diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 14:29:10 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 14:29:10 +0000 |
commit | 2aa4a82499d4becd2284cdb482213d541b8804dd (patch) | |
tree | b80bf8bf13c3766139fbacc530efd0dd9d54394c /security/manager/ssl/nsINSSComponent.idl | |
parent | Initial commit. (diff) | |
download | firefox-2aa4a82499d4becd2284cdb482213d541b8804dd.tar.xz firefox-2aa4a82499d4becd2284cdb482213d541b8804dd.zip |
Adding upstream version 86.0.1.upstream/86.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/manager/ssl/nsINSSComponent.idl')
-rw-r--r-- | security/manager/ssl/nsINSSComponent.idl | 114 |
1 files changed, 114 insertions, 0 deletions
diff --git a/security/manager/ssl/nsINSSComponent.idl b/security/manager/ssl/nsINSSComponent.idl new file mode 100644 index 0000000000..6f8ece0bdd --- /dev/null +++ b/security/manager/ssl/nsINSSComponent.idl @@ -0,0 +1,114 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +%{C++ +#include "cert.h" +#include "SharedCertVerifier.h" +#define PSM_COMPONENT_CONTRACTID "@mozilla.org/psm;1" +%} + +[ptr] native CERTCertificatePtr(CERTCertificate); +[ptr] native SharedCertVerifierPtr(mozilla::psm::SharedCertVerifier); + +[scriptable, uuid(a0a8f52b-ea18-4abc-a3ca-eccf704ffe63)] +interface nsINSSComponent : nsISupports { + /** + * When we log out of a PKCS#11 token, any TLS connections that may have + * involved a client certificate stored on that token must be closed. Since we + * don't have a fine-grained way to do this, we basically cancel everything. + * More speficially, this clears all temporary certificate exception overrides + * and any remembered client authentication certificate decisions, and then + * cancels all network connections (strictly speaking, this last part is + * overzealous - we only need to cancel all https connections (see bug + * 1446645)). + */ + [noscript] void logoutAuthenticatedPK11(); + + /** + * Used to determine if the given CERTCertificate is the certificate we use in + * tests to simulate a built-in root certificate. Returns false in non-debug + * builds. + */ + [noscript] bool isCertTestBuiltInRoot(in CERTCertificatePtr cert); + + /** + * Used to determine if the given certificate (represented as an array of + * bytes) is the content signing root certificate. + */ + [noscript] bool isCertContentSigningRoot(in Array<octet> cert); + + /** + * If enabled by the preference "security.enterprise_roots.enabled", returns + * an array of arrays of bytes representing the imported enterprise root + * certificates (i.e. root certificates gleaned from the OS certificate + * store). Returns an empty array otherwise. + * Currently this is only implemented on Windows and MacOS X, so this + * function returns an empty array on all other platforms. + */ + Array<Array<octet> > getEnterpriseRoots(); + + /** + * Similarly, but for intermediate certificates. + */ + Array<Array<octet> > getEnterpriseIntermediates(); + + /** + * Test utility for adding an intermediate certificate to the current set of + * imported enterprise intermediates, if any. Additions to the set made using + * this function will be cleared when the value of the preference + * "security.enterprise_roots.enabled" changes. + */ + void addEnterpriseIntermediate(in Array<octet> intermediateBytes); + + /** + * For performance reasons, the builtin roots module is loaded on a background + * thread. When any code that depends on the builtin roots module runs, it + * must first wait for the module to be loaded. + */ + [noscript] void blockUntilLoadableCertsLoaded(); + + /** + * In theory a token on a PKCS#11 module can be inserted or removed at any + * time. Operations that may depend on resources on external tokens should + * call this to ensure they have a recent view of the token. + */ + [noscript] void checkForSmartCardChanges(); + + /** + * Used to potentially detect when a user's internet connection is being + * intercepted. When doing an update ping, if certificate verification fails, + * we make a note of the issuer distinguished name of that certificate. + * If a subsequent certificate verification fails, we compare issuer + * distinguished names. If they match, something may be intercepting the + * user's traffic (if they don't match, the server is likely misconfigured). + * This function succeeds if the given DN matches the noted DN and fails + * otherwise (e.g. if the update ping never failed). + */ + [noscript] void issuerMatchesMitmCanary(in string certIssuer); + + /** + * Returns true if the user has a PKCS#11 module with removable slots. + */ + [noscript] bool hasActiveSmartCards(); + + /** + * Returns true if the user has any client authentication certificates. + */ + [noscript] bool hasUserCertsInstalled(); + + /** + * Returns an already-adrefed handle to the currently configured shared + * certificate verifier. + */ + [noscript] SharedCertVerifierPtr getDefaultCertVerifier(); + + /** + * For clearing both SSL internal and external session cache from JS. + */ + void clearSSLExternalAndInternalSessionCache(); +}; |