:right-sidebar: True

CertificateChain
===================================================================

.. currentmodule:: gi.repository.Gcr





.. class:: CertificateChain(**properties: ~typing.Any)
   :no-contents-entry:


Superclasses: :class:`~gi.repository.GObject.Object`





Represents a chain of certificates, normally used to
validate the trust in a certificate. An X.509 certificate chain has one
endpoint certificate (the one for which trust is being verified) and then
in turn the certificate that issued each previous certificate in the chain.

This functionality is for building of certificate chains not for validating
them. Use your favorite crypto library to validate trust in a certificate
chain once its built.

The order of certificates in the chain should be first the endpoint
certificates and then the signing certificates.

Create a new certificate chain with :obj:`~gi.repository.CertificateChain.new` and then
add the certificates with :obj:`~gi.repository.CertificateChain.add`\.

You can then use :obj:`~gi.repository.CertificateChain.build` to build the remainder of
the chain. This will lookup missing certificates in PKCS``11`` modules and
also check that each certificate in the chain is the signer of the previous
one. If a trust anchor, pinned certificate, or self-signed certificate is
found, then the chain is considered built. Any extra certificates are
removed from the chain.

Once the certificate chain has been built, you can access its status
through :obj:`~gi.repository.CertificateChain.get_status`\. The status signifies whether
the chain is anchored on a trust root, self-signed, incomplete etc. See
:obj:`~gi.repository.Gcr.CertificateChainStatus` for information on the various statuses.

It's important to understand that the building of a certificate chain is
merely the first step towards verifying trust in a certificate.


Constructors
------------

.. rst-class:: interim-class

.. class:: CertificateChain
   :no-index:


   .. classmethod:: new() -> ~gi.repository.Gcr.CertificateChain

      Create a new :obj:`~gi.repository.Gcr.CertificateChain`\.













Methods
-------

.. rst-class:: interim-class

.. class:: CertificateChain
   :no-index:


   .. method:: add(certificate: ~gi.repository.Gcr.Certificate) -> None

      Add ``certificate`` to the chain. The order of certificates in the chain are
      important. The first certificate should be the endpoint certificate, and
      then come the signers (certificate authorities) each in turn. If a root
      certificate authority is present, it should come last.

      Adding a certificate an already built chain (see
      :func:`~gi.repository.Gcr.CertificateChain.build`) resets the type of the certificate chain
      to :const:`~gi.repository.Gcr.CertificateChainStatus.UNKNOWN`






      :param certificate: a :obj:`~gi.repository.Gcr.Certificate` to add to the chain




   .. method:: build(purpose: str, peer: str | None, flags: ~gi.repository.Gcr.CertificateChainFlags, cancellable: ~gi.repository.Gio.Cancellable | None = None) -> bool

      Complete a certificate chain. Once a certificate chain has been built
      its status can be examined.

      This operation will lookup missing certificates in PKCS``11``
      modules and also that each certificate in the chain is the signer of the
      previous one. If a trust anchor, pinned certificate, or self-signed certificate
      is found, then the chain is considered built. Any extra certificates are
      removed from the chain.

      It's important to understand that building of a certificate chain does not
      constitute verifying that chain. This is merely the first step towards
      trust verification.

      The ``purpose`` is a string like :const:`~gi.repository.Gcr.PURPOSE_CLIENT_AUTH` and is the purpose
      for which the certificate chain will be used. Trust anchors are looked up
      for this purpose. This argument is required.

      The ``peer`` is usually the host name of the peer whith which this certificate
      chain is being used. It is used to look up pinned certificates that have
      been stored for this peer. If :const:`None` then no pinned certificates will
      be considered.

      If the :const:`~gi.repository.Gcr.CertificateChainFlags.NO_LOOKUPS` flag is specified then no
      lookups for anchors or pinned certificates are done, and the resulting chain
      will be neither anchored or pinned. Additionally no missing certificate
      authorities are looked up in PKCS``11``

      This call will block, see :func:`~gi.repository.Gcr.CertificateChain.build_async` for the
      asynchronous version.






      :param purpose: the purpose the certificate chain will be used for

      :param peer: the peer the certificate chain will be used with, or :const:`None`

      :param flags: chain completion flags

      :param cancellable: a :obj:`~gi.repository.Gio.Cancellable` or :const:`None`




   .. method:: build_async(purpose: str, peer: str | None, flags: ~gi.repository.Gcr.CertificateChainFlags, cancellable: ~gi.repository.Gio.Cancellable | None = None, callback: ~typing.Callable[[~gi.repository.GObject.Object | None, ~gi.repository.Gio.AsyncResult, ~typing.Any], None] | None = None, user_data: ~typing.Any = None) -> None

      Complete a certificate chain. Once a certificate chain has been built
      its status can be examined.

      This will lookup missing certificates in PKCS``11``
      modules and also that each certificate in the chain is the signer of the
      previous one. If a trust anchor, pinned certificate, or self-signed certificate
      is found, then the chain is considered built. Any extra certificates are
      removed from the chain.

      It's important to understand that building of a certificate chain does not
      constitute verifying that chain. This is merely the first step towards
      trust verification.

      The ``purpose`` is a string like :const:`~gi.repository.Gcr.PURPOSE_CLIENT_AUTH` and is the purpose
      for which the certificate chain will be used. Trust anchors are looked up
      for this purpose. This argument is required.

      The ``peer`` is usually the host name of the peer whith which this certificate
      chain is being used. It is used to look up pinned certificates that have
      been stored for this peer. If :const:`None` then no pinned certificates will
      be considered.

      If the :const:`~gi.repository.Gcr.CertificateChainFlags.NO_LOOKUPS` flag is specified then no
      lookups for anchors or pinned certificates are done, and the resulting chain
      will be neither anchored or pinned. Additionally no missing certificate
      authorities are looked up in PKCS``11``

      When the operation is finished, ``callback`` will be called. You can then call
      :func:`~gi.repository.Gcr.CertificateChain.build_finish` to get the result of the operation.






      :param purpose: the purpose the certificate chain will be used for

      :param peer: the peer the certificate chain will be used with, or :const:`None`

      :param flags: chain completion flags

      :param cancellable: a :obj:`~gi.repository.Gio.Cancellable` or :const:`None`

      :param callback: this will be called when the operation completes.

      :param user_data: data to pass to the callback




   .. method:: build_finish(result: ~gi.repository.Gio.AsyncResult) -> bool

      Finishes an asynchronous operation started by
      :func:`~gi.repository.Gcr.CertificateChain.build_async`.






      :param result: the :obj:`~gi.repository.Gio.AsyncResult` passed to the callback




   .. method:: get_anchor() -> ~gi.repository.Gcr.Certificate

      If the certificate chain has been built and is of status
      :const:`~gi.repository.Gcr.CertificateChainStatus.ANCHORED`, then this will return the anchor
      certificate that was found. This is not necessarily a root certificate
      authority. If an intermediate certificate authority in the chain was
      found to be anchored, then that certificate will be returned.

      If an anchor is returned it does not mean that the certificate chain has
      been verified, but merely that an anchor has been found.









   .. method:: get_certificate(index: int) -> ~gi.repository.Gcr.Certificate

      Get a certificate in the chain. It is an error to call this function
      with an invalid index.






      :param index: index of the certificate to get




   .. method:: get_endpoint() -> ~gi.repository.Gcr.Certificate

      Get the endpoint certificate in the chain. This is always the first
      certificate in the chain. The endpoint certificate cannot be anchored.









   .. method:: get_length() -> int

      Get the length of the certificate chain.









   .. method:: get_status() -> ~gi.repository.Gcr.CertificateChainStatus

      Get the status of a certificate chain. If the certificate chain has not
      been built, then the status will be :const:`~gi.repository.Gcr.CertificateChainStatus.UNKNOWN`.

      A status of :const:`~gi.repository.Gcr.CertificateChainStatus.ANCHORED` does not mean that the
      certificate chain has been verified, but merely that an anchor has been
      found.













Properties
----------

.. rst-class:: interim-class

.. class:: CertificateChain
   :no-index:
   

   .. attribute:: props.length
      :type: int

      The type of the None singleton.















Fields
------

.. rst-class:: interim-class

.. class:: CertificateChain
   :no-index:
   

   .. attribute:: parent

      






   .. attribute:: pv