Merge branch 'tls-connection'

13 files changed, 2153 insertions, 3 deletions

diff --git a/libempathy/Makefile.am b/libempathy/Makefile.am
index 94bbabe77..9b0dcfb92 100644
--- a/libempathy/Makefile.am
+++ b/libempathy/Makefile.am
@@ -26,6 +26,7 @@ noinst_LTLIBRARIES = libempathy.la
 
 libempathy_headers =				\
 	empathy-account-settings.h		\
+	empathy-auth-factory.h			\
 	empathy-call-factory.h			\
 	empathy-call-handler.h			\
 	empathy-chatroom-manager.h		\
@@ -48,8 +49,11 @@ libempathy_headers =				\
 	empathy-irc-server.h			\
 	empathy-location.h			\
 	empathy-message.h			\
+	empathy-server-tls-handler.h		\
 	empathy-status-presets.h		\
 	empathy-time.h				\
+	empathy-tls-certificate.h		\
+	empathy-tls-verifier.h			\
 	empathy-tp-call.h			\
 	empathy-tp-chat.h			\
 	empathy-tp-contact-factory.h		\
@@ -62,6 +66,7 @@ libempathy_headers =				\
 libempathy_la_SOURCES =					\
 	$(libempathy_headers)				\
 	empathy-account-settings.c			\
+	empathy-auth-factory.c				\
 	empathy-call-factory.c				\
 	empathy-call-handler.c				\
 	empathy-chatroom-manager.c			\
@@ -82,8 +87,11 @@ libempathy_la_SOURCES =					\
 	empathy-irc-network.c				\
 	empathy-irc-server.c				\
 	empathy-message.c				\
+	empathy-server-tls-handler.c			\
 	empathy-status-presets.c			\
 	empathy-time.c					\
+	empathy-tls-certificate.c			\
+	empathy-tls-verifier.c				\
 	empathy-tp-call.c				\
 	empathy-tp-chat.c				\
 	empathy-tp-contact-factory.c			\
diff --git a/libempathy/empathy-auth-factory.c b/libempathy/empathy-auth-factory.c
new file mode 100644
index 000000000..5a8f9f9f7
--- /dev/null
+++ b/libempathy/empathy-auth-factory.c
@@ -0,0 +1,251 @@
+/*
+ * empathy-auth-factory.c - Source for EmpathyAuthFactory
+ * Copyright (C) 2010 Collabora Ltd.
+ * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#include "empathy-auth-factory.h"
+
+#include <telepathy-glib/interfaces.h>
+#include <telepathy-glib/simple-handler.h>
+#include <telepathy-glib/util.h>
+
+#define DEBUG_FLAG EMPATHY_DEBUG_TLS
+#include "empathy-debug.h"
+#include "empathy-server-tls-handler.h"
+#include "empathy-utils.h"
+
+#include "extensions/extensions.h"
+
+G_DEFINE_TYPE (EmpathyAuthFactory, empathy_auth_factory, G_TYPE_OBJECT);
+
+typedef struct {
+  TpBaseClient *handler;
+  TpHandleChannelsContext *context;
+
+  gboolean dispose_run;
+} EmpathyAuthFactoryPriv;
+
+enum {
+  NEW_SERVER_TLS_HANDLER,
+  LAST_SIGNAL,
+};
+
+static guint signals[LAST_SIGNAL] = { 0, };
+
+#define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyAuthFactory)
+
+static EmpathyAuthFactory *auth_factory_singleton = NULL;
+
+static void
+server_tls_handler_ready_cb (GObject *source,
+    GAsyncResult *res,
+    gpointer user_data)
+{
+  EmpathyServerTLSHandler *handler;
+  GError *error = NULL;
+  EmpathyAuthFactory *self = user_data;
+  EmpathyAuthFactoryPriv *priv = GET_PRIV (self);
+
+  handler = empathy_server_tls_handler_new_finish (res, &error);
+
+  if (error != NULL)
+    {
+      DEBUG ("Failed to create a server TLS handler; error %s",
+          error->message);
+      tp_handle_channels_context_fail (priv->context, error);
+
+      g_error_free (error);
+    }
+  else
+    {
+      tp_handle_channels_context_accept (priv->context);
+      g_signal_emit (self, signals[NEW_SERVER_TLS_HANDLER], 0,
+          handler);
+
+      g_object_unref (handler);
+    }
+
+  tp_clear_object (&priv->context);
+}
+
+static void
+handle_channels_cb (TpSimpleHandler *handler,
+    TpAccount *account,
+    TpConnection *connection,
+    GList *channels,
+    GList *requests_satisfied,
+    gint64 user_action_time,
+    TpHandleChannelsContext *context,
+    gpointer user_data)
+{
+  TpChannel *channel;
+  const GError *dbus_error;
+  GError *error = NULL;
+  EmpathyAuthFactory *self = user_data;
+  EmpathyAuthFactoryPriv *priv = GET_PRIV (self);
+
+  DEBUG ("Handle TLS carrier channels.");
+
+  /* there can't be more than one ServerTLSConnection channels
+   * at the same time, for the same connection/account.
+   */
+  if (g_list_length (channels) != 1)
+    {
+      g_set_error_literal (&error, TP_ERROR, TP_ERROR_INVALID_ARGUMENT,
+          "Can't handle more than one ServerTLSConnection channel "
+          "for the same connection.");
+
+      goto error;
+    }
+
+  channel = channels->data;
+
+  if (tp_channel_get_channel_type_id (channel) !=
+      EMP_IFACE_QUARK_CHANNEL_TYPE_SERVER_TLS_CONNECTION)
+    {
+      g_set_error (&error, TP_ERROR, TP_ERROR_INVALID_ARGUMENT,
+          "Can only handle ServerTLSConnection channels, this was a %s "
+          "channel", tp_channel_get_channel_type (channel));
+
+      goto error;
+    }
+
+  dbus_error = tp_proxy_get_invalidated (channel);
+
+  if (dbus_error != NULL)
+    {
+      error = g_error_copy (dbus_error);
+      goto error;
+    }
+
+  /* create a handler */
+  priv->context = g_object_ref (context);
+  tp_handle_channels_context_delay (context);
+  empathy_server_tls_handler_new_async (channel, server_tls_handler_ready_cb,
+      self);
+
+  return;
+
+ error:
+  tp_handle_channels_context_fail (context, error);
+  g_clear_error (&error);
+}
+
+static GObject *
+empathy_auth_factory_constructor (GType type,
+    guint n_params,
+    GObjectConstructParam *params)
+{
+  GObject *retval;
+
+  if (auth_factory_singleton != NULL)
+    {
+      retval = g_object_ref (auth_factory_singleton);
+    }
+  else
+    {
+      retval = G_OBJECT_CLASS (empathy_auth_factory_parent_class)->constructor
+        (type, n_params, params);
+
+      auth_factory_singleton = EMPATHY_AUTH_FACTORY (retval);
+      g_object_add_weak_pointer (retval, (gpointer *) &auth_factory_singleton);
+    }
+
+  return retval;
+}
+
+static void
+empathy_auth_factory_init (EmpathyAuthFactory *self)
+{
+  EmpathyAuthFactoryPriv *priv = G_TYPE_INSTANCE_GET_PRIVATE (self,
+      EMPATHY_TYPE_AUTH_FACTORY, EmpathyAuthFactoryPriv);
+  TpDBusDaemon *bus;
+  GError *error = NULL;
+
+  self->priv = priv;
+
+  bus = tp_dbus_daemon_dup (&error);
+  if (error != NULL)
+    {
+      g_critical ("Failed to get TpDBusDaemon: %s", error->message);
+      g_error_free (error);
+      return;
+    }
+
+  priv->handler = tp_simple_handler_new (bus, FALSE, FALSE, "Empathy.Auth",
+      FALSE, handle_channels_cb, self, NULL);
+
+  tp_base_client_take_handler_filter (priv->handler, tp_asv_new (
+          TP_PROP_CHANNEL_CHANNEL_TYPE, G_TYPE_STRING,
+          EMP_IFACE_CHANNEL_TYPE_SERVER_TLS_CONNECTION,
+          TP_PROP_CHANNEL_TARGET_HANDLE_TYPE, G_TYPE_UINT,
+          TP_HANDLE_TYPE_NONE, NULL));
+
+  g_object_unref (bus);
+}
+
+static void
+empathy_auth_factory_dispose (GObject *object)
+{
+  EmpathyAuthFactoryPriv *priv = GET_PRIV (object);
+
+  if (priv->dispose_run)
+    return;
+
+  priv->dispose_run = TRUE;
+
+  tp_clear_object (&priv->handler);
+  tp_clear_object (&priv->context);
+
+  G_OBJECT_CLASS (empathy_auth_factory_parent_class)->dispose (object);
+}
+
+static void
+empathy_auth_factory_class_init (EmpathyAuthFactoryClass *klass)
+{
+  GObjectClass *oclass = G_OBJECT_CLASS (klass);
+
+  oclass->constructor = empathy_auth_factory_constructor;
+  oclass->dispose = empathy_auth_factory_dispose;
+
+  g_type_class_add_private (klass, sizeof (EmpathyAuthFactoryPriv));
+
+  signals[NEW_SERVER_TLS_HANDLER] =
+    g_signal_new ("new-server-tls-handler",
+      G_TYPE_FROM_CLASS (klass),
+      G_SIGNAL_RUN_LAST, 0,
+      NULL, NULL,
+      g_cclosure_marshal_VOID__OBJECT,
+      G_TYPE_NONE,
+      1, EMPATHY_TYPE_SERVER_TLS_HANDLER);
+}
+
+EmpathyAuthFactory *
+empathy_auth_factory_dup_singleton (void)
+{
+  return g_object_new (EMPATHY_TYPE_AUTH_FACTORY, NULL);
+}
+
+gboolean
+empathy_auth_factory_register (EmpathyAuthFactory *self,
+    GError **error)
+{
+  EmpathyAuthFactoryPriv *priv = GET_PRIV (self);
+
+  return tp_base_client_register (priv->handler, error);
+}
diff --git a/libempathy/empathy-auth-factory.h b/libempathy/empathy-auth-factory.h
new file mode 100644
index 000000000..507f69b95
--- /dev/null
+++ b/libempathy/empathy-auth-factory.h
@@ -0,0 +1,66 @@
+/*
+ * empathy-auth-factory.h - Header for EmpathyAuthFactory
+ * Copyright (C) 2010 Collabora Ltd.
+ * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#ifndef __EMPATHY_AUTH_FACTORY_H__
+#define __EMPATHY_AUTH_FACTORY_H__
+
+#include <glib-object.h>
+
+G_BEGIN_DECLS
+
+typedef struct _EmpathyAuthFactory EmpathyAuthFactory;
+typedef struct _EmpathyAuthFactoryClass EmpathyAuthFactoryClass;
+
+struct _EmpathyAuthFactoryClass {
+    GObjectClass parent_class;
+};
+
+struct _EmpathyAuthFactory {
+    GObject parent;
+    gpointer priv;
+};
+
+GType empathy_auth_factory_get_type (void);
+
+/* TYPE MACROS */
+#define EMPATHY_TYPE_AUTH_FACTORY \
+  (empathy_auth_factory_get_type ())
+#define EMPATHY_AUTH_FACTORY(obj) \
+  (G_TYPE_CHECK_INSTANCE_CAST((obj), EMPATHY_TYPE_AUTH_FACTORY, \
+    EmpathyAuthFactory))
+#define EMPATHY_AUTH_FACTORY_CLASS(klass) \
+  (G_TYPE_CHECK_CLASS_CAST((klass), EMPATHY_TYPE_AUTH_FACTORY, \
+    EmpathyAuthFactoryClass))
+#define EMPATHY_IS_AUTH_FACTORY(obj) \
+  (G_TYPE_CHECK_INSTANCE_TYPE((obj), EMPATHY_TYPE_AUTH_FACTORY))
+#define EMPATHY_IS_AUTH_FACTORY_CLASS(klass) \
+  (G_TYPE_CHECK_CLASS_TYPE((klass), EMPATHY_TYPE_AUTH_FACTORY))
+#define EMPATHY_AUTH_FACTORY_GET_CLASS(obj) \
+  (G_TYPE_INSTANCE_GET_CLASS ((obj), EMPATHY_TYPE_AUTH_FACTORY, \
+    EmpathyAuthFactoryClass))
+
+EmpathyAuthFactory * empathy_auth_factory_dup_singleton (void);
+
+gboolean empathy_auth_factory_register (EmpathyAuthFactory *self,
+    GError **error);
+
+G_END_DECLS
+
+#endif /* #ifndef __EMPATHY_AUTH_FACTORY_H__*/
diff --git a/libempathy/empathy-debug.c b/libempathy/empathy-debug.c
index 1f29259fd..dd507bc42 100644
--- a/libempathy/empathy-debug.c
+++ b/libempathy/empathy-debug.c
@@ -52,6 +52,7 @@ static GDebugKey keys[] = {
   { "ImportMc4Accounts", EMPATHY_DEBUG_IMPORT_MC4_ACCOUNTS },
   { "Tests", EMPATHY_DEBUG_TESTS },
   { "Voip", EMPATHY_DEBUG_VOIP },
+  { "Tls", EMPATHY_DEBUG_TLS },
   { 0, }
 };
 
diff --git a/libempathy/empathy-debug.h b/libempathy/empathy-debug.h
index 0a5c3f697..ece3af73c 100644
--- a/libempathy/empathy-debug.h
+++ b/libempathy/empathy-debug.h
@@ -46,6 +46,7 @@ typedef enum
   EMPATHY_DEBUG_IMPORT_MC4_ACCOUNTS = 1 << 11,
   EMPATHY_DEBUG_TESTS = 1 << 12,
   EMPATHY_DEBUG_VOIP = 1 << 13,
+  EMPATHY_DEBUG_TLS = 1 << 14,
 } EmpathyDebugFlags;
 
 gboolean empathy_debug_flag_is_set (EmpathyDebugFlags flag);
diff --git a/libempathy/empathy-server-tls-handler.c b/libempathy/empathy-server-tls-handler.c
new file mode 100644
index 000000000..6180fefea
--- /dev/null
+++ b/libempathy/empathy-server-tls-handler.c
@@ -0,0 +1,290 @@
+/*
+ * empathy-server-tls-handler.c - Source for EmpathyServerTLSHandler
+ * Copyright (C) 2010 Collabora Ltd.
+ * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#include "empathy-server-tls-handler.h"
+
+#include <telepathy-glib/util.h>
+
+#define DEBUG_FLAG EMPATHY_DEBUG_TLS
+#include "empathy-debug.h"
+#include "empathy-tls-certificate.h"
+#include "empathy-utils.h"
+
+#include "extensions/extensions.h"
+
+static void async_initable_iface_init (GAsyncInitableIface *iface);
+
+enum {
+  PROP_CHANNEL = 1,
+  PROP_TLS_CERTIFICATE,
+  PROP_HOSTNAME,
+  LAST_PROPERTY,
+};
+
+typedef struct {
+  TpChannel *channel;
+
+  EmpathyTLSCertificate *certificate;
+  gchar *hostname;
+
+  GSimpleAsyncResult *async_init_res;
+} EmpathyServerTLSHandlerPriv;
+
+G_DEFINE_TYPE_WITH_CODE (EmpathyServerTLSHandler, empathy_server_tls_handler,
+    G_TYPE_OBJECT,
+    G_IMPLEMENT_INTERFACE (G_TYPE_ASYNC_INITABLE, async_initable_iface_init));
+
+#define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyServerTLSHandler);
+
+static void
+tls_certificate_prepared_cb (GObject *source,
+    GAsyncResult *result,
+    gpointer user_data)
+{
+  EmpathyTLSCertificate *certificate = EMPATHY_TLS_CERTIFICATE (source);
+  EmpathyServerTLSHandler *self = user_data;
+  GError *error = NULL;
+  EmpathyServerTLSHandlerPriv *priv = GET_PRIV (self);
+
+  empathy_tls_certificate_prepare_finish (certificate, result, &error);
+
+  if (error != NULL)
+    {
+      g_simple_async_result_set_from_error (priv->async_init_res, error);
+      g_error_free (error);
+    }
+
+  g_simple_async_result_complete_in_idle (priv->async_init_res);
+  tp_clear_object (&priv->async_init_res);
+}
+
+static gboolean
+tls_handler_init_finish (GAsyncInitable *initable,
+    GAsyncResult *res,
+    GError **error)
+{
+  gboolean retval = TRUE;
+
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (res),
+          error))
+    retval = FALSE;
+
+  return retval;
+}
+
+static void
+tls_handler_init_async (GAsyncInitable *initable,
+    gint io_priority,
+    GCancellable *cancellable,
+    GAsyncReadyCallback callback,
+    gpointer user_data)
+{
+  GHashTable *properties;
+  const gchar *cert_object_path;
+  const gchar *hostname;
+  const gchar *bus_name;
+  TpDBusDaemon *dbus;
+  GError *error = NULL;
+  EmpathyServerTLSHandler *self = EMPATHY_SERVER_TLS_HANDLER (initable);
+  EmpathyServerTLSHandlerPriv *priv = GET_PRIV (self);
+
+  g_assert (priv->channel != NULL);
+
+  priv->async_init_res = g_simple_async_result_new (G_OBJECT (self),
+      callback, user_data, empathy_server_tls_handler_new_async);
+  properties = tp_channel_borrow_immutable_properties (priv->channel);
+
+  hostname = tp_asv_get_string (properties,
+      EMP_IFACE_CHANNEL_TYPE_SERVER_TLS_CONNECTION ".Hostname");
+  priv->hostname = g_strdup (hostname);
+
+  DEBUG ("Received hostname: %s", hostname);
+
+  cert_object_path = tp_asv_get_object_path (properties,
+      EMP_IFACE_CHANNEL_TYPE_SERVER_TLS_CONNECTION ".ServerCertificate");
+  bus_name = tp_proxy_get_bus_name (TP_PROXY (priv->channel));
+  dbus = tp_proxy_get_dbus_daemon (TP_PROXY (priv->channel));
+
+  DEBUG ("Creating an EmpathyTLSCertificate for path %s, bus name %s",
+      cert_object_path, bus_name);
+
+  priv->certificate = empathy_tls_certificate_new (dbus, bus_name,
+      cert_object_path, &error);
+
+  if (error != NULL)
+    {
+      DEBUG ("Unable to create the EmpathyTLSCertificate: error %s",
+          error->message);
+
+      g_simple_async_result_set_from_error (priv->async_init_res, error);
+      g_simple_async_result_complete_in_idle (priv->async_init_res);
+
+      g_error_free (error);
+      tp_clear_object (&priv->async_init_res);
+
+      return;
+    }
+
+  empathy_tls_certificate_prepare_async (priv->certificate,
+      tls_certificate_prepared_cb, self);
+}
+
+static void
+async_initable_iface_init (GAsyncInitableIface *iface)
+{
+  iface->init_async = tls_handler_init_async;
+  iface->init_finish = tls_handler_init_finish;
+}
+
+static void
+empathy_server_tls_handler_finalize (GObject *object)
+{
+  EmpathyServerTLSHandlerPriv *priv = GET_PRIV (object);
+
+  DEBUG ("%p", object);
+
+  tp_clear_object (&priv->channel);
+  tp_clear_object (&priv->certificate);
+
+  G_OBJECT_CLASS (empathy_server_tls_handler_parent_class)->finalize (object);
+}
+
+static void
+empathy_server_tls_handler_get_property (GObject *object,
+    guint property_id,
+    GValue *value,
+    GParamSpec *pspec)
+{
+  EmpathyServerTLSHandlerPriv *priv = GET_PRIV (object);
+
+  switch (property_id)
+    {
+    case PROP_CHANNEL:
+      g_value_set_object (value, priv->channel);
+      break;
+    case PROP_TLS_CERTIFICATE:
+      g_value_set_object (value, priv->certificate);
+      break;
+    case PROP_HOSTNAME:
+      g_value_set_string (value, priv->hostname);
+      break;
+    default:
+      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
+      break;
+    }
+}
+
+static void
+empathy_server_tls_handler_set_property (GObject *object,
+    guint property_id,
+    const GValue *value,
+    GParamSpec *pspec)
+{
+  EmpathyServerTLSHandlerPriv *priv = GET_PRIV (object);
+
+  switch (property_id)
+    {
+    case PROP_CHANNEL:
+      priv->channel = g_value_dup_object (value);
+      break;
+    default:
+      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
+      break;
+    }
+}
+
+static void
+empathy_server_tls_handler_class_init (EmpathyServerTLSHandlerClass *klass)
+{
+  GObjectClass *oclass = G_OBJECT_CLASS (klass);
+  GParamSpec *pspec;
+
+  oclass->get_property = empathy_server_tls_handler_get_property;
+  oclass->set_property = empathy_server_tls_handler_set_property;
+  oclass->finalize = empathy_server_tls_handler_finalize;
+
+  g_type_class_add_private (klass, sizeof (EmpathyServerTLSHandlerPriv));
+
+  pspec = g_param_spec_object ("channel", "The TpChannel",
+      "The TpChannel this handler is supposed to handle.",
+      TP_TYPE_CHANNEL,
+      G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY | G_PARAM_STATIC_STRINGS);
+  g_object_class_install_property (oclass, PROP_CHANNEL, pspec);
+
+  pspec = g_param_spec_object ("certificate", "The EmpathyTLSCertificate",
+      "The EmpathyTLSCertificate carried by the channel.",
+      EMPATHY_TYPE_TLS_CERTIFICATE,
+      G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
+  g_object_class_install_property (oclass, PROP_TLS_CERTIFICATE, pspec);
+
+  pspec = g_param_spec_string ("hostname", "The hostname",
+      "The hostname which should be certified by the server certificate.",
+      NULL,
+      G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
+  g_object_class_install_property (oclass, PROP_HOSTNAME, pspec);
+}
+
+static void
+empathy_server_tls_handler_init (EmpathyServerTLSHandler *self)
+{
+  self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self,
+      EMPATHY_TYPE_SERVER_TLS_HANDLER, EmpathyServerTLSHandlerPriv);
+}
+
+void
+empathy_server_tls_handler_new_async (TpChannel *channel,
+    GAsyncReadyCallback callback,
+    gpointer user_data)
+{
+  g_assert (TP_IS_CHANNEL (channel));
+  g_assert (channel != NULL);
+
+  g_async_initable_new_async (EMPATHY_TYPE_SERVER_TLS_HANDLER,
+      G_PRIORITY_DEFAULT, NULL, callback, user_data,
+      "channel", channel, NULL);
+}
+
+EmpathyServerTLSHandler *
+empathy_server_tls_handler_new_finish (GAsyncResult *result,
+    GError **error)
+{
+  GObject *object, *source_object;
+
+  source_object = g_async_result_get_source_object (result);
+
+  object = g_async_initable_new_finish (G_ASYNC_INITABLE (source_object),
+      result, error);
+  g_object_unref (source_object);
+
+  if (object != NULL)
+    return EMPATHY_SERVER_TLS_HANDLER (object);
+  else
+    return NULL;
+}
+
+EmpathyTLSCertificate *
+empathy_server_tls_handler_get_certificate (EmpathyServerTLSHandler *self)
+{
+  EmpathyServerTLSHandlerPriv *priv = GET_PRIV (self);
+
+  g_assert (priv->certificate != NULL);
+
+  return priv->certificate;
+}
diff --git a/libempathy/empathy-server-tls-handler.h b/libempathy/empathy-server-tls-handler.h
new file mode 100644
index 000000000..1fae98b0a
--- /dev/null
+++ b/libempathy/empathy-server-tls-handler.h
@@ -0,0 +1,73 @@
+/*
+ * empathy-server-tls-handler.h - Header for EmpathyServerTLSHandler
+ * Copyright (C) 2010 Collabora Ltd.
+ * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#ifndef __EMPATHY_SERVER_TLS_HANDLER_H__
+#define __EMPATHY_SERVER_TLS_HANDLER_H__
+
+#include <glib-object.h>
+#include <gio/gio.h>
+
+#include <telepathy-glib/channel.h>
+
+#include <libempathy/empathy-tls-certificate.h>
+
+G_BEGIN_DECLS
+
+typedef struct _EmpathyServerTLSHandler EmpathyServerTLSHandler;
+typedef struct _EmpathyServerTLSHandlerClass EmpathyServerTLSHandlerClass;
+
+struct _EmpathyServerTLSHandlerClass {
+    GObjectClass parent_class;
+};
+
+struct _EmpathyServerTLSHandler {
+    GObject parent;
+    gpointer priv;
+};
+
+GType empathy_server_tls_handler_get_type (void);
+
+#define EMPATHY_TYPE_SERVER_TLS_HANDLER \
+  (empathy_server_tls_handler_get_type ())
+#define EMPATHY_SERVER_TLS_HANDLER(obj) \
+  (G_TYPE_CHECK_INSTANCE_CAST((obj), EMPATHY_TYPE_SERVER_TLS_HANDLER, \
+    EmpathyServerTLSHandler))
+#define EMPATHY_SERVER_TLS_HANDLER_CLASS(klass) \
+  (G_TYPE_CHECK_CLASS_CAST((klass), EMPATHY_TYPE_SERVER_TLS_HANDLER, \
+  EmpathyServerTLSHandlerClass))
+#define EMPATHY_IS_SERVER_TLS_HANDLER(obj) \
+  (G_TYPE_CHECK_INSTANCE_TYPE((obj), EMPATHY_TYPE_SERVER_TLS_HANDLER))
+#define EMPATHY_IS_SERVER_TLS_HANDLER_CLASS(klass) \
+  (G_TYPE_CHECK_CLASS_TYPE((klass), EMPATHY_TYPE_SERVER_TLS_HANDLER))
+#define EMPATHY_SERVER_TLS_HANDLER_GET_CLASS(obj) \
+  (G_TYPE_INSTANCE_GET_CLASS ((obj), EMPATHY_TYPE_SERVER_TLS_HANDLER, \
+  EmpathyServerTLSHandlerClass))
+
+void empathy_server_tls_handler_new_async (TpChannel *channel,
+    GAsyncReadyCallback callback, gpointer user_data);
+EmpathyServerTLSHandler * empathy_server_tls_handler_new_finish (
+    GAsyncResult *result, GError **error);
+
+EmpathyTLSCertificate * empathy_server_tls_handler_get_certificate (
+    EmpathyServerTLSHandler *self);
+
+G_END_DECLS
+
+#endif /* #ifndef __EMPATHY_SERVER_TLS_HANDLER_H__*/
diff --git a/libempathy/empathy-tls-certificate.c b/libempathy/empathy-tls-certificate.c
new file mode 100644
index 000000000..acb94c79d
--- /dev/null
+++ b/libempathy/empathy-tls-certificate.c
@@ -0,0 +1,537 @@
+/*
+ * empathy-tls-certificate.c - Source for EmpathyTLSCertificate
+ * Copyright (C) 2010 Collabora Ltd.
+ * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#include <config.h>
+
+#include "empathy-tls-certificate.h"
+
+#include <errno.h>
+
+#include <glib/gstdio.h>
+
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+
+#include <telepathy-glib/util.h>
+
+#define DEBUG_FLAG EMPATHY_DEBUG_TLS
+#include "empathy-debug.h"
+#include "empathy-utils.h"
+
+#include "extensions/extensions.h"
+
+enum {
+  /* proxy properties */
+  PROP_CERT_TYPE = 1,
+  PROP_CERT_DATA,
+  PROP_STATE,
+  LAST_PROPERTY,
+};
+
+typedef struct {
+  GSimpleAsyncResult *async_prepare_res;
+
+  /* TLSCertificate properties */
+  gchar *cert_type;
+  GPtrArray *cert_data;
+  EmpTLSCertificateState state;
+
+  gboolean is_prepared;
+} EmpathyTLSCertificatePriv;
+
+G_DEFINE_TYPE (EmpathyTLSCertificate, empathy_tls_certificate,
+    TP_TYPE_PROXY);
+
+#define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyTLSCertificate);
+
+static GType
+array_of_ay_get_type (void)
+{
+  static GType t = 0;
+
+  if (G_UNLIKELY (t == 0))
+    {
+      t = dbus_g_type_get_collection ("GPtrArray",
+          dbus_g_type_get_collection ("GArray",
+              G_TYPE_UCHAR));
+    }
+
+  return t;
+}
+
+static void
+tls_certificate_got_all_cb (TpProxy *proxy,
+    GHashTable *properties,
+    const GError *error,
+    gpointer user_data,
+    GObject *weak_object)
+{
+  GPtrArray *cert_data;
+  EmpathyTLSCertificate *self = EMPATHY_TLS_CERTIFICATE (weak_object);
+  EmpathyTLSCertificatePriv *priv = GET_PRIV (self);
+
+  if (error != NULL)
+    {
+      g_simple_async_result_set_from_error (priv->async_prepare_res, error);
+      g_simple_async_result_complete (priv->async_prepare_res);
+      tp_clear_object (&priv->async_prepare_res);
+
+      return;
+    }
+
+  priv->cert_type = g_strdup (tp_asv_get_string (properties,
+          "CertificateType"));
+  priv->state = tp_asv_get_uint32 (properties, "State", NULL);
+
+  cert_data = tp_asv_get_boxed (properties, "CertificateChainData",
+      array_of_ay_get_type ());
+  g_assert (cert_data != NULL);
+  priv->cert_data = g_boxed_copy (array_of_ay_get_type (), cert_data);
+
+  DEBUG ("Got a certificate chain long %u, of type %s",
+      priv->cert_data->len, priv->cert_type);
+
+  priv->is_prepared = TRUE;
+
+  g_simple_async_result_complete (priv->async_prepare_res);
+  tp_clear_object (&priv->async_prepare_res);
+}
+
+void
+empathy_tls_certificate_prepare_async (EmpathyTLSCertificate *self,
+    GAsyncReadyCallback callback,
+    gpointer user_data)
+{
+  EmpathyTLSCertificatePriv *priv = GET_PRIV (self);
+
+  /* emit an error if we're already preparing the object */
+  if (priv->async_prepare_res != NULL)
+    {
+      g_simple_async_report_error_in_idle (G_OBJECT (self),
+          callback, user_data,
+          G_IO_ERROR, G_IO_ERROR_PENDING,
+          "%s",
+          "Prepare operation already in progress on the TLS certificate.");
+
+      return;
+    }
+                     
+
+  /* if the object is already prepared, just complete in idle */
+  if (priv->is_prepared)
+    {    
+      tp_simple_async_report_success_in_idle (G_OBJECT (self),
+          callback, user_data, empathy_tls_certificate_prepare_async);
+
+      return;
+    }
+
+  priv->async_prepare_res = g_simple_async_result_new (G_OBJECT (self),
+      callback, user_data, empathy_tls_certificate_prepare_async);
+
+  /* call GetAll() on the certificate */
+  tp_cli_dbus_properties_call_get_all (self,
+      -1, EMP_IFACE_AUTHENTICATION_TLS_CERTIFICATE,
+      tls_certificate_got_all_cb, NULL, NULL,
+      G_OBJECT (self));
+}
+
+gboolean
+empathy_tls_certificate_prepare_finish (EmpathyTLSCertificate *self,
+    GAsyncResult *result,
+    GError **error)
+{
+  gboolean retval = TRUE;
+
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result),
+          error))
+    retval = FALSE;
+
+  return retval;
+}
+
+static void
+empathy_tls_certificate_finalize (GObject *object)
+{
+  EmpathyTLSCertificatePriv *priv = GET_PRIV (object);
+
+  DEBUG ("%p", object);
+
+  g_free (priv->cert_type);
+  tp_clear_boxed (array_of_ay_get_type (), &priv->cert_data);
+
+  G_OBJECT_CLASS (empathy_tls_certificate_parent_class)->finalize (object);
+}
+
+static void
+empathy_tls_certificate_get_property (GObject *object,
+    guint property_id,
+    GValue *value,
+    GParamSpec *pspec)
+{
+  EmpathyTLSCertificatePriv *priv = GET_PRIV (object);
+
+  switch (property_id)
+    {
+    case PROP_CERT_TYPE:
+      g_value_set_string (value, priv->cert_type);
+      break;
+    case PROP_CERT_DATA:
+      g_value_set_boxed (value, priv->cert_data);
+      break;
+    case PROP_STATE:
+      g_value_set_uint (value, priv->state);
+      break;
+    default:
+      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
+      break;
+    }
+}
+
+static void
+empathy_tls_certificate_init (EmpathyTLSCertificate *self)
+{
+  self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self,
+      EMPATHY_TYPE_TLS_CERTIFICATE, EmpathyTLSCertificatePriv);
+}
+
+static void
+empathy_tls_certificate_class_init (EmpathyTLSCertificateClass *klass)
+{
+  GParamSpec *pspec;
+  GObjectClass *oclass = G_OBJECT_CLASS (klass);
+  TpProxyClass *pclass = TP_PROXY_CLASS (klass);
+
+  oclass->get_property = empathy_tls_certificate_get_property;
+  oclass->finalize = empathy_tls_certificate_finalize;
+
+  pclass->interface = EMP_IFACE_QUARK_AUTHENTICATION_TLS_CERTIFICATE;
+  pclass->must_have_unique_name = TRUE;
+
+  g_type_class_add_private (klass, sizeof (EmpathyTLSCertificatePriv));
+
+  pspec = g_param_spec_string ("cert-type", "Certificate type",
+      "The type of this certificate.",
+      NULL,
+      G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
+  g_object_class_install_property (oclass, PROP_CERT_TYPE, pspec);
+
+  pspec = g_param_spec_boxed ("cert-data", "Certificate chain data",
+      "The raw DER-encoded certificate chain data.",
+      array_of_ay_get_type (),
+      G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
+  g_object_class_install_property (oclass, PROP_CERT_DATA, pspec);
+
+  pspec = g_param_spec_uint ("state", "State",
+      "The state of this certificate.",
+      EMP_TLS_CERTIFICATE_STATE_PENDING, NUM_EMP_TLS_CERTIFICATE_STATES -1,
+      EMP_TLS_CERTIFICATE_STATE_PENDING,
+      G_PARAM_READABLE | G_PARAM_STATIC_STRINGS);
+  g_object_class_install_property (oclass, PROP_STATE, pspec);
+}
+
+static void
+cert_proxy_accept_cb (TpProxy *proxy,
+    const GError *error,
+    gpointer user_data,
+    GObject *weak_object)
+{
+  GSimpleAsyncResult *accept_result = user_data;
+
+  DEBUG ("Callback for accept(), error %p", error);
+
+  if (error != NULL)
+    {
+      DEBUG ("Error was %s", error->message);
+      g_simple_async_result_set_from_error (accept_result, error);
+    }
+
+  g_simple_async_result_complete (accept_result);
+}
+
+static void
+cert_proxy_reject_cb (TpProxy *proxy,
+    const GError *error,
+    gpointer user_data,
+    GObject *weak_object)
+{
+  GSimpleAsyncResult *reject_result = user_data;
+
+  DEBUG ("Callback for reject(), error %p", error);
+
+  if (error != NULL)
+    {
+      DEBUG ("Error was %s", error->message);
+      g_simple_async_result_set_from_error (reject_result, error);
+    }
+
+  g_simple_async_result_complete (reject_result);
+}
+
+static const gchar *
+reject_reason_get_dbus_error (EmpTLSCertificateRejectReason reason)
+{
+  const gchar *retval = NULL;
+
+  switch (reason)
+    {
+    case EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED:
+      retval = tp_error_get_dbus_name (TP_ERROR_CERT_UNTRUSTED);
+      break;
+    case EMP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED:
+      retval = tp_error_get_dbus_name (TP_ERROR_CERT_EXPIRED);
+      break;
+    case EMP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED:
+      retval = tp_error_get_dbus_name (TP_ERROR_CERT_NOT_ACTIVATED);
+      break;
+    case EMP_TLS_CERTIFICATE_REJECT_REASON_FINGERPRINT_MISMATCH:
+      retval = tp_error_get_dbus_name (TP_ERROR_CERT_FINGERPRINT_MISMATCH);
+      break;
+    case EMP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH:
+      retval = tp_error_get_dbus_name (TP_ERROR_CERT_HOSTNAME_MISMATCH);
+      break;
+    case EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED:
+      retval = tp_error_get_dbus_name (TP_ERROR_CERT_SELF_SIGNED);
+      break;
+    case EMP_TLS_CERTIFICATE_REJECT_REASON_REVOKED:
+      retval = tp_error_get_dbus_name (TP_ERROR_CERT_REVOKED);
+      break;
+    case EMP_TLS_CERTIFICATE_REJECT_REASON_INSECURE:
+      retval = tp_error_get_dbus_name (TP_ERROR_CERT_INSECURE);
+      break;
+    case EMP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED:
+      retval = tp_error_get_dbus_name (TP_ERROR_CERT_LIMIT_EXCEEDED);
+      break;
+    case EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN:
+    default:
+      retval = tp_error_get_dbus_name (TP_ERROR_CERT_INVALID);
+      break;
+    }
+
+  return retval;
+}
+
+EmpathyTLSCertificate *
+empathy_tls_certificate_new (TpDBusDaemon *dbus,
+    const gchar *bus_name,
+    const gchar *object_path,
+    GError **error)
+{
+  EmpathyTLSCertificate *retval = NULL;
+
+  if (!tp_dbus_check_valid_bus_name (bus_name,
+          TP_DBUS_NAME_TYPE_UNIQUE, error))
+    goto finally;
+
+  if (!tp_dbus_check_valid_object_path (object_path, error))
+    goto finally;
+
+  retval = g_object_new (EMPATHY_TYPE_TLS_CERTIFICATE,
+      "dbus-daemon", dbus,
+      "bus-name", bus_name,
+      "object-path", object_path,
+      NULL);
+
+finally:
+  if (*error != NULL)
+    DEBUG ("Error while creating the TLS certificate: %s",
+        (*error)->message);
+
+  return retval;
+}
+
+void
+empathy_tls_certificate_accept_async (EmpathyTLSCertificate *self,
+    GAsyncReadyCallback callback,
+    gpointer user_data)
+{
+  GSimpleAsyncResult *accept_result;
+
+  g_assert (EMPATHY_IS_TLS_CERTIFICATE (self));
+
+  DEBUG ("Accepting TLS certificate");
+
+  accept_result = g_simple_async_result_new (G_OBJECT (self),
+      callback, user_data, empathy_tls_certificate_accept_async);
+
+  emp_cli_authentication_tls_certificate_call_accept (TP_PROXY (self),
+      -1, cert_proxy_accept_cb,
+      accept_result, g_object_unref,
+      G_OBJECT (self));
+}
+
+gboolean
+empathy_tls_certificate_accept_finish (EmpathyTLSCertificate *self,
+    GAsyncResult *result,
+    GError **error)
+{
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result),
+          error))
+    return FALSE;
+
+  return TRUE;
+}
+
+void
+empathy_tls_certificate_reject_async (EmpathyTLSCertificate *self,
+    EmpTLSCertificateRejectReason reason,
+    GHashTable *details,
+    GAsyncReadyCallback callback,
+    gpointer user_data)
+{
+  const gchar *dbus_error;
+  GSimpleAsyncResult *reject_result;
+
+  g_assert (EMPATHY_IS_TLS_CERTIFICATE (self));
+
+  DEBUG ("Rejecting TLS certificate with reason %u", reason);
+
+  dbus_error = reject_reason_get_dbus_error (reason);
+  reject_result = g_simple_async_result_new (G_OBJECT (self),
+      callback, user_data, empathy_tls_certificate_reject_async);
+
+  emp_cli_authentication_tls_certificate_call_reject (TP_PROXY (self),
+      -1, reason, dbus_error, details, cert_proxy_reject_cb,
+      reject_result, g_object_unref, G_OBJECT (self));
+}
+
+gboolean
+empathy_tls_certificate_reject_finish (EmpathyTLSCertificate *self,
+    GAsyncResult *result,
+    GError **error)
+{
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (result),
+          error))
+    return FALSE;
+
+  return TRUE;
+}
+
+static gsize
+get_exported_size (gnutls_x509_crt_t cert)
+{
+  gsize retval;
+  guchar fake;
+
+  /* fake an export so we get the size to allocate */
+  gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_PEM,
+      &fake, &retval);
+
+  DEBUG ("Should allocate %lu bytes", (gulong) retval);
+
+  return retval;
+}
+
+void
+empathy_tls_certificate_store_ca (EmpathyTLSCertificate *self)
+{
+  GArray *last_cert;
+  gnutls_x509_crt_t cert;
+  gnutls_datum_t datum = { NULL, 0 };
+  gsize exported_len;
+  guchar *exported_cert = NULL;
+  gint res;
+  gchar *user_certs_dir = NULL, *filename = NULL, *path = NULL;
+  GError *error = NULL;
+  EmpathyTLSCertificatePriv *priv = GET_PRIV (self);
+
+  last_cert = g_ptr_array_index (priv->cert_data, priv->cert_data->len - 1);
+  datum.data = (guchar *) last_cert->data;
+  datum.size = last_cert->len;
+
+  gnutls_x509_crt_init (&cert);
+  gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER);
+
+  /* make sure it's self-signed, otherwise it's not a CA */
+  if (gnutls_x509_crt_check_issuer (cert, cert) <= 0)
+    {
+      DEBUG ("Can't import the CA, as it's not self-signed");
+      gnutls_x509_crt_deinit (cert);
+
+      return;
+    }
+
+  if (gnutls_x509_crt_get_ca_status (cert, NULL) <= 0)
+    {
+      DEBUG ("Can't import the CA, it's not a valid CA certificate");
+      gnutls_x509_crt_deinit (cert);
+
+      goto out;
+    }
+
+  exported_len = get_exported_size (cert);
+  exported_cert = g_malloc (sizeof (guchar) * exported_len);
+
+  res = gnutls_x509_crt_export (cert, GNUTLS_X509_FMT_PEM,
+      exported_cert, &exported_len);
+
+  if (res < 0)
+    {
+      DEBUG ("Failed to export the CA certificate; GnuTLS returned %d", res);
+      gnutls_x509_crt_deinit (cert);
+
+      goto out;
+    }
+
+  gnutls_x509_crt_deinit (cert);
+
+  /* write the file */
+  user_certs_dir = g_build_filename (g_get_user_config_dir (),
+      "telepathy", "certs", NULL);
+
+  res = g_mkdir_with_parents (user_certs_dir, S_IRWXU | S_IRWXG);
+
+  if (res < 0)
+    {
+      DEBUG ("Failed to create the user certificate directory: %s",
+          g_strerror (errno));
+
+      goto out;
+    }
+
+  do
+    {
+      g_free (path);
+
+      filename = g_strdup_printf ("cert-%p", cert);
+      path = g_build_filename (user_certs_dir, filename, NULL);
+
+      g_free (filename);
+    }
+  while (g_file_test (path, G_FILE_TEST_EXISTS));
+
+  DEBUG ("Will save to %s", path);
+
+  g_file_set_contents (path, (const gchar *) exported_cert, exported_len,
+      &error);
+
+  if (error != NULL)
+    {
+      DEBUG ("Can't save the CA certificate to %s: %s",
+          path, error->message);
+
+      g_error_free (error);
+    }
+
+ out:
+  g_free (path);
+  g_free (exported_cert);
+  g_free (user_certs_dir);
+}
diff --git a/libempathy/empathy-tls-certificate.h b/libempathy/empathy-tls-certificate.h
new file mode 100644
index 000000000..d9dd07d44
--- /dev/null
+++ b/libempathy/empathy-tls-certificate.h
@@ -0,0 +1,95 @@
+/*
+ * empathy-tls-certificate.h - Header for EmpathyTLSCertificate
+ * Copyright (C) 2010 Collabora Ltd.
+ * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#ifndef __EMPATHY_TLS_CERTIFICATE_H__
+#define __EMPATHY_TLS_CERTIFICATE_H__
+
+#include <glib-object.h>
+#include <gio/gio.h>
+
+#include <telepathy-glib/proxy-subclass.h>
+
+#include <extensions/extensions.h>
+
+G_BEGIN_DECLS
+
+typedef struct _EmpathyTLSCertificate EmpathyTLSCertificate;
+typedef struct _EmpathyTLSCertificateClass EmpathyTLSCertificateClass;
+
+struct _EmpathyTLSCertificateClass {
+    TpProxyClass parent_class;
+};
+
+struct _EmpathyTLSCertificate {
+    TpProxy parent;
+    gpointer priv;
+};
+
+GType empathy_tls_certificate_get_type (void);
+
+#define EMPATHY_TYPE_TLS_CERTIFICATE \
+  (empathy_tls_certificate_get_type ())
+#define EMPATHY_TLS_CERTIFICATE(obj) \
+  (G_TYPE_CHECK_INSTANCE_CAST((obj), EMPATHY_TYPE_TLS_CERTIFICATE, \
+    EmpathyTLSCertificate))
+#define EMPATHY_TLS_CERTIFICATE_CLASS(klass) \
+  (G_TYPE_CHECK_CLASS_CAST((klass), EMPATHY_TYPE_TLS_CERTIFICATE, \
+  EmpathyTLSCertificateClass))
+#define EMPATHY_IS_TLS_CERTIFICATE(obj) \
+  (G_TYPE_CHECK_INSTANCE_TYPE((obj), EMPATHY_TYPE_TLS_CERTIFICATE))
+#define EMPATHY_IS_TLS_CERTIFICATE_CLASS(klass) \
+  (G_TYPE_CHECK_CLASS_TYPE((klass), EMPATHY_TYPE_TLS_CERTIFICATE))
+#define EMPATHY_TLS_CERTIFICATE_GET_CLASS(obj) \
+  (G_TYPE_INSTANCE_GET_CLASS ((obj), EMPATHY_TYPE_TLS_CERTIFICATE, \
+  EmpathyTLSCertificateClass))
+
+EmpathyTLSCertificate * empathy_tls_certificate_new (TpDBusDaemon *dbus,
+    const gchar *bus_name,
+    const gchar *object_path,
+    GError **error);
+
+void empathy_tls_certificate_prepare_async (EmpathyTLSCertificate *self,
+    GAsyncReadyCallback callback,
+    gpointer user_data);
+gboolean empathy_tls_certificate_prepare_finish (EmpathyTLSCertificate *self,
+    GAsyncResult *result,
+    GError **error);
+
+void empathy_tls_certificate_accept_async (EmpathyTLSCertificate *self,
+    GAsyncReadyCallback callback,
+    gpointer user_data);
+gboolean empathy_tls_certificate_accept_finish (EmpathyTLSCertificate *self,
+    GAsyncResult *result,
+    GError **error);
+
+void empathy_tls_certificate_reject_async (EmpathyTLSCertificate *self,
+    EmpTLSCertificateRejectReason reason,
+    GHashTable *details,
+    GAsyncReadyCallback callback,
+    gpointer user_data);
+gboolean empathy_tls_certificate_reject_finish (EmpathyTLSCertificate *self,
+    GAsyncResult *result,
+    GError **error);
+
+void empathy_tls_certificate_store_ca (EmpathyTLSCertificate *self);
+
+G_END_DECLS
+
+#endif /* #ifndef __EMPATHY_TLS_CERTIFICATE_H__*/
diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c
new file mode 100644
index 000000000..000c9a35b
--- /dev/null
+++ b/libempathy/empathy-tls-verifier.c
@@ -0,0 +1,737 @@
+/*
+ * empathy-tls-verifier.c - Source for EmpathyTLSVerifier
+ * Copyright (C) 2010 Collabora Ltd.
+ * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * Some snippets are taken from GnuTLS 2.8.6, which is distributed under the
+ * same GNU Lesser General Public License 2.1 (or later) version. See
+ * get_certified_hostname ().
+ */
+
+#include <config.h>
+
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+
+#include <telepathy-glib/util.h>
+
+#include "empathy-tls-verifier.h"
+
+#define DEBUG_FLAG EMPATHY_DEBUG_TLS
+#include "empathy-debug.h"
+#include "empathy-utils.h"
+
+G_DEFINE_TYPE (EmpathyTLSVerifier, empathy_tls_verifier,
+    G_TYPE_OBJECT)
+
+#define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyTLSVerifier);
+
+enum {
+  PROP_TLS_CERTIFICATE = 1,
+  PROP_HOSTNAME,
+
+  LAST_PROPERTY,
+};
+
+static const gchar* system_ca_paths[] = {
+  "/etc/ssl/certs/ca-certificates.crt",
+  NULL,
+};
+
+typedef struct {
+  GPtrArray *cert_chain;
+
+  GPtrArray *trusted_ca_list;
+  GPtrArray *trusted_crl_list;
+
+  EmpathyTLSCertificate *certificate;
+  gchar *hostname;
+
+  GSimpleAsyncResult *verify_result;
+  GHashTable *details;
+
+  gboolean dispose_run;
+} EmpathyTLSVerifierPriv;
+
+static gnutls_x509_crt_t *
+ptr_array_to_x509_crt_list (GPtrArray *chain)
+{
+  gnutls_x509_crt_t *retval;
+  gint idx;
+
+  retval = g_malloc0 (sizeof (gnutls_x509_crt_t) * chain->len);
+
+  for (idx = 0; idx < (gint) chain->len; idx++)
+    retval[idx] = g_ptr_array_index (chain, idx);
+
+  return retval;
+}
+
+static gboolean
+verification_output_to_reason (gint res,
+    guint verify_output,
+    EmpTLSCertificateRejectReason *reason)
+{
+  gboolean retval = TRUE;
+
+  g_assert (reason != NULL);
+
+  if (res != GNUTLS_E_SUCCESS)
+    {
+      retval = FALSE;
+
+      /* the certificate is not structurally valid */
+      switch (res)
+        {
+        case GNUTLS_E_INSUFFICIENT_CREDENTIALS:
+          *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
+          break;
+        case GNUTLS_E_CONSTRAINT_ERROR:
+          *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED;
+          break;
+        default:
+          *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
+          break;
+        }
+
+      goto out;
+    }
+
+  /* the certificate is structurally valid, check for other errors. */
+  if (verify_output & GNUTLS_CERT_INVALID)
+    {
+      retval = FALSE;
+
+      if (verify_output & GNUTLS_CERT_SIGNER_NOT_FOUND)
+        *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED;
+      else if (verify_output & GNUTLS_CERT_SIGNER_NOT_CA)
+        *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
+      else if (verify_output & GNUTLS_CERT_INSECURE_ALGORITHM)
+        *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_INSECURE;
+      else if (verify_output & GNUTLS_CERT_NOT_ACTIVATED)
+        *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED;
+      else if (verify_output & GNUTLS_CERT_EXPIRED)
+        *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED;
+      else
+        *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
+
+      goto out;
+    }
+
+ out:
+  return retval;
+}
+
+static gboolean
+verify_last_certificate (EmpathyTLSVerifier *self,
+    gnutls_x509_crt_t cert,
+    EmpTLSCertificateRejectReason *reason)
+{
+  guint verify_output;
+  gint res;
+  gnutls_x509_crt_t *trusted_ca_list;
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+  if (priv->trusted_ca_list->len > 0)
+    {
+      trusted_ca_list = ptr_array_to_x509_crt_list (priv->trusted_ca_list);
+      res = gnutls_x509_crt_verify (cert, trusted_ca_list,
+          priv->trusted_ca_list->len, 0, &verify_output);
+
+      DEBUG ("Checking last certificate %p against trusted CAs, output %u",
+          cert, verify_output);
+
+      g_free (trusted_ca_list);
+    }
+  else
+    {
+      /* check it against itself to see if it's structurally valid */
+      res = gnutls_x509_crt_verify (cert, &cert, 1, 0, &verify_output);
+
+      DEBUG ("Checking last certificate %p against itself, output %u", cert,
+          verify_output);
+
+      /* if it's valid, return the SelfSigned error, so that we can add it
+       * later to our trusted CAs whitelist.
+       */
+      if (res == GNUTLS_E_SUCCESS)
+        {
+          *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED;
+          return FALSE;
+        }
+    }
+
+  return verification_output_to_reason (res, verify_output, reason);
+}
+
+static gboolean
+verify_certificate (EmpathyTLSVerifier *self,
+    gnutls_x509_crt_t cert,
+    gnutls_x509_crt_t issuer,
+    EmpTLSCertificateRejectReason *reason)
+{
+  guint verify_output;
+  gint res;
+
+  res = gnutls_x509_crt_verify (cert, &issuer, 1, 0, &verify_output);
+
+  DEBUG ("Verifying %p against %p, output %u", cert, issuer, verify_output);
+
+  return verification_output_to_reason (res, verify_output, reason);
+}
+
+static void
+complete_verification (EmpathyTLSVerifier *self)
+{
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+  DEBUG ("Verification successful, completing...");
+
+  g_simple_async_result_complete_in_idle (priv->verify_result);
+
+  tp_clear_object (&priv->verify_result);
+}
+
+static void
+abort_verification (EmpathyTLSVerifier *self,
+    EmpTLSCertificateRejectReason reason)
+{
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+  DEBUG ("Verification error %u, aborting...", reason);
+
+  g_simple_async_result_set_error (priv->verify_result,
+      G_IO_ERROR, reason, "TLS verification failed with reason %u",
+      reason);
+  g_simple_async_result_complete_in_idle (priv->verify_result);
+
+  tp_clear_object (&priv->verify_result);
+}
+
+static gchar *
+get_certified_hostname (gnutls_x509_crt_t cert)
+{
+  gchar dns_name[256];
+  gsize dns_name_size;
+  gint idx;
+  gint res = 0;
+
+  /* this snippet is taken from GnuTLS.
+   * see gnutls/lib/x509/rfc2818_hostname.c
+   */
+  for (idx = 0; res >= 0; idx++)
+    {
+      dns_name_size = sizeof (dns_name);
+      res = gnutls_x509_crt_get_subject_alt_name (cert, idx,
+          dns_name, &dns_name_size, NULL);
+
+      if (res == GNUTLS_SAN_DNSNAME || res == GNUTLS_SAN_IPADDRESS)
+        return g_strndup (dns_name, dns_name_size);
+    }
+
+  dns_name_size = sizeof (dns_name);
+  res = gnutls_x509_crt_get_dn_by_oid (cert, GNUTLS_OID_X520_COMMON_NAME,
+      0, 0, dns_name, &dns_name_size);
+
+  if (res >= 0)
+    return g_strndup (dns_name, dns_name_size);
+
+  return NULL;
+}
+
+static void
+real_start_verification (EmpathyTLSVerifier *self)
+{
+  gnutls_x509_crt_t first_cert, last_cert;
+  gint idx;
+  gboolean res = FALSE;
+  gint num_certs;
+  EmpTLSCertificateRejectReason reason =
+    EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+  DEBUG ("Starting verification");
+
+  /* check if the certificate matches the hostname first. */
+  first_cert = g_ptr_array_index (priv->cert_chain, 0);
+  if (gnutls_x509_crt_check_hostname (first_cert, priv->hostname) == 0)
+    {
+      gchar *certified_hostname;
+
+      reason = EMP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH;
+      certified_hostname = get_certified_hostname (first_cert);
+      tp_asv_set_string (priv->details,
+          "expected-hostname", priv->hostname);
+      tp_asv_set_string (priv->details,
+          "certificate-hostname", certified_hostname);
+
+      DEBUG ("Hostname mismatch: got %s but expected %s",
+          certified_hostname, priv->hostname);
+
+      g_free (certified_hostname);
+      goto out;
+    }
+
+  DEBUG ("Hostname matched");
+
+  num_certs = priv->cert_chain->len;
+
+  if (priv->trusted_ca_list->len > 0)
+    {
+      /* if the last certificate is self-signed, and we have a list of
+       * trusted CAs, ignore it, as we want to check the chain against our
+       * trusted CAs list first.
+       */
+      last_cert = g_ptr_array_index (priv->cert_chain, num_certs - 1);
+
+      if (gnutls_x509_crt_check_issuer (last_cert, last_cert) > 0)
+        num_certs--;
+    }
+
+  for (idx = 1; idx < num_certs; idx++)
+    {
+      res = verify_certificate (self,
+          g_ptr_array_index (priv->cert_chain, idx -1),
+          g_ptr_array_index (priv->cert_chain, idx),
+          &reason);
+
+      DEBUG ("Certificate verification %d gave result %d with reason %u", idx,
+          res, reason);
+
+      if (!res)
+        {
+          abort_verification (self, reason);
+          return;
+        }
+    }
+
+  res = verify_last_certificate (self,
+      g_ptr_array_index (priv->cert_chain, num_certs - 1),
+      &reason);
+
+  DEBUG ("Last verification gave result %d with reason %u", res, reason);
+
+ out:
+  if (!res)
+    {
+      abort_verification (self, reason);
+      return;
+    }
+
+  complete_verification (self);
+}
+
+static gboolean
+start_verification (gpointer user_data)
+{
+  EmpathyTLSVerifier *self = user_data;
+
+  real_start_verification (self);
+
+  return FALSE;
+}
+
+static void
+build_gnutls_cert_list (EmpathyTLSVerifier *self)
+{
+  guint num_certs;
+  guint idx;
+  GPtrArray *certificate_data = NULL;
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+  g_object_get (priv->certificate,
+      "cert-data", &certificate_data,
+      NULL);
+  num_certs = certificate_data->len;
+
+  priv->cert_chain = g_ptr_array_new_with_free_func (
+      (GDestroyNotify) gnutls_x509_crt_deinit);
+
+  for (idx = 0; idx < num_certs; idx++)
+    {
+      gnutls_x509_crt_t cert;
+      GArray *one_cert;
+      gnutls_datum_t datum = { NULL, 0 };
+
+      one_cert = g_ptr_array_index (certificate_data, idx);
+      datum.data = (guchar *) one_cert->data;
+      datum.size = one_cert->len;
+
+      gnutls_x509_crt_init (&cert);
+      gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER);
+
+      g_ptr_array_add (priv->cert_chain, cert);
+    }
+}
+
+static gint
+get_number_and_type_of_certificates (gnutls_datum_t *datum,
+    gnutls_x509_crt_fmt_t *format)
+{
+  gnutls_x509_crt_t fake;
+  guint retval = 1;
+  gint res;
+
+  res = gnutls_x509_crt_list_import (&fake, &retval, datum,
+      GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
+
+  if (res == GNUTLS_E_SHORT_MEMORY_BUFFER || res > 0)
+    {
+      DEBUG ("Found PEM, with %u certificates", retval);
+      *format = GNUTLS_X509_FMT_PEM;
+      return retval;
+    }
+
+  /* try DER */
+  res = gnutls_x509_crt_list_import (&fake, &retval, datum,
+      GNUTLS_X509_FMT_DER, 0);
+
+  if (res > 0)
+    {
+      *format = GNUTLS_X509_FMT_DER;
+      return retval;
+    }
+
+  return res;
+}
+
+static gboolean
+build_gnutls_ca_and_crl_lists (GIOSchedulerJob *job,
+    GCancellable *cancellable,
+    gpointer user_data)
+{
+  gint idx;
+  gchar *user_certs_dir;
+  GDir *dir;
+  GError *error = NULL;
+  EmpathyTLSVerifier *self = user_data;
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+  priv->trusted_ca_list = g_ptr_array_new_with_free_func
+    ((GDestroyNotify) gnutls_x509_crt_deinit);
+
+  for (idx = 0; idx < (gint) G_N_ELEMENTS (system_ca_paths) - 1; idx++)
+    {
+      const gchar *path;
+      gchar *contents = NULL;
+      gsize length = 0;
+      gint res, n_certs;
+      gnutls_x509_crt_t *cert_list;
+      gnutls_datum_t datum = { NULL, 0 };
+      gnutls_x509_crt_fmt_t format = 0;
+
+      path = system_ca_paths[idx];
+      g_file_get_contents (path, &contents, &length, &error);
+
+      if (error != NULL)
+        {
+          DEBUG ("Unable to read system CAs from path %s: %s", path,
+              error->message);
+          g_clear_error (&error);
+          continue;
+        }
+
+      datum.data = (guchar *) contents;
+      datum.size = length;
+      n_certs = get_number_and_type_of_certificates (&datum, &format);
+
+      if (n_certs < 0)
+        {
+          DEBUG ("Unable to parse the system CAs from path %s: GnuTLS "
+              "returned error %d", path, n_certs);
+
+          g_free (contents);
+          continue;
+        }
+
+      cert_list = g_malloc0 (sizeof (gnutls_x509_crt_t) * n_certs);
+      res = gnutls_x509_crt_list_import (cert_list, (guint *) &n_certs, &datum,
+          format, 0);
+
+      if (res < 0)
+        {
+          DEBUG ("Unable to import system CAs from path %s; "
+              "GnuTLS returned error %d", path, res);
+
+          g_free (contents);
+          continue;
+        }
+
+      DEBUG ("Successfully imported %d system CA certificates from path %s",
+          n_certs, path);
+
+      /* append the newly created cert structutes into the global GPtrArray */
+      for (idx = 0; idx < n_certs; idx++)
+        g_ptr_array_add (priv->trusted_ca_list, cert_list[idx]);
+
+      g_free (contents);
+      g_free (cert_list);
+    }
+
+  /* user certs */
+  user_certs_dir = g_build_filename (g_get_user_config_dir (),
+      "telepathy", "certs", NULL);
+  dir = g_dir_open (user_certs_dir, 0, &error);
+
+  if (error != NULL)
+    {
+      DEBUG ("Can't open the user certs dir at %s: %s", user_certs_dir,
+          error->message);
+
+      g_error_free (error);
+    }
+  else
+    {
+      const gchar *cert_name;
+
+      while ((cert_name = g_dir_read_name (dir)) != NULL)
+        {
+          gchar *contents = NULL, *cert_path = NULL;
+          gsize length = 0;
+          gint res;
+          gnutls_datum_t datum = { NULL, 0 };
+          gnutls_x509_crt_t cert;
+
+          cert_path = g_build_filename (user_certs_dir, cert_name, NULL);
+
+          g_file_get_contents (cert_path, &contents, &length, &error);
+
+          if (error != NULL)
+            {
+              DEBUG ("Can't open the certificate file at path %s: %s",
+                  cert_path, error->message);
+
+              g_clear_error (&error);
+              g_free (cert_path);
+              continue;
+            }
+
+          datum.data = (guchar *) contents;
+          datum.size = length;
+
+          gnutls_x509_crt_init (&cert);
+          res = gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_PEM);
+
+          if (res != GNUTLS_E_SUCCESS)
+            {
+              DEBUG ("Can't import the certificate at path %s: "
+                  "GnuTLS returned %d", cert_path, res);
+            }
+          else
+            {
+              g_ptr_array_add (priv->trusted_ca_list, cert);
+            }
+
+          g_free (contents);
+          g_free (cert_path);
+        }
+
+      g_dir_close (dir);
+    }
+
+  g_free (user_certs_dir);
+
+  /* TODO: do the CRL too */
+
+  g_io_scheduler_job_send_to_mainloop_async (job,
+      start_verification, self, NULL);
+
+  return FALSE;
+}
+
+static void
+empathy_tls_verifier_get_property (GObject *object,
+    guint property_id,
+    GValue *value,
+    GParamSpec *pspec)
+{
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
+
+  switch (property_id)
+    {
+    case PROP_TLS_CERTIFICATE:
+      g_value_set_object (value, priv->certificate);
+      break;
+    case PROP_HOSTNAME:
+      g_value_set_string (value, priv->hostname);
+      break;
+    default:
+      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
+      break;
+    }
+}
+
+static void
+empathy_tls_verifier_set_property (GObject *object,
+    guint property_id,
+    const GValue *value,
+    GParamSpec *pspec)
+{
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
+
+  switch (property_id)
+    {
+    case PROP_TLS_CERTIFICATE:
+      priv->certificate = g_value_dup_object (value);
+      break;
+    case PROP_HOSTNAME:
+      priv->hostname = g_value_dup_string (value);
+      break;
+    default:
+      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
+      break;
+    }
+}
+
+static void
+empathy_tls_verifier_dispose (GObject *object)
+{
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
+
+  if (priv->dispose_run)
+    return;
+
+  priv->dispose_run = TRUE;
+
+  tp_clear_object (&priv->certificate);
+
+  G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->dispose (object);
+}
+
+static void
+empathy_tls_verifier_finalize (GObject *object)
+{
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
+
+  DEBUG ("%p", object);
+
+  tp_clear_pointer (&priv->trusted_ca_list, g_ptr_array_unref);
+  tp_clear_pointer (&priv->cert_chain, g_ptr_array_unref);
+  tp_clear_boxed (G_TYPE_HASH_TABLE, &priv->details);
+  g_free (priv->hostname);
+
+  G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->finalize (object);
+}
+
+static void
+empathy_tls_verifier_constructed (GObject *object)
+{
+  EmpathyTLSVerifier *self = EMPATHY_TLS_VERIFIER (object);
+
+  build_gnutls_cert_list (self);
+
+  if (G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed != NULL)
+    G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed (object);
+}
+
+static void
+empathy_tls_verifier_init (EmpathyTLSVerifier *self)
+{
+  EmpathyTLSVerifierPriv *priv;
+
+  priv = self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self,
+      EMPATHY_TYPE_TLS_VERIFIER, EmpathyTLSVerifierPriv);
+  priv->details = tp_asv_new (NULL, NULL);
+}
+
+static void
+empathy_tls_verifier_class_init (EmpathyTLSVerifierClass *klass)
+{
+  GParamSpec *pspec;
+  GObjectClass *oclass = G_OBJECT_CLASS (klass);
+
+  g_type_class_add_private (klass, sizeof (EmpathyTLSVerifierPriv));
+
+  oclass->set_property = empathy_tls_verifier_set_property;
+  oclass->get_property = empathy_tls_verifier_get_property;
+  oclass->finalize = empathy_tls_verifier_finalize;
+  oclass->dispose = empathy_tls_verifier_dispose;
+  oclass->constructed = empathy_tls_verifier_constructed;
+
+  pspec = g_param_spec_object ("certificate", "The EmpathyTLSCertificate",
+      "The EmpathyTLSCertificate to be verified.",
+      EMPATHY_TYPE_TLS_CERTIFICATE,
+      G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
+  g_object_class_install_property (oclass, PROP_TLS_CERTIFICATE, pspec);
+
+  pspec = g_param_spec_string ("hostname", "The hostname",
+      "The hostname which should be certified by the certificate.",
+      NULL,
+      G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
+  g_object_class_install_property (oclass, PROP_HOSTNAME, pspec);
+}
+
+EmpathyTLSVerifier *
+empathy_tls_verifier_new (EmpathyTLSCertificate *certificate,
+    const gchar *hostname)
+{
+  g_assert (EMPATHY_IS_TLS_CERTIFICATE (certificate));
+  g_assert (hostname != NULL);
+
+  return g_object_new (EMPATHY_TYPE_TLS_VERIFIER,
+      "certificate", certificate,
+      "hostname", hostname,
+      NULL);
+}
+
+void
+empathy_tls_verifier_verify_async (EmpathyTLSVerifier *self,
+    GAsyncReadyCallback callback,
+    gpointer user_data)
+{
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+  g_return_if_fail (priv->verify_result == NULL);
+
+  priv->verify_result = g_simple_async_result_new (G_OBJECT (self),
+      callback, user_data, NULL);
+
+  g_io_scheduler_push_job (build_gnutls_ca_and_crl_lists,
+      self, NULL, G_PRIORITY_DEFAULT, NULL);
+}
+
+gboolean
+empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self,
+    GAsyncResult *res,
+    EmpTLSCertificateRejectReason *reason,
+    GHashTable **details,
+    GError **error)
+{
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (res),
+          error))
+    {
+      if (reason != NULL)
+        *reason = (*error)->code;
+
+      if (details != NULL)
+        {
+          *details = tp_asv_new (NULL, NULL);
+          tp_g_hash_table_update (*details, priv->details,
+              (GBoxedCopyFunc) g_strdup,
+              (GBoxedCopyFunc) tp_g_value_slice_dup);
+        }
+
+      return FALSE;
+    }
+
+  if (reason != NULL)
+    *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
+
+  return TRUE;
+}
diff --git a/libempathy/empathy-tls-verifier.h b/libempathy/empathy-tls-verifier.h
new file mode 100644
index 000000000..e73a71aeb
--- /dev/null
+++ b/libempathy/empathy-tls-verifier.h
@@ -0,0 +1,79 @@
+/*
+ * empathy-tls-verifier.h - Header for EmpathyTLSVerifier
+ * Copyright (C) 2010 Collabora Ltd.
+ * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#ifndef __EMPATHY_TLS_VERIFIER_H__
+#define __EMPATHY_TLS_VERIFIER_H__
+
+#include <glib-object.h>
+#include <gio/gio.h>
+
+#include <libempathy/empathy-tls-certificate.h>
+
+#include <extensions/extensions.h>
+
+G_BEGIN_DECLS
+
+typedef struct _EmpathyTLSVerifier EmpathyTLSVerifier;
+typedef struct _EmpathyTLSVerifierClass EmpathyTLSVerifierClass;
+
+struct _EmpathyTLSVerifierClass {
+    GObjectClass parent_class;
+};
+
+struct _EmpathyTLSVerifier {
+    GObject parent;
+    gpointer priv;
+};
+
+GType empathy_tls_verifier_get_type (void);
+
+#define EMPATHY_TYPE_TLS_VERIFIER \
+  (empathy_tls_verifier_get_type ())
+#define EMPATHY_TLS_VERIFIER(obj) \
+  (G_TYPE_CHECK_INSTANCE_CAST((obj), EMPATHY_TYPE_TLS_VERIFIER, \
+    EmpathyTLSVerifier))
+#define EMPATHY_TLS_VERIFIER_CLASS(klass) \
+  (G_TYPE_CHECK_CLASS_CAST((klass), EMPATHY_TYPE_TLS_VERIFIER, \
+  EmpathyTLSVerifierClass))
+#define EMPATHY_IS_TLS_VERIFIER(obj) \
+  (G_TYPE_CHECK_INSTANCE_TYPE((obj), EMPATHY_TYPE_TLS_VERIFIER))
+#define EMPATHY_IS_TLS_VERIFIER_CLASS(klass) \
+  (G_TYPE_CHECK_CLASS_TYPE((klass), EMPATHY_TYPE_TLS_VERIFIER))
+#define EMPATHY_TLS_VERIFIER_GET_CLASS(obj) \
+  (G_TYPE_INSTANCE_GET_CLASS ((obj), EMPATHY_TYPE_TLS_VERIFIER, \
+  EmpathyTLSVerifierClass))
+
+EmpathyTLSVerifier * empathy_tls_verifier_new (
+    EmpathyTLSCertificate *certificate,
+    const gchar *hostname);
+
+void empathy_tls_verifier_verify_async (EmpathyTLSVerifier *self,
+    GAsyncReadyCallback callback,
+    gpointer user_data);
+
+gboolean empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self,
+    GAsyncResult *res,
+    EmpTLSCertificateRejectReason *reason,
+    GHashTable **details,
+    GError **error);
+
+G_END_DECLS
+
+#endif /* #ifndef __EMPATHY_TLS_VERIFIER_H__*/
diff --git a/libempathy/empathy-utils.c b/libempathy/empathy-utils.c
index 4ab367b42..579870f80 100644
--- a/libempathy/empathy-utils.c
+++ b/libempathy/empathy-utils.c
@@ -396,13 +396,24 @@ empathy_dbus_error_name_get_default_message  (const gchar *error)
 }
 
 const gchar *
-empathy_account_get_error_message (TpAccount *account)
+empathy_account_get_error_message (TpAccount *account,
+    gboolean *user_requested)
 {
 	const gchar *dbus_error;
 	const gchar *message;
+        const GHashTable *details = NULL;
 	TpConnectionStatusReason reason;
 
-	dbus_error = tp_account_get_detailed_error (account, NULL);
+	dbus_error = tp_account_get_detailed_error (account, &details);
+
+        if (user_requested != NULL)
+          {
+            if (tp_asv_get_boolean (details, "user-requested", NULL))
+              *user_requested = TRUE;
+            else
+              *user_requested = FALSE;
+          }
+
 	message = empathy_dbus_error_name_get_default_message (dbus_error);
 	if (message != NULL)
 		return message;
diff --git a/libempathy/empathy-utils.h b/libempathy/empathy-utils.h
index 47b9b84ad..f588479b4 100644
--- a/libempathy/empathy-utils.h
+++ b/libempathy/empathy-utils.h
@@ -76,7 +76,8 @@ gboolean     empathy_check_available_state          (void);
 gint        empathy_uint_compare                    (gconstpointer a,
 						     gconstpointer b);
 
-const gchar * empathy_account_get_error_message (TpAccount *account);
+const gchar * empathy_account_get_error_message (TpAccount *account,
+                                                 gboolean *user_requested);
 
 gchar *empathy_protocol_icon_name (const gchar *protocol);
 const gchar *empathy_protocol_name_to_display_name (const gchar *proto_name);