NAME

       ldns_dane_verify, ldns_dane_verify_rr-

SYNOPSIS

       #include <stdint.h>
       #include <stdbool.h>

       #include <ldns/ldns.h>

       ldns_status ldns_dane_verify(ldns_rr_list* tlsas, X509* cert, STACK_OF(X509)* extra_certs,
       X509_STORE* pkix_validation_store);

       ldns_status  ldns_dane_verify_rr(const  ldns_rr*  tlsa_rr,  X509*  cert,   STACK_OF(X509)*
       extra_certs, X509_STORE* pkix_validation_store);

DESCRIPTION

       ldns_dane_verify()  Verify  if  any  of  the given TLSA resource records matches the given
              certificate.

              tlsas: The resource records that specify what and how to match the certificate. One
              must  match  for this function to succeed. With tlsas == NULL or the number of TLSA
              records in tlsas == 0, regular PKIX validation is performed.
              cert: The certificate to match (and validate)
              extra_certs:  Intermediate  certificates  that  might  be  necessary  creating  the
              validation chain.
              pkix_validation_store:  Used  when  the  certificate  usage  is  "CA constraint" or
              "Service Certificate Constraint" to validate the certificate.

              Returns LDNS_STATUS_OK on success, LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when  one
              of     the     TLSA's     matched     but     the     PKIX    validation    failed,
              LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH when none  of  the  TLSA's  matched,  or  other
              ldns_status errors.

       ldns_dane_verify_rr()  Verify  if  the  given  TLSA  resource  record  matches  the  given
              certificate.  Reporting on a TLSA rr mismatch (LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH)
              is  preferred over PKIX failure  (LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE).  So when
              PKIX validation is required by the TLSA Certificate usage, but the TLSA  data  does
              not   match,  LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH  is  returned  whether  the  PKIX
              validated or not.

              tlsa_rr: The resource record that specifies what and how to match the  certificate.
              With tlsa_rr == NULL, regular PKIX validation is performed.
              cert: The certificate to match (and validate)
              extra_certs:  Intermediate  certificates  that  might  be  necessary  creating  the
              validation chain.
              pkix_validation_store: Used when  the  certificate  usage  is  "CA  constraint"  or
              "Service Certificate Constraint" to validate the certificate.

              Returns LDNS_STATUS_OK on success, LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH on TLSA data
              mismatch, LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when TLSA matched,  but  the  PKIX
              validation failed, or other ldns_status errors.

AUTHOR

       The ldns team at NLnet Labs. Which consists out of Jelte Jansen and Miek Gieben.

REPORTING BUGS

       Please    report    bugs    to    ldns-team@nlnetlabs.nl    or    in   our   bugzilla   at
       http://www.nlnetlabs.nl/bugs/index.html

COPYRIGHT

       Copyright (c) 2004 - 2006 NLnet Labs.

       Licensed under the BSD License. There is NO warranty;  not  even  for  MERCHANTABILITY  or
       FITNESS FOR A PARTICULAR PURPOSE.

SEE ALSO

       ldns_dane_create_tlsa_owner,       ldns_dane_cert2rdf,       ldns_dane_select_certificate,
       ldns_dane_create_tlsa_rr.  And perldoc Net::DNS, RFC1034, RFC1035, RFC4033,  RFC4034   and
       RFC4035.

REMARKS

       This  manpage  was  automaticly  generated from the ldns source code by use of Doxygen and
       some perl.

                                           30 May 2006                                    ldns(3)