Class TlsCertificate

All Implemented Interfaces:
PointerInterface

public class TlsCertificate extends Object
A certificate used for TLS authentication and encryption.
This can represent either a certificate only (eg, the certificate
received by a client from a server), or the combination of
a certificate and a private key (which is needed when acting as a
#GTlsServerConnection).

https://docs.gtk.org/gio/class.TlsCertificate.html

  • Constructor Details

  • Method Details

    • getClassHandler

      public static ClassHandler getClassHandler()
    • newFromFileTlsCertificate

      public static TlsCertificate newFromFileTlsCertificate(@Nonnull Str file) throws AllocationError
      Creates a #GTlsCertificate from the data in @file.

      As of 2.72, if the filename ends in `.p12` or `.pfx` the data is loaded by
      g_tls_certificate_new_from_pkcs12() otherwise it is loaded by
      g_tls_certificate_new_from_pem(). See those functions for
      exact details.

      If @file cannot be read or parsed, the function will return %NULL and
      set @error.
      Parameters:
      file - file containing a certificate to import
      Returns:
      the new certificate, or %NULL on error
      Throws:
      AllocationError
    • newFromFileTlsCertificate

      public static TlsCertificate newFromFileTlsCertificate(String file) throws AllocationError
      Creates a #GTlsCertificate from the data in @file.

      As of 2.72, if the filename ends in `.p12` or `.pfx` the data is loaded by
      g_tls_certificate_new_from_pkcs12() otherwise it is loaded by
      g_tls_certificate_new_from_pem(). See those functions for
      exact details.

      If @file cannot be read or parsed, the function will return %NULL and
      set @error.
      Parameters:
      file - file containing a certificate to import
      Returns:
      the new certificate, or %NULL on error
      Throws:
      AllocationError
    • newFromFileWithPasswordTlsCertificate

      public static TlsCertificate newFromFileWithPasswordTlsCertificate(@Nonnull Str file, @Nonnull Str password) throws AllocationError
      Creates a #GTlsCertificate from the data in @file.

      If @file cannot be read or parsed, the function will return %NULL and
      set @error.

      Any unknown file types will error with %G_IO_ERROR_NOT_SUPPORTED.
      Currently only `.p12` and `.pfx` files are supported.
      See g_tls_certificate_new_from_pkcs12() for more details.
      Parameters:
      file - file containing a certificate to import
      password - password for PKCS #12 files
      Returns:
      the new certificate, or %NULL on error
      Throws:
      AllocationError
    • newFromFileWithPasswordTlsCertificate

      public static TlsCertificate newFromFileWithPasswordTlsCertificate(String file, String password) throws AllocationError
      Creates a #GTlsCertificate from the data in @file.

      If @file cannot be read or parsed, the function will return %NULL and
      set @error.

      Any unknown file types will error with %G_IO_ERROR_NOT_SUPPORTED.
      Currently only `.p12` and `.pfx` files are supported.
      See g_tls_certificate_new_from_pkcs12() for more details.
      Parameters:
      file - file containing a certificate to import
      password - password for PKCS #12 files
      Returns:
      the new certificate, or %NULL on error
      Throws:
      AllocationError
    • newFromFilesTlsCertificate

      public static TlsCertificate newFromFilesTlsCertificate(@Nonnull Str cert_file, @Nonnull Str key_file) throws AllocationError
      Creates a #GTlsCertificate from the PEM-encoded data in @cert_file
      and @key_file. The returned certificate will be the first certificate
      found in @cert_file. As of GLib 2.44, if @cert_file contains more
      certificates it will try to load a certificate chain. All
      certificates will be verified in the order found (top-level
      certificate should be the last one in the file) and the
      #GTlsCertificate:issuer property of each certificate will be set
      accordingly if the verification succeeds. If any certificate in the
      chain cannot be verified, the first certificate in the file will
      still be returned.

      If either file cannot be read or parsed, the function will return
      %NULL and set @error. Otherwise, this behaves like
      g_tls_certificate_new_from_pem().
      Parameters:
      cert_file - file containing one or more PEM-encoded certificates to import
      key_file - file containing a PEM-encoded private key to import
      Returns:
      the new certificate, or %NULL on error
      Throws:
      AllocationError
    • newFromFilesTlsCertificate

      public static TlsCertificate newFromFilesTlsCertificate(String cert_file, String key_file) throws AllocationError
      Creates a #GTlsCertificate from the PEM-encoded data in @cert_file
      and @key_file. The returned certificate will be the first certificate
      found in @cert_file. As of GLib 2.44, if @cert_file contains more
      certificates it will try to load a certificate chain. All
      certificates will be verified in the order found (top-level
      certificate should be the last one in the file) and the
      #GTlsCertificate:issuer property of each certificate will be set
      accordingly if the verification succeeds. If any certificate in the
      chain cannot be verified, the first certificate in the file will
      still be returned.

      If either file cannot be read or parsed, the function will return
      %NULL and set @error. Otherwise, this behaves like
      g_tls_certificate_new_from_pem().
      Parameters:
      cert_file - file containing one or more PEM-encoded certificates to import
      key_file - file containing a PEM-encoded private key to import
      Returns:
      the new certificate, or %NULL on error
      Throws:
      AllocationError
    • newFromPemTlsCertificate

      public static TlsCertificate newFromPemTlsCertificate(@Nonnull Str data, long length) throws AllocationError
      Creates a #GTlsCertificate from the PEM-encoded data in @data. If
      @data includes both a certificate and a private key, then the
      returned certificate will include the private key data as well. (See
      the #GTlsCertificate:private-key-pem property for information about
      supported formats.)

      The returned certificate will be the first certificate found in
      @data. As of GLib 2.44, if @data contains more certificates it will
      try to load a certificate chain. All certificates will be verified in
      the order found (top-level certificate should be the last one in the
      file) and the #GTlsCertificate:issuer property of each certificate
      will be set accordingly if the verification succeeds. If any
      certificate in the chain cannot be verified, the first certificate in
      the file will still be returned.
      Parameters:
      data - PEM-encoded certificate data
      length - the length of @data, or -1 if it's 0-terminated.
      Returns:
      the new certificate, or %NULL if @data is invalid
      Throws:
      AllocationError
    • newFromPemTlsCertificate

      public static TlsCertificate newFromPemTlsCertificate(String data, long length) throws AllocationError
      Creates a #GTlsCertificate from the PEM-encoded data in @data. If
      @data includes both a certificate and a private key, then the
      returned certificate will include the private key data as well. (See
      the #GTlsCertificate:private-key-pem property for information about
      supported formats.)

      The returned certificate will be the first certificate found in
      @data. As of GLib 2.44, if @data contains more certificates it will
      try to load a certificate chain. All certificates will be verified in
      the order found (top-level certificate should be the last one in the
      file) and the #GTlsCertificate:issuer property of each certificate
      will be set accordingly if the verification succeeds. If any
      certificate in the chain cannot be verified, the first certificate in
      the file will still be returned.
      Parameters:
      data - PEM-encoded certificate data
      length - the length of @data, or -1 if it's 0-terminated.
      Returns:
      the new certificate, or %NULL if @data is invalid
      Throws:
      AllocationError
    • newFromPkcs11UrisTlsCertificate

      public static TlsCertificate newFromPkcs11UrisTlsCertificate(@Nonnull Str pkcs11_uri, @Nullable Str private_key_pkcs11_uri) throws AllocationError
      Creates a #GTlsCertificate from a
      [PKCS \#11](https://docs.oasis-open.org/pkcs11/pkcs11-base/v3.0/os/pkcs11-base-v3.0-os.html) URI.

      An example @pkcs11_uri would be `pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01`

      Where the token’s layout is:
       Object 0:
         URL: pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01;object=private%20key;type=private
         Type: Private key (RSA-2048)
         ID: 01
       
       Object 1:
         URL: pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01;object=Certificate%20for%20Authentication;type=cert
         Type: X.509 Certificate (RSA-2048)
         ID: 01
       


      In this case the certificate and private key would both be detected and used as expected.
      @pkcs_uri may also just reference an X.509 certificate object and then optionally
      @private_key_pkcs11_uri allows using a private key exposed under a different URI.

      Note that the private key is not accessed until usage and may fail or require a PIN later.
      Parameters:
      pkcs11_uri - A PKCS \#11 URI
      private_key_pkcs11_uri - A PKCS \#11 URI
      Returns:
      the new certificate, or %NULL on error
      Throws:
      AllocationError
    • newFromPkcs11UrisTlsCertificate

      public static TlsCertificate newFromPkcs11UrisTlsCertificate(String pkcs11_uri, String private_key_pkcs11_uri) throws AllocationError
      Creates a #GTlsCertificate from a
      [PKCS \#11](https://docs.oasis-open.org/pkcs11/pkcs11-base/v3.0/os/pkcs11-base-v3.0-os.html) URI.

      An example @pkcs11_uri would be `pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01`

      Where the token’s layout is:
       Object 0:
         URL: pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01;object=private%20key;type=private
         Type: Private key (RSA-2048)
         ID: 01
       
       Object 1:
         URL: pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01;object=Certificate%20for%20Authentication;type=cert
         Type: X.509 Certificate (RSA-2048)
         ID: 01
       


      In this case the certificate and private key would both be detected and used as expected.
      @pkcs_uri may also just reference an X.509 certificate object and then optionally
      @private_key_pkcs11_uri allows using a private key exposed under a different URI.

      Note that the private key is not accessed until usage and may fail or require a PIN later.
      Parameters:
      pkcs11_uri - A PKCS \#11 URI
      private_key_pkcs11_uri - A PKCS \#11 URI
      Returns:
      the new certificate, or %NULL on error
      Throws:
      AllocationError
    • getDnsNames

      public PtrArray getDnsNames()
      Gets the value of #GTlsCertificate:dns-names.
      Returns:
      A #GPtrArray of #GBytes elements, or %NULL if it's not available.
    • getIpAddresses

      public PtrArray getIpAddresses()
      Gets the value of #GTlsCertificate:ip-addresses.
      Returns:
      A #GPtrArray of #GInetAddress elements, or %NULL if it's not available.
    • getIssuer

      public TlsCertificate getIssuer()
      Gets the #GTlsCertificate representing @cert's issuer, if known
      Returns:
      The certificate of @cert's issuer, or %NULL if @cert is self-signed or signed with an unknown certificate.
    • getIssuerName

      public Str getIssuerName()
      Returns the issuer name from the certificate.
      Returns:
      The issuer name, or %NULL if it's not available.
    • getNotValidAfter

      public DateTime getNotValidAfter()
      Returns the time at which the certificate became or will become invalid.
      Returns:
      The not-valid-after date, or %NULL if it's not available.
    • getNotValidBefore

      public DateTime getNotValidBefore()
      Returns the time at which the certificate became or will become valid.
      Returns:
      The not-valid-before date, or %NULL if it's not available.
    • getSubjectName

      public Str getSubjectName()
      Returns the subject name from the certificate.
      Returns:
      The subject name, or %NULL if it's not available.
    • isSame

      public boolean isSame(@Nonnull TlsCertificate cert_two)
      Check if two #GTlsCertificate objects represent the same certificate.
      The raw DER byte data of the two certificates are checked for equality.
      This has the effect that two certificates may compare equal even if
      their #GTlsCertificate:issuer, #GTlsCertificate:private-key, or
      #GTlsCertificate:private-key-pem properties differ.
      Parameters:
      cert_two - second certificate to compare
      Returns:
      whether the same or not
    • verify

      public int verify(@Nullable SocketConnectable identity, @Nullable TlsCertificate trusted_ca)
      This verifies @cert and returns a set of #GTlsCertificateFlags
      indicating any problems found with it. This can be used to verify a
      certificate outside the context of making a connection, or to
      check a certificate against a CA that is not part of the system
      CA database.

      If @cert is valid, %G_TLS_CERTIFICATE_NO_FLAGS is returned.

      If @identity is not %NULL, @cert's name(s) will be compared against
      it, and %G_TLS_CERTIFICATE_BAD_IDENTITY will be set in the return
      value if it does not match. If @identity is %NULL, that bit will
      never be set in the return value.

      If @trusted_ca is not %NULL, then @cert (or one of the certificates
      in its chain) must be signed by it, or else
      %G_TLS_CERTIFICATE_UNKNOWN_CA will be set in the return value. If
      @trusted_ca is %NULL, that bit will never be set in the return
      value.

      GLib guarantees that if certificate verification fails, at least one
      error will be set in the return value, but it does not guarantee
      that all possible errors will be set. Accordingly, you may not safely
      decide to ignore any particular type of error. For example, it would
      be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if you want to allow
      expired certificates, because this could potentially be the only
      error flag set even if other problems exist with the certificate.

      Because TLS session context is not used, #GTlsCertificate may not
      perform as many checks on the certificates as #GTlsConnection would.
      For example, certificate constraints may not be honored, and
      revocation checks may not be performed. The best way to verify TLS
      certificates used by a TLS connection is to let #GTlsConnection
      handle the verification.
      Parameters:
      identity - the expected peer identity
      trusted_ca - the certificate of a trusted authority
      Returns:
      the appropriate #GTlsCertificateFlags
    • listNewFromFile

      public static List listNewFromFile(@Nonnull Str file) throws AllocationError
      Creates one or more #GTlsCertificates from the PEM-encoded
      data in @file. If @file cannot be read or parsed, the function will
      return %NULL and set @error. If @file does not contain any
      PEM-encoded certificates, this will return an empty list and not
      set @error.
      Parameters:
      file - file containing PEM-encoded certificates to import
      Returns:
      a #GList containing #GTlsCertificate objects. You must free the list and its contents when you are done with it.
      Throws:
      AllocationError
    • getTypeID

      public static long getTypeID()
    • getParentTypeID

      public static long getParentTypeID()
    • getTypeSize

      public static TypeSystem.TypeSize getTypeSize()
    • getParentTypeSize

      public static TypeSystem.TypeSize getParentTypeSize()
    • getInstanceSize

      public static int getInstanceSize()