Class TlsCertificate

All Implemented Interfaces:
Proxy
Direct Known Subclasses:
TlsCertificate.TlsCertificate$Impl

@Generated("org.javagi.JavaGI") public abstract class TlsCertificate extends GObject
A certificate used for TLS authentication and encryption. This can represent either a certificate only (e.g., the certificate received by a client from a server), or the combination of a certificate and a private key (which is needed when acting as a TlsServerConnection).
Since:
2.28
  • Constructor Details

    • TlsCertificate

      public TlsCertificate(MemorySegment address)
      Create a TlsCertificate instance for the provided memory address.
      Parameters:
      address - the memory address of the native object
    • TlsCertificate

      public TlsCertificate()
      Create a new TlsCertificate.
  • Method Details

    • getType

      public static @Nullable Type getType()
      Get the GType of the TlsCertificate class.
      Returns:
      the GType
    • getMemoryLayout

      public static MemoryLayout getMemoryLayout()
      The memory layout of the native struct.
      Returns:
      the memory layout
    • asParent

      protected TlsCertificate asParent()
      Return this instance as if it were its parent type. Comparable to the Java super keyword, but ensures the parent typeclass is also used in native code.
      Overrides:
      asParent in class GObject
      Returns:
      the instance as if it were its parent type
    • fromFile

      public static TlsCertificate fromFile(String file) throws GErrorException

      Creates a GTlsCertificate from the data in file.

      As of 2.72, if the filename ends in .p12 or .pfx the data is loaded by g_tls_certificate_new_from_pkcs12() otherwise it is loaded by g_tls_certificate_new_from_pem(). See those functions for exact details.

      If file cannot be read or parsed, the function will return null and set error.

      Parameters:
      file - file containing a certificate to import
      Returns:
      the new certificate, or null on error
      Throws:
      GErrorException - see GError
      Since:
      2.28
    • fromFileWithPassword

      public static TlsCertificate fromFileWithPassword(String file, String password) throws GErrorException

      Creates a GTlsCertificate from the data in file.

      If file cannot be read or parsed, the function will return null and set error.

      Any unknown file types will error with IOErrorEnum.NOT_SUPPORTED. Currently only .p12 and .pfx files are supported. See g_tls_certificate_new_from_pkcs12() for more details.

      Parameters:
      file - file containing a certificate to import
      password - password for PKCS 12 files
      Returns:
      the new certificate, or null on error
      Throws:
      GErrorException - see GError
      Since:
      2.72
    • fromFiles

      public static TlsCertificate fromFiles(String certFile, String keyFile) throws GErrorException

      Creates a GTlsCertificate from the PEM-encoded data in certFile and keyFile. The returned certificate will be the first certificate found in certFile. As of GLib 2.44, if certFile contains more certificates it will try to load a certificate chain. All certificates will be verified in the order found (top-level certificate should be the last one in the file) and the GTlsCertificate:issuer property of each certificate will be set accordingly if the verification succeeds. If any certificate in the chain cannot be verified, the first certificate in the file will still be returned.

      If either file cannot be read or parsed, the function will return null and set error. Otherwise, this behaves like g_tls_certificate_new_from_pem().

      Parameters:
      certFile - file containing one or more PEM-encoded certificates to import
      keyFile - file containing a PEM-encoded private key to import
      Returns:
      the new certificate, or null on error
      Throws:
      GErrorException - see GError
      Since:
      2.28
    • fromPem

      public static TlsCertificate fromPem(String data, long length) throws GErrorException

      Creates a GTlsCertificate from the PEM-encoded data in data. If data includes both a certificate and a private key, then the returned certificate will include the private key data as well. (See the GTlsCertificate:private-key-pem property for information about supported formats.)

      The returned certificate will be the first certificate found in data. As of GLib 2.44, if data contains more certificates it will try to load a certificate chain. All certificates will be verified in the order found (top-level certificate should be the last one in the file) and the GTlsCertificate:issuer property of each certificate will be set accordingly if the verification succeeds. If any certificate in the chain cannot be verified, the first certificate in the file will still be returned.

      Parameters:
      data - PEM-encoded certificate data
      length - the length of data, or -1 if it's 0-terminated.
      Returns:
      the new certificate, or null if data is invalid
      Throws:
      GErrorException - see GError
      Since:
      2.28
    • fromPkcs11Uris

      public static TlsCertificate fromPkcs11Uris(String pkcs11Uri, @Nullable String privateKeyPkcs11Uri) throws GErrorException

      Creates a GTlsCertificate from a PKCS #11 URI.

      An example pkcs11Uri would be pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01

      Where the token’s layout is:

      Object 0:
        URL: pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01;object=private%20key;type=private
        Type: Private key (RSA-2048)
        ID: 01

      Object 1:
        URL: pkcs11:model=Model;manufacturer=Manufacture;serial=1;token=My%20Client%20Certificate;id=%01;object=Certificate%20for%20Authentication;type=cert
        Type: X.509 Certificate (RSA-2048)
        ID: 01

      In this case the certificate and private key would both be detected and used as expected. pkcs11Uri may also just reference an X.509 certificate object, and then optionally privateKeyPkcs11Uri allows using a private key exposed under a different URI.

      Note that the private key is not accessed until usage and may fail or require a PIN later.

      Parameters:
      pkcs11Uri - A PKCS #11 URI
      privateKeyPkcs11Uri - A PKCS #11 URI
      Returns:
      the new certificate, or null on error
      Throws:
      GErrorException - see GError
      Since:
      2.68
    • fromPkcs12

      public static TlsCertificate fromPkcs12(@Nullable byte @Nullable [] data, @Nullable String password) throws GErrorException

      Creates a GTlsCertificate from the data in data. It must contain a certificate and matching private key.

      If extra certificates are included they will be verified as a chain and the GTlsCertificate:issuer property will be set. All other data will be ignored.

      You can pass a single password for all of the data, which will be used both for the PKCS 12 container as well as for encrypted private keys. If decryption fails it will error with TlsError.BAD_CERTIFICATE_PASSWORD.

      This constructor requires support in the current GTlsBackend. If support is missing it will error with IOErrorEnum.NOT_SUPPORTED.

      Other parsing failures will error with TlsError.BAD_CERTIFICATE.

      Parameters:
      data - DER-encoded PKCS 12 format certificate data
      password - optional password for encrypted certificate data
      Returns:
      the new certificate, or null if data is invalid
      Throws:
      GErrorException - see GError
      Since:
      2.72
    • listNewFromFile

      public static List<TlsCertificate> listNewFromFile(String file) throws GErrorException
      Creates one or more GTlsCertificates from the PEM-encoded data in file. If file cannot be read or parsed, the function will return null and set error. If file does not contain any PEM-encoded certificates, this will return an empty list and not set error.
      Parameters:
      file - file containing PEM-encoded certificates to import
      Returns:
      a GList containing GTlsCertificate objects. You must free the list and its contents when you are done with it.
      Throws:
      GErrorException - see GError
      Since:
      2.28
    • getIpAddresses

      public @Nullable InetAddress @Nullable [] getIpAddresses()
      Gets the value of GTlsCertificate:ip-addresses.
      Returns:
      A GPtrArray of GInetAddress elements, or null if it's not available.
      Since:
      2.70
    • getIssuer

      public @Nullable TlsCertificate getIssuer()
      Gets the GTlsCertificate representing cert's issuer, if known.
      Returns:
      The certificate of cert's issuer, or null if this TlsCertificate is self-signed or signed with an unknown certificate.
      Since:
      2.28
    • getIssuerName

      public @Nullable String getIssuerName()
      Returns the issuer name from the certificate.
      Returns:
      The issuer name, or null if it's not available.
      Since:
      2.70
    • getNotValidAfter

      public @Nullable DateTime getNotValidAfter()
      Returns the time at which the certificate became or will become invalid.
      Returns:
      The not-valid-after date, or null if it's not available.
      Since:
      2.70
    • getNotValidBefore

      public @Nullable DateTime getNotValidBefore()
      Returns the time at which the certificate became or will become valid.
      Returns:
      The not-valid-before date, or null if it's not available.
      Since:
      2.70
    • getSubjectName

      public @Nullable String getSubjectName()
      Returns the subject name from the certificate.
      Returns:
      The subject name, or null if it's not available.
      Since:
      2.70
    • isSame

      public boolean isSame(TlsCertificate certTwo)
      Check if two GTlsCertificate objects represent the same certificate. The raw DER byte data of the two certificates are checked for equality. This has the effect that two certificates may compare equal even if their GTlsCertificate:issuer, GTlsCertificate:private-key, or GTlsCertificate:private-key-pem properties differ.
      Parameters:
      certTwo - second certificate to compare
      Returns:
      whether the same or not
      Since:
      2.34
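The following is an added example (not part of the java-gi documentation or the GLib project) that ties together the constructors and accessors above: it loads a PEM chain plus key with fromFiles, walks the issuer links that fromFiles sets only when the extra certificates verified, checks the validity window of each certificate, loads a CA bundle with listNewFromFile, and uses isSame to find out whether the top of the linked chain is itself present in that bundle. The file paths are placeholders; the host name is not used here. Assumed (not shown on this page): the java-gi packages org.gnome.gio and org.gnome.glib, and that java-gi exposes g_date_time_to_unix() as DateTime.toUnix().

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;

import org.gnome.gio.TlsCertificate;
import org.gnome.glib.DateTime;
import org.gnome.glib.GErrorException;

/**
 * Inspects a certificate chain loaded through TlsCertificate.fromFiles().
 * Added example; paths below are placeholders, not real files.
 */
public class ChainInspector {

    // Placeholder paths (assumption: these files exist on the host).
    static final String CHAIN_PEM = "/path/to/server-chain.pem";
    static final String KEY_PEM   = "/path/to/server-key.pem";
    static final String CA_BUNDLE = "/path/to/ca-bundle.pem";

    /** Returns the chain from the leaf upwards, following getIssuer() until null. */
    static List<TlsCertificate> walkChain(TlsCertificate leaf) {
        List<TlsCertificate> chain = new ArrayList<>();
        for (TlsCertificate c = leaf; c != null; c = c.getIssuer()) {
            chain.add(c);
        }
        return chain;
    }

    /** True when nowUnix lies inside [not-valid-before, not-valid-after]. */
    static boolean withinValidity(TlsCertificate cert, long nowUnix) {
        DateTime nvb = cert.getNotValidBefore();
        DateTime nva = cert.getNotValidAfter();
        if (nvb == null || nva == null) {
            return false; // a certificate without readable dates is treated as not valid
        }
        // Assumption: DateTime.toUnix() is the java-gi binding of g_date_time_to_unix().
        return nvb.toUnix() <= nowUnix && nowUnix <= nva.toUnix();
    }

    /** True when cert is byte-for-byte identical (isSame compares raw DER) to a bundle entry. */
    static boolean isInBundle(TlsCertificate cert, List<TlsCertificate> bundle) {
        for (TlsCertificate ca : bundle) {
            if (cert.isSame(ca)) {
                return true;
            }
        }
        return false;
    }

    /** A certificate whose subject and issuer names are equal is self-signed. */
    static boolean looksSelfSigned(TlsCertificate cert) {
        return Objects.equals(cert.getSubjectName(), cert.getIssuerName());
    }

    public static void main(String[] args) throws GErrorException {
        TlsCertificate leaf = TlsCertificate.fromFiles(CHAIN_PEM, KEY_PEM);
        List<TlsCertificate> bundle = TlsCertificate.listNewFromFile(CA_BUNDLE);
        long now = Instant.now().getEpochSecond();

        List<TlsCertificate> chain = walkChain(leaf);
        for (int i = 0; i < chain.size(); i++) {
            TlsCertificate c = chain.get(i);
            System.out.printf("[%d] subject=%s issuer=%s withinValidity=%b%n",
                    i, c.getSubjectName(), c.getIssuerName(), withinValidity(c, now));
        }

        // fromFiles() links GTlsCertificate:issuer only when the chain in the
        // file verified; a lone, non-self-signed leaf therefore means the file's
        // extra certificates did not verify (the leaf is still returned).
        if (chain.size() == 1 && !looksSelfSigned(leaf)) {
            System.out.println("issuer not linked: the chain in the file did not verify");
        }

        // isSame() only matches the same DER bytes, so this is true only if the
        // top of the chain (typically the root) is itself present in the bundle.
        TlsCertificate top = chain.get(chain.size() - 1);
        System.out.println("top of chain present in CA bundle: " + isInBundle(top, bundle));
    }
}
```

Note that isSame and the issuer walk say nothing about trust on their own; deciding whether the chain is acceptable for a given peer is what verify() (below on this page) and, preferably, GTlsConnection are for.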
    • verify

      public Set<TlsCertificateFlags> verify(@Nullable SocketConnectable identity, @Nullable TlsCertificate trustedCa)

      Verifies this TlsCertificate and returns a set of GTlsCertificateFlags indicating any problems found with it. This can be used to verify a certificate outside the context of making a connection, or to check a certificate against a CA that is not part of the system CA database.

      If this TlsCertificate is valid, TlsCertificateFlags.NO_FLAGS is returned.

      If identity is not null, cert's name(s) will be compared against it, and TlsCertificateFlags.BAD_IDENTITY will be set in the return value if it does not match. If identity is null, that bit will never be set in the return value.

      If trustedCa is not null, then this TlsCertificate (or one of the certificates in its chain) must be signed by it, or else TlsCertificateFlags.UNKNOWN_CA will be set in the return value. If trustedCa is null, that bit will never be set in the return value.

      GLib guarantees that if certificate verification fails, at least one error will be set in the return value, but it does not guarantee that all possible errors will be set. Accordingly, you may not safely decide to ignore any particular type of error. For example, it would be incorrect to mask TlsCertificateFlags.EXPIRED if you want to allow expired certificates, because this could potentially be the only error flag set even if other problems exist with the certificate.

      Because TLS session context is not used, GTlsCertificate may not perform as many checks on the certificates as GTlsConnection would. For example, certificate constraints may not be honored, and revocation checks may not be performed. The best way to verify TLS certificates used by a TLS connection is to let GTlsConnection handle the verification.

      Parameters:
      identity - the expected peer identity
      trustedCa - the certificate of a trusted authority
      Returns:
      the appropriate GTlsCertificateFlags
      Since:
      2.28
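As an added example (not code from java-gi or GLib), this shows how to use verify() offline against an expected host name and a private CA, and how to act on the result without masking individual flags, which the text above explains is unsafe because GLib only guarantees that at least one flag is set on failure. Assumed: the java-gi packages org.gnome.gio and org.gnome.glib, that NetworkAddress.parse(String, int) is the binding of g_network_address_parse() and returns a SocketConnectable, and that a clean result is either an empty set or a set holding only TlsCertificateFlags.NO_FLAGS. File paths and the host name are placeholders.

```java
import java.util.Set;

import org.gnome.gio.NetworkAddress;
import org.gnome.gio.SocketConnectable;
import org.gnome.gio.TlsCertificate;
import org.gnome.gio.TlsCertificateFlags;
import org.gnome.glib.GErrorException;

/**
 * Offline certificate check with TlsCertificate.verify().
 * Added example; inputs below are placeholders.
 */
public class OfflineVerify {

    // Placeholder inputs (assumptions): a server certificate file and the
    // private CA expected to have signed it, plus the name the peer must present.
    static final String SERVER_PEM = "/path/to/server.pem";
    static final String PRIVATE_CA_PEM = "/path/to/private-ca.pem";
    static final String EXPECTED_HOST = "service.internal.example";

    /**
     * True only when verify() reports no problem at all. No flag is ever
     * removed from the set before deciding: EXPIRED, for instance, may be the
     * only flag set even when the certificate has other problems too.
     */
    static boolean acceptable(TlsCertificate cert, SocketConnectable identity,
                              TlsCertificate trustedCa) {
        Set<TlsCertificateFlags> flags = cert.verify(identity, trustedCa);
        return isClean(flags);
    }

    /** Assumption: a clean result is an empty set or a set containing only NO_FLAGS. */
    static boolean isClean(Set<TlsCertificateFlags> flags) {
        return flags.isEmpty() || flags.equals(Set.of(TlsCertificateFlags.NO_FLAGS));
    }

    /** Renders the flags for a log line without interpreting them. */
    static String describe(Set<TlsCertificateFlags> flags) {
        if (isClean(flags)) {
            return "NO_FLAGS";
        }
        StringBuilder sb = new StringBuilder();
        for (TlsCertificateFlags f : flags) {
            if (sb.length() > 0) {
                sb.append(',');
            }
            sb.append(f.name());
        }
        return sb.toString();
    }

    public static void main(String[] args) throws GErrorException {
        TlsCertificate cert = TlsCertificate.fromFile(SERVER_PEM);
        TlsCertificate privateCa = TlsCertificate.fromFile(PRIVATE_CA_PEM);
        // Assumption: NetworkAddress.parse(hostAndPort, defaultPort) wraps
        // g_network_address_parse(); the port only matters for the identity's
        // host name comparison, which verify() performs against the certificate.
        SocketConnectable identity = NetworkAddress.parse(EXPECTED_HOST, 443);

        // Full check: name must match and the chain must lead to privateCa.
        Set<TlsCertificateFlags> flags = cert.verify(identity, privateCa);
        System.out.println("verify(identity, privateCa): " + describe(flags));
        System.out.println("acceptable: " + acceptable(cert, identity, privateCa));

        // With trustedCa == null, UNKNOWN_CA is never set, so this result
        // covers the name and the certificate's own problems (expiry, etc.)
        // but says nothing about whether the issuer is trusted.
        Set<TlsCertificateFlags> nameOnly = cert.verify(identity, null);
        System.out.println("verify(identity, null): " + describe(nameOnly));
    }
}
```

Because verify() runs without TLS session context, it may skip checks such as constraints and revocation that GTlsConnection performs; use this pattern for pinned or out-of-band checks, and let GTlsConnection verify the certificates of live connections.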