diff -r 000000000000 -r 6474c204b198 security/manager/ssl/public/nsICertOverrideService.idl
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/security/manager/ssl/public/nsICertOverrideService.idl	Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,130 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIArray;
+interface nsIX509Cert;
+
+%{C++
+#define NS_CERTOVERRIDE_CONTRACTID "@mozilla.org/security/certoverride;1"
+%}
+
+/**
+ * This represents the global list of triples
+ *   {host:port, cert-fingerprint, allowed-overrides} 
+ * that the user wants to accept without further warnings. 
+ */
+[scriptable, uuid(31738d2a-77d3-4359-84c9-4be2f38fb8c5)]
+interface nsICertOverrideService : nsISupports {
+
+  /**
+   *  Override Untrusted
+   */
+  const short ERROR_UNTRUSTED = 1;
+
+  /**
+   *  Override hostname Mismatch
+   */
+  const short ERROR_MISMATCH = 2;
+
+  /**
+   *  Override Time error
+   */
+  const short ERROR_TIME = 4;
+
+  /**
+   *  The given cert should always be accepted for the given hostname:port,
+   *  regardless of errors verifying the cert.
+   *  Host:Port is a primary key, only one entry per host:port can exist.
+   *  The implementation will store a fingerprint of the cert.
+   *  The implementation will decide which fingerprint alg is used.
+   *
+   *  @param aHostName The host (punycode) this mapping belongs to
+   *  @param aPort The port this mapping belongs to, if it is -1 then it 
+   *          is internaly treated as 443
+   *  @param aCert The cert that should always be accepted
+   *  @param aOverrideBits The errors we want to be overriden
+   */
+  void rememberValidityOverride(in ACString aHostName, 
+                                in int32_t aPort,
+                                in nsIX509Cert aCert,
+                                in uint32_t aOverrideBits,
+                                in boolean aTemporary);
+
+  /**
+   *  The given cert should always be accepted for the given hostname:port,
+   *  regardless of errors verifying the cert.
+   *  Host:Port is a primary key, only one entry per host:port can exist.
+   *  The implementation will store a fingerprint of the cert.
+   *  The implementation will decide which fingerprint alg is used.
+   *
+   *  @param aHostName The host (punycode) this mapping belongs to
+   *  @param aPort The port this mapping belongs to, if it is -1 then it 
+   *          is internaly treated as 443
+   *  @param aCert The cert that should always be accepted
+   *  @param aOverrideBits The errors that are currently overriden
+   *  @return whether an override entry for aHostNameWithPort is currently on file
+   *          that matches the given certificate
+   */
+  boolean hasMatchingOverride(in ACString aHostName, 
+                              in int32_t aPort,
+                              in nsIX509Cert aCert,
+                              out uint32_t aOverrideBits,
+                              out boolean aIsTemporary);
+
+  /**
+   *  Retrieve the stored override for the given hostname:port.
+   *
+   *  @param aHostName The host (punycode) whose entry should be tested
+   *  @param aPort The port whose entry should be tested, if it is -1 then it 
+   *          is internaly treated as 443
+   *  @param aHashAlg On return value True, the fingerprint hash algorithm
+   *                  as an OID value in dotted notation.
+   *  @param aFingerprint On return value True, the stored fingerprint 
+   *  @param aOverrideBits The errors that are currently overriden
+   *  @return whether a matching override entry for aHostNameWithPort 
+   *          and aFingerprint is currently on file
+   */
+  boolean getValidityOverride(in ACString aHostName, 
+                              in int32_t aPort,
+                              out ACString aHashAlg,
+                              out ACString aFingerprint,
+                              out uint32_t aOverrideBits,
+                              out boolean aIsTemporary);
+
+  /**
+   *  Remove a override for the given hostname:port.
+   *
+   *  @param aHostName The host (punycode) whose entry should be cleared.
+   *  @param aPort The port whose entry should be cleared.
+   *               If it is -1, then it is internaly treated as 443.
+   *               If it is 0 and aHostName is "all:temporary-certificates",
+   *               then all temporary certificates should be cleared.
+   */
+  void clearValidityOverride(in ACString aHostName,
+                             in int32_t aPort);
+
+  /**
+   *  Obtain the full list of hostname:port for which overrides are known.
+   *
+   *  @param aCount The number of host:port entries returned
+   *  @param aHostsWithPortsArray The array of host:port entries returned
+   */
+  void getAllOverrideHostsWithPorts(out uint32_t aCount, 
+                                    [array, size_is(aCount)] out wstring aHostsWithPortsArray);
+
+  /**
+   *  Is the given cert used in rules?
+   *
+   *  @param aCert The cert we're looking for
+   *  @return how many override entries are currently on file
+   *          for the given certificate
+   */
+  uint32_t isCertUsedForOverrides(in nsIX509Cert aCert,
+                                  in boolean aCheckTemporaries,
+                                  in boolean aCheckPermanents);
+};