security/manager/ssl/nsITransportSecurityInfo.idl


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137

/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "nsISupports.idl"

interface nsIObjectOutputStream;
interface nsIX509Cert;

%{ C++
namespace IPC {
class MessageWriter;
}
%}

[ptr] native IpcMessageWriterPtr(IPC::MessageWriter);

[builtinclass, scriptable, uuid(216112d3-28bc-4671-b057-f98cc09ba1ea)]
interface nsITransportSecurityInfo : nsISupports {
    cenum OverridableErrorCategory : 32 {
      ERROR_UNSET,
      ERROR_TRUST,
      ERROR_DOMAIN,
      ERROR_TIME,
    };

    readonly attribute unsigned long securityState;
    readonly attribute long errorCode; // PRErrorCode
    // errorCode as string (e.g. "SEC_ERROR_UNKNOWN_ISSUER")
    readonly attribute AString errorCodeString;

    /**
     * The following parameters are only valid after the TLS handshake
     * has completed.  Check securityState first.
     */

    /**
     * If certificate verification failed, this will be the peer certificate
     * chain provided in the handshake, so it can be used for error reporting.
     * If verification succeeded, this will be empty.
     */
    readonly attribute Array<nsIX509Cert> failedCertChain;

    readonly attribute nsIX509Cert serverCert;
    readonly attribute Array<nsIX509Cert> succeededCertChain;

    [must_use]
    readonly attribute ACString cipherName;
    [must_use]
    readonly attribute unsigned long keyLength;
    [must_use]
    readonly attribute unsigned long secretKeyLength;
    [must_use]
    readonly attribute ACString keaGroupName;
    [must_use]
    readonly attribute ACString signatureSchemeName;

    const short SSL_VERSION_3   = 0;
    const short TLS_VERSION_1   = 1;
    const short TLS_VERSION_1_1 = 2;
    const short TLS_VERSION_1_2 = 3;
    const short TLS_VERSION_1_3 = 4;
    [must_use]
    readonly attribute unsigned short protocolVersion;

    const short CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE          = 0;
    const short CERTIFICATE_TRANSPARENCY_POLICY_COMPLIANT        = 5;
    const short CERTIFICATE_TRANSPARENCY_POLICY_NOT_ENOUGH_SCTS  = 6;
    const short CERTIFICATE_TRANSPARENCY_POLICY_NOT_DIVERSE_SCTS = 7;
    [must_use]
    readonly attribute unsigned short certificateTransparencyStatus;

    [must_use]
    readonly attribute boolean isAcceptedEch;
    [must_use]
    readonly attribute boolean isDelegatedCredential;
    [must_use]
    readonly attribute nsITransportSecurityInfo_OverridableErrorCategory overridableErrorCategory;

    /**
     * True if OCSP requests were made to query the status of certificates
     * used in this connection.
     */
    [must_use]
    readonly attribute boolean madeOCSPRequests;

    /**
     * True if the DNS record used for this connection was fetched over an encrypted connection.
     */
    [must_use]
    readonly attribute boolean usedPrivateDNS;

    /**
     * True only if (and after) serverCert was successfully validated as
     * Extended Validation (EV).
     */
    [must_use]
    readonly attribute boolean isExtendedValidation;

    [notxpcom, noscript]
    void SerializeToIPC(in IpcMessageWriterPtr aWriter);

    /**
     * Serializes the data represented in this interface to a base64-encoded
     * string that can be deserialized using TransportSecurityInfo::Read.
     */
    [must_use]
    ACString toString();

    /* negotiatedNPN is '' if no NPN list was provided by the client,
     * or if the server did not select any protocol choice from that
     * list. That also includes the case where the server does not
     * implement NPN.
     *
     * If negotiatedNPN is read before NPN has progressed to the point
     * where this information is available NS_ERROR_NOT_CONNECTED is
     * raised.
     */
    readonly attribute ACString negotiatedNPN;

    /**
     * True iff the connection was resumed using the resumption token.
     */
    readonly attribute boolean resumed;

    /**
     * True iff the succeededCertChain is built in root.
     */
    readonly attribute boolean isBuiltCertChainRootBuiltInRoot;

    /**
     * The id used to uniquely identify the connection to the peer.
     */
    readonly attribute ACString peerId;
};