centos man page for ldns_dane_verify_rr

Centos Man Pages All Man Pages Latest Topics Forum Categories

Query: ldns_dane_verify_rr

OS: centos

Section: 3

Format: Original Unix Latex Style Formatted with HTML and a Horizontal Scroll Bar

ldns(3) 						     Library Functions Manual							   ldns(3)


NAME

       ldns_dane_verify, ldns_dane_verify_rr


SYNOPSIS

       #include <stdint.h>
       #include <stdbool.h>

       #include <ldns/ldns.h>

       ldns_status ldns_dane_verify(ldns_rr_list* tlsas, X509* cert, STACK_OF(X509)* extra_certs, X509_STORE* pkix_validation_store);

       ldns_status ldns_dane_verify_rr(const ldns_rr* tlsa_rr, X509* cert, STACK_OF(X509)* extra_certs, X509_STORE* pkix_validation_store);


DESCRIPTION

       ldns_dane_verify() Verify if any of the given TLSA resource records matches the given certificate.

	      tlsas:  The  resource  records that specify what and how to match the certificate. One must match for this function to succeed. With
	      tlsas == NULL or the number of TLSA records in tlsas == 0, regular PKIX validation is performed.
	      cert: The certificate to match (and validate)
	      extra_certs: Intermediate certificates that might be necessary creating the validation chain.
	      pkix_validation_store: Used when the certificate usage is "CA constraint" or "Service Certificate Constraint" to validate  the  cer-
	      tificate.

	      Returns  LDNS_STATUS_OK  on  success,  LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when one of the TLSA's matched but the PKIX validation
	      failed, LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH when none of the TLSA's matched, or other ldns_status errors.

       ldns_dane_verify_rr() Verify if the given TLSA resource record matches  the  given  certificate.   Reporting  on  a  TLSA  rr  mismatch	(-
	      LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH) is preferred over PKIX failure  (LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE).  So when PKIX valida-
	      tion is required by the TLSA Certificate usage, but the TLSA data does not match,  LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH  is  returned
	      whether the PKIX validated or not.

	      tlsa_rr:	The resource record that specifies what and how to match the certificate. With tlsa_rr == NULL, regular PKIX validation is
	      performed.
	      cert: The certificate to match (and validate)
	      extra_certs: Intermediate certificates that might be necessary creating the validation chain.
	      pkix_validation_store: Used when the certificate usage is "CA constraint" or "Service Certificate Constraint" to validate  the  cer-
	      tificate.

	      Returns LDNS_STATUS_OK on success, LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH on TLSA data mismatch, LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE
	      when TLSA matched, but the PKIX validation failed, or other ldns_status errors.


AUTHOR

       The ldns team at NLnet Labs. Which consists out of Jelte Jansen and Miek Gieben.


REPORTING BUGS

       Please report bugs to ldns-team@nlnetlabs.nl or in our bugzilla at http://www.nlnetlabs.nl/bugs/index.html


COPYRIGHT

       Copyright (c) 2004 - 2006 NLnet Labs.

       Licensed under the BSD License. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.


SEE ALSO

       ldns_dane_create_tlsa_owner, ldns_dane_cert2rdf, ldns_dane_select_certificate, ldns_dane_create_tlsa_rr.  And  perldoc  Net::DNS,  RFC1034,
       RFC1035, RFC4033, RFC4034  and RFC4035.


REMARKS

       This manpage was automaticly generated from the ldns source code by use of Doxygen and some perl.

								    30 May 2006 							   ldns(3)
Related Man Pages
ldns_verify_rrsig(3) - debian
ldns_verify(3) - debian
ldns_verify_notime(3) - debian
ldns-dane(1) - centos
ldns_dane_create_tlsa_owner(3) - centos
Similar Topics in the Unix Linux Community
Ubuntu: Bind vulnerability
Need Help _ Unix Script
what is the better way to validate records in a file.
Wanted best way to validate delimited file records
File validation