1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsISupports.idl"
%{C++
#include "cert.h"
#include "SharedCertVerifier.h"
#define PSM_COMPONENT_CONTRACTID "@mozilla.org/psm;1"
%}
[ptr] native CERTCertificatePtr(CERTCertificate);
[ptr] native SharedCertVerifierPtr(mozilla::psm::SharedCertVerifier);
[scriptable, uuid(a0a8f52b-ea18-4abc-a3ca-eccf704ffe63)]
interface nsINSSComponent : nsISupports {
/**
* When we log out of a PKCS#11 token, any TLS connections that may have
* involved a client certificate stored on that token must be closed. Since we
* don't have a fine-grained way to do this, we basically cancel everything.
* More speficially, this clears all temporary certificate exception overrides
* and any remembered client authentication certificate decisions, and then
* cancels all network connections (strictly speaking, this last part is
* overzealous - we only need to cancel all https connections (see bug
* 1446645)).
*/
[noscript] void logoutAuthenticatedPK11();
/**
* Used to determine if the given certificate (represented as an array of
* bytes) is the certificate we use in tests to simulate a built-in root
* certificate. Returns false in non-debug builds.
*/
[noscript] boolean isCertTestBuiltInRoot(in Array<octet> cert);
/**
* If enabled by the preference "security.enterprise_roots.enabled", returns
* an array of arrays of bytes representing the imported enterprise root
* certificates (i.e. root certificates gleaned from the OS certificate
* store). Returns an empty array otherwise.
* Currently this is only implemented on Windows and MacOS X, so this
* function returns an empty array on all other platforms.
*/
Array<Array<octet> > getEnterpriseRoots();
ACString getEnterpriseRootsPEM();
/**
* Similarly, but for intermediate certificates.
*/
Array<Array<octet> > getEnterpriseIntermediates();
ACString getEnterpriseIntermediatesPEM();
/**
* Test utility for adding an intermediate certificate to the current set of
* imported enterprise intermediates, if any. Additions to the set made using
* this function will be cleared when the value of the preference
* "security.enterprise_roots.enabled" changes.
*/
void addEnterpriseIntermediate(in Array<octet> intermediateBytes);
/**
* For performance reasons, the builtin roots module is loaded on a background
* thread. When any code that depends on the builtin roots module runs, it
* must first wait for the module to be loaded.
*/
[noscript] void blockUntilLoadableCertsLoaded();
/**
* In theory a token on a PKCS#11 module can be inserted or removed at any
* time. Operations that may depend on resources on external tokens should
* call this to ensure they have a recent view of the token.
*/
[noscript] void checkForSmartCardChanges();
/**
* Used to potentially detect when a user's internet connection is being
* intercepted. When doing an update ping, if certificate verification fails,
* we make a note of the issuer distinguished name of that certificate.
* If a subsequent certificate verification fails, we compare issuer
* distinguished names. If they match, something may be intercepting the
* user's traffic (if they don't match, the server is likely misconfigured).
* This function succeeds if the given DN matches the noted DN and fails
* otherwise (e.g. if the update ping never failed).
*/
[noscript] void issuerMatchesMitmCanary(in string certIssuer);
/**
* Returns an already-adrefed handle to the currently configured shared
* certificate verifier.
*/
[noscript] SharedCertVerifierPtr getDefaultCertVerifier();
/**
* For clearing both SSL internal and external session cache from JS.
* WARNING: May be racy when using the socket process.
*/
void clearSSLExternalAndInternalSessionCache();
/**
* For clearing both SSL internal and external session cache from JS.
*/
[implicit_jscontext]
Promise asyncClearSSLExternalAndInternalSessionCache();
};
|