Class

GcrCertificateChain

Description

class Gcr.CertificateChain : GObject.Object {
  parent: GObject
}

Represents a chain of certificates, normally used to validate the trust in a certificate. An X.509 certificate chain has one endpoint certificate (the one for which trust is being verified) and then in turn the certificate that issued each previous certificate in the chain.

This functionality is for building certificate chains, not for validating them. Use your favorite crypto library to validate trust in a certificate chain once it's built.

The order of certificates in the chain should be first the endpoint certificate and then the signing certificates.

Create a new certificate chain with gcr_certificate_chain_new() and then add the certificates with gcr_certificate_chain_add().

You can then use gcr_certificate_chain_build() to build the remainder of the chain. This will look up missing certificates in PKCS#11 modules and also check that each certificate in the chain is the signer of the previous one. If a trust anchor, pinned certificate, or self-signed certificate is found, then the chain is considered built. Any extra certificates are removed from the chain.

Once the certificate chain has been built, you can access its status through gcr_certificate_chain_get_status(). The status signifies whether the chain is anchored on a trust root, self-signed, incomplete etc. See GcrCertificateChainStatus for information on the various statuses.

It’s important to understand that the building of a certificate chain is merely the first step towards verifying trust in a certificate.
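The build steps described above, as an added example rather than Gcr's own code: a simplified C model in which name comparison stands in for the signature check and a constructed `STORE` array stands in for the PKCS#11 lookup. The names `Cert`, `Chain`, `Status`, `lookup` and `build` are hypothetical, the handling of out-of-order input is a choice made for this model, and pinned certificates are left out.

```c
#include <stdio.h>
#include <string.h>

/* Model certificate: comparing names stands in for the signature check. */
typedef struct { const char *subject, *issuer; int anchor; } Cert;
typedef enum { ST_UNKNOWN, ST_INCOMPLETE, ST_SELFSIGNED, ST_ANCHORED } Status;
typedef struct { const Cert *certs[8]; size_t len; Status status; } Chain;

/* Constructed sample store, standing in for the PKCS#11 modules. */
static const Cert STORE[] = {
    { "Example Issuing CA", "Example Root CA", 0 },
    { "Example Root CA",    "Example Root CA", 1 },
};

static const Cert *lookup(const char *subject) {
    for (size_t i = 0; i < sizeof STORE / sizeof *STORE; i++)
        if (strcmp(STORE[i].subject, subject) == 0) return &STORE[i];
    return NULL;
}

/* Build from caller-supplied certificates (endpoint first), fetching
 * missing issuers from the store. Stops at the first anchor or self-signed
 * certificate, so anything supplied beyond that point is dropped. */
static Chain build(const Cert *in, size_t n) {
    Chain c = { {0}, 0, ST_UNKNOWN };
    while (c.status == ST_UNKNOWN && c.len < 8) {
        const Cert *prev = c.len ? c.certs[c.len - 1] : NULL;
        const Cert *cur = c.len < n ? &in[c.len] : NULL;
        /* Model choice: a supplied certificate that is not the issuer of
         * the previous one is replaced by a store lookup. */
        if (prev && (!cur || strcmp(cur->subject, prev->issuer) != 0))
            cur = lookup(prev->issuer);
        if (!cur) { c.status = ST_INCOMPLETE; break; }
        c.certs[c.len++] = cur;
        const Cert *known = lookup(cur->subject);
        if (prev && known && known->anchor)   /* endpoint is never the anchor */
            c.status = ST_ANCHORED;
        else if (strcmp(cur->subject, cur->issuer) == 0)
            c.status = ST_SELFSIGNED;
    }
    if (c.status == ST_UNKNOWN) c.status = ST_INCOMPLETE;  /* chain too long */
    return c;
}

int main(void) {
    const Cert in[] = { { "www.example.test", "Example Issuing CA", 0 } };
    Chain c = build(in, 1);
    printf("status=%d length=%zu\n", (int)c.status, c.len);
}
```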

Ancestors

Constructors

gcr_certificate_chain_new

Create a new GcrCertificateChain.

Instance methods

gcr_certificate_chain_add

Add certificate to the chain. The order of certificates in the chain is important. The first certificate should be the endpoint certificate, and then come the signers (certificate authorities) each in turn. If a root certificate authority is present, it should come last.

gcr_certificate_chain_build

Complete a certificate chain. Once a certificate chain has been built its status can be examined.

gcr_certificate_chain_build_async

Complete a certificate chain. Once a certificate chain has been built its status can be examined.

gcr_certificate_chain_build_finish

Finishes an asynchronous operation started by gcr_certificate_chain_build_async().

gcr_certificate_chain_get_anchor

If the certificate chain has been built and is of status GCR_CERTIFICATE_CHAIN_ANCHORED, then this will return the anchor certificate that was found. This is not necessarily a root certificate authority. If an intermediate certificate authority in the chain was found to be anchored, then that certificate will be returned.

gcr_certificate_chain_get_certificate

Get a certificate in the chain. It is an error to call this function with an invalid index.

gcr_certificate_chain_get_endpoint

Get the endpoint certificate in the chain. This is always the first certificate in the chain. The endpoint certificate cannot be anchored.

gcr_certificate_chain_get_length

Get the length of the certificate chain.

gcr_certificate_chain_get_status

Get the status of a certificate chain. If the certificate chain has not been built, then the status will be GCR_CERTIFICATE_CHAIN_UNKNOWN.

Methods inherited from GObject (43)

Please see GObject for a full list of methods.

Properties

Gcr.CertificateChain:length

The length of the certificate chain.

Gcr.CertificateChain:status

The certificate chain status. See GcrCertificateChainStatus.

Signals

Signals inherited from GObject (1)
GObject.Object::notify

The notify signal is emitted on an object when one of its properties has its value set through g_object_set_property(), g_object_set(), et al.

Class structure

struct GcrCertificateChainClass {
  GObjectClass parent_class;
}

Class members

parent_class: GObjectClass

The parent class.