diff options
Diffstat (limited to 'security/manager/ssl/nsICertOverrideService.idl')
-rw-r--r-- | security/manager/ssl/nsICertOverrideService.idl | 143 |
1 files changed, 143 insertions, 0 deletions
diff --git a/security/manager/ssl/nsICertOverrideService.idl b/security/manager/ssl/nsICertOverrideService.idl new file mode 100644 index 0000000000..6dfd07d6b6 --- /dev/null +++ b/security/manager/ssl/nsICertOverrideService.idl @@ -0,0 +1,143 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIArray; +interface nsIX509Cert; + +[ref] native const_OriginAttributesRef(const mozilla::OriginAttributes); + +%{C++ +#define NS_CERTOVERRIDE_CONTRACTID "@mozilla.org/security/certoverride;1" + +namespace mozilla { +class OriginAttributes; +} +%} + +[scriptable, builtinclass, uuid(ed735e24-fa55-4163-906d-17fb78851fe1)] +interface nsICertOverride : nsISupports { + + /** + * The hostname of the server the override is used for. + */ + readonly attribute ACString asciiHost; + + /** + * The port of the server the override is used for. + */ + readonly attribute int32_t port; + + /** + * A combination of hostname and port in the form host:port. + * Since the port can be -1 which is equivalent to port 433 we use an + * existing function of nsCertOverrideService to create this property. + */ + readonly attribute ACString hostPort; + + /** + * The fingerprint for the associated certificate. + */ + readonly attribute ACString fingerprint; + + /** + * The origin attributes associated with this override. + */ + [implicit_jscontext] + readonly attribute jsval originAttributes; +}; + +[scriptable, builtinclass, uuid(be019e47-22fc-4355-9f16-9ab047d6742d)] +interface nsICertOverrideService : nsISupports { + /** + * When making a TLS connection to the given hostname and port (in the + * context of the given origin attributes), if the certificate verifier + * encounters an overridable error when verifying the given certificate, the + * connection will continue (provided overrides are allowed for that host). + * + * @param aHostName The host (punycode) this mapping belongs to + * @param aPort The port this mapping belongs to. If it is -1 then it + * is internaly treated as 443. + * @param aOriginAttributes the origin attributes of the mapping + * @param aCert The certificate used by the server + * @param aTemporary Whether or not to only store the mapping for the session + */ + [binaryname(RememberValidityOverride), noscript, must_use] + void rememberValidityOverrideNative(in AUTF8String aHostName, + in int32_t aPort, + in const_OriginAttributesRef aOriginAttributes, + in nsIX509Cert aCert, + in boolean aTemporary); + [binaryname(RememberValidityOverrideScriptable), implicit_jscontext, must_use] + void rememberValidityOverride(in AUTF8String aHostName, + in int32_t aPort, + in jsval aOriginAttributes, + in nsIX509Cert aCert, + in boolean aTemporary); + + /** + * Return whether this host, port, cert triple has a stored override. + * If so, the outparams will contain the specific errors that were + * overridden, and whether the override is permanent, or only for the current + * session. + * + * @param aHostName The host (punycode) this mapping belongs to + * @param aPort The port this mapping belongs to, if it is -1 then it + * is internally treated as 443 + * @param aCert The certificate this mapping belongs to + * @param aIsTemporary Whether the stored override is session-only, + * or permanent + * @return Whether an override has been stored for this host+port+cert + */ + [binaryname(HasMatchingOverride), noscript, must_use] + boolean hasMatchingOverrideNative(in AUTF8String aHostName, + in int32_t aPort, + in const_OriginAttributesRef aOriginAttributes, + in nsIX509Cert aCert, + out boolean aIsTemporary); + [binaryname(HasMatchingOverrideScriptable), implicit_jscontext, must_use] + boolean hasMatchingOverride(in AUTF8String aHostName, + in int32_t aPort, + in jsval aOriginAttributes, + in nsIX509Cert aCert, + out boolean aIsTemporary); + + /** + * Remove a override for the given hostname:port. + * + * @param aHostName The host (punycode) whose entry should be cleared. + * @param aPort The port whose entry should be cleared. + * If it is -1, then it is internaly treated as 443. + * If it is 0 and aHostName is "all:temporary-certificates", + * then all temporary certificates should be cleared. + */ + [binaryname(ClearValidityOverride), noscript] + void clearValidityOverrideNative(in AUTF8String aHostName, + in int32_t aPort, + in const_OriginAttributesRef aOriginAttributes); + [binaryname(ClearValidityOverrideScriptable), implicit_jscontext] + void clearValidityOverride(in AUTF8String aHostName, + in int32_t aPort, + in jsval aOriginAttributes); + + /** + * Remove all overrides. + */ + void clearAllOverrides(); + + Array<nsICertOverride> getOverrides(); + + /** + * NOTE: This function is used only for testing! + * + * @param aDisable If true, disable all security check and make + * hasMatchingOverride always return true. + */ + void setDisableAllSecurityChecksAndLetAttackersInterceptMyData(in boolean aDisable); + + readonly attribute boolean securityCheckDisabled; +}; |