/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "nsISupports.idl" %{C++ #include "cert.h" #include "SharedCertVerifier.h" #define PSM_COMPONENT_CONTRACTID "@mozilla.org/psm;1" %} [ptr] native CERTCertificatePtr(CERTCertificate); [ptr] native SharedCertVerifierPtr(mozilla::psm::SharedCertVerifier); [scriptable, uuid(a0a8f52b-ea18-4abc-a3ca-eccf704ffe63)] interface nsINSSComponent : nsISupports { /** * When we log out of a PKCS#11 token, any TLS connections that may have * involved a client certificate stored on that token must be closed. Since we * don't have a fine-grained way to do this, we basically cancel everything. * More speficially, this clears all temporary certificate exception overrides * and any remembered client authentication certificate decisions, and then * cancels all network connections (strictly speaking, this last part is * overzealous - we only need to cancel all https connections (see bug * 1446645)). */ [noscript] void logoutAuthenticatedPK11(); /** * Used to determine if the given certificate (represented as an array of * bytes) is the certificate we use in tests to simulate a built-in root * certificate. Returns false in non-debug builds. */ [noscript] bool isCertTestBuiltInRoot(in Array cert); /** * If enabled by the preference "security.enterprise_roots.enabled", returns * an array of arrays of bytes representing the imported enterprise root * certificates (i.e. root certificates gleaned from the OS certificate * store). Returns an empty array otherwise. * Currently this is only implemented on Windows and MacOS X, so this * function returns an empty array on all other platforms. */ Array > getEnterpriseRoots(); /** * Similarly, but for intermediate certificates. */ Array > getEnterpriseIntermediates(); /** * Test utility for adding an intermediate certificate to the current set of * imported enterprise intermediates, if any. Additions to the set made using * this function will be cleared when the value of the preference * "security.enterprise_roots.enabled" changes. */ void addEnterpriseIntermediate(in Array intermediateBytes); /** * For performance reasons, the builtin roots module is loaded on a background * thread. When any code that depends on the builtin roots module runs, it * must first wait for the module to be loaded. */ [noscript] void blockUntilLoadableCertsLoaded(); /** * In theory a token on a PKCS#11 module can be inserted or removed at any * time. Operations that may depend on resources on external tokens should * call this to ensure they have a recent view of the token. */ [noscript] void checkForSmartCardChanges(); /** * Used to potentially detect when a user's internet connection is being * intercepted. When doing an update ping, if certificate verification fails, * we make a note of the issuer distinguished name of that certificate. * If a subsequent certificate verification fails, we compare issuer * distinguished names. If they match, something may be intercepting the * user's traffic (if they don't match, the server is likely misconfigured). * This function succeeds if the given DN matches the noted DN and fails * otherwise (e.g. if the update ping never failed). */ [noscript] void issuerMatchesMitmCanary(in string certIssuer); /** * Returns an already-adrefed handle to the currently configured shared * certificate verifier. */ [noscript] SharedCertVerifierPtr getDefaultCertVerifier(); /** * For clearing both SSL internal and external session cache from JS. * WARNING: May be racy when using the socket process. */ void clearSSLExternalAndInternalSessionCache(); /** * For clearing both SSL internal and external session cache from JS. */ [implicit_jscontext] Promise asyncClearSSLExternalAndInternalSessionCache(); };