summaryrefslogtreecommitdiff
path: root/gio/gtlscertificate.c
Commit message (Collapse)AuthorAgeFilesLines
* gtlscertificate: Update reference to G_TLS_CERTIFICATE_NO_FLAGSMarco Trevisan (Treviño)2022-08-061-1/+1
| | | | G_TLS_CERTIFICATE_FLAGS_NONE was removed as part of commit aa65fc2537.
* gioenums: Add G_TLS_CERTIFICATE_FLAGS_NONESimon McVittie2022-06-231-0/+2
| | | | | | | This makes the absence of flags (in other words, a valid certificate) more self-documenting. Signed-off-by: Simon McVittie <smcv@collabora.com>
* gtlscertificate: Hold a ref on the root certificate when building chainsPhilip Withnall2022-06-211-1/+3
| | | | | | | | | | | | | | This is unlikely to be a bug in practice, as the certificate pointed to by `root` should have a ref held on it as the issuer of another certificate in the chain. However, we can’t guarantee that’s how the `GTlsCertificate` implementation behaves, so keep a temporary ref on `root` until it’s no longer needed. Signed-off-by: Philip Withnall <pwithnall@endlessos.org> Coverity CID: #1489985
* gio: Add SPDX license headers automaticallyPhilip Withnall2022-05-181-0/+2
| | | | | | | | | | | | | | Add SPDX license (but not copyright) headers to all files which follow a certain pattern in their existing non-machine-readable header comment. This commit was entirely generated using the command: ``` git ls-files gio/*.[ch] | xargs perl -0777 -pi -e 's/\n \*\n \* This library is free software; you can redistribute it and\/or\n \* modify it under the terms of the GNU Lesser General Public/\n \*\n \* SPDX-License-Identifier: LGPL-2.1-or-later\n \*\n \* This library is free software; you can redistribute it and\/or\n \* modify it under the terms of the GNU Lesser General Public/igs' ``` Signed-off-by: Philip Withnall <pwithnall@endlessos.org> Helps: #1415
* Fix redefinition of local variable in gio/gtlscertificate.cLoic Le Page2022-04-011-4/+4
|
* Add `(array length)` annotation to `g_tls_certificate_new_from_pkcs12()`Sebastian Dröge2022-01-251-1/+1
|
* gtlscertificate: Add ability to load PKCS #12 encrypted filesPatrick Griffis2022-01-071-18/+187
| | | | This depends on the GTlsBackend implementing these properties
* gtlscertificate: tone down warning about g_tls_certificate_verify()Michael Catanzaro2021-11-221-2/+2
|
* Document potential footgun with GTlsCertificateFlagsMichael Catanzaro2021-11-161-2/+7
| | | | | | | | | | | Once upon a time, we tried to return all possible certificate errors, but it never actually worked reliably and nowadays we have given up. This needs to be documented because a reasonable developer would not expect it. Because mistakes could be security-critical, I decided to copy the same warning in several different places rather than relying only on cross-referencese.
* gtlscertificate: improve documentationMichael Catanzaro2021-08-041-0/+19
| | | | | | | | | | Let's explain the advantages of relying on GTlsConnection to perform certificate verification. Also, document that the issuer property is a little tricky, because the issuer certificate might not be the certificate that actually gets used in final certification path building. This is very unexpected to anybody who is not an expert.
* gtlscertificate: Add more annotations to new propertiesMichael Catanzaro2021-06-211-2/+2
|
* gtlscertificate: add some doc links to PKCS #11 specificationMichael Catanzaro2021-06-151-5/+7
|
* gtlscertificate: make private key properties readableMichael Catanzaro2021-06-151-19/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | WebKit wants these private key properties to be readable in order to implement a deserialization function. Currently they are read-only because at the time GTlsCertificate was originally designed, the plan was to support PKCS#11-backed private keys: private keys that are stored on a smartcard, where the private key is completely unreadable. The design goal was to support both memory-backed and smartcard-backed private keys with the same GTlsCertificate API, abstracting away the implementation differences such that code using GTlsCertificate doesn't need to know the difference. The original PKCS#11 implementation was never fully baked and at some point in the past I deleted it all. It has since been replaced with a new implementation, including a GTlsCertificate:private-key-pkcs11-uri property, which is readable. So our current API already exposes the differences between normal private keys and PKCS#11-backed private keys. The point of making the private-key and private-key-pem properties write-only was to avoid exposing this difference. Do we have to make this API function readable? No, because WebKit could be just as well served if we were to expose serialize and deserialize functions instead. But WebKit needs to support serializing and deserializing the non-private portion of GTlsCertificate with older versions of GLib anyway, so we can do whatever is nicest for GLib. And I think making this property readable is nicest, since the original design reason for it to not be readable is now obsolete. The disadvantage to this approach is that it's now possible for an application to read the private-key or private-key-pem property, receive NULL, and think "this certificate must not have a private key," which would be incorrect if the private-key-pkcs11-uri property is set. That seems like a minor risk, but it should be documented.
* tls: expose SAN details on GTlsCertificateRoss Wollman2021-06-101-0/+80
| | | | | | | | | | | | | | | This changeset exposes * `dns-names` * `ip-addresses` on GTlsCertificate provided by the underlying TLS Backend. See https://gitlab.gnome.org/GNOME/glib-networking/-/merge_requests/165 for the corresponding glib-networking changes. Relates: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2113 Relates: https://gitlab.gnome.org/GNOME/glib-networking/-/merge_requests/156/diffs Relates: https://github.com/microsoft/playwright/issues/6759
* tlscertificate: Avoid possible invalid readPeter Bloomfield2021-06-041-3/+4
| | | | | In various places, do not read past the end of the data. Fixes https://gitlab.gnome.org/GNOME/glib/-/issues/2416
* tls: expose cert details on GTlsCertificateRoss A. Wollman2021-06-011-0/+156
| | | | | | | | | | | | | | | | | | | | | | | | | This changeset exposes * `not-valid-before` * `not-valid-after` * `subject-name` * `issuer-name` on GTlsCertificate provided by the underlying TLS Backend. In order to make use of these changes, see the related [glib-networking MR][glib-networking]. This change aims to help populate more of the [`Certificate`][wk-cert] info in the WebKit Inspector Protocol on Linux. This changeset stems from work in Microsoft Playwright to [add more info into its HAR capture][pw] generated from the Inspector Protocol events and will bring feature parity across WebKit platforms. [wk-cert]: https://github.com/WebKit/WebKit/blob/8afe31a018b11741abdf9b4d5bb973d7c1d9ff05/Source/JavaScriptCore/inspector/protocol/Security.json [pw]: https://github.com/microsoft/playwright/pull/6631 [glib-networking]: https://gitlab.gnome.org/GNOME/glib-networking/-/merge_requests/156
* docs: Fix formatting of code blockpgriffis/doc-fixPatrick Griffis2021-04-191-2/+2
|
* gio: Add missing nullable annotationsSebastian Dröge2020-11-111-1/+1
|
* gtlscertificate: Add support for PKCS #11 backed certificatesPatrick Griffis2020-10-011-3/+129
| | | | This reverts commit d58e5de9e9c8d93e64d34aa8a7100bdfbc9b8dac.
* Revert "gtlscertificate: Add support for PKCS #11 backed certificates"Michael Catanzaro2020-01-301-129/+3
| | | | | | | | | | | | | | | | | | | | | | This reverts commit b6d8efbebcc0ad1e12bf16f47a173cadfcbf986d. This GLib API is good, but the implentation is not ready, so there's no reason to commit to the API in GLib 2.64. We can reland again when the implementation is ready. There are three problems: (a) The glib-networking implementation normally works, but the test has been broken for a long time. I'm not comfortable with adding a major new feature without a working test. This is glib-networking#104. (b) The WebKit implementation never landed. There is a working patch, but it hasn't been accepted upstream yet. This API isn't needed in GLib until WebKit is ready to start using it. https://bugs.webkit.org/show_bug.cgi?id=200805. (c) Similarly, even if the WebKit API was ready, that itself isn't useful until an application is ready to start using it, and the Epiphany level work never happened. Let's try again for GLib 2.66. Reverting this commit now just means we gain another six months before committing to the API forever. No reason to keep this in GLib 2.64 when nothing is using it yet.
* gtlscertificate: Add support for PKCS #11 backed certificatesPatrick Griffis2019-10-021-3/+129
| | | | This adds properties to allow backends to expose PKCS #11 support.
* gtlscertificate: Allow any type of private key in PEM filesFredrik Ternerot2018-12-181-34/+35
| | | | | | | | | | | | | Allow any type of private key in PEM files by treating PEM guards ending with "PRIVATE KEY-----" as a private key instead of looking for a pre-defined set of PEM guards. This enables the possibility for custom GTlsBackend to add support for new key types. Test cases have been expanded to ensure PEM parsing works for private key when either header or footer is missing. Encrypted PKCS#8 is still rejected. Test case has been added for this to ensure behaviour is the same before and after this change.
* gtlscertificate: Fix bug in PEM private key parserFredrik Ternerot2018-12-141-1/+1
| | | | | | | Make sure to not go outside of PEM data buffer when looking for private key. Also adding test case that triggers this bug.
* gio/: LGPLv2+ -> LGPLv2.1+Sébastien Wilmet2017-05-291-1/+1
| | | | | | | | | | | | | | | | | Sub-directories inside gio/ already processed in a previous commit: - fam/ - gdbus-2.0/ (which contains only codegen/) - gvdb/ - inotify/ - tests/ - win32/ - xdgmime/ Other sub-directories inside gio/: - completion/: no license headers - kqueue/: not LGPL, BSD-style license https://bugzilla.gnome.org/show_bug.cgi?id=776504
* Drop trailing semi-colon from G_DEFINE_ macroEmmanuele Bassi2017-04-101-1/+1
| | | | | | | | It's unnecessary, and only adds visual noise; we have been fairly inconsistent in the past, but the semi-colon-less version clearly dominates in the code base. https://bugzilla.gnome.org/show_bug.cgi?id=669355
* introspection: use (nullable) or (optional) instead of (allow-none)Christian Hergert2016-11-221-2/+2
| | | | | | | | If we have an input parameter (or return value) we need to use (nullable). However, if it is an (inout) or (out) parameter, (optional) is sufficient. It looks like (nullable) could be used for everything according to the Annotation documentation, but (optional) is more specific.
* Use Unicode in translatable stringsPiotr Drąg2016-10-121-2/+2
| | | | | | See https://developer.gnome.org/hig/stable/typography.html https://bugzilla.gnome.org/show_bug.cgi?id=772221
* gio: Add filename type annotationsChristoph Reiter2016-06-041-5/+6
| | | | https://bugzilla.gnome.org/show_bug.cgi?id=767245
* gtlscertificate: Fix error reporting if a GError is not passed inPhilip Withnall2015-10-031-3/+8
| | | | | | | | | | | | If the certificate constructor is called as: g_tls_certificate_new_from_pem (data, length, NULL); and PEM parsing fails for the private key, the function would have continued to try and create a certificate using a NULL key_pem value, which would have failed or crashed. Use g_propagate_error() correctly to avoid this. Coverity CID: 1325403
* GTlsCertificate: fix loading of chain with private keyMichael Catanzaro2015-08-291-2/+8
| | | | | | | | | | If a private key (or anything, in fact) follows the final certificate in the file, certificate parsing will be aborted and only the first certificate in the chain will be returned, with the private key not set. Be tolerant of this, rather than expecting the final character in the file to be the newline following the last certificate. https://bugzilla.gnome.org/show_bug.cgi?id=754264
* docs: fix up docs issues in gio/Xavier Claessens2015-02-051-1/+0
|
* GTlsCertificate: fix loading of bad certificate chainsDan Winship2014-11-011-6/+6
| | | | | | | | | g_tls_certificate_new_from_file() was only loading the complete chain if it was fully valid, but we only meant to be validating that it formed an actual chain (since the caller may be planning to ignore other errors). https://bugzilla.gnome.org/show_bug.cgi?id=729739
* tlscertificate: add support for certificate chainsAleix Conchillo Flaqué2014-10-061-46/+184
| | | | | | | | | | | | | | | | This patch changes the behavior of the following functions: g_tls_certificate_new_from_pem g_tls_certificate_new_from_file g_tls_certificate_new_from_files If more than one certificate is found it will try to load the chain. It is assumed that the chain will be in the right order (top-level certificate will be the last one in the file). If the chain cannot be verified, the first certificate in the file will be returned as before. https://bugzilla.gnome.org/show_bug.cgi?id=729739
* gtlscertificate: fix certificate list parsing with trailing commentsDan Winship2014-04-091-10/+15
| | | | | | | | g_tls_certificate_list_new_from_file() was supposed to ignore non-PEM content, but it accidentally required that there not be anything after the last certificate. Fix that. https://bugzilla.gnome.org/show_bug.cgi?id=727692
* docs: use "Returns:" consistentlyWilliam Jon McCann2014-02-191-7/+7
| | | | Instead of "Return value:".
* Docs: replace <literal> by `Matthias Clasen2014-02-061-5/+5
|
* Docs: Big entity cleanupMatthias Clasen2014-02-011-1/+1
| | | | | Strip lots of entity use from |[ ]| examples (which are now implicit CDATA). Also remove many redundant uses of <!-- -->.
* Updated FSF's addressDaniel Mustieles2014-01-311-3/+1
|
* Add includes to all gio docsMatthias Clasen2014-01-071-0/+1
|
* Revert "gtlscertificate: Add certificate-bytes and private-key-bytes props"Stef Walter2012-08-211-48/+11
| | | | | | | | | | | | | * In order to add contstruct properties to an abstract base calls, and retain ABI stability, the base class must add a default implementation of those properties. * We cannot add a default implementation of certificate-bytes or private-key-bytes since certificate and private-key properties are writable on construct-only. This reverts commit 541c985869fe9f2c0a858c0a91b4eb60f99d19f0. https://bugzilla.gnome.org/show_bug.cgi?id=682081
* gtlscertificate: Add certificate-bytes and private-key-bytes propsStef Walter2012-08-061-11/+48
| | | | | | | * These properties contain the same data as certificate and private-key, but as GBytes https://bugzilla.gnome.org/show_bug.cgi?id=681319
* gtlscertificate: Don't confuse certificate and public key in docsStef Walter2012-08-061-8/+7
| | | | | | | | | | * A certificate sorta acts as a public key, but more specifically it contains a public key (in its subjectPublicKeyInfo) field. * Documentation was confusing and could have read like the certificate and certificate-pem properties were returning the public key part of the certificate. https://bugzilla.gnome.org/show_bug.cgi?id=681158
* gtlscertificate: Add g_tls_certificate_is_same() functionStef Walter2012-08-031-0/+37
| | | | | | | * Certificate equality in PKIX in general is equality between the DER encoding of the certificates. https://bugzilla.gnome.org/show_bug.cgi?id=681116
* GTlsCertificate: support unencrypted PKCS#8 private keysDan Winship2011-11-181-22/+54
| | | | | | | | PKCS#8 is the "right" way to encode private keys. Although the APIs do not currently support encrypted keys, we should at least support unencrypted PKCS#8 keys. https://bugzilla.gnome.org/show_bug.cgi?id=664321
* gio static fixupsRyan Lortie2011-10-161-2/+2
|
* Rework PEM parsing to not be order dependentNicolas Dufresne2011-07-271-54/+95
| | | | | Some valid PEM file would not work because the private key was put before the certificate.
* Fix two leaks seen when using TLS connectionsDan Winship2011-04-071-0/+1
| | | | | | g_tls_certificate_list_new_from_file() was leaking the file contents, and GSource was leaking the GSourcePrivate structure that got created when using child sources.
* Correct gtk-doc SECTION: syntaxJohan Dahlin2011-02-011-1/+1
| | | | | g-ir-scanner does not allow a space between the : and the section name.
* Add g_tls_certificate_verify()Dan Winship2010-12-071-45/+47
| | | | | | | Add a method to verify a certificate against a CA; this can be used for apps that need to test against non-default CAs. Also make the GTlsCertificate::issuer property virtual
* Various doc tweaksMatthias Clasen2010-11-281-1/+1
|
View Lorry Controller Status