ldns  1.7.0
Typedefs | Enumerations | Functions
dane.h File Reference

This module contains base functions for creating and verifying TLSA RR's with PKIX certificates, certificate chains and validation stores. More...

Go to the source code of this file.

Typedefs

typedef enum ldns_enum_tlsa_certificate_usage ldns_tlsa_certificate_usage
 
typedef enum ldns_enum_tlsa_selector ldns_tlsa_selector
 
typedef enum ldns_enum_tlsa_matching_type ldns_tlsa_matching_type
 
typedef enum ldns_enum_dane_transport ldns_dane_transport
 

Enumerations

enum  ldns_enum_tlsa_certificate_usage {
  LDNS_TLSA_USAGE_PKIX_TA = 0, LDNS_TLSA_USAGE_CA_CONSTRAINT = 0, LDNS_TLSA_USAGE_PKIX_EE = 1, LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT = 1,
  LDNS_TLSA_USAGE_DANE_TA = 2, LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION = 2, LDNS_TLSA_USAGE_DANE_EE = 3, LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE = 3,
  LDNS_TLSA_USAGE_PRIVCERT = 255
}
 The different "Certificate usage" rdata field values for a TLSA RR. More...
 
enum  ldns_enum_tlsa_selector {
  LDNS_TLSA_SELECTOR_CERT = 0, LDNS_TLSA_SELECTOR_FULL_CERTIFICATE = 0, LDNS_TLSA_SELECTOR_SPKI = 1, LDNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO = 1,
  LDNS_TLSA_SELECTOR_PRIVSEL = 255
}
 The different "Selector" rdata field values for a TLSA RR. More...
 
enum  ldns_enum_tlsa_matching_type {
  LDNS_TLSA_MATCHING_TYPE_FULL = 0, LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED = 0, LDNS_TLSA_MATCHING_TYPE_SHA2_256 = 1, LDNS_TLSA_MATCHING_TYPE_SHA256 = 1,
  LDNS_TLSA_MATCHING_TYPE_SHA2_512 = 2, LDNS_TLSA_MATCHING_TYPE_SHA512 = 2, LDNS_TLSA_MATCHING_TYPE_PRIVMATCH = 255
}
 The different "Matching type" rdata field values for a TLSA RR. More...
 
enum  ldns_enum_dane_transport { LDNS_DANE_TRANSPORT_TCP = 0, LDNS_DANE_TRANSPORT_UDP = 1, LDNS_DANE_TRANSPORT_SCTP = 2 }
 Known transports to use with TLSA owner names. More...
 

Functions

ldns_status ldns_dane_create_tlsa_owner (ldns_rdf **tlsa_owner, const ldns_rdf *name, uint16_t port, ldns_dane_transport transport)
 Creates a dname consisting of the given name, prefixed by the service port and type of transport: _port._transport. More...
 
ldns_status ldns_dane_cert2rdf (ldns_rdf **rdf, X509 *cert, ldns_tlsa_selector selector, ldns_tlsa_matching_type matching_type)
 Creates a LDNS_RDF_TYPE_HEX type rdf based on the binary data chosen by the selector and encoded using matching_type. More...
 
ldns_status ldns_dane_select_certificate (X509 **selected_cert, X509 *cert, STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store, ldns_tlsa_certificate_usage cert_usage, int index)
 Selects the certificate from cert, extra_certs or the pkix_validation_store based on the value of cert_usage and index. More...
 
ldns_status ldns_dane_create_tlsa_rr (ldns_rr **tlsa, ldns_tlsa_certificate_usage certificate_usage, ldns_tlsa_selector selector, ldns_tlsa_matching_type matching_type, X509 *cert)
 Creates a TLSA resource record from the certificate. More...
 
ldns_status ldns_dane_verify_rr (const ldns_rr *tlsa_rr, X509 *cert, STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store)
 BEWARE! We strongly recommend to use OpenSSL 1.1.0 dane verification functions instead of the ones provided by ldns. More...
 
ldns_status ldns_dane_verify (const ldns_rr_list *tlsas, X509 *cert, STACK_OF(X509) *extra_certs, X509_STORE *pkix_validation_store)
 BEWARE! We strongly recommend to use OpenSSL 1.1.0 dane verification functions instead of the ones provided by ldns. More...
 

Detailed Description

This module contains base functions for creating and verifying TLSA RR's with PKIX certificates, certificate chains and validation stores.

(See RFC6394 and RFC6698).

Since those functions heavily rely op cryptographic operations, this module is dependent on openssl.

Definition in file dane.h.

Typedef Documentation

§ ldns_tlsa_certificate_usage

Definition at line 58 of file dane.h.

§ ldns_tlsa_selector

Definition at line 82 of file dane.h.

§ ldns_tlsa_matching_type

Definition at line 101 of file dane.h.

§ ldns_dane_transport

Definition at line 115 of file dane.h.

Enumeration Type Documentation

§ ldns_enum_tlsa_certificate_usage

The different "Certificate usage" rdata field values for a TLSA RR.

Enumerator
LDNS_TLSA_USAGE_PKIX_TA 

CA constraint.

LDNS_TLSA_USAGE_CA_CONSTRAINT 
LDNS_TLSA_USAGE_PKIX_EE 

Sevice certificate constraint.

LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT 
LDNS_TLSA_USAGE_DANE_TA 

Trust anchor assertion.

LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION 
LDNS_TLSA_USAGE_DANE_EE 

Domain issued certificate.

LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE 
LDNS_TLSA_USAGE_PRIVCERT 

Reserved for Private Use.

Definition at line 41 of file dane.h.

§ ldns_enum_tlsa_selector

The different "Selector" rdata field values for a TLSA RR.

Enumerator
LDNS_TLSA_SELECTOR_CERT 

Full certificate: the Certificate binary structure as defined in [RFC5280].

LDNS_TLSA_SELECTOR_FULL_CERTIFICATE 
LDNS_TLSA_SELECTOR_SPKI 

SubjectPublicKeyInfo: DER-encoded binary structure as defined in [RFC5280].

LDNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO 
LDNS_TLSA_SELECTOR_PRIVSEL 

Reserved for Private Use.

Definition at line 63 of file dane.h.

§ ldns_enum_tlsa_matching_type

The different "Matching type" rdata field values for a TLSA RR.

Enumerator
LDNS_TLSA_MATCHING_TYPE_FULL 

Exact match on selected content.

LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED 
LDNS_TLSA_MATCHING_TYPE_SHA2_256 

SHA-256 hash of selected content [RFC6234].

LDNS_TLSA_MATCHING_TYPE_SHA256 
LDNS_TLSA_MATCHING_TYPE_SHA2_512 

SHA-512 hash of selected content [RFC6234].

LDNS_TLSA_MATCHING_TYPE_SHA512 
LDNS_TLSA_MATCHING_TYPE_PRIVMATCH 

Reserved for Private Use.

Definition at line 87 of file dane.h.

§ ldns_enum_dane_transport

Known transports to use with TLSA owner names.

Enumerator
LDNS_DANE_TRANSPORT_TCP 

TCP.

LDNS_DANE_TRANSPORT_UDP 

UDP.

LDNS_DANE_TRANSPORT_SCTP 

SCTP.

Definition at line 106 of file dane.h.

Function Documentation

§ ldns_dane_create_tlsa_owner()

ldns_status ldns_dane_create_tlsa_owner ( ldns_rdf **  tlsa_owner,
const ldns_rdf name,
uint16_t  port,
ldns_dane_transport  transport 
)

Creates a dname consisting of the given name, prefixed by the service port and type of transport: _port._transport.

name.

Parameters
[out]tlsa_ownerThe created dname.
[in]nameThe dname that should be prefixed.
[in]portThe service port number for wich the name should be created.
[in]transportThe transport for which the name should be created.
Returns
LDNS_STATUS_OK on success or an error code otherwise.

Definition at line 33 of file dane.c.

References LDNS_DANE_TRANSPORT_SCTP, LDNS_DANE_TRANSPORT_TCP, LDNS_DANE_TRANSPORT_UDP, LDNS_MAX_DOMAINLEN, ldns_rdf_data(), ldns_rdf_get_type(), ldns_rdf_new_frm_data(), ldns_rdf_size(), LDNS_RDF_TYPE_DNAME, LDNS_STATUS_DANE_UNKNOWN_TRANSPORT, LDNS_STATUS_DOMAINNAME_OVERFLOW, LDNS_STATUS_MEM_ERR, and LDNS_STATUS_OK.

§ ldns_dane_cert2rdf()

ldns_status ldns_dane_cert2rdf ( ldns_rdf **  rdf,
X509 *  cert,
ldns_tlsa_selector  selector,
ldns_tlsa_matching_type  matching_type 
)

Creates a LDNS_RDF_TYPE_HEX type rdf based on the binary data chosen by the selector and encoded using matching_type.

Parameters
[out]rdfThe created created rdf of type LDNS_RDF_TYPE_HEX.
[in]certThe certificate from which the data is selected
[in]selectorThe full certificate or the public key
[in]matching_typeThe full data or the SHA256 or SHA512 hash of the selected data
Returns
LDNS_STATUS_OK on success or an error code otherwise.

Definition at line 77 of file dane.c.

References LDNS_FREE, ldns_rdf_new(), LDNS_RDF_TYPE_HEX, ldns_sha256(), LDNS_SHA256_DIGEST_LENGTH, ldns_sha512(), LDNS_SHA512_DIGEST_LENGTH, LDNS_STATUS_DANE_UNKNOWN_MATCHING_TYPE, LDNS_STATUS_DANE_UNKNOWN_SELECTOR, LDNS_STATUS_MEM_ERR, LDNS_STATUS_OK, LDNS_STATUS_SSL_ERR, LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED, LDNS_TLSA_MATCHING_TYPE_SHA256, LDNS_TLSA_MATCHING_TYPE_SHA512, LDNS_TLSA_SELECTOR_FULL_CERTIFICATE, LDNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO, and LDNS_XMALLOC.

§ ldns_dane_select_certificate()

ldns_status ldns_dane_select_certificate ( X509 **  selected_cert,
X509 *  cert,
STACK_OF(X509) *  extra_certs,
X509_STORE *  pkix_validation_store,
ldns_tlsa_certificate_usage  cert_usage,
int  index 
)

Selects the certificate from cert, extra_certs or the pkix_validation_store based on the value of cert_usage and index.

Parameters
[out]selected_certThe selected cert.
[in]certThe certificate to validate (or not)
[in]extra_certsIntermediate certificates that might be necessary during validation. May be NULL, except when the certificate usage is "Trust Anchor Assertion" because the trust anchor has to be provided.(otherwise choose a "Domain issued certificate!"
[in]pkix_validation_storeUsed when the certificate usage is "CA constraint" or "Service Certificate Constraint" to validate the certificate and, in case of "CA constraint", select the CA. When pkix_validation_store is NULL, validation is explicitly turned off and the behaviour is then the same as for "Trust anchor assertion" and "Domain issued certificate" respectively.
[in]cert_usageWhich certificate to use and how to validate.
[in]indexUsed to select the trust anchor when certificate usage is "Trust Anchor Assertion". 0 is the last certificate in the validation chain. 1 the one but last, etc. When index is -1, the last certificate is used that MUST be self-signed. This can help to make sure that the intended (self signed) trust anchor is actually present in extra_certs (which is a DANE requirement).
Returns
LDNS_STATUS_OK on success or an error code otherwise.

Definition at line 348 of file dane.c.

References LDNS_TLSA_USAGE_CA_CONSTRAINT, LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE, LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT, and LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION.

§ ldns_dane_create_tlsa_rr()

ldns_status ldns_dane_create_tlsa_rr ( ldns_rr **  tlsa,
ldns_tlsa_certificate_usage  certificate_usage,
ldns_tlsa_selector  selector,
ldns_tlsa_matching_type  matching_type,
X509 *  cert 
)

Creates a TLSA resource record from the certificate.

No PKIX validation is performed! The given certificate is used as data regardless the value of certificate_usage.

Parameters
[out]tlsaThe created TLSA resource record.
[in]certificate_usageThe value for the Certificate Usage field
[in]selectorThe value for the Selector field
[in]matching_typeThe value for the Matching Type field
[in]certThe certificate which data will be represented
Returns
LDNS_STATUS_OK on success or an error code otherwise.

Definition at line 454 of file dane.c.

References ldns_dane_cert2rdf(), ldns_native2rdf_int8(), LDNS_RDF_TYPE_INT8, ldns_rr_free(), ldns_rr_new_frm_type(), ldns_rr_set_rdf(), LDNS_RR_TYPE_TLSA, LDNS_STATUS_MEM_ERR, and LDNS_STATUS_OK.

§ ldns_dane_verify_rr()

ldns_status ldns_dane_verify_rr ( const ldns_rr tlsa_rr,
X509 *  cert,
STACK_OF(X509) *  extra_certs,
X509_STORE *  pkix_validation_store 
)

BEWARE! We strongly recommend to use OpenSSL 1.1.0 dane verification functions instead of the ones provided by ldns.

When OpenSSL 1.1.0 was available ldns will use the OpenSSL 1.1.0 dane verification functions under the hood. When ldns was linked with OpenSSL < 1.1.0, this function will not be able to verify TLSA records with DANE-TA usage types.

BEWARE! The ldns dane verification functions do not do server name checks. The user has to perform additional server name checks themselves!

Verify if the given TLSA resource record matches the given certificate. Reporting on a TLSA rr mismatch (LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH) is preferred over PKIX failure (LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE). So when PKIX validation is required by the TLSA Certificate usage, but the TLSA data does not match, LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH is returned whether the PKIX validated or not.

When ldns is linked with OpenSSL < 1.1.0 and this function is available, then the DANE-TA usage type will not be verified, and on a tlsa_rr with this usage type, LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA will be returned.

Parameters
[in]tlsa_rrThe resource record that specifies what and how to match the certificate. With tlsa_rr == NULL, regular PKIX validation is performed.
[in]certThe certificate to match (and validate)
[in]extra_certsIntermediate certificates that might be necessary creating the validation chain.
[in]pkix_validation_storeUsed when the certificate usage is "CA constraint" or "Service Certificate Constraint" to validate the certificate.
Returns
LDNS_STATUS_OK on success, LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA when the provided TLSA had the DANE-TA usage type, LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH on TLSA data mismatch, LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when TLSA matched, but the PKIX validation failed, or other ldns_status errors.

Definition at line 601 of file dane.c.

References LDNS_STATUS_OK.

§ ldns_dane_verify()

ldns_status ldns_dane_verify ( const ldns_rr_list tlsas,
X509 *  cert,
STACK_OF(X509) *  extra_certs,
X509_STORE *  pkix_validation_store 
)

BEWARE! We strongly recommend to use OpenSSL 1.1.0 dane verification functions instead of the ones provided by ldns.

When OpenSSL 1.1.0 was available ldns will use the OpenSSL 1.1.0 dane verification functions under the hood. When ldns was linked with OpenSSL < 1.1.0, this function will not be able to verify TLSA records with DANE-TA usage types.

BEWARE! The ldns dane verification functions do not do server name checks. The user has to perform additional server name checks themselves!

Verify if any of the given TLSA resource records matches the given certificate.

Parameters
[in]tlsasThe resource records that specify what and how to match the certificate. One must match for this function to succeed. With tlsas == NULL or the number of TLSA records in tlsas == 0, regular PKIX validation is performed.
[in]certThe certificate to match (and validate)
[in]extra_certsIntermediate certificates that might be necessary creating the validation chain.
[in]pkix_validation_storeUsed when the certificate usage is "CA constraint" or "Service Certificate Constraint" to validate the certificate.
Returns
LDNS_STATUS_OK on success, LDNS_STATUS_DANE_NEED_OPENSSL_GE_1_1_FOR_DANE_TA when at least one of the TLSA's had usage type DANE-TA and none of the TLSA's matched or PKIX validated, LDNS_STATUS_DANE_PKIX_DID_NOT_VALIDATE when one of the TLSA's matched but the PKIX validation failed, LDNS_STATUS_DANE_TLSA_DID_NOT_MATCH when none of the TLSA's matched, or other ldns_status errors.

Definition at line 784 of file dane.c.

References ldns_rr_list_rr_count(), and LDNS_STATUS_OK.