gi-gio-2.0.32: Gio bindings
CopyrightWill Thompson and Iñaki García Etxebarria
LicenseLGPL-2.1
MaintainerIñaki García Etxebarria
Safe HaskellSafe-Inferred
LanguageHaskell2010

GI.Gio.Objects.TlsDatabase

Description

TlsDatabase is used to look up certificates and other information from a certificate or key store. It is an abstract base class which TLS library specific subtypes override.

A TlsDatabase may be accessed from multiple threads by the TLS backend. All implementations are required to be fully thread-safe.

Most common client applications will not directly interact with TlsDatabase. It is used internally by TlsConnection.

Since: 2.30

Synopsis

Exported types

newtype TlsDatabase Source #

Memory-managed wrapper type.

Constructors

TlsDatabase (ManagedPtr TlsDatabase) 

Instances

Instances details
Eq TlsDatabase Source # 
Instance details

Defined in GI.Gio.Objects.TlsDatabase

GObject TlsDatabase Source # 
Instance details

Defined in GI.Gio.Objects.TlsDatabase

ManagedPtrNewtype TlsDatabase Source # 
Instance details

Defined in GI.Gio.Objects.TlsDatabase

Methods

toManagedPtr :: TlsDatabase -> ManagedPtr TlsDatabase

TypedObject TlsDatabase Source # 
Instance details

Defined in GI.Gio.Objects.TlsDatabase

Methods

glibType :: IO GType

HasParentTypes TlsDatabase Source # 
Instance details

Defined in GI.Gio.Objects.TlsDatabase

IsGValue (Maybe TlsDatabase) Source #

Convert TlsDatabase to and from GValue. See toGValue and fromGValue.

Instance details

Defined in GI.Gio.Objects.TlsDatabase

Methods

gvalueGType_ :: IO GType

gvalueSet_ :: Ptr GValue -> Maybe TlsDatabase -> IO ()

gvalueGet_ :: Ptr GValue -> IO (Maybe TlsDatabase)

type ParentTypes TlsDatabase Source # 
Instance details

Defined in GI.Gio.Objects.TlsDatabase

type ParentTypes TlsDatabase = '[Object]

class (GObject o, IsDescendantOf TlsDatabase o) => IsTlsDatabase o Source #

Type class for types which can be safely cast to TlsDatabase, for instance with toTlsDatabase.

Instances

Instances details
(GObject o, IsDescendantOf TlsDatabase o) => IsTlsDatabase o Source # 
Instance details

Defined in GI.Gio.Objects.TlsDatabase

toTlsDatabase :: (MonadIO m, IsTlsDatabase o) => o -> m TlsDatabase Source #

Cast to TlsDatabase, for types for which this is known to be safe. For general casts, use castTo.

Methods

createCertificateHandle

tlsDatabaseCreateCertificateHandle Source #

Arguments

:: (HasCallStack, MonadIO m, IsTlsDatabase a, IsTlsCertificate b) 
=> a

self: a TlsDatabase

-> b

certificate: certificate for which to create a handle.

-> m (Maybe Text)

Returns: a newly allocated string containing the handle.

Create a handle string for the certificate. The database will only be able to create a handle for certificates that originate from the database. In cases where the database cannot create a handle for a certificate, Nothing will be returned.

This handle should be stable across various instances of the application, and between applications. If a certificate is modified in the database, then it is not guaranteed that this handle will continue to point to it.

Since: 2.30

lookupCertificateForHandle

tlsDatabaseLookupCertificateForHandle Source #

Arguments

:: (HasCallStack, MonadIO m, IsTlsDatabase a, IsTlsInteraction b, IsCancellable c) 
=> a

self: a TlsDatabase

-> Text

handle: a certificate handle

-> Maybe b

interaction: used to interact with the user if necessary

-> TlsDatabaseLookupFlags

flags: Flags which affect the lookup.

-> Maybe c

cancellable: a Cancellable, or Nothing

-> m (Maybe TlsCertificate)

Returns: a newly allocated TlsCertificate, or Nothing. Use objectUnref to release the certificate. (Can throw GError)

Look up a certificate by its handle.

The handle should have been created by calling tlsDatabaseCreateCertificateHandle on a TlsDatabase object of the same TLS backend. The handle is designed to remain valid across instantiations of the database.

If the handle is no longer valid, or does not point to a certificate in this database, then Nothing will be returned.

This function can block, use tlsDatabaseLookupCertificateForHandleAsync to perform the lookup operation asynchronously.

Since: 2.30

lookupCertificateForHandleAsync

tlsDatabaseLookupCertificateForHandleAsync Source #

Arguments

:: (HasCallStack, MonadIO m, IsTlsDatabase a, IsTlsInteraction b, IsCancellable c) 
=> a

self: a TlsDatabase

-> Text

handle: a certificate handle

-> Maybe b

interaction: used to interact with the user if necessary

-> TlsDatabaseLookupFlags

flags: Flags which affect the lookup.

-> Maybe c

cancellable: a Cancellable, or Nothing

-> Maybe AsyncReadyCallback

callback: callback to call when the operation completes

-> m () 

Asynchronously look up a certificate by its handle in the database. See tlsDatabaseLookupCertificateForHandle for more information.

Since: 2.30

lookupCertificateForHandleFinish

tlsDatabaseLookupCertificateForHandleFinish Source #

Arguments

:: (HasCallStack, MonadIO m, IsTlsDatabase a, IsAsyncResult b) 
=> a

self: a TlsDatabase

-> b

result: a AsyncResult.

-> m TlsCertificate

Returns: a newly allocated TlsCertificate object. Use objectUnref to release the certificate. (Can throw GError)

Finish an asynchronous lookup of a certificate by its handle. See tlsDatabaseLookupCertificateForHandle for more information.

If the handle is no longer valid, or does not point to a certificate in this database, then Nothing will be returned.

Since: 2.30

lookupCertificateIssuer

tlsDatabaseLookupCertificateIssuer Source #

Arguments

:: (HasCallStack, MonadIO m, IsTlsDatabase a, IsTlsCertificate b, IsTlsInteraction c, IsCancellable d) 
=> a

self: a TlsDatabase

-> b

certificate: a TlsCertificate

-> Maybe c

interaction: used to interact with the user if necessary

-> TlsDatabaseLookupFlags

flags: flags which affect the lookup operation

-> Maybe d

cancellable: a Cancellable, or Nothing

-> m TlsCertificate

Returns: a newly allocated issuer TlsCertificate, or Nothing. Use objectUnref to release the certificate. (Can throw GError)

Look up the issuer of certificate in the database. The TlsCertificate:issuer property of certificate is not modified, and the two certificates are not hooked into a chain.

This function can block. Use tlsDatabaseLookupCertificateIssuerAsync to perform the lookup operation asynchronously.

Beware this function cannot be used to build certification paths. The issuer certificate returned by this function may not be the same as the certificate that would actually be used to construct a valid certification path during certificate verification. RFC 4158 explains why an issuer certificate cannot be naively assumed to be part of the the certification path (though GLib's TLS backends may not follow the path building strategies outlined in this RFC). Due to the complexity of certification path building, GLib does not provide any way to know which certification path will actually be used when verifying a TLS certificate. Accordingly, this function cannot be used to make security-related decisions. Only GLib itself should make security decisions about TLS certificates.

Since: 2.30

lookupCertificateIssuerAsync

tlsDatabaseLookupCertificateIssuerAsync Source #

Arguments

:: (HasCallStack, MonadIO m, IsTlsDatabase a, IsTlsCertificate b, IsTlsInteraction c, IsCancellable d) 
=> a

self: a TlsDatabase

-> b

certificate: a TlsCertificate

-> Maybe c

interaction: used to interact with the user if necessary

-> TlsDatabaseLookupFlags

flags: flags which affect the lookup operation

-> Maybe d

cancellable: a Cancellable, or Nothing

-> Maybe AsyncReadyCallback

callback: callback to call when the operation completes

-> m () 

Asynchronously look up the issuer of certificate in the database. See tlsDatabaseLookupCertificateIssuer for more information.

Since: 2.30

lookupCertificateIssuerFinish

tlsDatabaseLookupCertificateIssuerFinish Source #

Arguments

:: (HasCallStack, MonadIO m, IsTlsDatabase a, IsAsyncResult b) 
=> a

self: a TlsDatabase

-> b

result: a AsyncResult.

-> m TlsCertificate

Returns: a newly allocated issuer TlsCertificate, or Nothing. Use objectUnref to release the certificate. (Can throw GError)

Finish an asynchronous lookup issuer operation. See tlsDatabaseLookupCertificateIssuer for more information.

Since: 2.30

lookupCertificatesIssuedBy

tlsDatabaseLookupCertificatesIssuedBy Source #

Arguments

:: (HasCallStack, MonadIO m, IsTlsDatabase a, IsTlsInteraction b, IsCancellable c) 
=> a

self: a TlsDatabase

-> ByteString

issuerRawDn: a ByteArray which holds the DER encoded issuer DN.

-> Maybe b

interaction: used to interact with the user if necessary

-> TlsDatabaseLookupFlags

flags: Flags which affect the lookup operation.

-> Maybe c

cancellable: a Cancellable, or Nothing

-> m [TlsCertificate]

Returns: a newly allocated list of TlsCertificate objects. Use objectUnref on each certificate, and g_list_free() on the release the list. (Can throw GError)

Look up certificates issued by this issuer in the database.

This function can block, use tlsDatabaseLookupCertificatesIssuedByAsync to perform the lookup operation asynchronously.

Since: 2.30

lookupCertificatesIssuedByAsync

tlsDatabaseLookupCertificatesIssuedByAsync Source #

Arguments

:: (HasCallStack, MonadIO m, IsTlsDatabase a, IsTlsInteraction b, IsCancellable c) 
=> a

self: a TlsDatabase

-> ByteString

issuerRawDn: a ByteArray which holds the DER encoded issuer DN.

-> Maybe b

interaction: used to interact with the user if necessary

-> TlsDatabaseLookupFlags

flags: Flags which affect the lookup operation.

-> Maybe c

cancellable: a Cancellable, or Nothing

-> Maybe AsyncReadyCallback

callback: callback to call when the operation completes

-> m () 

Asynchronously look up certificates issued by this issuer in the database. See tlsDatabaseLookupCertificatesIssuedBy for more information.

The database may choose to hold a reference to the issuer byte array for the duration of of this asynchronous operation. The byte array should not be modified during this time.

Since: 2.30

lookupCertificatesIssuedByFinish

tlsDatabaseLookupCertificatesIssuedByFinish Source #

Arguments

:: (HasCallStack, MonadIO m, IsTlsDatabase a, IsAsyncResult b) 
=> a

self: a TlsDatabase

-> b

result: a AsyncResult.

-> m [TlsCertificate]

Returns: a newly allocated list of TlsCertificate objects. Use objectUnref on each certificate, and g_list_free() on the release the list. (Can throw GError)

Finish an asynchronous lookup of certificates. See tlsDatabaseLookupCertificatesIssuedBy for more information.

Since: 2.30

verifyChain

tlsDatabaseVerifyChain Source #

Arguments

:: (HasCallStack, MonadIO m, IsTlsDatabase a, IsTlsCertificate b, IsSocketConnectable c, IsTlsInteraction d, IsCancellable e) 
=> a

self: a TlsDatabase

-> b

chain: a TlsCertificate chain

-> Text

purpose: the purpose that this certificate chain will be used for.

-> Maybe c

identity: the expected peer identity

-> Maybe d

interaction: used to interact with the user if necessary

-> [TlsDatabaseVerifyFlags]

flags: additional verify flags

-> Maybe e

cancellable: a Cancellable, or Nothing

-> m [TlsCertificateFlags]

Returns: the appropriate TlsCertificateFlags which represents the result of verification. (Can throw GError)

Determines the validity of a certificate chain, outside the context of a TLS session.

chain is a chain of TlsCertificate objects each pointing to the next certificate in the chain by its TlsCertificate:issuer property.

purpose describes the purpose (or usage) for which the certificate is being used. Typically purpose will be set to TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER which means that the certificate is being used to authenticate a server (and we are acting as the client).

The identity is used to ensure the server certificate is valid for the expected peer identity. If the identity does not match the certificate, TlsCertificateFlagsBadIdentity will be set in the return value. If identity is Nothing, that bit will never be set in the return value. The peer identity may also be used to check for pinned certificates (trust exceptions) in the database. These may override the normal verification process on a host-by-host basis.

Currently there are no flags, and TlsDatabaseVerifyFlagsNone should be used.

If chain is found to be valid, then the return value will be 0. If chain is found to be invalid, then the return value will indicate at least one problem found. If the function is unable to determine whether chain is valid (for example, because cancellable is triggered before it completes) then the return value will be TlsCertificateFlagsGenericError and error will be set accordingly. error is not set when chain is successfully analyzed but found to be invalid.

GLib guarantees that if certificate verification fails, at least one error will be set in the return value, but it does not guarantee that all possible errors will be set. Accordingly, you may not safely decide to ignore any particular type of error. For example, it would be incorrect to mask TlsCertificateFlagsExpired if you want to allow expired certificates, because this could potentially be the only error flag set even if other problems exist with the certificate.

Prior to GLib 2.48, GLib's default TLS backend modified chain to represent the certification path built by TlsDatabase during certificate verification by adjusting the TlsCertificate:issuer property of each certificate in chain. Since GLib 2.48, this no longer occurs, so you cannot rely on TlsCertificate:issuer to represent the actual certification path used during certificate verification.

Because TLS session context is not used, TlsDatabase may not perform as many checks on the certificates as TlsConnection would. For example, certificate constraints may not be honored, and revocation checks may not be performed. The best way to verify TLS certificates used by a TLS connection is to let TlsConnection handle the verification.

The TLS backend may attempt to look up and add missing certificates to the chain. This may involve HTTP requests to download missing certificates.

This function can block. Use tlsDatabaseVerifyChainAsync to perform the verification operation asynchronously.

Since: 2.30

verifyChainAsync

tlsDatabaseVerifyChainAsync Source #

Arguments

:: (HasCallStack, MonadIO m, IsTlsDatabase a, IsTlsCertificate b, IsSocketConnectable c, IsTlsInteraction d, IsCancellable e) 
=> a

self: a TlsDatabase

-> b

chain: a TlsCertificate chain

-> Text

purpose: the purpose that this certificate chain will be used for.

-> Maybe c

identity: the expected peer identity

-> Maybe d

interaction: used to interact with the user if necessary

-> [TlsDatabaseVerifyFlags]

flags: additional verify flags

-> Maybe e

cancellable: a Cancellable, or Nothing

-> Maybe AsyncReadyCallback

callback: callback to call when the operation completes

-> m () 

Asynchronously determines the validity of a certificate chain after looking up and adding any missing certificates to the chain. See tlsDatabaseVerifyChain for more information.

Since: 2.30

verifyChainFinish

tlsDatabaseVerifyChainFinish Source #

Arguments

:: (HasCallStack, MonadIO m, IsTlsDatabase a, IsAsyncResult b) 
=> a

self: a TlsDatabase

-> b

result: a AsyncResult.

-> m [TlsCertificateFlags]

Returns: the appropriate TlsCertificateFlags which represents the result of verification. (Can throw GError)

Finish an asynchronous verify chain operation. See tlsDatabaseVerifyChain for more information.

If chain is found to be valid, then the return value will be 0. If chain is found to be invalid, then the return value will indicate the problems found. If the function is unable to determine whether chain is valid or not (eg, because cancellable is triggered before it completes) then the return value will be TlsCertificateFlagsGenericError and error will be set accordingly. error is not set when chain is successfully analyzed but found to be invalid.

Since: 2.30