ldns_dane_verify_rr(3) [centos man page]
ldns(3) Library Functions Manual ldns(3) NAME
ldns_dane_verify, ldns_dane_verify_rr SYNOPSIS
#include <stdint.h> #include <stdbool.h> #include <ldns/ldns.h> ldns_status ldns_dane_verify(ldns_rr_list* tlsas, X509* cert, STACK_OF(X509)* extra_certs, X509_STORE* pkix_validation_store); ldns_status ldns_dane_verify_rr(const ldns_rr* tlsa_rr, X509* cert, STACK_OF(X509)* extra_certs, X509_STORE* pkix_validation_store); DESCRIPTION
ldns_dane_verify() Verify if any of the given TLSA resource records matches the given certificate. tlsas: The resource records that specify what and how to match the certificate. One must match for this function to succeed. With tlsas == NULL or the number of TLSA records in tlsas == 0, regular PKIX validation is performed. cert: The certificate to match (and validate) extra_certs: Intermediate certificates that might be necessary creating the validation chain. pkix_validation_store: Used when the certificate usage is "CA constraint" or "Service Certificate Constraint" to validate the cer- tificate. Returns LDNS_STATUS_OK on success, LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when one of the TLSA's matched but the PKIX validation failed, LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH when none of the TLSA's matched, or other ldns_status errors. ldns_dane_verify_rr() Verify if the given TLSA resource record matches the given certificate. Reporting on a TLSA rr mismatch (- LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH) is preferred over PKIX failure (LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE). So when PKIX valida- tion is required by the TLSA Certificate usage, but the TLSA data does not match, LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH is returned whether the PKIX validated or not. tlsa_rr: The resource record that specifies what and how to match the certificate. With tlsa_rr == NULL, regular PKIX validation is performed. cert: The certificate to match (and validate) extra_certs: Intermediate certificates that might be necessary creating the validation chain. pkix_validation_store: Used when the certificate usage is "CA constraint" or "Service Certificate Constraint" to validate the cer- tificate. Returns LDNS_STATUS_OK on success, LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH on TLSA data mismatch, LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when TLSA matched, but the PKIX validation failed, or other ldns_status errors. AUTHOR
The ldns team at NLnet Labs. Which consists out of Jelte Jansen and Miek Gieben. REPORTING BUGS
Please report bugs to ldns-team@nlnetlabs.nl or in our bugzilla at http://www.nlnetlabs.nl/bugs/index.html COPYRIGHT
Copyright (c) 2004 - 2006 NLnet Labs. Licensed under the BSD License. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. SEE ALSO
ldns_dane_create_tlsa_owner, ldns_dane_cert2rdf, ldns_dane_select_certificate, ldns_dane_create_tlsa_rr. And perldoc Net::DNS, RFC1034, RFC1035, RFC4033, RFC4034 and RFC4035. REMARKS
This manpage was automaticly generated from the ldns source code by use of Doxygen and some perl. 30 May 2006 ldns(3)
Check Out this Related Man Page
ldns(3) Library Functions Manual ldns(3) NAME
ldns_verify, ldns_verify_rrsig, ldns_verify_rrsig_keylist, ldns_verify_rrsig_keylist_notime, ldns_verify_notime- SYNOPSIS
#include <stdint.h> #include <stdbool.h> #include <ldns/ldns.h> ldns_status ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys); ldns_status ldns_verify_rrsig(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key); ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset, ldns_rr *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys); ldns_status ldns_verify_rrsig_keylist_notime(ldns_rr_list *rrset, ldns_rr *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys); ldns_status ldns_verify_notime(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys); DESCRIPTION
ldns_verify() Verifies a list of signatures for one rrset. rrset: the rrset to verify rrsig: a list of signatures to check keys: a list of keys to check with good_keys: if this is a (initialized) list, the pointer to keys from keys that validate one of the signatures are added to it Returns status LDNS_STATUS_OK if there is at least one correct key ldns_verify_rrsig() verify an rrsig with 1 key rrset: the rrset rrsig: the rrsig to verify key: the key to use Returns status message wether verification succeeded. ldns_verify_rrsig_keylist() Verifies an rrsig. All keys in the keyset are tried. rrset: the rrset to check rrsig: the signature of the rrset keys: the keys to try good_keys: if this is a (initialized) list, the pointer to keys from keys that validate one of the signatures are added to it Returns a list of keys which validate the rrsig + rrset. Returns status LDNS_STATUS_OK if at least one key matched. Else an error. ldns_verify_rrsig_keylist_notime() Verifies an rrsig. All keys in the keyset are tried. Time is not checked. rrset: the rrset to check rrsig: the signature of the rrset keys: the keys to try good_keys: if this is a (initialized) list, the pointer to keys from keys that validate one of the signatures are added to it Returns a list of keys which validate the rrsig + rrset. Returns status LDNS_STATUS_OK if at least one key matched. Else an error. ldns_verify_notime() Verifies a list of signatures for one rrset, but disregard the time. Inception and Expiration are not checked. rrset: the rrset to verify rrsig: a list of signatures to check keys: a list of keys to check with good_keys: if this is a (initialized) list, the pointer to keys from keys that validate one of the signatures are added to it Returns status LDNS_STATUS_OK if there is at least one correct key AUTHOR
The ldns team at NLnet Labs. Which consists out of Jelte Jansen and Miek Gieben. REPORTING BUGS
Please report bugs to ldns-team@nlnetlabs.nl or in our bugzilla at http://www.nlnetlabs.nl/bugs/index.html COPYRIGHT
Copyright (c) 2004 - 2006 NLnet Labs. Licensed under the BSD License. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. SEE ALSO
ldns_verify_rrsig_evp. And perldoc Net::DNS, RFC1034, RFC1035, RFC4033, RFC4034 and RFC4035. REMARKS
This manpage was automaticly generated from the ldns source code by use of Doxygen and some perl. 30 May 2006 ldns(3)