Methods
Accept | () | → | nothing | |
Reject | (a(usa{sv}): Rejections) | → | nothing |
Signals
Accepted | () | |
Rejected | (a(usa{sv}): Rejections) |
Properties
State | u (TLS_Certificate_State) | Read only | |
Rejections | a(usa{sv}) (TLS_Certificate_Rejection_List) | Read only | |
CertificateType | s | Read only | |
CertificateChainData | aay (Certificate_Data_List) | Read only |
Types
Certificate_Data | Simple Type | ay | |
TLS_Certificate_State | Enum | u | |
TLS_Certificate_Reject_Reason | Enum | u | |
TLS_Certificate_Rejection | Struct | (usa{sv}) |
Description
Methods
Reject (a(usa{sv}): Rejections) → nothing
Parameters
- Rejections — a(usa{sv}) (TLS_Certificate_Rejection_List)
The new value of the Rejections property.
This MUST NOT be an empty array.
Possible Errors
- Invalid Argument
Pending
, or when the provided rejection list is empty.
Signals
Rejected (a(usa{sv}): Rejections)
Parameters
- Rejections — a(usa{sv}) (TLS_Certificate_Rejection_List)
Properties
Rejections — a(usa{sv}) (TLS_Certificate_Rejection_List)
If the State is Rejected, an array of TLS_Certificate_Rejection structures containing the reason why the certificate is rejected.
If the State is not Rejected, this property is not meaningful, and SHOULD be set to an empty array.
The first rejection in the list MAY be assumed to be the most important; if the array contains more than one element, the CM MAY either use the values after the first, or ignore them.
CertificateType — s
This property is immutable
CertificateChainData — aay (Certificate_Data_List)
One or more TLS certificates forming a trust chain, each encoded as specified by Certificate_Data.
The first certificate in the chain MUST be the server certificate, followed by the issuer's certificate, followed by the issuer's issuer and so on.
Types
Certificate_Data — ay
The raw data contained in a TLS certificate.
For X.509 certificates (CertificateType = "x509"), this MUST be in DER format, as defined by the X.690 ITU standard.
For PGP certificates (CertificateType = "pgp"), this MUST be a binary OpenPGP key as defined by section 11.1 of RFC 4880.
TLS_Certificate_State — u
- Pending (0)
- Accepted (1)
- Rejected (2)
TLS_Certificate_Reject_Reason — u
- Unknown (0)
- Untrusted (1)
- Expired (2)
- Not_Activated (3)
- Fingerprint_Mismatch (4)
- Hostname_Mismatch (5)
- Self_Signed (6)
- Revoked (7)
- Insecure (8)
- Limit_Exceeded (9)
TLS_Certificate_Rejection — (usa{sv})
Struct representing one reason why a TLS certificate was rejected.
Since there can be multiple things wrong with a TLS certificate, arrays of this type are used to represent lists of reasons for rejection. In that case, the most important reason SHOULD be placed first in the list.
- Reason — u (TLS_Certificate_Reject_Reason)
- Error — s (DBus_Error_Name)
- Details — a{sv} (String_Variant_Map)
- user-requested (b)
- True if the error was due to an user-requested rejection of the certificate; False if there was an unrecoverable error in the verification process.
- expected-hostname (s)
- If the rejection reason is Hostname_Mismatch, the hostname that the server certificate was expected to have.
- certificate-hostname (s)
- If the rejection reason is Hostname_Mismatch, the hostname of
the certificate that was presented.
Rationale:
For instance, if you try to connect to gmail.com but are presented with a TLS certificate issued to evil.example.org, the error details for Hostname_Mismatch MAY include:
{ 'expected-hostname': 'gmail.com', 'certificate-hostname': 'evil.example.org', }
- debug-message (s)
- Debugging information on the error, corresponding to the message part of a D-Bus error message, which SHOULD NOT be displayed to users under normal circumstances
The value of the TLS_Certificate_Reject_Reason enumeration for this certificate rejection.
Rationale:
Error
member,
which may be implementation-specific, can use this property to
classify rejection reasons into common categories.
The DBus error name for this certificate rejection.
This MAY correspond to the value of the Reason
member,
or MAY be a more specific D-Bus error name, perhaps implementation-specific.
Additional information about why the certificate was rejected. This MAY also include one or more of the following well-known keys: