dane_verify_crt(3)                  gnutls                  dane_verify_crt(3)

NAME
       dane_verify_crt - API function

SYNOPSIS
       #include <gnutls/dane.h>

       int dane_verify_crt(dane_state_t s, const gnutls_datum_t * chain,
                           unsigned chain_size,
                           gnutls_certificate_type_t chain_type,
                           const char * hostname, const char * proto,
                           unsigned int port, unsigned int sflags,
                           unsigned int vflags, unsigned int * verify);

ARGUMENTS
       dane_state_t s
                   A DANE state structure (may be NULL)

       const gnutls_datum_t * chain
                   A certificate chain

       unsigned chain_size
                   The size of the chain

       gnutls_certificate_type_t chain_type
                   The type of the certificate chain

       const char * hostname
                   The hostname associated with the chain

       const char * proto
                   The protocol of the service connecting (e.g. tcp)

       unsigned int port
                   The port of the service connecting (e.g. 443)

       unsigned int sflags
                   Flags for the initialization of s (used if s is NULL)

       unsigned int vflags
                   Verification flags; an OR'ed list of dane_verify_flags_t.

       unsigned int * verify
                   An OR'ed list of dane_verify_status_t.

DESCRIPTION
       This function will verify the given certificate chain against the CA
       constraints and/or the certificate available via DANE. If no
       information via DANE can be obtained, the flag DANE_VERIFY_NO_DANE_INFO
       is set. If a DNSSEC signature is not available for the DANE record,
       the verify flag DANE_VERIFY_NO_DNSSEC_DATA is set.

       Due to the many possible options of DANE, there is no single threat
       model countered. When notifying the user about DANE verification
       results, it may be better to say "DANE verification did not reject the
       certificate" rather than to report a successful DANE verification.

       Note that this function is designed to be run in addition to PKIX
       (certificate chain) verification. To run it independently, specify
       the DANE_VFLAG_ONLY_CHECK_EE_USAGE flag; the function will then check
       whether the key of the peer matches the key advertised in the DANE
       entry.

RETURNS
       A negative error code on error, and DANE_E_SUCCESS (0) when the DANE
       entries were successfully parsed, irrespective of whether they were
       verified (see verify for that information). If no usable entries were
       encountered, DANE_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
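
       The decision a caller has to make from the return value and the verify
       output described above, as an added example (not code from the GnuTLS
       project). The outcome names, interpret_dane_result() and the
       require_dane parameter are hypothetical, and the fallback constant
       values are assumptions used only when <gnutls/dane.h> is not installed.

```c
#include <stdio.h>
#if defined(__has_include)
#  if __has_include(<gnutls/dane.h>)
#    include <gnutls/dane.h>   /* real constants when GnuTLS is installed */
#    define HAVE_DANE_H 1
#  endif
#endif
#ifndef HAVE_DANE_H
/* Assumed fallback values so the logic compiles without the library. */
#  define DANE_E_SUCCESS 0
#  define DANE_E_REQUESTED_DATA_NOT_AVAILABLE (-8)
#  define DANE_VERIFY_NO_DANE_INFO (1 << 2)
#endif

/* Hypothetical policy outcomes for this example (not GnuTLS names). */
typedef enum { OUT_NOT_REJECTED, OUT_NO_DANE, OUT_REJECTED, OUT_ERROR } dane_outcome;

/* ret: value returned by dane_verify_crt(); verify: its *verify output.
 * require_dane (hypothetical): nonzero if policy demands DANE for this peer. */
dane_outcome interpret_dane_result(int ret, unsigned int verify, int require_dane)
{
    if (ret == DANE_E_REQUESTED_DATA_NOT_AVAILABLE)   /* no usable entries */
        return require_dane ? OUT_REJECTED : OUT_NO_DANE;
    if (ret != DANE_E_SUCCESS)
        return OUT_ERROR;          /* lookup or parse error: fail closed */
    /* DANE_E_SUCCESS only means the entries parsed; the verdict is in verify. */
    if (verify == 0)
        return OUT_NOT_REJECTED;   /* report as "did not reject" */
    if (verify == (unsigned int)DANE_VERIFY_NO_DANE_INFO)
        return require_dane ? OUT_REJECTED : OUT_NO_DANE;
    return OUT_REJECTED;           /* any other status bit rejects */
}

int main(void)
{
    /* Constructed (ret, verify) pairs, not captured from a real lookup. */
    static const struct { int ret; unsigned int verify; } s[] = {
        { DANE_E_SUCCESS, 0 },
        { DANE_E_SUCCESS, DANE_VERIFY_NO_DANE_INFO },
        { DANE_E_SUCCESS, 1u << 1 },               /* some other status bit */
        { DANE_E_REQUESTED_DATA_NOT_AVAILABLE, 0 },
        { -2, 0 },                                 /* some other error code */
    };
    static const char *name[] = { "not rejected", "no DANE data", "rejected", "error" };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("ret=%d verify=0x%x -> %s\n", s[i].ret, s[i].verify,
               name[interpret_dane_result(s[i].ret, s[i].verify, 0)]);
    return 0;
}
```

       Pass the function the int returned by dane_verify_crt() and the value
       written through its verify argument; PKIX verification is still
       performed separately unless DANE_VFLAG_ONLY_CHECK_EE_USAGE was used.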

REPORTING BUGS
       Report bugs to <bugs@gnutls.org>.
       Home page: https://www.gnutls.org

COPYRIGHT
       Copyright © 2001- Free Software Foundation, Inc., and others.
       Copying and distribution of this file, with or without modification,
       are permitted in any medium without royalty provided the copyright
       notice and this notice are preserved.

SEE ALSO
       The full documentation for gnutls is maintained as  a  Texinfo  manual.
       If  the /usr/share/doc/gnutls/ directory does not contain the HTML form
       visit

       https://www.gnutls.org/manual/

gnutls                               3.7.3                  dane_verify_crt(3)

Generated by dwww version 1.14 on Mon Feb 3 07:45:17 CET 2025.