| blob | 9e497c58bb6e2d050a1098fb3a339eaf6ac7063d |
1 /* GIO - GLib Input, Output and Certificateing Library
2 *
3 * Copyright (C) 2010 Red Hat, Inc.
4 *
5 * This library is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU Lesser General Public
7 * License as published by the Free Software Foundation; either
8 * version 2.1 of the License, or (at your option) any later version.
9 *
10 * This library is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * Lesser General Public License for more details.
14 *
15 * You should have received a copy of the GNU Lesser General
16 * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
17 */
23 #include <string.h>
29 /**
30 * SECTION:gtlscertificate
31 * @title: GTlsCertificate
32 * @short_description: TLS certificate
33 * @include: gio/gio.h
34 * @see_also: #GTlsConnection
35 *
36 * A certificate used for TLS authentication and encryption.
37 * This can represent either a certificate only (eg, the certificate
38 * received by a client from a server), or the combination of
39 * a certificate and a private key (which is needed when acting as a
40 * #GTlsServerConnection).
41 *
42 * Since: 2.28
43 */
45 /**
46 * GTlsCertificate:
47 *
48 * Abstract base class for TLS certificate types.
49 *
50 * Since: 2.28
51 */
55 enum
56 {
57 PROP_0,
59 PROP_CERTIFICATE,
60 PROP_CERTIFICATE_PEM,
61 PROP_PRIVATE_KEY,
62 PROP_PRIVATE_KEY_PEM,
63 PROP_ISSUER
64 };
66 static void
68 {
69 }
71 static void
73 guint prop_id,
76 {
78 }
80 static void
82 guint prop_id,
85 {
87 }
89 static void
91 {
97 /**
98 * GTlsCertificate:certificate:
99 *
100 * The DER (binary) encoded representation of the certificate.
101 * This property and the #GTlsCertificate:certificate-pem property
102 * represent the same data, just in different forms.
103 *
104 * Since: 2.28
105 */
110 G_TYPE_BYTE_ARRAY,
111 G_PARAM_READWRITE |
112 G_PARAM_CONSTRUCT_ONLY |
113 G_PARAM_STATIC_STRINGS));
114 /**
115 * GTlsCertificate:certificate-pem:
116 *
117 * The PEM (ASCII) encoded representation of the certificate.
118 * This property and the #GTlsCertificate:certificate
119 * property represent the same data, just in different forms.
120 *
121 * Since: 2.28
122 */
127 NULL,
128 G_PARAM_READWRITE |
129 G_PARAM_CONSTRUCT_ONLY |
130 G_PARAM_STATIC_STRINGS));
131 /**
132 * GTlsCertificate:private-key:
133 *
134 * The DER (binary) encoded representation of the certificate's
135 * private key, in either PKCS#1 format or unencrypted PKCS#8
136 * format. This property (or the #GTlsCertificate:private-key-pem
137 * property) can be set when constructing a key (eg, from a file),
138 * but cannot be read.
139 *
140 * PKCS#8 format is supported since 2.32; earlier releases only
141 * support PKCS#1. You can use the `openssl rsa`
142 * tool to convert PKCS#8 keys to PKCS#1.
143 *
144 * Since: 2.28
145 */
150 G_TYPE_BYTE_ARRAY,
151 G_PARAM_WRITABLE |
152 G_PARAM_CONSTRUCT_ONLY |
153 G_PARAM_STATIC_STRINGS));
154 /**
155 * GTlsCertificate:private-key-pem:
156 *
157 * The PEM (ASCII) encoded representation of the certificate's
158 * private key in either PKCS#1 format ("`BEGIN RSA PRIVATE
159 * KEY`") or unencrypted PKCS#8 format ("`BEGIN
160 * PRIVATE KEY`"). This property (or the
161 * #GTlsCertificate:private-key property) can be set when
162 * constructing a key (eg, from a file), but cannot be read.
163 *
164 * PKCS#8 format is supported since 2.32; earlier releases only
165 * support PKCS#1. You can use the `openssl rsa`
166 * tool to convert PKCS#8 keys to PKCS#1.
167 *
168 * Since: 2.28
169 */
174 NULL,
175 G_PARAM_WRITABLE |
176 G_PARAM_CONSTRUCT_ONLY |
177 G_PARAM_STATIC_STRINGS));
178 /**
179 * GTlsCertificate:issuer:
180 *
181 * A #GTlsCertificate representing the entity that issued this
182 * certificate. If %NULL, this means that the certificate is either
183 * self-signed, or else the certificate of the issuer is not
184 * available.
185 *
186 * Since: 2.28
187 */
192 G_TYPE_TLS_CERTIFICATE,
193 G_PARAM_READWRITE |
194 G_PARAM_CONSTRUCT_ONLY |
195 G_PARAM_STATIC_STRINGS));
196 }
203 {
214 NULL);
217 }
230 gsize data_len,
231 gboolean required,
233 {
239 else
240 {
244 else
245 {
248 {
251 }
253 {
256 }
258 }
259 }
263 {
267 }
270 end++;
273 }
279 gboolean required,
281 {
286 {
288 {
291 }
293 }
297 {
301 }
304 end++;
309 }
313 gsize data_len,
315 {
323 /* Make sure we can load, at least, one certificate. */
328 /* Create a list with a single element. If we load more certificates
329 * below, we will concatenate the two lists at the end. */
332 /* If we read one certificate successfully, let's see if we can read
333 * some more. If not, we will simply return a list with the first one.
334 */
336 {
342 {
346 }
348 {
350 }
353 }
358 }
363 {
365 GTlsCertificateFlags flags;
370 {
373 /* Private key belongs only to the first certificate. */
377 /* We assume that the whole file is a certificate chain, so we use
378 * each certificate as the issuer of the next one (list is in
379 * reverse order).
380 */
389 /* root will point to the last certificate in the file. */
394 }
396 /* Verify that the certificates form a chain. (We don't care at this
397 * point if there are other problems with it.)
398 */
401 {
402 /* It wasn't a chain, it's just a bunch of unrelated certs. */
404 }
407 }
411 gsize data_len,
415 {
423 /* We don't pass the error here because, if it fails, we still want to
424 * load and return the first certificate.
425 */
428 {
431 /* Get the first certificate (which is the last one as the list is
432 * in reverse order).
433 */
437 }
442 }
444 /**
445 * g_tls_certificate_new_from_pem:
446 * @data: PEM-encoded certificate data
447 * @length: the length of @data, or -1 if it's 0-terminated.
448 * @error: #GError for error reporting, or %NULL to ignore.
449 *
450 * Creates a #GTlsCertificate from the PEM-encoded data in @data. If
451 * @data includes both a certificate and a private key, then the
452 * returned certificate will include the private key data as well. (See
453 * the #GTlsCertificate:private-key-pem property for information about
454 * supported formats.)
455 *
456 * The returned certificate will be the first certificate found in
457 * @data. As of GLib 2.44, if @data contains more certificates it will
458 * try to load a certificate chain. All certificates will be verified in
459 * the order found (top-level certificate should be the last one in the
460 * file) and the #GTlsCertificate:issuer property of each certificate
461 * will be set accordingly if the verification succeeds. If any
462 * certificate in the chain cannot be verified, the first certificate in
463 * the file will still be returned.
464 *
465 * Returns: the new certificate, or %NULL if @data is invalid
466 *
467 * Since: 2.28
468 */
469 GTlsCertificate *
471 gssize length,
473 {
486 {
489 }
495 }
497 /**
498 * g_tls_certificate_new_from_file:
499 * @file: (type filename): file containing a PEM-encoded certificate to import
500 * @error: #GError for error reporting, or %NULL to ignore.
501 *
502 * Creates a #GTlsCertificate from the PEM-encoded data in @file. The
503 * returned certificate will be the first certificate found in @file. As
504 * of GLib 2.44, if @file contains more certificates it will try to load
505 * a certificate chain. All certificates will be verified in the order
506 * found (top-level certificate should be the last one in the file) and
507 * the #GTlsCertificate:issuer property of each certificate will be set
508 * accordingly if the verification succeeds. If any certificate in the
509 * chain cannot be verified, the first certificate in the file will
510 * still be returned.
511 *
512 * If @file cannot be read or parsed, the function will return %NULL and
513 * set @error. Otherwise, this behaves like
514 * g_tls_certificate_new_from_pem().
515 *
516 * Returns: the new certificate, or %NULL on error
517 *
518 * Since: 2.28
519 */
520 GTlsCertificate *
523 {
526 gsize length;
534 }
536 /**
537 * g_tls_certificate_new_from_files:
538 * @cert_file: (type filename): file containing one or more PEM-encoded
539 * certificates to import
540 * @key_file: (type filename): file containing a PEM-encoded private key
541 * to import
542 * @error: #GError for error reporting, or %NULL to ignore.
543 *
544 * Creates a #GTlsCertificate from the PEM-encoded data in @cert_file
545 * and @key_file. The returned certificate will be the first certificate
546 * found in @cert_file. As of GLib 2.44, if @cert_file contains more
547 * certificates it will try to load a certificate chain. All
548 * certificates will be verified in the order found (top-level
549 * certificate should be the last one in the file) and the
550 * #GTlsCertificate:issuer property of each certificate will be set
551 * accordingly if the verification succeeds. If any certificate in the
552 * chain cannot be verified, the first certificate in the file will
553 * still be returned.
554 *
555 * If either file cannot be read or parsed, the function will return
556 * %NULL and set @error. Otherwise, this behaves like
557 * g_tls_certificate_new_from_pem().
558 *
559 * Returns: the new certificate, or %NULL on error
560 *
561 * Since: 2.28
562 */
563 GTlsCertificate *
567 {
582 {
585 }
591 }
593 /**
594 * g_tls_certificate_list_new_from_file:
595 * @file: (type filename): file containing PEM-encoded certificates to import
596 * @error: #GError for error reporting, or %NULL to ignore.
597 *
598 * Creates one or more #GTlsCertificates from the PEM-encoded
599 * data in @file. If @file cannot be read or parsed, the function will
600 * return %NULL and set @error. If @file does not contain any
601 * PEM-encoded certificates, this will return an empty list and not
602 * set @error.
603 *
604 * Returns: (element-type Gio.TlsCertificate) (transfer full): a
605 * #GList containing #GTlsCertificate objects. You must free the list
606 * and its contents when you are done with it.
607 *
608 * Since: 2.28
609 */
610 GList *
613 {
617 gsize length;
625 {
632 {
635 }
637 {
639 {
643 }
645 }
647 }
651 }
654 /**
655 * g_tls_certificate_get_issuer:
656 * @cert: a #GTlsCertificate
657 *
658 * Gets the #GTlsCertificate representing @cert's issuer, if known
659 *
660 * Returns: (transfer none): The certificate of @cert's issuer,
661 * or %NULL if @cert is self-signed or signed with an unknown
662 * certificate.
663 *
664 * Since: 2.28
665 */
666 GTlsCertificate *
668 {
676 }
678 /**
679 * g_tls_certificate_verify:
680 * @cert: a #GTlsCertificate
681 * @identity: (nullable): the expected peer identity
682 * @trusted_ca: (nullable): the certificate of a trusted authority
683 *
684 * This verifies @cert and returns a set of #GTlsCertificateFlags
685 * indicating any problems found with it. This can be used to verify a
686 * certificate outside the context of making a connection, or to
687 * check a certificate against a CA that is not part of the system
688 * CA database.
689 *
690 * If @identity is not %NULL, @cert's name(s) will be compared against
691 * it, and %G_TLS_CERTIFICATE_BAD_IDENTITY will be set in the return
692 * value if it does not match. If @identity is %NULL, that bit will
693 * never be set in the return value.
694 *
695 * If @trusted_ca is not %NULL, then @cert (or one of the certificates
696 * in its chain) must be signed by it, or else
697 * %G_TLS_CERTIFICATE_UNKNOWN_CA will be set in the return value. If
698 * @trusted_ca is %NULL, that bit will never be set in the return
699 * value.
700 *
701 * (All other #GTlsCertificateFlags values will always be set or unset
702 * as appropriate.)
703 *
704 * Returns: the appropriate #GTlsCertificateFlags
705 *
706 * Since: 2.28
707 */
708 GTlsCertificateFlags
712 {
714 }
716 /**
717 * g_tls_certificate_is_same:
718 * @cert_one: first certificate to compare
719 * @cert_two: second certificate to compare
720 *
721 * Check if two #GTlsCertificate objects represent the same certificate.
722 * The raw DER byte data of the two certificates are checked for equality.
723 * This has the effect that two certificates may compare equal even if
724 * their #GTlsCertificate:issuer, #GTlsCertificate:private-key, or
725 * #GTlsCertificate:private-key-pem properties differ.
726 *
727 * Returns: whether the same or not
728 *
729 * Since: 2.34
730 */
731 gboolean
734 {
736 gboolean equal;
751 }