The DER (binary) encoded representation of the certificate. This property and the #GTlsCertificate:certificate-pem property represent the same data, just in different forms.
The PEM (ASCII) encoded representation of the certificate. This property and the #GTlsCertificate:certificate property represent the same data, just in different forms.
The DNS names from the certificate's Subject Alternative Names (SANs), %NULL if unavailable.
The IP addresses from the certificate's Subject Alternative Names (SANs), %NULL if unavailable.
A #GTlsCertificate representing the entity that issued this certificate. If %NULL, this means that the certificate is either self-signed, or else the certificate of the issuer is not available.
Beware the issuer certificate may not be the same as the certificate that would actually be used to construct a valid certification path during certificate verification. RFC 4158 explains why an issuer certificate cannot be naively assumed to be part of the the certification path (though GLib's TLS backends may not follow the path building strategies outlined in this RFC). Due to the complexity of certification path building, GLib does not provide any way to know which certification path will actually be used. Accordingly, this property cannot be used to make security-related decisions. Only GLib itself should make security decisions about TLS certificates.
The issuer from the certificate, %NULL if unavailable.
The time at which this cert is no longer valid, %NULL if unavailable.
The time at which this cert is considered to be valid, %NULL if unavailable.
An optional password used when constructed with GTlsCertificate:pkcs12-data.
A URI referencing the PKCS #11 objects containing an X.509 certificate and optionally a private key.
If %NULL, the certificate is either not backed by PKCS #11 or the #GTlsBackend does not support PKCS #11.
The PKCS #12 formatted data used to construct the object.
See also: g_tls_certificate_new_from_pkcs12()
The DER (binary) encoded representation of the certificate's
private key, in either PKCS #1 format
or unencrypted PKCS #8 format.
PKCS #8 format is supported since 2.32; earlier releases only
support PKCS #1. You can use the openssl rsa
tool to convert
PKCS #8 keys to PKCS #1.
This property (or the #GTlsCertificate:private-key-pem property) can be set when constructing a key (for example, from a file). Since GLib 2.70, it is now also readable; however, be aware that if the private key is backed by a PKCS #11 URI – for example, if it is stored on a smartcard – then this property will be %NULL. If so, the private key must be referenced via its PKCS #11 URI, #GTlsCertificate:private-key-pkcs11-uri. You must check both properties to see if the certificate really has a private key. When this property is read, the output format will be unencrypted PKCS #8.
The PEM (ASCII) encoded representation of the certificate's
private key in either PKCS #1 format
("BEGIN RSA PRIVATE KEY
") or unencrypted
PKCS #8 format
("BEGIN PRIVATE KEY
"). PKCS #8 format is supported since 2.32;
earlier releases only support PKCS #1. You can use the openssl rsa
tool to convert PKCS #8 keys to PKCS #1.
This property (or the #GTlsCertificate:private-key property) can be set when constructing a key (for example, from a file). Since GLib 2.70, it is now also readable; however, be aware that if the private key is backed by a PKCS #11 URI - for example, if it is stored on a smartcard - then this property will be %NULL. If so, the private key must be referenced via its PKCS #11 URI, #GTlsCertificate:private-key-pkcs11-uri. You must check both properties to see if the certificate really has a private key. When this property is read, the output format will be unencrypted PKCS #8.
A URI referencing a PKCS #11 object containing a private key.
The subject from the cert, %NULL if unavailable.
Creates a binding between source_property
on source
and target_property
on target
.
Whenever the source_property
is changed the target_property
is
updated using the same value. For instance:
g_object_bind_property (action, "active", widget, "sensitive", 0);
Will result in the "sensitive" property of the widget #GObject instance to be updated with the same value of the "active" property of the action #GObject instance.
If flags
contains %G_BINDING_BIDIRECTIONAL then the binding will be mutual:
if target_property
on target
changes then the source_property
on source
will be updated as well.
The binding will automatically be removed when either the source
or the
target
instances are finalized. To remove the binding without affecting the
source
and the target
you can just call g_object_unref() on the returned
#GBinding instance.
Removing the binding by calling g_object_unref() on it must only be done if
the binding, source
and target
are only used from a single thread and it
is clear that both source
and target
outlive the binding. Especially it
is not safe to rely on this if the binding, source
or target
can be
finalized from different threads. Keep another reference to the binding and
use g_binding_unbind() instead to be on the safe side.
A #GObject can have multiple bindings.
the property on source
to bind
the target #GObject
the property on target
to bind
flags to pass to #GBinding
Creates a binding between source_property
on source
and target_property
on target,
allowing you to set the transformation functions to be used by
the binding.
This function is the language bindings friendly version of g_object_bind_property_full(), using #GClosures instead of function pointers.
the property on source
to bind
the target #GObject
the property on target
to bind
flags to pass to #GBinding
a #GClosure wrapping the transformation function from the source
to the target,
or %NULL to use the default
a #GClosure wrapping the transformation function from the target
to the source,
or %NULL to use the default
This function is intended for #GObject implementations to re-enforce a [floating][floating-ref] object reference. Doing this is seldom required: all #GInitiallyUnowneds are created with a floating reference which usually just needs to be sunken by calling g_object_ref_sink().
Increases the freeze count on object
. If the freeze count is
non-zero, the emission of "notify" signals on object
is
stopped. The signals are queued until the freeze count is decreased
to zero. Duplicate notifications are squashed so that at most one
#GObject::notify signal is emitted for each property modified while the
object is frozen.
This is necessary for accessors that modify multiple properties to prevent premature notification while the object is still being modified.
Gets a named field from the objects table of associations (see g_object_set_data()).
name of the key for that association
Gets the value of #GTlsCertificate:dns-names.
Gets the value of #GTlsCertificate:ip-addresses.
Gets the #GTlsCertificate representing cert'
s issuer, if known
Returns the issuer name from the certificate.
Gets a property of an object.
The value
can be:
In general, a copy is made of the property contents and the caller is responsible for freeing the memory by calling g_value_unset().
Note that g_object_get_property() is really intended for language bindings, g_object_get() is much more convenient for C programming.
the name of the property to get
return location for the property value
This function gets back user data pointers stored via g_object_set_qdata().
A #GQuark, naming the user data pointer
Returns the subject name from the certificate.
Gets n_properties
properties for an object
.
Obtained properties will be set to values
. All properties must be valid.
Warnings will be emitted and undefined behaviour may result if invalid
properties are passed in.
the names of each property to get
the values of each property to get
Checks whether object
has a [floating][floating-ref] reference.
Check if two #GTlsCertificate objects represent the same certificate. The raw DER byte data of the two certificates are checked for equality. This has the effect that two certificates may compare equal even if their #GTlsCertificate:issuer, #GTlsCertificate:private-key, or #GTlsCertificate:private-key-pem properties differ.
second certificate to compare
Emits a "notify" signal for the property property_name
on object
.
When possible, eg. when signaling a property change from within the class that registered the property, you should use g_object_notify_by_pspec() instead.
Note that emission of the notify signal may be blocked with g_object_freeze_notify(). In this case, the signal emissions are queued and will be emitted (in reverse order) when g_object_thaw_notify() is called.
the name of a property installed on the class of object
.
Emits a "notify" signal for the property specified by pspec
on object
.
This function omits the property name lookup, hence it is faster than g_object_notify().
One way to avoid using g_object_notify() from within the class that registered the properties, and using g_object_notify_by_pspec() instead, is to store the GParamSpec used with g_object_class_install_property() inside a static array, e.g.:
enum
{
PROP_0,
PROP_FOO,
PROP_LAST
};
static GParamSpec *properties[PROP_LAST];
static void
my_object_class_init (MyObjectClass *klass)
{
properties[PROP_FOO] = g_param_spec_int ("foo", "Foo", "The foo",
0, 100,
50,
G_PARAM_READWRITE);
g_object_class_install_property (gobject_class,
PROP_FOO,
properties[PROP_FOO]);
}
and then notify a change on the "foo" property with:
g_object_notify_by_pspec (self, properties[PROP_FOO]);
the #GParamSpec of a property installed on the class of object
.
Increase the reference count of object,
and possibly remove the
[floating][floating-ref] reference, if object
has a floating reference.
In other words, if the object is floating, then this call "assumes ownership" of the floating reference, converting it to a normal reference by clearing the floating flag while leaving the reference count unchanged. If the object is not floating, then this call adds a new normal reference increasing the reference count by one.
Since GLib 2.56, the type of object
will be propagated to the return type
under the same conditions as for g_object_ref().
Releases all references to other objects. This can be used to break reference cycles.
This function should only be called from object system implementations.
Each object carries around a table of associations from strings to pointers. This function lets you set an association.
If the object already had an association with that name, the old association will be destroyed.
Internally, the key
is converted to a #GQuark using g_quark_from_string().
This means a copy of key
is kept permanently (even after object
has been
finalized) — so it is recommended to only use a small, bounded set of values
for key
in your program, to avoid the #GQuark storage growing unbounded.
name of the key
data to associate with that key
Sets a property on an object.
the name of the property to set
the value
Remove a specified datum from the object's data associations, without invoking the association's destroy handler.
name of the key
This function gets back user data pointers stored via
g_object_set_qdata() and removes the data
from object
without invoking its destroy() function (if any was
set).
Usually, calling this function is only required to update
user data pointers with a destroy notifier, for example:
void
object_add_to_user_list (GObject *object,
const gchar *new_string)
{
// the quark, naming the object data
GQuark quark_string_list = g_quark_from_static_string ("my-string-list");
// retrieve the old string list
GList *list = g_object_steal_qdata (object, quark_string_list);
// prepend new string
list = g_list_prepend (list, g_strdup (new_string));
// this changed 'list', so we need to set it again
g_object_set_qdata_full (object, quark_string_list, list, free_string_list);
}
static void
free_string_list (gpointer data)
{
GList *node, *list = data;
for (node = list; node; node = node->next)
g_free (node->data);
g_list_free (list);
}
Using g_object_get_qdata() in the above example, instead of g_object_steal_qdata() would have left the destroy function set, and thus the partial string list would have been freed upon g_object_set_qdata_full().
A #GQuark, naming the user data pointer
Reverts the effect of a previous call to
g_object_freeze_notify(). The freeze count is decreased on object
and when it reaches zero, queued "notify" signals are emitted.
Duplicate notifications for each property are squashed so that at most one #GObject::notify signal is emitted for each property, in the reverse order in which they have been queued.
It is an error to call this function when the freeze count is zero.
Decreases the reference count of object
. When its reference count
drops to 0, the object is finalized (i.e. its memory is freed).
If the pointer to the #GObject may be reused in future (for example, if it is an instance variable of another object), it is recommended to clear the pointer to %NULL rather than retain a dangling pointer to a potentially invalid #GObject instance. Use g_clear_object() for this.
This verifies cert
and returns a set of #GTlsCertificateFlags
indicating any problems found with it. This can be used to verify a
certificate outside the context of making a connection, or to
check a certificate against a CA that is not part of the system
CA database.
If identity
is not %NULL, cert'
s name(s) will be compared against
it, and %G_TLS_CERTIFICATE_BAD_IDENTITY will be set in the return
value if it does not match. If identity
is %NULL, that bit will
never be set in the return value.
If trusted_ca
is not %NULL, then cert
(or one of the certificates
in its chain) must be signed by it, or else
%G_TLS_CERTIFICATE_UNKNOWN_CA will be set in the return value. If
trusted_ca
is %NULL, that bit will never be set in the return
value.
GLib guarantees that if certificate verification fails, at least one error will be set in the return value, but it does not guarantee that all possible errors will be set. Accordingly, you may not safely decide to ignore any particular type of error. For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if you want to allow expired certificates, because this could potentially be the only error flag set even if other problems exist with the certificate.
Because TLS session context is not used, #GTlsCertificate may not perform as many checks on the certificates as #GTlsConnection would. For example, certificate constraints may not be honored, and revocation checks may not be performed. The best way to verify TLS certificates used by a TLS connection is to let #GTlsConnection handle the verification.
the expected peer identity
the certificate of a trusted authority
Emits a "notify" signal for the property property_name
on object
.
When possible, eg. when signaling a property change from within the class that registered the property, you should use g_object_notify_by_pspec() instead.
Note that emission of the notify signal may be blocked with g_object_freeze_notify(). In this case, the signal emissions are queued and will be emitted (in reverse order) when g_object_thaw_notify() is called.
This verifies cert
and returns a set of #GTlsCertificateFlags
indicating any problems found with it. This can be used to verify a
certificate outside the context of making a connection, or to
check a certificate against a CA that is not part of the system
CA database.
If identity
is not %NULL, cert'
s name(s) will be compared against
it, and %G_TLS_CERTIFICATE_BAD_IDENTITY will be set in the return
value if it does not match. If identity
is %NULL, that bit will
never be set in the return value.
If trusted_ca
is not %NULL, then cert
(or one of the certificates
in its chain) must be signed by it, or else
%G_TLS_CERTIFICATE_UNKNOWN_CA will be set in the return value. If
trusted_ca
is %NULL, that bit will never be set in the return
value.
GLib guarantees that if certificate verification fails, at least one error will be set in the return value, but it does not guarantee that all possible errors will be set. Accordingly, you may not safely decide to ignore any particular type of error. For example, it would be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if you want to allow expired certificates, because this could potentially be the only error flag set even if other problems exist with the certificate.
Because TLS session context is not used, #GTlsCertificate may not perform as many checks on the certificates as #GTlsConnection would. For example, certificate constraints may not be honored, and revocation checks may not be performed. The best way to verify TLS certificates used by a TLS connection is to let #GTlsConnection handle the verification.
the expected peer identity
the certificate of a trusted authority
This function essentially limits the life time of the closure
to
the life time of the object. That is, when the object is finalized,
the closure
is invalidated by calling g_closure_invalidate() on
it, in order to prevent invocations of the closure with a finalized
(nonexisting) object. Also, g_object_ref() and g_object_unref() are
added as marshal guards to the closure,
to ensure that an extra
reference count is held on object
during invocation of the
closure
. Usually, this function will be called on closures that
use this object
as closure data.
#GClosure to watch
Find the #GParamSpec with the given name for an
interface. Generally, the interface vtable passed in as g_iface
will be the default vtable from g_type_default_interface_ref(), or,
if you know the interface has already been loaded,
g_type_default_interface_peek().
any interface vtable for the interface, or the default vtable for the interface
name of a property to look up.
Add a property to an interface; this is only useful for interfaces that are added to GObject-derived types. Adding a property to an interface forces all objects classes with that interface to have a compatible property. The compatible property could be a newly created #GParamSpec, but normally g_object_class_override_property() will be used so that the object class only needs to provide an implementation and inherits the property description, default value, bounds, and so forth from the interface property.
This function is meant to be called from the interface's default
vtable initialization function (the class_init
member of
#GTypeInfo.) It must not be called after after class_init
has
been called for any object types implementing this interface.
If pspec
is a floating reference, it will be consumed.
any interface vtable for the interface, or the default vtable for the interface.
the #GParamSpec for the new property
Lists the properties of an interface.Generally, the interface
vtable passed in as g_iface
will be the default vtable from
g_type_default_interface_ref(), or, if you know the interface has
already been loaded, g_type_default_interface_peek().
any interface vtable for the interface, or the default vtable for the interface
Creates one or more #GTlsCertificates from the PEM-encoded
data in file
. If file
cannot be read or parsed, the function will
return %NULL and set error
. If file
does not contain any
PEM-encoded certificates, this will return an empty list and not
set error
.
file containing PEM-encoded certificates to import
Creates a #GTlsCertificate from the data in file
.
As of 2.72, if the filename ends in .p12
or .pfx
the data is loaded by
g_tls_certificate_new_from_pkcs12() otherwise it is loaded by
g_tls_certificate_new_from_pem(). See those functions for
exact details.
If file
cannot be read or parsed, the function will return %NULL and
set error
.
file containing a certificate to import
Creates a #GTlsCertificate from the data in file
.
If file
cannot be read or parsed, the function will return %NULL and
set error
.
Any unknown file types will error with %G_IO_ERROR_NOT_SUPPORTED.
Currently only .p12
and .pfx
files are supported.
See g_tls_certificate_new_from_pkcs12() for more details.
file containing a certificate to import
password for PKCS #12 files
Creates a #GTlsCertificate from the PEM-encoded data in cert_file
and key_file
. The returned certificate will be the first certificate
found in cert_file
. As of GLib 2.44, if cert_file
contains more
certificates it will try to load a certificate chain. All
certificates will be verified in the order found (top-level
certificate should be the last one in the file) and the
#GTlsCertificate:issuer property of each certificate will be set
accordingly if the verification succeeds. If any certificate in the
chain cannot be verified, the first certificate in the file will
still be returned.
If either file cannot be read or parsed, the function will return
%NULL and set error
. Otherwise, this behaves like
g_tls_certificate_new_from_pem().
file containing one or more PEM-encoded certificates to import
file containing a PEM-encoded private key to import
Creates a #GTlsCertificate from the PEM-encoded data in data
. If
data
includes both a certificate and a private key, then the
returned certificate will include the private key data as well. (See
the #GTlsCertificate:private-key-pem property for information about
supported formats.)
The returned certificate will be the first certificate found in
data
. As of GLib 2.44, if data
contains more certificates it will
try to load a certificate chain. All certificates will be verified in
the order found (top-level certificate should be the last one in the
file) and the #GTlsCertificate:issuer property of each certificate
will be set accordingly if the verification succeeds. If any
certificate in the chain cannot be verified, the first certificate in
the file will still be returned.
PEM-encoded certificate data
the length of data,
or -1 if it's 0-terminated.
Creates a #GTlsCertificate from a PKCS #11 URI.
An example pkcs1
1_uri would be pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01
Where the token’s layout is:
|[ Object 0: URL: pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01;object=private%20key;type=private Type: Private key (RSA-2048) ID: 01
Object 1: URL: pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01;object=Certificate%20for%20Authentication;type=cert Type: X.509 Certificate (RSA-2048) ID: 01
In this case the certificate and private key would both be detected and used as expected.
`pkcs_uri` may also just reference an X.509 certificate object and then optionally
`private_key_pkcs1`1_uri allows using a private key exposed under a different URI.
Note that the private key is not accessed until usage and may fail or require a PIN later.
@constructor
@param pkcs11_uri A PKCS \#11 URI
@param private_key_pkcs11_uri A PKCS \#11 URI
Creates a #GTlsCertificate from the data in data
. It must contain
a certificate and matching private key.
If extra certificates are included they will be verified as a chain and the #GTlsCertificate:issuer property will be set. All other data will be ignored.
You can pass as single password for all of the data which will be used both for the PKCS #12 container as well as encrypted private keys. If decryption fails it will error with %G_TLS_ERROR_BAD_CERTIFICATE_PASSWORD.
This constructor requires support in the current #GTlsBackend. If support is missing it will error with %G_IO_ERROR_NOT_SUPPORTED.
Other parsing failures will error with %G_TLS_ERROR_BAD_CERTIFICATE.
DER-encoded PKCS #12 format certificate data
optional password for encrypted certificate data
Creates a new instance of a #GObject subtype and sets its properties.
Construction parameters (see %G_PARAM_CONSTRUCT, %G_PARAM_CONSTRUCT_ONLY) which are not explicitly specified are set to their default values.
the type id of the #GObject subtype to instantiate
an array of #GParameter
A certificate used for TLS authentication and encryption. This can represent either a certificate only (eg, the certificate received by a client from a server), or the combination of a certificate and a private key (which is needed when acting as a #GTlsServerConnection).