glibmm 2.80.0

TlsCertificate - TLS certificate.
#include <giomm/tlscertificate.h>
Public Member Functions

  TlsCertificate(TlsCertificate&& src) noexcept
  TlsCertificate& operator=(TlsCertificate&& src) noexcept
  ~TlsCertificate() noexcept override
  GTlsCertificate* gobj()
      Provides access to the underlying C GObject.
  const GTlsCertificate* gobj() const
      Provides access to the underlying C GObject.
  GTlsCertificate* gobj_copy()
      Provides access to the underlying C instance. The caller is responsible for unrefing it. Use when directly setting fields in structs.
  Glib::RefPtr<TlsCertificate> get_issuer()
      Gets the TlsCertificate representing cert's issuer, if known.
  Glib::RefPtr<const TlsCertificate> get_issuer() const
      Gets the TlsCertificate representing cert's issuer, if known.
  TlsCertificateFlags verify(const Glib::RefPtr<const SocketConnectable>& identity, const Glib::RefPtr<const TlsCertificate>& trusted_ca) const
      This verifies cert and returns a set of TlsCertificateFlags indicating any problems found with it.
  TlsCertificateFlags verify(const Glib::RefPtr<const SocketConnectable>& identity) const
      A verify() convenience overload.
  TlsCertificateFlags verify(const Glib::RefPtr<const TlsCertificate>& trusted_ca) const
      A verify() convenience overload.
  TlsCertificateFlags verify() const
      A verify() convenience overload.
  bool is_same(const Glib::RefPtr<const TlsCertificate>& cert_two) const
      Check if two TlsCertificate objects represent the same certificate.
  Glib::DateTime get_not_valid_before() const
      Returns the time at which the certificate became or will become valid.
  Glib::DateTime get_not_valid_after() const
      Returns the time at which the certificate became or will become invalid.
  Glib::ustring get_subject_name() const
      Returns the subject name from the certificate.
  Glib::ustring get_issuer_name() const
      Returns the issuer name from the certificate.
  Glib::PropertyProxy_ReadOnly<Glib::RefPtr<Glib::ByteArray>> property_certificate() const
      The DER (binary) encoded representation of the certificate.
  Glib::PropertyProxy_ReadOnly<std::string> property_certificate_pem() const
      The PEM (ASCII) encoded representation of the certificate.
  Glib::PropertyProxy_ReadOnly<Glib::RefPtr<Glib::ByteArray>> property_private_key() const
      The DER (binary) encoded representation of the certificate's private key, in either PKCS #1 format or unencrypted PKCS #8 format.
  Glib::PropertyProxy_ReadOnly<std::string> property_private_key_pem() const
      The PEM (ASCII) encoded representation of the certificate's private key in either PKCS #1 format ("BEGIN RSA PRIVATE KEY") or unencrypted PKCS #8 format ("BEGIN PRIVATE KEY").
  Glib::PropertyProxy_ReadOnly<Glib::RefPtr<TlsCertificate>> property_issuer() const
      A TlsCertificate representing the entity that issued this certificate.
  Glib::PropertyProxy_ReadOnly<std::string> property_pkcs11_uri() const
      A URI referencing the PKCS #11 objects containing an X.509 certificate and optionally a private key.
  Glib::PropertyProxy_ReadOnly<std::string> property_private_key_pkcs11_uri() const
      A URI referencing a PKCS #11 object containing a private key.
  Glib::PropertyProxy_ReadOnly<Glib::DateTime> property_not_valid_before() const
      The time at which this cert is considered to be valid, nullptr if unavailable.
  Glib::PropertyProxy_ReadOnly<Glib::DateTime> property_not_valid_after() const
      The time at which this cert is no longer valid, nullptr if unavailable.
  Glib::PropertyProxy_ReadOnly<Glib::ustring> property_subject_name() const
      The subject from the cert, nullptr if unavailable.
  Glib::PropertyProxy_ReadOnly<Glib::ustring> property_issuer_name() const
      The issuer from the certificate, nullptr if unavailable.

Public Member Functions inherited from Glib::Object

  Object(const Object&) = delete
  Object& operator=(const Object&) = delete
  Object(Object&& src) noexcept
  Object& operator=(Object&& src) noexcept
  void* get_data(const QueryQuark& key)
  void set_data(const Quark& key, void* data)
  void set_data_with_c_callback(const Quark& key, void* data, GDestroyNotify notify)
  void set_data(const Quark& key, void* data, DestroyNotify notify)
      Prefer set_data_with_c_callback() with a callback with C linkage.
  void remove_data(const QueryQuark& quark)
  void* steal_data(const QueryQuark& quark)

Public Member Functions inherited from Glib::ObjectBase

  ObjectBase(const ObjectBase&) = delete
  ObjectBase& operator=(const ObjectBase&) = delete
  void set_property_value(const Glib::ustring& property_name, const Glib::ValueBase& value)
      You probably want to use a specific property_*() accessor method instead.
  void get_property_value(const Glib::ustring& property_name, Glib::ValueBase& value) const
      You probably want to use a specific property_*() accessor method instead.
  template<class PropertyType> void set_property(const Glib::ustring& property_name, const PropertyType& value)
      You probably want to use a specific property_*() accessor method instead.
  template<class PropertyType> void get_property(const Glib::ustring& property_name, PropertyType& value) const
      You probably want to use a specific property_*() accessor method instead.
  template<class PropertyType> PropertyType get_property(const Glib::ustring& property_name) const
      You probably want to use a specific property_*() accessor method instead.
  sigc::connection connect_property_changed(const Glib::ustring& property_name, const sigc::slot<void()>& slot)
      You can use the signal_changed() signal of the property proxy instead.
  sigc::connection connect_property_changed(const Glib::ustring& property_name, sigc::slot<void()>&& slot)
      You can use the signal_changed() signal of the property proxy instead.
  void freeze_notify()
      Increases the freeze count on object.
  void thaw_notify()
      Reverts the effect of a previous call to freeze_notify().
  virtual void reference() const
      Increment the reference count for this object.
  virtual void unreference() const
      Decrement the reference count for this object.
  GObject* gobj()
      Provides access to the underlying C GObject.
  const GObject* gobj() const
      Provides access to the underlying C GObject.
  GObject* gobj_copy() const
      Give a ref-ed copy to someone. Use for direct struct access.

Static Public Member Functions

  static GType get_type()
      Get the GType for this class, for use with the underlying GObject type system.
  static Glib::RefPtr<TlsCertificate> create_from_pem(const std::string& data, gssize length = -1)
      Creates a TlsCertificate from the PEM-encoded data in data.
  static Glib::RefPtr<TlsCertificate> create(const std::string& file)
      Creates a TlsCertificate from the data in file.
  static Glib::RefPtr<TlsCertificate> create(const std::string& cert_file, const std::string& key_file)
      Creates a TlsCertificate from the PEM-encoded data in cert_file and key_file.
  static std::vector<Glib::RefPtr<TlsCertificate>> create_list_from_file(const std::string& file)
      Creates one or more TlsCertificates from the PEM-encoded data in file.

Related Symbols
(Note that these are not member symbols.)

  Glib::RefPtr<Gio::TlsCertificate> wrap(GTlsCertificate* object, bool take_copy = false)
      A Glib::wrap() method for this object.

Related Symbols inherited from Glib::Object

  Glib::RefPtr<Glib::Object> wrap(GObject* object, bool take_copy = false)

Additional Inherited Members

Public Types inherited from Glib::Object

  using DestroyNotify = void (*)(gpointer data)
TlsCertificate - TLS certificate.
A certificate used for TLS authentication and encryption. This can represent either a certificate only (e.g., the certificate received by a client from a server), or the combination of a certificate and a private key (which is needed when acting as a TlsServerConnection).
static Glib::RefPtr<TlsCertificate> Gio::TlsCertificate::create(const std::string& cert_file, const std::string& key_file)

Creates a TlsCertificate from the PEM-encoded data in cert_file and key_file.

The returned certificate will be the first certificate found in cert_file. As of GLib 2.44, if cert_file contains more certificates it will try to load a certificate chain. All certificates will be verified in the order found (top-level certificate should be the last one in the file) and the TlsCertificate::property_issuer() property of each certificate will be set accordingly if the verification succeeds. If any certificate in the chain cannot be verified, the first certificate in the file will still be returned.

If either file cannot be read or parsed, the function will return nullptr and set error. Otherwise, this behaves like g_tls_certificate_new_from_pem().

Parameters:
    cert_file   File containing one or more PEM-encoded certificates to import.
    key_file    File containing a PEM-encoded private key to import.
Returns: nullptr on error.
Exceptions: Glib::Error
static Glib::RefPtr<TlsCertificate> Gio::TlsCertificate::create(const std::string& file)

Creates a TlsCertificate from the data in file.

As of 2.72, if the filename ends in .p12 or .pfx the data is loaded by g_tls_certificate_new_from_pkcs12(), otherwise it is loaded by g_tls_certificate_new_from_pem(). See those functions for exact details.

If file cannot be read or parsed, the function will return nullptr and set error.

Parameters:
    file   File containing a certificate to import.
Returns: nullptr on error.
Exceptions: Glib::Error
static Glib::RefPtr<TlsCertificate> Gio::TlsCertificate::create_from_pem(const std::string& data, gssize length = -1)

Creates a TlsCertificate from the PEM-encoded data in data.

If data includes both a certificate and a private key, then the returned certificate will include the private key data as well. (See the TlsCertificate::property_private_key_pem() property for information about supported formats.)

The returned certificate will be the first certificate found in data. As of GLib 2.44, if data contains more certificates it will try to load a certificate chain. All certificates will be verified in the order found (top-level certificate should be the last one in the file) and the TlsCertificate::property_issuer() property of each certificate will be set accordingly if the verification succeeds. If any certificate in the chain cannot be verified, the first certificate in the file will still be returned.

Parameters:
    data     PEM-encoded certificate data.
    length   The length of data, or -1 if it's 0-terminated.
Returns: nullptr if data is invalid.
Exceptions: Glib::Error
static std::vector<Glib::RefPtr<TlsCertificate>> Gio::TlsCertificate::create_list_from_file(const std::string& file)

Creates one or more TlsCertificates from the PEM-encoded data in file.

If file cannot be read or parsed, the function will return nullptr and set error. If file does not contain any PEM-encoded certificates, this will return an empty list and not set error.

Parameters:
    file   File containing PEM-encoded certificates to import.
Exceptions: Glib::Error
Glib::RefPtr<TlsCertificate> Gio::TlsCertificate::get_issuer()

Gets the TlsCertificate representing cert's issuer, if known.
Returns: nullptr if cert is self-signed or signed with an unknown certificate.

Glib::RefPtr<const TlsCertificate> Gio::TlsCertificate::get_issuer() const

Gets the TlsCertificate representing cert's issuer, if known.
Returns: nullptr if cert is self-signed or signed with an unknown certificate.

Glib::ustring Gio::TlsCertificate::get_issuer_name() const

Returns the issuer name from the certificate.
Returns: nullptr if it's not available.

Glib::DateTime Gio::TlsCertificate::get_not_valid_after() const

Returns the time at which the certificate became or will become invalid.
Returns: nullptr if it's not available.

Glib::DateTime Gio::TlsCertificate::get_not_valid_before() const

Returns the time at which the certificate became or will become valid.
Returns: nullptr if it's not available.

Glib::ustring Gio::TlsCertificate::get_subject_name() const

Returns the subject name from the certificate.
Returns: nullptr if it's not available.

static GType Gio::TlsCertificate::get_type()

Get the GType for this class, for use with the underlying GObject type system.
GTlsCertificate* Gio::TlsCertificate::gobj()   [inline]

Provides access to the underlying C GObject.

const GTlsCertificate* Gio::TlsCertificate::gobj() const   [inline]

Provides access to the underlying C GObject.
GTlsCertificate* Gio::TlsCertificate::gobj_copy()

Provides access to the underlying C instance. The caller is responsible for unrefing it. Use when directly setting fields in structs.

bool Gio::TlsCertificate::is_same(const Glib::RefPtr<const TlsCertificate>& cert_two) const

Check if two TlsCertificate objects represent the same certificate.

The raw DER byte data of the two certificates are checked for equality. This has the effect that two certificates may compare equal even if their TlsCertificate::property_issuer(), TlsCertificate::property_private_key(), or TlsCertificate::property_private_key_pem() properties differ.

Parameters:
    cert_two   Second certificate to compare.
Glib::PropertyProxy_ReadOnly<Glib::RefPtr<Glib::ByteArray>> Gio::TlsCertificate::property_certificate() const

The DER (binary) encoded representation of the certificate.

This property and the TlsCertificate::property_certificate_pem() property represent the same data, just in different forms.

Glib::PropertyProxy_ReadOnly<std::string> Gio::TlsCertificate::property_certificate_pem() const

The PEM (ASCII) encoded representation of the certificate.

This property and the TlsCertificate::property_certificate() property represent the same data, just in different forms.

Default value: ""

Glib::PropertyProxy_ReadOnly<Glib::RefPtr<TlsCertificate>> Gio::TlsCertificate::property_issuer() const

A TlsCertificate representing the entity that issued this certificate.

If nullptr, this means that the certificate is either self-signed, or else the certificate of the issuer is not available.

Beware the issuer certificate may not be the same as the certificate that would actually be used to construct a valid certification path during certificate verification. RFC 4158 explains why an issuer certificate cannot be naively assumed to be part of the certification path (though GLib's TLS backends may not follow the path building strategies outlined in this RFC). Due to the complexity of certification path building, GLib does not provide any way to know which certification path will actually be used. Accordingly, this property cannot be used to make security-related decisions. Only GLib itself should make security decisions about TLS certificates.

Glib::PropertyProxy_ReadOnly<Glib::ustring> Gio::TlsCertificate::property_issuer_name() const

The issuer from the certificate, nullptr if unavailable.

Default value: ""

Glib::PropertyProxy_ReadOnly<Glib::DateTime> Gio::TlsCertificate::property_not_valid_after() const

The time at which this cert is no longer valid, nullptr if unavailable.

Glib::PropertyProxy_ReadOnly<Glib::DateTime> Gio::TlsCertificate::property_not_valid_before() const

The time at which this cert is considered to be valid, nullptr if unavailable.

Glib::PropertyProxy_ReadOnly<std::string> Gio::TlsCertificate::property_pkcs11_uri() const

A URI referencing the PKCS #11 objects containing an X.509 certificate and optionally a private key.

If nullptr, the certificate is either not backed by PKCS #11 or the TlsBackend does not support PKCS #11.

Default value: ""

Glib::PropertyProxy_ReadOnly<Glib::RefPtr<Glib::ByteArray>> Gio::TlsCertificate::property_private_key() const

The DER (binary) encoded representation of the certificate's private key, in either PKCS #1 format or unencrypted PKCS #8 format.

PKCS #8 format is supported since 2.32; earlier releases only support PKCS #1. You can use the openssl rsa tool to convert PKCS #8 keys to PKCS #1.

This property (or the TlsCertificate::property_private_key_pem() property) can be set when constructing a key (for example, from a file). Since GLib 2.70, it is now also readable; however, be aware that if the private key is backed by a PKCS #11 URI (for example, if it is stored on a smartcard) then this property will be nullptr. If so, the private key must be referenced via its PKCS #11 URI, TlsCertificate::property_private_key_pkcs11_uri(). You must check both properties to see if the certificate really has a private key. When this property is read, the output format will be unencrypted PKCS #8.

Glib::PropertyProxy_ReadOnly<std::string> Gio::TlsCertificate::property_private_key_pem() const

The PEM (ASCII) encoded representation of the certificate's private key in either PKCS #1 format ("BEGIN RSA PRIVATE KEY") or unencrypted PKCS #8 format ("BEGIN PRIVATE KEY").

PKCS #8 format is supported since 2.32; earlier releases only support PKCS #1. You can use the openssl rsa tool to convert PKCS #8 keys to PKCS #1.

This property (or the TlsCertificate::property_private_key() property) can be set when constructing a key (for example, from a file). Since GLib 2.70, it is now also readable; however, be aware that if the private key is backed by a PKCS #11 URI (for example, if it is stored on a smartcard) then this property will be nullptr. If so, the private key must be referenced via its PKCS #11 URI, TlsCertificate::property_private_key_pkcs11_uri(). You must check both properties to see if the certificate really has a private key. When this property is read, the output format will be unencrypted PKCS #8.

Default value: ""

Glib::PropertyProxy_ReadOnly<std::string> Gio::TlsCertificate::property_private_key_pkcs11_uri() const

A URI referencing a PKCS #11 object containing a private key.

Default value: ""

Glib::PropertyProxy_ReadOnly<Glib::ustring> Gio::TlsCertificate::property_subject_name() const

The subject from the cert, nullptr if unavailable.

Default value: ""
TlsCertificateFlags Gio::TlsCertificate::verify() const

A verify() convenience overload.

TlsCertificateFlags Gio::TlsCertificate::verify(const Glib::RefPtr<const SocketConnectable>& identity) const

A verify() convenience overload.

TlsCertificateFlags Gio::TlsCertificate::verify(const Glib::RefPtr<const SocketConnectable>& identity, const Glib::RefPtr<const TlsCertificate>& trusted_ca) const

This verifies cert and returns a set of TlsCertificateFlags indicating any problems found with it.

This can be used to verify a certificate outside the context of making a connection, or to check a certificate against a CA that is not part of the system CA database.

If cert is valid, Gio::TlsCertificateFlags::NO_FLAGS is returned.

If identity is not nullptr, cert's name(s) will be compared against it, and Gio::TlsCertificateFlags::BAD_IDENTITY will be set in the return value if it does not match. If identity is nullptr, that bit will never be set in the return value.

If trusted_ca is not nullptr, then cert (or one of the certificates in its chain) must be signed by it, or else Gio::TlsCertificateFlags::UNKNOWN_CA will be set in the return value. If trusted_ca is nullptr, that bit will never be set in the return value.

GLib guarantees that if certificate verification fails, at least one error will be set in the return value, but it does not guarantee that all possible errors will be set. Accordingly, you may not safely decide to ignore any particular type of error. For example, it would be incorrect to mask Gio::TlsCertificateFlags::EXPIRED if you want to allow expired certificates, because this could potentially be the only error flag set even if other problems exist with the certificate.

Because TLS session context is not used, TlsCertificate may not perform as many checks on the certificates as TlsConnection would. For example, certificate constraints may not be honored, and revocation checks may not be performed. The best way to verify TLS certificates used by a TLS connection is to let TlsConnection handle the verification.

Parameters:
    identity     The expected peer identity.
    trusted_ca   The certificate of a trusted authority.

TlsCertificateFlags Gio::TlsCertificate::verify(const Glib::RefPtr<const TlsCertificate>& trusted_ca) const

A verify() convenience overload.
Glib::RefPtr<Gio::TlsCertificate> wrap(GTlsCertificate* object, bool take_copy = false)   [related]

A Glib::wrap() method for this object.

Parameters:
    object      The C instance.
    take_copy   False if the result should take ownership of the C instance. True if it should take a new copy or ref.