summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/nsINSSComponent.idl
blob: 6f8ece0bddc74bb5dee0f6738b78c38f8ef17d8e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "nsISupports.idl"

%{C++
#include "cert.h"
#include "SharedCertVerifier.h"
#define PSM_COMPONENT_CONTRACTID "@mozilla.org/psm;1"
%}

[ptr] native CERTCertificatePtr(CERTCertificate);
[ptr] native SharedCertVerifierPtr(mozilla::psm::SharedCertVerifier);

[scriptable, uuid(a0a8f52b-ea18-4abc-a3ca-eccf704ffe63)]
interface nsINSSComponent : nsISupports {
  /**
   * When we log out of a PKCS#11 token, any TLS connections that may have
   * involved a client certificate stored on that token must be closed. Since we
   * don't have a fine-grained way to do this, we basically cancel everything.
   * More speficially, this clears all temporary certificate exception overrides
   * and any remembered client authentication certificate decisions, and then
   * cancels all network connections (strictly speaking, this last part is
   * overzealous - we only need to cancel all https connections (see bug
   * 1446645)).
   */
  [noscript] void logoutAuthenticatedPK11();

  /**
   * Used to determine if the given CERTCertificate is the certificate we use in
   * tests to simulate a built-in root certificate. Returns false in non-debug
   * builds.
   */
  [noscript] bool isCertTestBuiltInRoot(in CERTCertificatePtr cert);

  /**
   * Used to determine if the given certificate (represented as an array of
   * bytes) is the content signing root certificate.
   */
  [noscript] bool isCertContentSigningRoot(in Array<octet> cert);

  /**
   * If enabled by the preference "security.enterprise_roots.enabled", returns
   * an array of arrays of bytes representing the imported enterprise root
   * certificates (i.e. root certificates gleaned from the OS certificate
   * store). Returns an empty array otherwise.
   * Currently this is only implemented on Windows and MacOS X, so this
   * function returns an empty array on all other platforms.
   */
  Array<Array<octet> > getEnterpriseRoots();

  /**
   * Similarly, but for intermediate certificates.
   */
  Array<Array<octet> > getEnterpriseIntermediates();

  /**
   * Test utility for adding an intermediate certificate to the current set of
   * imported enterprise intermediates, if any. Additions to the set made using
   * this function will be cleared when the value of the preference
   * "security.enterprise_roots.enabled" changes.
   */
  void addEnterpriseIntermediate(in Array<octet> intermediateBytes);

  /**
   * For performance reasons, the builtin roots module is loaded on a background
   * thread. When any code that depends on the builtin roots module runs, it
   * must first wait for the module to be loaded.
   */
  [noscript] void blockUntilLoadableCertsLoaded();

  /**
   * In theory a token on a PKCS#11 module can be inserted or removed at any
   * time. Operations that may depend on resources on external tokens should
   * call this to ensure they have a recent view of the token.
   */
  [noscript] void checkForSmartCardChanges();

  /**
   * Used to potentially detect when a user's internet connection is being
   * intercepted. When doing an update ping, if certificate verification fails,
   * we make a note of the issuer distinguished name of that certificate.
   * If a subsequent certificate verification fails, we compare issuer
   * distinguished names. If they match, something may be intercepting the
   * user's traffic (if they don't match, the server is likely misconfigured).
   * This function succeeds if the given DN matches the noted DN and fails
   * otherwise (e.g. if the update ping never failed).
   */
  [noscript] void issuerMatchesMitmCanary(in string certIssuer);

  /**
   * Returns true if the user has a PKCS#11 module with removable slots.
   */
  [noscript] bool hasActiveSmartCards();

  /**
   * Returns true if the user has any client authentication certificates.
   */
  [noscript] bool hasUserCertsInstalled();

  /**
   * Returns an already-adrefed handle to the currently configured shared
   * certificate verifier.
   */
  [noscript] SharedCertVerifierPtr getDefaultCertVerifier();

  /**
   * For clearing both SSL internal and external session cache from JS.
   */
  void clearSSLExternalAndInternalSessionCache();
};