blob: d55d0fe90b1edf3af04ed5f0300ef9defa5288cf [file] [log] [blame]
/* GIO - GLib Input, Output and Streaming Library
*
* Copyright (C) 2010 Collabora, Ltd.
*
* SPDX-License-Identifier: LGPL-2.1-or-later
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General
* Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
*
* Author: Stef Walter <stefw@collabora.co.uk>
*/
#include "config.h"
#include "gtlsdatabase.h"
#include "gasyncresult.h"
#include "gcancellable.h"
#include "glibintl.h"
#include "gsocketconnectable.h"
#include "gtask.h"
#include "gtlscertificate.h"
#include "gtlsinteraction.h"
/**
* GTlsDatabase:
*
* `GTlsDatabase` is used to look up certificates and other information
* from a certificate or key store. It is an abstract base class which
* TLS library specific subtypes override.
*
* A `GTlsDatabase` may be accessed from multiple threads by the TLS backend.
* All implementations are required to be fully thread-safe.
*
* Most common client applications will not directly interact with
* `GTlsDatabase`. It is used internally by [class@Gio.TlsConnection].
*
* Since: 2.30
*/
/**
* GTlsDatabaseClass:
* @verify_chain: Virtual method implementing
* g_tls_database_verify_chain().
* @verify_chain_async: Virtual method implementing
* g_tls_database_verify_chain_async().
* @verify_chain_finish: Virtual method implementing
* g_tls_database_verify_chain_finish().
* @create_certificate_handle: Virtual method implementing
* g_tls_database_create_certificate_handle().
* @lookup_certificate_for_handle: Virtual method implementing
* g_tls_database_lookup_certificate_for_handle().
* @lookup_certificate_for_handle_async: Virtual method implementing
* g_tls_database_lookup_certificate_for_handle_async().
* @lookup_certificate_for_handle_finish: Virtual method implementing
* g_tls_database_lookup_certificate_for_handle_finish().
* @lookup_certificate_issuer: Virtual method implementing
* g_tls_database_lookup_certificate_issuer().
* @lookup_certificate_issuer_async: Virtual method implementing
* g_tls_database_lookup_certificate_issuer_async().
* @lookup_certificate_issuer_finish: Virtual method implementing
* g_tls_database_lookup_certificate_issuer_finish().
* @lookup_certificates_issued_by: Virtual method implementing
* g_tls_database_lookup_certificates_issued_by().
* @lookup_certificates_issued_by_async: Virtual method implementing
* g_tls_database_lookup_certificates_issued_by_async().
* @lookup_certificates_issued_by_finish: Virtual method implementing
* g_tls_database_lookup_certificates_issued_by_finish().
*
* The class for #GTlsDatabase. Derived classes should implement the various
* virtual methods. _async and _finish methods have a default
* implementation that runs the corresponding sync method in a thread.
*
* Since: 2.30
*/
G_DEFINE_ABSTRACT_TYPE (GTlsDatabase, g_tls_database, G_TYPE_OBJECT)
enum {
UNLOCK_REQUIRED,
LAST_SIGNAL
};
/**
* G_TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER:
*
* The purpose used to verify the server certificate in a TLS connection. This
* is the most common purpose in use. Used by TLS clients.
*/
/**
* G_TLS_DATABASE_PURPOSE_AUTHENTICATE_CLIENT:
*
* The purpose used to verify the client certificate in a TLS connection.
* Used by TLS servers.
*/
static void
g_tls_database_init (GTlsDatabase *cert)
{
}
typedef struct _AsyncVerifyChain {
GTlsCertificate *chain;
gchar *purpose;
GSocketConnectable *identity;
GTlsInteraction *interaction;
GTlsDatabaseVerifyFlags flags;
} AsyncVerifyChain;
static void
async_verify_chain_free (gpointer data)
{
AsyncVerifyChain *args = data;
g_clear_object (&args->chain);
g_free (args->purpose);
g_clear_object (&args->identity);
g_clear_object (&args->interaction);
g_slice_free (AsyncVerifyChain, args);
}
static void
async_verify_chain_thread (GTask *task,
gpointer object,
gpointer task_data,
GCancellable *cancellable)
{
AsyncVerifyChain *args = task_data;
GTlsCertificateFlags verify_result;
GError *error = NULL;
verify_result = g_tls_database_verify_chain (G_TLS_DATABASE (object),
args->chain,
args->purpose,
args->identity,
args->interaction,
args->flags,
cancellable,
&error);
if (error)
g_task_return_error (task, error);
else
g_task_return_int (task, (gssize)verify_result);
}
static void
g_tls_database_real_verify_chain_async (GTlsDatabase *self,
GTlsCertificate *chain,
const gchar *purpose,
GSocketConnectable *identity,
GTlsInteraction *interaction,
GTlsDatabaseVerifyFlags flags,
GCancellable *cancellable,
GAsyncReadyCallback callback,
gpointer user_data)
{
GTask *task;
AsyncVerifyChain *args;
args = g_slice_new0 (AsyncVerifyChain);
args->chain = g_object_ref (chain);
args->purpose = g_strdup (purpose);
args->identity = identity ? g_object_ref (identity) : NULL;
args->interaction = interaction ? g_object_ref (interaction) : NULL;
args->flags = flags;
task = g_task_new (self, cancellable, callback, user_data);
g_task_set_source_tag (task, g_tls_database_real_verify_chain_async);
g_task_set_name (task, "[gio] verify TLS chain");
g_task_set_task_data (task, args, async_verify_chain_free);
g_task_run_in_thread (task, async_verify_chain_thread);
g_object_unref (task);
}
static GTlsCertificateFlags
g_tls_database_real_verify_chain_finish (GTlsDatabase *self,
GAsyncResult *result,
GError **error)
{
GTlsCertificateFlags ret;
g_return_val_if_fail (g_task_is_valid (result, self), G_TLS_CERTIFICATE_GENERIC_ERROR);
ret = (GTlsCertificateFlags)g_task_propagate_int (G_TASK (result), error);
if (ret == (GTlsCertificateFlags)-1)
return G_TLS_CERTIFICATE_GENERIC_ERROR;
else
return ret;
}
typedef struct {
gchar *handle;
GTlsInteraction *interaction;
GTlsDatabaseLookupFlags flags;
} AsyncLookupCertificateForHandle;
static void
async_lookup_certificate_for_handle_free (gpointer data)
{
AsyncLookupCertificateForHandle *args = data;
g_free (args->handle);
g_clear_object (&args->interaction);
g_slice_free (AsyncLookupCertificateForHandle, args);
}
static void
async_lookup_certificate_for_handle_thread (GTask *task,
gpointer object,
gpointer task_data,
GCancellable *cancellable)
{
AsyncLookupCertificateForHandle *args = task_data;
GTlsCertificate *result;
GError *error = NULL;
result = g_tls_database_lookup_certificate_for_handle (G_TLS_DATABASE (object),
args->handle,
args->interaction,
args->flags,
cancellable,
&error);
if (result)
g_task_return_pointer (task, result, g_object_unref);
else
g_task_return_error (task, error);
}
static void
g_tls_database_real_lookup_certificate_for_handle_async (GTlsDatabase *self,
const gchar *handle,
GTlsInteraction *interaction,
GTlsDatabaseLookupFlags flags,
GCancellable *cancellable,
GAsyncReadyCallback callback,
gpointer user_data)
{
GTask *task;
AsyncLookupCertificateForHandle *args;
args = g_slice_new0 (AsyncLookupCertificateForHandle);
args->handle = g_strdup (handle);
args->interaction = interaction ? g_object_ref (interaction) : NULL;
task = g_task_new (self, cancellable, callback, user_data);
g_task_set_source_tag (task,
g_tls_database_real_lookup_certificate_for_handle_async);
g_task_set_name (task, "[gio] lookup TLS certificate");
g_task_set_task_data (task, args, async_lookup_certificate_for_handle_free);
g_task_run_in_thread (task, async_lookup_certificate_for_handle_thread);
g_object_unref (task);
}
static GTlsCertificate*
g_tls_database_real_lookup_certificate_for_handle_finish (GTlsDatabase *self,
GAsyncResult *result,
GError **error)
{
g_return_val_if_fail (g_task_is_valid (result, self), NULL);
return g_task_propagate_pointer (G_TASK (result), error);
}
typedef struct {
GTlsCertificate *certificate;
GTlsInteraction *interaction;
GTlsDatabaseLookupFlags flags;
} AsyncLookupCertificateIssuer;
static void
async_lookup_certificate_issuer_free (gpointer data)
{
AsyncLookupCertificateIssuer *args = data;
g_clear_object (&args->certificate);
g_clear_object (&args->interaction);
g_slice_free (AsyncLookupCertificateIssuer, args);
}
static void
async_lookup_certificate_issuer_thread (GTask *task,
gpointer object,
gpointer task_data,
GCancellable *cancellable)
{
AsyncLookupCertificateIssuer *args = task_data;
GTlsCertificate *issuer;
GError *error = NULL;
issuer = g_tls_database_lookup_certificate_issuer (G_TLS_DATABASE (object),
args->certificate,
args->interaction,
args->flags,
cancellable,
&error);
if (issuer)
g_task_return_pointer (task, issuer, g_object_unref);
else
g_task_return_error (task, error);
}
static void
g_tls_database_real_lookup_certificate_issuer_async (GTlsDatabase *self,
GTlsCertificate *certificate,
GTlsInteraction *interaction,
GTlsDatabaseLookupFlags flags,
GCancellable *cancellable,
GAsyncReadyCallback callback,
gpointer user_data)
{
GTask *task;
AsyncLookupCertificateIssuer *args;
args = g_slice_new0 (AsyncLookupCertificateIssuer);
args->certificate = g_object_ref (certificate);
args->flags = flags;
args->interaction = interaction ? g_object_ref (interaction) : NULL;
task = g_task_new (self, cancellable, callback, user_data);
g_task_set_source_tag (task,
g_tls_database_real_lookup_certificate_issuer_async);
g_task_set_name (task, "[gio] lookup certificate issuer");
g_task_set_task_data (task, args, async_lookup_certificate_issuer_free);
g_task_run_in_thread (task, async_lookup_certificate_issuer_thread);
g_object_unref (task);
}
static GTlsCertificate *
g_tls_database_real_lookup_certificate_issuer_finish (GTlsDatabase *self,
GAsyncResult *result,
GError **error)
{
g_return_val_if_fail (g_task_is_valid (result, self), NULL);
return g_task_propagate_pointer (G_TASK (result), error);
}
typedef struct {
GByteArray *issuer;
GTlsInteraction *interaction;
GTlsDatabaseLookupFlags flags;
} AsyncLookupCertificatesIssuedBy;
static void
async_lookup_certificates_issued_by_free (gpointer data)
{
AsyncLookupCertificatesIssuedBy *args = data;
g_byte_array_unref (args->issuer);
g_clear_object (&args->interaction);
g_slice_free (AsyncLookupCertificatesIssuedBy, args);
}
static void
async_lookup_certificates_free_certificates (gpointer data)
{
GList *list = data;
g_list_free_full (list, g_object_unref);
}
static void
async_lookup_certificates_issued_by_thread (GTask *task,
gpointer object,
gpointer task_data,
GCancellable *cancellable)
{
AsyncLookupCertificatesIssuedBy *args = task_data;
GList *results;
GError *error = NULL;
results = g_tls_database_lookup_certificates_issued_by (G_TLS_DATABASE (object),
args->issuer,
args->interaction,
args->flags,
cancellable,
&error);
if (results)
g_task_return_pointer (task, results, async_lookup_certificates_free_certificates);
else
g_task_return_error (task, error);
}
static void
g_tls_database_real_lookup_certificates_issued_by_async (GTlsDatabase *self,
GByteArray *issuer,
GTlsInteraction *interaction,
GTlsDatabaseLookupFlags flags,
GCancellable *cancellable,
GAsyncReadyCallback callback,
gpointer user_data)
{
GTask *task;
AsyncLookupCertificatesIssuedBy *args;
args = g_slice_new0 (AsyncLookupCertificatesIssuedBy);
args->issuer = g_byte_array_ref (issuer);
args->flags = flags;
args->interaction = interaction ? g_object_ref (interaction) : NULL;
task = g_task_new (self, cancellable, callback, user_data);
g_task_set_source_tag (task,
g_tls_database_real_lookup_certificates_issued_by_async);
g_task_set_name (task, "[gio] lookup certificates issued by");
g_task_set_task_data (task, args, async_lookup_certificates_issued_by_free);
g_task_run_in_thread (task, async_lookup_certificates_issued_by_thread);
g_object_unref (task);
}
static GList *
g_tls_database_real_lookup_certificates_issued_by_finish (GTlsDatabase *self,
GAsyncResult *result,
GError **error)
{
g_return_val_if_fail (g_task_is_valid (result, self), NULL);
return g_task_propagate_pointer (G_TASK (result), error);
}
static void
g_tls_database_class_init (GTlsDatabaseClass *klass)
{
klass->verify_chain_async = g_tls_database_real_verify_chain_async;
klass->verify_chain_finish = g_tls_database_real_verify_chain_finish;
klass->lookup_certificate_for_handle_async = g_tls_database_real_lookup_certificate_for_handle_async;
klass->lookup_certificate_for_handle_finish = g_tls_database_real_lookup_certificate_for_handle_finish;
klass->lookup_certificate_issuer_async = g_tls_database_real_lookup_certificate_issuer_async;
klass->lookup_certificate_issuer_finish = g_tls_database_real_lookup_certificate_issuer_finish;
klass->lookup_certificates_issued_by_async = g_tls_database_real_lookup_certificates_issued_by_async;
klass->lookup_certificates_issued_by_finish = g_tls_database_real_lookup_certificates_issued_by_finish;
}
/**
* g_tls_database_verify_chain:
* @self: a #GTlsDatabase
* @chain: a #GTlsCertificate chain
* @purpose: the purpose that this certificate chain will be used for.
* @identity: (nullable): the expected peer identity
* @interaction: (nullable): used to interact with the user if necessary
* @flags: additional verify flags
* @cancellable: (nullable): a #GCancellable, or %NULL
* @error: (nullable): a #GError, or %NULL
*
* Determines the validity of a certificate chain, outside the context
* of a TLS session.
*
* @chain is a chain of #GTlsCertificate objects each pointing to the next
* certificate in the chain by its #GTlsCertificate:issuer property.
*
* @purpose describes the purpose (or usage) for which the certificate
* is being used. Typically @purpose will be set to %G_TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER
* which means that the certificate is being used to authenticate a server
* (and we are acting as the client).
*
* The @identity is used to ensure the server certificate is valid for
* the expected peer identity. If the identity does not match the
* certificate, %G_TLS_CERTIFICATE_BAD_IDENTITY will be set in the
* return value. If @identity is %NULL, that bit will never be set in
* the return value. The peer identity may also be used to check for
* pinned certificates (trust exceptions) in the database. These may
* override the normal verification process on a host-by-host basis.
*
* Currently there are no @flags, and %G_TLS_DATABASE_VERIFY_NONE should be
* used.
*
* If @chain is found to be valid, then the return value will be 0. If
* @chain is found to be invalid, then the return value will indicate at
* least one problem found. If the function is unable to determine
* whether @chain is valid (for example, because @cancellable is
* triggered before it completes) then the return value will be
* %G_TLS_CERTIFICATE_GENERIC_ERROR and @error will be set accordingly.
* @error is not set when @chain is successfully analyzed but found to
* be invalid.
*
* GLib guarantees that if certificate verification fails, at least one
* error will be set in the return value, but it does not guarantee
* that all possible errors will be set. Accordingly, you may not safely
* decide to ignore any particular type of error. For example, it would
* be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if you want to allow
* expired certificates, because this could potentially be the only
* error flag set even if other problems exist with the certificate.
*
* Prior to GLib 2.48, GLib's default TLS backend modified @chain to
* represent the certification path built by #GTlsDatabase during
* certificate verification by adjusting the #GTlsCertificate:issuer
* property of each certificate in @chain. Since GLib 2.48, this no
* longer occurs, so you cannot rely on #GTlsCertificate:issuer to
* represent the actual certification path used during certificate
* verification.
*
* Because TLS session context is not used, #GTlsDatabase may not
* perform as many checks on the certificates as #GTlsConnection would.
* For example, certificate constraints may not be honored, and
* revocation checks may not be performed. The best way to verify TLS
* certificates used by a TLS connection is to let #GTlsConnection
* handle the verification.
*
* The TLS backend may attempt to look up and add missing certificates
* to the chain. This may involve HTTP requests to download missing
* certificates.
*
* This function can block. Use g_tls_database_verify_chain_async() to
* perform the verification operation asynchronously.
*
* Returns: the appropriate #GTlsCertificateFlags which represents the
* result of verification.
*
* Since: 2.30
*/
GTlsCertificateFlags
g_tls_database_verify_chain (GTlsDatabase *self,
GTlsCertificate *chain,
const gchar *purpose,
GSocketConnectable *identity,
GTlsInteraction *interaction,
GTlsDatabaseVerifyFlags flags,
GCancellable *cancellable,
GError **error)
{
g_return_val_if_fail (G_IS_TLS_DATABASE (self), G_TLS_CERTIFICATE_GENERIC_ERROR);
g_return_val_if_fail (G_IS_TLS_CERTIFICATE (chain),
G_TLS_CERTIFICATE_GENERIC_ERROR);
g_return_val_if_fail (purpose, G_TLS_CERTIFICATE_GENERIC_ERROR);
g_return_val_if_fail (interaction == NULL || G_IS_TLS_INTERACTION (interaction),
G_TLS_CERTIFICATE_GENERIC_ERROR);
g_return_val_if_fail (identity == NULL || G_IS_SOCKET_CONNECTABLE (identity),
G_TLS_CERTIFICATE_GENERIC_ERROR);
g_return_val_if_fail (error == NULL || *error == NULL, G_TLS_CERTIFICATE_GENERIC_ERROR);
g_return_val_if_fail (G_TLS_DATABASE_GET_CLASS (self)->verify_chain,
G_TLS_CERTIFICATE_GENERIC_ERROR);
return G_TLS_DATABASE_GET_CLASS (self)->verify_chain (self,
chain,
purpose,
identity,
interaction,
flags,
cancellable,
error);
}
/**
* g_tls_database_verify_chain_async:
* @self: a #GTlsDatabase
* @chain: a #GTlsCertificate chain
* @purpose: the purpose that this certificate chain will be used for.
* @identity: (nullable): the expected peer identity
* @interaction: (nullable): used to interact with the user if necessary
* @flags: additional verify flags
* @cancellable: (nullable): a #GCancellable, or %NULL
* @callback: callback to call when the operation completes
* @user_data: the data to pass to the callback function
*
* Asynchronously determines the validity of a certificate chain after
* looking up and adding any missing certificates to the chain. See
* g_tls_database_verify_chain() for more information.
*
* Since: 2.30
*/
void
g_tls_database_verify_chain_async (GTlsDatabase *self,
GTlsCertificate *chain,
const gchar *purpose,
GSocketConnectable *identity,
GTlsInteraction *interaction,
GTlsDatabaseVerifyFlags flags,
GCancellable *cancellable,
GAsyncReadyCallback callback,
gpointer user_data)
{
g_return_if_fail (G_IS_TLS_DATABASE (self));
g_return_if_fail (G_IS_TLS_CERTIFICATE (chain));
g_return_if_fail (purpose != NULL);
g_return_if_fail (interaction == NULL || G_IS_TLS_INTERACTION (interaction));
g_return_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable));
g_return_if_fail (identity == NULL || G_IS_SOCKET_CONNECTABLE (identity));
g_return_if_fail (callback != NULL);
g_return_if_fail (G_TLS_DATABASE_GET_CLASS (self)->verify_chain_async);
G_TLS_DATABASE_GET_CLASS (self)->verify_chain_async (self,
chain,
purpose,
identity,
interaction,
flags,
cancellable,
callback,
user_data);
}
/**
* g_tls_database_verify_chain_finish:
* @self: a #GTlsDatabase
* @result: a #GAsyncResult.
* @error: a #GError pointer, or %NULL
*
* Finish an asynchronous verify chain operation. See
* g_tls_database_verify_chain() for more information.
*
* If @chain is found to be valid, then the return value will be 0. If
* @chain is found to be invalid, then the return value will indicate
* the problems found. If the function is unable to determine whether
* @chain is valid or not (eg, because @cancellable is triggered
* before it completes) then the return value will be
* %G_TLS_CERTIFICATE_GENERIC_ERROR and @error will be set
* accordingly. @error is not set when @chain is successfully analyzed
* but found to be invalid.
*
* Returns: the appropriate #GTlsCertificateFlags which represents the
* result of verification.
*
* Since: 2.30
*/
GTlsCertificateFlags
g_tls_database_verify_chain_finish (GTlsDatabase *self,
GAsyncResult *result,
GError **error)
{
g_return_val_if_fail (G_IS_TLS_DATABASE (self), G_TLS_CERTIFICATE_GENERIC_ERROR);
g_return_val_if_fail (G_IS_ASYNC_RESULT (result), G_TLS_CERTIFICATE_GENERIC_ERROR);
g_return_val_if_fail (error == NULL || *error == NULL, G_TLS_CERTIFICATE_GENERIC_ERROR);
g_return_val_if_fail (G_TLS_DATABASE_GET_CLASS (self)->verify_chain_finish,
G_TLS_CERTIFICATE_GENERIC_ERROR);
return G_TLS_DATABASE_GET_CLASS (self)->verify_chain_finish (self,
result,
error);
}
/**
* g_tls_database_create_certificate_handle:
* @self: a #GTlsDatabase
* @certificate: certificate for which to create a handle.
*
* Create a handle string for the certificate. The database will only be able
* to create a handle for certificates that originate from the database. In
* cases where the database cannot create a handle for a certificate, %NULL
* will be returned.
*
* This handle should be stable across various instances of the application,
* and between applications. If a certificate is modified in the database,
* then it is not guaranteed that this handle will continue to point to it.
*
* Returns: (nullable): a newly allocated string containing the
* handle.
*
* Since: 2.30
*/
gchar*
g_tls_database_create_certificate_handle (GTlsDatabase *self,
GTlsCertificate *certificate)
{
g_return_val_if_fail (G_IS_TLS_DATABASE (self), NULL);
g_return_val_if_fail (G_IS_TLS_CERTIFICATE (certificate), NULL);
g_return_val_if_fail (G_TLS_DATABASE_GET_CLASS (self)->create_certificate_handle, NULL);
return G_TLS_DATABASE_GET_CLASS (self)->create_certificate_handle (self,
certificate);
}
/**
* g_tls_database_lookup_certificate_for_handle:
* @self: a #GTlsDatabase
* @handle: a certificate handle
* @interaction: (nullable): used to interact with the user if necessary
* @flags: Flags which affect the lookup.
* @cancellable: (nullable): a #GCancellable, or %NULL
* @error: (nullable): a #GError, or %NULL
*
* Look up a certificate by its handle.
*
* The handle should have been created by calling
* g_tls_database_create_certificate_handle() on a #GTlsDatabase object of
* the same TLS backend. The handle is designed to remain valid across
* instantiations of the database.
*
* If the handle is no longer valid, or does not point to a certificate in
* this database, then %NULL will be returned.
*
* This function can block, use g_tls_database_lookup_certificate_for_handle_async() to perform
* the lookup operation asynchronously.
*
* Returns: (transfer full) (nullable): a newly allocated
* #GTlsCertificate, or %NULL. Use g_object_unref() to release the certificate.
*
* Since: 2.30
*/
GTlsCertificate*
g_tls_database_lookup_certificate_for_handle (GTlsDatabase *self,
const gchar *handle,
GTlsInteraction *interaction,
GTlsDatabaseLookupFlags flags,
GCancellable *cancellable,
GError **error)
{
g_return_val_if_fail (G_IS_TLS_DATABASE (self), NULL);
g_return_val_if_fail (handle != NULL, NULL);
g_return_val_if_fail (interaction == NULL || G_IS_TLS_INTERACTION (interaction), NULL);
g_return_val_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable), NULL);
g_return_val_if_fail (error == NULL || *error == NULL, NULL);
g_return_val_if_fail (G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_for_handle, NULL);
return G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_for_handle (self,
handle,
interaction,
flags,
cancellable,
error);
}
/**
* g_tls_database_lookup_certificate_for_handle_async:
* @self: a #GTlsDatabase
* @handle: a certificate handle
* @interaction: (nullable): used to interact with the user if necessary
* @flags: Flags which affect the lookup.
* @cancellable: (nullable): a #GCancellable, or %NULL
* @callback: callback to call when the operation completes
* @user_data: the data to pass to the callback function
*
* Asynchronously look up a certificate by its handle in the database. See
* g_tls_database_lookup_certificate_for_handle() for more information.
*
* Since: 2.30
*/
void
g_tls_database_lookup_certificate_for_handle_async (GTlsDatabase *self,
const gchar *handle,
GTlsInteraction *interaction,
GTlsDatabaseLookupFlags flags,
GCancellable *cancellable,
GAsyncReadyCallback callback,
gpointer user_data)
{
g_return_if_fail (G_IS_TLS_DATABASE (self));
g_return_if_fail (handle != NULL);
g_return_if_fail (interaction == NULL || G_IS_TLS_INTERACTION (interaction));
g_return_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable));
g_return_if_fail (G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_for_handle_async);
G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_for_handle_async (self,
handle,
interaction,
flags,
cancellable,
callback,
user_data);
}
/**
* g_tls_database_lookup_certificate_for_handle_finish:
* @self: a #GTlsDatabase
* @result: a #GAsyncResult.
* @error: a #GError pointer, or %NULL
*
* Finish an asynchronous lookup of a certificate by its handle. See
* g_tls_database_lookup_certificate_for_handle() for more information.
*
* If the handle is no longer valid, or does not point to a certificate in
* this database, then %NULL will be returned.
*
* Returns: (transfer full): a newly allocated #GTlsCertificate object.
* Use g_object_unref() to release the certificate.
*
* Since: 2.30
*/
GTlsCertificate*
g_tls_database_lookup_certificate_for_handle_finish (GTlsDatabase *self,
GAsyncResult *result,
GError **error)
{
g_return_val_if_fail (G_IS_TLS_DATABASE (self), NULL);
g_return_val_if_fail (G_IS_ASYNC_RESULT (result), NULL);
g_return_val_if_fail (error == NULL || *error == NULL, NULL);
g_return_val_if_fail (G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_for_handle_finish, NULL);
return G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_for_handle_finish (self,
result,
error);
}
/**
* g_tls_database_lookup_certificate_issuer:
* @self: a #GTlsDatabase
* @certificate: a #GTlsCertificate
* @interaction: (nullable): used to interact with the user if necessary
* @flags: flags which affect the lookup operation
* @cancellable: (nullable): a #GCancellable, or %NULL
* @error: (nullable): a #GError, or %NULL
*
* Look up the issuer of @certificate in the database. The
* #GTlsCertificate:issuer property of @certificate is not modified, and
* the two certificates are not hooked into a chain.
*
* This function can block. Use g_tls_database_lookup_certificate_issuer_async()
* to perform the lookup operation asynchronously.
*
* Beware this function cannot be used to build certification paths. The
* issuer certificate returned by this function may not be the same as
* the certificate that would actually be used to construct a valid
* certification path during certificate verification.
* [RFC 4158](https://datatracker.ietf.org/doc/html/rfc4158) explains
* why an issuer certificate cannot be naively assumed to be part of the
* the certification path (though GLib's TLS backends may not follow the
* path building strategies outlined in this RFC). Due to the complexity
* of certification path building, GLib does not provide any way to know
* which certification path will actually be used when verifying a TLS
* certificate. Accordingly, this function cannot be used to make
* security-related decisions. Only GLib itself should make security
* decisions about TLS certificates.
*
* Returns: (transfer full): a newly allocated issuer #GTlsCertificate,
* or %NULL. Use g_object_unref() to release the certificate.
*
* Since: 2.30
*/
GTlsCertificate*
g_tls_database_lookup_certificate_issuer (GTlsDatabase *self,
GTlsCertificate *certificate,
GTlsInteraction *interaction,
GTlsDatabaseLookupFlags flags,
GCancellable *cancellable,
GError **error)
{
g_return_val_if_fail (G_IS_TLS_DATABASE (self), NULL);
g_return_val_if_fail (G_IS_TLS_CERTIFICATE (certificate), NULL);
g_return_val_if_fail (interaction == NULL || G_IS_TLS_INTERACTION (interaction), NULL);
g_return_val_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable), NULL);
g_return_val_if_fail (error == NULL || *error == NULL, NULL);
g_return_val_if_fail (G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_issuer, NULL);
return G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_issuer (self,
certificate,
interaction,
flags,
cancellable,
error);
}
/**
* g_tls_database_lookup_certificate_issuer_async:
* @self: a #GTlsDatabase
* @certificate: a #GTlsCertificate
* @interaction: (nullable): used to interact with the user if necessary
* @flags: flags which affect the lookup operation
* @cancellable: (nullable): a #GCancellable, or %NULL
* @callback: callback to call when the operation completes
* @user_data: the data to pass to the callback function
*
* Asynchronously look up the issuer of @certificate in the database. See
* g_tls_database_lookup_certificate_issuer() for more information.
*
* Since: 2.30
*/
void
g_tls_database_lookup_certificate_issuer_async (GTlsDatabase *self,
GTlsCertificate *certificate,
GTlsInteraction *interaction,
GTlsDatabaseLookupFlags flags,
GCancellable *cancellable,
GAsyncReadyCallback callback,
gpointer user_data)
{
g_return_if_fail (G_IS_TLS_DATABASE (self));
g_return_if_fail (G_IS_TLS_CERTIFICATE (certificate));
g_return_if_fail (interaction == NULL || G_IS_TLS_INTERACTION (interaction));
g_return_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable));
g_return_if_fail (callback != NULL);
g_return_if_fail (G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_issuer_async);
G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_issuer_async (self,
certificate,
interaction,
flags,
cancellable,
callback,
user_data);
}
/**
* g_tls_database_lookup_certificate_issuer_finish:
* @self: a #GTlsDatabase
* @result: a #GAsyncResult.
* @error: a #GError pointer, or %NULL
*
* Finish an asynchronous lookup issuer operation. See
* g_tls_database_lookup_certificate_issuer() for more information.
*
* Returns: (transfer full): a newly allocated issuer #GTlsCertificate,
* or %NULL. Use g_object_unref() to release the certificate.
*
* Since: 2.30
*/
GTlsCertificate*
g_tls_database_lookup_certificate_issuer_finish (GTlsDatabase *self,
GAsyncResult *result,
GError **error)
{
g_return_val_if_fail (G_IS_TLS_DATABASE (self), NULL);
g_return_val_if_fail (G_IS_ASYNC_RESULT (result), NULL);
g_return_val_if_fail (error == NULL || *error == NULL, NULL);
g_return_val_if_fail (G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_issuer_finish, NULL);
return G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_issuer_finish (self,
result,
error);
}
/**
* g_tls_database_lookup_certificates_issued_by:
* @self: a #GTlsDatabase
* @issuer_raw_dn: a #GByteArray which holds the DER encoded issuer DN.
* @interaction: (nullable): used to interact with the user if necessary
* @flags: Flags which affect the lookup operation.
* @cancellable: (nullable): a #GCancellable, or %NULL
* @error: (nullable): a #GError, or %NULL
*
* Look up certificates issued by this issuer in the database.
*
* This function can block, use g_tls_database_lookup_certificates_issued_by_async() to perform
* the lookup operation asynchronously.
*
* Returns: (transfer full) (element-type GTlsCertificate): a newly allocated list of #GTlsCertificate
* objects. Use g_object_unref() on each certificate, and g_list_free() on the release the list.
*
* Since: 2.30
*/
GList*
g_tls_database_lookup_certificates_issued_by (GTlsDatabase *self,
GByteArray *issuer_raw_dn,
GTlsInteraction *interaction,
GTlsDatabaseLookupFlags flags,
GCancellable *cancellable,
GError **error)
{
g_return_val_if_fail (G_IS_TLS_DATABASE (self), NULL);
g_return_val_if_fail (issuer_raw_dn, NULL);
g_return_val_if_fail (interaction == NULL || G_IS_TLS_INTERACTION (interaction), NULL);
g_return_val_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable), NULL);
g_return_val_if_fail (error == NULL || *error == NULL, NULL);
g_return_val_if_fail (G_TLS_DATABASE_GET_CLASS (self)->lookup_certificates_issued_by, NULL);
return G_TLS_DATABASE_GET_CLASS (self)->lookup_certificates_issued_by (self,
issuer_raw_dn,
interaction,
flags,
cancellable,
error);
}
/**
* g_tls_database_lookup_certificates_issued_by_async:
* @self: a #GTlsDatabase
* @issuer_raw_dn: a #GByteArray which holds the DER encoded issuer DN.
* @interaction: (nullable): used to interact with the user if necessary
* @flags: Flags which affect the lookup operation.
* @cancellable: (nullable): a #GCancellable, or %NULL
* @callback: callback to call when the operation completes
* @user_data: the data to pass to the callback function
*
* Asynchronously look up certificates issued by this issuer in the database. See
* g_tls_database_lookup_certificates_issued_by() for more information.
*
* The database may choose to hold a reference to the issuer byte array for the duration
* of this asynchronous operation. The byte array should not be modified during
* this time.
*
* Since: 2.30
*/
void
g_tls_database_lookup_certificates_issued_by_async (GTlsDatabase *self,
GByteArray *issuer_raw_dn,
GTlsInteraction *interaction,
GTlsDatabaseLookupFlags flags,
GCancellable *cancellable,
GAsyncReadyCallback callback,
gpointer user_data)
{
g_return_if_fail (G_IS_TLS_DATABASE (self));
g_return_if_fail (issuer_raw_dn != NULL);
g_return_if_fail (interaction == NULL || G_IS_TLS_INTERACTION (interaction));
g_return_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable));
g_return_if_fail (callback != NULL);
g_return_if_fail (G_TLS_DATABASE_GET_CLASS (self)->lookup_certificates_issued_by_async);
G_TLS_DATABASE_GET_CLASS (self)->lookup_certificates_issued_by_async (self,
issuer_raw_dn,
interaction,
flags,
cancellable,
callback,
user_data);
}
/**
* g_tls_database_lookup_certificates_issued_by_finish:
* @self: a #GTlsDatabase
* @result: a #GAsyncResult.
* @error: a #GError pointer, or %NULL
*
* Finish an asynchronous lookup of certificates. See
* g_tls_database_lookup_certificates_issued_by() for more information.
*
* Returns: (transfer full) (element-type GTlsCertificate): a newly allocated list of #GTlsCertificate
* objects. Use g_object_unref() on each certificate, and g_list_free() on the release the list.
*
* Since: 2.30
*/
GList*
g_tls_database_lookup_certificates_issued_by_finish (GTlsDatabase *self,
GAsyncResult *result,
GError **error)
{
g_return_val_if_fail (G_IS_TLS_DATABASE (self), NULL);
g_return_val_if_fail (G_IS_ASYNC_RESULT (result), NULL);
g_return_val_if_fail (error == NULL || *error == NULL, NULL);
g_return_val_if_fail (G_TLS_DATABASE_GET_CLASS (self)->lookup_certificates_issued_by_finish, NULL);
return G_TLS_DATABASE_GET_CLASS (self)->lookup_certificates_issued_by_finish (self,
result,
error);
}