since: 2.30


g_tls_database_verify_chain (
  GTlsDatabase* self,
  GTlsCertificate* chain,
  const gchar* purpose,
  GSocketConnectable* identity,
  GTlsInteraction* interaction,
  GTlsDatabaseVerifyFlags flags,
  GCancellable* cancellable,
  GError** error


Determines the validity of a certificate chain, outside the context of a TLS session.

chain is a chain of GTlsCertificate objects each pointing to the next certificate in the chain by its GTlsCertificate:issuer property.

purpose describes the purpose (or usage) for which the certificate is being used. Typically purpose will be set to G_TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER which means that the certificate is being used to authenticate a server (and we are acting as the client).

The identity is used to ensure the server certificate is valid for the expected peer identity. If the identity does not match the certificate, G_TLS_CERTIFICATE_BAD_IDENTITY will be set in the return value. If identity is NULL, that bit will never be set in the return value. The peer identity may also be used to check for pinned certificates (trust exceptions) in the database. These may override the normal verification process on a host-by-host basis.

Currently there are no flags, and G_TLS_DATABASE_VERIFY_NONE should be used.

If chain is found to be valid, then the return value will be 0. If chain is found to be invalid, then the return value will indicate at least one problem found. If the function is unable to determine whether chain is valid (for example, because cancellable is triggered before it completes) then the return value will be G_TLS_CERTIFICATE_GENERIC_ERROR and error will be set accordingly. error is not set when chain is successfully analyzed but found to be invalid.

GLib guarantees that if certificate verification fails, at least one error will be set in the return value, but it does not guarantee that all possible errors will be set. Accordingly, you may not safely decide to ignore any particular type of error. For example, it would be incorrect to mask G_TLS_CERTIFICATE_EXPIRED if you want to allow expired certificates, because this could potentially be the only error flag set even if other problems exist with the certificate.

Prior to GLib 2.48, GLib’s default TLS backend modified chain to represent the certification path built by GTlsDatabase during certificate verification by adjusting the GTlsCertificate:issuer property of each certificate in chain. Since GLib 2.48, this no longer occurs, so you cannot rely on GTlsCertificate:issuer to represent the actual certification path used during certificate verification.

Because TLS session context is not used, GTlsDatabase may not perform as many checks on the certificates as GTlsConnection would. For example, certificate constraints may not be honored, and revocation checks may not be performed. The best way to verify TLS certificates used by a TLS connection is to let GTlsConnection handle the verification.

The TLS backend may attempt to look up and add missing certificates to the chain. This may involve HTTP requests to download missing certificates.

This function can block. Use g_tls_database_verify_chain_async() to perform the verification operation asynchronously.

Available since: 2.30



Type: GTlsCertificate

A GTlsCertificate chain.

The data is owned by the caller of the function.

Type: const gchar*

The purpose that this certificate chain will be used for.

The data is owned by the caller of the function.
The value is a NUL terminated UTF-8 string.

Type: GSocketConnectable

The expected peer identity.

The argument can be NULL.
The data is owned by the caller of the function.

Type: GTlsInteraction

Used to interact with the user if necessary.

The argument can be NULL.
The data is owned by the caller of the function.

Type: GTlsDatabaseVerifyFlags

Additional verify flags.


Type: GCancellable

A GCancellable, or NULL.

The argument can be NULL.
The data is owned by the caller of the function.

Type: GError **

The return location for a recoverable error.

The argument can be NULL.
If the return location is not NULL, then you must initialize it to a NULL GError*.
The argument will left initialized to NULL by the method if there are no errors.
In case of error, the argument will be set to a newly allocated GError; the caller will take ownership of the data, and be responsible for freeing it.

Return value

Type: GTlsCertificateFlags

The appropriate GTlsCertificateFlags which represents the result of verification.