authorNikos Mavrogiannopoulos <nmav@gnutls.org>2012-11-01 19:46:43 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2012-11-01 21:01:45 +0100
commit91dd6004d7725a35e5fed730447fbf3f2e3093ec (patch)
tree6fe8a4eb5901d8731860184af1a125e7fe29df37 /libdane
parente20ce503acb15e63d4df992356b9d3501352e324 (diff)
downloadgnutls-91dd6004d7725a35e5fed730447fbf3f2e3093ec.tar.gz
Added dane_verification_status_print() and danetool can verify a DANE entry.
Diffstat (limited to 'libdane')
-rw-r--r--libdane/Makefile.am7
-rw-r--r--libdane/dane.c44
-rw-r--r--libdane/includes/gnutls/dane.h3
-rw-r--r--libdane/libdane.map1
4 files changed, 52 insertions, 3 deletions
diff --git a/libdane/Makefile.am b/libdane/Makefile.am
index bffa102fbe..d880cc8aaa 100644
--- a/libdane/Makefile.am
+++ b/libdane/Makefile.am
@@ -22,12 +22,13 @@ ACLOCAL_AMFLAGS = -I ../m4 -I ../gl/m4
AM_CFLAGS = $(WERROR_CFLAGS) $(WSTACK_CFLAGS) $(WARN_CFLAGS)
AM_CPPFLAGS = \
- -I$(srcdir)/../gl \
- -I$(builddir)/../gl \
+ -I$(srcdir)/../gl \
+ -I$(builddir)/../gl \
-I$(builddir)/../lib/includes \
-I$(srcdir)/../lib/includes \
-I$(srcdir)/includes \
- -I$(builddir)/includes
+ -I$(builddir)/includes \
+ -I$(srcdir)/../lib
SUBDIRS = includes
diff --git a/libdane/dane.c b/libdane/dane.c
index 5428a33173..b1b83a0249 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -32,6 +32,7 @@
#include <gnutls/x509.h>
#include <gnutls/abstract.h>
#include <gnutls/crypto.h>
+#include "../lib/gnutls_int.h"
#define MAX_DATA_ENTRIES 4
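Review bot: `#include "../lib/gnutls_int.h"` pulls a private libgnutls header into libdane by relative path (the Makefile.am hunk adds `-I$(srcdir)/../lib` for it), so libdane now depends on internal `_gnutls_buffer_*` helpers and the `_()` macro rather than on the public gnutls API. Whether those `_gnutls_*` symbols are exported by the installed libgnutls shared object is not visible in this diff, so linking libdane against a shared libgnutls should be confirmed before this is merged. A short comment on the include stating why it is needed, e.g. `/* private buffer helpers used by dane_verification_status_print() */`, would make the dependency intentional rather than accidental.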
@@ -602,3 +603,46 @@ unsigned int type;
return dane_verify_crt(s, cert_list, cert_list_size, type, hostname, proto, port, sflags, vflags, verify);
}
+/**
+ * dane_verification_status_print:
+ * @status: The status flags to be printed
+ * @type: The certificate type
+ * @out: Newly allocated datum with (0) terminated string.
+ * @flags: should be zero
+ *
+ * This function will pretty print the status of a verification
+ * process -- eg. the one obtained by dane_verify_crt().
+ *
+ * The output @out needs to be deallocated using gnutls_free().
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ * negative error value.
+ **/
+int
+dane_verification_status_print (unsigned int status,
+ gnutls_datum_t * out, unsigned int flags)
+{
+ gnutls_buffer_st str;
+ int ret;
+
+ _gnutls_buffer_init (&str);
+
+ if (status == 0)
+ _gnutls_buffer_append_str (&str, _("DANE verification didn't reject the certificate. "));
+ else
+ _gnutls_buffer_append_str (&str, _("DANE verification failed. "));
+
+ if (status & DANE_VERIFY_CA_CONSTRAINS_VIOLATED)
+ _gnutls_buffer_append_str (&str, _("CA constrains were violated. "));
+
+ if (status & DANE_VERIFY_CERT_DIFFERS)
+ _gnutls_buffer_append_str (&str, _("The certificate differs. "));
+
+ if (status & DANE_VERIFY_NO_DANE_INFO)
+ _gnutls_buffer_append_str (&str, _("There was no DANE information. "));
+
+ ret = _gnutls_buffer_to_datum( &str, out);
+ if (out->size > 0) out->size--;
+
+ return ret;
+}
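Review bot: The doc comment at the top of the hunk lists `@type: The certificate type`, but dane_verification_status_print() has no such parameter — its signature is (status, out, flags) — so that line should be dropped to keep gtk-doc and the header in agreement. Separately, `out->size` is decremented before `ret` from `_gnutls_buffer_to_datum()` is examined; if that helper leaves *out untouched on failure (not visible here), the decrement touches an uninitialized or stale field, so check first: `if (ret < 0) return ret;` ahead of `if (out->size > 0) out->size--;`. The return values of the `_gnutls_buffer_append_str()` calls are all ignored, so an allocation failure part-way through would silently yield a truncated message rather than an error. Minor: the user-facing string `"CA constrains were violated. "` should read "constraints" (the enum name carries the same typo, but the message need not).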
diff --git a/libdane/includes/gnutls/dane.h b/libdane/includes/gnutls/dane.h
index 9a08737a6a..75d2e36e6b 100644
--- a/libdane/includes/gnutls/dane.h
+++ b/libdane/includes/gnutls/dane.h
@@ -134,6 +134,9 @@ typedef enum dane_verify_status_t
DANE_VERIFY_NO_DANE_INFO = 1<<2,
} dane_verify_status_t;
+int
+dane_verification_status_print (unsigned int status,
+ gnutls_datum_t * out, unsigned int flags);
int dane_verify_crt (dane_state_t s,
const gnutls_datum_t *chain, unsigned chain_size,
diff --git a/libdane/libdane.map b/libdane/libdane.map
index 335869c1c8..b3894e1b37 100644
--- a/libdane/libdane.map
+++ b/libdane/libdane.map
@@ -16,6 +16,7 @@ DANE_0_0
dane_cert_type_name;
dane_match_type_name;
dane_cert_usage_name;
+ dane_verification_status_print;
local:
*;
};