.TH ldns 3 "30 May 2006" .SH NAME ldns_dane_verify, ldns_dane_verify_rr\- .SH SYNOPSIS #include .br #include .br .PP #include .PP ldns_status ldns_dane_verify(ldns_rr_list* tlsas, X509* cert, STACK_OF(X509)* extra_certs, X509_STORE* pkix_validation_store); .PP ldns_status ldns_dane_verify_rr(const ldns_rr* tlsa_rr, X509* cert, STACK_OF(X509)* extra_certs, X509_STORE* pkix_validation_store); .PP .SH DESCRIPTION .HP \fIldns_dane_verify\fR() Verify if any of the given \%TLSA resource records matches the given certificate. \.br \fBtlsas\fR: The resource records that specify what and how to match the certificate. One must match for this function to succeed. With tlsas == \%NULL or the number of \%TLSA records in tlsas == 0, regular \%PKIX validation is performed. \.br \fBcert\fR: The certificate to match (and validate) \.br \fBextra_certs\fR: Intermediate certificates that might be necessary creating the validation chain. \.br \fBpkix_validation_store\fR: Used when the certificate usage is "\%CA constraint" or "Service Certificate Constraint" to validate the certificate. \.br Returns \%LDNS_STATUS_OK on success, \%LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when one of the \%TLSA's matched but the \%PKIX validation failed, \%LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH when none of the \%TLSA's matched, or other ldns_status errors. .PP .HP \fIldns_dane_verify_rr\fR() Verify if the given \%TLSA resource record matches the given certificate. Reporting on a \%TLSA rr mismatch (\%LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH) is preferred over \%PKIX failure (\%LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE). So when \%PKIX validation is required by the \%TLSA Certificate usage, but the \%TLSA data does not match, \%LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH is returned whether the \%PKIX validated or not. \.br \fBtlsa_rr\fR: The resource record that specifies what and how to match the certificate. With tlsa_rr == \%NULL, regular \%PKIX validation is performed. \.br \fBcert\fR: The certificate to match (and validate) \.br \fBextra_certs\fR: Intermediate certificates that might be necessary creating the validation chain. \.br \fBpkix_validation_store\fR: Used when the certificate usage is "\%CA constraint" or "Service Certificate Constraint" to validate the certificate. \.br Returns \%LDNS_STATUS_OK on success, \%LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH on \%TLSA data mismatch, \%LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when \%TLSA matched, but the \%PKIX validation failed, or other ldns_status errors. .PP .SH AUTHOR The ldns team at NLnet Labs. Which consists out of Jelte Jansen and Miek Gieben. .SH REPORTING BUGS Please report bugs to ldns-team@nlnetlabs.nl or in our bugzilla at http://www.nlnetlabs.nl/bugs/index.html .SH COPYRIGHT Copyright (c) 2004 - 2006 NLnet Labs. .PP Licensed under the BSD License. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. .SH SEE ALSO \fIldns_dane_create_tlsa_owner\fR, \fIldns_dane_cert2rdf\fR, \fIldns_dane_select_certificate\fR, \fIldns_dane_create_tlsa_rr\fR. And \fBperldoc Net::DNS\fR, \fBRFC1034\fR, \fBRFC1035\fR, \fBRFC4033\fR, \fBRFC4034\fR and \fBRFC4035\fR. .SH REMARKS This manpage was automaticly generated from the ldns source code by use of Doxygen and some perl.