/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "nsISupports.idl"

interface nsIArray;
interface nsIX509Cert;
interface nsIX509Cert3;
interface nsIFile;
interface nsIInterfaceRequestor;
interface nsIZipReader;
interface nsIRecentBadCerts;
interface nsIX509CertList;

%{C++
#define NS_X509CERTDB_CONTRACTID "@mozilla.org/security/x509certdb;1"
%}

typedef uint32_t AppTrustedRoot;

/**
 * Callback type accepted by nsIX509CertDB.openSignedAppFileAsync.
 *
 * @param rv          Result code of the operation.
 * @param aZipReader  Reader for the JAR file.
 * @param aSignerCert Certificate that signed the JAR.
 *
 * NOTE(review): callers should check rv before using aZipReader or
 * aSignerCert; whether those arguments are null on failure is not stated
 * in this file.
 */
[scriptable, function, uuid(0927baea-622d-4e41-a76d-255af426e7fb)]
interface nsIOpenSignedAppFileCallback : nsISupports
{
  void openSignedAppFileFinished(in nsresult rv,
                                 in nsIZipReader aZipReader,
                                 in nsIX509Cert3 aSignerCert);
};

/**
 * This represents a service to access and manipulate
 * X.509 certificates stored in a database.
 *
 * NOTE(review): the interface is marked scriptable and includes methods
 * that import certificates and change stored trust (setCertTrust,
 * setCertTrustFromString, addCert). Callers should not feed those methods
 * values derived from untrusted content.
 */
[scriptable, uuid(7446a5b1-84ca-491f-a2fe-0bc60a71ffa5)]
interface nsIX509CertDB : nsISupports {

  /**
   *  Constants that define which usages a certificate
   *  is trusted for. UNTRUSTED is zero; the TRUSTED_* values are
   *  single bits that can be combined into a bitmask.
   */
  const unsigned long UNTRUSTED       =      0;
  const unsigned long TRUSTED_SSL     = 1 << 0;
  const unsigned long TRUSTED_EMAIL   = 1 << 1;
  const unsigned long TRUSTED_OBJSIGN = 1 << 2;

  /**
   *  Given a nickname and optionally a token,
   *  locate the matching certificate.
   *
   *  @param aToken Optionally limits the scope of
   *                this function to a token device.
   *                Can be null to mean any token.
   *  @param aNickname The nickname to be used as the key
   *                   to find a certificate.
   *
   *  @return The matching certificate if found.
   */
  nsIX509Cert findCertByNickname(in nsISupports aToken,
                                 in AString aNickname);

  /**
   *  Find a certificate based on its dbkey,
   *  as retrieved from the dbKey attribute of
   *  the certificate.
   *
   *  @param aDBkey Database internal key, as obtained using
   *                attribute dbkey in nsIX509Cert.
   *  @param aToken Optionally limits the scope of
   *                this function to a token device.
   *                Can be null to mean any token.
   */
  nsIX509Cert findCertByDBKey(in string aDBkey, in nsISupports aToken);

  /**
   *  Obtain a list of certificate nicknames from the database.
   *  What the name is depends on type:
   *    user, ca, or server cert - the nickname
   *    email cert - the email address
   *
   *  @param aToken Optionally limits the scope of
   *                this function to a token device.
   *                Can be null to mean any token.
   *  @param aType Type of certificate to obtain
   *               See certificate type constants in nsIX509Cert.
   *  @param count The number of nicknames in the returned array
   *  @param certNameList The returned array of certificate nicknames.
   */
  void findCertNicknames(in nsISupports aToken,
                         in unsigned long aType,
                         out unsigned long count,
                         [array, size_is(count)] out wstring certNameList);

  /**
   *  Find user's own email encryption certificate by nickname.
   *
   *  @param aNickname The nickname to be used as the key
   *                   to find the certificate.
   *
   *  @return The matching certificate if found.
   */
  nsIX509Cert findEmailEncryptionCert(in AString aNickname);

  /**
   *  Find user's own email signing certificate by nickname.
   *
   *  @param aNickname The nickname to be used as the key
   *                   to find the certificate.
   *
   *  @return The matching certificate if found.
   */
  nsIX509Cert findEmailSigningCert(in AString aNickname);

  /**
   *  Find a certificate by email address.
   *
   *  @param aToken Optionally limits the scope of
   *                this function to a token device.
   *                Can be null to mean any token.
   *  @param aEmailAddress The email address to be used as the key
   *                       to find the certificate.
   *
   *  @return The matching certificate if found.
   */
  nsIX509Cert findCertByEmailAddress(in nsISupports aToken,
                                     in string aEmailAddress);

  /**
   *  Use this to import a stream sent down as a mime type into
   *  the certificate database on the default token.
   *  The stream may consist of one or more certificates.
   *
   *  @param data The raw data to be imported
   *  @param length The length of the data to be imported
   *  @param type The type of the certificate, see constants in nsIX509Cert
   *  @param ctx A UI context.
   */
  void importCertificates([array, size_is(length)] in octet data,
                          in unsigned long length,
                          in unsigned long type,
                          in nsIInterfaceRequestor ctx);

  /**
   *  Import another person's email certificate into the database.
   *
   *  @param data The raw data to be imported
   *  @param length The length of the data to be imported
   *  @param ctx A UI context.
   */
  void importEmailCertificate([array, size_is(length)] in octet data,
                              in unsigned long length,
                              in nsIInterfaceRequestor ctx);

  /**
   *  Import a server machine's certificate into the database.
   *
   *  @param data The raw data to be imported
   *  @param length The length of the data to be imported
   *  @param ctx A UI context.
   */
  void importServerCertificate([array, size_is(length)] in octet data,
                               in unsigned long length,
                               in nsIInterfaceRequestor ctx);

  /**
   *  Import a personal certificate into the database, assuming
   *  the database already contains the private key for this certificate.
   *
   *  @param data The raw data to be imported
   *  @param length The length of the data to be imported
   *  @param ctx A UI context.
   */
  void importUserCertificate([array, size_is(length)] in octet data,
                             in unsigned long length,
                             in nsIInterfaceRequestor ctx);

  /**
   *  Delete a certificate stored in the database.
   *
   *  @param aCert Delete this certificate.
   */
  void deleteCertificate(in nsIX509Cert aCert);

  /**
   *  Modify the trust that is stored and associated to a certificate within
   *  a database.
   *  One call manipulates the trust for one trust type only.
   *  See the trust type constants defined within this interface.
   *
   *  NOTE(review): the original comment contained an unfinished sentence at
   *  this point ("Separate trust is stored for"); what the trust is stored
   *  separately for is not stated in this file.
   *
   *  @param cert Change the stored trust of this certificate.
   *  @param type The type of the certificate. See nsIX509Cert.
   *  @param trust A bitmask. The new trust for the possible usages.
   *               See the trust constants defined within this interface.
   */
  void setCertTrust(in nsIX509Cert cert,
                    in unsigned long type,
                    in unsigned long trust);

  /**
   * Set the trust of a certificate from a trust string.
   *
   * @param cert        The certificate for which to modify trust.
   * @param trustString decoded by CERT_DecodeTrustString. 3 comma separated
   *                    characters, indicating SSL, Email, and Obj signing
   *                    trust.
   */
  void setCertTrustFromString(in nsIX509Cert3 cert, in string trustString);

  /**
   *  Query whether a certificate is trusted for a particular use.
   *
   *  @param cert Obtain the stored trust of this certificate.
   *  @param certType The type of the certificate. See nsIX509Cert.
   *  @param trustType A single bit from the usages constants defined
   *                   within this interface.
   *
   *  @return Returns true if the certificate is trusted for the given use.
   */
  boolean isCertTrusted(in nsIX509Cert cert,
                        in unsigned long certType,
                        in unsigned long trustType);

  /**
   *  Import certificate(s) from file
   *
   *  @param aToken Optionally limits the scope of
   *                this function to a token device.
   *                Can be null to mean any token.
   *  @param aFile Identifies a file that contains the certificate
   *               to be imported.
   *  @param aType Describes the type of certificate that is going to
   *               be imported. See type constants in nsIX509Cert.
   */
  void importCertsFromFile(in nsISupports aToken,
                           in nsIFile aFile,
                           in unsigned long aType);

  /**
   *  Import a PKCS#12 file containing cert(s) and key(s) into the database.
   *
   *  @param aToken Optionally limits the scope of
   *                this function to a token device.
   *                Can be null to mean any token.
   *  @param aFile Identifies a file that contains the data
   *               to be imported.
   */
  void importPKCS12File(in nsISupports aToken,
                        in nsIFile aFile);

  /**
   *  Export a set of certs and keys from the database to a PKCS#12 file.
   *
   *  NOTE(review): the exported file holds key material; how it is protected
   *  (password, file permissions) is not described in this file.
   *
   *  @param aToken Optionally limits the scope of
   *                this function to a token device.
   *                Can be null to mean any token.
   *  @param aFile Identifies a file that will be filled with the data
   *               to be exported.
   *  @param count The number of certificates to be exported.
   *  @param aCerts The array of all certificates to be exported.
   */
  void exportPKCS12File(in nsISupports aToken,
                        in nsIFile aFile,
                        in unsigned long count,
                        [array, size_is(count)] in nsIX509Cert aCerts);

  /**
   * Decode a raw data representation and instantiate an object in memory.
   *
   * @param base64 The raw representation of a certificate,
   *                  encoded as Base 64.
   * @return The new certificate object.
   */
  nsIX509Cert constructX509FromBase64(in string base64);

  /**
   * Decode a raw data representation and instantiate an object in memory.
   *
   * NOTE(review): DER is binary and can contain zero bytes, so the length
   * argument, not a terminator, has to define the extent of certDER. How the
   * implementation checks the two against each other is not visible in this
   * file.
   *
   * @param certDER The raw representation of a certificate,
   *                  encoded as raw DER.
   * @param length  The length of the DER string.
   * @return The new certificate object.
   */
  nsIX509Cert constructX509(in string certDER, in unsigned long length);

  /**
   *  Obtain a reference to the appropriate service for recent
   *  bad certificates. May only be called on the main thread.
   *
   *  @param isPrivate True if the service for certs for private connections
   *                   is desired, false otherwise.
   *  @return The requested service.
   */
  nsIRecentBadCerts getRecentBadCerts(in boolean isPrivate);

  // Values for the trustedRoot argument of openSignedAppFileAsync.
  // NOTE(review): judging by their names, the Dev and XPCShell values refer
  // to development and test roots; confirm that production callers never
  // pass them.
  const AppTrustedRoot AppMarketplaceProdPublicRoot = 1;
  const AppTrustedRoot AppMarketplaceProdReviewersRoot = 2;
  const AppTrustedRoot AppMarketplaceDevPublicRoot = 3;
  const AppTrustedRoot AppMarketplaceDevReviewersRoot = 4;
  const AppTrustedRoot AppXPCShellRoot = 5;

  /**
   *  Verifies the signature on the given JAR file to verify that it has a
   *  valid signature.  To be considered valid, there must be exactly one
   *  signature on the JAR file and that signature must have signed every
   *  entry. Further, the signature must come from a certificate that
   *  is trusted for code signing.
   *
   *  On success, NS_OK, a nsIZipReader, and the trusted certificate that
   *  signed the JAR are returned.
   *
   *  On failure, an error code is returned.
   *
   *  The method itself is declared void; the results described above are
   *  presumably delivered through the arguments of the callback's
   *  openSignedAppFileFinished (rv, aZipReader, aSignerCert).
   *
   *  This method returns a nsIZipReader, instead of taking an nsIZipReader
   *  as input, to encourage users of the API to verify the signature as the
   *  first step in opening the JAR.
   *
   *  @param trustedRoot One of the AppTrustedRoot constants of this interface.
   *  @param aJarFile    The JAR file whose signature is to be verified.
   *  @param callback    Receives the result.
   */
  void openSignedAppFileAsync(in AppTrustedRoot trustedRoot,
                              in nsIFile aJarFile,
                              in nsIOpenSignedAppFileCallback callback);

  /**
   * Add a cert to a cert DB from a binary string.
   *
   * @param certDER The raw DER encoding of a certificate.
   * @param aTrust decoded by CERT_DecodeTrustString. 3 comma separated characters,
   *                indicating SSL, Email, and Obj signing trust
   * @param aName name of the cert for display purposes.
   */
  void addCert(in ACString certDER, in string aTrust, in string aName);

  // Flags for verifyCertNow (these must match the values in CertVerifier.cpp):
  // Prevent network traffic. Doesn't work with classic verification.
  const uint32_t FLAG_LOCAL_ONLY = 1 << 0;
  // Do not fall back to DV verification after attempting EV validation.
  // Actually does prevent network traffic, but can cause a valid EV
  // certificate to not be considered valid.
  const uint32_t FLAG_MUST_BE_EV = 1 << 1;

  /** Warning: This interface is intended for testing only, because:
   *    1. It can create IO on the main thread.
   *    2. It is in constant change, so in/out can change at any release.
   *
   *  Obtain the verification result for a cert given a particular usage.
   *  On success, the call returns 0, the chain built during verification,
   *  and whether the cert is good for EV usage.
   *  On failure, the call returns the PRErrorCode for the verification failure.
   *
   *  NOTE(review): the outcome is reported through the return value, so a
   *  caller has to compare it with 0. Presumably a failed verification does
   *  not by itself make the call throw; confirm against the implementation.
   *
   *  @param aCert The certificate to verify
   *  @param aUsage an integer representing the usage from NSS
   *  @param aFlags flags as described above
   *  @param verifiedChain chain of verification up to the root if success
   *  @param aHasEVPolicy bool that signifies that the cert was an EV cert
   *  @return 0 if success or the value of the error code for the verification
   *          failure
   */
  int32_t /*PRErrorCode*/
    verifyCertNow(in nsIX509Cert aCert,
                  in int64_t /*SECCertificateUsage*/ aUsage,
                  in uint32_t aFlags,
                  out nsIX509CertList verifiedChain,
                  out bool aHasEVPolicy);

  // Clears the OCSP cache for the current certificate verification
  // implementation.
  void clearOCSPCache();
};