Branch data Line data Source code
1 : : /* GIO - GLib Input, Output and Streaming Library
2 : : *
3 : : * Copyright (C) 2010 Collabora, Ltd.
4 : : *
5 : : * SPDX-License-Identifier: LGPL-2.1-or-later
6 : : *
7 : : * This library is free software; you can redistribute it and/or
8 : : * modify it under the terms of the GNU Lesser General Public
9 : : * License as published by the Free Software Foundation; either
10 : : * version 2.1 of the License, or (at your option) any later version.
11 : : *
12 : : * This library is distributed in the hope that it will be useful,
13 : : * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 : : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 : : * Lesser General Public License for more details.
16 : : *
17 : : * You should have received a copy of the GNU Lesser General
18 : : * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
19 : : *
20 : : * Author: Stef Walter <stefw@collabora.co.uk>
21 : : */
22 : :
23 : : #include "config.h"
24 : :
25 : : #include "gtlsdatabase.h"
26 : :
27 : : #include "gasyncresult.h"
28 : : #include "gcancellable.h"
29 : : #include "glibintl.h"
30 : : #include "gsocketconnectable.h"
31 : : #include "gtask.h"
32 : : #include "gtlscertificate.h"
33 : : #include "gtlsinteraction.h"
34 : :
35 : : /**
36 : : * GTlsDatabase:
37 : : *
38 : : * `GTlsDatabase` is used to look up certificates and other information
39 : : * from a certificate or key store. It is an abstract base class which
40 : : * TLS library specific subtypes override.
41 : : *
42 : : * A `GTlsDatabase` may be accessed from multiple threads by the TLS backend.
43 : : * All implementations are required to be fully thread-safe.
44 : : *
45 : : * Most common client applications will not directly interact with
46 : : * `GTlsDatabase`. It is used internally by [class@Gio.TlsConnection].
47 : : *
48 : : * Since: 2.30
49 : : */
50 : :
51 : : /**
52 : : * GTlsDatabaseClass:
53 : : * @verify_chain: Virtual method implementing
54 : : * g_tls_database_verify_chain().
55 : : * @verify_chain_async: Virtual method implementing
56 : : * g_tls_database_verify_chain_async().
57 : : * @verify_chain_finish: Virtual method implementing
58 : : * g_tls_database_verify_chain_finish().
59 : : * @create_certificate_handle: Virtual method implementing
60 : : * g_tls_database_create_certificate_handle().
61 : : * @lookup_certificate_for_handle: Virtual method implementing
62 : : * g_tls_database_lookup_certificate_for_handle().
63 : : * @lookup_certificate_for_handle_async: Virtual method implementing
64 : : * g_tls_database_lookup_certificate_for_handle_async().
65 : : * @lookup_certificate_for_handle_finish: Virtual method implementing
66 : : * g_tls_database_lookup_certificate_for_handle_finish().
67 : : * @lookup_certificate_issuer: Virtual method implementing
68 : : * g_tls_database_lookup_certificate_issuer().
69 : : * @lookup_certificate_issuer_async: Virtual method implementing
70 : : * g_tls_database_lookup_certificate_issuer_async().
71 : : * @lookup_certificate_issuer_finish: Virtual method implementing
72 : : * g_tls_database_lookup_certificate_issuer_finish().
73 : : * @lookup_certificates_issued_by: Virtual method implementing
74 : : * g_tls_database_lookup_certificates_issued_by().
75 : : * @lookup_certificates_issued_by_async: Virtual method implementing
76 : : * g_tls_database_lookup_certificates_issued_by_async().
77 : : * @lookup_certificates_issued_by_finish: Virtual method implementing
78 : : * g_tls_database_lookup_certificates_issued_by_finish().
79 : : *
80 : : * The class for #GTlsDatabase. Derived classes should implement the various
81 : : * virtual methods. _async and _finish methods have a default
82 : : * implementation that runs the corresponding sync method in a thread.
83 : : *
84 : : * Since: 2.30
85 : : */
86 : :
87 : 24 : G_DEFINE_ABSTRACT_TYPE (GTlsDatabase, g_tls_database, G_TYPE_OBJECT)
88 : :
89 : : enum {
90 : : UNLOCK_REQUIRED,
91 : :
92 : : LAST_SIGNAL
93 : : };
94 : :
95 : : /**
96 : : * G_TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER:
97 : : *
98 : : * The purpose used to verify the server certificate in a TLS connection. This
99 : : * is the most common purpose in use. Used by TLS clients.
100 : : */
101 : :
102 : : /**
103 : : * G_TLS_DATABASE_PURPOSE_AUTHENTICATE_CLIENT:
104 : : *
105 : : * The purpose used to verify the client certificate in a TLS connection.
106 : : * Used by TLS servers.
107 : : */
108 : :
109 : : static void
110 : 2 : g_tls_database_init (GTlsDatabase *cert)
111 : : {
112 : :
113 : 2 : }
114 : :
115 : : typedef struct _AsyncVerifyChain {
116 : : GTlsCertificate *chain;
117 : : gchar *purpose;
118 : : GSocketConnectable *identity;
119 : : GTlsInteraction *interaction;
120 : : GTlsDatabaseVerifyFlags flags;
121 : : } AsyncVerifyChain;
122 : :
123 : : static void
124 : 0 : async_verify_chain_free (gpointer data)
125 : : {
126 : 0 : AsyncVerifyChain *args = data;
127 : 0 : g_clear_object (&args->chain);
128 : 0 : g_free (args->purpose);
129 : 0 : g_clear_object (&args->identity);
130 : 0 : g_clear_object (&args->interaction);
131 : 0 : g_slice_free (AsyncVerifyChain, args);
132 : 0 : }
133 : :
134 : : static void
135 : 0 : async_verify_chain_thread (GTask *task,
136 : : gpointer object,
137 : : gpointer task_data,
138 : : GCancellable *cancellable)
139 : : {
140 : 0 : AsyncVerifyChain *args = task_data;
141 : : GTlsCertificateFlags verify_result;
142 : 0 : GError *error = NULL;
143 : :
144 : 0 : verify_result = g_tls_database_verify_chain (G_TLS_DATABASE (object),
145 : : args->chain,
146 : 0 : args->purpose,
147 : : args->identity,
148 : : args->interaction,
149 : : args->flags,
150 : : cancellable,
151 : : &error);
152 : 0 : if (error)
153 : 0 : g_task_return_error (task, error);
154 : : else
155 : 0 : g_task_return_int (task, (gssize)verify_result);
156 : 0 : }
157 : :
158 : : static void
159 : 0 : g_tls_database_real_verify_chain_async (GTlsDatabase *self,
160 : : GTlsCertificate *chain,
161 : : const gchar *purpose,
162 : : GSocketConnectable *identity,
163 : : GTlsInteraction *interaction,
164 : : GTlsDatabaseVerifyFlags flags,
165 : : GCancellable *cancellable,
166 : : GAsyncReadyCallback callback,
167 : : gpointer user_data)
168 : : {
169 : : GTask *task;
170 : : AsyncVerifyChain *args;
171 : :
172 : 0 : args = g_slice_new0 (AsyncVerifyChain);
173 : 0 : args->chain = g_object_ref (chain);
174 : 0 : args->purpose = g_strdup (purpose);
175 : 0 : args->identity = identity ? g_object_ref (identity) : NULL;
176 : 0 : args->interaction = interaction ? g_object_ref (interaction) : NULL;
177 : 0 : args->flags = flags;
178 : :
179 : 0 : task = g_task_new (self, cancellable, callback, user_data);
180 : 0 : g_task_set_source_tag (task, g_tls_database_real_verify_chain_async);
181 : 0 : g_task_set_name (task, "[gio] verify TLS chain");
182 : 0 : g_task_set_task_data (task, args, async_verify_chain_free);
183 : 0 : g_task_run_in_thread (task, async_verify_chain_thread);
184 : 0 : g_object_unref (task);
185 : 0 : }
186 : :
187 : : static GTlsCertificateFlags
188 : 0 : g_tls_database_real_verify_chain_finish (GTlsDatabase *self,
189 : : GAsyncResult *result,
190 : : GError **error)
191 : : {
192 : : GTlsCertificateFlags ret;
193 : :
194 : 0 : g_return_val_if_fail (g_task_is_valid (result, self), G_TLS_CERTIFICATE_GENERIC_ERROR);
195 : :
196 : 0 : ret = (GTlsCertificateFlags)g_task_propagate_int (G_TASK (result), error);
197 : 0 : if (ret == (GTlsCertificateFlags)-1)
198 : 0 : return G_TLS_CERTIFICATE_GENERIC_ERROR;
199 : : else
200 : 0 : return ret;
201 : : }
202 : :
203 : : typedef struct {
204 : : gchar *handle;
205 : : GTlsInteraction *interaction;
206 : : GTlsDatabaseLookupFlags flags;
207 : : } AsyncLookupCertificateForHandle;
208 : :
209 : : static void
210 : 0 : async_lookup_certificate_for_handle_free (gpointer data)
211 : : {
212 : 0 : AsyncLookupCertificateForHandle *args = data;
213 : :
214 : 0 : g_free (args->handle);
215 : 0 : g_clear_object (&args->interaction);
216 : 0 : g_slice_free (AsyncLookupCertificateForHandle, args);
217 : 0 : }
218 : :
219 : : static void
220 : 0 : async_lookup_certificate_for_handle_thread (GTask *task,
221 : : gpointer object,
222 : : gpointer task_data,
223 : : GCancellable *cancellable)
224 : : {
225 : 0 : AsyncLookupCertificateForHandle *args = task_data;
226 : : GTlsCertificate *result;
227 : 0 : GError *error = NULL;
228 : :
229 : 0 : result = g_tls_database_lookup_certificate_for_handle (G_TLS_DATABASE (object),
230 : 0 : args->handle,
231 : : args->interaction,
232 : : args->flags,
233 : : cancellable,
234 : : &error);
235 : 0 : if (result)
236 : 0 : g_task_return_pointer (task, result, g_object_unref);
237 : : else
238 : 0 : g_task_return_error (task, error);
239 : 0 : }
240 : :
241 : : static void
242 : 0 : g_tls_database_real_lookup_certificate_for_handle_async (GTlsDatabase *self,
243 : : const gchar *handle,
244 : : GTlsInteraction *interaction,
245 : : GTlsDatabaseLookupFlags flags,
246 : : GCancellable *cancellable,
247 : : GAsyncReadyCallback callback,
248 : : gpointer user_data)
249 : : {
250 : : GTask *task;
251 : : AsyncLookupCertificateForHandle *args;
252 : :
253 : 0 : args = g_slice_new0 (AsyncLookupCertificateForHandle);
254 : 0 : args->handle = g_strdup (handle);
255 : 0 : args->interaction = interaction ? g_object_ref (interaction) : NULL;
256 : :
257 : 0 : task = g_task_new (self, cancellable, callback, user_data);
258 : 0 : g_task_set_source_tag (task,
259 : : g_tls_database_real_lookup_certificate_for_handle_async);
260 : 0 : g_task_set_name (task, "[gio] lookup TLS certificate");
261 : 0 : g_task_set_task_data (task, args, async_lookup_certificate_for_handle_free);
262 : 0 : g_task_run_in_thread (task, async_lookup_certificate_for_handle_thread);
263 : 0 : g_object_unref (task);
264 : 0 : }
265 : :
266 : : static GTlsCertificate*
267 : 0 : g_tls_database_real_lookup_certificate_for_handle_finish (GTlsDatabase *self,
268 : : GAsyncResult *result,
269 : : GError **error)
270 : : {
271 : 0 : g_return_val_if_fail (g_task_is_valid (result, self), NULL);
272 : :
273 : 0 : return g_task_propagate_pointer (G_TASK (result), error);
274 : : }
275 : :
276 : :
277 : : typedef struct {
278 : : GTlsCertificate *certificate;
279 : : GTlsInteraction *interaction;
280 : : GTlsDatabaseLookupFlags flags;
281 : : } AsyncLookupCertificateIssuer;
282 : :
283 : : static void
284 : 0 : async_lookup_certificate_issuer_free (gpointer data)
285 : : {
286 : 0 : AsyncLookupCertificateIssuer *args = data;
287 : :
288 : 0 : g_clear_object (&args->certificate);
289 : 0 : g_clear_object (&args->interaction);
290 : 0 : g_slice_free (AsyncLookupCertificateIssuer, args);
291 : 0 : }
292 : :
293 : : static void
294 : 0 : async_lookup_certificate_issuer_thread (GTask *task,
295 : : gpointer object,
296 : : gpointer task_data,
297 : : GCancellable *cancellable)
298 : : {
299 : 0 : AsyncLookupCertificateIssuer *args = task_data;
300 : : GTlsCertificate *issuer;
301 : 0 : GError *error = NULL;
302 : :
303 : 0 : issuer = g_tls_database_lookup_certificate_issuer (G_TLS_DATABASE (object),
304 : : args->certificate,
305 : : args->interaction,
306 : : args->flags,
307 : : cancellable,
308 : : &error);
309 : 0 : if (issuer)
310 : 0 : g_task_return_pointer (task, issuer, g_object_unref);
311 : : else
312 : 0 : g_task_return_error (task, error);
313 : 0 : }
314 : :
315 : : static void
316 : 0 : g_tls_database_real_lookup_certificate_issuer_async (GTlsDatabase *self,
317 : : GTlsCertificate *certificate,
318 : : GTlsInteraction *interaction,
319 : : GTlsDatabaseLookupFlags flags,
320 : : GCancellable *cancellable,
321 : : GAsyncReadyCallback callback,
322 : : gpointer user_data)
323 : : {
324 : : GTask *task;
325 : : AsyncLookupCertificateIssuer *args;
326 : :
327 : 0 : args = g_slice_new0 (AsyncLookupCertificateIssuer);
328 : 0 : args->certificate = g_object_ref (certificate);
329 : 0 : args->flags = flags;
330 : 0 : args->interaction = interaction ? g_object_ref (interaction) : NULL;
331 : :
332 : 0 : task = g_task_new (self, cancellable, callback, user_data);
333 : 0 : g_task_set_source_tag (task,
334 : : g_tls_database_real_lookup_certificate_issuer_async);
335 : 0 : g_task_set_name (task, "[gio] lookup certificate issuer");
336 : 0 : g_task_set_task_data (task, args, async_lookup_certificate_issuer_free);
337 : 0 : g_task_run_in_thread (task, async_lookup_certificate_issuer_thread);
338 : 0 : g_object_unref (task);
339 : 0 : }
340 : :
341 : : static GTlsCertificate *
342 : 0 : g_tls_database_real_lookup_certificate_issuer_finish (GTlsDatabase *self,
343 : : GAsyncResult *result,
344 : : GError **error)
345 : : {
346 : 0 : g_return_val_if_fail (g_task_is_valid (result, self), NULL);
347 : :
348 : 0 : return g_task_propagate_pointer (G_TASK (result), error);
349 : : }
350 : :
351 : : typedef struct {
352 : : GByteArray *issuer;
353 : : GTlsInteraction *interaction;
354 : : GTlsDatabaseLookupFlags flags;
355 : : } AsyncLookupCertificatesIssuedBy;
356 : :
357 : : static void
358 : 0 : async_lookup_certificates_issued_by_free (gpointer data)
359 : : {
360 : 0 : AsyncLookupCertificatesIssuedBy *args = data;
361 : :
362 : 0 : g_byte_array_unref (args->issuer);
363 : 0 : g_clear_object (&args->interaction);
364 : 0 : g_slice_free (AsyncLookupCertificatesIssuedBy, args);
365 : 0 : }
366 : :
367 : : static void
368 : 0 : async_lookup_certificates_free_certificates (gpointer data)
369 : : {
370 : 0 : GList *list = data;
371 : :
372 : 0 : g_list_free_full (list, g_object_unref);
373 : 0 : }
374 : :
375 : : static void
376 : 0 : async_lookup_certificates_issued_by_thread (GTask *task,
377 : : gpointer object,
378 : : gpointer task_data,
379 : : GCancellable *cancellable)
380 : : {
381 : 0 : AsyncLookupCertificatesIssuedBy *args = task_data;
382 : : GList *results;
383 : 0 : GError *error = NULL;
384 : :
385 : 0 : results = g_tls_database_lookup_certificates_issued_by (G_TLS_DATABASE (object),
386 : : args->issuer,
387 : : args->interaction,
388 : : args->flags,
389 : : cancellable,
390 : : &error);
391 : 0 : if (results)
392 : 0 : g_task_return_pointer (task, results, async_lookup_certificates_free_certificates);
393 : : else
394 : 0 : g_task_return_error (task, error);
395 : 0 : }
396 : :
397 : : static void
398 : 0 : g_tls_database_real_lookup_certificates_issued_by_async (GTlsDatabase *self,
399 : : GByteArray *issuer,
400 : : GTlsInteraction *interaction,
401 : : GTlsDatabaseLookupFlags flags,
402 : : GCancellable *cancellable,
403 : : GAsyncReadyCallback callback,
404 : : gpointer user_data)
405 : : {
406 : : GTask *task;
407 : : AsyncLookupCertificatesIssuedBy *args;
408 : :
409 : 0 : args = g_slice_new0 (AsyncLookupCertificatesIssuedBy);
410 : 0 : args->issuer = g_byte_array_ref (issuer);
411 : 0 : args->flags = flags;
412 : 0 : args->interaction = interaction ? g_object_ref (interaction) : NULL;
413 : :
414 : 0 : task = g_task_new (self, cancellable, callback, user_data);
415 : 0 : g_task_set_source_tag (task,
416 : : g_tls_database_real_lookup_certificates_issued_by_async);
417 : 0 : g_task_set_name (task, "[gio] lookup certificates issued by");
418 : 0 : g_task_set_task_data (task, args, async_lookup_certificates_issued_by_free);
419 : 0 : g_task_run_in_thread (task, async_lookup_certificates_issued_by_thread);
420 : 0 : g_object_unref (task);
421 : 0 : }
422 : :
423 : : static GList *
424 : 0 : g_tls_database_real_lookup_certificates_issued_by_finish (GTlsDatabase *self,
425 : : GAsyncResult *result,
426 : : GError **error)
427 : : {
428 : 0 : g_return_val_if_fail (g_task_is_valid (result, self), NULL);
429 : :
430 : 0 : return g_task_propagate_pointer (G_TASK (result), error);
431 : : }
432 : :
433 : : static void
434 : 2 : g_tls_database_class_init (GTlsDatabaseClass *klass)
435 : : {
436 : 2 : klass->verify_chain_async = g_tls_database_real_verify_chain_async;
437 : 2 : klass->verify_chain_finish = g_tls_database_real_verify_chain_finish;
438 : 2 : klass->lookup_certificate_for_handle_async = g_tls_database_real_lookup_certificate_for_handle_async;
439 : 2 : klass->lookup_certificate_for_handle_finish = g_tls_database_real_lookup_certificate_for_handle_finish;
440 : 2 : klass->lookup_certificate_issuer_async = g_tls_database_real_lookup_certificate_issuer_async;
441 : 2 : klass->lookup_certificate_issuer_finish = g_tls_database_real_lookup_certificate_issuer_finish;
442 : 2 : klass->lookup_certificates_issued_by_async = g_tls_database_real_lookup_certificates_issued_by_async;
443 : 2 : klass->lookup_certificates_issued_by_finish = g_tls_database_real_lookup_certificates_issued_by_finish;
444 : 2 : }
445 : :
446 : : /**
447 : : * g_tls_database_verify_chain:
448 : : * @self: a #GTlsDatabase
449 : : * @chain: a #GTlsCertificate chain
450 : : * @purpose: the purpose that this certificate chain will be used for.
451 : : * @identity: (nullable): the expected peer identity
452 : : * @interaction: (nullable): used to interact with the user if necessary
453 : : * @flags: additional verify flags
454 : : * @cancellable: (nullable): a #GCancellable, or %NULL
455 : : * @error: (nullable): a #GError, or %NULL
456 : : *
457 : : * Determines the validity of a certificate chain, outside the context
458 : : * of a TLS session.
459 : : *
460 : : * @chain is a chain of #GTlsCertificate objects each pointing to the next
461 : : * certificate in the chain by its #GTlsCertificate:issuer property.
462 : : *
463 : : * @purpose describes the purpose (or usage) for which the certificate
464 : : * is being used. Typically @purpose will be set to %G_TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER
465 : : * which means that the certificate is being used to authenticate a server
466 : : * (and we are acting as the client).
467 : : *
468 : : * The @identity is used to ensure the server certificate is valid for
469 : : * the expected peer identity. If the identity does not match the
470 : : * certificate, %G_TLS_CERTIFICATE_BAD_IDENTITY will be set in the
471 : : * return value. If @identity is %NULL, that bit will never be set in
472 : : * the return value. The peer identity may also be used to check for
473 : : * pinned certificates (trust exceptions) in the database. These may
474 : : * override the normal verification process on a host-by-host basis.
475 : : *
476 : : * Currently there are no @flags, and %G_TLS_DATABASE_VERIFY_NONE should be
477 : : * used.
478 : : *
479 : : * If @chain is found to be valid, then the return value will be 0. If
480 : : * @chain is found to be invalid, then the return value will indicate at
481 : : * least one problem found. If the function is unable to determine
482 : : * whether @chain is valid (for example, because @cancellable is
483 : : * triggered before it completes) then the return value will be
484 : : * %G_TLS_CERTIFICATE_GENERIC_ERROR and @error will be set accordingly.
485 : : * @error is not set when @chain is successfully analyzed but found to
486 : : * be invalid.
487 : : *
488 : : * GLib guarantees that if certificate verification fails, at least one
489 : : * error will be set in the return value, but it does not guarantee
490 : : * that all possible errors will be set. Accordingly, you may not safely
491 : : * decide to ignore any particular type of error. For example, it would
492 : : * be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if you want to allow
493 : : * expired certificates, because this could potentially be the only
494 : : * error flag set even if other problems exist with the certificate.
495 : : *
496 : : * Prior to GLib 2.48, GLib's default TLS backend modified @chain to
497 : : * represent the certification path built by #GTlsDatabase during
498 : : * certificate verification by adjusting the #GTlsCertificate:issuer
499 : : * property of each certificate in @chain. Since GLib 2.48, this no
500 : : * longer occurs, so you cannot rely on #GTlsCertificate:issuer to
501 : : * represent the actual certification path used during certificate
502 : : * verification.
503 : : *
504 : : * Because TLS session context is not used, #GTlsDatabase may not
505 : : * perform as many checks on the certificates as #GTlsConnection would.
506 : : * For example, certificate constraints may not be honored, and
507 : : * revocation checks may not be performed. The best way to verify TLS
508 : : * certificates used by a TLS connection is to let #GTlsConnection
509 : : * handle the verification.
510 : : *
511 : : * The TLS backend may attempt to look up and add missing certificates
512 : : * to the chain. This may involve HTTP requests to download missing
513 : : * certificates.
514 : : *
515 : : * This function can block. Use g_tls_database_verify_chain_async() to
516 : : * perform the verification operation asynchronously.
517 : : *
518 : : * Returns: the appropriate #GTlsCertificateFlags which represents the
519 : : * result of verification.
520 : : *
521 : : * Since: 2.30
522 : : */
523 : : GTlsCertificateFlags
524 : 0 : g_tls_database_verify_chain (GTlsDatabase *self,
525 : : GTlsCertificate *chain,
526 : : const gchar *purpose,
527 : : GSocketConnectable *identity,
528 : : GTlsInteraction *interaction,
529 : : GTlsDatabaseVerifyFlags flags,
530 : : GCancellable *cancellable,
531 : : GError **error)
532 : : {
533 : 0 : g_return_val_if_fail (G_IS_TLS_DATABASE (self), G_TLS_CERTIFICATE_GENERIC_ERROR);
534 : 0 : g_return_val_if_fail (G_IS_TLS_CERTIFICATE (chain),
535 : : G_TLS_CERTIFICATE_GENERIC_ERROR);
536 : 0 : g_return_val_if_fail (purpose, G_TLS_CERTIFICATE_GENERIC_ERROR);
537 : 0 : g_return_val_if_fail (interaction == NULL || G_IS_TLS_INTERACTION (interaction),
538 : : G_TLS_CERTIFICATE_GENERIC_ERROR);
539 : 0 : g_return_val_if_fail (identity == NULL || G_IS_SOCKET_CONNECTABLE (identity),
540 : : G_TLS_CERTIFICATE_GENERIC_ERROR);
541 : 0 : g_return_val_if_fail (error == NULL || *error == NULL, G_TLS_CERTIFICATE_GENERIC_ERROR);
542 : :
543 : 0 : g_return_val_if_fail (G_TLS_DATABASE_GET_CLASS (self)->verify_chain,
544 : : G_TLS_CERTIFICATE_GENERIC_ERROR);
545 : :
546 : 0 : return G_TLS_DATABASE_GET_CLASS (self)->verify_chain (self,
547 : : chain,
548 : : purpose,
549 : : identity,
550 : : interaction,
551 : : flags,
552 : : cancellable,
553 : : error);
554 : : }
555 : :
556 : : /**
557 : : * g_tls_database_verify_chain_async:
558 : : * @self: a #GTlsDatabase
559 : : * @chain: a #GTlsCertificate chain
560 : : * @purpose: the purpose that this certificate chain will be used for.
561 : : * @identity: (nullable): the expected peer identity
562 : : * @interaction: (nullable): used to interact with the user if necessary
563 : : * @flags: additional verify flags
564 : : * @cancellable: (nullable): a #GCancellable, or %NULL
565 : : * @callback: callback to call when the operation completes
566 : : * @user_data: the data to pass to the callback function
567 : : *
568 : : * Asynchronously determines the validity of a certificate chain after
569 : : * looking up and adding any missing certificates to the chain. See
570 : : * g_tls_database_verify_chain() for more information.
571 : : *
572 : : * Since: 2.30
573 : : */
574 : : void
575 : 0 : g_tls_database_verify_chain_async (GTlsDatabase *self,
576 : : GTlsCertificate *chain,
577 : : const gchar *purpose,
578 : : GSocketConnectable *identity,
579 : : GTlsInteraction *interaction,
580 : : GTlsDatabaseVerifyFlags flags,
581 : : GCancellable *cancellable,
582 : : GAsyncReadyCallback callback,
583 : : gpointer user_data)
584 : : {
585 : 0 : g_return_if_fail (G_IS_TLS_DATABASE (self));
586 : 0 : g_return_if_fail (G_IS_TLS_CERTIFICATE (chain));
587 : 0 : g_return_if_fail (purpose != NULL);
588 : 0 : g_return_if_fail (interaction == NULL || G_IS_TLS_INTERACTION (interaction));
589 : 0 : g_return_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable));
590 : 0 : g_return_if_fail (identity == NULL || G_IS_SOCKET_CONNECTABLE (identity));
591 : 0 : g_return_if_fail (callback != NULL);
592 : :
593 : 0 : g_return_if_fail (G_TLS_DATABASE_GET_CLASS (self)->verify_chain_async);
594 : 0 : G_TLS_DATABASE_GET_CLASS (self)->verify_chain_async (self,
595 : : chain,
596 : : purpose,
597 : : identity,
598 : : interaction,
599 : : flags,
600 : : cancellable,
601 : : callback,
602 : : user_data);
603 : : }
604 : :
605 : : /**
606 : : * g_tls_database_verify_chain_finish:
607 : : * @self: a #GTlsDatabase
608 : : * @result: a #GAsyncResult.
609 : : * @error: a #GError pointer, or %NULL
610 : : *
611 : : * Finish an asynchronous verify chain operation. See
612 : : * g_tls_database_verify_chain() for more information.
613 : : *
614 : : * If @chain is found to be valid, then the return value will be 0. If
615 : : * @chain is found to be invalid, then the return value will indicate
616 : : * the problems found. If the function is unable to determine whether
617 : : * @chain is valid or not (eg, because @cancellable is triggered
618 : : * before it completes) then the return value will be
619 : : * %G_TLS_CERTIFICATE_GENERIC_ERROR and @error will be set
620 : : * accordingly. @error is not set when @chain is successfully analyzed
621 : : * but found to be invalid.
622 : : *
623 : : * Returns: the appropriate #GTlsCertificateFlags which represents the
624 : : * result of verification.
625 : : *
626 : : * Since: 2.30
627 : : */
628 : : GTlsCertificateFlags
629 : 0 : g_tls_database_verify_chain_finish (GTlsDatabase *self,
630 : : GAsyncResult *result,
631 : : GError **error)
632 : : {
633 : 0 : g_return_val_if_fail (G_IS_TLS_DATABASE (self), G_TLS_CERTIFICATE_GENERIC_ERROR);
634 : 0 : g_return_val_if_fail (G_IS_ASYNC_RESULT (result), G_TLS_CERTIFICATE_GENERIC_ERROR);
635 : 0 : g_return_val_if_fail (error == NULL || *error == NULL, G_TLS_CERTIFICATE_GENERIC_ERROR);
636 : 0 : g_return_val_if_fail (G_TLS_DATABASE_GET_CLASS (self)->verify_chain_finish,
637 : : G_TLS_CERTIFICATE_GENERIC_ERROR);
638 : 0 : return G_TLS_DATABASE_GET_CLASS (self)->verify_chain_finish (self,
639 : : result,
640 : : error);
641 : : }
642 : :
643 : : /**
644 : : * g_tls_database_create_certificate_handle:
645 : : * @self: a #GTlsDatabase
646 : : * @certificate: certificate for which to create a handle.
647 : : *
648 : : * Create a handle string for the certificate. The database will only be able
649 : : * to create a handle for certificates that originate from the database. In
650 : : * cases where the database cannot create a handle for a certificate, %NULL
651 : : * will be returned.
652 : : *
653 : : * This handle should be stable across various instances of the application,
654 : : * and between applications. If a certificate is modified in the database,
655 : : * then it is not guaranteed that this handle will continue to point to it.
656 : : *
657 : : * Returns: (nullable): a newly allocated string containing the
658 : : * handle.
659 : : *
660 : : * Since: 2.30
661 : : */
662 : : gchar*
663 : 0 : g_tls_database_create_certificate_handle (GTlsDatabase *self,
664 : : GTlsCertificate *certificate)
665 : : {
666 : 0 : g_return_val_if_fail (G_IS_TLS_DATABASE (self), NULL);
667 : 0 : g_return_val_if_fail (G_IS_TLS_CERTIFICATE (certificate), NULL);
668 : 0 : g_return_val_if_fail (G_TLS_DATABASE_GET_CLASS (self)->create_certificate_handle, NULL);
669 : 0 : return G_TLS_DATABASE_GET_CLASS (self)->create_certificate_handle (self,
670 : : certificate);
671 : : }
672 : :
673 : : /**
674 : : * g_tls_database_lookup_certificate_for_handle:
675 : : * @self: a #GTlsDatabase
676 : : * @handle: a certificate handle
677 : : * @interaction: (nullable): used to interact with the user if necessary
678 : : * @flags: Flags which affect the lookup.
679 : : * @cancellable: (nullable): a #GCancellable, or %NULL
680 : : * @error: (nullable): a #GError, or %NULL
681 : : *
682 : : * Look up a certificate by its handle.
683 : : *
684 : : * The handle should have been created by calling
685 : : * g_tls_database_create_certificate_handle() on a #GTlsDatabase object of
686 : : * the same TLS backend. The handle is designed to remain valid across
687 : : * instantiations of the database.
688 : : *
689 : : * If the handle is no longer valid, or does not point to a certificate in
690 : : * this database, then %NULL will be returned.
691 : : *
692 : : * This function can block, use g_tls_database_lookup_certificate_for_handle_async() to perform
693 : : * the lookup operation asynchronously.
694 : : *
695 : : * Returns: (transfer full) (nullable): a newly allocated
696 : : * #GTlsCertificate, or %NULL. Use g_object_unref() to release the certificate.
697 : : *
698 : : * Since: 2.30
699 : : */
700 : : GTlsCertificate*
701 : 0 : g_tls_database_lookup_certificate_for_handle (GTlsDatabase *self,
702 : : const gchar *handle,
703 : : GTlsInteraction *interaction,
704 : : GTlsDatabaseLookupFlags flags,
705 : : GCancellable *cancellable,
706 : : GError **error)
707 : : {
708 : 0 : g_return_val_if_fail (G_IS_TLS_DATABASE (self), NULL);
709 : 0 : g_return_val_if_fail (handle != NULL, NULL);
710 : 0 : g_return_val_if_fail (interaction == NULL || G_IS_TLS_INTERACTION (interaction), NULL);
711 : 0 : g_return_val_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable), NULL);
712 : 0 : g_return_val_if_fail (error == NULL || *error == NULL, NULL);
713 : 0 : g_return_val_if_fail (G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_for_handle, NULL);
714 : 0 : return G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_for_handle (self,
715 : : handle,
716 : : interaction,
717 : : flags,
718 : : cancellable,
719 : : error);
720 : : }
721 : :
722 : :
723 : : /**
724 : : * g_tls_database_lookup_certificate_for_handle_async:
725 : : * @self: a #GTlsDatabase
726 : : * @handle: a certificate handle
727 : : * @interaction: (nullable): used to interact with the user if necessary
728 : : * @flags: Flags which affect the lookup.
729 : : * @cancellable: (nullable): a #GCancellable, or %NULL
730 : : * @callback: callback to call when the operation completes
731 : : * @user_data: the data to pass to the callback function
732 : : *
733 : : * Asynchronously look up a certificate by its handle in the database. See
734 : : * g_tls_database_lookup_certificate_for_handle() for more information.
735 : : *
736 : : * Since: 2.30
737 : : */
738 : : void
739 : 0 : g_tls_database_lookup_certificate_for_handle_async (GTlsDatabase *self,
740 : : const gchar *handle,
741 : : GTlsInteraction *interaction,
742 : : GTlsDatabaseLookupFlags flags,
743 : : GCancellable *cancellable,
744 : : GAsyncReadyCallback callback,
745 : : gpointer user_data)
746 : : {
747 : 0 : g_return_if_fail (G_IS_TLS_DATABASE (self));
748 : 0 : g_return_if_fail (handle != NULL);
749 : 0 : g_return_if_fail (interaction == NULL || G_IS_TLS_INTERACTION (interaction));
750 : 0 : g_return_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable));
751 : 0 : g_return_if_fail (G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_for_handle_async);
752 : 0 : G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_for_handle_async (self,
753 : : handle,
754 : : interaction,
755 : : flags,
756 : : cancellable,
757 : : callback,
758 : : user_data);
759 : : }
760 : :
761 : : /**
762 : : * g_tls_database_lookup_certificate_for_handle_finish:
763 : : * @self: a #GTlsDatabase
764 : : * @result: a #GAsyncResult.
765 : : * @error: a #GError pointer, or %NULL
766 : : *
767 : : * Finish an asynchronous lookup of a certificate by its handle. See
768 : : * g_tls_database_lookup_certificate_for_handle() for more information.
769 : : *
770 : : * If the handle is no longer valid, or does not point to a certificate in
771 : : * this database, then %NULL will be returned.
772 : : *
773 : : * Returns: (transfer full): a newly allocated #GTlsCertificate object.
774 : : * Use g_object_unref() to release the certificate.
775 : : *
776 : : * Since: 2.30
777 : : */
778 : : GTlsCertificate*
779 : 0 : g_tls_database_lookup_certificate_for_handle_finish (GTlsDatabase *self,
780 : : GAsyncResult *result,
781 : : GError **error)
782 : : {
783 : 0 : g_return_val_if_fail (G_IS_TLS_DATABASE (self), NULL);
784 : 0 : g_return_val_if_fail (G_IS_ASYNC_RESULT (result), NULL);
785 : 0 : g_return_val_if_fail (error == NULL || *error == NULL, NULL);
786 : 0 : g_return_val_if_fail (G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_for_handle_finish, NULL);
787 : 0 : return G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_for_handle_finish (self,
788 : : result,
789 : : error);
790 : : }
791 : :
792 : : /**
793 : : * g_tls_database_lookup_certificate_issuer:
794 : : * @self: a #GTlsDatabase
795 : : * @certificate: a #GTlsCertificate
796 : : * @interaction: (nullable): used to interact with the user if necessary
797 : : * @flags: flags which affect the lookup operation
798 : : * @cancellable: (nullable): a #GCancellable, or %NULL
799 : : * @error: (nullable): a #GError, or %NULL
800 : : *
801 : : * Look up the issuer of @certificate in the database. The
802 : : * #GTlsCertificate:issuer property of @certificate is not modified, and
803 : : * the two certificates are not hooked into a chain.
804 : : *
805 : : * This function can block. Use g_tls_database_lookup_certificate_issuer_async()
806 : : * to perform the lookup operation asynchronously.
807 : : *
808 : : * Beware this function cannot be used to build certification paths. The
809 : : * issuer certificate returned by this function may not be the same as
810 : : * the certificate that would actually be used to construct a valid
811 : : * certification path during certificate verification.
812 : : * [RFC 4158](https://datatracker.ietf.org/doc/html/rfc4158) explains
813 : : * why an issuer certificate cannot be naively assumed to be part of the
814 : : * the certification path (though GLib's TLS backends may not follow the
815 : : * path building strategies outlined in this RFC). Due to the complexity
816 : : * of certification path building, GLib does not provide any way to know
817 : : * which certification path will actually be used when verifying a TLS
818 : : * certificate. Accordingly, this function cannot be used to make
819 : : * security-related decisions. Only GLib itself should make security
820 : : * decisions about TLS certificates.
821 : : *
822 : : * Returns: (transfer full): a newly allocated issuer #GTlsCertificate,
823 : : * or %NULL. Use g_object_unref() to release the certificate.
824 : : *
825 : : * Since: 2.30
826 : : */
827 : : GTlsCertificate*
828 : 0 : g_tls_database_lookup_certificate_issuer (GTlsDatabase *self,
829 : : GTlsCertificate *certificate,
830 : : GTlsInteraction *interaction,
831 : : GTlsDatabaseLookupFlags flags,
832 : : GCancellable *cancellable,
833 : : GError **error)
834 : : {
835 : 0 : g_return_val_if_fail (G_IS_TLS_DATABASE (self), NULL);
836 : 0 : g_return_val_if_fail (G_IS_TLS_CERTIFICATE (certificate), NULL);
837 : 0 : g_return_val_if_fail (interaction == NULL || G_IS_TLS_INTERACTION (interaction), NULL);
838 : 0 : g_return_val_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable), NULL);
839 : 0 : g_return_val_if_fail (error == NULL || *error == NULL, NULL);
840 : 0 : g_return_val_if_fail (G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_issuer, NULL);
841 : 0 : return G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_issuer (self,
842 : : certificate,
843 : : interaction,
844 : : flags,
845 : : cancellable,
846 : : error);
847 : : }
848 : :
849 : : /**
850 : : * g_tls_database_lookup_certificate_issuer_async:
851 : : * @self: a #GTlsDatabase
852 : : * @certificate: a #GTlsCertificate
853 : : * @interaction: (nullable): used to interact with the user if necessary
854 : : * @flags: flags which affect the lookup operation
855 : : * @cancellable: (nullable): a #GCancellable, or %NULL
856 : : * @callback: callback to call when the operation completes
857 : : * @user_data: the data to pass to the callback function
858 : : *
859 : : * Asynchronously look up the issuer of @certificate in the database. See
860 : : * g_tls_database_lookup_certificate_issuer() for more information.
861 : : *
862 : : * Since: 2.30
863 : : */
864 : : void
865 : 0 : g_tls_database_lookup_certificate_issuer_async (GTlsDatabase *self,
866 : : GTlsCertificate *certificate,
867 : : GTlsInteraction *interaction,
868 : : GTlsDatabaseLookupFlags flags,
869 : : GCancellable *cancellable,
870 : : GAsyncReadyCallback callback,
871 : : gpointer user_data)
872 : : {
873 : 0 : g_return_if_fail (G_IS_TLS_DATABASE (self));
874 : 0 : g_return_if_fail (G_IS_TLS_CERTIFICATE (certificate));
875 : 0 : g_return_if_fail (interaction == NULL || G_IS_TLS_INTERACTION (interaction));
876 : 0 : g_return_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable));
877 : 0 : g_return_if_fail (callback != NULL);
878 : 0 : g_return_if_fail (G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_issuer_async);
879 : 0 : G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_issuer_async (self,
880 : : certificate,
881 : : interaction,
882 : : flags,
883 : : cancellable,
884 : : callback,
885 : : user_data);
886 : : }
887 : :
888 : : /**
889 : : * g_tls_database_lookup_certificate_issuer_finish:
890 : : * @self: a #GTlsDatabase
891 : : * @result: a #GAsyncResult.
892 : : * @error: a #GError pointer, or %NULL
893 : : *
894 : : * Finish an asynchronous lookup issuer operation. See
895 : : * g_tls_database_lookup_certificate_issuer() for more information.
896 : : *
897 : : * Returns: (transfer full): a newly allocated issuer #GTlsCertificate,
898 : : * or %NULL. Use g_object_unref() to release the certificate.
899 : : *
900 : : * Since: 2.30
901 : : */
902 : : GTlsCertificate*
903 : 0 : g_tls_database_lookup_certificate_issuer_finish (GTlsDatabase *self,
904 : : GAsyncResult *result,
905 : : GError **error)
906 : : {
907 : 0 : g_return_val_if_fail (G_IS_TLS_DATABASE (self), NULL);
908 : 0 : g_return_val_if_fail (G_IS_ASYNC_RESULT (result), NULL);
909 : 0 : g_return_val_if_fail (error == NULL || *error == NULL, NULL);
910 : 0 : g_return_val_if_fail (G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_issuer_finish, NULL);
911 : 0 : return G_TLS_DATABASE_GET_CLASS (self)->lookup_certificate_issuer_finish (self,
912 : : result,
913 : : error);
914 : : }
915 : :
916 : : /**
917 : : * g_tls_database_lookup_certificates_issued_by:
918 : : * @self: a #GTlsDatabase
919 : : * @issuer_raw_dn: a #GByteArray which holds the DER encoded issuer DN.
920 : : * @interaction: (nullable): used to interact with the user if necessary
921 : : * @flags: Flags which affect the lookup operation.
922 : : * @cancellable: (nullable): a #GCancellable, or %NULL
923 : : * @error: (nullable): a #GError, or %NULL
924 : : *
925 : : * Look up certificates issued by this issuer in the database.
926 : : *
927 : : * This function can block, use g_tls_database_lookup_certificates_issued_by_async() to perform
928 : : * the lookup operation asynchronously.
929 : : *
930 : : * Returns: (transfer full) (element-type GTlsCertificate): a newly allocated list of #GTlsCertificate
931 : : * objects. Use g_object_unref() on each certificate, and g_list_free() on the release the list.
932 : : *
933 : : * Since: 2.30
934 : : */
935 : : GList*
936 : 0 : g_tls_database_lookup_certificates_issued_by (GTlsDatabase *self,
937 : : GByteArray *issuer_raw_dn,
938 : : GTlsInteraction *interaction,
939 : : GTlsDatabaseLookupFlags flags,
940 : : GCancellable *cancellable,
941 : : GError **error)
942 : : {
943 : 0 : g_return_val_if_fail (G_IS_TLS_DATABASE (self), NULL);
944 : 0 : g_return_val_if_fail (issuer_raw_dn, NULL);
945 : 0 : g_return_val_if_fail (interaction == NULL || G_IS_TLS_INTERACTION (interaction), NULL);
946 : 0 : g_return_val_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable), NULL);
947 : 0 : g_return_val_if_fail (error == NULL || *error == NULL, NULL);
948 : 0 : g_return_val_if_fail (G_TLS_DATABASE_GET_CLASS (self)->lookup_certificates_issued_by, NULL);
949 : 0 : return G_TLS_DATABASE_GET_CLASS (self)->lookup_certificates_issued_by (self,
950 : : issuer_raw_dn,
951 : : interaction,
952 : : flags,
953 : : cancellable,
954 : : error);
955 : : }
956 : :
957 : : /**
958 : : * g_tls_database_lookup_certificates_issued_by_async:
959 : : * @self: a #GTlsDatabase
960 : : * @issuer_raw_dn: a #GByteArray which holds the DER encoded issuer DN.
961 : : * @interaction: (nullable): used to interact with the user if necessary
962 : : * @flags: Flags which affect the lookup operation.
963 : : * @cancellable: (nullable): a #GCancellable, or %NULL
964 : : * @callback: callback to call when the operation completes
965 : : * @user_data: the data to pass to the callback function
966 : : *
967 : : * Asynchronously look up certificates issued by this issuer in the database. See
968 : : * g_tls_database_lookup_certificates_issued_by() for more information.
969 : : *
970 : : * The database may choose to hold a reference to the issuer byte array for the duration
971 : : * of this asynchronous operation. The byte array should not be modified during
972 : : * this time.
973 : : *
974 : : * Since: 2.30
975 : : */
976 : : void
977 : 0 : g_tls_database_lookup_certificates_issued_by_async (GTlsDatabase *self,
978 : : GByteArray *issuer_raw_dn,
979 : : GTlsInteraction *interaction,
980 : : GTlsDatabaseLookupFlags flags,
981 : : GCancellable *cancellable,
982 : : GAsyncReadyCallback callback,
983 : : gpointer user_data)
984 : : {
985 : 0 : g_return_if_fail (G_IS_TLS_DATABASE (self));
986 : 0 : g_return_if_fail (issuer_raw_dn != NULL);
987 : 0 : g_return_if_fail (interaction == NULL || G_IS_TLS_INTERACTION (interaction));
988 : 0 : g_return_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable));
989 : 0 : g_return_if_fail (callback != NULL);
990 : 0 : g_return_if_fail (G_TLS_DATABASE_GET_CLASS (self)->lookup_certificates_issued_by_async);
991 : 0 : G_TLS_DATABASE_GET_CLASS (self)->lookup_certificates_issued_by_async (self,
992 : : issuer_raw_dn,
993 : : interaction,
994 : : flags,
995 : : cancellable,
996 : : callback,
997 : : user_data);
998 : : }
999 : :
1000 : : /**
1001 : : * g_tls_database_lookup_certificates_issued_by_finish:
1002 : : * @self: a #GTlsDatabase
1003 : : * @result: a #GAsyncResult.
1004 : : * @error: a #GError pointer, or %NULL
1005 : : *
1006 : : * Finish an asynchronous lookup of certificates. See
1007 : : * g_tls_database_lookup_certificates_issued_by() for more information.
1008 : : *
1009 : : * Returns: (transfer full) (element-type GTlsCertificate): a newly allocated list of #GTlsCertificate
1010 : : * objects. Use g_object_unref() on each certificate, and g_list_free() on the release the list.
1011 : : *
1012 : : * Since: 2.30
1013 : : */
1014 : : GList*
1015 : 0 : g_tls_database_lookup_certificates_issued_by_finish (GTlsDatabase *self,
1016 : : GAsyncResult *result,
1017 : : GError **error)
1018 : : {
1019 : 0 : g_return_val_if_fail (G_IS_TLS_DATABASE (self), NULL);
1020 : 0 : g_return_val_if_fail (G_IS_ASYNC_RESULT (result), NULL);
1021 : 0 : g_return_val_if_fail (error == NULL || *error == NULL, NULL);
1022 : 0 : g_return_val_if_fail (G_TLS_DATABASE_GET_CLASS (self)->lookup_certificates_issued_by_finish, NULL);
1023 : 0 : return G_TLS_DATABASE_GET_CLASS (self)->lookup_certificates_issued_by_finish (self,
1024 : : result,
1025 : : error);
1026 : : }
|