summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/nsICertOverrideService.idl
diff options
context:
space:
mode:
Diffstat (limited to 'security/manager/ssl/nsICertOverrideService.idl')
-rw-r--r--security/manager/ssl/nsICertOverrideService.idl143
1 files changed, 143 insertions, 0 deletions
diff --git a/security/manager/ssl/nsICertOverrideService.idl b/security/manager/ssl/nsICertOverrideService.idl
new file mode 100644
index 0000000000..6dfd07d6b6
--- /dev/null
+++ b/security/manager/ssl/nsICertOverrideService.idl
@@ -0,0 +1,143 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIArray;
+interface nsIX509Cert;
+
+[ref] native const_OriginAttributesRef(const mozilla::OriginAttributes);
+
+%{C++
+#define NS_CERTOVERRIDE_CONTRACTID "@mozilla.org/security/certoverride;1"
+
+namespace mozilla {
+class OriginAttributes;
+}
+%}
+
+[scriptable, builtinclass, uuid(ed735e24-fa55-4163-906d-17fb78851fe1)]
+interface nsICertOverride : nsISupports {
+
+ /**
+ * The hostname of the server the override is used for.
+ */
+ readonly attribute ACString asciiHost;
+
+ /**
+ * The port of the server the override is used for.
+ */
+ readonly attribute int32_t port;
+
+ /**
+ * A combination of hostname and port in the form host:port.
+ * Since the port can be -1 which is equivalent to port 433 we use an
+ * existing function of nsCertOverrideService to create this property.
+ */
+ readonly attribute ACString hostPort;
+
+ /**
+ * The fingerprint for the associated certificate.
+ */
+ readonly attribute ACString fingerprint;
+
+ /**
+ * The origin attributes associated with this override.
+ */
+ [implicit_jscontext]
+ readonly attribute jsval originAttributes;
+};
+
+[scriptable, builtinclass, uuid(be019e47-22fc-4355-9f16-9ab047d6742d)]
+interface nsICertOverrideService : nsISupports {
+ /**
+ * When making a TLS connection to the given hostname and port (in the
+ * context of the given origin attributes), if the certificate verifier
+ * encounters an overridable error when verifying the given certificate, the
+ * connection will continue (provided overrides are allowed for that host).
+ *
+ * @param aHostName The host (punycode) this mapping belongs to
+ * @param aPort The port this mapping belongs to. If it is -1 then it
+ * is internaly treated as 443.
+ * @param aOriginAttributes the origin attributes of the mapping
+ * @param aCert The certificate used by the server
+ * @param aTemporary Whether or not to only store the mapping for the session
+ */
+ [binaryname(RememberValidityOverride), noscript, must_use]
+ void rememberValidityOverrideNative(in AUTF8String aHostName,
+ in int32_t aPort,
+ in const_OriginAttributesRef aOriginAttributes,
+ in nsIX509Cert aCert,
+ in boolean aTemporary);
+ [binaryname(RememberValidityOverrideScriptable), implicit_jscontext, must_use]
+ void rememberValidityOverride(in AUTF8String aHostName,
+ in int32_t aPort,
+ in jsval aOriginAttributes,
+ in nsIX509Cert aCert,
+ in boolean aTemporary);
+
+ /**
+ * Return whether this host, port, cert triple has a stored override.
+ * If so, the outparams will contain the specific errors that were
+ * overridden, and whether the override is permanent, or only for the current
+ * session.
+ *
+ * @param aHostName The host (punycode) this mapping belongs to
+ * @param aPort The port this mapping belongs to, if it is -1 then it
+ * is internally treated as 443
+ * @param aCert The certificate this mapping belongs to
+ * @param aIsTemporary Whether the stored override is session-only,
+ * or permanent
+ * @return Whether an override has been stored for this host+port+cert
+ */
+ [binaryname(HasMatchingOverride), noscript, must_use]
+ boolean hasMatchingOverrideNative(in AUTF8String aHostName,
+ in int32_t aPort,
+ in const_OriginAttributesRef aOriginAttributes,
+ in nsIX509Cert aCert,
+ out boolean aIsTemporary);
+ [binaryname(HasMatchingOverrideScriptable), implicit_jscontext, must_use]
+ boolean hasMatchingOverride(in AUTF8String aHostName,
+ in int32_t aPort,
+ in jsval aOriginAttributes,
+ in nsIX509Cert aCert,
+ out boolean aIsTemporary);
+
+ /**
+ * Remove a override for the given hostname:port.
+ *
+ * @param aHostName The host (punycode) whose entry should be cleared.
+ * @param aPort The port whose entry should be cleared.
+ * If it is -1, then it is internaly treated as 443.
+ * If it is 0 and aHostName is "all:temporary-certificates",
+ * then all temporary certificates should be cleared.
+ */
+ [binaryname(ClearValidityOverride), noscript]
+ void clearValidityOverrideNative(in AUTF8String aHostName,
+ in int32_t aPort,
+ in const_OriginAttributesRef aOriginAttributes);
+ [binaryname(ClearValidityOverrideScriptable), implicit_jscontext]
+ void clearValidityOverride(in AUTF8String aHostName,
+ in int32_t aPort,
+ in jsval aOriginAttributes);
+
+ /**
+ * Remove all overrides.
+ */
+ void clearAllOverrides();
+
+ Array<nsICertOverride> getOverrides();
+
+ /**
+ * NOTE: This function is used only for testing!
+ *
+ * @param aDisable If true, disable all security check and make
+ * hasMatchingOverride always return true.
+ */
+ void setDisableAllSecurityChecksAndLetAttackersInterceptMyData(in boolean aDisable);
+
+ readonly attribute boolean securityCheckDisabled;
+};