Trait gio::prelude::TlsCertificateExt
source · pub trait TlsCertificateExt: IsA<TlsCertificate> + Sealed + 'static {
Show 21 methods
// Provided methods
fn dns_names(&self) -> Vec<Bytes> { ... }
fn ip_addresses(&self) -> Vec<InetAddress> { ... }
fn issuer(&self) -> Option<TlsCertificate> { ... }
fn issuer_name(&self) -> Option<GString> { ... }
fn not_valid_after(&self) -> Option<DateTime> { ... }
fn not_valid_before(&self) -> Option<DateTime> { ... }
fn subject_name(&self) -> Option<GString> { ... }
fn is_same(&self, cert_two: &impl IsA<TlsCertificate>) -> bool { ... }
fn verify(
&self,
identity: Option<&impl IsA<SocketConnectable>>,
trusted_ca: Option<&impl IsA<TlsCertificate>>,
) -> TlsCertificateFlags { ... }
fn certificate(&self) -> Option<ByteArray> { ... }
fn certificate_pem(&self) -> Option<GString> { ... }
fn pkcs11_uri(&self) -> Option<GString> { ... }
fn private_key(&self) -> Option<ByteArray> { ... }
fn private_key_pem(&self) -> Option<GString> { ... }
fn private_key_pkcs11_uri(&self) -> Option<GString> { ... }
fn connect_dns_names_notify<F: Fn(&Self) + 'static>(
&self,
f: F,
) -> SignalHandlerId { ... }
fn connect_ip_addresses_notify<F: Fn(&Self) + 'static>(
&self,
f: F,
) -> SignalHandlerId { ... }
fn connect_issuer_name_notify<F: Fn(&Self) + 'static>(
&self,
f: F,
) -> SignalHandlerId { ... }
fn connect_not_valid_after_notify<F: Fn(&Self) + 'static>(
&self,
f: F,
) -> SignalHandlerId { ... }
fn connect_not_valid_before_notify<F: Fn(&Self) + 'static>(
&self,
f: F,
) -> SignalHandlerId { ... }
fn connect_subject_name_notify<F: Fn(&Self) + 'static>(
&self,
f: F,
) -> SignalHandlerId { ... }
}
Expand description
Provided Methods§
sourcefn ip_addresses(&self) -> Vec<InetAddress>
Available on crate feature v2_70
only.
fn ip_addresses(&self) -> Vec<InetAddress>
v2_70
only.sourcefn issuer(&self) -> Option<TlsCertificate>
fn issuer(&self) -> Option<TlsCertificate>
sourcefn issuer_name(&self) -> Option<GString>
Available on crate feature v2_70
only.
fn issuer_name(&self) -> Option<GString>
v2_70
only.sourcefn not_valid_after(&self) -> Option<DateTime>
Available on crate feature v2_70
only.
fn not_valid_after(&self) -> Option<DateTime>
v2_70
only.sourcefn not_valid_before(&self) -> Option<DateTime>
Available on crate feature v2_70
only.
fn not_valid_before(&self) -> Option<DateTime>
v2_70
only.sourcefn subject_name(&self) -> Option<GString>
Available on crate feature v2_70
only.
fn subject_name(&self) -> Option<GString>
v2_70
only.sourcefn is_same(&self, cert_two: &impl IsA<TlsCertificate>) -> bool
fn is_same(&self, cert_two: &impl IsA<TlsCertificate>) -> bool
Check if two #GTlsCertificate objects represent the same certificate. The raw DER byte data of the two certificates are checked for equality. This has the effect that two certificates may compare equal even if their #GTlsCertificate:issuer, #GTlsCertificate:private-key, or #GTlsCertificate:private-key-pem properties differ.
§cert_two
second certificate to compare
§Returns
whether the same or not
sourcefn verify(
&self,
identity: Option<&impl IsA<SocketConnectable>>,
trusted_ca: Option<&impl IsA<TlsCertificate>>,
) -> TlsCertificateFlags
fn verify( &self, identity: Option<&impl IsA<SocketConnectable>>, trusted_ca: Option<&impl IsA<TlsCertificate>>, ) -> TlsCertificateFlags
This verifies @self and returns a set of #GTlsCertificateFlags indicating any problems found with it. This can be used to verify a certificate outside the context of making a connection, or to check a certificate against a CA that is not part of the system CA database.
If @self is valid, G_TLS_CERTIFICATE_NO_FLAGS
is returned.
If @identity is not None
, @self’s name(s) will be compared against
it, and TlsCertificateFlags::BAD_IDENTITY
will be set in the return
value if it does not match. If @identity is None
, that bit will
never be set in the return value.
If @trusted_ca is not None
, then @self (or one of the certificates
in its chain) must be signed by it, or else
TlsCertificateFlags::UNKNOWN_CA
will be set in the return value. If
@trusted_ca is None
, that bit will never be set in the return
value.
GLib guarantees that if certificate verification fails, at least one
error will be set in the return value, but it does not guarantee
that all possible errors will be set. Accordingly, you may not safely
decide to ignore any particular type of error. For example, it would
be incorrect to mask TlsCertificateFlags::EXPIRED
if you want to allow
expired certificates, because this could potentially be the only
error flag set even if other problems exist with the certificate.
Because TLS session context is not used, #GTlsCertificate may not perform as many checks on the certificates as #GTlsConnection would. For example, certificate constraints may not be honored, and revocation checks may not be performed. The best way to verify TLS certificates used by a TLS connection is to let #GTlsConnection handle the verification.
§identity
the expected peer identity
§trusted_ca
the certificate of a trusted authority
§Returns
the appropriate #GTlsCertificateFlags
sourcefn certificate(&self) -> Option<ByteArray>
fn certificate(&self) -> Option<ByteArray>
The DER (binary) encoded representation of the certificate. This property and the #GTlsCertificate:certificate-pem property represent the same data, just in different forms.
sourcefn certificate_pem(&self) -> Option<GString>
fn certificate_pem(&self) -> Option<GString>
The PEM (ASCII) encoded representation of the certificate. This property and the #GTlsCertificate:certificate property represent the same data, just in different forms.
sourcefn pkcs11_uri(&self) -> Option<GString>
Available on crate feature v2_68
only.
fn pkcs11_uri(&self) -> Option<GString>
v2_68
only.sourcefn private_key(&self) -> Option<ByteArray>
fn private_key(&self) -> Option<ByteArray>
The DER (binary) encoded representation of the certificate’s
private key, in either PKCS #1 format
or unencrypted PKCS #8 format.
PKCS #8 format is supported since 2.32; earlier releases only
support PKCS #1. You can use the openssl rsa
tool to convert
PKCS #8 keys to PKCS #1.
This property (or the #GTlsCertificate:private-key-pem property)
can be set when constructing a key (for example, from a file).
Since GLib 2.70, it is now also readable; however, be aware that if
the private key is backed by a PKCS #11 URI – for example, if it
is stored on a smartcard – then this property will be None
. If so,
the private key must be referenced via its PKCS #11 URI,
#GTlsCertificate:private-key-pkcs11-uri. You must check both
properties to see if the certificate really has a private key.
When this property is read, the output format will be unencrypted
PKCS #8.
sourcefn private_key_pem(&self) -> Option<GString>
fn private_key_pem(&self) -> Option<GString>
The PEM (ASCII) encoded representation of the certificate’s
private key in either PKCS #1 format
(“BEGIN RSA PRIVATE KEY
”) or unencrypted
PKCS #8 format
(“BEGIN PRIVATE KEY
”). PKCS #8 format is supported since 2.32;
earlier releases only support PKCS #1. You can use the openssl rsa
tool to convert PKCS #8 keys to PKCS #1.
This property (or the #GTlsCertificate:private-key property)
can be set when constructing a key (for example, from a file).
Since GLib 2.70, it is now also readable; however, be aware that if
the private key is backed by a PKCS #11 URI - for example, if it
is stored on a smartcard - then this property will be None
. If so,
the private key must be referenced via its PKCS #11 URI,
#GTlsCertificate:private-key-pkcs11-uri. You must check both
properties to see if the certificate really has a private key.
When this property is read, the output format will be unencrypted
PKCS #8.
sourcefn private_key_pkcs11_uri(&self) -> Option<GString>
Available on crate feature v2_68
only.
fn private_key_pkcs11_uri(&self) -> Option<GString>
v2_68
only.A URI referencing a PKCS #11 object containing a private key.
fn connect_dns_names_notify<F: Fn(&Self) + 'static>( &self, f: F, ) -> SignalHandlerId
v2_70
only.fn connect_ip_addresses_notify<F: Fn(&Self) + 'static>( &self, f: F, ) -> SignalHandlerId
v2_70
only.fn connect_issuer_name_notify<F: Fn(&Self) + 'static>( &self, f: F, ) -> SignalHandlerId
v2_70
only.fn connect_not_valid_after_notify<F: Fn(&Self) + 'static>( &self, f: F, ) -> SignalHandlerId
v2_70
only.fn connect_not_valid_before_notify<F: Fn(&Self) + 'static>( &self, f: F, ) -> SignalHandlerId
v2_70
only.fn connect_subject_name_notify<F: Fn(&Self) + 'static>( &self, f: F, ) -> SignalHandlerId
v2_70
only.