1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/manager/ssl/public/nsICertOverrideService.idl Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,130 @@
1.4 +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
1.5 + *
1.6 + * This Source Code Form is subject to the terms of the Mozilla Public
1.7 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.8 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.9 +
1.10 +#include "nsISupports.idl"
1.11 +
1.12 +interface nsIArray;
1.13 +interface nsIX509Cert;
1.14 +
1.15 +%{C++
1.16 +#define NS_CERTOVERRIDE_CONTRACTID "@mozilla.org/security/certoverride;1"
1.17 +%}
1.18 +
1.19 +/**
1.20 + * This represents the global list of triples
1.21 + * {host:port, cert-fingerprint, allowed-overrides}
1.22 + * that the user wants to accept without further warnings.
1.23 + */
1.24 +[scriptable, uuid(31738d2a-77d3-4359-84c9-4be2f38fb8c5)]
1.25 +interface nsICertOverrideService : nsISupports {
1.26 +
1.27 + /**
1.28 + * Override Untrusted
1.29 + */
1.30 + const short ERROR_UNTRUSTED = 1;
1.31 +
1.32 + /**
1.33 + * Override hostname Mismatch
1.34 + */
1.35 + const short ERROR_MISMATCH = 2;
1.36 +
1.37 + /**
1.38 + * Override Time error
1.39 + */
1.40 + const short ERROR_TIME = 4;
1.41 +
1.42 + /**
1.43 + * The given cert should always be accepted for the given hostname:port,
1.44 + * regardless of errors verifying the cert.
1.45 + * Host:Port is a primary key, only one entry per host:port can exist.
1.46 + * The implementation will store a fingerprint of the cert.
1.47 + * The implementation will decide which fingerprint alg is used.
1.48 + *
1.49 + * @param aHostName The host (punycode) this mapping belongs to
1.50 + * @param aPort The port this mapping belongs to, if it is -1 then it
1.51 + * is internaly treated as 443
1.52 + * @param aCert The cert that should always be accepted
1.53 + * @param aOverrideBits The errors we want to be overriden
1.54 + */
1.55 + void rememberValidityOverride(in ACString aHostName,
1.56 + in int32_t aPort,
1.57 + in nsIX509Cert aCert,
1.58 + in uint32_t aOverrideBits,
1.59 + in boolean aTemporary);
1.60 +
1.61 + /**
1.62 + * The given cert should always be accepted for the given hostname:port,
1.63 + * regardless of errors verifying the cert.
1.64 + * Host:Port is a primary key, only one entry per host:port can exist.
1.65 + * The implementation will store a fingerprint of the cert.
1.66 + * The implementation will decide which fingerprint alg is used.
1.67 + *
1.68 + * @param aHostName The host (punycode) this mapping belongs to
1.69 + * @param aPort The port this mapping belongs to, if it is -1 then it
1.70 + * is internaly treated as 443
1.71 + * @param aCert The cert that should always be accepted
1.72 + * @param aOverrideBits The errors that are currently overriden
1.73 + * @return whether an override entry for aHostNameWithPort is currently on file
1.74 + * that matches the given certificate
1.75 + */
1.76 + boolean hasMatchingOverride(in ACString aHostName,
1.77 + in int32_t aPort,
1.78 + in nsIX509Cert aCert,
1.79 + out uint32_t aOverrideBits,
1.80 + out boolean aIsTemporary);
1.81 +
1.82 + /**
1.83 + * Retrieve the stored override for the given hostname:port.
1.84 + *
1.85 + * @param aHostName The host (punycode) whose entry should be tested
1.86 + * @param aPort The port whose entry should be tested, if it is -1 then it
1.87 + * is internaly treated as 443
1.88 + * @param aHashAlg On return value True, the fingerprint hash algorithm
1.89 + * as an OID value in dotted notation.
1.90 + * @param aFingerprint On return value True, the stored fingerprint
1.91 + * @param aOverrideBits The errors that are currently overriden
1.92 + * @return whether a matching override entry for aHostNameWithPort
1.93 + * and aFingerprint is currently on file
1.94 + */
1.95 + boolean getValidityOverride(in ACString aHostName,
1.96 + in int32_t aPort,
1.97 + out ACString aHashAlg,
1.98 + out ACString aFingerprint,
1.99 + out uint32_t aOverrideBits,
1.100 + out boolean aIsTemporary);
1.101 +
1.102 + /**
1.103 + * Remove a override for the given hostname:port.
1.104 + *
1.105 + * @param aHostName The host (punycode) whose entry should be cleared.
1.106 + * @param aPort The port whose entry should be cleared.
1.107 + * If it is -1, then it is internaly treated as 443.
1.108 + * If it is 0 and aHostName is "all:temporary-certificates",
1.109 + * then all temporary certificates should be cleared.
1.110 + */
1.111 + void clearValidityOverride(in ACString aHostName,
1.112 + in int32_t aPort);
1.113 +
1.114 + /**
1.115 + * Obtain the full list of hostname:port for which overrides are known.
1.116 + *
1.117 + * @param aCount The number of host:port entries returned
1.118 + * @param aHostsWithPortsArray The array of host:port entries returned
1.119 + */
1.120 + void getAllOverrideHostsWithPorts(out uint32_t aCount,
1.121 + [array, size_is(aCount)] out wstring aHostsWithPortsArray);
1.122 +
1.123 + /**
1.124 + * Is the given cert used in rules?
1.125 + *
1.126 + * @param aCert The cert we're looking for
1.127 + * @return how many override entries are currently on file
1.128 + * for the given certificate
1.129 + */
1.130 + uint32_t isCertUsedForOverrides(in nsIX509Cert aCert,
1.131 + in boolean aCheckTemporaries,
1.132 + in boolean aCheckPermanents);
1.133 +};
