luc14n0/glib
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/glib.git synced 2024-11-10 03:16:17 +01:00
Code Issues Packages Projects Releases Wiki Activity

gtlscertificate: improve documentation

Browse Source 
Let's explain the advantages of relying on GTlsConnection to perform
certificate verification.

Also, document that the issuer property is a little tricky, because the
issuer certificate might not be the certificate that actually gets used
in final certification path building. This is very unexpected to anybody
who is not an expert.
This commit is contained in:
Michael Catanzaro 2021-08-04 14:34:58 -05:00
parent 235401b056
commit b11d3fc2f4
1 changed files with 19 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
gio/gtlscertificate.c
View File

@ -226,6 +226,18 @@ g_tls_certificate_class_init (GTlsCertificateClass *class)
* self-signed, or else the certificate of the issuer is not
* available.
*
* Beware the issuer certificate may not be the same as the
* certificate that would actually be used to construct a valid
* certification path during certificate verification.
* [RFC 4158](https://datatracker.ietf.org/doc/html/rfc4158) explains
* why an issuer certificate cannot be naively assumed to be part of the
* the certification path (though GLib's TLS backends may not follow the
* path building strategies outlined in this RFC). Due to the complexity
* of certification path building, GLib does not provide any way to know
* which certification path will actually be used. Accordingly, this
* property cannot be used to make security-related decisions. Only
* GLib itself should make security decisions about TLS certificates.
*
* Since: 2.28
*/
g_object_class_install_property (gobject_class, PROP_ISSUER,
@ -950,6 +962,13 @@ g_tls_certificate_get_issuer (GTlsCertificate *cert)
* (All other #GTlsCertificateFlags values will always be set or unset
* as appropriate.)
*
* Because TLS session context is not used, #GTlsCertificate may not
* perform as many checks on the certificates as #GTlsConnection would.
* For example, certificate constraints cannot be honored, and some
* revocation checks cannot be performed. The best way to verify TLS
* certificates used by a TLS connection is to let #GTlsConnection
* handle the verification.
*
* Returns: the appropriate #GTlsCertificateFlags
*
* Since: 2.28