diff options
Diffstat (limited to 'security/manager/ssl/nsICertBlocklist.idl')
| -rw-r--r-- | security/manager/ssl/nsICertBlocklist.idl | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/security/manager/ssl/nsICertBlocklist.idl b/security/manager/ssl/nsICertBlocklist.idl new file mode 100644 index 000000000..5cf1c0952 --- /dev/null +++ b/security/manager/ssl/nsICertBlocklist.idl @@ -0,0 +1,61 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIX509Cert; + +%{C++ +#define NS_CERTBLOCKLIST_CONTRACTID "@mozilla.org/security/certblocklist;1" +%} + +/** + * Represents a service to add certificates as explicitly blocked/distrusted. + */ +[scriptable, uuid(e0654480-f433-11e4-b939-0800200c9a66)] +interface nsICertBlocklist : nsISupports { + /** + * Add details of a revoked certificate : + * issuer name (base-64 encoded DER) and serial number (base-64 encoded DER). + */ + void revokeCertByIssuerAndSerial(in string issuer, in string serialNumber); + + /** + * Add details of a revoked certificate : + * subject name (base-64 encoded DER) and hash of public key (base-64 encoded + * sha-256 hash of the public key). + */ + void revokeCertBySubjectAndPubKey(in string subject, in string pubKeyHash); + + /** + * Persist (fresh) blocklist entries to the profile (if a profile directory is + * available). Note: calling this will result in synchronous I/O. + */ + void saveEntries(); + + /** + * Check if a certificate is blocked. + * isser - issuer name, DER encoded + * serial - serial number, DER encoded + * subject - subject name, DER encoded + * pubkey - public key, DER encoded + */ + boolean isCertRevoked([const, array, size_is(issuer_length)] in octet issuer, + in unsigned long issuer_length, + [const, array, size_is(serial_length)] in octet serial, + in unsigned long serial_length, + [const, array, size_is(subject_length)] in octet subject, + in unsigned long subject_length, + [const, array, size_is(pubkey_length)] in octet pubkey, + in unsigned long pubkey_length); + + /** + * Check that the blocklist data is current. Specifically, that the current + * time is no more than security.onecrl.maximum_staleness_in_seconds seconds + * after the last blocklist update (as stored in the + * app.update.lastUpdateTime.blocklist-background-update-timer pref) + */ + boolean isBlocklistFresh(); +}; |