doctolib · Nao-ris · Nov 26, 2025 · Nov 21, 2025 · Nov 21, 2025
@@ -2,7 +2,7 @@
 name = "couchbase_lite"
 description = "Rust bindings for Couchbase Lite C"
 # The first three numbers correspond to the Couchbase Lite C release, the fourth number corresponds to the Rust release
-version = "3.2.3-0"
+version = "3.2.4-0"
 
 edition = "2024"
 

@@ -1,4 +1,5 @@
-FROM --platform=amd64 rust@sha256:ad8c72c693b517ed60c930839daed91a5696fa6118f031d888cd0b7055a921a3 AS strip-stage
+ARG PLATFORM=amd64
+FROM --platform=${PLATFORM} rust@sha256:ad8c72c693b517ed60c930839daed91a5696fa6118f031d888cd0b7055a921a3 AS strip-stage
 ARG DIRNAME
 RUN apt-get update
 RUN apt-get -y install binutils binutils-aarch64-linux-gnu
@@ -12,4 +13,5 @@ RUN /usr/aarch64-linux-gnu/bin/strip /build/${DIRNAME}/lib/arm-linux-androideabi
 RUN strip /build/${DIRNAME}/lib/x86_64-pc-windows-gnu/cblite.dll -o /build/${DIRNAME}/lib/x86_64-pc-windows-gnu/cblite.stripped.dll
 
 FROM scratch AS strip
-COPY --from=strip-stage /build/${DIRNAME}/ .
+ARG DIRNAME
+COPY --from=strip-stage /build/${DIRNAME}/ ${DIRNAME}/
@@ -119,7 +119,7 @@ $ LSAN_OPTIONS=suppressions=san.supp RUSTFLAGS="-Zsanitizer=address" cargo +nigh
 
 [CBL_DOCS]: https://docs.couchbase.com/couchbase-lite/current/introduction.html
 
-[CBL_API_REFERENCE]: https://docs.couchbase.com/mobile/3.2.3/couchbase-lite-c/C/html/modules.html
+[CBL_API_REFERENCE]: https://docs.couchbase.com/mobile/3.2.4/couchbase-lite-c/C/html/modules.html
 
 [CBL_EDITIONS_DIFF]: https://www.couchbase.com/products/editions/
 

@@ -41,6 +41,7 @@ typedef CBL_ENUM(uint8_t, CBLErrorDomain) {
     kCBLFleeceDomain,       ///< code is a Fleece error; see "FleeceException.h"
     kCBLNetworkDomain,      ///< code is a network error; see \ref CBLNetworkErrorCode
     kCBLWebSocketDomain,    ///< code is a WebSocket close code (1000...1015) or HTTP error (300..599)
+    kCBLMbedTLSDomain       ///< code is an mbedTLS error.
 };
 
 /** Couchbase Lite error codes, in the CBLDomain. */

@@ -69,7 +69,7 @@ CBL_PUBLIC extern const FLString kCBLCertAttrKeySurname;           // "SN",
 CBL_PUBLIC extern const FLString kCBLCertAttrKeyOrganization;      // "O",               e.g. "Example Corp."
 CBL_PUBLIC extern const FLString kCBLCertAttrKeyOrganizationUnit;  // "OU",              e.g. "Marketing"
 CBL_PUBLIC extern const FLString kCBLCertAttrKeyPostalAddress;     // "postalAddress",   e.g. "123 Example Blvd #2A"
-CBL_PUBLIC extern const FLString kCBLCertAttrKeyLocality;          // "locality",        e.g. "Boston"
+CBL_PUBLIC extern const FLString kCBLCertAttrKeyLocality;          // "L",               e.g. "Boston"
 CBL_PUBLIC extern const FLString kCBLCertAttrKeyPostalCode;        // "postalCode",      e.g. "02134"
 CBL_PUBLIC extern const FLString kCBLCertAttrKeyStateOrProvince;   // "ST",              e.g. "Massachusetts" (or "Quebec", ...)
 CBL_PUBLIC extern const FLString kCBLCertAttrKeyCountry;           // "C",               e.g. "us" (2-letter ISO country code)
@@ -79,7 +79,7 @@ CBL_PUBLIC extern const FLString kCBLCertAttrKeyEmailAddress;      // "rfc822Nam
 CBL_PUBLIC extern const FLString kCBLCertAttrKeyHostname;          // "dNSName",         e.g. "www.example.com"
 CBL_PUBLIC extern const FLString kCBLCertAttrKeyURL;               // "uniformResourceIdentifier", e.g. "https://example.com/jane"
 CBL_PUBLIC extern const FLString kCBLCertAttrKeyIPAddress;         // "iPAddress",       e.g. An IP Address in binary format e.g. "\x0A\x00\x01\x01"
-CBL_PUBLIC extern const FLString kCBLCertAttrKeyRegisteredID;      // "registeredID",    e.g. A domain specific identifier.
+CBL_PUBLIC extern const FLString kCBLCertAttrKeyRegisteredID;      // "registeredID",    e.g. A domain-specific identifier encoded as an ASN.1 Object Identifier (OID) in DER format.
 
 /** An opaque object representing the X.509 Certifcate. */
 typedef struct CBLCert CBLCert;
@@ -168,7 +168,8 @@ typedef CBL_ENUM(int, CBLSignatureDigestAlgorithm) {
     The core idea is that all private key operations are delegated to the application's secure key storage,
     ensuring that the private key is never exposed outside the key storage. */
 typedef struct CBLExternalKeyCallbacks {
-    /** Provides the public key's raw data, as an ASN.1 DER sequence of [modulus, exponent].
+    /** Provides the public key data as an ASN.1 DER-encoded SubjectPublicKeyInfo structure.
+        For more information, see RFC 5280: https://datatracker.ietf.org/doc/html/rfc5280
         @param externalKey  The external key pointer given to CBLKeyPair_CreateWithExternalKey.
         @param output  Where to copy the key data.
         @param outputMaxLen  Maximum length of output that can be written.
@@ -237,18 +238,20 @@ CBLKeyPair* _cbl_nullable CBLKeyPair_CreateWithPrivateKeyData(FLSlice privateKey
 /** Returns a hex-encoded digest of the public key.
     @param keyPair The key pair from which to extract the public key digest.
     @return A hex-encoded digest of the public key.
+    @note Returns empty result if the public key digest cannot be retrieved.
     @note You are responsible for releasing the returned data. */
 _cbl_warn_unused
 FLSliceResult CBLKeyPair_PublicKeyDigest(CBLKeyPair* keyPair) CBLAPI;
 
 /** Returns the public key data.
     @param keyPair The key pair from which to retrieve the public key.
     @return The public key data.
+    @note Returns empty result if the public key data cannot be retrieved.
     @note You are responsible for releasing the returned data. */
 _cbl_warn_unused
 FLSliceResult CBLKeyPair_PublicKeyData(CBLKeyPair* keyPair) CBLAPI;
 
-/** Returns the private key data, if the private key is known and its data is accessible.
+/** Returns the private key data in DER format, if the private key is known and its data is accessible.
     @param keyPair The key pair containing the private key.
     @return The private key data, or an empty slice if the key is not accessible.
     @note Persistent private keys in the secure key store generally don't have accessible data.
@@ -293,7 +296,7 @@ typedef CBL_OPTIONS(uint16_t, CBLKeyUsages) {
     the platform's secure key store (Keychain on Apple platforms or CNG Key Storage Provider on Windows).
     @param keyUsages The key usages for the generated identity.
     @param attributes A dictionary containing the certificate attributes.
-    @param expiration The expiration date/time of the certificate in the identity.
+    @param validityInMilliseconds Certificate validity duration in milliseconds.
     @param label The label used for persisting the identity in the platform's secure storage. If `kFLSliceNull` is passed, the identity will not be persisted.
     @param outError On failure, the error will be written here.
     @return A CBLTLSIdentity instance on success, or NULL on failure.
@@ -303,15 +306,15 @@ typedef CBL_OPTIONS(uint16_t, CBLKeyUsages) {
 _cbl_warn_unused
 CBLTLSIdentity* _cbl_nullable CBLTLSIdentity_CreateIdentity(CBLKeyUsages keyUsages,
                                                             FLDict attributes,
-                                                            CBLTimestamp expiration,
+                                                            int64_t validityInMilliseconds,
                                                             FLString label,
                                                             CBLError* _cbl_nullable outError) CBLAPI;
 
 /** Creates a self-signed TLS identity using the provided RSA key pair and certificate attributes.
     @param keyUsages The key usages for the generated identity.
     @param keypair The RSA key pair to be used for generating the TLS identity.
     @param attributes A dictionary containing the certificate attributes.
-    @param expiration The expiration date/time of the certificate in the identity.
+    @param validityInMilliseconds Certificate validity duration in milliseconds.
     @param outError On failure, the error will be written here.
     @return A CBLTLSIdentity instance on success, or NULL on failure.
     @Note The Common Name (kCBLCertAttrKeyCommonName) attribute is required.
@@ -320,7 +323,7 @@ _cbl_warn_unused
 CBLTLSIdentity* _cbl_nullable CBLTLSIdentity_CreateIdentityWithKeyPair(CBLKeyUsages keyUsages,
                                                                        CBLKeyPair* keypair,
                                                                        FLDict attributes,
-                                                                       CBLTimestamp expiration,
+                                                                       int64_t validityInMilliseconds,
                                                                        CBLError* _cbl_nullable outError) CBLAPI;
 
 #if !defined(__linux__) && !defined(__ANDROID__)
@@ -348,10 +351,10 @@ CBLTLSIdentity* _cbl_nullable CBLTLSIdentity_IdentityWithLabel(FLString label,
 
 #endif //#if !defined(__linux__) && !defined(__ANDROID__)
 
-/** Returns a TLS identity from an existing identity using the provided RSA keypair and certificate.
- *  The certificate will not be resigned with the new keypair; it will be used as is.
+/** Returns a TLS identity from an existing identity using the provided RSA keypair and certificate chain.
+ *  The certificate chain is used as-is; the leaf certificate is not re-signed.
  *  @param keypair A CBLKeyPair instance representing the RSA keypair to be associated with the identity.
- *  @param cert A CBLCert instance representing the certificate associated with the identity.
+ *  @param cert A CBLCert instance representing the certificate chain.
  *  @param outError On failure, the error will be written here.
  *  @return A CBLTLSIdentity instance on success, or `NULL` if an error occurs.
     @note You are responsible for releasing the returned reference. */

@@ -104,8 +104,13 @@ const CBLURLEndpointListenerConfiguration* CBLURLEndpointListener_Config(const C
 /** The listening port of the listener. If the listener is not started, the port will be zero. */
 uint16_t CBLURLEndpointListener_Port(const CBLURLEndpointListener*) CBLAPI;
 
+/** The TLS identity used by the listener for TLS communication. The value will be nullptr if the listener is not started, or if the TLS is disabled.
+    @note The returned identity remains valid until the listener is stopped or released.
+          If you want to keep it longer, retain it with `CBLTLSIdentity_Retain`. */
+CBLTLSIdentity* CBLURLEndpointListener_TLSIdentity(const CBLURLEndpointListener*) CBLAPI;
+
 /** The possible URLs of the listener. If the listener is not started, NULL will be returned.
- @note You are responsible for releasing the returned reference. */
+    @note You are responsible for releasing the returned reference. */
 FLMutableArray CBLURLEndpointListener_Urls(const CBLURLEndpointListener*) CBLAPI;
 
 /** The connection status of the listener */

@@ -20,8 +20,8 @@
 /* #undef COUCHBASE_ENTERPRISE */
 #endif
 
-#define CBLITE_VERSION "3.2.3"
-#define CBLITE_VERSION_NUMBER 3002003
-#define CBLITE_BUILD_NUMBER 30
-#define CBLITE_SOURCE_ID "b3b6dc0"
-#define CBLITE_BUILD_TIMESTAMP "2025-04-29T06:42:35Z"
+#define CBLITE_VERSION "3.2.4"
+#define CBLITE_VERSION_NUMBER 3002004
+#define CBLITE_BUILD_NUMBER 9
+#define CBLITE_SOURCE_ID "664eff6"
+#define CBLITE_BUILD_TIMESTAMP "2025-06-04T20:51:59Z"
@@ -41,6 +41,7 @@ typedef CBL_ENUM(uint8_t, CBLErrorDomain) {
     kCBLFleeceDomain,       ///< code is a Fleece error; see "FleeceException.h"
     kCBLNetworkDomain,      ///< code is a network error; see \ref CBLNetworkErrorCode
     kCBLWebSocketDomain,    ///< code is a WebSocket close code (1000...1015) or HTTP error (300..599)
+    kCBLMbedTLSDomain       ///< code is an mbedTLS error.
 };
 
 /** Couchbase Lite error codes, in the CBLDomain. */

@@ -69,7 +69,7 @@ CBL_PUBLIC extern const FLString kCBLCertAttrKeySurname;           // "SN",
 CBL_PUBLIC extern const FLString kCBLCertAttrKeyOrganization;      // "O",               e.g. "Example Corp."
 CBL_PUBLIC extern const FLString kCBLCertAttrKeyOrganizationUnit;  // "OU",              e.g. "Marketing"
 CBL_PUBLIC extern const FLString kCBLCertAttrKeyPostalAddress;     // "postalAddress",   e.g. "123 Example Blvd #2A"
-CBL_PUBLIC extern const FLString kCBLCertAttrKeyLocality;          // "locality",        e.g. "Boston"
+CBL_PUBLIC extern const FLString kCBLCertAttrKeyLocality;          // "L",               e.g. "Boston"
 CBL_PUBLIC extern const FLString kCBLCertAttrKeyPostalCode;        // "postalCode",      e.g. "02134"
 CBL_PUBLIC extern const FLString kCBLCertAttrKeyStateOrProvince;   // "ST",              e.g. "Massachusetts" (or "Quebec", ...)
 CBL_PUBLIC extern const FLString kCBLCertAttrKeyCountry;           // "C",               e.g. "us" (2-letter ISO country code)
@@ -79,7 +79,7 @@ CBL_PUBLIC extern const FLString kCBLCertAttrKeyEmailAddress;      // "rfc822Nam
 CBL_PUBLIC extern const FLString kCBLCertAttrKeyHostname;          // "dNSName",         e.g. "www.example.com"
 CBL_PUBLIC extern const FLString kCBLCertAttrKeyURL;               // "uniformResourceIdentifier", e.g. "https://example.com/jane"
 CBL_PUBLIC extern const FLString kCBLCertAttrKeyIPAddress;         // "iPAddress",       e.g. An IP Address in binary format e.g. "\x0A\x00\x01\x01"
-CBL_PUBLIC extern const FLString kCBLCertAttrKeyRegisteredID;      // "registeredID",    e.g. A domain specific identifier.
+CBL_PUBLIC extern const FLString kCBLCertAttrKeyRegisteredID;      // "registeredID",    e.g. A domain-specific identifier encoded as an ASN.1 Object Identifier (OID) in DER format.
 
 /** An opaque object representing the X.509 Certifcate. */
 typedef struct CBLCert CBLCert;
@@ -168,7 +168,8 @@ typedef CBL_ENUM(int, CBLSignatureDigestAlgorithm) {
     The core idea is that all private key operations are delegated to the application's secure key storage,
     ensuring that the private key is never exposed outside the key storage. */
 typedef struct CBLExternalKeyCallbacks {
-    /** Provides the public key's raw data, as an ASN.1 DER sequence of [modulus, exponent].
+    /** Provides the public key data as an ASN.1 DER-encoded SubjectPublicKeyInfo structure.
+        For more information, see RFC 5280: https://datatracker.ietf.org/doc/html/rfc5280
         @param externalKey  The external key pointer given to CBLKeyPair_CreateWithExternalKey.
         @param output  Where to copy the key data.
         @param outputMaxLen  Maximum length of output that can be written.
@@ -237,18 +238,20 @@ CBLKeyPair* _cbl_nullable CBLKeyPair_CreateWithPrivateKeyData(FLSlice privateKey
 /** Returns a hex-encoded digest of the public key.
     @param keyPair The key pair from which to extract the public key digest.
     @return A hex-encoded digest of the public key.
+    @note Returns empty result if the public key digest cannot be retrieved.
     @note You are responsible for releasing the returned data. */
 _cbl_warn_unused
 FLSliceResult CBLKeyPair_PublicKeyDigest(CBLKeyPair* keyPair) CBLAPI;
 
 /** Returns the public key data.
     @param keyPair The key pair from which to retrieve the public key.
     @return The public key data.
+    @note Returns empty result if the public key data cannot be retrieved.
     @note You are responsible for releasing the returned data. */
 _cbl_warn_unused
 FLSliceResult CBLKeyPair_PublicKeyData(CBLKeyPair* keyPair) CBLAPI;
 
-/** Returns the private key data, if the private key is known and its data is accessible.
+/** Returns the private key data in DER format, if the private key is known and its data is accessible.
     @param keyPair The key pair containing the private key.
     @return The private key data, or an empty slice if the key is not accessible.
     @note Persistent private keys in the secure key store generally don't have accessible data.
@@ -293,7 +296,7 @@ typedef CBL_OPTIONS(uint16_t, CBLKeyUsages) {
     the platform's secure key store (Keychain on Apple platforms or CNG Key Storage Provider on Windows).
     @param keyUsages The key usages for the generated identity.
     @param attributes A dictionary containing the certificate attributes.
-    @param expiration The expiration date/time of the certificate in the identity.
+    @param validityInMilliseconds Certificate validity duration in milliseconds.
     @param label The label used for persisting the identity in the platform's secure storage. If `kFLSliceNull` is passed, the identity will not be persisted.
     @param outError On failure, the error will be written here.
     @return A CBLTLSIdentity instance on success, or NULL on failure.
@@ -303,15 +306,15 @@ typedef CBL_OPTIONS(uint16_t, CBLKeyUsages) {
 _cbl_warn_unused
 CBLTLSIdentity* _cbl_nullable CBLTLSIdentity_CreateIdentity(CBLKeyUsages keyUsages,
                                                             FLDict attributes,
-                                                            CBLTimestamp expiration,
+                                                            int64_t validityInMilliseconds,
                                                             FLString label,
                                                             CBLError* _cbl_nullable outError) CBLAPI;
 
 /** Creates a self-signed TLS identity using the provided RSA key pair and certificate attributes.
     @param keyUsages The key usages for the generated identity.
     @param keypair The RSA key pair to be used for generating the TLS identity.
     @param attributes A dictionary containing the certificate attributes.
-    @param expiration The expiration date/time of the certificate in the identity.
+    @param validityInMilliseconds Certificate validity duration in milliseconds.
     @param outError On failure, the error will be written here.
     @return A CBLTLSIdentity instance on success, or NULL on failure.
     @Note The Common Name (kCBLCertAttrKeyCommonName) attribute is required.
@@ -320,7 +323,7 @@ _cbl_warn_unused
 CBLTLSIdentity* _cbl_nullable CBLTLSIdentity_CreateIdentityWithKeyPair(CBLKeyUsages keyUsages,
                                                                        CBLKeyPair* keypair,
                                                                        FLDict attributes,
-                                                                       CBLTimestamp expiration,
+                                                                       int64_t validityInMilliseconds,
                                                                        CBLError* _cbl_nullable outError) CBLAPI;
 
 #if !defined(__linux__) && !defined(__ANDROID__)
@@ -348,10 +351,10 @@ CBLTLSIdentity* _cbl_nullable CBLTLSIdentity_IdentityWithLabel(FLString label,
 
 #endif //#if !defined(__linux__) && !defined(__ANDROID__)
 
-/** Returns a TLS identity from an existing identity using the provided RSA keypair and certificate.
- *  The certificate will not be resigned with the new keypair; it will be used as is.
+/** Returns a TLS identity from an existing identity using the provided RSA keypair and certificate chain.
+ *  The certificate chain is used as-is; the leaf certificate is not re-signed.
  *  @param keypair A CBLKeyPair instance representing the RSA keypair to be associated with the identity.
- *  @param cert A CBLCert instance representing the certificate associated with the identity.
+ *  @param cert A CBLCert instance representing the certificate chain.
  *  @param outError On failure, the error will be written here.
  *  @return A CBLTLSIdentity instance on success, or `NULL` if an error occurs.
     @note You are responsible for releasing the returned reference. */