manpagez: man pages & more
info gnutls
Home | html | info | man
[ << ] [ < ] [ Up ] [ > ] [ >> ]         [Top] [Contents] [Index] [ ? ]

6.12.2.2 DANE verification

Since the DANE library is not included in GnuTLS it requires programs to be linked against it. This can be achieved with the following commands. 

gcc -o foo foo.c `pkg-config gnutls-dane --cflags --libs`

When a program uses the GNU autoconf system, then the following line or similar can be used to detect the presence of the library. 

PKG_CHECK_MODULES([LIBDANE], [gnutls-dane >= 3.0.0])

AC_SUBST([LIBDANE_CFLAGS])
AC_SUBST([LIBDANE_LIBS])

The high level functionality provided by the DANE library is shown below.

Function: int dane_verify_crt (dane_state_t s, const gnutls_datum_t * chain, unsigned chain_size, gnutls_certificate_type_t chain_type, const char * hostname, const char * proto, unsigned int port, unsigned int sflags, unsigned int vflags, unsigned int * verify)

s: A DANE state structure (may be NULL)

chain: A certificate chain

chain_size: The size of the chain

chain_type: The type of the certificate chain

hostname: The hostname associated with the chain

proto: The protocol of the service connecting (e.g. tcp)

port: The port of the service connecting (e.g. 443)

sflags: Flags for the the initialization of s (if NULL)

vflags: Verification flags; an OR’ed list of dane_verify_flags_t .

verify: An OR’ed list of dane_verify_status_t .

This function will verify the given certificate chain against the CA constrains and/or the certificate available via DANE. If no information via DANE can be obtained the flag DANE_VERIFY_NO_DANE_INFO is set. If a DNSSEC signature is not available for the DANE record then the verify flag DANE_VERIFY_NO_DNSSEC_DATA is set.

Note that the CA constraint only applies for the directly certifying CA and does not account for long CA chains. Moreover this function does not validate the provided chain.

Due to the many possible options of DANE, there is no single threat model countered. When notifying the user about DANE verification results it may be better to mention: DANE verification did not reject the certificate, rather than mentioning a successful DANE verication.

If the q parameter is provided it will be used for caching entries.

Returns: On success, DANE_E_SUCCESS (0) is returned, otherwise a negative error value.

int dane_verify_session_crt (dane_state_t s, gnutls_session_t session, const char * hostname, const char * proto, unsigned int port, unsigned int sflags, unsigned int vflags, unsigned int * verify)
const char * dane_strerror (int error)

Note that the dane_state_t structure that is accepted by both verification functions is optional. It is required when many queries are performed to facilitate caching. The following flags are returned by the verify functions to indicate the status of the verification.

DANE_VERIFY_CA_CONSTRAINTS_VIOLATED

The CA constraints were violated.

DANE_VERIFY_CERT_DIFFERS

The certificate obtained via DNS differs.

DANE_VERIFY_UNKNOWN_DANE_INFO

No known DANE data was found in the DNS record.

Figure 6.2: The DANE verification status flags.

In order to generate a DANE TLSA entry to use in a DNS server you may use danetool (see Invoking danetool).

[ << ] [ < ] [ Up ] [ > ] [ >> ]         [Top] [Contents] [Index] [ ? ]

This document was generated on May 31, 2014 using texi2html 5.0. 

© manpagez.com 2000-2025
Individual documents may contain additional copyright information.