gio/auto/tls_certificate.rs
1// This file was generated by gir (https://github.com/gtk-rs/gir)
2// from gir-files (https://github.com/gtk-rs/gir-files)
3// DO NOT EDIT
4
5#[cfg(feature = "v2_70")]
6#[cfg_attr(docsrs, doc(cfg(feature = "v2_70")))]
7use crate::InetAddress;
8use crate::{SocketConnectable, TlsCertificateFlags, ffi};
9#[cfg(feature = "v2_70")]
10#[cfg_attr(docsrs, doc(cfg(feature = "v2_70")))]
11use glib::signal::{SignalHandlerId, connect_raw};
12use glib::{prelude::*, translate::*};
13#[cfg(feature = "v2_70")]
14#[cfg_attr(docsrs, doc(cfg(feature = "v2_70")))]
15use std::boxed::Box as Box_;
16
glib::wrapper! {
    /// A certificate used for TLS authentication and encryption.
    /// This can represent either a certificate only (eg, the certificate
    /// received by a client from a server), or the combination of
    /// a certificate and a private key (which is needed when acting as a
    /// [`TlsServerConnection`][crate::TlsServerConnection]).
    ///
    /// This is an Abstract Base Class, you cannot instantiate it.
    ///
    /// Reading any of the properties below only reports what the certificate
    /// *claims*; none of them verifies it. Trust decisions belong to
    /// [`TlsCertificateExt::verify`][crate::prelude::TlsCertificateExt::verify]
    /// or, better, to the `TlsConnection` that uses the certificate.
    ///
    /// ## Properties
    ///
    ///
    /// #### `certificate`
    /// The DER (binary) encoded representation of the certificate.
    /// This property and the #GTlsCertificate:certificate-pem property
    /// represent the same data, just in different forms.
    ///
    /// Readable | Writable | Construct Only
    ///
    ///
    /// #### `certificate-pem`
    /// The PEM (ASCII) encoded representation of the certificate.
    /// This property and the #GTlsCertificate:certificate
    /// property represent the same data, just in different forms.
    ///
    /// Readable | Writable | Construct Only
    ///
    ///
    /// #### `dns-names`
    /// The DNS names from the certificate's Subject Alternative Names (SANs),
    /// [`None`] if unavailable. These are taken from the certificate as-is and
    /// are not checked against anything.
    ///
    /// Readable
    ///
    ///
    /// #### `ip-addresses`
    /// The IP addresses from the certificate's Subject Alternative Names (SANs),
    /// [`None`] if unavailable. These are taken from the certificate as-is and
    /// are not checked against anything.
    ///
    /// Readable
    ///
    ///
    /// #### `issuer`
    /// A #GTlsCertificate representing the entity that issued this
    /// certificate. If [`None`], this means that the certificate is either
    /// self-signed, or else the certificate of the issuer is not
    /// available.
    ///
    /// Beware the issuer certificate may not be the same as the
    /// certificate that would actually be used to construct a valid
    /// certification path during certificate verification.
    /// [RFC 4158](https://datatracker.ietf.org/doc/html/rfc4158) explains
    /// why an issuer certificate cannot be naively assumed to be part of the
    /// certification path (though GLib's TLS backends may not follow the
    /// path building strategies outlined in this RFC). Due to the complexity
    /// of certification path building, GLib does not provide any way to know
    /// which certification path will actually be used. Accordingly, this
    /// property cannot be used to make security-related decisions. Only
    /// GLib itself should make security decisions about TLS certificates.
    ///
    /// Readable | Writable | Construct Only
    ///
    ///
    /// #### `issuer-name`
    /// The issuer from the certificate,
    /// [`None`] if unavailable.
    ///
    /// Readable
    ///
    ///
    /// #### `not-valid-after`
    /// The time at which this cert is no longer valid,
    /// [`None`] if unavailable.
    ///
    /// Readable
    ///
    ///
    /// #### `not-valid-before`
    /// The time at which this cert is considered to be valid,
    /// [`None`] if unavailable.
    ///
    /// Readable
    ///
    ///
    /// #### `password`
    /// An optional password used when constructed with GTlsCertificate:pkcs12-data.
    ///
    /// Writable | Construct Only
    ///
    ///
    /// #### `pkcs11-uri`
    /// A URI referencing the [PKCS \#11](https://docs.oasis-open.org/pkcs11/pkcs11-base/v3.0/os/pkcs11-base-v3.0-os.html)
    /// objects containing an X.509 certificate and optionally a private key.
    ///
    /// If [`None`], the certificate is either not backed by PKCS \#11 or the
    /// #GTlsBackend does not support PKCS \#11.
    ///
    /// Readable | Writable | Construct Only
    ///
    ///
    /// #### `pkcs12-data`
    /// The PKCS #12 formatted data used to construct the object.
    ///
    /// See also: g_tls_certificate_new_from_pkcs12()
    ///
    /// Writable | Construct Only
    ///
    ///
    /// #### `private-key`
    /// NOTE(review): the opening of this description was lost in generation.
    /// By analogy with `certificate` / `certificate-pem` this is the binary
    /// (non-PEM) form of the key described under `private-key-pem` — confirm
    /// against the GLib documentation. The surviving text continues:
    ///
    /// ... if the private key is backed by a PKCS \#11 URI
    /// then this property will be [`None`]. If so,
    /// the private key must be referenced via its PKCS \#11 URI,
    /// #GTlsCertificate:private-key-pkcs11-uri. You must check both
    /// properties to see if the certificate really has a private key.
    /// When this property is read, the output format will be unencrypted
    /// PKCS \#8, i.e. secret material: keep it out of logs and diagnostics.
    ///
    /// Readable | Writable | Construct Only
    ///
    ///
    /// #### `private-key-pem`
    /// The PEM (ASCII) encoded representation of the certificate's
    /// private key in either [PKCS \#1 format](https://datatracker.ietf.org/doc/html/rfc8017)
    /// ("`BEGIN RSA PRIVATE KEY`") or unencrypted
    /// [PKCS \#8 format](https://datatracker.ietf.org/doc/html/rfc5208)
    /// ("`BEGIN PRIVATE KEY`"). PKCS \#8 format is supported since 2.32;
    /// earlier releases only support PKCS \#1. You can use the `openssl rsa`
    /// tool to convert PKCS \#8 keys to PKCS \#1.
    ///
    /// This property (or the #GTlsCertificate:private-key property)
    /// can be set when constructing a key (for example, from a file).
    /// Since GLib 2.70, it is now also readable; however, be aware that if
    /// the private key is backed by a PKCS \#11 URI - for example, if it
    /// is stored on a smartcard - then this property will be [`None`]. If so,
    /// the private key must be referenced via its PKCS \#11 URI,
    /// #GTlsCertificate:private-key-pkcs11-uri. You must check both
    /// properties to see if the certificate really has a private key.
    /// When this property is read, the output format will be unencrypted
    /// PKCS \#8, i.e. secret material: keep it out of logs and diagnostics.
    ///
    /// Readable | Writable | Construct Only
    ///
    ///
    /// #### `private-key-pkcs11-uri`
    /// A URI referencing a [PKCS \#11](https://docs.oasis-open.org/pkcs11/pkcs11-base/v3.0/os/pkcs11-base-v3.0-os.html)
    /// object containing a private key.
    ///
    /// Readable | Writable | Construct Only
    ///
    ///
    /// #### `subject-name`
    /// The subject from the cert,
    /// [`None`] if unavailable.
    ///
    /// Readable
    ///
    /// # Implements
    ///
    /// [`TlsCertificateExt`][trait@crate::prelude::TlsCertificateExt], [`trait@glib::ObjectExt`]
    #[doc(alias = "GTlsCertificate")]
    pub struct TlsCertificate(Object<ffi::GTlsCertificate, ffi::GTlsCertificateClass>);

    match fn {
        type_ => || ffi::g_tls_certificate_get_type(),
    }
}
182
impl TlsCertificate {
    pub const NONE: Option<&'static TlsCertificate> = None;

    /// Turns the `(object, error)` out-parameter pair that every
    /// `g_tls_certificate_new_*` call produces into a `Result`.
    ///
    /// # Safety
    ///
    /// When `error` is null, `cert` must be a full (owned) reference to a
    /// `GTlsCertificate`; otherwise `error` must be a full (owned) `GError`.
    /// Whichever pointer is consumed becomes owned by the returned value.
    unsafe fn take_result(
        cert: *mut ffi::GTlsCertificate,
        error: *mut glib::ffi::GError,
    ) -> Result<TlsCertificate, glib::Error> {
        if error.is_null() {
            Ok(unsafe { from_glib_full(cert) })
        } else {
            Err(unsafe { from_glib_full(error) })
        }
    }

    /// Loads a certificate (and, when present, its private key) from `file`.
    ///
    /// Since GLib 2.72 the parser is selected from the file name: a `.p12` or
    /// `.pfx` suffix routes the data through g_tls_certificate_new_from_pkcs12(),
    /// anything else through g_tls_certificate_new_from_pem(). See those
    /// functions for the exact behaviour of each loader.
    /// ## `file`
    /// file containing a certificate to import
    ///
    /// # Errors
    ///
    /// The `glib::Error` set by the backend when `file` cannot be read or parsed.
    #[doc(alias = "g_tls_certificate_new_from_file")]
    #[doc(alias = "new_from_file")]
    pub fn from_file(file: impl AsRef<std::path::Path>) -> Result<TlsCertificate, glib::Error> {
        let path = file.as_ref();
        let mut error = std::ptr::null_mut();
        // SAFETY: the C path string produced by `to_glib_none` lives until the
        // end of this statement, and `error` is a valid out-parameter slot.
        let cert =
            unsafe { ffi::g_tls_certificate_new_from_file(path.to_glib_none().0, &mut error) };
        // SAFETY: the constructor returns either an owned certificate or an owned error.
        unsafe { Self::take_result(cert, error) }
    }

    /// Loads a password-protected certificate from `file`.
    ///
    /// Only `.p12` and `.pfx` files are supported; any other file type fails
    /// with [`IOErrorEnum::NotSupported`][crate::IOErrorEnum::NotSupported].
    /// See g_tls_certificate_new_from_pkcs12() for the parsing details.
    /// ## `file`
    /// file containing a certificate to import
    /// ## `password`
    /// password for PKCS #12 files
    ///
    /// # Errors
    ///
    /// The `glib::Error` set by the backend when `file` cannot be read,
    /// parsed, or decrypted with `password`.
    #[cfg(feature = "v2_72")]
    #[cfg_attr(docsrs, doc(cfg(feature = "v2_72")))]
    #[doc(alias = "g_tls_certificate_new_from_file_with_password")]
    #[doc(alias = "new_from_file_with_password")]
    pub fn from_file_with_password(
        file: impl AsRef<std::path::Path>,
        password: &str,
    ) -> Result<TlsCertificate, glib::Error> {
        let path = file.as_ref();
        let mut error = std::ptr::null_mut();
        // SAFETY: both C strings produced by `to_glib_none` live until the
        // end of this statement, and `error` is a valid out-parameter slot.
        let cert = unsafe {
            ffi::g_tls_certificate_new_from_file_with_password(
                path.to_glib_none().0,
                password.to_glib_none().0,
                &mut error,
            )
        };
        // SAFETY: the constructor returns either an owned certificate or an owned error.
        unsafe { Self::take_result(cert, error) }
    }

    /// Loads a certificate from the PEM data in `cert_file` and its private
    /// key from the PEM data in `key_file`.
    ///
    /// The returned certificate is the first one found in `cert_file`. As of
    /// GLib 2.44, if `cert_file` contains more certificates it will try to
    /// load a certificate chain: all certificates are verified in the order
    /// found (top-level certificate should be the last one in the file) and
    /// the #GTlsCertificate:issuer property of each certificate is set
    /// accordingly if the verification succeeds. If any certificate in the
    /// chain cannot be verified, the first certificate in the file is still
    /// returned — so a successful return does not mean the chain checked
    /// out; inspect the `issuer` links if you rely on the chain.
    ///
    /// Otherwise this behaves like g_tls_certificate_new_from_pem().
    /// ## `cert_file`
    /// file containing one or more PEM-encoded
    /// certificates to import
    /// ## `key_file`
    /// file containing a PEM-encoded private key
    /// to import
    ///
    /// # Errors
    ///
    /// The `glib::Error` set by the backend when either file cannot be read or parsed.
    #[doc(alias = "g_tls_certificate_new_from_files")]
    #[doc(alias = "new_from_files")]
    pub fn from_files(
        cert_file: impl AsRef<std::path::Path>,
        key_file: impl AsRef<std::path::Path>,
    ) -> Result<TlsCertificate, glib::Error> {
        let cert_path = cert_file.as_ref();
        let key_path = key_file.as_ref();
        let mut error = std::ptr::null_mut();
        // SAFETY: both C path strings live until the end of this statement,
        // and `error` is a valid out-parameter slot.
        let cert = unsafe {
            ffi::g_tls_certificate_new_from_files(
                cert_path.to_glib_none().0,
                key_path.to_glib_none().0,
                &mut error,
            )
        };
        // SAFETY: the constructor returns either an owned certificate or an owned error.
        unsafe { Self::take_result(cert, error) }
    }

    /// Parses the PEM data in `data`. If `data` includes both a certificate
    /// and a private key, the returned certificate includes the private key
    /// as well (see the #GTlsCertificate:private-key-pem property for the
    /// supported formats).
    ///
    /// The returned certificate is the first one found in `data`. As of GLib
    /// 2.44, if `data` contains more certificates it will try to load a
    /// certificate chain: all certificates are verified in the order found
    /// (top-level certificate should be the last one in the file) and the
    /// #GTlsCertificate:issuer property of each certificate is set
    /// accordingly if the verification succeeds. If any certificate in the
    /// chain cannot be verified, the first certificate is still returned —
    /// a successful return therefore says nothing about the chain.
    /// ## `data`
    /// PEM-encoded certificate data
    ///
    /// # Errors
    ///
    /// The `glib::Error` set by the backend when `data` is invalid.
    #[doc(alias = "g_tls_certificate_new_from_pem")]
    #[doc(alias = "new_from_pem")]
    pub fn from_pem(data: &str) -> Result<TlsCertificate, glib::Error> {
        // The C API takes an explicit length, so embedded NULs in `data` are
        // not a concern for the length; the cast matches the ffi signature.
        let length = data.len() as _;
        let mut error = std::ptr::null_mut();
        // SAFETY: the C string lives until the end of this statement and
        // `length` is its byte length; `error` is a valid out-parameter slot.
        let cert = unsafe {
            ffi::g_tls_certificate_new_from_pem(data.to_glib_none().0, length, &mut error)
        };
        // SAFETY: the constructor returns either an owned certificate or an owned error.
        unsafe { Self::take_result(cert, error) }
    }

    /// Creates a certificate backed by objects on a PKCS \#11 token.
    ///
    /// `pkcs11_uri` may reference a token whose certificate and private key
    /// share the same object `id`, for example a token laid out like this:
    ///
    /// ```text
    /// Object 0:
    ///   URL: pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01;object=private%20key;type=private
    ///   Type: Private key (RSA-2048)
    ///   ID: 01
    ///
    /// Object 1:
    ///   URL: pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01;object=Certificate%20for%20Authentication;type=cert
    ///   Type: X.509 Certificate (RSA-2048)
    ///   ID: 01
    /// ```
    ///
    /// In this case the certificate and private key would both be detected and used as expected.
    /// `pkcs11_uri` may also just reference an X.509 certificate object and then optionally
    /// `private_key_pkcs11_uri` allows using a private key exposed under a different URI.
    ///
    /// Note that the private key is not accessed until usage and may fail or require a PIN later.
    /// ## `pkcs11_uri`
    /// A PKCS \#11 URI
    /// ## `private_key_pkcs11_uri`
    /// A PKCS \#11 URI
    ///
    /// # Errors
    ///
    /// The `glib::Error` set by the backend when the objects cannot be resolved.
    #[cfg(feature = "v2_68")]
    #[cfg_attr(docsrs, doc(cfg(feature = "v2_68")))]
    #[doc(alias = "g_tls_certificate_new_from_pkcs11_uris")]
    #[doc(alias = "new_from_pkcs11_uris")]
    pub fn from_pkcs11_uris(
        pkcs11_uri: &str,
        private_key_pkcs11_uri: Option<&str>,
    ) -> Result<TlsCertificate, glib::Error> {
        let mut error = std::ptr::null_mut();
        // SAFETY: the C strings live until the end of this statement (a
        // `None` key URI becomes a null pointer); `error` is a valid slot.
        let cert = unsafe {
            ffi::g_tls_certificate_new_from_pkcs11_uris(
                pkcs11_uri.to_glib_none().0,
                private_key_pkcs11_uri.to_glib_none().0,
                &mut error,
            )
        };
        // SAFETY: the constructor returns either an owned certificate or an owned error.
        unsafe { Self::take_result(cert, error) }
    }

    /// Parses the PKCS #12 container in `data`, which must hold a certificate
    /// and its matching private key.
    ///
    /// If extra certificates are included they will be verified as a chain
    /// and the #GTlsCertificate:issuer property will be set.
    /// All other data will be ignored.
    ///
    /// A single password is used both for the PKCS #12 container and for any
    /// encrypted private keys inside it. If decryption fails the call errors
    /// with [`TlsError::BadCertificatePassword`][crate::TlsError::BadCertificatePassword].
    ///
    /// This constructor requires support in the current #GTlsBackend.
    /// If support is missing it will error with
    /// [`IOErrorEnum::NotSupported`][crate::IOErrorEnum::NotSupported].
    ///
    /// Other parsing failures will error with [`TlsError::BadCertificate`][crate::TlsError::BadCertificate].
    /// ## `data`
    /// DER-encoded PKCS #12 format certificate data
    /// ## `password`
    /// optional password for encrypted certificate data
    ///
    /// # Errors
    ///
    /// One of the errors listed above.
    #[cfg(feature = "v2_72")]
    #[cfg_attr(docsrs, doc(cfg(feature = "v2_72")))]
    #[doc(alias = "g_tls_certificate_new_from_pkcs12")]
    #[doc(alias = "new_from_pkcs12")]
    pub fn from_pkcs12(data: &[u8], password: Option<&str>) -> Result<TlsCertificate, glib::Error> {
        let length = data.len() as _;
        let mut error = std::ptr::null_mut();
        // SAFETY: `data` is borrowed for the call with its exact byte length,
        // the password C string (or null) lives until the end of the
        // statement, and `error` is a valid out-parameter slot.
        let cert = unsafe {
            ffi::g_tls_certificate_new_from_pkcs12(
                data.to_glib_none().0,
                length,
                password.to_glib_none().0,
                &mut error,
            )
        };
        // SAFETY: the constructor returns either an owned certificate or an owned error.
        unsafe { Self::take_result(cert, error) }
    }

    /// Loads every PEM-encoded certificate found in `file`.
    ///
    /// If `file` contains no PEM-encoded certificates at all this returns an
    /// empty `Vec` *without* an error — callers loading a trust store should
    /// treat an empty result as a failure rather than as "trust nothing".
    /// ## `file`
    /// file containing PEM-encoded certificates to import
    ///
    /// # Errors
    ///
    /// The `glib::Error` set by the backend when `file` cannot be read or parsed.
    #[doc(alias = "g_tls_certificate_list_new_from_file")]
    pub fn list_new_from_file(
        file: impl AsRef<std::path::Path>,
    ) -> Result<Vec<TlsCertificate>, glib::Error> {
        let path = file.as_ref();
        let mut error = std::ptr::null_mut();
        // SAFETY: the C path string lives until the end of this statement and
        // `error` is a valid out-parameter slot.
        let list = unsafe {
            ffi::g_tls_certificate_list_new_from_file(path.to_glib_none().0, &mut error)
        };
        if error.is_null() {
            // SAFETY: transfer full — the binding takes ownership of the GList
            // and of every certificate it holds.
            Ok(unsafe { FromGlibPtrContainer::from_glib_full(list) })
        } else {
            // SAFETY: `error` is an owned GError set by the call above.
            Err(unsafe { from_glib_full(error) })
        }
    }
}
467
468/// Trait containing all [`struct@TlsCertificate`] methods.
469///
470/// # Implementors
471///
472/// [`TlsCertificate`][struct@crate::TlsCertificate]
/// Trait containing all [`struct@TlsCertificate`] methods.
///
/// The accessors below only report what the certificate itself says; none of
/// them establishes trust. Use [`Self::verify`] (or, preferably, let the
/// `TlsConnection` verify) before relying on any of these values.
///
/// # Implementors
///
/// [`TlsCertificate`][struct@crate::TlsCertificate]
pub trait TlsCertificateExt: IsA<TlsCertificate> + 'static {
    /// Gets the value of #GTlsCertificate:dns-names.
    ///
    /// The names are copied straight out of the Subject Alternative Name
    /// extension and are not checked against anything. To confirm that a
    /// certificate matches an expected host, pass the host as `identity` to
    /// [`Self::verify`] instead of comparing these entries by hand.
    ///
    /// # Returns
    ///
    /// A #GPtrArray of
    /// #GBytes elements, or [`None`] if it's not available.
    /// (NOTE(review): on the Rust side an absent array presumably surfaces as
    /// an empty `Vec` — confirm against `FromGlibPtrContainer`.)
    #[cfg(feature = "v2_70")]
    #[cfg_attr(docsrs, doc(cfg(feature = "v2_70")))]
    #[doc(alias = "g_tls_certificate_get_dns_names")]
    #[doc(alias = "get_dns_names")]
    #[doc(alias = "dns-names")]
    fn dns_names(&self) -> Vec<glib::Bytes> {
        unsafe {
            // Transfer container: the GPtrArray is owned and freed here, the
            // elements are borrowed and re-referenced into the Vec.
            FromGlibPtrContainer::from_glib_container(ffi::g_tls_certificate_get_dns_names(
                self.as_ref().to_glib_none().0,
            ))
        }
    }

    /// Gets the value of #GTlsCertificate:ip-addresses.
    ///
    /// Like [`Self::dns_names`], these are unverified SAN entries; identity
    /// checks should go through [`Self::verify`].
    ///
    /// # Returns
    ///
    /// A #GPtrArray
    /// of #GInetAddress elements, or [`None`] if it's not available.
    /// (NOTE(review): on the Rust side an absent array presumably surfaces as
    /// an empty `Vec` — confirm against `FromGlibPtrContainer`.)
    #[cfg(feature = "v2_70")]
    #[cfg_attr(docsrs, doc(cfg(feature = "v2_70")))]
    #[doc(alias = "g_tls_certificate_get_ip_addresses")]
    #[doc(alias = "get_ip_addresses")]
    #[doc(alias = "ip-addresses")]
    fn ip_addresses(&self) -> Vec<InetAddress> {
        unsafe {
            // Transfer container: array freed here, elements re-referenced.
            FromGlibPtrContainer::from_glib_container(ffi::g_tls_certificate_get_ip_addresses(
                self.as_ref().to_glib_none().0,
            ))
        }
    }

    /// Gets the #GTlsCertificate representing @self's issuer, if known
    ///
    /// This is whatever certificate was attached as issuer when @self was
    /// loaded; it is not necessarily the certificate a verifier would use
    /// to build the certification path (see the `issuer` property notes),
    /// so it must not be used to make trust decisions.
    ///
    /// # Returns
    ///
    /// The certificate of @self's issuer,
    /// or [`None`] if @self is self-signed or signed with an unknown
    /// certificate.
    #[doc(alias = "g_tls_certificate_get_issuer")]
    #[doc(alias = "get_issuer")]
    #[must_use]
    fn issuer(&self) -> Option<TlsCertificate> {
        unsafe {
            // Transfer none: the issuer stays owned by @self, so a new
            // reference is taken for the returned value.
            from_glib_none(ffi::g_tls_certificate_get_issuer(
                self.as_ref().to_glib_none().0,
            ))
        }
    }

    /// Returns the issuer name from the certificate.
    ///
    /// # Returns
    ///
    /// The issuer name, or [`None`] if it's not available.
    #[cfg(feature = "v2_70")]
    #[cfg_attr(docsrs, doc(cfg(feature = "v2_70")))]
    #[doc(alias = "g_tls_certificate_get_issuer_name")]
    #[doc(alias = "get_issuer_name")]
    #[doc(alias = "issuer-name")]
    fn issuer_name(&self) -> Option<glib::GString> {
        unsafe {
            // Transfer full: the C string is owned and freed by the GString.
            from_glib_full(ffi::g_tls_certificate_get_issuer_name(
                self.as_ref().to_glib_none().0,
            ))
        }
    }

    /// Returns the time at which the certificate became or will become invalid.
    ///
    /// Comparing this against the clock by hand is not a substitute for
    /// [`Self::verify`], which reports
    /// [`TlsCertificateFlags::EXPIRED`][crate::TlsCertificateFlags::EXPIRED]
    /// together with any other problem found.
    ///
    /// # Returns
    ///
    /// The not-valid-after date, or [`None`] if it's not available.
    #[cfg(feature = "v2_70")]
    #[cfg_attr(docsrs, doc(cfg(feature = "v2_70")))]
    #[doc(alias = "g_tls_certificate_get_not_valid_after")]
    #[doc(alias = "get_not_valid_after")]
    #[doc(alias = "not-valid-after")]
    fn not_valid_after(&self) -> Option<glib::DateTime> {
        unsafe {
            // Transfer full: the GDateTime reference is owned by the result.
            from_glib_full(ffi::g_tls_certificate_get_not_valid_after(
                self.as_ref().to_glib_none().0,
            ))
        }
    }

    /// Returns the time at which the certificate became or will become valid.
    ///
    /// As with [`Self::not_valid_after`], checking the window yourself does
    /// not replace [`Self::verify`].
    ///
    /// # Returns
    ///
    /// The not-valid-before date, or [`None`] if it's not available.
    #[cfg(feature = "v2_70")]
    #[cfg_attr(docsrs, doc(cfg(feature = "v2_70")))]
    #[doc(alias = "g_tls_certificate_get_not_valid_before")]
    #[doc(alias = "get_not_valid_before")]
    #[doc(alias = "not-valid-before")]
    fn not_valid_before(&self) -> Option<glib::DateTime> {
        unsafe {
            // Transfer full: the GDateTime reference is owned by the result.
            from_glib_full(ffi::g_tls_certificate_get_not_valid_before(
                self.as_ref().to_glib_none().0,
            ))
        }
    }

    /// Returns the subject name from the certificate.
    ///
    /// # Returns
    ///
    /// The subject name, or [`None`] if it's not available.
    #[cfg(feature = "v2_70")]
    #[cfg_attr(docsrs, doc(cfg(feature = "v2_70")))]
    #[doc(alias = "g_tls_certificate_get_subject_name")]
    #[doc(alias = "get_subject_name")]
    #[doc(alias = "subject-name")]
    fn subject_name(&self) -> Option<glib::GString> {
        unsafe {
            // Transfer full: the C string is owned and freed by the GString.
            from_glib_full(ffi::g_tls_certificate_get_subject_name(
                self.as_ref().to_glib_none().0,
            ))
        }
    }

    /// Check if two #GTlsCertificate objects represent the same certificate.
    /// The raw DER byte data of the two certificates are checked for equality.
    /// This has the effect that two certificates may compare equal even if
    /// their #GTlsCertificate:issuer, #GTlsCertificate:private-key, or
    /// #GTlsCertificate:private-key-pem properties differ.
    ///
    /// Equality of DER bytes says nothing about whether either certificate
    /// is trusted; it is useful for pinning a *known* certificate, not as
    /// a replacement for [`Self::verify`].
    /// ## `cert_two`
    /// second certificate to compare
    ///
    /// # Returns
    ///
    /// whether the same or not
    #[doc(alias = "g_tls_certificate_is_same")]
    fn is_same(&self, cert_two: &impl IsA<TlsCertificate>) -> bool {
        unsafe {
            from_glib(ffi::g_tls_certificate_is_same(
                self.as_ref().to_glib_none().0,
                cert_two.as_ref().to_glib_none().0,
            ))
        }
    }

    /// This verifies @self and returns a set of #GTlsCertificateFlags
    /// indicating any problems found with it. This can be used to verify a
    /// certificate outside the context of making a connection, or to
    /// check a certificate against a CA that is not part of the system
    /// CA database.
    ///
    /// If @self is valid, `G_TLS_CERTIFICATE_NO_FLAGS` is returned.
    ///
    /// Treat *any* set flag as failure: test the result for emptiness
    /// (`flags.is_empty()`) rather than for particular bits, because of the
    /// guarantee described below.
    ///
    /// If @identity is not [`None`], @self's name(s) will be compared against
    /// it, and [`TlsCertificateFlags::BAD_IDENTITY`][crate::TlsCertificateFlags::BAD_IDENTITY] will be set in the return
    /// value if it does not match. If @identity is [`None`], that bit will
    /// never be set in the return value.
    ///
    /// If @trusted_ca is not [`None`], then @self (or one of the certificates
    /// in its chain) must be signed by it, or else
    /// [`TlsCertificateFlags::UNKNOWN_CA`][crate::TlsCertificateFlags::UNKNOWN_CA] will be set in the return value. If
    /// @trusted_ca is [`None`], that bit will never be set in the return
    /// value.
    ///
    /// GLib guarantees that if certificate verification fails, at least one
    /// error will be set in the return value, but it does not guarantee
    /// that all possible errors will be set. Accordingly, you may not safely
    /// decide to ignore any particular type of error. For example, it would
    /// be incorrect to mask [`TlsCertificateFlags::EXPIRED`][crate::TlsCertificateFlags::EXPIRED] if you want to allow
    /// expired certificates, because this could potentially be the only
    /// error flag set even if other problems exist with the certificate.
    ///
    /// Because TLS session context is not used, #GTlsCertificate may not
    /// perform as many checks on the certificates as #GTlsConnection would.
    /// For example, certificate constraints may not be honored, and
    /// revocation checks may not be performed. The best way to verify TLS
    /// certificates used by a TLS connection is to let #GTlsConnection
    /// handle the verification.
    /// ## `identity`
    /// the expected peer identity
    /// ## `trusted_ca`
    /// the certificate of a trusted authority
    ///
    /// # Returns
    ///
    /// the appropriate #GTlsCertificateFlags
    #[doc(alias = "g_tls_certificate_verify")]
    fn verify(
        &self,
        identity: Option<&impl IsA<SocketConnectable>>,
        trusted_ca: Option<&impl IsA<TlsCertificate>>,
    ) -> TlsCertificateFlags {
        unsafe {
            // A `None` identity / trusted_ca is passed as a null pointer,
            // which disables the corresponding check (see the doc above).
            from_glib(ffi::g_tls_certificate_verify(
                self.as_ref().to_glib_none().0,
                identity.map(|p| p.as_ref()).to_glib_none().0,
                trusted_ca.map(|p| p.as_ref()).to_glib_none().0,
            ))
        }
    }

    /// The DER (binary) encoded representation of the certificate.
    /// This property and the #GTlsCertificate:certificate-pem property
    /// represent the same data, just in different forms.
    fn certificate(&self) -> Option<glib::ByteArray> {
        // Read through the GObject property system; the name must match the
        // property registered on GTlsCertificate.
        ObjectExt::property(self.as_ref(), "certificate")
    }

    /// The PEM (ASCII) encoded representation of the certificate.
    /// This property and the #GTlsCertificate:certificate
    /// property represent the same data, just in different forms.
    #[doc(alias = "certificate-pem")]
    fn certificate_pem(&self) -> Option<glib::GString> {
        ObjectExt::property(self.as_ref(), "certificate-pem")
    }

    /// A URI referencing the [PKCS \#11](https://docs.oasis-open.org/pkcs11/pkcs11-base/v3.0/os/pkcs11-base-v3.0-os.html)
    /// objects containing an X.509 certificate and optionally a private key.
    ///
    /// If [`None`], the certificate is either not backed by PKCS \#11 or the
    /// #GTlsBackend does not support PKCS \#11.
    #[cfg(feature = "v2_68")]
    #[cfg_attr(docsrs, doc(cfg(feature = "v2_68")))]
    #[doc(alias = "pkcs11-uri")]
    fn pkcs11_uri(&self) -> Option<glib::GString> {
        ObjectExt::property(self.as_ref(), "pkcs11-uri")
    }

    /// The certificate's private key in binary form.
    ///
    /// NOTE(review): the opening of this description was lost in generation;
    /// by analogy with `certificate` / `certificate_pem` this is the non-PEM
    /// counterpart of [`Self::private_key_pem`] — confirm against the GLib
    /// documentation. The surviving text continues: if the private key is
    /// backed by a PKCS \#11 URI then this property will be [`None`]. If so,
    /// the private key must be referenced via its PKCS \#11 URI,
    /// #GTlsCertificate:private-key-pkcs11-uri. You must check both
    /// properties to see if the certificate really has a private key.
    /// When this property is read, the output format will be unencrypted
    /// PKCS \#8 — secret material; keep it out of logs and debug output.
    #[doc(alias = "private-key")]
    fn private_key(&self) -> Option<glib::ByteArray> {
        ObjectExt::property(self.as_ref(), "private-key")
    }

    /// The PEM (ASCII) encoded representation of the certificate's
    /// private key in either [PKCS \#1 format](https://datatracker.ietf.org/doc/html/rfc8017)
    /// ("`BEGIN RSA PRIVATE KEY`") or unencrypted
    /// [PKCS \#8 format](https://datatracker.ietf.org/doc/html/rfc5208)
    /// ("`BEGIN PRIVATE KEY`"). PKCS \#8 format is supported since 2.32;
    /// earlier releases only support PKCS \#1. You can use the `openssl rsa`
    /// tool to convert PKCS \#8 keys to PKCS \#1.
    ///
    /// This property (or the #GTlsCertificate:private-key property)
    /// can be set when constructing a key (for example, from a file).
    /// Since GLib 2.70, it is now also readable; however, be aware that if
    /// the private key is backed by a PKCS \#11 URI - for example, if it
    /// is stored on a smartcard - then this property will be [`None`]. If so,
    /// the private key must be referenced via its PKCS \#11 URI,
    /// #GTlsCertificate:private-key-pkcs11-uri. You must check both
    /// properties to see if the certificate really has a private key.
    /// When this property is read, the output format will be unencrypted
    /// PKCS \#8 — secret material; keep it out of logs and debug output.
    #[doc(alias = "private-key-pem")]
    fn private_key_pem(&self) -> Option<glib::GString> {
        ObjectExt::property(self.as_ref(), "private-key-pem")
    }

    /// A URI referencing a [PKCS \#11](https://docs.oasis-open.org/pkcs11/pkcs11-base/v3.0/os/pkcs11-base-v3.0-os.html)
    /// object containing a private key.
    #[cfg(feature = "v2_68")]
    #[cfg_attr(docsrs, doc(cfg(feature = "v2_68")))]
    #[doc(alias = "private-key-pkcs11-uri")]
    fn private_key_pkcs11_uri(&self) -> Option<glib::GString> {
        ObjectExt::property(self.as_ref(), "private-key-pkcs11-uri")
    }

    /// Connects `f` to the `notify::dns-names` signal of this certificate.
    ///
    /// The closure is boxed and handed to the signal as user data; it is
    /// called with the emitting certificate, cast back to `Self`.
    /// (Presumably `connect_raw` frees the box when the handler is
    /// disconnected — confirm in `glib::signal`.)
    ///
    /// # Returns
    ///
    /// the handler id, usable to disconnect the closure again
    #[cfg(feature = "v2_70")]
    #[cfg_attr(docsrs, doc(cfg(feature = "v2_70")))]
    #[doc(alias = "dns-names")]
    fn connect_dns_names_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId {
        // C-ABI trampoline GObject invokes for the notify signal; `f` is the
        // user-data pointer registered below, i.e. the boxed closure.
        unsafe extern "C" fn notify_dns_names_trampoline<
            P: IsA<TlsCertificate>,
            F: Fn(&P) + 'static,
        >(
            this: *mut ffi::GTlsCertificate,
            _param_spec: glib::ffi::gpointer,
            f: glib::ffi::gpointer,
        ) {
            unsafe {
                let f: &F = &*(f as *const F);
                // `this` is borrowed for the duration of the callback only.
                f(TlsCertificate::from_glib_borrow(this).unsafe_cast_ref())
            }
        }
        unsafe {
            let f: Box_<F> = Box_::new(f);
            connect_raw(
                self.as_ptr() as *mut _,
                c"notify::dns-names".as_ptr(),
                // GObject takes a generic `fn()` pointer and calls it back
                // with the (instance, pspec, user_data) signature declared above.
                Some(std::mem::transmute::<*const (), unsafe extern "C" fn()>(
                    notify_dns_names_trampoline::<Self, F> as *const (),
                )),
                // Ownership of the closure moves to the signal handler.
                Box_::into_raw(f),
            )
        }
    }

    /// Connects `f` to the `notify::ip-addresses` signal.
    /// Same trampoline pattern as [`Self::connect_dns_names_notify`].
    #[cfg(feature = "v2_70")]
    #[cfg_attr(docsrs, doc(cfg(feature = "v2_70")))]
    #[doc(alias = "ip-addresses")]
    fn connect_ip_addresses_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId {
        unsafe extern "C" fn notify_ip_addresses_trampoline<
            P: IsA<TlsCertificate>,
            F: Fn(&P) + 'static,
        >(
            this: *mut ffi::GTlsCertificate,
            _param_spec: glib::ffi::gpointer,
            f: glib::ffi::gpointer,
        ) {
            unsafe {
                let f: &F = &*(f as *const F);
                f(TlsCertificate::from_glib_borrow(this).unsafe_cast_ref())
            }
        }
        unsafe {
            let f: Box_<F> = Box_::new(f);
            connect_raw(
                self.as_ptr() as *mut _,
                c"notify::ip-addresses".as_ptr(),
                Some(std::mem::transmute::<*const (), unsafe extern "C" fn()>(
                    notify_ip_addresses_trampoline::<Self, F> as *const (),
                )),
                Box_::into_raw(f),
            )
        }
    }

    /// Connects `f` to the `notify::issuer-name` signal.
    /// Same trampoline pattern as [`Self::connect_dns_names_notify`].
    #[cfg(feature = "v2_70")]
    #[cfg_attr(docsrs, doc(cfg(feature = "v2_70")))]
    #[doc(alias = "issuer-name")]
    fn connect_issuer_name_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId {
        unsafe extern "C" fn notify_issuer_name_trampoline<
            P: IsA<TlsCertificate>,
            F: Fn(&P) + 'static,
        >(
            this: *mut ffi::GTlsCertificate,
            _param_spec: glib::ffi::gpointer,
            f: glib::ffi::gpointer,
        ) {
            unsafe {
                let f: &F = &*(f as *const F);
                f(TlsCertificate::from_glib_borrow(this).unsafe_cast_ref())
            }
        }
        unsafe {
            let f: Box_<F> = Box_::new(f);
            connect_raw(
                self.as_ptr() as *mut _,
                c"notify::issuer-name".as_ptr(),
                Some(std::mem::transmute::<*const (), unsafe extern "C" fn()>(
                    notify_issuer_name_trampoline::<Self, F> as *const (),
                )),
                Box_::into_raw(f),
            )
        }
    }

    /// Connects `f` to the `notify::not-valid-after` signal.
    /// Same trampoline pattern as [`Self::connect_dns_names_notify`].
    #[cfg(feature = "v2_70")]
    #[cfg_attr(docsrs, doc(cfg(feature = "v2_70")))]
    #[doc(alias = "not-valid-after")]
    fn connect_not_valid_after_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId {
        unsafe extern "C" fn notify_not_valid_after_trampoline<
            P: IsA<TlsCertificate>,
            F: Fn(&P) + 'static,
        >(
            this: *mut ffi::GTlsCertificate,
            _param_spec: glib::ffi::gpointer,
            f: glib::ffi::gpointer,
        ) {
            unsafe {
                let f: &F = &*(f as *const F);
                f(TlsCertificate::from_glib_borrow(this).unsafe_cast_ref())
            }
        }
        unsafe {
            let f: Box_<F> = Box_::new(f);
            connect_raw(
                self.as_ptr() as *mut _,
                c"notify::not-valid-after".as_ptr(),
                Some(std::mem::transmute::<*const (), unsafe extern "C" fn()>(
                    notify_not_valid_after_trampoline::<Self, F> as *const (),
                )),
                Box_::into_raw(f),
            )
        }
    }

    /// Connects `f` to the `notify::not-valid-before` signal.
    /// Same trampoline pattern as [`Self::connect_dns_names_notify`].
    #[cfg(feature = "v2_70")]
    #[cfg_attr(docsrs, doc(cfg(feature = "v2_70")))]
    #[doc(alias = "not-valid-before")]
    fn connect_not_valid_before_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId {
        unsafe extern "C" fn notify_not_valid_before_trampoline<
            P: IsA<TlsCertificate>,
            F: Fn(&P) + 'static,
        >(
            this: *mut ffi::GTlsCertificate,
            _param_spec: glib::ffi::gpointer,
            f: glib::ffi::gpointer,
        ) {
            unsafe {
                let f: &F = &*(f as *const F);
                f(TlsCertificate::from_glib_borrow(this).unsafe_cast_ref())
            }
        }
        unsafe {
            let f: Box_<F> = Box_::new(f);
            connect_raw(
                self.as_ptr() as *mut _,
                c"notify::not-valid-before".as_ptr(),
                Some(std::mem::transmute::<*const (), unsafe extern "C" fn()>(
                    notify_not_valid_before_trampoline::<Self, F> as *const (),
                )),
                Box_::into_raw(f),
            )
        }
    }

    /// Connects `f` to the `notify::subject-name` signal.
    /// Same trampoline pattern as [`Self::connect_dns_names_notify`].
    #[cfg(feature = "v2_70")]
    #[cfg_attr(docsrs, doc(cfg(feature = "v2_70")))]
    #[doc(alias = "subject-name")]
    fn connect_subject_name_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId {
        unsafe extern "C" fn notify_subject_name_trampoline<
            P: IsA<TlsCertificate>,
            F: Fn(&P) + 'static,
        >(
            this: *mut ffi::GTlsCertificate,
            _param_spec: glib::ffi::gpointer,
            f: glib::ffi::gpointer,
        ) {
            unsafe {
                let f: &F = &*(f as *const F);
                f(TlsCertificate::from_glib_borrow(this).unsafe_cast_ref())
            }
        }
        unsafe {
            let f: Box_<F> = Box_::new(f);
            connect_raw(
                self.as_ptr() as *mut _,
                c"notify::subject-name".as_ptr(),
                Some(std::mem::transmute::<*const (), unsafe extern "C" fn()>(
                    notify_subject_name_trampoline::<Self, F> as *const (),
                )),
                Box_::into_raw(f),
            )
        }
    }
}
929
// Blanket impl: every wrapper that is-a `TlsCertificate` (the struct itself
// and any subclass wrapper) receives the trait's default methods unchanged.
impl<O: IsA<TlsCertificate>> TlsCertificateExt for O {}