Provided by: gnutls-doc_3.8.9-2ubuntu3_all bug

NAME
       dane_verify_crt - API function


SYNOPSIS
       #include <gnutls/dane.h>

       int    dane_verify_crt(dane_state_t    s,    const   gnutls_datum_t   *   chain,   unsigned   chain_size,
       gnutls_certificate_type_t chain_type, const char * hostname, const  char  *  proto,  unsigned  int  port,
       unsigned int sflags, unsigned int vflags, unsigned int * verify);


ARGUMENTS
       dane_state_t s
                   A DANE state structure (may be NULL)

       const gnutls_datum_t * chain
                   A certificate chain

       unsigned chain_size
                   The size of the chain

       gnutls_certificate_type_t chain_type
                   The type of the certificate chain

       const char * hostname
                   The hostname associated with the chain

       const char * proto
                   The protocol of the service connecting (e.g. tcp)

       unsigned int port
                   The port of the service connecting (e.g. 443)

       unsigned int sflags
                   Flags for the initialization of  s (if NULL)

       unsigned int vflags
                   Verification flags; an OR'ed list of dane_verify_flags_t.

       unsigned int * verify
                   An OR'ed list of dane_verify_status_t.


DESCRIPTION
       This  function  will  verify the given certificate chain against the CA constrains and/or the certificate
       available via DANE.  If no information via DANE can be obtained the flag DANE_VERIFY_NO_DANE_INFO is set.
       If  a  DNSSEC   signature   is   not   available   for   the   DANE   record   then   the   verify   flag
       DANE_VERIFY_NO_DNSSEC_DATA is set.

       Due  to  the many possible options of DANE, there is no single threat model countered. When notifying the
       user about DANE verification results it may be better to mention: DANE verification did  not  reject  the
       certificate, rather than mentioning a successful DANE verification.

       Note  that this function is designed to be run in addition to PKIX - certificate chain - verification. To
       be run independently the DANE_VFLAG_ONLY_CHECK_EE_USAGE flag should be specified; then the function  will
       check whether the key of the peer matches the key advertised in the DANE entry.


RETURNS
       a  negative  error  code  on error and DANE_E_SUCCESS (0) when the DANE entries were successfully parsed,
       irrespective of whether they were verified (see  verify for that information). If no usable entries  were
       encountered DANE_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.


REPORTING BUGS
       Report bugs to <bugs@gnutls.org>.
       Home page: https://www.gnutls.org


COPYRIGHT
       Copyright © 2001-2023 Free Software Foundation, Inc., and others.
       Copying  and distribution of this file, with or without modification, are permitted in any medium without
       royalty provided the copyright notice and this notice are preserved.


SEE ALSO
       The full documentation for gnutls is maintained as  a  Texinfo  manual.   If  the  /usr/share/doc/gnutls/
       directory does not contain the HTML form visit

       https://www.gnutls.org/manual/

gnutls                                                3.8.9                                   dane_verify_crt(3)