Package org.gnome.gio

Class TlsDatabase

java.lang.Object

org.javagi.base.ProxyInstance

org.gnome.gobject.TypeInstance

org.gnome.gobject.GObject

org.gnome.gio.TlsDatabase

All Implemented Interfaces:

Proxy

Direct Known Subclasses:

TlsDatabase.TlsDatabase$Impl, TlsFileDatabase.TlsFileDatabase$Impl

@Generated("io.github.jwharm.JavaGI")
public abstract class TlsDatabase
extends GObject

GTlsDatabase is used to look up certificates and other information from a certificate or key store. It is an abstract base class which TLS library specific subtypes override.

A GTlsDatabase may be accessed from multiple threads by the TLS backend. All implementations are required to be fully thread-safe.

Most common client applications will not directly interact with GTlsDatabase. It is used internally by TlsConnection.

Since:

2.30

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	TlsDatabase.Builder<B extends TlsDatabase.Builder<B>>	Inner class implementing a builder pattern to construct a GObject with properties.
static class	TlsDatabase.TlsDatabase$Impl	The TlsDatabase$Impl type represents a native instance of the abstract TlsDatabase class.
static class	TlsDatabase.TlsDatabaseClass	The class for GTlsDatabase.

Nested classes/interfaces inherited from class org.gnome.gobject.GObject

GObject.NotifyCallback, GObject.ObjectClass

Constructor Summary

Constructors

Constructor	Description
TlsDatabase()	Creates a new TlsDatabase.
TlsDatabase(MemorySegment address)	Create a TlsDatabase proxy instance for the provided memory address.

Method Summary

Modifier and Type	Method	Description
protected TlsDatabase	asParent()	Returns this instance as if it were its parent type.
@Nullable String	createCertificateHandle(TlsCertificate certificate)	Create a handle string for the certificate.
static MemoryLayout	getMemoryLayout()	The memory layout of the native struct.
static @Nullable Type	getType()	Get the GType of the TlsDatabase class
@Nullable TlsCertificate	lookupCertificateForHandle(String handle_, @Nullable TlsInteraction interaction, TlsDatabaseLookupFlags flags, @Nullable Cancellable cancellable)	Look up a certificate by its handle.
void	lookupCertificateForHandleAsync(String handle_, @Nullable TlsInteraction interaction, TlsDatabaseLookupFlags flags, @Nullable Cancellable cancellable, @Nullable AsyncReadyCallback callback)	Asynchronously look up a certificate by its handle in the database.
TlsCertificate	lookupCertificateForHandleFinish(AsyncResult result)	Finish an asynchronous lookup of a certificate by its handle.
TlsCertificate	lookupCertificateIssuer(TlsCertificate certificate, @Nullable TlsInteraction interaction, TlsDatabaseLookupFlags flags, @Nullable Cancellable cancellable)	Look up the issuer of certificate in the database.
void	lookupCertificateIssuerAsync(TlsCertificate certificate, @Nullable TlsInteraction interaction, TlsDatabaseLookupFlags flags, @Nullable Cancellable cancellable, @Nullable AsyncReadyCallback callback)	Asynchronously look up the issuer of certificate in the database.
TlsCertificate	lookupCertificateIssuerFinish(AsyncResult result)	Finish an asynchronous lookup issuer operation.
List<TlsCertificate>	lookupCertificatesIssuedBy(@org.jspecify.annotations.Nullable byte @Nullable [] issuerRawDn, @Nullable TlsInteraction interaction, TlsDatabaseLookupFlags flags, @Nullable Cancellable cancellable)	Look up certificates issued by this issuer in the database.
void	lookupCertificatesIssuedByAsync(@org.jspecify.annotations.Nullable byte @Nullable [] issuerRawDn, @Nullable TlsInteraction interaction, TlsDatabaseLookupFlags flags, @Nullable Cancellable cancellable, @Nullable AsyncReadyCallback callback)	Asynchronously look up certificates issued by this issuer in the database.
List<TlsCertificate>	lookupCertificatesIssuedByFinish(AsyncResult result)	Finish an asynchronous lookup of certificates.
Set<TlsCertificateFlags>	verifyChain(TlsCertificate chain, String purpose, @Nullable SocketConnectable identity, @Nullable TlsInteraction interaction, Set<TlsDatabaseVerifyFlags> flags, @Nullable Cancellable cancellable)	Determines the validity of a certificate chain, outside the context of a TLS session.
Set<TlsCertificateFlags>	verifyChain(TlsCertificate chain, String purpose, @Nullable SocketConnectable identity, @Nullable TlsInteraction interaction, TlsDatabaseVerifyFlags flags, @Nullable Cancellable cancellable)	Determines the validity of a certificate chain, outside the context of a TLS session.
void	verifyChainAsync(TlsCertificate chain, String purpose, @Nullable SocketConnectable identity, @Nullable TlsInteraction interaction, Set<TlsDatabaseVerifyFlags> flags, @Nullable Cancellable cancellable, @Nullable AsyncReadyCallback callback)	Asynchronously determines the validity of a certificate chain after looking up and adding any missing certificates to the chain.
void	verifyChainAsync(TlsCertificate chain, String purpose, @Nullable SocketConnectable identity, @Nullable TlsInteraction interaction, TlsDatabaseVerifyFlags flags, @Nullable Cancellable cancellable, @Nullable AsyncReadyCallback callback)	Asynchronously determines the validity of a certificate chain after looking up and adding any missing certificates to the chain.
Set<TlsCertificateFlags>	verifyChainFinish(AsyncResult result)	Finish an asynchronous verify chain operation.

Methods inherited from class org.gnome.gobject.GObject

addToggleRef, addWeakPointer, bindProperty, bindProperty, bindProperty, bindPropertyFull, bindPropertyFull, bindPropertyWithClosures, bindPropertyWithClosures, builder, compatControl, connect, connect, connect, constructed, disconnect, dispatchPropertiesChanged, dispose, dupData, dupQdata, emit, emitNotify, finalize_, forceFloating, freezeNotify, get, getData, getProperty, getProperty, getProperty, getQdata, getv, interfaceFindProperty, interfaceInstallProperty, interfaceListProperties, isFloating, newInstance, newInstance, newv, notify, notify, notifyByPspec, onNotify, ref, refSink, removeToggleRef, removeWeakPointer, replaceData, replaceQdata, runDispose, set, setData, setDataFull, setProperty, setProperty, setProperty, setQdata, setQdataFull, setv, stealData, stealQdata, takeRef, thawNotify, unref, watchClosure, weakRef, weakUnref, withProperties

Methods inherited from class org.gnome.gobject.TypeInstance

callParent, callParent, cast, getPrivate, readGClass, writeGClass

Methods inherited from class org.javagi.base.ProxyInstance

equals, handle, hashCode

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, toString, wait, wait, wait

Constructor Details

TlsDatabase

public TlsDatabase(MemorySegment address)

Create a TlsDatabase proxy instance for the provided memory address.

Parameters:

address - the memory address of the native object

TlsDatabase

public TlsDatabase()

Creates a new TlsDatabase.

Method Details

getType

public static @Nullable Type getType()

Get the GType of the TlsDatabase class

Returns:

the GType

getMemoryLayout

public static MemoryLayout getMemoryLayout()

The memory layout of the native struct.

Returns:

the memory layout

asParent

protected TlsDatabase asParent()

Returns this instance as if it were its parent type. This is mostly synonymous to the Java super keyword, but will set the native typeclass function pointers to the parent type. When overriding a native virtual method in Java, "chaining up" with super.methodName() doesn't work, because it invokes the overridden function pointer again. To chain up, call asParent().methodName(). This will call the native function pointer of this virtual method in the typeclass of the parent type.

Overrides:

asParent in class GObject

createCertificateHandle

public @Nullable String createCertificateHandle(TlsCertificate certificate)

Create a handle string for the certificate. The database will only be able to create a handle for certificates that originate from the database. In cases where the database cannot create a handle for a certificate, null will be returned.

This handle should be stable across various instances of the application, and between applications. If a certificate is modified in the database, then it is not guaranteed that this handle will continue to point to it.

Parameters:

certificate - certificate for which to create a handle.

Returns:

a newly allocated string containing the handle.

Since:

2.30

lookupCertificateForHandle

public @Nullable TlsCertificate lookupCertificateForHandle(String handle_,
 @Nullable TlsInteraction interaction,
 TlsDatabaseLookupFlags flags,
 @Nullable Cancellable cancellable)
                                                    throws GErrorException

Look up a certificate by its handle.

The handle should have been created by calling g_tls_database_create_certificate_handle() on a GTlsDatabase object of the same TLS backend. The handle is designed to remain valid across instantiations of the database.

If the handle is no longer valid, or does not point to a certificate in this database, then null will be returned.

This function can block, use g_tls_database_lookup_certificate_for_handle_async() to perform the lookup operation asynchronously.

Parameters:

handle_ - a certificate handle

interaction - used to interact with the user if necessary

flags - Flags which affect the lookup.

cancellable - a GCancellable, or null

Returns:

a newly allocated GTlsCertificate, or null. Use g_object_unref() to release the certificate.

Throws:

GErrorException - see GError

Since:

2.30

lookupCertificateForHandleAsync

public void lookupCertificateForHandleAsync(String handle_,
 @Nullable TlsInteraction interaction,
 TlsDatabaseLookupFlags flags,
 @Nullable Cancellable cancellable,
 @Nullable AsyncReadyCallback callback)

Asynchronously look up a certificate by its handle in the database. See g_tls_database_lookup_certificate_for_handle() for more information.

Parameters:

handle_ - a certificate handle

interaction - used to interact with the user if necessary

flags - Flags which affect the lookup.

cancellable - a GCancellable, or null

callback - callback to call when the operation completes

Since:

2.30

lookupCertificateForHandleFinish

public TlsCertificate lookupCertificateForHandleFinish(AsyncResult result)
                                                throws GErrorException

Finish an asynchronous lookup of a certificate by its handle. See g_tls_database_lookup_certificate_for_handle() for more information.

If the handle is no longer valid, or does not point to a certificate in this database, then null will be returned.

Parameters:

result - a GAsyncResult.

Returns:

a newly allocated GTlsCertificate object. Use g_object_unref() to release the certificate.

Throws:

GErrorException - see GError

Since:

2.30

lookupCertificateIssuer

public TlsCertificate lookupCertificateIssuer(TlsCertificate certificate,
 @Nullable TlsInteraction interaction,
 TlsDatabaseLookupFlags flags,
 @Nullable Cancellable cancellable)
                                       throws GErrorException

Look up the issuer of certificate in the database. The GTlsCertificate:issuer property of certificate is not modified, and the two certificates are not hooked into a chain.

This function can block. Use g_tls_database_lookup_certificate_issuer_async() to perform the lookup operation asynchronously.

Beware this function cannot be used to build certification paths. The issuer certificate returned by this function may not be the same as the certificate that would actually be used to construct a valid certification path during certificate verification. RFC 4158 explains why an issuer certificate cannot be naively assumed to be part of the the certification path (though GLib's TLS backends may not follow the path building strategies outlined in this RFC). Due to the complexity of certification path building, GLib does not provide any way to know which certification path will actually be used when verifying a TLS certificate. Accordingly, this function cannot be used to make security-related decisions. Only GLib itself should make security decisions about TLS certificates.

Parameters:

certificate - a GTlsCertificate

interaction - used to interact with the user if necessary

flags - flags which affect the lookup operation

cancellable - a GCancellable, or null

Returns:

a newly allocated issuer GTlsCertificate, or null. Use g_object_unref() to release the certificate.

Throws:

GErrorException - see GError

Since:

2.30

lookupCertificateIssuerAsync

public void lookupCertificateIssuerAsync(TlsCertificate certificate,
 @Nullable TlsInteraction interaction,
 TlsDatabaseLookupFlags flags,
 @Nullable Cancellable cancellable,
 @Nullable AsyncReadyCallback callback)

Asynchronously look up the issuer of certificate in the database. See g_tls_database_lookup_certificate_issuer() for more information.

Parameters:

certificate - a GTlsCertificate

interaction - used to interact with the user if necessary

flags - flags which affect the lookup operation

cancellable - a GCancellable, or null

callback - callback to call when the operation completes

Since:

2.30

lookupCertificateIssuerFinish

public TlsCertificate lookupCertificateIssuerFinish(AsyncResult result)
                                             throws GErrorException

Finish an asynchronous lookup issuer operation. See g_tls_database_lookup_certificate_issuer() for more information.

Parameters:

result - a GAsyncResult.

Returns:

a newly allocated issuer GTlsCertificate, or null. Use g_object_unref() to release the certificate.

Throws:

GErrorException - see GError

Since:

2.30

lookupCertificatesIssuedBy

public List<TlsCertificate> lookupCertificatesIssuedBy(@org.jspecify.annotations.Nullable byte @Nullable [] issuerRawDn,
 @Nullable TlsInteraction interaction,
 TlsDatabaseLookupFlags flags,
 @Nullable Cancellable cancellable)
                                                throws GErrorException

Look up certificates issued by this issuer in the database.

This function can block, use g_tls_database_lookup_certificates_issued_by_async() to perform the lookup operation asynchronously.

Parameters:

issuerRawDn - a GByteArray which holds the DER encoded issuer DN.

interaction - used to interact with the user if necessary

flags - Flags which affect the lookup operation.

cancellable - a GCancellable, or null

Returns:

a newly allocated list of GTlsCertificate objects. Use g_object_unref() on each certificate, and g_list_free() on the release the list.

Throws:

GErrorException - see GError

Since:

2.30

lookupCertificatesIssuedByAsync

public void lookupCertificatesIssuedByAsync(@org.jspecify.annotations.Nullable byte @Nullable [] issuerRawDn,
 @Nullable TlsInteraction interaction,
 TlsDatabaseLookupFlags flags,
 @Nullable Cancellable cancellable,
 @Nullable AsyncReadyCallback callback)

Asynchronously look up certificates issued by this issuer in the database. See g_tls_database_lookup_certificates_issued_by() for more information.

The database may choose to hold a reference to the issuer byte array for the duration of this asynchronous operation. The byte array should not be modified during this time.

Parameters:

issuerRawDn - a GByteArray which holds the DER encoded issuer DN.

interaction - used to interact with the user if necessary

flags - Flags which affect the lookup operation.

cancellable - a GCancellable, or null

callback - callback to call when the operation completes

Since:

2.30

lookupCertificatesIssuedByFinish

public List<TlsCertificate> lookupCertificatesIssuedByFinish(AsyncResult result)
                                                      throws GErrorException

Finish an asynchronous lookup of certificates. See g_tls_database_lookup_certificates_issued_by() for more information.

Parameters:

result - a GAsyncResult.

Returns:

a newly allocated list of GTlsCertificate objects. Use g_object_unref() on each certificate, and g_list_free() on the release the list.

Throws:

GErrorException - see GError

Since:

2.30

verifyChain

public Set<TlsCertificateFlags> verifyChain(TlsCertificate chain,
 String purpose,
 @Nullable SocketConnectable identity,
 @Nullable TlsInteraction interaction,
 Set<TlsDatabaseVerifyFlags> flags,
 @Nullable Cancellable cancellable)
                                     throws GErrorException

Determines the validity of a certificate chain, outside the context of a TLS session.

chain is a chain of GTlsCertificate objects each pointing to the next certificate in the chain by its GTlsCertificate:issuer property.

purpose describes the purpose (or usage) for which the certificate is being used. Typically purpose will be set to G_TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER which means that the certificate is being used to authenticate a server (and we are acting as the client).

The identity is used to ensure the server certificate is valid for the expected peer identity. If the identity does not match the certificate, TlsCertificateFlags.BAD_IDENTITY will be set in the return value. If identity is null, that bit will never be set in the return value. The peer identity may also be used to check for pinned certificates (trust exceptions) in the database. These may override the normal verification process on a host-by-host basis.

Currently there are no flags, and TlsDatabaseVerifyFlags.NONE should be used.

If chain is found to be valid, then the return value will be 0. If chain is found to be invalid, then the return value will indicate at least one problem found. If the function is unable to determine whether chain is valid (for example, because cancellable is triggered before it completes) then the return value will be TlsCertificateFlags.GENERIC_ERROR and error will be set accordingly. error is not set when chain is successfully analyzed but found to be invalid.

GLib guarantees that if certificate verification fails, at least one error will be set in the return value, but it does not guarantee that all possible errors will be set. Accordingly, you may not safely decide to ignore any particular type of error. For example, it would be incorrect to mask TlsCertificateFlags.EXPIRED if you want to allow expired certificates, because this could potentially be the only error flag set even if other problems exist with the certificate.

Prior to GLib 2.48, GLib's default TLS backend modified chain to represent the certification path built by GTlsDatabase during certificate verification by adjusting the GTlsCertificate:issuer property of each certificate in chain. Since GLib 2.48, this no longer occurs, so you cannot rely on GTlsCertificate:issuer to represent the actual certification path used during certificate verification.

Because TLS session context is not used, GTlsDatabase may not perform as many checks on the certificates as GTlsConnection would. For example, certificate constraints may not be honored, and revocation checks may not be performed. The best way to verify TLS certificates used by a TLS connection is to let GTlsConnection handle the verification.

The TLS backend may attempt to look up and add missing certificates to the chain. This may involve HTTP requests to download missing certificates.

This function can block. Use g_tls_database_verify_chain_async() to perform the verification operation asynchronously.

Parameters:

chain - a GTlsCertificate chain

purpose - the purpose that this certificate chain will be used for.

identity - the expected peer identity

interaction - used to interact with the user if necessary

flags - additional verify flags

cancellable - a GCancellable, or null

Returns:

the appropriate GTlsCertificateFlags which represents the result of verification.

Throws:

GErrorException - see GError

Since:

2.30

verifyChain

public Set<TlsCertificateFlags> verifyChain(TlsCertificate chain,
 String purpose,
 @Nullable SocketConnectable identity,
 @Nullable TlsInteraction interaction,
 TlsDatabaseVerifyFlags flags,
 @Nullable Cancellable cancellable)
                                     throws GErrorException

Determines the validity of a certificate chain, outside the context of a TLS session.

chain is a chain of GTlsCertificate objects each pointing to the next certificate in the chain by its GTlsCertificate:issuer property.

purpose describes the purpose (or usage) for which the certificate is being used. Typically purpose will be set to G_TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER which means that the certificate is being used to authenticate a server (and we are acting as the client).

The identity is used to ensure the server certificate is valid for the expected peer identity. If the identity does not match the certificate, TlsCertificateFlags.BAD_IDENTITY will be set in the return value. If identity is null, that bit will never be set in the return value. The peer identity may also be used to check for pinned certificates (trust exceptions) in the database. These may override the normal verification process on a host-by-host basis.

Currently there are no flags, and TlsDatabaseVerifyFlags.NONE should be used.

If chain is found to be valid, then the return value will be 0. If chain is found to be invalid, then the return value will indicate at least one problem found. If the function is unable to determine whether chain is valid (for example, because cancellable is triggered before it completes) then the return value will be TlsCertificateFlags.GENERIC_ERROR and error will be set accordingly. error is not set when chain is successfully analyzed but found to be invalid.

GLib guarantees that if certificate verification fails, at least one error will be set in the return value, but it does not guarantee that all possible errors will be set. Accordingly, you may not safely decide to ignore any particular type of error. For example, it would be incorrect to mask TlsCertificateFlags.EXPIRED if you want to allow expired certificates, because this could potentially be the only error flag set even if other problems exist with the certificate.

Prior to GLib 2.48, GLib's default TLS backend modified chain to represent the certification path built by GTlsDatabase during certificate verification by adjusting the GTlsCertificate:issuer property of each certificate in chain. Since GLib 2.48, this no longer occurs, so you cannot rely on GTlsCertificate:issuer to represent the actual certification path used during certificate verification.

Because TLS session context is not used, GTlsDatabase may not perform as many checks on the certificates as GTlsConnection would. For example, certificate constraints may not be honored, and revocation checks may not be performed. The best way to verify TLS certificates used by a TLS connection is to let GTlsConnection handle the verification.

The TLS backend may attempt to look up and add missing certificates to the chain. This may involve HTTP requests to download missing certificates.

This function can block. Use g_tls_database_verify_chain_async() to perform the verification operation asynchronously.

Parameters:

chain - a GTlsCertificate chain

purpose - the purpose that this certificate chain will be used for.

identity - the expected peer identity

interaction - used to interact with the user if necessary

flags - additional verify flags

cancellable - a GCancellable, or null

Returns:

the appropriate GTlsCertificateFlags which represents the result of verification.

Throws:

GErrorException - see GError

Since:

2.30

verifyChainAsync

public void verifyChainAsync(TlsCertificate chain,
 String purpose,
 @Nullable SocketConnectable identity,
 @Nullable TlsInteraction interaction,
 Set<TlsDatabaseVerifyFlags> flags,
 @Nullable Cancellable cancellable,
 @Nullable AsyncReadyCallback callback)

Asynchronously determines the validity of a certificate chain after looking up and adding any missing certificates to the chain. See g_tls_database_verify_chain() for more information.

Parameters:

chain - a GTlsCertificate chain

purpose - the purpose that this certificate chain will be used for.

identity - the expected peer identity

interaction - used to interact with the user if necessary

flags - additional verify flags

cancellable - a GCancellable, or null

callback - callback to call when the operation completes

Since:

2.30

verifyChainAsync

public void verifyChainAsync(TlsCertificate chain,
 String purpose,
 @Nullable SocketConnectable identity,
 @Nullable TlsInteraction interaction,
 TlsDatabaseVerifyFlags flags,
 @Nullable Cancellable cancellable,
 @Nullable AsyncReadyCallback callback)

Asynchronously determines the validity of a certificate chain after looking up and adding any missing certificates to the chain. See g_tls_database_verify_chain() for more information.

Parameters:

chain - a GTlsCertificate chain

purpose - the purpose that this certificate chain will be used for.

identity - the expected peer identity

interaction - used to interact with the user if necessary

flags - additional verify flags

cancellable - a GCancellable, or null

callback - callback to call when the operation completes

Since:

2.30

verifyChainFinish

public Set<TlsCertificateFlags> verifyChainFinish(AsyncResult result)
                                           throws GErrorException

Finish an asynchronous verify chain operation. See g_tls_database_verify_chain() for more information.

If chain is found to be valid, then the return value will be 0. If chain is found to be invalid, then the return value will indicate the problems found. If the function is unable to determine whether chain is valid or not (eg, because cancellable is triggered before it completes) then the return value will be TlsCertificateFlags.GENERIC_ERROR and error will be set accordingly. error is not set when chain is successfully analyzed but found to be invalid.

Parameters:

result - a GAsyncResult.

Returns:

the appropriate GTlsCertificateFlags which represents the result of verification.

Throws:

GErrorException - see GError

Since:

2.30