Trait gio::prelude::TlsCertificateExt

pub trait TlsCertificateExt: 'static {
// Required methods
fn dns_names(&self) -> Vec<Bytes>;
fn ip_addresses(&self) -> Vec<InetAddress>;
fn issuer(&self) -> Option<TlsCertificate>;
fn issuer_name(&self) -> Option<GString>;
fn not_valid_after(&self) -> Option<DateTime>;
fn not_valid_before(&self) -> Option<DateTime>;
fn subject_name(&self) -> Option<GString>;
fn is_same(&self, cert_two: &impl IsA<TlsCertificate>) -> bool;
fn verify(
&self,
identity: Option<&impl IsA<SocketConnectable>>,
trusted_ca: Option<&impl IsA<TlsCertificate>>
) -> TlsCertificateFlags;
fn certificate(&self) -> Option<ByteArray>;
fn certificate_pem(&self) -> Option<GString>;
fn pkcs11_uri(&self) -> Option<GString>;
fn private_key(&self) -> Option<ByteArray>;
fn private_key_pem(&self) -> Option<GString>;
fn private_key_pkcs11_uri(&self) -> Option<GString>;
fn connect_dns_names_notify<F: Fn(&Self) + 'static>(
&self,
f: F
) -> SignalHandlerId;
fn connect_ip_addresses_notify<F: Fn(&Self) + 'static>(
&self,
f: F
) -> SignalHandlerId;
fn connect_issuer_name_notify<F: Fn(&Self) + 'static>(
&self,
f: F
) -> SignalHandlerId;
fn connect_not_valid_after_notify<F: Fn(&Self) + 'static>(
&self,
f: F
) -> SignalHandlerId;
fn connect_not_valid_before_notify<F: Fn(&Self) + 'static>(
&self,
f: F
) -> SignalHandlerId;
fn connect_subject_name_notify<F: Fn(&Self) + 'static>(
&self,
f: F
) -> SignalHandlerId;
}
Required Methods

fn dns_names(&self) -> Vec<Bytes>
Available on crate feature v2_70 only.
Gets the value of property::TlsCertificate::dns-names.

Returns
A GPtrArray of glib::Bytes elements, or None if it's not available.

fn ip_addresses(&self) -> Vec<InetAddress>
Available on crate feature v2_70 only.
Gets the value of property::TlsCertificate::ip-addresses.

Returns
A GPtrArray of InetAddress elements, or None if it's not available.

fn issuer(&self) -> Option<TlsCertificate>
Gets the TlsCertificate representing self's issuer, if known.

Returns
The certificate of self's issuer, or None if self is self-signed or signed with an unknown certificate.

fn issuer_name(&self) -> Option<GString>
Available on crate feature v2_70 only.

fn not_valid_after(&self) -> Option<DateTime>
Available on crate feature v2_70 only.

fn not_valid_before(&self) -> Option<DateTime>
Available on crate feature v2_70 only.

fn subject_name(&self) -> Option<GString>
Available on crate feature v2_70 only.

fn is_same(&self, cert_two: &impl IsA<TlsCertificate>) -> bool
Check if two TlsCertificate objects represent the same certificate.

Only the raw DER byte data of the two certificates is compared for equality. As a result, two certificates may compare equal even if their property::TlsCertificate::issuer, property::TlsCertificate::private-key, or property::TlsCertificate::private-key-pem properties differ.

cert_two
second certificate to compare

Returns
true if both certificates have the same DER encoding, false otherwise
fn verify(
&self,
identity: Option<&impl IsA<SocketConnectable>>,
trusted_ca: Option<&impl IsA<TlsCertificate>>
) -> TlsCertificateFlags
This verifies self and returns a set of TlsCertificateFlags indicating any problems found with it. This can be used to verify a certificate outside the context of making a connection, or to check a certificate against a CA that is not part of the system CA database.

If identity is not None, self's name(s) will be compared against it, and TlsCertificateFlags::BAD_IDENTITY will be set in the return value if it does not match. If identity is None, that bit will never be set in the return value.

If trusted_ca is not None, then self (or one of the certificates in its chain) must be signed by it, or else TlsCertificateFlags::UNKNOWN_CA will be set in the return value. If trusted_ca is None, that bit will never be set in the return value.

GLib guarantees that if certificate verification fails, at least one error will be set in the return value, but it does not guarantee that all possible errors will be set. Accordingly, you may not safely decide to ignore any particular type of error. For example, it would be incorrect to mask TlsCertificateFlags::EXPIRED if you want to allow expired certificates, because this could potentially be the only error flag set even if other problems exist with the certificate. The only sound acceptance test is an empty flag set.

Because TLS session context is not used, TlsCertificate may not perform as many checks on the certificates as TlsConnection would. For example, certificate constraints may not be honored, and revocation checks may not be performed. The best way to verify TLS certificates used by a TLS connection is to let TlsConnection handle the verification.

identity
the expected peer identity

trusted_ca
the certificate of a trusted authority

Returns
the appropriate TlsCertificateFlags
fn certificate(&self) -> Option<ByteArray>
The DER (binary) encoded representation of the certificate.

This property and the property::TlsCertificate::certificate-pem property represent the same data, just in different forms.

fn certificate_pem(&self) -> Option<GString>
The PEM (ASCII) encoded representation of the certificate.

This property and the property::TlsCertificate::certificate property represent the same data, just in different forms.

fn pkcs11_uri(&self) -> Option<GString>
Available on crate feature v2_68 only.

fn private_key(&self) -> Option<ByteArray>
The DER (binary) encoded representation of the certificate's private key, in either [PKCS #1 format](https://datatracker.ietf.org/doc/html/rfc8017) or unencrypted [PKCS #8 format](https://datatracker.ietf.org/doc/html/rfc5208). PKCS #8 format is supported since 2.32; earlier releases only support PKCS #1. You can use the openssl rsa tool to convert PKCS #8 keys to PKCS #1.

This property (or the property::TlsCertificate::private-key-pem property) can be set when constructing a key (for example, from a file). Since GLib 2.70, it is now also readable; however, be aware that if the private key is backed by a PKCS #11 URI (for example, if it is stored on a smartcard), then this property will be None. If so, the private key must be referenced via its PKCS #11 URI, property::TlsCertificate::private-key-pkcs11-uri. You must check both properties to see if the certificate really has a private key. When this property is read, the output format will be unencrypted PKCS #8.

fn private_key_pem(&self) -> Option<GString>
The PEM (ASCII) encoded representation of the certificate's private key in either [PKCS #1 format](https://datatracker.ietf.org/doc/html/rfc8017) ("BEGIN RSA PRIVATE KEY") or unencrypted [PKCS #8 format](https://datatracker.ietf.org/doc/html/rfc5208) ("BEGIN PRIVATE KEY"). PKCS #8 format is supported since 2.32; earlier releases only support PKCS #1. You can use the openssl rsa tool to convert PKCS #8 keys to PKCS #1.

This property (or the property::TlsCertificate::private-key property) can be set when constructing a key (for example, from a file). Since GLib 2.70, it is now also readable; however, be aware that if the private key is backed by a PKCS #11 URI (for example, if it is stored on a smartcard), then this property will be None. If so, the private key must be referenced via its PKCS #11 URI, property::TlsCertificate::private-key-pkcs11-uri. You must check both properties to see if the certificate really has a private key. When this property is read, the output format will be unencrypted PKCS #8.

fn private_key_pkcs11_uri(&self) -> Option<GString>
Available on crate feature v2_68 only.
A URI referencing a PKCS #11 object containing a private key.
fn connect_dns_names_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId
Available on crate feature v2_70 only.

fn connect_ip_addresses_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId
Available on crate feature v2_70 only.

fn connect_issuer_name_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId
Available on crate feature v2_70 only.

fn connect_not_valid_after_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId
Available on crate feature v2_70 only.

fn connect_not_valid_before_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId
Available on crate feature v2_70 only.

fn connect_subject_name_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId
Available on crate feature v2_70 only.