| dane_verify_crt(3) | gnutls | dane_verify_crt(3) |
dane_verify_crt - API function
#include <gnutls/dane.h>
int dane_verify_crt(dane_state_t s, const gnutls_datum_t * chain, unsigned chain_size, gnutls_certificate_type_t chain_type, const char * hostname, const char * proto, unsigned int port, unsigned int sflags, unsigned int vflags, unsigned int * verify);
This function will verify the given certificate chain against the CA constrains and/or the certificate available via DANE. If no information via DANE can be obtained the flag DANE_VERIFY_NO_DANE_INFO is set. If a DNSSEC signature is not available for the DANE record then the verify flag DANE_VERIFY_NO_DNSSEC_DATA is set.
Due to the many possible options of DANE, there is no single threat model countered. When notifying the user about DANE verification results it may be better to mention: DANE verification did not reject the certificate, rather than mentioning a successful DANE verification.
Note that this function is designed to be run in addition to PKIX - certificate chain - verification. To be run independently the DANE_VFLAG_ONLY_CHECK_EE_USAGE flag should be specified; then the function will check whether the key of the peer matches the key advertised in the DANE entry.
a negative error code on error and DANE_E_SUCCESS (0) when the DANE entries were successfully parsed, irrespective of whether they were verified (see verify for that information). If no usable entries were encountered DANE_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
Report bugs to <bugs@gnutls.org>.
Home page: https://www.gnutls.org
Copyright © 2001-2023 Free Software Foundation, Inc., and
others.
Copying and distribution of this file, with or without modification, are
permitted in any medium without royalty provided the copyright notice and
this notice are preserved.
The full documentation for gnutls is maintained as a Texinfo manual. If the /usr/share/doc/gnutls/ directory does not contain the HTML form visit
| 3.8.3 | gnutls |