From 6bf0a5cb5034a7e684dcc3500e841785237ce2dd Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 19:32:43 +0200 Subject: Adding upstream version 1:115.7.0. Signed-off-by: Daniel Baumann --- security/manager/ssl/nsINSSComponent.idl | 105 +++++++++++++++++++++++++++++++ 1 file changed, 105 insertions(+) create mode 100644 security/manager/ssl/nsINSSComponent.idl (limited to 'security/manager/ssl/nsINSSComponent.idl') diff --git a/security/manager/ssl/nsINSSComponent.idl b/security/manager/ssl/nsINSSComponent.idl new file mode 100644 index 0000000000..c0f6054ddf --- /dev/null +++ b/security/manager/ssl/nsINSSComponent.idl @@ -0,0 +1,105 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +%{C++ +#include "cert.h" +#include "SharedCertVerifier.h" +#define PSM_COMPONENT_CONTRACTID "@mozilla.org/psm;1" +%} + +[ptr] native CERTCertificatePtr(CERTCertificate); +[ptr] native SharedCertVerifierPtr(mozilla::psm::SharedCertVerifier); + +[scriptable, uuid(a0a8f52b-ea18-4abc-a3ca-eccf704ffe63)] +interface nsINSSComponent : nsISupports { + /** + * When we log out of a PKCS#11 token, any TLS connections that may have + * involved a client certificate stored on that token must be closed. Since we + * don't have a fine-grained way to do this, we basically cancel everything. + * More speficially, this clears all temporary certificate exception overrides + * and any remembered client authentication certificate decisions, and then + * cancels all network connections (strictly speaking, this last part is + * overzealous - we only need to cancel all https connections (see bug + * 1446645)). + */ + [noscript] void logoutAuthenticatedPK11(); + + /** + * Used to determine if the given certificate (represented as an array of + * bytes) is the certificate we use in tests to simulate a built-in root + * certificate. Returns false in non-debug builds. + */ + [noscript] bool isCertTestBuiltInRoot(in Array cert); + + /** + * If enabled by the preference "security.enterprise_roots.enabled", returns + * an array of arrays of bytes representing the imported enterprise root + * certificates (i.e. root certificates gleaned from the OS certificate + * store). Returns an empty array otherwise. + * Currently this is only implemented on Windows and MacOS X, so this + * function returns an empty array on all other platforms. + */ + Array > getEnterpriseRoots(); + + /** + * Similarly, but for intermediate certificates. + */ + Array > getEnterpriseIntermediates(); + + /** + * Test utility for adding an intermediate certificate to the current set of + * imported enterprise intermediates, if any. Additions to the set made using + * this function will be cleared when the value of the preference + * "security.enterprise_roots.enabled" changes. + */ + void addEnterpriseIntermediate(in Array intermediateBytes); + + /** + * For performance reasons, the builtin roots module is loaded on a background + * thread. When any code that depends on the builtin roots module runs, it + * must first wait for the module to be loaded. + */ + [noscript] void blockUntilLoadableCertsLoaded(); + + /** + * In theory a token on a PKCS#11 module can be inserted or removed at any + * time. Operations that may depend on resources on external tokens should + * call this to ensure they have a recent view of the token. + */ + [noscript] void checkForSmartCardChanges(); + + /** + * Used to potentially detect when a user's internet connection is being + * intercepted. When doing an update ping, if certificate verification fails, + * we make a note of the issuer distinguished name of that certificate. + * If a subsequent certificate verification fails, we compare issuer + * distinguished names. If they match, something may be intercepting the + * user's traffic (if they don't match, the server is likely misconfigured). + * This function succeeds if the given DN matches the noted DN and fails + * otherwise (e.g. if the update ping never failed). + */ + [noscript] void issuerMatchesMitmCanary(in string certIssuer); + + /** + * Returns an already-adrefed handle to the currently configured shared + * certificate verifier. + */ + [noscript] SharedCertVerifierPtr getDefaultCertVerifier(); + + /** + * For clearing both SSL internal and external session cache from JS. + * WARNING: May be racy when using the socket process. + */ + void clearSSLExternalAndInternalSessionCache(); + + /** + * For clearing both SSL internal and external session cache from JS. + */ + [implicit_jscontext] + Promise asyncClearSSLExternalAndInternalSessionCache(); +}; -- cgit v1.2.3