[glib/tls] Add g_tls_certificate_verify()



commit 2c773872b9c35677477efbd2f5e15071ba1701e6
Author: Dan Winship <danw gnome org>
Date:   Tue Nov 30 19:57:16 2010 -0500

    Add g_tls_certificate_verify()
    
    Add a method to verify a certificate against a CA; this can be used
    for apps that need to test against non-default CAs.
    
    Also make the GTlsCertificate::issuer property virtual

 gio/gtlscertificate.c |   90 ++++++++++++++++++++++++------------------------
 gio/gtlscertificate.h |   32 +++++++++++------
 2 files changed, 65 insertions(+), 57 deletions(-)
---
diff --git a/gio/gtlscertificate.c b/gio/gtlscertificate.c
index be1f9af..ab40a50 100644
--- a/gio/gtlscertificate.c
+++ b/gio/gtlscertificate.c
@@ -53,11 +53,6 @@
 
 G_DEFINE_ABSTRACT_TYPE (GTlsCertificate, g_tls_certificate, G_TYPE_OBJECT);
 
-struct _GTlsCertificatePrivate
-{
-  GTlsCertificate *issuer;
-};
-
 enum
 {
   PROP_0,
@@ -72,9 +67,6 @@ enum
 static void
 g_tls_certificate_init (GTlsCertificate *cert)
 {
-  cert->priv = G_TYPE_INSTANCE_GET_PRIVATE (cert,
-					    G_TYPE_TLS_CERTIFICATE,
-					    GTlsCertificatePrivate);
 }
 
 static void
@@ -83,17 +75,7 @@ g_tls_certificate_get_property (GObject    *object,
 				GValue     *value,
 				GParamSpec *pspec)
 {
-  GTlsCertificate *cert = G_TLS_CERTIFICATE (object);
-
-  switch (prop_id)
-    {
-    case PROP_ISSUER:
-      g_value_set_object (value, cert->priv->issuer);
-      break;
-
-    default:
-      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
-    }
+  G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
 }
 
 static void
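Review bot: The base get_property() now hits G_OBJECT_WARN_INVALID_PROPERTY_ID for every id, yet PROP_ISSUER is still a declared id (the enum hunk above keeps it) and g_tls_certificate_get_issuer() later reads "issuer" through g_object_get(); if the base class still installs that property, a subclass that does not override get_property/set_property will emit the invalid-property warning instead of yielding its issuer. The same applies to the set_property hunk that follows. Since the commit makes the property virtual, state the obligation where subclass authors will look, e.g. above the warning line: `/* "issuer" is virtual: subclasses must handle PROP_ISSUER in their own get_property/set_property */`.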
@@ -102,28 +84,7 @@ g_tls_certificate_set_property (GObject      *object,
 				const GValue *value,
 				GParamSpec   *pspec)
 {
-  GTlsCertificate *cert = G_TLS_CERTIFICATE (object);
-
-  switch (prop_id)
-    {
-    case PROP_ISSUER:
-      cert->priv->issuer = g_value_dup_object (value);
-      break;
-
-    default:
-      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
-    }
-}
-
-static void
-g_tls_certificate_finalize (GObject *object)
-{
-  GTlsCertificate *cert = G_TLS_CERTIFICATE (object);
-
-  if (cert->priv->issuer)
-    g_object_unref (cert->priv->issuer);
-
-  G_OBJECT_CLASS (g_tls_certificate_parent_class)->finalize (object);
+  G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
 }
 
 static void
@@ -131,11 +92,8 @@ g_tls_certificate_class_init (GTlsCertificateClass *class)
 {
   GObjectClass *gobject_class = G_OBJECT_CLASS (class);
 
-  g_type_class_add_private (class, sizeof (GTlsCertificatePrivate));
-
   gobject_class->set_property = g_tls_certificate_set_property;
   gobject_class->get_property = g_tls_certificate_get_property;
-  gobject_class->finalize = g_tls_certificate_finalize;
 
   /**
    * GTlsCertificate:certificate:
@@ -482,5 +440,47 @@ g_tls_certificate_list_new_from_file (const gchar  *file,
 GTlsCertificate *
 g_tls_certificate_get_issuer (GTlsCertificate  *cert)
 {
-  return cert->priv->issuer;
+  GTlsCertificate *issuer;
+
+  g_object_get (G_OBJECT (cert), "issuer", &issuer, NULL);
+  if (issuer)
+    g_object_unref (issuer);
+
+  return issuer;
+}
+
+/**
+ * g_tls_certificate_verify:
+ * @cert: a #GTlsCertificate
+ * @identity: (allow-none): the expected peer identity
+ * @trusted_ca: (allow-none): the certificate of a trusted authority
+ *
+ * This verifies @cert and returns a set of #GTlsCertificateFlags
+ * indicating any problems found with it. This can be used to verify a
+ * certificate outside the context of making a connection, or to
+ * check a certificate against a CA that is not part of the system
+ * CA database.
+ *
+ * If @identity is not %NULL, @cert's name(s) will be compared against
+ * it, and %G_TLS_CERTIFICATE_BAD_IDENTITY will be set in the return
+ * value if it does not match. If @identity is %NULL, that bit will
+ * never be set in the return value.
+ *
+ * If @trusted_ca is not %NULL, then @cert (or one of the certificates
+ * in its chain) must be signed by it, or else
+ * %G_TLS_CERTIFICATE_UNKNOWN_CA will be set in the return value. If
+ * @trusted_ca is %NULL, that bit will never be set in the return
+ * value.
+ *
+ * (All other #GTlsCertificateFlags values will always be set or unset
+ * as appropriate.)
+ *
+ * Return value: the appropriate #GTlsCertificateFlags
+ */
+GTlsCertificateFlags
+g_tls_certificate_verify (GTlsCertificate     *cert,
+			  GSocketConnectable  *identity,
+			  GTlsCertificate     *trusted_ca)
+{
+  return G_TLS_CERTIFICATE_GET_CLASS (cert)->verify (cert, identity, trusted_ca);
 }
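Review bot: g_tls_certificate_verify() calls the class `verify` slot unconditionally, so on this abstract class a subclass that leaves the slot NULL, or a caller passing a non-certificate, turns a trust decision into a NULL function-pointer call instead of a failed verification. Add `g_return_val_if_fail (G_IS_TLS_CERTIFICATE (cert), G_TLS_CERTIFICATE_VALIDATE_ALL);` and a matching check that the slot is non-NULL, so the function fails closed (every flag set) rather than crashing. In g_tls_certificate_get_issuer(), the reference obtained from g_object_get() is dropped before the pointer is returned, which is only sound if the subclass's property getter hands back an object the certificate itself keeps alive; the function's doc comment (outside this hunk) should state that the return is (transfer none) and that implementors must retain their own reference to the issuer.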
diff --git a/gio/gtlscertificate.h b/gio/gtlscertificate.h
index f8a7fd1..40cabf9 100644
--- a/gio/gtlscertificate.h
+++ b/gio/gtlscertificate.h
@@ -49,26 +49,34 @@ struct _GTlsCertificateClass
 {
   GObjectClass parent_class;
 
+  GTlsCertificateFlags  (* verify) (GTlsCertificate     *cert,
+				    GSocketConnectable  *identity,
+				    GTlsCertificate     *trusted_ca);
+
   /*< private >*/
   /* Padding for future expansion */
   gpointer padding[8];
 };
 
-GType            g_tls_certificate_get_type           (void) G_GNUC_CONST;
+GType                 g_tls_certificate_get_type           (void) G_GNUC_CONST;
+
+GTlsCertificate      *g_tls_certificate_new_from_pem       (const gchar         *data,
+							    gssize               length,
+							    GError             **error);
 
-GTlsCertificate *g_tls_certificate_new_from_pem       (const gchar      *data,
-						       gssize            length,
-						       GError          **error);
+GTlsCertificate      *g_tls_certificate_new_from_file      (const gchar         *file,
+							    GError             **error);
+GTlsCertificate      *g_tls_certificate_new_from_files     (const gchar         *cert_file,
+							    const gchar         *key_file,
+							    GError             **error);
+GList                *g_tls_certificate_list_new_from_file (const gchar         *file,
+							    GError             **error);
 
-GTlsCertificate *g_tls_certificate_new_from_file      (const gchar      *file,
-						       GError          **error);
-GTlsCertificate *g_tls_certificate_new_from_files     (const gchar      *cert_file,
-						       const gchar      *key_file,
-						       GError          **error);
-GList           *g_tls_certificate_list_new_from_file (const gchar      *file,
-						       GError          **error);
+GTlsCertificate      *g_tls_certificate_get_issuer         (GTlsCertificate     *cert);
 
-GTlsCertificate *g_tls_certificate_get_issuer         (GTlsCertificate  *cert);
+GTlsCertificateFlags  g_tls_certificate_verify             (GTlsCertificate     *cert,
+							    GSocketConnectable  *identity,
+							    GTlsCertificate     *trusted_ca);
 
 G_END_DECLS
 
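Review bot: The new `verify` slot is inserted ahead of `padding[8]` without consuming a padding entry, so GTlsCertificateClass grows; that is only safe if the struct has not yet shipped in a stable release — presumably the case here, but if it has, change `gpointer padding[8];` to `gpointer padding[7];`. The slot also carries no comment, so implementors get no contract at the vtable; a one-line comment above it such as `/* Return the flags for every problem found with @cert; see g_tls_certificate_verify() */` would make the expected semantics visible where subclasses are written.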


