dane_verify_crt_raw − API function


, const gnutls_datum_t * int
dane_verify_crt_raw(dane_state_t s

dane_state_t s
            A DANE state structure (may be NULL)

const gnutls_datum_t * chain
            A certificate chain

unsigned chain_size
            The size of the chain

gnutls_certificate_type_t chain_type
            The type of the certificate chain

dane_query_t r
            DANE data to check against

unsigned int sflags
            Flags for the the initialization of  s (if NULL)

unsigned int vflags
            Verification flags; an OR’ed list of

unsigned int * verify
            An OR’ed list of dane_verify_status_t.

This function will verify the given certificate chain
against the CA constrains and/or the certificate available
via DANE.  If no information via DANE can be obtained the
flag DANE_VERIFY_NO_DANE_INFO is set. If a DNSSEC signature
is not available for the DANE record then the verify flag

Due to the many possible options of DANE, there is no single
threat model countered. When notifying the user about DANE
verification results it may be better to mention: DANE
verification did not reject the certificate, rather than
mentioning a successful DANE verication.

Note that this function is designed to be run in addition to
PKIX − certificate chain − verification. To be run
independently the DANE_VFLAG_ONLY_CHECK_EE_USAGE flag should
be specified; then the function will check whether the key
of the peer matches the key advertized in the DANE entry.

If the  q parameter is provided it will be used for caching



On success, DANE_E_SUCCESS (0) is returned, otherwise a
negative error value.

Report bugs to <bugs@gnutls.org>.
Home page: http://www.gnutls.org

Copyright © 2001‐2016 Free Software Foundation, Inc., and
Copying and distribution of this file, with or without
modification, are permitted in any medium without royalty
provided the copyright notice and this notice are preserved.

The full documentation for gnutls is maintained as a Texinfo
manual.  If the /usr/share/doc/gnutls/ directory does not
contain the HTML form visit