DXR is a code search and navigation tool aimed at making sense of large projects. It supports full-text and regex searches as well as structural queries.

Mercurial (d42c22627c8d)

VCS Links

Line Code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "nsISupports.idl"
#include "nsIVariant.idl"

%{C++
#define NS_CERTSTORAGE_CONTRACTID "@mozilla.org/security/certstorage;1"
%}

/**
 * Callback type used to notify callers that an operation performed by
 * nsICertStorage has completed. Indicates the result of the requested
 * operation, as well as any data returned by the operation.
 */
[scriptable, function, uuid(3f8fe26a-a436-4ad4-9c1c-a53c60973c31)]
interface nsICertStorageCallback : nsISupports {
  [must_use]
  void done(in nsresult rv, in nsIVariant result);
};

/**
 * A base interface for representing the revocation state of a certificate.
 * Implementing this interface by itself is insufficient; your type must
 * implement an inheriting interface that specifies the certificate by issuer
 * and serial number or by subject and public key hash.
 * Set state to nsICertStorage.STATE_UNSET to mark the certificate as not revoked.
 * Set state to nsICertStorage.STATE_ENFORCE to mark the certificate as revoked.
 */
[scriptable, uuid(96db6fd7-6b64-4a5a-955d-310bd9ca4234)]
interface nsIRevocationState : nsISupports {
  readonly attribute short state;
};

/**
 * An interface representing the revocation state of a certificate by issuer
 * and serial number. Both issuer name and serial number are base64-encoded.
 */
[scriptable, uuid(23ce3546-f1b9-46f6-8de3-77704da5702f)]
interface nsIIssuerAndSerialRevocationState : nsIRevocationState {
    readonly attribute ACString issuer;
    readonly attribute ACString serial;
};

/**
 * An interface representing the revocation state of a certificate by subject
 * and pub key hash (the hash algorithm should be SHA-256). Both subject name
 * and public key hash are base64-encoded.
 */
[scriptable, uuid(e78b51b4-6fa4-41e2-92ce-e9404f541e96)]
interface nsISubjectAndPubKeyRevocationState : nsIRevocationState {
    readonly attribute ACString subject;
    readonly attribute ACString pubKey;
};

/**
 * An interface representing the CRLite enrollment state of a certificate
 * identified by its subject and subject public key info hash.
 * subject is a base 64-encoded DER subject distinguished name.
 * spkiHash is a base 64-encoded SHA-256 hash of a DER subject public key info.
 * state is nsICertStorage.STATE_ENFORCE or STATE_UNSET, meaning the certificate
 * is or is not enrolled in CRLite, respectively.
 */
[scriptable, uuid(5d0d22be-185f-4cf0-b73b-c5a911273e77)]
interface nsICRLiteState : nsISupports {
    readonly attribute ACString subject;
    readonly attribute ACString spkiHash;
    readonly attribute short state;
};

/**
 * An interface representing a certificate to add to storage. Consists of the
 * base64-encoded DER bytes of the certificate (cert), the base64-encoded DER
 * bytes of the subject distinguished name of the certificate (subject), and the
 * trust of the certificate (one of the nsICertStorage.TRUST_* constants).
 * (Note that this implementation does not validate that the given subject DN
 * actually matches the subject DN of the certificate, nor that the given cert
 * is a valid DER X.509 certificate.)
 */
[scriptable, uuid(27b66f5e-0faf-403b-95b4-bc11691ac50d)]
interface nsICertInfo : nsISupports {
  readonly attribute ACString cert;
  readonly attribute ACString subject;
  readonly attribute short trust;
};

[scriptable, uuid(327100a7-3401-45ef-b160-bf880f1016fd)]
interface nsICertStorage : nsISupports {
  const octet DATA_TYPE_REVOCATION = 1;
  const octet DATA_TYPE_CERTIFICATE = 2;
  const octet DATA_TYPE_CRLITE = 3;

  /**
   * Asynchronously check if the backing storage has stored data of the given
   * type in the past. This is useful if the backing storage may have had to
   * have been deleted and recreated (as in bug 1546361 when we discovered that
   * moving from a 32-bit binary to a 64-bit binary caused the DB to become
   * unreadable, thus necessitating its deletion and recreation).
   */
  [must_use]
  void hasPriorData(in octet type, in nsICertStorageCallback callback);

  const short STATE_UNSET = 0;
  const short STATE_ENFORCE = 1;

  /**
   * Asynchronously set the revocation states of a set of certificates.
   * The given callback is called with the result of the operation when it
   * completes.
   * Must only be called from the main thread.
   */
  [must_use]
  void setRevocations(in Array<nsIRevocationState> revocations,
                      in nsICertStorageCallback callback);

  /**
   * Get the revocation state of a certificate. STATE_UNSET indicates the
   * certificate is not revoked. STATE_ENFORCE indicates the certificate is
   * revoked.
   * issuer - issuer name, DER encoded
   * serial - serial number, DER encoded
   * subject - subject name, DER encoded
   * pubkey - public key, DER encoded
   * Must not be called from the main thread. See bug 1541212.
   */
  [must_use]
  short getRevocationState(in Array<octet> issuer,
                           in Array<octet> serial,
                           in Array<octet> subject,
                           in Array<octet> pubkey);

   /**
    * Check that the blocklist data is current. Specifically, that the current
    * time is no more than security.onecrl.maximum_staleness_in_seconds seconds
    * after the last blocklist update (as stored in the
    * services.blocklist.onecrl.checked pref)
    */
  [must_use]
  boolean isBlocklistFresh();

  /**
   * Asynchronously set a batch of CRLite enrollment state. See the
   * documentation for nsICRLiteState.
   * Must only be called from the main thread.
   */
  [must_use]
  void setCRLiteState(in Array<nsICRLiteState> crliteState,
                      in nsICertStorageCallback callback);

  /**
   * Get the CRLite enrollment state of a certificate identified by the given
   * subject distinguished name and subject public key info (both as DER bytes).
   * STATE_ENFORCE indicates the certificate is enrolled, whereas STATE_UNSET
   * indicates it is not.
   */
  [must_use]
  short getCRLiteState(in Array<octet> subject, in Array<octet> spki);

  /**
   * Trust flags to use when adding a adding a certificate.
   * TRUST_INHERIT indicates a certificate inherits trust from another
   * certificate.
   * TRUST_ANCHOR indicates the certificate is a root of trust.
   */
  const short TRUST_INHERIT = 0;
  const short TRUST_ANCHOR = 1;

  /**
   * Asynchronously add a list of certificates to the backing storage.
   * See the documentation for nsICertInfo.
   * The given callback is called with the result of the operation when it
   * completes.
   * Must only be called from the main thread.
   */
  [must_use]
  void addCerts(in Array<nsICertInfo> certs, in nsICertStorageCallback callback);

  /**
   * Asynchronously remove the certificates with the given sha-256 hashes from
   * the backing storage.
   * hashes is an array of base64-encoded bytes of the sha-256 hashes of each
   * certificate's bytes (DER-encoded).
   * The given callback is called with the result of the operation when it
   * completes.
   * Must only be called from the main thread.
   */
  [must_use]
  void removeCertsByHashes(in Array<ACString> hashes,
                           in nsICertStorageCallback callback);

  /**
   * Find all certificates in the backing storage with the given subject
   * distinguished name.
   * subject is the DER-encoded bytes of the subject distinguished name.
   * Returns an array of arrays of bytes, where each inner array corresponds to
   * the DER-encoded bytes of a certificate that has the given subject (although
   * as these certificates were presumably added via addCertBySubject, this
   * aspect is never actually valided by nsICertStorage).
   * Must not be called from the main thread. See bug 1541212.
   */
  [must_use]
  Array<Array<octet> > findCertsBySubject(in Array<octet> subject);
};