DXR is a code search and navigation tool aimed at making sense of large projects. It supports full-text and regex searches as well as structural queries.

Mercurial (409f3966645a)

VCS Links

Line Code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "nsISupports.idl"

interface nsIArray;
interface nsIX509Cert;

%{C++
#define NS_CERTOVERRIDE_CONTRACTID "@mozilla.org/security/certoverride;1"
%}

/**
 * This represents the global list of triples
 *   {host:port, cert-fingerprint, allowed-overrides}
 * that the user wants to accept without further warnings.
 */
[scriptable, uuid(be019e47-22fc-4355-9f16-9ab047d6742d)]
interface nsICertOverrideService : nsISupports {

  /**
   *  Override Untrusted
   */
  const short ERROR_UNTRUSTED = 1;

  /**
   *  Override hostname Mismatch
   */
  const short ERROR_MISMATCH = 2;

  /**
   *  Override Time error
   */
  const short ERROR_TIME = 4;

  /**
   *  The given cert should always be accepted for the given hostname:port,
   *  regardless of errors verifying the cert.
   *  Host:Port is a primary key, only one entry per host:port can exist.
   *  The implementation will store a fingerprint of the cert.
   *  The implementation will decide which fingerprint alg is used.
   *
   *  Each override is specific to exactly the errors overridden, so
   *  overriding everything won't match certs at the given host:port
   *  which only exhibit some subset of errors.
   *
   *  @param aHostName The host (punycode) this mapping belongs to
   *  @param aPort The port this mapping belongs to, if it is -1 then it
   *          is internaly treated as 443
   *  @param aCert The cert that should always be accepted
   *  @param aOverrideBits The precise set of errors we want to be overriden
   */
  [must_use]
  void rememberValidityOverride(in ACString aHostName,
                                in int32_t aPort,
                                in nsIX509Cert aCert,
                                in uint32_t aOverrideBits,
                                in boolean aTemporary);

  /**
   *  Certs with the given fingerprint should always be accepted for the
   *  given hostname:port, regardless of errors verifying the cert.
   *  Host:Port is a primary key, only one entry per host:port can exist.
   *  The fingerprint should be an SHA-256 hash of the certificate.
   *
   *  @param aHostName The host (punycode) this mapping belongs to
   *  @param aPort The port this mapping belongs to, if it is -1 then it
   *          is internaly treated as 443
   *  @param aCertFingerprint The cert fingerprint that should be accepted, in
   *          the format 'AA:BB:...' (colon-separated upper-case hex bytes).
   *  @param aOverrideBits The errors we want to be overriden
   */
  [must_use]
  void rememberTemporaryValidityOverrideUsingFingerprint(
      in ACString aHostName,
      in int32_t aPort,
      in ACString aCertFingerprint,
      in uint32_t aOverrideBits);

  /**
   *  Return whether this host, port, cert triple has a stored override.
   *  If so, the outparams will contain the specific errors that were
   *  overridden, and whether the override is permanent, or only for the current
   *  session.
   *
   *  @param aHostName The host (punycode) this mapping belongs to
   *  @param aPort The port this mapping belongs to, if it is -1 then it
   *         is internally treated as 443
   *  @param aCert The certificate this mapping belongs to
   *  @param aOverrideBits The errors that are currently overridden
   *  @param aIsTemporary Whether the stored override is session-only,
   *         or permanent
   *  @return Whether an override has been stored for this host+port+cert
   */
  [must_use]
  boolean hasMatchingOverride(in ACString aHostName,
                              in int32_t aPort,
                              in nsIX509Cert aCert,
                              out uint32_t aOverrideBits,
                              out boolean aIsTemporary);

  /**
   *  Remove a override for the given hostname:port.
   *
   *  @param aHostName The host (punycode) whose entry should be cleared.
   *  @param aPort The port whose entry should be cleared.
   *               If it is -1, then it is internaly treated as 443.
   *               If it is 0 and aHostName is "all:temporary-certificates",
   *               then all temporary certificates should be cleared.
   */
  void clearValidityOverride(in ACString aHostName,
                             in int32_t aPort);

  /**
   *  Is the given cert used in rules?
   *
   *  @param aCert The cert we're looking for
   *  @return how many override entries are currently on file
   *          for the given certificate
   */
  [must_use]
  uint32_t isCertUsedForOverrides(in nsIX509Cert aCert,
                                  in boolean aCheckTemporaries,
                                  in boolean aCheckPermanents);
};