|
HTML rendering created 2024-06-26 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|
|
NAME | SYNOPSIS | ARGUMENTS | DESCRIPTION | RETURNS | REPORTING BUGS | COPYRIGHT | SEE ALSO | COLOPHON |
|
|
|
dane_verify_crt(3) gnutls dane_verify_crt(3)
dane_verify_crt - API function
#include <gnutls/dane.h>
int dane_verify_crt(dane_state_t s, const gnutls_datum_t * chain,
unsigned chain_size, gnutls_certificate_type_t chain_type, const
char * hostname, const char * proto, unsigned int port, unsigned
int sflags, unsigned int vflags, unsigned int * verify);
dane_state_t s
A DANE state structure (may be NULL)
const gnutls_datum_t * chain
A certificate chain
unsigned chain_size
The size of the chain
gnutls_certificate_type_t chain_type
The type of the certificate chain
const char * hostname
The hostname associated with the chain
const char * proto
The protocol of the service connecting (e.g. tcp)
unsigned int port
The port of the service connecting (e.g. 443)
unsigned int sflags
Flags for the initialization of s (if NULL)
unsigned int vflags
Verification flags; an OR'ed list of
dane_verify_flags_t.
unsigned int * verify
An OR'ed list of dane_verify_status_t.
This function will verify the given certificate chain against the
CA constrains and/or the certificate available via DANE. If no
information via DANE can be obtained the flag
DANE_VERIFY_NO_DANE_INFO is set. If a DNSSEC signature is not
available for the DANE record then the verify flag
DANE_VERIFY_NO_DNSSEC_DATA is set.
Due to the many possible options of DANE, there is no single
threat model countered. When notifying the user about DANE
verification results it may be better to mention: DANE
verification did not reject the certificate, rather than
mentioning a successful DANE verification.
Note that this function is designed to be run in addition to PKIX
- certificate chain - verification. To be run independently the
DANE_VFLAG_ONLY_CHECK_EE_USAGE flag should be specified; then the
function will check whether the key of the peer matches the key
advertised in the DANE entry.
a negative error code on error and DANE_E_SUCCESS (0) when the
DANE entries were successfully parsed, irrespective of whether
they were verified (see verify for that information). If no
usable entries were encountered
DANE_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
Report bugs to <bugs@gnutls.org>.
Home page: https://www.gnutls.org
Copyright © 2001-2023 Free Software Foundation, Inc., and others.
Copying and distribution of this file, with or without
modification, are permitted in any medium without royalty
provided the copyright notice and this notice are preserved.
The full documentation for gnutls is maintained as a Texinfo
manual. If the /usr/share/doc/gnutls/ directory does not contain
the HTML form visit
https://www.gnutls.org/manual/
This page is part of the GnuTLS (GnuTLS Transport Layer Security
Library) project. Information about the project can be found at
⟨http://www.gnutls.org/⟩. If you have a bug report for this
manual page, send it to bugs@gnutls.org. This page was obtained
from the tarball gnutls-3.8.5.tar.xz fetched from
⟨http://www.gnutls.org/download.html⟩ on 2024-06-14. If you
discover any rendering problems in this HTML version of the page,
or you believe there is a better or more up-to-date source for
the page, or you have corrections or improvements to the
information in this COLOPHON (which is not part of the original
manual page), send a mail to man-pages@man7.org
gnutls 3.8.5 dane_verify_crt(3)
|
HTML rendering created 2024-06-26 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|