostname" 12
The hostname associated with the chain
.IP "const char * proto" 12
The protocol of the service connecting (e.g. tcp)
.IP "unsigned int port" 12
The port of the service connecting (e.g. 443)
.IP "unsigned int sflags" 12
Flags for the initialization of \fIs\fP (if NULL)
.IP "unsigned int vflags" 12
Verification flags; an OR'ed list of \fBdane_verify_flags_t\fP.
.IP "unsigned int * verify" 12
An OR'ed list of \fBdane_verify_status_t\fP.
.SH "DESCRIPTION"
This function will verify the given certificate chain against the
CA constraints and/or the certificate available via DANE.
If no information via DANE can be obtained the flag \fBDANE_VERIFY_NO_DANE_INFO\fP
is set. If a DNSSEC signature is not available for the DANE
record then the verify flag \fBDANE_VERIFY_NO_DNSSEC_DATA\fP is set.
.PP
Due to the many possible options of DANE, there is no single threat
model countered. When notifying the user about DANE verification results
it may be better to mention: DANE verification did not reject the certificate,
rather than mentioning a successful DANE verification.
.PP
Note that this function is designed to be run in addition to
PKIX \- certificate chain \- verification. To be run independently
the \fBDANE_VFLAG_ONLY_CHECK_EE_USAGE\fP flag should be specified;
then the function will check whether the key of the peer matches the
key advertised in the DANE entry.
.SH "RETURNS"
A negative error code on error and \fBDANE_E_SUCCESS\fP (0)
when the DANE entries were successfully parsed, irrespective of
whether they were verified (see \fIverify\fP for that information). If
no usable entries were encountered \fBDANE_E_REQUESTED_DATA_NOT_AVAILABLE\fP
will be returned.
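.PP
An added example, not part of the GnuTLS sources or of this generated page: one way to turn the return code and the \fIverify\fP word into a connection decision, so that \fBDANE_E_SUCCESS\fP is never read as "verified".
The ex_* and EX_* names, the policy parameters and the stand-in constant values used when the header is absent are assumptions.

```c
#if __has_include(<gnutls/dane.h>)
#include <gnutls/dane.h>   /* real definitions when libgnutls-dane is installed */
#else
/* Stand-in values (assumption) so the block builds without the library. */
#define DANE_E_SUCCESS 0
#define DANE_E_REQUESTED_DATA_NOT_AVAILABLE (-8)
#endif

/* All ex_* / EX_* names are hypothetical, introduced for this example. */
enum ex_decision {
    EX_REJECT,        /* abort the connection */
    EX_NOT_REJECTED,  /* DANE entries were checked and raised no status bit */
    EX_NO_DANE        /* no usable entries; PKIX alone decided */
};

/*
 * rc       return value of dane_verify_crt()
 * verify   status word written through its verify argument
 * pkix_ok  non-zero if separate PKIX chain verification succeeded
 * ee_only  non-zero if DANE_VFLAG_ONLY_CHECK_EE_USAGE was set in vflags
 * require  non-zero if local policy insists on usable DANE entries
 */
enum ex_decision ex_decide(int rc, unsigned verify, int pkix_ok,
                           int ee_only, int require)
{
    /* Without the EE-usage flag the DANE check only supplements PKIX. */
    if (!ee_only && !pkix_ok)
        return EX_REJECT;
    if (rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE)
        return (require || !pkix_ok) ? EX_REJECT : EX_NO_DANE;
    if (rc < 0)   /* any other error: fail closed */
        return EX_REJECT;
    /* rc == DANE_E_SUCCESS means "parsed", not "verified": the verdict
     * is in verify. This example treats every status bit as fatal. */
    return verify != 0 ? EX_REJECT : EX_NOT_REJECTED;
}

/* User-facing text, following the wording advice in DESCRIPTION. */
const char *ex_message(enum ex_decision d)
{
    switch (d) {
    case EX_NOT_REJECTED:
        return "DANE verification did not reject the certificate";
    case EX_NO_DANE:
        return "No usable DANE entries; PKIX verification only";
    default:
        return "Certificate rejected";
    }
}
```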
.SH "REPORTING BUGS"
Report bugs to <bugs@gnutls.org>.
.br
Home page: https://www.gnutls.org
.SH COPYRIGHT
Copyright \(co 2001-2019 Free Software Foundation, Inc., and others.
.br
Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved.
.SH "SEE ALSO"
The full documentation for
.B gnutls
is maintained as a Texinfo manual.
If the /usr/share/doc/gnutls/
directory does not contain the HTML form visit
.B
.IP https://www.gnutls.org/manual/
.PP