luc14n0/glib
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/glib.git synced 2024-11-10 03:16:17 +01:00
Code Issues Packages Projects Releases Wiki Activity

Improve documentation of g_tls_database_verify_chain()

Browse Source 
It is critical to mention how the identity parameter is expected to be
handled. In particular, if identity is not passed, then the identity of
the server certificate will not be checked at all. This is in contrast
to the connection-level APIs, which are supposed to be fail-safe. The
database and certificate-level APIs are more manual.
This commit is contained in:
Michael Catanzaro 2020-05-04 17:13:39 -05:00 committed by Philip Withnall
parent 2be506a3be
commit 33c9c305e3
1 changed files with 7 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
gio/gtlsdatabase.c
View File

@ -473,9 +473,13 @@ g_tls_database_class_init (GTlsDatabaseClass *klass)
* which means that the certificate is being used to authenticate a server
* (and we are acting as the client).
*
* The @identity is used to check for pinned certificates (trust exceptions)
* in the database. These will override the normal verification process on a
* host by host basis.
* The @identity is used to ensure the server certificate is valid for
* the expected peer identity. If the identity does not match the
* certificate, %G_TLS_CERTIFICATE_BAD_IDENTITY will be set in the
* return value. If @identity is %NULL, that bit will never be set in
* the return value. The peer identity may also be used to check for
* pinned certificates (trust exceptions) in the database. These may
* override the normal verification process on a host-by-host basis.
*
* Currently there are no @flags, and %G_TLS_DATABASE_VERIFY_NONE should be
* used.