diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 07:33:12 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 07:33:12 +0000 |
| commit | 36082a2fe36ecd800d784ae44c14f1f18c66a7e9 (patch) | |
| tree | 6c68e0c0097987aff85a01dabddd34b862309a7c /doc/functions/gnutls_certificate_verify_peers | |
| parent | Initial commit. (diff) | |
| download | gnutls28-36082a2fe36ecd800d784ae44c14f1f18c66a7e9.tar.xz gnutls28-36082a2fe36ecd800d784ae44c14f1f18c66a7e9.zip | |
Adding upstream version 3.7.9.upstream/3.7.9upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/functions/gnutls_certificate_verify_peers')
| -rw-r--r-- | doc/functions/gnutls_certificate_verify_peers | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/doc/functions/gnutls_certificate_verify_peers b/doc/functions/gnutls_certificate_verify_peers new file mode 100644 index 0000000..a6a9590 --- /dev/null +++ b/doc/functions/gnutls_certificate_verify_peers @@ -0,0 +1,50 @@ + + + + +@deftypefun {int} {gnutls_certificate_verify_peers} (gnutls_session_t @var{session}, gnutls_typed_vdata_st * @var{data}, unsigned int @var{elements}, unsigned int * @var{status}) +@var{session}: is a gnutls session + +@var{data}: an array of typed data + +@var{elements}: the number of data elements + +@var{status}: is the output of the verification + +This function will verify the peer's certificate and store the +the status in the @code{status} variable as a bitwise OR of gnutls_certificate_status_t +values or zero if the certificate is trusted. Note that value in @code{status} is set only when the return value of this function is success (i.e, failure +to trust a certificate does not imply a negative return value). +The default verification flags used by this function can be overridden +using @code{gnutls_certificate_set_verify_flags()} . See the documentation +of @code{gnutls_certificate_verify_peers2()} for details in the verification process. + +This function will take into account the stapled OCSP responses sent by the server, +as well as the following X.509 certificate extensions: Name Constraints, +Key Usage, and Basic Constraints (pathlen). + +The acceptable @code{data} types are @code{GNUTLS_DT_DNS_HOSTNAME} , @code{GNUTLS_DT_RFC822NAME} and @code{GNUTLS_DT_KEY_PURPOSE_OID} . +The former two accept as data a null-terminated hostname or email address, and the latter a null-terminated +object identifier (e.g., @code{GNUTLS_KP_TLS_WWW_SERVER} ). + +If a DNS hostname is provided then this function will compare +the hostname in the certificate against the given. If names do not match the +@code{GNUTLS_CERT_UNEXPECTED_OWNER} status flag will be set. +If a key purpose OID is provided and the end-certificate contains the extended key +usage PKIX extension, it will be required to be have the provided key purpose +or be marked for any purpose, otherwise verification status will have the +@code{GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE} flag set. + +To avoid denial of service attacks some +default upper limits regarding the certificate key size and chain +size are set. To override them use @code{gnutls_certificate_set_verify_limits()} . + +Note that when using raw public-keys verification will not work because there is +no corresponding certificate body belonging to the raw key that can be verified. In that +case this function will return @code{GNUTLS_E_INVALID_REQUEST} . + +@strong{Returns:} @code{GNUTLS_E_SUCCESS} (0) when the validation is performed, or a negative error code otherwise. +A successful error code means that the @code{status} parameter must be checked to obtain the validation status. + +@strong{Since:} 3.3.0 +@end deftypefun |