| Top | |
|
|
|
GEnum
╰── GTlsDatabaseLookupFlags
GFlags
╰── GTlsDatabaseVerifyFlags
GObject
╰── GTlsDatabase
GTlsDatabase is used to look up certificates and other information from a certificate or key store. It is an abstract base class which TLS library specific subtypes override.
A GTlsDatabase may be accessed from multiple threads by the TLS backend. All implementations are required to be fully thread-safe.
Most common client applications will not directly interact with GTlsDatabase. It is used internally by GTlsConnection.
GTlsCertificateFlags g_tls_database_verify_chain (GTlsDatabase *self,GTlsCertificate *chain,const gchar *purpose,GSocketConnectable *identity,GTlsInteraction *interaction,GTlsDatabaseVerifyFlags flags,GCancellable *cancellable,GError **error);
Determines the validity of a certificate chain, outside the context of a TLS session.
chain
is a chain of GTlsCertificate objects each pointing to the next
certificate in the chain by its “issuer” property.
purpose
describes the purpose (or usage) for which the certificate
is being used. Typically purpose
will be set to G_TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER
which means that the certificate is being used to authenticate a server
(and we are acting as the client).
The identity
is used to ensure the server certificate is valid for
the expected peer identity. If the identity does not match the
certificate, G_TLS_CERTIFICATE_BAD_IDENTITY will be set in the
return value. If identity
is NULL, that bit will never be set in
the return value. The peer identity may also be used to check for
pinned certificates (trust exceptions) in the database. These may
override the normal verification process on a host-by-host basis.
Currently there are no flags
, and G_TLS_DATABASE_VERIFY_NONE should be
used.
If chain
is found to be valid, then the return value will be 0. If
chain
is found to be invalid, then the return value will indicate
the problems found. If the function is unable to determine whether
chain
is valid or not (eg, because cancellable
is triggered
before it completes) then the return value will be
G_TLS_CERTIFICATE_GENERIC_ERROR and error
will be set
accordingly. error
is not set when chain
is successfully analyzed
but found to be invalid.
Prior to GLib 2.48, GLib's default TLS backend modified chain
to
represent the certification path built by GTlsDatabase during
certificate verification by adjusting the “issuer”
property of each certificate in chain
. Since GLib 2.48, this no
longer occurs, so you cannot rely on “issuer” to
represent the actual certification path used during certificate
verification.
Because TLS session context is not used, GTlsDatabase may not perform as many checks on the certificates as GTlsConnection would. For example, certificate constraints cannot be honored, and some revocation checks cannot be performed. The best way to verify TLS certificates used by a TLS connection is to let GTlsConnection handle the verification.
The TLS backend may attempt to look up and add missing certificates to the chain. Since GLib 2.70, this may involve HTTP requests to download missing certificates.
This function can block. Use g_tls_database_verify_chain_async() to
perform the verification operation asynchronously.
self |
||
chain |
a GTlsCertificate chain |
|
purpose |
the purpose that this certificate chain will be used for. |
|
identity |
the expected peer identity. |
[nullable] |
interaction |
used to interact with the user if necessary. |
[nullable] |
flags |
additional verify flags |
|
cancellable |
a GCancellable, or |
[nullable] |
error |
a GError, or |
[nullable] |
Since: 2.30
void g_tls_database_verify_chain_async (GTlsDatabase *self,GTlsCertificate *chain,const gchar *purpose,GSocketConnectable *identity,GTlsInteraction *interaction,GTlsDatabaseVerifyFlags flags,GCancellable *cancellable,GAsyncReadyCallback callback,gpointer user_data);
Asynchronously determines the validity of a certificate chain after
looking up and adding any missing certificates to the chain. See
g_tls_database_verify_chain() for more information.
self |
||
chain |
a GTlsCertificate chain |
|
purpose |
the purpose that this certificate chain will be used for. |
|
identity |
the expected peer identity. |
[nullable] |
interaction |
used to interact with the user if necessary. |
[nullable] |
flags |
additional verify flags |
|
cancellable |
a GCancellable, or |
[nullable] |
callback |
callback to call when the operation completes |
|
user_data |
the data to pass to the callback function |
Since: 2.30
GTlsCertificateFlags g_tls_database_verify_chain_finish (GTlsDatabase *self,GAsyncResult *result,GError **error);
Finish an asynchronous verify chain operation. See
g_tls_database_verify_chain() for more information.
If chain
is found to be valid, then the return value will be 0. If
chain
is found to be invalid, then the return value will indicate
the problems found. If the function is unable to determine whether
chain
is valid or not (eg, because cancellable
is triggered
before it completes) then the return value will be
G_TLS_CERTIFICATE_GENERIC_ERROR and error
will be set
accordingly. error
is not set when chain
is successfully analyzed
but found to be invalid.
Since: 2.30
GTlsCertificate * g_tls_database_lookup_certificate_issuer (GTlsDatabase *self,GTlsCertificate *certificate,GTlsInteraction *interaction,GTlsDatabaseLookupFlags flags,GCancellable *cancellable,GError **error);
Look up the issuer of certificate
in the database. The
“issuer” property of certificate
is not modified, and
the two certificates are not hooked into a chain.
This function can block. Use g_tls_database_lookup_certificate_issuer_async()
to perform the lookup operation asynchronously.
Beware this function cannot be used to build certification paths. The issuer certificate returned by this function may not be the same as the certificate that would actually be used to construct a valid certification path during certificate verification. RFC 4158 explains why an issuer certificate cannot be naively assumed to be part of the the certification path (though GLib's TLS backends may not follow the path building strategies outlined in this RFC). Due to the complexity of certification path building, GLib does not provide any way to know which certification path will actually be used when verifying a TLS certificate. Accordingly, this function cannot be used to make security-related decisions. Only GLib itself should make security decisions about TLS certificates.
self |
||
certificate |
||
interaction |
used to interact with the user if necessary. |
[nullable] |
flags |
flags which affect the lookup operation |
|
cancellable |
a GCancellable, or |
[nullable] |
error |
a GError, or |
[nullable] |
a newly allocated issuer GTlsCertificate,
or NULL. Use g_object_unref() to release the certificate.
[transfer full]
Since: 2.30
void g_tls_database_lookup_certificate_issuer_async (GTlsDatabase *self,GTlsCertificate *certificate,GTlsInteraction *interaction,GTlsDatabaseLookupFlags flags,GCancellable *cancellable,GAsyncReadyCallback callback,gpointer user_data);
Asynchronously look up the issuer of certificate
in the database. See
g_tls_database_lookup_certificate_issuer() for more information.
self |
||
certificate |
||
interaction |
used to interact with the user if necessary. |
[nullable] |
flags |
flags which affect the lookup operation |
|
cancellable |
a GCancellable, or |
[nullable] |
callback |
callback to call when the operation completes |
|
user_data |
the data to pass to the callback function |
Since: 2.30
GTlsCertificate * g_tls_database_lookup_certificate_issuer_finish (GTlsDatabase *self,GAsyncResult *result,GError **error);
Finish an asynchronous lookup issuer operation. See
g_tls_database_lookup_certificate_issuer() for more information.
a newly allocated issuer GTlsCertificate,
or NULL. Use g_object_unref() to release the certificate.
[transfer full]
Since: 2.30
GList * g_tls_database_lookup_certificates_issued_by (GTlsDatabase *self,GByteArray *issuer_raw_dn,GTlsInteraction *interaction,GTlsDatabaseLookupFlags flags,GCancellable *cancellable,GError **error);
Look up certificates issued by this issuer in the database.
This function can block, use g_tls_database_lookup_certificates_issued_by_async() to perform
the lookup operation asynchronously.
self |
||
issuer_raw_dn |
a GByteArray which holds the DER encoded issuer DN. |
|
interaction |
used to interact with the user if necessary. |
[nullable] |
flags |
Flags which affect the lookup operation. |
|
cancellable |
a GCancellable, or |
[nullable] |
error |
a GError, or |
[nullable] |
a newly allocated list of GTlsCertificate
objects. Use g_object_unref() on each certificate, and g_list_free() on the release the list.
[transfer full][element-type GTlsCertificate]
Since: 2.30
void g_tls_database_lookup_certificates_issued_by_async (GTlsDatabase *self,GByteArray *issuer_raw_dn,GTlsInteraction *interaction,GTlsDatabaseLookupFlags flags,GCancellable *cancellable,GAsyncReadyCallback callback,gpointer user_data);
Asynchronously look up certificates issued by this issuer in the database. See
g_tls_database_lookup_certificates_issued_by() for more information.
The database may choose to hold a reference to the issuer byte array for the duration of of this asynchronous operation. The byte array should not be modified during this time.
self |
||
issuer_raw_dn |
a GByteArray which holds the DER encoded issuer DN. |
|
interaction |
used to interact with the user if necessary. |
[nullable] |
flags |
Flags which affect the lookup operation. |
|
cancellable |
a GCancellable, or |
[nullable] |
callback |
callback to call when the operation completes |
|
user_data |
the data to pass to the callback function |
Since: 2.30
GList * g_tls_database_lookup_certificates_issued_by_finish (GTlsDatabase *self,GAsyncResult *result,GError **error);
Finish an asynchronous lookup of certificates. See
g_tls_database_lookup_certificates_issued_by() for more information.
a newly allocated list of GTlsCertificate
objects. Use g_object_unref() on each certificate, and g_list_free() on the release the list.
[transfer full][element-type GTlsCertificate]
Since: 2.30
gchar * g_tls_database_create_certificate_handle (GTlsDatabase *self,GTlsCertificate *certificate);
Create a handle string for the certificate. The database will only be able
to create a handle for certificates that originate from the database. In
cases where the database cannot create a handle for a certificate, NULL
will be returned.
This handle should be stable across various instances of the application, and between applications. If a certificate is modified in the database, then it is not guaranteed that this handle will continue to point to it.
Since: 2.30
GTlsCertificate * g_tls_database_lookup_certificate_for_handle (GTlsDatabase *self,const gchar *handle,GTlsInteraction *interaction,GTlsDatabaseLookupFlags flags,GCancellable *cancellable,GError **error);
Look up a certificate by its handle.
The handle should have been created by calling
g_tls_database_create_certificate_handle() on a GTlsDatabase object of
the same TLS backend. The handle is designed to remain valid across
instantiations of the database.
If the handle is no longer valid, or does not point to a certificate in
this database, then NULL will be returned.
This function can block, use g_tls_database_lookup_certificate_for_handle_async() to perform
the lookup operation asynchronously.
self |
||
handle |
a certificate handle |
|
interaction |
used to interact with the user if necessary. |
[nullable] |
flags |
Flags which affect the lookup. |
|
cancellable |
a GCancellable, or |
[nullable] |
error |
a GError, or |
[nullable] |
a newly allocated
GTlsCertificate, or NULL. Use g_object_unref() to release the certificate.
[transfer full][nullable]
Since: 2.30
void g_tls_database_lookup_certificate_for_handle_async (GTlsDatabase *self,const gchar *handle,GTlsInteraction *interaction,GTlsDatabaseLookupFlags flags,GCancellable *cancellable,GAsyncReadyCallback callback,gpointer user_data);
Asynchronously look up a certificate by its handle in the database. See
g_tls_database_lookup_certificate_for_handle() for more information.
self |
||
handle |
a certificate handle |
|
interaction |
used to interact with the user if necessary. |
[nullable] |
flags |
Flags which affect the lookup. |
|
cancellable |
a GCancellable, or |
[nullable] |
callback |
callback to call when the operation completes |
|
user_data |
the data to pass to the callback function |
Since: 2.30
GTlsCertificate * g_tls_database_lookup_certificate_for_handle_finish (GTlsDatabase *self,GAsyncResult *result,GError **error);
Finish an asynchronous lookup of a certificate by its handle. See
g_tls_database_lookup_certificate_for_handle() for more information.
If the handle is no longer valid, or does not point to a certificate in
this database, then NULL will be returned.
a newly allocated GTlsCertificate object.
Use g_object_unref() to release the certificate.
[transfer full]
Since: 2.30
typedef struct _GTlsDatabase GTlsDatabase;
Abstract base class for the backend-specific database types.
Since: 2.30
struct GTlsDatabaseClass {
GObjectClass parent_class;
/* virtual methods */
GTlsCertificateFlags (*verify_chain) (GTlsDatabase *self,
GTlsCertificate *chain,
const gchar *purpose,
GSocketConnectable *identity,
GTlsInteraction *interaction,
GTlsDatabaseVerifyFlags flags,
GCancellable *cancellable,
GError **error);
void (*verify_chain_async) (GTlsDatabase *self,
GTlsCertificate *chain,
const gchar *purpose,
GSocketConnectable *identity,
GTlsInteraction *interaction,
GTlsDatabaseVerifyFlags flags,
GCancellable *cancellable,
GAsyncReadyCallback callback,
gpointer user_data);
GTlsCertificateFlags (*verify_chain_finish) (GTlsDatabase *self,
GAsyncResult *result,
GError **error);
gchar* (*create_certificate_handle) (GTlsDatabase *self,
GTlsCertificate *certificate);
GTlsCertificate* (*lookup_certificate_for_handle) (GTlsDatabase *self,
const gchar *handle,
GTlsInteraction *interaction,
GTlsDatabaseLookupFlags flags,
GCancellable *cancellable,
GError **error);
void (*lookup_certificate_for_handle_async) (GTlsDatabase *self,
const gchar *handle,
GTlsInteraction *interaction,
GTlsDatabaseLookupFlags flags,
GCancellable *cancellable,
GAsyncReadyCallback callback,
gpointer user_data);
GTlsCertificate* (*lookup_certificate_for_handle_finish) (GTlsDatabase *self,
GAsyncResult *result,
GError **error);
GTlsCertificate* (*lookup_certificate_issuer) (GTlsDatabase *self,
GTlsCertificate *certificate,
GTlsInteraction *interaction,
GTlsDatabaseLookupFlags flags,
GCancellable *cancellable,
GError **error);
void (*lookup_certificate_issuer_async) (GTlsDatabase *self,
GTlsCertificate *certificate,
GTlsInteraction *interaction,
GTlsDatabaseLookupFlags flags,
GCancellable *cancellable,
GAsyncReadyCallback callback,
gpointer user_data);
GTlsCertificate* (*lookup_certificate_issuer_finish) (GTlsDatabase *self,
GAsyncResult *result,
GError **error);
GList* (*lookup_certificates_issued_by) (GTlsDatabase *self,
GByteArray *issuer_raw_dn,
GTlsInteraction *interaction,
GTlsDatabaseLookupFlags flags,
GCancellable *cancellable,
GError **error);
void (*lookup_certificates_issued_by_async) (GTlsDatabase *self,
GByteArray *issuer_raw_dn,
GTlsInteraction *interaction,
GTlsDatabaseLookupFlags flags,
GCancellable *cancellable,
GAsyncReadyCallback callback,
gpointer user_data);
GList* (*lookup_certificates_issued_by_finish) (GTlsDatabase *self,
GAsyncResult *result,
GError **error);
};
The class for GTlsDatabase. Derived classes should implement the various virtual methods. _async and _finish methods have a default implementation that runs the corresponding sync method in a thread.
Virtual method implementing
|
||
Virtual method implementing
|
||
Virtual method implementing
|
||
Virtual method implementing
|
||
Virtual method implementing
|
||
Virtual method implementing
|
||
Virtual method implementing
|
||
Virtual method implementing
|
||
Virtual method implementing
|
||
Virtual method implementing
|
||
Virtual method implementing
|
||
Virtual method implementing
|
||
Virtual method implementing
|
Since: 2.30
#define G_TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER "1.3.6.1.5.5.7.3.1"
The purpose used to verify the server certificate in a TLS connection. This is the most common purpose in use. Used by TLS clients.
#define G_TLS_DATABASE_PURPOSE_AUTHENTICATE_CLIENT "1.3.6.1.5.5.7.3.2"
The purpose used to verify the client certificate in a TLS connection. Used by TLS servers.
Flags for g_tls_database_lookup_certificate_for_handle(),
g_tls_database_lookup_certificate_issuer(),
and g_tls_database_lookup_certificates_issued_by().
Since: 2.30