summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/nsINSSComponent.idl
diff options
context:
space:
mode:
Diffstat (limited to 'security/manager/ssl/nsINSSComponent.idl')
-rw-r--r--security/manager/ssl/nsINSSComponent.idl115
1 files changed, 115 insertions, 0 deletions
diff --git a/security/manager/ssl/nsINSSComponent.idl b/security/manager/ssl/nsINSSComponent.idl
new file mode 100644
index 0000000000..bb1259f273
--- /dev/null
+++ b/security/manager/ssl/nsINSSComponent.idl
@@ -0,0 +1,115 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+%{C++
+#include "cert.h"
+#include "SharedCertVerifier.h"
+#define PSM_COMPONENT_CONTRACTID "@mozilla.org/psm;1"
+%}
+
+[ptr] native CERTCertificatePtr(CERTCertificate);
+[ptr] native SharedCertVerifierPtr(mozilla::psm::SharedCertVerifier);
+
+[scriptable, uuid(a0a8f52b-ea18-4abc-a3ca-eccf704ffe63)]
+interface nsINSSComponent : nsISupports {
+ /**
+ * When we log out of a PKCS#11 token, any TLS connections that may have
+ * involved a client certificate stored on that token must be closed. Since we
+ * don't have a fine-grained way to do this, we basically cancel everything.
+ * More speficially, this clears all temporary certificate exception overrides
+ * and any remembered client authentication certificate decisions, and then
+ * cancels all network connections (strictly speaking, this last part is
+ * overzealous - we only need to cancel all https connections (see bug
+ * 1446645)).
+ */
+ [noscript] void logoutAuthenticatedPK11();
+
+ /**
+ * Used to determine if the given certificate (represented as an array of
+ * bytes) is the certificate we use in tests to simulate a built-in root
+ * certificate. Returns false in non-debug builds.
+ */
+ [noscript] bool isCertTestBuiltInRoot(in Array<octet> cert);
+
+ /**
+ * If enabled by the preference "security.enterprise_roots.enabled", returns
+ * an array of arrays of bytes representing the imported enterprise root
+ * certificates (i.e. root certificates gleaned from the OS certificate
+ * store). Returns an empty array otherwise.
+ * Currently this is only implemented on Windows and MacOS X, so this
+ * function returns an empty array on all other platforms.
+ */
+ Array<Array<octet> > getEnterpriseRoots();
+
+ /**
+ * Similarly, but for intermediate certificates.
+ */
+ Array<Array<octet> > getEnterpriseIntermediates();
+
+ /**
+ * Test utility for adding an intermediate certificate to the current set of
+ * imported enterprise intermediates, if any. Additions to the set made using
+ * this function will be cleared when the value of the preference
+ * "security.enterprise_roots.enabled" changes.
+ */
+ void addEnterpriseIntermediate(in Array<octet> intermediateBytes);
+
+ /**
+ * For performance reasons, the builtin roots module is loaded on a background
+ * thread. When any code that depends on the builtin roots module runs, it
+ * must first wait for the module to be loaded.
+ */
+ [noscript] void blockUntilLoadableCertsLoaded();
+
+ /**
+ * In theory a token on a PKCS#11 module can be inserted or removed at any
+ * time. Operations that may depend on resources on external tokens should
+ * call this to ensure they have a recent view of the token.
+ */
+ [noscript] void checkForSmartCardChanges();
+
+ /**
+ * Used to potentially detect when a user's internet connection is being
+ * intercepted. When doing an update ping, if certificate verification fails,
+ * we make a note of the issuer distinguished name of that certificate.
+ * If a subsequent certificate verification fails, we compare issuer
+ * distinguished names. If they match, something may be intercepting the
+ * user's traffic (if they don't match, the server is likely misconfigured).
+ * This function succeeds if the given DN matches the noted DN and fails
+ * otherwise (e.g. if the update ping never failed).
+ */
+ [noscript] void issuerMatchesMitmCanary(in string certIssuer);
+
+ /**
+ * Returns true if the user has a PKCS#11 module with removable slots.
+ */
+ [noscript] bool hasActiveSmartCards();
+
+ /**
+ * Returns true if the user has any client authentication certificates.
+ */
+ [noscript] bool hasUserCertsInstalled();
+
+ /**
+ * Returns an already-adrefed handle to the currently configured shared
+ * certificate verifier.
+ */
+ [noscript] SharedCertVerifierPtr getDefaultCertVerifier();
+
+ /**
+ * For clearing both SSL internal and external session cache from JS.
+ * WARNING: May be racy when using the socket process.
+ */
+ void clearSSLExternalAndInternalSessionCache();
+
+ /**
+ * For clearing both SSL internal and external session cache from JS.
+ */
+ [implicit_jscontext]
+ Promise asyncClearSSLExternalAndInternalSessionCache();
+};