summaryrefslogtreecommitdiffstats
path: root/doc/manpages/dane_verify_crt.3
diff options
context:
space:
mode:
Diffstat (limited to 'doc/manpages/dane_verify_crt.3')
-rw-r--r--doc/manpages/dane_verify_crt.372
1 files changed, 72 insertions, 0 deletions
diff --git a/doc/manpages/dane_verify_crt.3 b/doc/manpages/dane_verify_crt.3
new file mode 100644
index 0000000..91f7521
--- /dev/null
+++ b/doc/manpages/dane_verify_crt.3
@@ -0,0 +1,72 @@
+.\" DO NOT MODIFY THIS FILE! It was generated by gdoc.
+.TH "dane_verify_crt" 3 "3.7.9" "gnutls" "gnutls"
+.SH NAME
+dane_verify_crt \- API function
+.SH SYNOPSIS
+.B #include <gnutls/dane.h>
+.sp
+.BI "int dane_verify_crt(dane_state_t " s ", const gnutls_datum_t * " chain ", unsigned " chain_size ", gnutls_certificate_type_t " chain_type ", const char * " hostname ", const char * " proto ", unsigned int " port ", unsigned int " sflags ", unsigned int " vflags ", unsigned int * " verify ");"
+.SH ARGUMENTS
+.IP "dane_state_t s" 12
+A DANE state structure (may be NULL)
+.IP "const gnutls_datum_t * chain" 12
+A certificate chain
+.IP "unsigned chain_size" 12
+The size of the chain
+.IP "gnutls_certificate_type_t chain_type" 12
+The type of the certificate chain
+.IP "const char * hostname" 12
+The hostname associated with the chain
+.IP "const char * proto" 12
+The protocol of the service connecting (e.g. tcp)
+.IP "unsigned int port" 12
+The port of the service connecting (e.g. 443)
+.IP "unsigned int sflags" 12
+Flags for the initialization of \fIs\fP (if NULL)
+.IP "unsigned int vflags" 12
+Verification flags; an OR'ed list of \fBdane_verify_flags_t\fP.
+.IP "unsigned int * verify" 12
+An OR'ed list of \fBdane_verify_status_t\fP.
+.SH "DESCRIPTION"
+This function will verify the given certificate chain against the
+CA constrains and/or the certificate available via DANE.
+If no information via DANE can be obtained the flag \fBDANE_VERIFY_NO_DANE_INFO\fP
+is set. If a DNSSEC signature is not available for the DANE
+record then the verify flag \fBDANE_VERIFY_NO_DNSSEC_DATA\fP is set.
+
+Due to the many possible options of DANE, there is no single threat
+model countered. When notifying the user about DANE verification results
+it may be better to mention: DANE verification did not reject the certificate,
+rather than mentioning a successful DANE verication.
+
+Note that this function is designed to be run in addition to
+PKIX \- certificate chain \- verification. To be run independently
+the \fBDANE_VFLAG_ONLY_CHECK_EE_USAGE\fP flag should be specified;
+then the function will check whether the key of the peer matches the
+key advertized in the DANE entry.
+.SH "RETURNS"
+a negative error code on error and \fBDANE_E_SUCCESS\fP (0)
+when the DANE entries were successfully parsed, irrespective of
+whether they were verified (see \fIverify\fP for that information). If
+no usable entries were encountered \fBDANE_E_REQUESTED_DATA_NOT_AVAILABLE\fP
+will be returned.
+.SH "REPORTING BUGS"
+Report bugs to <bugs@gnutls.org>.
+.br
+Home page: https://www.gnutls.org
+
+.SH COPYRIGHT
+Copyright \(co 2001- Free Software Foundation, Inc., and others.
+.br
+Copying and distribution of this file, with or without modification,
+are permitted in any medium without royalty provided the copyright
+notice and this notice are preserved.
+.SH "SEE ALSO"
+The full documentation for
+.B gnutls
+is maintained as a Texinfo manual.
+If the /usr/share/doc/gnutls/
+directory does not contain the HTML form visit
+.B
+.IP https://www.gnutls.org/manual/
+.PP
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-22 14:16:28 +0000