security/manager/ssl/public/nsICertOverrideService.idl

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

     1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
     2  *
     3  * This Source Code Form is subject to the terms of the Mozilla Public
     4  * License, v. 2.0. If a copy of the MPL was not distributed with this
     5  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
     7 #include "nsISupports.idl"
     9 interface nsIArray;
    10 interface nsIX509Cert;
    12 %{C++
    13 #define NS_CERTOVERRIDE_CONTRACTID "@mozilla.org/security/certoverride;1"
    14 %}
    16 /**
    17  * This represents the global list of triples
    18  *   {host:port, cert-fingerprint, allowed-overrides}
    19  * that the user wants to accept without further warnings.
        *
        * Each entry is additionally flagged as temporary or permanent (see the
        * aTemporary / aIsTemporary parameters below).
        * NOTE(review): an entry suppresses certificate verification errors for
        * its host:port, so callers should request only the ERROR_* bits they
        * actually intend to override.
    20  */
    21 [scriptable, uuid(31738d2a-77d3-4359-84c9-4be2f38fb8c5)]
    22 interface nsICertOverrideService : nsISupports {
    24   /**
    25    *  Override bit: the certificate is untrusted.
          *  The ERROR_* values are distinct powers of two (1, 2, 4); presumably
          *  they are OR-ed together to form aOverrideBits -- confirm against callers.
    26    */
    27   const short ERROR_UNTRUSTED = 1;
    29   /**
    30    *  Override bit: the certificate does not match the hostname.
    31    */
    32   const short ERROR_MISMATCH = 2;
    34   /**
    35    *  Override bit: the certificate has a time (validity period) error.
    36    */
    37   const short ERROR_TIME = 4;
    39   /**
    40    *  The given cert should always be accepted for the given hostname:port,
    41    *  regardless of errors verifying the cert.
    42    *  Host:Port is a primary key, only one entry per host:port can exist.
    43    *  The implementation will store a fingerprint of the cert.
    44    *  The implementation will decide which fingerprint alg is used.
          *  NOTE(review): since only one entry per host:port can exist, a call for
          *  an already-known host:port presumably replaces that entry -- confirm.
    45    *
    46    *  @param aHostName The host (punycode) this mapping belongs to
    47    *  @param aPort The port this mapping belongs to, if it is -1 then it
    48    *          is internally treated as 443
    49    *  @param aCert The cert that should always be accepted
    50    *  @param aOverrideBits The errors we want to be overridden
          *  @param aTemporary Whether the entry is recorded as temporary rather
          *          than permanent (NOTE(review): presumably temporary entries
          *          are not persisted -- confirm against the implementation)
    51    */
    52   void rememberValidityOverride(in ACString aHostName, 
    53                                 in int32_t aPort,
    54                                 in nsIX509Cert aCert,
    55                                 in uint32_t aOverrideBits,
    56                                 in boolean aTemporary);
    58   /**
    59    *  Check whether an override entry on file for the given hostname:port
    60    *  matches the given cert.
    61    *  Host:Port is a primary key, only one entry per host:port can exist.
    62    *  NOTE(review): presumably the comparison uses the stored cert
    63    *  fingerprint -- confirm against the implementation.
    64    *
    65    *  @param aHostName The host (punycode) this mapping belongs to
    66    *  @param aPort The port this mapping belongs to, if it is -1 then it
    67    *          is internally treated as 443
    68    *  @param aCert The cert to compare against the stored entry
    69    *  @param aOverrideBits (out) The errors that are currently overridden
          *  @param aIsTemporary (out) Whether the entry is a temporary one
          *          (presumably only meaningful when the return value is true)
    70    *  @return whether an override entry for aHostName:aPort is currently on file
    71    *          that matches the given certificate
    72    */
    73   boolean hasMatchingOverride(in ACString aHostName, 
    74                               in int32_t aPort,
    75                               in nsIX509Cert aCert,
    76                               out uint32_t aOverrideBits,
    77                               out boolean aIsTemporary);
    79   /**
    80    *  Retrieve the stored override for the given hostname:port.
    81    *
    82    *  @param aHostName The host (punycode) whose entry should be tested
    83    *  @param aPort The port whose entry should be tested, if it is -1 then it
    84    *          is internally treated as 443
    85    *  @param aHashAlg (out) On return value True, the fingerprint hash algorithm
    86    *                  as an OID value in dotted notation.
    87    *  @param aFingerprint (out) On return value True, the stored fingerprint
    88    *  @param aOverrideBits (out) The errors that are currently overridden
          *  @param aIsTemporary (out) Whether the entry is a temporary one
          *          (presumably only meaningful when the return value is true)
    89    *  @return whether an override entry for aHostName:aPort
    90    *          is currently on file
    91    */
    92   boolean getValidityOverride(in ACString aHostName, 
    93                               in int32_t aPort,
    94                               out ACString aHashAlg,
    95                               out ACString aFingerprint,
    96                               out uint32_t aOverrideBits,
    97                               out boolean aIsTemporary);
    99   /**
   100    *  Remove an override for the given hostname:port.
   101    *
   102    *  @param aHostName The host (punycode) whose entry should be cleared.
   103    *  @param aPort The port whose entry should be cleared.
   104    *               If it is -1, then it is internally treated as 443.
   105    *               If it is 0 and aHostName is "all:temporary-certificates",
   106    *               then all temporary certificates should be cleared.
   107    */
   108   void clearValidityOverride(in ACString aHostName,
   109                              in int32_t aPort);
   111   /**
   112    *  Obtain the full list of hostname:port for which overrides are known.
   113    *
   114    *  @param aCount The number of host:port entries returned
   115    *  @param aHostsWithPortsArray The array of host:port entries returned
   116    */
   117   void getAllOverrideHostsWithPorts(out uint32_t aCount, 
   118                                     [array, size_is(aCount)] out wstring aHostsWithPortsArray);
   120   /**
   121    *  Count the override entries that use the given cert.
   122    *
   123    *  @param aCert The cert we're looking for
          *  @param aCheckTemporaries presumably whether temporary entries are
          *          included in the count -- confirm against the implementation
          *  @param aCheckPermanents presumably whether permanent entries are
          *          included in the count -- confirm against the implementation
   124    *  @return how many override entries are currently on file
   125    *          for the given certificate
   126    */
   127   uint32_t isCertUsedForOverrides(in nsIX509Cert aCert,
   128                                   in boolean aCheckTemporaries,
   129                                   in boolean aCheckPermanents);
   130 };
