summaryrefslogtreecommitdiffstats
path: root/security/manager/ssl/nsICertOverrideService.idl
diff options
context:
space:
mode:
Diffstat (limited to 'security/manager/ssl/nsICertOverrideService.idl')
-rw-r--r--security/manager/ssl/nsICertOverrideService.idl144
1 files changed, 144 insertions, 0 deletions
diff --git a/security/manager/ssl/nsICertOverrideService.idl b/security/manager/ssl/nsICertOverrideService.idl
new file mode 100644
index 000000000..b220851e2
--- /dev/null
+++ b/security/manager/ssl/nsICertOverrideService.idl
@@ -0,0 +1,144 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+interface nsIArray;
+interface nsIX509Cert;
+
+%{C++
+#define NS_CERTOVERRIDE_CONTRACTID "@mozilla.org/security/certoverride;1"
+%}
+
+/**
+ * This represents the global list of triples
+ * {host:port, cert-fingerprint, allowed-overrides}
+ * that the user wants to accept without further warnings.
+ */
+[scriptable, uuid(be019e47-22fc-4355-9f16-9ab047d6742d)]
+interface nsICertOverrideService : nsISupports {
+
+ /**
+ * Override Untrusted
+ */
+ const short ERROR_UNTRUSTED = 1;
+
+ /**
+ * Override hostname Mismatch
+ */
+ const short ERROR_MISMATCH = 2;
+
+ /**
+ * Override Time error
+ */
+ const short ERROR_TIME = 4;
+
+ /**
+ * The given cert should always be accepted for the given hostname:port,
+ * regardless of errors verifying the cert.
+ * Host:Port is a primary key, only one entry per host:port can exist.
+ * The implementation will store a fingerprint of the cert.
+ * The implementation will decide which fingerprint alg is used.
+ *
+ * Each override is specific to exactly the errors overridden, so
+ * overriding everything won't match certs at the given host:port
+ * which only exhibit some subset of errors.
+ *
+ * @param aHostName The host (punycode) this mapping belongs to
+ * @param aPort The port this mapping belongs to, if it is -1 then it
+ * is internaly treated as 443
+ * @param aCert The cert that should always be accepted
+ * @param aOverrideBits The precise set of errors we want to be overriden
+ */
+ void rememberValidityOverride(in ACString aHostName,
+ in int32_t aPort,
+ in nsIX509Cert aCert,
+ in uint32_t aOverrideBits,
+ in boolean aTemporary);
+
+ /**
+ * Certs with the given fingerprint should always be accepted for the
+ * given hostname:port, regardless of errors verifying the cert.
+ * Host:Port is a primary key, only one entry per host:port can exist.
+ * The fingerprint should be an SHA-256 hash of the certificate.
+ *
+ * @param aHostName The host (punycode) this mapping belongs to
+ * @param aPort The port this mapping belongs to, if it is -1 then it
+ * is internaly treated as 443
+ * @param aCertFingerprint The cert fingerprint that should be accepted, in
+ * the format 'AA:BB:...' (colon-separated upper-case hex bytes).
+ * @param aOverrideBits The errors we want to be overriden
+ */
+ void rememberTemporaryValidityOverrideUsingFingerprint(
+ in ACString aHostName,
+ in int32_t aPort,
+ in ACString aCertFingerprint,
+ in uint32_t aOverrideBits);
+
+ /**
+ * Return whether this host, port, cert triple has a stored override.
+ * If so, the outparams will contain the specific errors that were
+ * overridden, and whether the override is permanent, or only for the current
+ * session.
+ *
+ * @param aHostName The host (punycode) this mapping belongs to
+ * @param aPort The port this mapping belongs to, if it is -1 then it
+ * is internally treated as 443
+ * @param aCert The certificate this mapping belongs to
+ * @param aOverrideBits The errors that are currently overridden
+ * @param aIsTemporary Whether the stored override is session-only,
+ * or permanent
+ * @return Whether an override has been stored for this host+port+cert
+ */
+ boolean hasMatchingOverride(in ACString aHostName,
+ in int32_t aPort,
+ in nsIX509Cert aCert,
+ out uint32_t aOverrideBits,
+ out boolean aIsTemporary);
+
+ /**
+ * Retrieve the stored override for the given hostname:port.
+ *
+ * @param aHostName The host (punycode) whose entry should be tested
+ * @param aPort The port whose entry should be tested, if it is -1 then it
+ * is internaly treated as 443
+ * @param aHashAlg On return value True, the fingerprint hash algorithm
+ * as an OID value in dotted notation.
+ * @param aFingerprint On return value True, the stored fingerprint
+ * @param aOverrideBits The errors that are currently overriden
+ * @return whether a matching override entry for aHostNameWithPort
+ * and aFingerprint is currently on file
+ */
+ boolean getValidityOverride(in ACString aHostName,
+ in int32_t aPort,
+ out ACString aHashAlg,
+ out ACString aFingerprint,
+ out uint32_t aOverrideBits,
+ out boolean aIsTemporary);
+
+ /**
+ * Remove a override for the given hostname:port.
+ *
+ * @param aHostName The host (punycode) whose entry should be cleared.
+ * @param aPort The port whose entry should be cleared.
+ * If it is -1, then it is internaly treated as 443.
+ * If it is 0 and aHostName is "all:temporary-certificates",
+ * then all temporary certificates should be cleared.
+ */
+ void clearValidityOverride(in ACString aHostName,
+ in int32_t aPort);
+
+ /**
+ * Is the given cert used in rules?
+ *
+ * @param aCert The cert we're looking for
+ * @return how many override entries are currently on file
+ * for the given certificate
+ */
+ uint32_t isCertUsedForOverrides(in nsIX509Cert aCert,
+ in boolean aCheckTemporaries,
+ in boolean aCheckPermanents);
+};