2 * Copyright (C) 2012 KU Leuven
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of libdane.
8 * libdane is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
24 #include <gnutls/gnutls.h> /* for gnutls_datum_t */
28 * @DANE_CERT_USAGE_CA: CA constraint. The certificate/key
29 * presented must have signed the verified key.
30 * @DANE_CERT_USAGE_EE: The key or the certificate of the end
32 * @DANE_CERT_USAGE_LOCAL_CA: The remote CA is local and possibly
33 * untrusted by the verifier.
34 * @DANE_CERT_USAGE_LOCAL_EE: The remote end-entity key is local
35 * and possibly untrusted by the verifier (not signed by a CA).
37 * Enumeration of different certificate usage types.
39 typedef enum dane_cert_usage_t
41 DANE_CERT_USAGE_CA
= 0,
42 DANE_CERT_USAGE_EE
= 1,
43 DANE_CERT_USAGE_LOCAL_CA
= 2,
44 DANE_CERT_USAGE_LOCAL_EE
= 3
49 * @DANE_CERT_X509: An X.509 certificate.
50 * @DANE_CERT_PK: A public key.
52 * Enumeration of different certificate types.
54 typedef enum dane_cert_type_t
62 * @DANE_MATCH_EXACT: The full content.
63 * @DANE_MATCH_SHA2_256: A SHA-256 hash of the content.
64 * @DANE_MATCH_SHA2_512: A SHA-512 hash of the content.
66 * Enumeration of different content matching types.
68 typedef enum dane_match_type_t
71 DANE_MATCH_SHA2_256
= 1,
72 DANE_MATCH_SHA2_512
= 2
76 * dane_query_status_t:
77 * @DANE_QUERY_UNKNOWN: There was no query.
78 * @DANE_QUERY_DNSSEC_VERIFIED: The query was verified using DNSSEC.
79 * @DANE_QUERY_BOGUS: The query's DNSSEC signature is invalid (the answer is bogus).
80 * @DANE_QUERY_NO_DNSSEC: The query has no DNSSEC data.
82 * Enumeration of the possible DNSSEC status values of a query.
84 typedef enum dane_query_status_t
86 DANE_QUERY_UNKNOWN
= 0,
87 DANE_QUERY_DNSSEC_VERIFIED
,
90 } dane_query_status_t
;
92 typedef struct dane_query_st
*dane_query_t
;
95 int dane_query_init (dane_query_t
* q
, unsigned int flags
);
96 void dane_query_deinit (dane_query_t q
);
97 int dane_query_resolve_tlsa (dane_query_t q
, const char* host
, const char* proto
, unsigned int port
);
98 int dane_query_data(dane_query_t q
, unsigned int idx
,
99 unsigned int *usage
, unsigned int *type
,
100 unsigned int *match
, gnutls_datum_t
* data
);
101 dane_query_status_t
dane_query_status(dane_query_t q
);
102 unsigned int dane_query_entries(dane_query_t q
);
/**
 * dane_verify_status_t:
 * @DANE_VERIFY_CA_CONSTRAINS_VIOLATED: the CA constraint of the TLSA record
 *   was violated.
 * @DANE_VERIFY_CERT_DIFFERS: the certificate obtained via DNS differs from the
 *   one being verified.
 * @DANE_VERIFY_NO_DANE_INFO: no DANE data were found in the DNS record.
 *
 * Bit flags describing the outcome of dane_verify_crt() and
 * dane_verify_session_crt(); *verify receives their bitwise OR.  Each flag is
 * a distinct bit (1, 1<<1, 1<<2), so several can be set at once, and a value
 * of 0 presumably means nothing was flagged.  Note that
 * DANE_VERIFY_NO_DANE_INFO reports that nothing could be checked, not that the
 * certificate passed; callers must decide per policy whether that is
 * acceptable.
 */
typedef enum dane_verify_status_t
{
  DANE_VERIFY_CA_CONSTRAINS_VIOLATED = 1,
  DANE_VERIFY_CERT_DIFFERS = 1<<1,
  DANE_VERIFY_NO_DANE_INFO = 1<<2,
} dane_verify_status_t;
121 * dane_verify_flags_t:
122 * @DANE_F_REQUIRE_DNSSEC: Require DNSSEC for verification.
123 * @DANE_F_IGNORE_LOCAL_RESOLVER: Many systems' local resolvers are not DNSSEC-ready; with this flag the local resolver is bypassed and a direct recursive resolution is performed instead.
125 * Enumeration of different verification flags.
127 typedef enum dane_verify_flags_t
129 DANE_F_IGNORE_LOCAL_RESOLVER
= 1,
130 } dane_verify_flags_t
;
/**
 * dane_verify_crt:
 * @chain: the certificate chain to verify, as @chain_size datums.
 *   NOTE(review): the ordering and encoding of the entries are not stated in
 *   this header -- confirm.
 * @chain_size: number of entries in @chain
 * @chain_type: the gnutls certificate type of the entries in @chain
 * @hostname: host name whose TLSA record governs the check
 * @proto: transport protocol name
 * @port: service port
 * @flags: presumably a bitwise OR of dane_verify_flags_t values -- confirm
 * @verify: receives a bitwise OR of dane_verify_status_t flags
 *
 * Checks @chain against the TLSA record for @hostname/@proto/@port.
 * NOTE(review): the return code and *@verify are separate results; confirm
 * that a 0 return only means the check completed, so callers must also
 * require *@verify == 0 before trusting the chain.
 *
 * Returns: presumably DANE_E_SUCCESS (0) or a negative DANE_E_* code.
 */
int dane_verify_crt (const gnutls_datum_t *chain, unsigned chain_size,
                     gnutls_certificate_type_t chain_type,
                     const char * hostname, const char* proto, unsigned int port,
                     unsigned int flags, unsigned int *verify);

/**
 * dane_verify_session_crt:
 * @session: a gnutls session; presumably the peer's certificate chain is taken
 *   from it -- confirm
 * @hostname: host name whose TLSA record governs the check
 * @proto: transport protocol name
 * @port: service port
 * @flags: presumably a bitwise OR of dane_verify_flags_t values -- confirm
 * @verify: receives a bitwise OR of dane_verify_status_t flags
 *
 * Session-based variant of dane_verify_crt(); the same caveat applies:
 * inspect *@verify in addition to the return code.
 *
 * Returns: presumably DANE_E_SUCCESS (0) or a negative DANE_E_* code.
 */
int dane_verify_session_crt (gnutls_session_t session,
                             const char * hostname, const char* proto, unsigned int port,
                             unsigned int flags, unsigned int *verify);

/**
 * dane_strerror:
 * @error: a DANE_E_* code
 *
 * Returns: a constant, human-readable description of @error.  The pointer is
 *   const and must not be freed or modified by the caller.
 */
const char * dane_strerror (int error);
/* libdane return codes.  DANE_E_SUCCESS is 0 and every error code is
 * negative, so `ret < 0` catches all failures; dane_strerror() maps a code to
 * a message.  The values are bare negative literals, so parenthesize a use
 * that appears inside a larger expression. */
#define DANE_E_SUCCESS 0
#define DANE_E_INITIALIZATION_ERROR -1
/* DNS side: resolution failed, no TLSA data, or the received data was
 * malformed. */
#define DANE_E_RESOLVING_ERROR -2
#define DANE_E_NO_DANE_DATA -3
#define DANE_E_RECEIVED_CORRUPT_DATA -4
/* DNSSEC side: the answer carried an invalid signature, or none at all.  In
 * both cases the TLSA data could not be authenticated. */
#define DANE_E_INVALID_DNSSEC_SIG -5
#define DANE_E_NO_DNSSEC_SIG -6
/* Local/API-usage errors. */
#define DANE_E_MEMORY_ERROR -7
#define DANE_E_REQUESTED_DATA_NOT_AVAILABLE -8
#define DANE_E_INVALID_REQUEST -9
/* Certificate/key handling errors during verification. */
#define DANE_E_PUBKEY_ERROR -10
#define DANE_E_NO_CERT -11