1 files changed, 105 insertions, 0 deletions

diff --git a/security/manager/ssl/nsINSSComponent.idl b/security/manager/ssl/nsINSSComponent.idl
new file mode 100644
index 0000000000..c0f6054ddf
--- /dev/null
+++ b/security/manager/ssl/nsINSSComponent.idl
@@ -0,0 +1,105 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+%{C++
+#include "cert.h"
+#include "SharedCertVerifier.h"
+#define PSM_COMPONENT_CONTRACTID "@mozilla.org/psm;1"
+%}
+
+[ptr] native CERTCertificatePtr(CERTCertificate);
+[ptr] native SharedCertVerifierPtr(mozilla::psm::SharedCertVerifier);
+
+[scriptable, uuid(a0a8f52b-ea18-4abc-a3ca-eccf704ffe63)]
+interface nsINSSComponent : nsISupports {
+  /**
+   * When we log out of a PKCS#11 token, any TLS connections that may have
+   * involved a client certificate stored on that token must be closed. Since we
+   * don't have a fine-grained way to do this, we basically cancel everything.
+   * More speficially, this clears all temporary certificate exception overrides
+   * and any remembered client authentication certificate decisions, and then
+   * cancels all network connections (strictly speaking, this last part is
+   * overzealous - we only need to cancel all https connections (see bug
+   * 1446645)).
+   */
+  [noscript] void logoutAuthenticatedPK11();
+
+  /**
+   * Used to determine if the given certificate (represented as an array of
+   * bytes) is the certificate we use in tests to simulate a built-in root
+   * certificate. Returns false in non-debug builds.
+   */
+  [noscript] bool isCertTestBuiltInRoot(in Array<octet> cert);
+
+  /**
+   * If enabled by the preference "security.enterprise_roots.enabled", returns
+   * an array of arrays of bytes representing the imported enterprise root
+   * certificates (i.e. root certificates gleaned from the OS certificate
+   * store). Returns an empty array otherwise.
+   * Currently this is only implemented on Windows and MacOS X, so this
+   * function returns an empty array on all other platforms.
+   */
+  Array<Array<octet> > getEnterpriseRoots();
+
+  /**
+   * Similarly, but for intermediate certificates.
+   */
+  Array<Array<octet> > getEnterpriseIntermediates();
+
+  /**
+   * Test utility for adding an intermediate certificate to the current set of
+   * imported enterprise intermediates, if any. Additions to the set made using
+   * this function will be cleared when the value of the preference
+   * "security.enterprise_roots.enabled" changes.
+   */
+  void addEnterpriseIntermediate(in Array<octet> intermediateBytes);
+
+  /**
+   * For performance reasons, the builtin roots module is loaded on a background
+   * thread. When any code that depends on the builtin roots module runs, it
+   * must first wait for the module to be loaded.
+   */
+  [noscript] void blockUntilLoadableCertsLoaded();
+
+  /**
+   * In theory a token on a PKCS#11 module can be inserted or removed at any
+   * time. Operations that may depend on resources on external tokens should
+   * call this to ensure they have a recent view of the token.
+   */
+  [noscript] void checkForSmartCardChanges();
+
+  /**
+   * Used to potentially detect when a user's internet connection is being
+   * intercepted. When doing an update ping, if certificate verification fails,
+   * we make a note of the issuer distinguished name of that certificate.
+   * If a subsequent certificate verification fails, we compare issuer
+   * distinguished names. If they match, something may be intercepting the
+   * user's traffic (if they don't match, the server is likely misconfigured).
+   * This function succeeds if the given DN matches the noted DN and fails
+   * otherwise (e.g. if the update ping never failed).
+   */
+  [noscript] void issuerMatchesMitmCanary(in string certIssuer);
+
+  /**
+   * Returns an already-adrefed handle to the currently configured shared
+   * certificate verifier.
+   */
+  [noscript] SharedCertVerifierPtr getDefaultCertVerifier();
+
+  /**
+   * For clearing both SSL internal and external session cache from JS.
+   * WARNING: May be racy when using the socket process.
+   */
+  void clearSSLExternalAndInternalSessionCache();
+
+  /**
+   * For clearing both SSL internal and external session cache from JS.
+   */
+  [implicit_jscontext]
+  Promise asyncClearSSLExternalAndInternalSessionCache();
+};