ldns(3) ldns(3)
NAME
ldns_dane_verify, ldns_dane_verify_rr
SYNOPSIS
#include <stdint.h>
#include <stdbool.h>
#include <ldns/ldns.h>
ldns_status ldns_dane_verify(ldns_rr_list* tlsas, X509* cert,
STACK_OF(X509)* extra_certs, X509_STORE* pkix_validation_store);
ldns_status ldns_dane_verify_rr(const ldns_rr* tlsa_rr, X509* cert,
STACK_OF(X509)* extra_certs, X509_STORE* pkix_validation_store);
DESCRIPTION
ldns_dane_verify() Verifies whether any of the given TLSA resource records
matches the given certificate.
tlsas: The resource records that specify what and how to match
the certificate. One must match for this function to succeed.
With tlsas == NULL or the number of TLSA records in tlsas == 0,
regular PKIX validation is performed.
cert: The certificate to match (and validate)
extra_certs: Intermediate certificates that might be necessary to
build the validation chain.
pkix_validation_store: Used when the certificate usage is "CA
constraint" or "Service Certificate Constraint" to validate the
certificate.
Returns LDNS_STATUS_OK on success,
LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when one of the TLSAs
matched but the PKIX validation failed,
LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH when none of the TLSAs
matched, or other ldns_status errors.
ldns_dane_verify_rr() Verifies whether the given TLSA resource record
matches the given certificate. Reporting a TLSA rr mismatch
(LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH) is preferred over reporting a
PKIX failure (LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE). So when PKIX
validation is required by the TLSA certificate usage, but the
TLSA data does not match, LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH is
returned whether the PKIX validation succeeded or not.
tlsa_rr: The resource record that specifies what and how to
match the certificate. With tlsa_rr == NULL, regular PKIX
validation is performed.
cert: The certificate to match (and validate)
extra_certs: Intermediate certificates that might be necessary to
build the validation chain.
pkix_validation_store: Used when the certificate usage is "CA
constraint" or "Service Certificate Constraint" to validate the
certificate.
Returns LDNS_STATUS_OK on success,
LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH on TLSA data mismatch,
LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when TLSA matched, but
the PKIX validation failed, or other ldns_status errors.
AUTHOR
The ldns team at NLnet Labs, which consists of Jelte Jansen and
Miek Gieben.
REPORTING BUGS
Please report bugs to ldns-team@nlnetlabs.nl or in our bugzilla at
http://www.nlnetlabs.nl/bugs/index.html
COPYRIGHT
Copyright (c) 2004 - 2006 NLnet Labs.
Licensed under the BSD License. There is NO warranty; not even for
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
SEE ALSO
ldns_dane_create_tlsa_owner(3), ldns_dane_cert2rdf(3),
ldns_dane_select_certificate(3), ldns_dane_create_tlsa_rr(3), and
perldoc Net::DNS(3), RFC1034, RFC1035, RFC4033, RFC4034 and RFC4035.
REMARKS
This manpage was automatically generated from the ldns source code by use
of Doxygen and some perl.
30 May 2006 ldns(3)
ldns 1.6.17 - Generated Sun Feb 2 10:14:34 CST 2014
