ldns_dane_verify_rr(3) [centos man page]

ldns(3) 						     Library Functions Manual							   ldns(3)

NAME
       ldns_dane_verify, ldns_dane_verify_rr

SYNOPSIS
       #include <stdint.h>
       #include <stdbool.h>

       #include <ldns/ldns.h>

       ldns_status ldns_dane_verify(ldns_rr_list* tlsas, X509* cert, STACK_OF(X509)* extra_certs, X509_STORE* pkix_validation_store);

       ldns_status ldns_dane_verify_rr(const ldns_rr* tlsa_rr, X509* cert, STACK_OF(X509)* extra_certs, X509_STORE* pkix_validation_store);

DESCRIPTION
       ldns_dane_verify()
              Verify whether any of the given TLSA resource records matches the given certificate.

              tlsas: The resource records that specify what and how to match the certificate. One must match for this function to succeed. With tlsas == NULL or the number of TLSA records in tlsas == 0, regular PKIX validation is performed.

              cert: The certificate to match (and validate).

              extra_certs: Intermediate certificates that might be necessary to build the validation chain.

              pkix_validation_store: Used when the certificate usage is "CA constraint" or "Service Certificate Constraint" to validate the certificate.

              Returns LDNS_STATUS_OK on success, LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when one of the TLSAs matched but the PKIX validation failed, LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH when none of the TLSAs matched, or other ldns_status errors.

       ldns_dane_verify_rr()
              Verify whether the given TLSA resource record matches the given certificate. Reporting a TLSA rr mismatch (LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH) is preferred over reporting a PKIX failure (LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE). So when PKIX validation is required by the TLSA Certificate usage, but the TLSA data does not match, LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH is returned whether the PKIX validation succeeded or not.

              tlsa_rr: The resource record that specifies what and how to match the certificate. With tlsa_rr == NULL, regular PKIX validation is performed.

              cert: The certificate to match (and validate).

              extra_certs: Intermediate certificates that might be necessary to build the validation chain.

              pkix_validation_store: Used when the certificate usage is "CA constraint" or "Service Certificate Constraint" to validate the certificate.

              Returns LDNS_STATUS_OK on success, LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH on TLSA data mismatch, LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when the TLSA matched but the PKIX validation failed, or other ldns_status errors.

AUTHOR
       The ldns team at NLnet Labs, which consists of Jelte Jansen and Miek Gieben.

REPORTING BUGS
       Please report bugs to ldns-team@nlnetlabs.nl or in our bugzilla at http://www.nlnetlabs.nl/bugs/index.html

COPYRIGHT
       Copyright (c) 2004 - 2006 NLnet Labs. Licensed under the BSD License. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

SEE ALSO
       ldns_dane_create_tlsa_owner, ldns_dane_cert2rdf, ldns_dane_select_certificate, ldns_dane_create_tlsa_rr. And perldoc Net::DNS, RFC1034, RFC1035, RFC4033, RFC4034 and RFC4035.

REMARKS
       This manpage was automatically generated from the ldns source code by use of Doxygen and some perl.

                                                             30 May 2006                                                      ldns(3)


Net::DNS::RR::TLSA(3)					User Contributed Perl Documentation				     Net::DNS::RR::TLSA(3)

NAME
       Net::DNS::RR::TLSA - DNS TLSA resource record

SYNOPSIS
       use Net::DNS;
       $rr = new Net::DNS::RR('name TLSA usage selector matchingtype certificate');

DESCRIPTION
       The Transport Layer Security Authentication (TLSA) DNS resource record is used to associate a TLS server certificate or public key with the domain name where the record is found, forming a "TLSA certificate association".

       The semantics of how the TLSA RR is interpreted are described in RFC6698.

METHODS
       The available methods are those inherited from the base class augmented by the type-specific methods defined in this package.

       Use of undocumented package features or direct access to internal data structures is discouraged and could result in program termination or other unpredictable behaviour.

   usage
       $usage = $rr->usage;
       $rr->usage( $usage );

       8-bit integer value which specifies the provided association that will be used to match the certificate presented in the TLS handshake.

   selector
       $selector = $rr->selector;
       $rr->selector( $selector );

       8-bit integer value which specifies which part of the TLS certificate presented by the server will be matched against the association data.

   matchingtype
       $matchingtype = $rr->matchingtype;
       $rr->matchingtype( $matchingtype );

       8-bit integer value which specifies how the certificate association is presented.

   cert
       $cert = $rr->cert;
       $rr->cert( $cert );

       Hexadecimal representation of the certificate data.

   certbin
       $certbin = $rr->certbin;
       $rr->certbin( $certbin );

       Binary representation of the certificate data.

COPYRIGHT
       Copyright (c)2012 Willem Toorop, NLnet Labs. All rights reserved.

       This program is free software; you may redistribute it and/or modify it under the same terms as Perl itself.

       Package template (c)2009,2012 O.M.Kolkman and R.W.Franks.

SEE ALSO
       perl, Net::DNS, Net::DNS::RR, RFC6698

perl v5.18.2                                                      2014-01-16                                            Net::DNS::RR::TLSA(3)
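As an added example that is not code from ldns or Net::DNS, the following Python models the decision order the ldns_dane_verify(3) page describes for ldns_dane_verify() and ldns_dane_verify_rr(), and parses TLSA records in the "usage selector matchingtype certificate" presentation form that Net::DNS::RR::TLSA(3) accepts (its cert/certbin distinction is the hex versus binary form of the same data). It does not call ldns: the X509 objects, the chain and the PKIX outcome are constructed stand-ins (a pkix_valid boolean replaces validation against pkix_validation_store), and the usage, selector and matching-type code points are the ones assigned by RFC 6698.

```python
"""Model of the DANE decision logic documented in ldns_dane_verify(3), applied
to TLSA records in the presentation format Net::DNS::RR::TLSA(3) accepts.
Example code, not part of ldns or Net::DNS; certificates and the PKIX
outcome are constructed stand-ins."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Status names taken from the man page; here they are plain strings.
STATUS_OK = "LDNS_STATUS_OK"
STATUS_TLSA_DID_NOT_MATCH = "LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH"
STATUS_PKIX_DID_NOT_VALIDATE = "LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE"

# Usages for which the man page says pkix_validation_store is consulted:
# 0 = CA constraint, 1 = service certificate constraint (RFC 6698).
PKIX_USAGES = (0, 1)


@dataclass(frozen=True)
class Tlsa:
    """One TLSA RR: usage, selector, matching type and association data."""
    usage: int          # 0 CA, 1 service cert, 2 trust anchor, 3 domain-issued
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes         # Net::DNS 'certbin'; 'cert' is its hex rendering

    @classmethod
    def from_presentation(cls, rdata: str) -> "Tlsa":
        """Parse 'usage selector matchingtype certificate' (hex, spaces allowed)."""
        usage, selector, mtype, hexdata = rdata.split(None, 3)
        return cls(int(usage), int(selector), int(mtype),
                   bytes.fromhex("".join(hexdata.split())))

    @property
    def cert(self) -> str:
        return self.data.hex()


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X509: DER bytes and its SubjectPublicKeyInfo."""
    der: bytes
    spki: bytes


def tlsa_matches(tlsa: Tlsa, cert: Cert) -> bool:
    """Apply the selector, then the matching type, and compare with the data."""
    selected = {0: cert.der, 1: cert.spki}[tlsa.selector]
    if tlsa.matching_type == 0:
        digest = selected
    elif tlsa.matching_type == 1:
        digest = hashlib.sha256(selected).digest()
    elif tlsa.matching_type == 2:
        digest = hashlib.sha512(selected).digest()
    else:
        raise ValueError(f"unknown matching type {tlsa.matching_type}")
    return digest == tlsa.data


def dane_verify_rr(tlsa: Optional[Tlsa], cert: Cert,
                   extra_certs: Sequence[Cert], pkix_valid: bool) -> str:
    """Decision order of ldns_dane_verify_rr(); pkix_valid stands in for the
    result of validating against pkix_validation_store (a simplification)."""
    if tlsa is None:                       # no TLSA: plain PKIX validation
        return STATUS_OK if pkix_valid else STATUS_PKIX_DID_NOT_VALIDATE
    # Usages 0 and 2 constrain a CA somewhere in the chain, 1 and 3 the
    # end-entity certificate (simplified from the RFC 6698 usage semantics).
    candidates = [cert, *extra_certs] if tlsa.usage in (0, 2) else [cert]
    if not any(tlsa_matches(tlsa, c) for c in candidates):
        return STATUS_TLSA_DID_NOT_MATCH   # reported even if PKIX also failed
    if tlsa.usage in PKIX_USAGES and not pkix_valid:
        return STATUS_PKIX_DID_NOT_VALIDATE
    return STATUS_OK


def dane_verify(tlsas: Sequence[Tlsa], cert: Cert,
                extra_certs: Sequence[Cert], pkix_valid: bool) -> str:
    """Decision order of ldns_dane_verify(): one record must succeed."""
    if not tlsas:                          # NULL or empty list: plain PKIX
        return STATUS_OK if pkix_valid else STATUS_PKIX_DID_NOT_VALIDATE
    results = [dane_verify_rr(t, cert, extra_certs, pkix_valid) for t in tlsas]
    if STATUS_OK in results:
        return STATUS_OK
    if STATUS_PKIX_DID_NOT_VALIDATE in results:   # something matched, PKIX failed
        return STATUS_PKIX_DID_NOT_VALIDATE
    return STATUS_TLSA_DID_NOT_MATCH


# Constructed sample material (not real certificates).
LEAF = Cert(der=b"constructed leaf certificate DER", spki=b"constructed leaf SPKI")
ISSUER = Cert(der=b"constructed issuer certificate DER", spki=b"constructed issuer SPKI")


def sample_records() -> List[Tlsa]:
    """Four TLSA RRs in presentation form, as Net::DNS::RR::TLSA would take them."""
    leaf_spki = hashlib.sha256(LEAF.spki).hexdigest()
    issuer_der = hashlib.sha512(ISSUER.der).hexdigest()
    return [
        Tlsa.from_presentation(f"3 1 1 {leaf_spki}"),   # domain-issued, SPKI, SHA-256
        Tlsa.from_presentation(f"1 1 1 {leaf_spki}"),   # service cert constraint: needs PKIX
        Tlsa.from_presentation(f"2 0 2 {issuer_der}"),  # trust anchor on the issuer
        Tlsa.from_presentation(f"3 0 1 {leaf_spki}"),   # wrong selector: mismatch
    ]
```

Running dane_verify_rr() over each record from sample_records() with pkix_valid=False shows the precedence rule the man page states: the "3 0 1" record (full-certificate selector against an SPKI hash) yields LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH regardless of the PKIX outcome, the "1 1 1" record matches but yields LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE because that usage consults the store, and the usage 2 and 3 records succeed without PKIX. dane_verify() over the list returns LDNS_STATUS_OK as soon as any record succeeds, and prefers the PKIX failure over the mismatch when one record matched.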