dane.h
Go to the documentation of this file.
1 /*
2  * dane.h -- defines for the DNS-Based Authentication of Named Entities (DANE)
3  * Transport Layer Security (TLS) Protocol: TLSA
4  *
5  * Copyright (c) 2012, NLnet Labs. All rights reserved.
6  *
7  * See LICENSE for the license.
8  *
9  */
10 
23 #ifndef LDNS_DANE_H
24 #define LDNS_DANE_H
25 
26 #include <ldns/common.h>
27 #include <ldns/rdata.h>
28 #include <ldns/rr.h>
29 #if LDNS_BUILD_CONFIG_HAVE_SSL
30 #include <openssl/ssl.h>
31 #include <openssl/err.h>
32 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
33 
34 #ifdef __cplusplus
35 extern "C" {
36 #endif
37 
42 {
57 };
59 
64 {
71 
78 
81 };
83 
88 {
100 };
102 
107 {
114 };
116 
117 
118 #if LDNS_BUILD_CONFIG_USE_DANE
119 
130  const ldns_rdf* name, uint16_t port,
131  ldns_dane_transport transport);
132 
133 
134 #if LDNS_BUILD_CONFIG_HAVE_SSL
135 
146 ldns_status ldns_dane_cert2rdf(ldns_rdf** rdf, X509* cert,
147  ldns_tlsa_selector selector,
148  ldns_tlsa_matching_type matching_type);
149 
150 
179 ldns_status ldns_dane_select_certificate(X509** selected_cert,
180  X509* cert, STACK_OF(X509)* extra_certs,
181  X509_STORE* pkix_validation_store,
182  ldns_tlsa_certificate_usage cert_usage, int index);
183 
198  ldns_tlsa_certificate_usage certificate_usage,
199  ldns_tlsa_selector selector,
200  ldns_tlsa_matching_type matching_type,
201  X509* cert);
202 
243  X509* cert, STACK_OF(X509)* extra_certs,
244  X509_STORE* pkix_validation_store);
245 
280  X509* cert, STACK_OF(X509)* extra_certs,
281  X509_STORE* pkix_validation_store);
282 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
283 #endif /* LDNS_BUILD_CONFIG_USE_DANE */
284 
285 #ifdef __cplusplus
286 }
287 #endif
288 
289 #endif /* LDNS_DANE_H */
290 
@ LDNS_TLSA_USAGE_DANE_EE
Domain issued certificate.
Definition: dane.h:53
List or Set of Resource Records.
Definition: rr.h:337
@ LDNS_TLSA_MATCHING_TYPE_SHA256
Definition: dane.h:94
ldns_enum_dane_transport
Known transports to use with TLSA owner names.
Definition: dane.h:106
Resource Record.
Definition: rr.h:309
@ LDNS_TLSA_MATCHING_TYPE_SHA2_256
SHA-256 hash of selected content [RFC6234].
Definition: dane.h:93
@ LDNS_TLSA_MATCHING_TYPE_SHA512
Definition: dane.h:97
ldns_enum_tlsa_selector
The different "Selector" rdata field values for a TLSA RR.
Definition: dane.h:63
ldns_enum_tlsa_matching_type
The different "Matching type" rdata field values for a TLSA RR.
Definition: dane.h:87
ldns_status ldns_dane_verify(const ldns_rr_list *tlsas, X509 *cert, STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store)
BEWARE! We strongly recommend to use OpenSSL 1.1.0 dane verification functions instead of the ones pr...
ldns_status ldns_dane_select_certificate(X509 **selected_cert, X509 *cert, STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store, ldns_tlsa_certificate_usage cert_usage, int index)
Selects the certificate from cert, extra_certs or the pkix_validation_store based on the value of cer...
Definition: dane.c:405
enum ldns_enum_tlsa_matching_type ldns_tlsa_matching_type
Definition: dane.h:101
@ LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION
Definition: dane.h:51
enum ldns_enum_tlsa_certificate_usage ldns_tlsa_certificate_usage
Definition: dane.h:58
@ LDNS_TLSA_USAGE_DANE_TA
Trust anchor assertion.
Definition: dane.h:50
ldns_status ldns_dane_create_tlsa_owner(ldns_rdf **tlsa_owner, const ldns_rdf *name, uint16_t port, ldns_dane_transport transport)
Creates a dname consisting of the given name, prefixed by the service port and type of transport: _po...
Definition: dane.c:90
@ LDNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO
Definition: dane.h:77
@ LDNS_TLSA_MATCHING_TYPE_PRIVMATCH
Reserved for Private Use.
Definition: dane.h:99
@ LDNS_TLSA_USAGE_PRIVCERT
Reserved for Private Use.
Definition: dane.h:56
@ LDNS_TLSA_MATCHING_TYPE_FULL
Exact match on selected content.
Definition: dane.h:90
ldns_status ldns_dane_create_tlsa_rr(ldns_rr **tlsa, ldns_tlsa_certificate_usage certificate_usage, ldns_tlsa_selector selector, ldns_tlsa_matching_type matching_type, X509 *cert)
Creates a TLSA resource record from the certificate.
Definition: dane.c:511
enum ldns_enum_tlsa_selector ldns_tlsa_selector
Definition: dane.h:82
ldns_enum_tlsa_certificate_usage
The different "Certificate usage" rdata field values for a TLSA RR.
Definition: dane.h:41
@ LDNS_DANE_TRANSPORT_SCTP
SCTP.
Definition: dane.h:113
@ LDNS_TLSA_SELECTOR_SPKI
SubjectPublicKeyInfo: DER-encoded binary structure as defined in [RFC5280].
Definition: dane.h:76
enum ldns_enum_status ldns_status
Definition: error.h:146
ldns_status ldns_dane_cert2rdf(ldns_rdf **rdf, X509 *cert, ldns_tlsa_selector selector, ldns_tlsa_matching_type matching_type)
Creates a LDNS_RDF_TYPE_HEX type rdf based on the binary data chosen by the selector and encoded usin...
Definition: dane.c:134
@ LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE
Definition: dane.h:54
@ LDNS_TLSA_SELECTOR_FULL_CERTIFICATE
Definition: dane.h:70
@ LDNS_TLSA_USAGE_PKIX_EE
Service certificate constraint.
Definition: dane.h:47
Resource record data field.
Definition: rdata.h:196
ldns_status ldns_dane_verify_rr(const ldns_rr *tlsa_rr, X509 *cert, STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store)
BEWARE! We strongly recommend to use OpenSSL 1.1.0 dane verification functions instead of the ones pr...
@ LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT
Definition: dane.h:48
@ LDNS_DANE_TRANSPORT_TCP
TCP.
Definition: dane.h:109
@ LDNS_TLSA_SELECTOR_PRIVSEL
Reserved for Private Use.
Definition: dane.h:80
@ LDNS_TLSA_SELECTOR_CERT
Full certificate: the Certificate binary structure as defined in [RFC5280].
Definition: dane.h:69
@ LDNS_TLSA_MATCHING_TYPE_SHA2_512
SHA-512 hash of selected content [RFC6234].
Definition: dane.h:96
enum ldns_enum_dane_transport ldns_dane_transport
Definition: dane.h:115
@ LDNS_TLSA_USAGE_CA_CONSTRAINT
Definition: dane.h:45
@ LDNS_TLSA_USAGE_PKIX_TA
CA constraint.
Definition: dane.h:44
@ LDNS_DANE_TRANSPORT_UDP
UDP.
Definition: dane.h:111
@ LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED
Definition: dane.h:91