summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/nsICertBlocklist.idl
diff options
context:
space:
mode:
Diffstat (limited to 'security/manager/ssl/nsICertBlocklist.idl')
-rw-r--r--security/manager/ssl/nsICertBlocklist.idl61
1 files changed, 61 insertions, 0 deletions
diff --git a/security/manager/ssl/nsICertBlocklist.idl b/security/manager/ssl/nsICertBlocklist.idl
new file mode 100644
index 000000000..5cf1c0952
--- /dev/null
+++ b/security/manager/ssl/nsICertBlocklist.idl
@@ -0,0 +1,61 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIX509Cert;
+
+%{C++
+#define NS_CERTBLOCKLIST_CONTRACTID "@mozilla.org/security/certblocklist;1"
+%}
+
+/**
+ * Represents a service to add certificates as explicitly blocked/distrusted.
+ */
+[scriptable, uuid(e0654480-f433-11e4-b939-0800200c9a66)]
+interface nsICertBlocklist : nsISupports {
+ /**
+ * Add details of a revoked certificate :
+ * issuer name (base-64 encoded DER) and serial number (base-64 encoded DER).
+ */
+ void revokeCertByIssuerAndSerial(in string issuer, in string serialNumber);
+
+ /**
+ * Add details of a revoked certificate :
+ * subject name (base-64 encoded DER) and hash of public key (base-64 encoded
+ * sha-256 hash of the public key).
+ */
+ void revokeCertBySubjectAndPubKey(in string subject, in string pubKeyHash);
+
+ /**
+ * Persist (fresh) blocklist entries to the profile (if a profile directory is
+ * available). Note: calling this will result in synchronous I/O.
+ */
+ void saveEntries();
+
+ /**
+ * Check if a certificate is blocked.
+ * isser - issuer name, DER encoded
+ * serial - serial number, DER encoded
+ * subject - subject name, DER encoded
+ * pubkey - public key, DER encoded
+ */
+ boolean isCertRevoked([const, array, size_is(issuer_length)] in octet issuer,
+ in unsigned long issuer_length,
+ [const, array, size_is(serial_length)] in octet serial,
+ in unsigned long serial_length,
+ [const, array, size_is(subject_length)] in octet subject,
+ in unsigned long subject_length,
+ [const, array, size_is(pubkey_length)] in octet pubkey,
+ in unsigned long pubkey_length);
+
+ /**
+ * Check that the blocklist data is current. Specifically, that the current
+ * time is no more than security.onecrl.maximum_staleness_in_seconds seconds
+ * after the last blocklist update (as stored in the
+ * app.update.lastUpdateTime.blocklist-background-update-timer pref)
+ */
+ boolean isBlocklistFresh();
+};