The following functions are to be used for DANE certificate verification.
Their prototypes lie in gnutls/dane.h. Note that you need to link
with the libgnutls-dane library to use them.
const char * dane_cert_type_name (dane_cert_type_t type) ¶type: is a DANE match type
Convert a dane_cert_type_t value to a string.
Returns: a string that contains the name of the specified
type, or NULL .
const char * dane_cert_usage_name (dane_cert_usage_t usage) ¶usage: is a DANE certificate usage
Convert a dane_cert_usage_t value to a string.
Returns: a string that contains the name of the specified
type, or NULL .
const char * dane_match_type_name (dane_match_type_t type) ¶type: is a DANE match type
Convert a dane_match_type_t value to a string.
Returns: a string that contains the name of the specified
type, or NULL .
int dane_query_data (dane_query_t q, unsigned int idx, unsigned int * usage, unsigned int * type, unsigned int * match, gnutls_datum_t * data) ¶q: The query result structure
idx: The index of the query response.
usage: The certificate usage (see dane_cert_usage_t )
type: The certificate type (see dane_cert_type_t )
match: The DANE matching type (see dane_match_type_t )
data: The DANE data.
This function will provide the DANE data from the query response.
Returns: On success, DANE_E_SUCCESS (0) is returned, otherwise a
negative error value.
void dane_query_deinit (dane_query_t q) ¶q: The structure to be deinitialized
This function will deinitialize a DANE query result structure.
unsigned int dane_query_entries (dane_query_t q) ¶q: The query result structure
This function will return the number of entries in a query.
Returns: The number of entries.
dane_query_status_t dane_query_status (dane_query_t q) ¶q: The query result structure
This function will return the status of the query response.
See dane_query_status_t for the possible types.
Returns: The status type.
int dane_query_tlsa (dane_state_t s, dane_query_t * r, const char * host, const char * proto, unsigned int port) ¶s: The DANE state structure
r: A structure to place the result
host: The host name to resolve.
proto: The protocol type (tcp, udp, etc.)
port: The service port number (eg. 443).
This function will query the DNS server for the TLSA (DANE) data for the given host.
Returns: On success, DANE_E_SUCCESS (0) is returned, otherwise a
negative error value.
int dane_query_to_raw_tlsa (dane_query_t q, unsigned int * data_entries, char *** dane_data, int ** dane_data_len, int * secure, int * bogus) ¶q: The query result structure
data_entries: Pointer set to the number of entries in the query
dane_data: Pointer to contain an array of DNS rdata items, terminated with a NULL pointer;
caller must guarantee that the referenced data remains
valid until dane_query_deinit() is called.
dane_data_len: Pointer to contain the length n bytes of the dane_data items
secure: Pointer set true if the result is validated securely, false if validation failed or the domain queried has no security info
bogus: Pointer set true if the result was not secure due to a security failure
This function will provide the DANE data from the query response.
The pointers dane_data and dane_data_len are allocated with gnutls_malloc()
to contain the data from the query result structure (individual
dane_data items simply point to the original data and are not allocated separately).
The returned dane_data are only valid during the lifetime of q .
Returns: On success, DANE_E_SUCCESS (0) is returned, otherwise a
negative error value.
int dane_raw_tlsa (dane_state_t s, dane_query_t * r, char *const * dane_data, const int * dane_data_len, int secure, int bogus) ¶s: The DANE state structure
r: A structure to place the result
dane_data: array of DNS rdata items, terminated with a NULL pointer;
caller must guarantee that the referenced data remains
valid until dane_query_deinit() is called.
dane_data_len: the length n bytes of the dane_data items
secure: true if the result is validated securely, false if validation failed or the domain queried has no security info
bogus: if the result was not secure (secure = 0) due to a security failure, and the result is due to a security failure, bogus is true.
This function will fill in the TLSA (DANE) structure from
the given raw DNS record data. The dane_data must be valid
during the lifetime of the query.
Returns: On success, DANE_E_SUCCESS (0) is returned, otherwise a
negative error value.
void dane_state_deinit (dane_state_t s) ¶s: The structure to be deinitialized
This function will deinitialize a DANE query structure.
int dane_state_init (dane_state_t * s, unsigned int flags) ¶s: The structure to be initialized
flags: flags from the dane_state_flags enumeration
This function will initialize the backend resolver. It is intended to be used in scenarios where multiple resolvings occur, to optimize against multiple re-initializations.
Returns: On success, DANE_E_SUCCESS (0) is returned, otherwise a
negative error value.
int dane_state_set_dlv_file (dane_state_t s, const char * file) ¶s: The structure to be deinitialized
file: The file holding the DLV keys.
This function will set a file with trusted keys for DLV (DNSSEC Lookaside Validation).
const char * dane_strerror (int error) ¶error: is a DANE error code, a negative error code
This function is similar to strerror. The difference is that it
accepts an error number returned by a gnutls function; In case of
an unknown error a descriptive string is sent instead of NULL .
Error codes are always a negative error code.
Returns: A string explaining the DANE error message.
int dane_verification_status_print (unsigned int status, gnutls_datum_t * out, unsigned int flags) ¶status: The status flags to be printed
out: Newly allocated datum with (0) terminated string.
flags: should be zero
This function will pretty print the status of a verification
process – eg. the one obtained by dane_verify_crt() .
The output out needs to be deallocated using gnutls_free() .
Returns: On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a
negative error value.
int dane_verify_crt (dane_state_t s, const gnutls_datum_t * chain, unsigned chain_size, gnutls_certificate_type_t chain_type, const char * hostname, const char * proto, unsigned int port, unsigned int sflags, unsigned int vflags, unsigned int * verify) ¶s: A DANE state structure (may be NULL)
chain: A certificate chain
chain_size: The size of the chain
chain_type: The type of the certificate chain
hostname: The hostname associated with the chain
proto: The protocol of the service connecting (e.g. tcp)
port: The port of the service connecting (e.g. 443)
sflags: Flags for the initialization of s (if NULL)
vflags: Verification flags; an OR’ed list of dane_verify_flags_t .
verify: An OR’ed list of dane_verify_status_t .
This function will verify the given certificate chain against the
CA constrains and/or the certificate available via DANE.
If no information via DANE can be obtained the flag DANE_VERIFY_NO_DANE_INFO
is set. If a DNSSEC signature is not available for the DANE
record then the verify flag DANE_VERIFY_NO_DNSSEC_DATA is set.
Due to the many possible options of DANE, there is no single threat model countered. When notifying the user about DANE verification results it may be better to mention: DANE verification did not reject the certificate, rather than mentioning a successful DANE verification.
Note that this function is designed to be run in addition to
PKIX - certificate chain - verification. To be run independently
the DANE_VFLAG_ONLY_CHECK_EE_USAGE flag should be specified;
then the function will check whether the key of the peer matches the
key advertised in the DANE entry.
Returns: a negative error code on error and DANE_E_SUCCESS (0)
when the DANE entries were successfully parsed, irrespective of
whether they were verified (see verify for that information). If
no usable entries were encountered DANE_E_REQUESTED_DATA_NOT_AVAILABLE
will be returned.
int dane_verify_crt_raw (dane_state_t s, const gnutls_datum_t * chain, unsigned chain_size, gnutls_certificate_type_t chain_type, dane_query_t r, unsigned int sflags, unsigned int vflags, unsigned int * verify) ¶s: A DANE state structure (may be NULL)
chain: A certificate chain
chain_size: The size of the chain
chain_type: The type of the certificate chain
r: DANE data to check against
sflags: Flags for the initialization of s (if NULL)
vflags: Verification flags; an OR’ed list of dane_verify_flags_t .
verify: An OR’ed list of dane_verify_status_t .
This is the low-level function of dane_verify_crt() . See the
high level function for documentation.
This function does not perform any resolving, it utilizes
cached entries from r .
Returns: a negative error code on error and DANE_E_SUCCESS (0)
when the DANE entries were successfully parsed, irrespective of
whether they were verified (see verify for that information). If
no usable entries were encountered DANE_E_REQUESTED_DATA_NOT_AVAILABLE
will be returned.
int dane_verify_session_crt (dane_state_t s, gnutls_session_t session, const char * hostname, const char * proto, unsigned int port, unsigned int sflags, unsigned int vflags, unsigned int * verify) ¶s: A DANE state structure (may be NULL)
session: A gnutls session
hostname: The hostname associated with the chain
proto: The protocol of the service connecting (e.g. tcp)
port: The port of the service connecting (e.g. 443)
sflags: Flags for the initialization of s (if NULL)
vflags: Verification flags; an OR’ed list of dane_verify_flags_t .
verify: An OR’ed list of dane_verify_status_t .
This function will verify session’s certificate chain against the
CA constrains and/or the certificate available via DANE.
See dane_verify_crt() for more information.
This will not verify the chain for validity; unless the DANE
verification is restricted to end certificates, this must be
be performed separately using gnutls_certificate_verify_peers3() .
Returns: a negative error code on error and DANE_E_SUCCESS (0)
when the DANE entries were successfully parsed, irrespective of
whether they were verified (see verify for that information). If
no usable entries were encountered DANE_E_REQUESTED_DATA_NOT_AVAILABLE
will be returned.