security/manager/ssl/public/nsICertOverrideService.idl@b8a032363ba2 (annotated)
security/manager/ssl/public/nsICertOverrideService.idl
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
| michael@0 | 1 | /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- |
| michael@0 | 2 | * |
| michael@0 | 3 | * This Source Code Form is subject to the terms of the Mozilla Public |
| michael@0 | 4 | * License, v. 2.0. If a copy of the MPL was not distributed with this |
| michael@0 | 5 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| michael@0 | 6 | |
| michael@0 | 7 | #include "nsISupports.idl" |
| michael@0 | 8 | |
| michael@0 | 9 | interface nsIArray; |
| michael@0 | 10 | interface nsIX509Cert; |
| michael@0 | 11 | |
| michael@0 | 12 | %{C++ |
| michael@0 | 13 | #define NS_CERTOVERRIDE_CONTRACTID "@mozilla.org/security/certoverride;1" |
| michael@0 | 14 | %} |
| michael@0 | 15 | |
| michael@0 | 16 | /** |
| michael@0 | 17 | * This represents the global list of triples |
| michael@0 | 18 | * {host:port, cert-fingerprint, allowed-overrides} |
| michael@0 | 19 | * that the user wants to accept without further warnings. |
| michael@0 | 20 | */ |
| michael@0 | 21 | [scriptable, uuid(31738d2a-77d3-4359-84c9-4be2f38fb8c5)] |
| michael@0 | 22 | interface nsICertOverrideService : nsISupports { |
| michael@0 | 23 | |
| michael@0 | 24 | /** |
| michael@0 | 25 | * Override Untrusted |
| michael@0 | 26 | */ |
| michael@0 | 27 | const short ERROR_UNTRUSTED = 1; |
| michael@0 | 28 | |
| michael@0 | 29 | /** |
| michael@0 | 30 | * Override hostname Mismatch |
| michael@0 | 31 | */ |
| michael@0 | 32 | const short ERROR_MISMATCH = 2; |
| michael@0 | 33 | |
| michael@0 | 34 | /** |
| michael@0 | 35 | * Override Time error |
| michael@0 | 36 | */ |
| michael@0 | 37 | const short ERROR_TIME = 4; |
| michael@0 | 38 | |
| michael@0 | 39 | /** |
| michael@0 | 40 | * The given cert should always be accepted for the given hostname:port, |
| michael@0 | 41 | * regardless of errors verifying the cert. |
| michael@0 | 42 | * Host:Port is a primary key, only one entry per host:port can exist. |
| michael@0 | 43 | * The implementation will store a fingerprint of the cert. |
| michael@0 | 44 | * The implementation will decide which fingerprint alg is used. |
| michael@0 | 45 | * |
| michael@0 | 46 | * @param aHostName The host (punycode) this mapping belongs to |
| michael@0 | 47 | * @param aPort The port this mapping belongs to, if it is -1 then it |
| michael@0 | 48 | * is internaly treated as 443 |
| michael@0 | 49 | * @param aCert The cert that should always be accepted |
| michael@0 | 50 | * @param aOverrideBits The errors we want to be overriden |
| michael@0 | 51 | */ |
| michael@0 | 52 | void rememberValidityOverride(in ACString aHostName, |
| michael@0 | 53 | in int32_t aPort, |
| michael@0 | 54 | in nsIX509Cert aCert, |
| michael@0 | 55 | in uint32_t aOverrideBits, |
| michael@0 | 56 | in boolean aTemporary); |
| michael@0 | 57 | |
| michael@0 | 58 | /** |
| michael@0 | 59 | * The given cert should always be accepted for the given hostname:port, |
| michael@0 | 60 | * regardless of errors verifying the cert. |
| michael@0 | 61 | * Host:Port is a primary key, only one entry per host:port can exist. |
| michael@0 | 62 | * The implementation will store a fingerprint of the cert. |
| michael@0 | 63 | * The implementation will decide which fingerprint alg is used. |
| michael@0 | 64 | * |
| michael@0 | 65 | * @param aHostName The host (punycode) this mapping belongs to |
| michael@0 | 66 | * @param aPort The port this mapping belongs to, if it is -1 then it |
| michael@0 | 67 | * is internaly treated as 443 |
| michael@0 | 68 | * @param aCert The cert that should always be accepted |
| michael@0 | 69 | * @param aOverrideBits The errors that are currently overriden |
| michael@0 | 70 | * @return whether an override entry for aHostNameWithPort is currently on file |
| michael@0 | 71 | * that matches the given certificate |
| michael@0 | 72 | */ |
| michael@0 | 73 | boolean hasMatchingOverride(in ACString aHostName, |
| michael@0 | 74 | in int32_t aPort, |
| michael@0 | 75 | in nsIX509Cert aCert, |
| michael@0 | 76 | out uint32_t aOverrideBits, |
| michael@0 | 77 | out boolean aIsTemporary); |
| michael@0 | 78 | |
| michael@0 | 79 | /** |
| michael@0 | 80 | * Retrieve the stored override for the given hostname:port. |
| michael@0 | 81 | * |
| michael@0 | 82 | * @param aHostName The host (punycode) whose entry should be tested |
| michael@0 | 83 | * @param aPort The port whose entry should be tested, if it is -1 then it |
| michael@0 | 84 | * is internaly treated as 443 |
| michael@0 | 85 | * @param aHashAlg On return value True, the fingerprint hash algorithm |
| michael@0 | 86 | * as an OID value in dotted notation. |
| michael@0 | 87 | * @param aFingerprint On return value True, the stored fingerprint |
| michael@0 | 88 | * @param aOverrideBits The errors that are currently overriden |
| michael@0 | 89 | * @return whether a matching override entry for aHostNameWithPort |
| michael@0 | 90 | * and aFingerprint is currently on file |
| michael@0 | 91 | */ |
| michael@0 | 92 | boolean getValidityOverride(in ACString aHostName, |
| michael@0 | 93 | in int32_t aPort, |
| michael@0 | 94 | out ACString aHashAlg, |
| michael@0 | 95 | out ACString aFingerprint, |
| michael@0 | 96 | out uint32_t aOverrideBits, |
| michael@0 | 97 | out boolean aIsTemporary); |
| michael@0 | 98 | |
| michael@0 | 99 | /** |
| michael@0 | 100 | * Remove a override for the given hostname:port. |
| michael@0 | 101 | * |
| michael@0 | 102 | * @param aHostName The host (punycode) whose entry should be cleared. |
| michael@0 | 103 | * @param aPort The port whose entry should be cleared. |
| michael@0 | 104 | * If it is -1, then it is internaly treated as 443. |
| michael@0 | 105 | * If it is 0 and aHostName is "all:temporary-certificates", |
| michael@0 | 106 | * then all temporary certificates should be cleared. |
| michael@0 | 107 | */ |
| michael@0 | 108 | void clearValidityOverride(in ACString aHostName, |
| michael@0 | 109 | in int32_t aPort); |
| michael@0 | 110 | |
| michael@0 | 111 | /** |
| michael@0 | 112 | * Obtain the full list of hostname:port for which overrides are known. |
| michael@0 | 113 | * |
| michael@0 | 114 | * @param aCount The number of host:port entries returned |
| michael@0 | 115 | * @param aHostsWithPortsArray The array of host:port entries returned |
| michael@0 | 116 | */ |
| michael@0 | 117 | void getAllOverrideHostsWithPorts(out uint32_t aCount, |
| michael@0 | 118 | [array, size_is(aCount)] out wstring aHostsWithPortsArray); |
| michael@0 | 119 | |
| michael@0 | 120 | /** |
| michael@0 | 121 | * Is the given cert used in rules? |
| michael@0 | 122 | * |
| michael@0 | 123 | * @param aCert The cert we're looking for |
| michael@0 | 124 | * @return how many override entries are currently on file |
| michael@0 | 125 | * for the given certificate |
| michael@0 | 126 | */ |
| michael@0 | 127 | uint32_t isCertUsedForOverrides(in nsIX509Cert aCert, |
| michael@0 | 128 | in boolean aCheckTemporaries, |
| michael@0 | 129 | in boolean aCheckPermanents); |
| michael@0 | 130 | }; |
