michael@0: /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- michael@0: * michael@0: * This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: michael@0: #include "nsISupports.idl" michael@0: michael@0: interface nsIArray; michael@0: interface nsIX509Cert; michael@0: michael@0: %{C++ michael@0: #define NS_CERTOVERRIDE_CONTRACTID "@mozilla.org/security/certoverride;1" michael@0: %} michael@0: michael@0: /** michael@0: * This represents the global list of triples michael@0: * {host:port, cert-fingerprint, allowed-overrides} michael@0: * that the user wants to accept without further warnings. michael@0: */ michael@0: [scriptable, uuid(31738d2a-77d3-4359-84c9-4be2f38fb8c5)] michael@0: interface nsICertOverrideService : nsISupports { michael@0: michael@0: /** michael@0: * Override Untrusted michael@0: */ michael@0: const short ERROR_UNTRUSTED = 1; michael@0: michael@0: /** michael@0: * Override hostname Mismatch michael@0: */ michael@0: const short ERROR_MISMATCH = 2; michael@0: michael@0: /** michael@0: * Override Time error michael@0: */ michael@0: const short ERROR_TIME = 4; michael@0: michael@0: /** michael@0: * The given cert should always be accepted for the given hostname:port, michael@0: * regardless of errors verifying the cert. michael@0: * Host:Port is a primary key, only one entry per host:port can exist. michael@0: * The implementation will store a fingerprint of the cert. michael@0: * The implementation will decide which fingerprint alg is used. michael@0: * michael@0: * @param aHostName The host (punycode) this mapping belongs to michael@0: * @param aPort The port this mapping belongs to, if it is -1 then it michael@0: * is internaly treated as 443 michael@0: * @param aCert The cert that should always be accepted michael@0: * @param aOverrideBits The errors we want to be overriden michael@0: */ michael@0: void rememberValidityOverride(in ACString aHostName, michael@0: in int32_t aPort, michael@0: in nsIX509Cert aCert, michael@0: in uint32_t aOverrideBits, michael@0: in boolean aTemporary); michael@0: michael@0: /** michael@0: * The given cert should always be accepted for the given hostname:port, michael@0: * regardless of errors verifying the cert. michael@0: * Host:Port is a primary key, only one entry per host:port can exist. michael@0: * The implementation will store a fingerprint of the cert. michael@0: * The implementation will decide which fingerprint alg is used. michael@0: * michael@0: * @param aHostName The host (punycode) this mapping belongs to michael@0: * @param aPort The port this mapping belongs to, if it is -1 then it michael@0: * is internaly treated as 443 michael@0: * @param aCert The cert that should always be accepted michael@0: * @param aOverrideBits The errors that are currently overriden michael@0: * @return whether an override entry for aHostNameWithPort is currently on file michael@0: * that matches the given certificate michael@0: */ michael@0: boolean hasMatchingOverride(in ACString aHostName, michael@0: in int32_t aPort, michael@0: in nsIX509Cert aCert, michael@0: out uint32_t aOverrideBits, michael@0: out boolean aIsTemporary); michael@0: michael@0: /** michael@0: * Retrieve the stored override for the given hostname:port. michael@0: * michael@0: * @param aHostName The host (punycode) whose entry should be tested michael@0: * @param aPort The port whose entry should be tested, if it is -1 then it michael@0: * is internaly treated as 443 michael@0: * @param aHashAlg On return value True, the fingerprint hash algorithm michael@0: * as an OID value in dotted notation. michael@0: * @param aFingerprint On return value True, the stored fingerprint michael@0: * @param aOverrideBits The errors that are currently overriden michael@0: * @return whether a matching override entry for aHostNameWithPort michael@0: * and aFingerprint is currently on file michael@0: */ michael@0: boolean getValidityOverride(in ACString aHostName, michael@0: in int32_t aPort, michael@0: out ACString aHashAlg, michael@0: out ACString aFingerprint, michael@0: out uint32_t aOverrideBits, michael@0: out boolean aIsTemporary); michael@0: michael@0: /** michael@0: * Remove a override for the given hostname:port. michael@0: * michael@0: * @param aHostName The host (punycode) whose entry should be cleared. michael@0: * @param aPort The port whose entry should be cleared. michael@0: * If it is -1, then it is internaly treated as 443. michael@0: * If it is 0 and aHostName is "all:temporary-certificates", michael@0: * then all temporary certificates should be cleared. michael@0: */ michael@0: void clearValidityOverride(in ACString aHostName, michael@0: in int32_t aPort); michael@0: michael@0: /** michael@0: * Obtain the full list of hostname:port for which overrides are known. michael@0: * michael@0: * @param aCount The number of host:port entries returned michael@0: * @param aHostsWithPortsArray The array of host:port entries returned michael@0: */ michael@0: void getAllOverrideHostsWithPorts(out uint32_t aCount, michael@0: [array, size_is(aCount)] out wstring aHostsWithPortsArray); michael@0: michael@0: /** michael@0: * Is the given cert used in rules? michael@0: * michael@0: * @param aCert The cert we're looking for michael@0: * @return how many override entries are currently on file michael@0: * for the given certificate michael@0: */ michael@0: uint32_t isCertUsedForOverrides(in nsIX509Cert aCert, michael@0: in boolean aCheckTemporaries, michael@0: in boolean aCheckPermanents); michael@0: };