ldns_dane_verify(3) [centos man page]

ldns(3)                        Library Functions Manual                        ldns(3)

NAME
       ldns_dane_verify, ldns_dane_verify_rr

SYNOPSIS
       #include <stdint.h>
       #include <stdbool.h>
       #include <ldns/ldns.h>

       ldns_status ldns_dane_verify(ldns_rr_list* tlsas, X509* cert,
              STACK_OF(X509)* extra_certs, X509_STORE* pkix_validation_store);

       ldns_status ldns_dane_verify_rr(const ldns_rr* tlsa_rr, X509* cert,
              STACK_OF(X509)* extra_certs, X509_STORE* pkix_validation_store);

DESCRIPTION
       ldns_dane_verify()
              Verify whether any of the given TLSA resource records matches the given certificate.

              tlsas: The resource records that specify what and how to match the certificate. One must match for this function to succeed. With tlsas == NULL or the number of TLSA records in tlsas == 0, regular PKIX validation is performed.

              cert: The certificate to match (and validate).

              extra_certs: Intermediate certificates that might be necessary to create the validation chain.

              pkix_validation_store: Used when the certificate usage is "CA constraint" or "Service Certificate Constraint" to validate the certificate.

              Returns LDNS_STATUS_OK on success, LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when one of the TLSAs matched but the PKIX validation failed, LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH when none of the TLSAs matched, or other ldns_status errors.

       ldns_dane_verify_rr()
              Verify whether the given TLSA resource record matches the given certificate.

              Reporting a TLSA rr mismatch (LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH) is preferred over reporting a PKIX failure (LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE). So when PKIX validation is required by the TLSA Certificate Usage but the TLSA data does not match, LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH is returned whether the PKIX validation succeeded or not.

              tlsa_rr: The resource record that specifies what and how to match the certificate. With tlsa_rr == NULL, regular PKIX validation is performed.

              cert: The certificate to match (and validate).

              extra_certs: Intermediate certificates that might be necessary to create the validation chain.

              pkix_validation_store: Used when the certificate usage is "CA constraint" or "Service Certificate Constraint" to validate the certificate.

              Returns LDNS_STATUS_OK on success, LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH on TLSA data mismatch, LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when the TLSA matched but the PKIX validation failed, or other ldns_status errors.

AUTHOR
       The ldns team at NLnet Labs, which consists of Jelte Jansen and Miek Gieben.

REPORTING BUGS
       Please report bugs to ldns-team@nlnetlabs.nl or in our bugzilla at http://www.nlnetlabs.nl/bugs/index.html

COPYRIGHT
       Copyright (c) 2004 - 2006 NLnet Labs. Licensed under the BSD License. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

SEE ALSO
       ldns_dane_create_tlsa_owner, ldns_dane_cert2rdf, ldns_dane_select_certificate, ldns_dane_create_tlsa_rr. And perldoc Net::DNS, RFC1034, RFC1035, RFC4033, RFC4034 and RFC4035.

REMARKS
       This manpage was automatically generated from the ldns source code by use of Doxygen and some perl.

                                  30 May 2006                                  ldns(3)

Check Out this Related Man Page

ldns(3)                        Library Functions Manual                        ldns(3)

NAME
       ldns_dane_create_tlsa_owner, ldns_dane_cert2rdf, ldns_dane_select_certificate, ldns_dane_create_tlsa_rr

SYNOPSIS
       #include <stdint.h>
       #include <stdbool.h>
       #include <ldns/ldns.h>

       ldns_status ldns_dane_create_tlsa_owner(ldns_rdf** tlsa_owner, const ldns_rdf* name,
              uint16_t port, ldns_dane_transport transport);

       ldns_status ldns_dane_cert2rdf(ldns_rdf** rdf, X509* cert, ldns_tlsa_selector selector,
              ldns_tlsa_matching_type matching_type);

       ldns_status ldns_dane_select_certificate(X509** selected_cert, X509* cert,
              STACK_OF(X509)* extra_certs, X509_STORE* pkix_validation_store,
              ldns_tlsa_certificate_usage cert_usage, int index);

       ldns_status ldns_dane_create_tlsa_rr(ldns_rr** tlsa, ldns_tlsa_certificate_usage certificate_usage,
              ldns_tlsa_selector selector, ldns_tlsa_matching_type matching_type, X509* cert);

DESCRIPTION
       ldns_dane_create_tlsa_owner()
              Creates a dname consisting of the given name, prefixed by the service port and type of transport: _port._transport.name

              tlsa_owner: The created dname.

              name: The dname that should be prefixed.

              port: The service port number for which the name should be created.

              transport: The transport for which the name should be created.

              Returns LDNS_STATUS_OK on success or an error code otherwise.

       ldns_dane_cert2rdf()
              Creates an LDNS_RDF_TYPE_HEX type rdf based on the binary data chosen by the selector and encoded using matching_type.

              rdf: The created rdf of type LDNS_RDF_TYPE_HEX.

              cert: The certificate from which the data is selected.

              selector: The full certificate or the public key.

              matching_type: The full data or the SHA256 or SHA512 hash of the selected data.

              Returns LDNS_STATUS_OK on success or an error code otherwise.

       ldns_dane_select_certificate()
              Selects the certificate from cert, extra_certs or the pkix_validation_store based on the value of cert_usage and index.

              selected_cert: The selected cert.

              cert: The certificate to validate (or not).

              extra_certs: Intermediate certificates that might be necessary during validation. May be NULL, except when the certificate usage is "Trust Anchor Assertion", because then the trust anchor has to be provided (otherwise choose "Domain issued certificate"!).

              pkix_validation_store: Used when the certificate usage is "CA constraint" or "Service Certificate Constraint" to validate the certificate and, in case of "CA constraint", select the CA. When pkix_validation_store is NULL, validation is explicitly turned off and the behaviour is then the same as for "Trust anchor assertion" and "Domain issued certificate" respectively.

              cert_usage: Which certificate to use and how to validate.

              index: Used to select the trust anchor when certificate usage is "Trust Anchor Assertion". 0 is the last certificate in the validation chain, 1 the one but last, etc. When index is -1, the last certificate is used, which MUST be self-signed. This can help to make sure that the intended (self-signed) trust anchor is actually present in extra_certs (which is a DANE requirement).

              Returns LDNS_STATUS_OK on success or an error code otherwise.

       ldns_dane_create_tlsa_rr()
              Creates a TLSA resource record from the certificate. No PKIX validation is performed! The given certificate is used as data regardless of the value of certificate_usage.

              tlsa: The created TLSA resource record.

              certificate_usage: The value for the Certificate Usage field.

              selector: The value for the Selector field.

              matching_type: The value for the Matching Type field.

              cert: The certificate whose data will be represented.

              Returns LDNS_STATUS_OK on success or an error code otherwise.
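EXAMPLE
       The following Python model is added here and is not ldns code; it reproduces the rules these two pages describe: the _port._transport.name owner, the selector/matching-type encoding of ldns_dane_cert2rdf, and the result precedence of ldns_dane_verify_rr (data mismatch reported before PKIX failure) and ldns_dane_verify (plain PKIX decides when no TLSA record is given). Certificate bytes are constructed stand-ins, pkix_ok stands for the outcome of validation against pkix_validation_store, and validation to the supplied trust anchor for "Trust Anchor Assertion" is not modelled.

```python
import hashlib

OK = "LDNS_STATUS_OK"
TLSA_DID_NOT_MATCH = "LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH"
PKIX_DID_NOT_VALIDATE = "LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE"

def tlsa_owner(name, port, transport="tcp"):
    """Models ldns_dane_create_tlsa_owner(): _<port>._<transport>.<name>"""
    return f"_{port}._{transport}.{name}"

def cert2rdf(cert, selector, matching_type):
    """Models ldns_dane_cert2rdf(): selector 0 = full DER cert, 1 = SPKI;
    matching type 0 = full data, 1 = SHA-256, 2 = SHA-512. Returns hex."""
    data = cert["der"] if selector == 0 else cert["spki"]
    if matching_type == 1:
        data = hashlib.sha256(data).digest()
    elif matching_type == 2:
        data = hashlib.sha512(data).digest()
    return data.hex()

def dane_verify_rr(tlsa, cert, pkix_ok):
    """Models ldns_dane_verify_rr(); tlsa = (usage, selector, mtype, hexdata).
    A data mismatch is reported before a PKIX failure, and only usages 0
    (CA constraint) and 1 (service cert constraint) need PKIX to pass."""
    usage, selector, mtype, assoc = tlsa
    if cert2rdf(cert, selector, mtype) != assoc.lower():
        return TLSA_DID_NOT_MATCH
    if usage in (0, 1) and not pkix_ok:
        return PKIX_DID_NOT_VALIDATE
    return OK

def dane_verify(tlsas, cert, pkix_ok):
    """Models ldns_dane_verify(): with no TLSA records plain PKIX decides; the
    first matching and validating record wins; matched-but-PKIX-failed beats no match."""
    if not tlsas:
        return OK if pkix_ok else PKIX_DID_NOT_VALIDATE
    result = TLSA_DID_NOT_MATCH
    for tlsa in tlsas:
        status = dane_verify_rr(tlsa, cert, pkix_ok)
        if status == OK:
            return OK
        if status == PKIX_DID_NOT_VALIDATE:
            result = status
    return result

# Constructed stand-in for a server certificate (not real DER/SPKI bytes).
CERT = {"der": b"constructed DER certificate bytes",
        "spki": b"constructed SubjectPublicKeyInfo bytes"}
TLSA_EE = (3, 1, 1, cert2rdf(CERT, 1, 1))   # DANE-EE, SPKI, SHA-256
TLSA_SVC = (1, 0, 1, cert2rdf(CERT, 0, 1))  # service cert constraint, full cert, SHA-256
```

       dane_verify([TLSA_SVC, TLSA_EE], CERT, pkix_ok=False) returns LDNS_STATUS_OK because the DANE-EE record matches without PKIX, even though the service-constraint record matched and failed PKIX.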
AUTHOR
       The ldns team at NLnet Labs, which consists of Jelte Jansen and Miek Gieben.

REPORTING BUGS
       Please report bugs to ldns-team@nlnetlabs.nl or in our bugzilla at http://www.nlnetlabs.nl/bugs/index.html

COPYRIGHT
       Copyright (c) 2004 - 2006 NLnet Labs. Licensed under the BSD License. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

SEE ALSO
       ldns_dane_verify, ldns_dane_verify_rr. And perldoc Net::DNS, RFC1034, RFC1035, RFC4033, RFC4034 and RFC4035.

REMARKS
       This manpage was automatically generated from the ldns source code by use of Doxygen and some perl.

                                  30 May 2006                                  ldns(3)