Functions

ldns_status ldns_dane_create_tlsa_owner (ldns_rdf **tlsa_owner, const ldns_rdf *name, uint16_t port, ldns_dane_transport transport)
    Creates a dname consisting of the given name, prefixed by the service port and type of transport: _port._transport.name.

ldns_status ldns_dane_cert2rdf (ldns_rdf **rdf, X509 *cert, ldns_tlsa_selector selector, ldns_tlsa_matching_type matching_type)
    Creates a LDNS_RDF_TYPE_HEX type rdf based on the binary data chosen by the selector and encoded using matching_type.

ldns_status ldns_dane_select_certificate (X509 **selected_cert, X509 *cert, STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store, ldns_tlsa_certificate_usage cert_usage, int offset)
    Selects the certificate from cert, extra_certs or the pkix_validation_store based on the value of cert_usage and index.

ldns_status ldns_dane_create_tlsa_rr (ldns_rr **tlsa, ldns_tlsa_certificate_usage certificate_usage, ldns_tlsa_selector selector, ldns_tlsa_matching_type matching_type, X509 *cert)
    Creates a TLSA resource record from the certificate.
Variables

const long NoOpenSSLv2 = 0L
const long NoOpenSSLv3 = 0L
const long NoOpenTLSv1 = 0L
const long NoOpenDTLSv1 = 0L
const long NoOpenSSLCompression = 0L
ldns_status ldns_dane_create_tlsa_owner (ldns_rdf **tlsa_owner, const ldns_rdf *name, uint16_t port, ldns_dane_transport transport)

Creates a dname consisting of the given name, prefixed by the service port and type of transport: _port._transport.name.

    [out] tlsa_owner   The created dname.
    [in]  name         The dname that should be prefixed.
    [in]  port         The service port number for which the name should be created.
    [in]  transport    The transport for which the name should be created.

Definition at line 90 of file dane.c.

References LDNS_DANE_TRANSPORT_SCTP, LDNS_DANE_TRANSPORT_TCP, LDNS_DANE_TRANSPORT_UDP, LDNS_MAX_DOMAINLEN, ldns_rdf_data(), ldns_rdf_get_type(), ldns_rdf_new_frm_data(), ldns_rdf_size(), LDNS_RDF_TYPE_DNAME, LDNS_STATUS_DANE_UNKNOWN_TRANSPORT, LDNS_STATUS_DOMAINNAME_OVERFLOW, LDNS_STATUS_MEM_ERR, and LDNS_STATUS_OK.
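The function above needs libldns and OpenSSL to build, so the following added example (not ldns code, not part of this page's project) mirrors its logic in plain Python: it maps the transport enum to a `_tcp`/`_udp`/`_sctp` label, builds `_port._transport.name`, and applies the same checks the ldns function reports through its status codes, an unknown transport and a wire-format name longer than 255 bytes (the value of LDNS_MAX_DOMAINLEN in ldns). The class and function names are assumptions chosen for the example; the 255-byte limit and the per-label 63-byte limit are the DNS wire-format limits from RFC 1035.

```python
"""Build the TLSA owner name _port._transport.name (added example, not ldns code)."""
import enum


class DaneTransport(enum.Enum):
    """Stand-in for ldns_dane_transport; the value is the DNS label used."""
    TCP = "_tcp"
    UDP = "_udp"
    SCTP = "_sctp"


# Assumption: same limits ldns enforces (LDNS_MAX_DOMAINLEN is 255 in ldns).
MAX_DOMAINLEN = 255
MAX_LABELLEN = 63


class DaneError(ValueError):
    """Stand-in for a non-OK ldns_status; the message names the ldns status."""


def dname_to_wire(name: str) -> bytes:
    """Encode a presentation-format name as DNS wire format (length-prefixed labels + root)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            raise DaneError("LDNS_STATUS_DOMAINNAME_OVERFLOW: empty label")
        raw = label.encode("ascii")
        if len(raw) > MAX_LABELLEN:
            raise DaneError("LDNS_STATUS_DOMAINNAME_OVERFLOW: label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name


def create_tlsa_owner(name: str, port: int, transport: DaneTransport) -> str:
    """Return the fully qualified owner name _port._transport.name."""
    if not 0 <= port <= 0xFFFF:
        raise DaneError("port must fit in uint16_t")
    if not isinstance(transport, DaneTransport):
        # ldns returns LDNS_STATUS_DANE_UNKNOWN_TRANSPORT for any other enum value
        raise DaneError("LDNS_STATUS_DANE_UNKNOWN_TRANSPORT")
    owner = f"_{port}.{transport.value}.{name.rstrip('.')}."
    # The prefix can push a long but valid name past the wire-format maximum,
    # which is exactly the case ldns reports as LDNS_STATUS_DOMAINNAME_OVERFLOW.
    if len(dname_to_wire(owner)) > MAX_DOMAINLEN:
        raise DaneError("LDNS_STATUS_DOMAINNAME_OVERFLOW: owner name exceeds 255 octets")
    return owner


if __name__ == "__main__":
    print(create_tlsa_owner("example.com", 443, DaneTransport.TCP))
```

The length check is done on the wire form rather than the string because the limit ldns enforces is on the encoded name; a name that is comfortably short in presentation form can still overflow once the two prefix labels are added.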
ldns_status ldns_dane_cert2rdf (ldns_rdf **rdf, X509 *cert, ldns_tlsa_selector selector, ldns_tlsa_matching_type matching_type)

Creates a LDNS_RDF_TYPE_HEX type rdf based on the binary data chosen by the selector and encoded using matching_type.

    [out] rdf             The created rdf of type LDNS_RDF_TYPE_HEX.
    [in]  cert            The certificate from which the data is selected.
    [in]  selector        The full certificate or the public key.
    [in]  matching_type   The full data or the SHA256 or SHA512 hash of the selected data.

Definition at line 134 of file dane.c.

References LDNS_FREE, ldns_rdf_new(), LDNS_RDF_TYPE_HEX, ldns_sha256(), LDNS_SHA256_DIGEST_LENGTH, ldns_sha512(), LDNS_SHA512_DIGEST_LENGTH, LDNS_STATUS_DANE_UNKNOWN_MATCHING_TYPE, LDNS_STATUS_DANE_UNKNOWN_SELECTOR, LDNS_STATUS_MEM_ERR, LDNS_STATUS_OK, LDNS_STATUS_SSL_ERR, LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED, LDNS_TLSA_MATCHING_TYPE_SHA256, LDNS_TLSA_MATCHING_TYPE_SHA512, LDNS_TLSA_SELECTOR_FULL_CERTIFICATE, LDNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO, and LDNS_XMALLOC.
ldns_status ldns_dane_select_certificate (X509 **selected_cert, X509 *cert, STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store, ldns_tlsa_certificate_usage cert_usage, int index)

Selects the certificate from cert, extra_certs or the pkix_validation_store based on the value of cert_usage and index.

    [out] selected_cert           The selected cert.
    [in]  cert                    The certificate to validate (or not).
    [in]  extra_certs             Intermediate certificates that might be necessary during validation. May be NULL, except when the certificate usage is "Trust Anchor Assertion", because the trust anchor has to be provided (otherwise choose "Domain issued certificate").
    [in]  pkix_validation_store   Used when the certificate usage is "CA constraint" or "Service Certificate Constraint" to validate the certificate and, in case of "CA constraint", select the CA. When pkix_validation_store is NULL, validation is explicitly turned off and the behaviour is then the same as for "Trust anchor assertion" and "Domain issued certificate" respectively.
    [in]  cert_usage              Which certificate to use and how to validate.
    [in]  index                   Used to select the trust anchor when certificate usage is "Trust Anchor Assertion". 0 is the last certificate in the validation chain, 1 the one before it, etc. When index is -1, the last certificate is used and it MUST be self-signed. This can help to make sure that the intended (self-signed) trust anchor is actually present in extra_certs (which is a DANE requirement).

Definition at line 405 of file dane.c.

References LDNS_STATUS_DANE_UNKNOWN_CERTIFICATE_USAGE, LDNS_STATUS_OK, LDNS_TLSA_USAGE_CA_CONSTRAINT, LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE, LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT, and LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION.
ldns_status ldns_dane_create_tlsa_rr (ldns_rr **tlsa, ldns_tlsa_certificate_usage certificate_usage, ldns_tlsa_selector selector, ldns_tlsa_matching_type matching_type, X509 *cert)

Creates a TLSA resource record from the certificate.

No PKIX validation is performed! The given certificate is used as data regardless of the value of certificate_usage.

    [out] tlsa                The created TLSA resource record.
    [in]  certificate_usage   The value for the Certificate Usage field.
    [in]  selector            The value for the Selector field.
    [in]  matching_type       The value for the Matching Type field.
    [in]  cert                The certificate whose data will be represented.

Definition at line 511 of file dane.c.

References ldns_dane_cert2rdf(), ldns_native2rdf_int8(), LDNS_RDF_TYPE_INT8, ldns_rr_free(), ldns_rr_new_frm_type(), ldns_rr_set_rdf(), LDNS_RR_TYPE_TLSA, LDNS_STATUS_MEM_ERR, and LDNS_STATUS_OK.
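The two functions ldns_dane_cert2rdf and ldns_dane_create_tlsa_rr share one data path: pick the certificate bytes named by the selector, reduce them as the matching type says, and prepend the three one-octet fields. The added example below (Python, not ldns code and not part of this page's project, chosen because the ldns functions need libldns and OpenSSL to link) implements that path for both functions and goes one step beyond the page by also matching a presented certificate against an existing record, which is the check a DANE-aware client does with the result. The certificate is a constructed stand-in holding DER and SubjectPublicKeyInfo bytes (an X509 would provide these via OpenSSL); the enum values follow the TLSA field codes from RFC 6698, and the function and class names are assumptions for the example. As the page notes for ldns_dane_create_tlsa_rr, no PKIX validation is done here either; the usage value is written into the record as given.

```python
"""TLSA RDATA construction and matching (added example, not ldns code)."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import IntEnum


class TlsaUsage(IntEnum):             # Certificate Usage field (RFC 6698)
    CA_CONSTRAINT = 0
    SERVICE_CERTIFICATE_CONSTRAINT = 1
    TRUST_ANCHOR_ASSERTION = 2
    DOMAIN_ISSUED_CERTIFICATE = 3


class TlsaSelector(IntEnum):          # Selector field
    FULL_CERTIFICATE = 0
    SUBJECTPUBLICKEYINFO = 1


class TlsaMatchingType(IntEnum):      # Matching Type field
    NO_HASH_USED = 0
    SHA256 = 1
    SHA512 = 2


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X509: the two byte strings a selector can pick."""
    der: bytes        # whole certificate, DER encoded
    spki_der: bytes   # SubjectPublicKeyInfo, DER encoded


def cert2rdf(cert: Cert, selector: TlsaSelector, matching_type: TlsaMatchingType) -> bytes:
    """Certificate Association Data: selected bytes, encoded per matching_type."""
    if selector == TlsaSelector.FULL_CERTIFICATE:
        data = cert.der
    elif selector == TlsaSelector.SUBJECTPUBLICKEYINFO:
        data = cert.spki_der
    else:
        raise ValueError("LDNS_STATUS_DANE_UNKNOWN_SELECTOR")
    if matching_type == TlsaMatchingType.NO_HASH_USED:
        return data
    if matching_type == TlsaMatchingType.SHA256:
        return hashlib.sha256(data).digest()
    if matching_type == TlsaMatchingType.SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError("LDNS_STATUS_DANE_UNKNOWN_MATCHING_TYPE")


def create_tlsa_rr(owner: str, usage: TlsaUsage, selector: TlsaSelector,
                   matching_type: TlsaMatchingType, cert: Cert):
    """Return (wire RDATA, presentation-format record). No PKIX validation is done."""
    assoc = cert2rdf(cert, selector, matching_type)
    rdata = bytes([int(usage), int(selector), int(matching_type)]) + assoc
    text = f"{owner} IN TLSA {int(usage)} {int(selector)} {int(matching_type)} {assoc.hex()}"
    return rdata, text


def tlsa_matches(rdata: bytes, presented: Cert) -> bool:
    """Does the presented certificate satisfy the association data in rdata?

    Only the selector/matching-type comparison is done here; the usage field
    decides which chain element to compare and whether PKIX validation is
    required, which is the job of ldns_dane_select_certificate on the page.
    """
    if len(rdata) < 3:
        return False
    selector = TlsaSelector(rdata[1])          # ValueError on unknown code
    matching_type = TlsaMatchingType(rdata[2])
    expected = cert2rdf(presented, selector, matching_type)
    return hmac.compare_digest(expected, rdata[3:])


# Constructed sample input: not a real certificate, just bytes in the right slots.
SAMPLE_CERT = Cert(der=b"constructed-DER-certificate-bytes",
                   spki_der=b"constructed-SubjectPublicKeyInfo-bytes")

if __name__ == "__main__":
    _, record = create_tlsa_rr("_443._tcp.example.com.", TlsaUsage.DOMAIN_ISSUED_CERTIFICATE,
                               TlsaSelector.SUBJECTPUBLICKEYINFO, TlsaMatchingType.SHA256,
                               SAMPLE_CERT)
    print(record)
```

The comparison in `tlsa_matches` uses `hmac.compare_digest` so that the check does not leak how many leading bytes of the digest agreed; for a published hash this is mostly hygiene, but it costs nothing and keeps the matching code safe to reuse where the reference value is not public.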