diff options
-rw-r--r-- | extensions/Authentication_TLS_Certificate.xml | 308 | ||||
-rw-r--r-- | extensions/Channel_Type_Server_TLS_Connection.xml | 26 |
2 files changed, 173 insertions, 161 deletions
diff --git a/extensions/Authentication_TLS_Certificate.xml b/extensions/Authentication_TLS_Certificate.xml index 56e378f4c..709ea282c 100644 --- a/extensions/Authentication_TLS_Certificate.xml +++ b/extensions/Authentication_TLS_Certificate.xml @@ -18,285 +18,287 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. </tp:license> <interface name="org.freedesktop.Telepathy.Authentication.TLSCertificate.DRAFT" - tp:causes-havoc="experimental"> + tp:causes-havoc="experimental"> + <tp:added version="0.19.11">(draft 1)</tp:added> <tp:docstring> This object represents a TLS certificate. </tp:docstring> <tp:simple-type name="Certificate_Data" array-name="Certificate_Data_List" - type="ay"> + type="ay"> <tp:docstring xmlns="http://www.w3.org/1999/xhtml"> - <p>The raw data contained in a TLS certificate.</p> + <p>The raw data contained in a TLS certificate.</p> - <p>For X.509 certificates (<tp:member-ref>CertificateType</tp:member-ref> - = "x509"), this MUST be in DER format, as defined by the - <a href="http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf">X.690</a> - ITU standard.</p> + <p>For X.509 certificates (<tp:member-ref>CertificateType</tp:member-ref> + = "x509"), this MUST be in DER format, as defined by the + <a href="http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf">X.690</a> + ITU standard.</p> - <p>For PGP certificates (<tp:member-ref>CertificateType</tp:member-ref> - = "pgp"), this MUST be a binary OpenPGP key as defined by section 11.1 - of <a href="http://www.rfc-editor.org/rfc/4880.txt">RFC 4880</a>.</p> + <p>For PGP certificates (<tp:member-ref>CertificateType</tp:member-ref> + = "pgp"), this MUST be a binary OpenPGP key as defined by section 11.1 + of <a href="http://www.rfc-editor.org/rfc/4880.txt">RFC 4880</a>.</p> </tp:docstring> </tp:simple-type> <tp:enum type="u" name="TLS_Certificate_State"> <tp:docstring> - The possible states for a <tp:dbus-ref - namespace="org.freedesktop.Telepathy.Authentication">TLSCertificate.DRAFT</tp:dbus-ref> - object. + The possible states for a <tp:dbus-ref + namespace="org.freedesktop.Telepathy.Authentication">TLSCertificate.DRAFT</tp:dbus-ref> + object. </tp:docstring> <tp:enumvalue suffix="Pending" value="0"> - <tp:docstring> - The certificate is currently waiting to be accepted or rejected. - </tp:docstring> + <tp:docstring> + The certificate is currently waiting to be accepted or rejected. + </tp:docstring> </tp:enumvalue> <tp:enumvalue suffix="Accepted" value="1"> - <tp:docstring> - The certificate has been verified. - </tp:docstring> + <tp:docstring> + The certificate has been verified. + </tp:docstring> </tp:enumvalue> <tp:enumvalue suffix="Rejected" value="2"> - <tp:docstring> - The certificate has been rejected. - </tp:docstring> + <tp:docstring> + The certificate has been rejected. + </tp:docstring> </tp:enumvalue> </tp:enum> <tp:enum type="u" name="TLS_Certificate_Reject_Reason"> <tp:docstring> - Possible reasons to reject a TLS certificate. + Possible reasons to reject a TLS certificate. </tp:docstring> <tp:enumvalue suffix="Unknown" value="0"> - <tp:docstring> - The certificate has been rejected for another reason - not listed in this enumeration. - </tp:docstring> + <tp:docstring> + The certificate has been rejected for another reason + not listed in this enumeration. + </tp:docstring> </tp:enumvalue> <tp:enumvalue suffix="Untrusted" value="1"> - <tp:docstring> - The certificate is not trusted. - </tp:docstring> + <tp:docstring> + The certificate is not trusted. + </tp:docstring> </tp:enumvalue> <tp:enumvalue suffix="Expired" value="2"> - <tp:docstring> - The certificate is expired. - </tp:docstring> + <tp:docstring> + The certificate is expired. + </tp:docstring> </tp:enumvalue> <tp:enumvalue suffix="Not_Activated" value="3"> - <tp:docstring> - The certificate is not active yet. - </tp:docstring> + <tp:docstring> + The certificate is not active yet. + </tp:docstring> </tp:enumvalue> <tp:enumvalue suffix="Fingerprint_Mismatch" value="4"> - <tp:docstring> - The certificate provided does not have the expected - fingerprint. - </tp:docstring> + <tp:docstring> + The certificate provided does not have the expected + fingerprint. + </tp:docstring> </tp:enumvalue> <tp:enumvalue suffix="Hostname_Mismatch" value="5"> - <tp:docstring> - The hostname certified does not match the provided one. - </tp:docstring> + <tp:docstring> + The hostname certified does not match the provided one. + </tp:docstring> </tp:enumvalue> <tp:enumvalue suffix="Self_Signed" value="6"> - <tp:docstring> - The certificate is self-signed. - </tp:docstring> + <tp:docstring> + The certificate is self-signed. + </tp:docstring> </tp:enumvalue> <tp:enumvalue suffix="Revoked" value="7"> - <tp:docstring> - The certificate has been revoked. - </tp:docstring> + <tp:docstring> + The certificate has been revoked. + </tp:docstring> </tp:enumvalue> <tp:enumvalue suffix="Insecure" value="8"> - <tp:docstring> - The certificate uses an insecure cipher algorithm, or is - cryptographically weak. - </tp:docstring> + <tp:docstring> + The certificate uses an insecure cipher algorithm, or is + cryptographically weak. + </tp:docstring> </tp:enumvalue> <tp:enumvalue suffix="Limit_Exceeded" value="9"> - <tp:docstring> - The length in bytes of the certificate, or the depth of the - certificate chain exceed the limits imposed by the crypto - library. - </tp:docstring> + <tp:docstring> + The length in bytes of the certificate, or the depth of the + certificate chain exceed the limits imposed by the crypto + library. + </tp:docstring> </tp:enumvalue> </tp:enum> <property name="State" type="u" access="read" - tp:type="TLS_Certificate_State" - tp:name-for-bindings="State"> + tp:type="TLS_Certificate_State" + tp:name-for-bindings="State"> <tp:docstring> - The current state of this certificate. - State change notifications happen by means of the - <tp:member-ref>Accepted</tp:member-ref> and - <tp:member-ref>Rejected</tp:member-ref> signals. + The current state of this certificate. + State change notifications happen by means of the + <tp:member-ref>Accepted</tp:member-ref> and + <tp:member-ref>Rejected</tp:member-ref> signals. </tp:docstring> </property> <property name="RejectError" type="s" access="read" - tp:type="DBus_Error_Name" - tp:name-for-bindings="Reject_Error"> + tp:type="DBus_Error_Name" + tp:name-for-bindings="Reject_Error"> <tp:docstring xmlns="http://www.w3.org/1999/xhtml"> - <p>If the <tp:member-ref>State</tp:member-ref> is Rejected, - the reason why the certificate was rejected; this MAY correspond to - the <tp:member-ref>RejectReason</tp:member-ref>, or MAY be a more - specific D-Bus error name, perhaps implementation-specific.</p> - <p>If the <tp:member-ref>State</tp:member-ref> is not Rejected, - this property is not meaningful, and SHOULD be set to an empty - string.</p> + <p>If the <tp:member-ref>State</tp:member-ref> is Rejected, + the reason why the certificate was rejected; this MAY correspond to + the <tp:member-ref>RejectReason</tp:member-ref>, or MAY be a more + specific D-Bus error name, perhaps implementation-specific.</p> + <p>If the <tp:member-ref>State</tp:member-ref> is not Rejected, + this property is not meaningful, and SHOULD be set to an empty + string.</p> </tp:docstring> </property> <property name="RejectDetails" type="a{sv}" access="read" - tp:type="String_Variant_Map" - tp:name-for-bindings="Reject_Details"> + tp:type="String_Variant_Map" + tp:name-for-bindings="Reject_Details"> <tp:docstring xmlns="http://www.w3.org/1999/xhtml"> - <p>If the <tp:member-ref>State</tp:member-ref> is Rejected, - additional information about why the certificate was rejected.</p> - <p>If the <tp:member-ref>State</tp:member-ref> is not Rejected, - this property is not meaningful and SHOULD be set to an empty - map.</p> - <p>The additional information MAY also include - one or more of the following well-known keys:</p> - <dl> - <dt>user-requested (b)</dt> - <dd>True if the error was due to an user-requested rejection of - the certificate; False if there was an unrecoverable error in the - verification process.</dd> - <dt>expected-hostname (s)</dt> - <dd>If the rejection reason is Hostname_Mismatch, the hostname that - the server certificate was expected to have.</dd> - <dt>certificate-hostname (s)</dt> - <dd>If the rejection reason is Hostname_Mismatch, the hostname of - the certificate that was presented. - <tp:rationale> - <p>For instance, if you try to connect to gmail.com but are presented - with a TLS certificate issued to evil.example.org, the error details - for Hostname_Mismatch MAY include:</p> - <pre> - { - 'expected-hostname': 'gmail.com', - 'certificate-hostname': 'evil.example.org', - } - </pre> - </tp:rationale> - </dd> + <p>If the <tp:member-ref>State</tp:member-ref> is Rejected, + additional information about why the certificate was rejected.</p> + <p>If the <tp:member-ref>State</tp:member-ref> is not Rejected, + this property is not meaningful and SHOULD be set to an empty + map.</p> + <p>The additional information MAY also include + one or more of the following well-known keys:</p> + <dl> + <dt>user-requested (b)</dt> + <dd>True if the error was due to an user-requested rejection of + the certificate; False if there was an unrecoverable error in the + verification process.</dd> + <dt>expected-hostname (s)</dt> + <dd>If the rejection reason is Hostname_Mismatch, the hostname that + the server certificate was expected to have.</dd> + <dt>certificate-hostname (s)</dt> + <dd>If the rejection reason is Hostname_Mismatch, the hostname of + the certificate that was presented. + <tp:rationale> + <p>For instance, if you try to connect to gmail.com but are presented + with a TLS certificate issued to evil.example.org, the error details + for Hostname_Mismatch MAY include:</p> + <pre> + { + 'expected-hostname': 'gmail.com', + 'certificate-hostname': 'evil.example.org', + } + </pre> + </tp:rationale> + </dd> <dt>debug-message (s)</dt> <dd>Debugging information on the error, corresponding to the message part of a D-Bus error message, which SHOULD NOT be displayed to users under normal circumstances</dd> - </dl> + </dl> </tp:docstring> </property> <property name="RejectReason" type="u" access="read" - tp:type="TLS_Certificate_Reject_Reason" - tp:name-for-bindings="Reject_Reason"> + tp:type="TLS_Certificate_Reject_Reason" + tp:name-for-bindings="Reject_Reason"> <tp:docstring> - If the <tp:member-ref>State</tp:member-ref> is Rejected, the - reason why the certificate was rejected. - <tp:rationale> - Clients that do not understand the <tp:member-ref>RejectError</tp:member-ref>, - which may be implementation-specific, can use this property to - classify rejection reasons into common categories. - </tp:rationale> - Otherwise, this property is not meaningful, and SHOULD be set to - Unknown. + If the <tp:member-ref>State</tp:member-ref> is Rejected, the + reason why the certificate was rejected. + <tp:rationale> + Clients that do not understand the <tp:member-ref>RejectError</tp:member-ref>, + which may be implementation-specific, can use this property to + classify rejection reasons into common categories. + </tp:rationale> + Otherwise, this property is not meaningful, and SHOULD be set to + Unknown. </tp:docstring> </property> <property name="CertificateType" type="s" access="read" - tp:name-for-bindings="Certificate_Type"> + tp:name-for-bindings="Certificate_Type"> <tp:docstring> - The type of this TLS certificate (e.g. 'x509' or 'pgp'). - <p>This property is immutable</p> + The type of this TLS certificate (e.g. 'x509' or 'pgp'). + <p>This property is immutable</p> </tp:docstring> </property> <property name="CertificateChainData" type="aay" access="read" - tp:type="Certificate_Data[]" tp:name-for-bindings="Certificate_Chain_Data"> + tp:type="Certificate_Data[]" tp:name-for-bindings="Certificate_Chain_Data"> <tp:docstring xmlns="http://www.w3.org/1999/xhtml"> - <p>One or more TLS certificates forming a trust chain, each encoded as - specified by <tp:type>Certificate_Data</tp:type>.</p> - <p>The first certificate in the chain MUST be the server certificate, - followed by the issuer's certificate, followed by the issuer's issuer - and so on.</p> + <p>One or more TLS certificates forming a trust chain, each encoded as + specified by <tp:type>Certificate_Data</tp:type>.</p> + <p>The first certificate in the chain MUST be the server certificate, + followed by the issuer's certificate, followed by the issuer's issuer + and so on.</p> </tp:docstring> </property> <signal name="Accepted" - tp:name-for-bindings="Accepted"> + tp:name-for-bindings="Accepted"> <tp:docstring> - The <tp:member-ref>State</tp:member-ref> of this certificate has changed to Accepted. + The <tp:member-ref>State</tp:member-ref> of this certificate has changed to Accepted. </tp:docstring> </signal> <signal name="Rejected" - tp:name-for-bindings="Rejected"> + tp:name-for-bindings="Rejected"> <tp:docstring> - The <tp:member-ref>State</tp:member-ref> of this certificate has changed to Rejected. + The <tp:member-ref>State</tp:member-ref> of this certificate has changed to Rejected. </tp:docstring> <arg name="Reason" type="u" tp:type="TLS_Certificate_Reject_Reason"> - <tp:docstring> - The new value of <tp:member-ref>RejectReason</tp:member-ref>. - </tp:docstring> + <tp:docstring> + The new value of <tp:member-ref>RejectReason</tp:member-ref>. + </tp:docstring> </arg> <arg name="Error" type="s" tp:type="DBus_Error_Name"> - <tp:docstring> - The new value of <tp:member-ref>RejectError</tp:member-ref>. - </tp:docstring> + <tp:docstring> + The new value of <tp:member-ref>RejectError</tp:member-ref>. + </tp:docstring> </arg> <arg name="Details" type="a{sv}" tp:type="String_Variant_Map"> - <tp:docstring> - The new value of <tp:member-ref>RejectDetails</tp:member-ref> - </tp:docstring> + <tp:docstring> + The new value of <tp:member-ref>RejectDetails</tp:member-ref> + </tp:docstring> </arg> </signal> <method name="Accept" tp:name-for-bindings="Accept"> <tp:docstring> - Accepts this certificate, i.e. marks it as verified. + Accepts this certificate, i.e. marks it as verified. </tp:docstring> </method> <method name="Reject" tp:name-for-bindings="Reject"> <tp:docstring> - Rejects this certificate. + Rejects this certificate. </tp:docstring> <arg direction="in" type="u" name="Reason" - tp:type="TLS_Certificate_Reject_Reason"> - <tp:docstring> - The new value of <tp:member-ref>RejectReason</tp:member-ref>. - </tp:docstring> + tp:type="TLS_Certificate_Reject_Reason"> + <tp:docstring> + The new value of <tp:member-ref>RejectReason</tp:member-ref>. + </tp:docstring> </arg> <arg direction="in" type="s" name="Error" - tp:type="DBus_Error_Name"> - <tp:docstring> - The new value of <tp:member-ref>RejectError</tp:member-ref>. - </tp:docstring> + tp:type="DBus_Error_Name"> + <tp:docstring> + The new value of <tp:member-ref>RejectError</tp:member-ref>. + </tp:docstring> </arg> <arg direction="in" type="a{sv}" name="Details" - tp:type="String_Variant_Map"> - <tp:docstring> - The new value of <tp:member-ref>RejectDetails</tp:member-ref>. - </tp:docstring> + tp:type="String_Variant_Map"> + <tp:docstring> + The new value of <tp:member-ref>RejectDetails</tp:member-ref>. + </tp:docstring> </arg> </method> </interface> </node> +<!-- vim:set sw=2 sts=2 et ft=xml: --> diff --git a/extensions/Channel_Type_Server_TLS_Connection.xml b/extensions/Channel_Type_Server_TLS_Connection.xml index af11218a9..977002f95 100644 --- a/extensions/Channel_Type_Server_TLS_Connection.xml +++ b/extensions/Channel_Type_Server_TLS_Connection.xml @@ -19,7 +19,8 @@ </tp:license> <interface name="org.freedesktop.Telepathy.Channel.Type.ServerTLSConnection.DRAFT" - tp:causes-havoc="experimental"> + tp:causes-havoc="experimental"> + <tp:added version="0.19.11">(draft 1)</tp:added> <tp:requires interface="org.freedesktop.Telepathy.Channel"/> @@ -44,16 +45,25 @@ </tp:docstring> <property name="ServerCertificate" type="o" access="read" - tp:name-for-bindings="ServerCertificate"> + tp:name-for-bindings="ServerCertificate"> <tp:docstring> - <p>A <tp:dbus-ref - namespace="org.freedesktop.Telepathy.Authentication">TLSCertificate.DRAFT</tp:dbus-ref> - containing the certificate chain as sent by the server, - and other relevant information.</p> - <p>This property is immutable.</p> + <p>A <tp:dbus-ref + namespace="org.freedesktop.Telepathy.Authentication">TLSCertificate.DRAFT</tp:dbus-ref> + containing the certificate chain as sent by the server, + and other relevant information.</p> + <p>This property is immutable.</p> + </tp:docstring> + </property> + + <property name="Hostname" type="s" access="read" + tp:name-for-bindings="Hostname"> + <tp:docstring> + The hostname of the server we expect <tp:member-ref>ServerCertificate</tp:member-ref> + to certify; clients SHOULD verify <tp:member-ref>ServerCertificate</tp:member-ref> against + this hostname when checking its validity. </tp:docstring> </property> </interface> </node> - +<!-- vim:set sw=2 sts=2 et ft=xml: --> |