1 /* -*- c -*-
2 * Copyright (C) 2012 KU Leuven
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of libdane.
8 * libdane is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
24 #include <gnutls/gnutls.h> /* for gnutls_datum_t */
/**
 * dane_cert_usage_t:
 * @DANE_CERT_USAGE_CA: CA constraint. The certificate/key
 *   presented must have signed the verified key.
 * @DANE_CERT_USAGE_EE: The key or the certificate of the end
 *   entity.
 * @DANE_CERT_USAGE_LOCAL_CA: The remote CA is local and possibly
 *   untrusted by the verifier.
 * @DANE_CERT_USAGE_LOCAL_EE: The remote end-entity key is local
 *   and possibly untrusted by the verifier (not signed by a CA).
 *
 * Enumeration of different certificate usage types. The values are
 * explicit because they presumably mirror the "certificate usage"
 * field of the TLSA record handed back by dane_query_data(); do not
 * renumber them without checking the resolver code.
 */
typedef enum dane_cert_usage_t {
	DANE_CERT_USAGE_CA = 0,
	DANE_CERT_USAGE_EE = 1,
	DANE_CERT_USAGE_LOCAL_CA = 2,
	DANE_CERT_USAGE_LOCAL_EE = 3
} dane_cert_usage_t;
/**
 * dane_cert_type_t:
 * @DANE_CERT_X509: An X.509 certificate.
 * @DANE_CERT_PK: A public key.
 *
 * Enumeration of different certificate types, i.e. what kind of
 * object the TLSA association data describes (a full certificate or
 * only its subject public key).
 */
typedef enum dane_cert_type_t {
	DANE_CERT_X509 = 0,
	DANE_CERT_PK = 1
} dane_cert_type_t;
/**
 * dane_match_type_t:
 * @DANE_MATCH_EXACT: The full content.
 * @DANE_MATCH_SHA2_256: A SHA-256 hash of the content.
 * @DANE_MATCH_SHA2_512: A SHA-512 hash of the content.
 *
 * Enumeration of different content matching types: how the TLSA
 * association data is compared with the certificate or key selected
 * by dane_cert_type_t (verbatim, or via a digest).
 */
typedef enum dane_match_type_t {
	DANE_MATCH_EXACT = 0,
	DANE_MATCH_SHA2_256 = 1,
	DANE_MATCH_SHA2_512 = 2
} dane_match_type_t;
/**
 * dane_query_status_t:
 * @DANE_QUERY_UNKNOWN: There was no query.
 * @DANE_QUERY_DNSSEC_VERIFIED: The query was verified using DNSSEC.
 * @DANE_QUERY_BOGUS: The query has wrong DNSSEC signature.
 * @DANE_QUERY_NO_DNSSEC: The query has no DNSSEC data.
 *
 * Enumeration of the DNSSEC validation states of a TLSA query, as
 * returned by dane_query_status(). Callers should only act on records
 * of a query in the %DANE_QUERY_DNSSEC_VERIFIED state; %DANE_QUERY_BOGUS
 * and %DANE_QUERY_NO_DNSSEC both describe data that was not
 * authenticated. The values are spelled out so that the ABI does not
 * shift if an entry is inserted later.
 */
typedef enum dane_query_status_t {
	DANE_QUERY_UNKNOWN = 0,
	DANE_QUERY_DNSSEC_VERIFIED = 1,
	DANE_QUERY_BOGUS = 2,
	DANE_QUERY_NO_DNSSEC = 3
} dane_query_status_t;
/* Opaque handle for one TLSA lookup. Obtained from dane_query_init()
 * and released with dane_query_deinit(); the struct layout is private
 * to libdane. */
typedef struct dane_query_st *dane_query_t;

/* Creates a query handle and stores it in *q. @flags is presumably an
 * OR of dane_verify_flags_t values (confirm against the .c file).
 * Expected to return DANE_E_SUCCESS or a negative DANE_E_* code. */
int dane_query_init(dane_query_t *q, unsigned int flags);

/* Releases a handle obtained from dane_query_init(). */
void dane_query_deinit(dane_query_t q);

/* Looks up the TLSA records for the service @host/@proto/@port and
 * stores them in @q. Expected to return DANE_E_SUCCESS or a negative
 * DANE_E_* code; the DNSSEC state of the answer is reported separately
 * through dane_query_status(). */
int dane_query_resolve_tlsa(dane_query_t q,
			    const char *host,
			    const char *proto,
			    unsigned int port);

/* Returns the @idx-th TLSA record of a resolved query. @usage, @type
 * and @match presumably receive dane_cert_usage_t, dane_cert_type_t
 * and dane_match_type_t values respectively; @data receives the
 * association data.
 * NOTE(review): ownership of @data->data is not documented in this
 * header; confirm whether it points into @q's storage before freeing. */
int dane_query_data(dane_query_t q,
		    unsigned int idx,
		    unsigned int *usage,
		    unsigned int *type,
		    unsigned int *match,
		    gnutls_datum_t *data);

/* Returns the DNSSEC validation state of the last resolve on @q. */
dane_query_status_t dane_query_status(dane_query_t q);

/* Returns the number of records available via dane_query_data(). */
unsigned int dane_query_entries(dane_query_t q);
/**
 * dane_verify_status_t:
 * @DANE_VERIFY_CA_CONSTRAINS_VIOLATED: The CA constraint was violated.
 * @DANE_VERIFY_CERT_DIFFERS: The certificate obtained via DNS differs.
 * @DANE_VERIFY_NO_DANE_INFO: No DANE data were found in the DNS record.
 * @DANE_VERIFY_DNSSEC_DATA_INVALID: The DNSSEC data are invalid.
 * @DANE_VERIFY_NO_DNSSEC_DATA: The DNS data were not signed using DNSSEC.
 *
 * Enumeration of different verification status flags. Each value is a
 * distinct bit, meant to be OR'ed into the @verify output of
 * dane_verify_crt() and dane_verify_session_crt(). A bitmask of zero
 * is the only value that indicates nothing was flagged; callers should
 * treat any non-zero mask as a failed verification rather than testing
 * for individual bits.
 */
typedef enum dane_verify_status_t {
	DANE_VERIFY_CA_CONSTRAINS_VIOLATED = (1 << 0),
	DANE_VERIFY_CERT_DIFFERS = (1 << 1),
	DANE_VERIFY_NO_DANE_INFO = (1 << 2),
	DANE_VERIFY_DNSSEC_DATA_INVALID = (1 << 3),
	DANE_VERIFY_NO_DNSSEC_DATA = (1 << 4)
} dane_verify_status_t;
/**
 * dane_verify_flags_t:
 * @DANE_F_IGNORE_LOCAL_RESOLVER: Many systems are not DNSSEC-ready.
 *   In that case the local resolver is ignored, and a direct recursive
 *   resolve occurs.
 *
 * Enumeration of different verification flags, passed in the @flags
 * argument of the verification functions. Note that there is no flag
 * to make DNSSEC optional; a record that is not DNSSEC-signed is
 * reported through dane_verify_status_t instead.
 */
typedef enum dane_verify_flags_t {
	DANE_F_IGNORE_LOCAL_RESOLVER = (1 << 0)
} dane_verify_flags_t;
/* Verifies a certificate chain against the TLSA records published for
 * @hostname/@proto/@port.
 *
 * @chain/@chain_size: the certificates to verify, encoded according to
 *   @chain_type (presumably end-entity first, as elsewhere in GnuTLS).
 * @flags: an OR of dane_verify_flags_t values.
 * @verify: output; receives a bitmask of dane_verify_status_t, zero
 *   when nothing was flagged.
 *
 * Expected to return DANE_E_SUCCESS or a negative DANE_E_* code. A
 * caller must check both the return value and *verify: a successful
 * lookup that leaves a non-zero bitmask in *verify is still a failed
 * verification. */
int dane_verify_crt(const gnutls_datum_t *chain,
		    unsigned chain_size,
		    gnutls_certificate_type_t chain_type,
		    const char *hostname,
		    const char *proto,
		    unsigned int port,
		    unsigned int flags,
		    unsigned int *verify);

/* Convenience variant of dane_verify_crt() that presumably takes the
 * peer certificates from @session; @hostname, @proto, @port, @flags and
 * @verify have the same meaning and the same check-both-results rule
 * applies. */
int dane_verify_session_crt(gnutls_session_t session,
			    const char *hostname,
			    const char *proto,
			    unsigned int port,
			    unsigned int flags,
			    unsigned int *verify);

/* Returns a human-readable description of a DANE_E_* code. The string
 * is const and must not be freed by the caller. */
const char *dane_strerror(int error);
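/* Error codes returned by the libdane API; dane_strerror() maps them to
 * text. DANE_E_SUCCESS is zero, every failure is negative. The negative
 * values are parenthesized so the macros expand safely inside larger
 * expressions (e.g. after a unary minus). */
#define DANE_E_SUCCESS 0
#define DANE_E_INITIALIZATION_ERROR (-1)
#define DANE_E_RESOLVING_ERROR (-2)
#define DANE_E_NO_DANE_DATA (-3)
#define DANE_E_RECEIVED_CORRUPT_DATA (-4)
#define DANE_E_INVALID_DNSSEC_SIG (-5)
#define DANE_E_NO_DNSSEC_SIG (-6)
#define DANE_E_MEMORY_ERROR (-7)
#define DANE_E_REQUESTED_DATA_NOT_AVAILABLE (-8)
#define DANE_E_INVALID_REQUEST (-9)
#define DANE_E_PUBKEY_ERROR (-10)
#define DANE_E_NO_CERT (-11)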