diff options
Diffstat (limited to 'security/manager/ssl/nsICertOverrideService.idl')
-rw-r--r-- | security/manager/ssl/nsICertOverrideService.idl | 144 |
1 files changed, 144 insertions, 0 deletions
diff --git a/security/manager/ssl/nsICertOverrideService.idl b/security/manager/ssl/nsICertOverrideService.idl new file mode 100644 index 000000000..b220851e2 --- /dev/null +++ b/security/manager/ssl/nsICertOverrideService.idl @@ -0,0 +1,144 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "nsISupports.idl" + +interface nsIArray; +interface nsIX509Cert; + +%{C++ +#define NS_CERTOVERRIDE_CONTRACTID "@mozilla.org/security/certoverride;1" +%} + +/** + * This represents the global list of triples + * {host:port, cert-fingerprint, allowed-overrides} + * that the user wants to accept without further warnings. + */ +[scriptable, uuid(be019e47-22fc-4355-9f16-9ab047d6742d)] +interface nsICertOverrideService : nsISupports { + + /** + * Override Untrusted + */ + const short ERROR_UNTRUSTED = 1; + + /** + * Override hostname Mismatch + */ + const short ERROR_MISMATCH = 2; + + /** + * Override Time error + */ + const short ERROR_TIME = 4; + + /** + * The given cert should always be accepted for the given hostname:port, + * regardless of errors verifying the cert. + * Host:Port is a primary key, only one entry per host:port can exist. + * The implementation will store a fingerprint of the cert. + * The implementation will decide which fingerprint alg is used. + * + * Each override is specific to exactly the errors overridden, so + * overriding everything won't match certs at the given host:port + * which only exhibit some subset of errors. + * + * @param aHostName The host (punycode) this mapping belongs to + * @param aPort The port this mapping belongs to, if it is -1 then it + * is internaly treated as 443 + * @param aCert The cert that should always be accepted + * @param aOverrideBits The precise set of errors we want to be overriden + */ + void rememberValidityOverride(in ACString aHostName, + in int32_t aPort, + in nsIX509Cert aCert, + in uint32_t aOverrideBits, + in boolean aTemporary); + + /** + * Certs with the given fingerprint should always be accepted for the + * given hostname:port, regardless of errors verifying the cert. + * Host:Port is a primary key, only one entry per host:port can exist. + * The fingerprint should be an SHA-256 hash of the certificate. + * + * @param aHostName The host (punycode) this mapping belongs to + * @param aPort The port this mapping belongs to, if it is -1 then it + * is internaly treated as 443 + * @param aCertFingerprint The cert fingerprint that should be accepted, in + * the format 'AA:BB:...' (colon-separated upper-case hex bytes). + * @param aOverrideBits The errors we want to be overriden + */ + void rememberTemporaryValidityOverrideUsingFingerprint( + in ACString aHostName, + in int32_t aPort, + in ACString aCertFingerprint, + in uint32_t aOverrideBits); + + /** + * Return whether this host, port, cert triple has a stored override. + * If so, the outparams will contain the specific errors that were + * overridden, and whether the override is permanent, or only for the current + * session. + * + * @param aHostName The host (punycode) this mapping belongs to + * @param aPort The port this mapping belongs to, if it is -1 then it + * is internally treated as 443 + * @param aCert The certificate this mapping belongs to + * @param aOverrideBits The errors that are currently overridden + * @param aIsTemporary Whether the stored override is session-only, + * or permanent + * @return Whether an override has been stored for this host+port+cert + */ + boolean hasMatchingOverride(in ACString aHostName, + in int32_t aPort, + in nsIX509Cert aCert, + out uint32_t aOverrideBits, + out boolean aIsTemporary); + + /** + * Retrieve the stored override for the given hostname:port. + * + * @param aHostName The host (punycode) whose entry should be tested + * @param aPort The port whose entry should be tested, if it is -1 then it + * is internaly treated as 443 + * @param aHashAlg On return value True, the fingerprint hash algorithm + * as an OID value in dotted notation. + * @param aFingerprint On return value True, the stored fingerprint + * @param aOverrideBits The errors that are currently overriden + * @return whether a matching override entry for aHostNameWithPort + * and aFingerprint is currently on file + */ + boolean getValidityOverride(in ACString aHostName, + in int32_t aPort, + out ACString aHashAlg, + out ACString aFingerprint, + out uint32_t aOverrideBits, + out boolean aIsTemporary); + + /** + * Remove a override for the given hostname:port. + * + * @param aHostName The host (punycode) whose entry should be cleared. + * @param aPort The port whose entry should be cleared. + * If it is -1, then it is internaly treated as 443. + * If it is 0 and aHostName is "all:temporary-certificates", + * then all temporary certificates should be cleared. + */ + void clearValidityOverride(in ACString aHostName, + in int32_t aPort); + + /** + * Is the given cert used in rules? + * + * @param aCert The cert we're looking for + * @return how many override entries are currently on file + * for the given certificate + */ + uint32_t isCertUsedForOverrides(in nsIX509Cert aCert, + in boolean aCheckTemporaries, + in boolean aCheckPermanents); +}; |