DXR is a code search and navigation tool aimed at making sense of large projects. It supports full-text and regex searches as well as structural queries.

Mercurial (c68fe15a81fc)

VCS Links

Line Code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "nsISupports.idl"

%{C++
%{C++
#include "cert.h"
#include "SharedCertVerifier.h"
#define PSM_COMPONENT_CONTRACTID "@mozilla.org/psm;1"
%}


[ptr] native CERTCertificatePtr(CERTCertificate);
[ptr] native SharedCertVerifierPtr(mozilla::psm::SharedCertVerifier);

[scriptable, uuid(a0a8f52b-ea18-4abc-a3ca-eccf704ffe63)]
interface nsINSSComponent : nsISupports {
interface nsINSSComponent : nsISupports {
  /**
   * When we log out of a PKCS#11 token, any TLS connections that may have
   * involved a client certificate stored on that token must be closed. Since we
   * don't have a fine-grained way to do this, we basically cancel everything.
   * More speficially, this clears all temporary certificate exception overrides
   * More speficially, this clears all temporary certificate exception overrides
   * and any remembered client authentication certificate decisions, and then
   * cancels all network connections (strictly speaking, this last part is
   * overzealous - we only need to cancel all https connections (see bug
   * 1446645)).
   */
   */
  [noscript] void logoutAuthenticatedPK11();

  /**
   * Used to determine if the given CERTCertificate is the certificate we use in
   * tests to simulate a built-in root certificate. Returns false in non-debug
   * tests to simulate a built-in root certificate. Returns false in non-debug
   * builds.
   */
  [noscript] bool isCertTestBuiltInRoot(in CERTCertificatePtr cert);

  /**
  /**
   * Used to determine if the given CERTCertificate is the content signing root
   * certificate.
   */
  [noscript] bool isCertContentSigningRoot(in CERTCertificatePtr cert);


  /**
   * If enabled by the preference "security.enterprise_roots.enabled", returns
   * an array of arrays of bytes representing the imported enterprise root
   * certificates (i.e. root certificates gleaned from the OS certificate
   * store). Returns an empty array otherwise.
   * store). Returns an empty array otherwise.
   * Currently this is only implemented on Windows and MacOS X, so this
   * function returns an empty array on all other platforms.
   */
  Array<Array<octet> > getEnterpriseRoots();


  /**
   * Similarly, but for intermediate certificates.
   */
  Array<Array<octet> > getEnterpriseIntermediates();


  /**
   * Test utility for adding an intermediate certificate to the current set of
   * imported enterprise intermediates, if any. Additions to the set made using
   * this function will be cleared when the value of the preference
   * this function will be cleared when the value of the preference
   * "security.enterprise_roots.enabled" changes.
   */
  void addEnterpriseIntermediate(in Array<octet> intermediateBytes);

  /**
  /**
   * For performance reasons, the builtin roots module is loaded on a background
   * thread. When any code that depends on the builtin roots module runs, it
   * must first wait for the module to be loaded.
   */
  [noscript] void blockUntilLoadableCertsLoaded();
  [noscript] void blockUntilLoadableCertsLoaded();

  /**
   * In theory a token on a PKCS#11 module can be inserted or removed at any
   * time. Operations that may depend on resources on external tokens should
   * call this to ensure they have a recent view of the token.
   * call this to ensure they have a recent view of the token.
   */
  [noscript] void checkForSmartCardChanges();

  /**
   * Used to potentially detect when a user's internet connection is being
   * Used to potentially detect when a user's internet connection is being
   * intercepted. When doing an update ping, if certificate verification fails,
   * we make a note of the issuer distinguished name of that certificate.
   * If a subsequent certificate verification fails, we compare issuer
   * distinguished names. If they match, something may be intercepting the
   * user's traffic (if they don't match, the server is likely misconfigured).
   * user's traffic (if they don't match, the server is likely misconfigured).
   * This function succeeds if the given DN matches the noted DN and fails
   * otherwise (e.g. if the update ping never failed).
   */
  [noscript] void issuerMatchesMitmCanary(in string certIssuer);
  [noscript] void issuerMatchesMitmCanary(in string certIssuer);

  /**
   * Returns true if the user has a PKCS#11 module with removable slots.
   */
   */
  [noscript] bool hasActiveSmartCards();

  /**
   * Returns true if the user has any client authentication certificates.
   */
   */
  [noscript] bool hasUserCertsInstalled();

  /**
   * Returns an already-adrefed handle to the currently configured shared
   * certificate verifier.
   * certificate verifier.
   */
  [noscript] SharedCertVerifierPtr getDefaultCertVerifier();

  /**
   * For clearing both SSL internal and external session cache from JS.
   * For clearing both SSL internal and external session cache from JS.
   */
  void clearSSLExternalAndInternalSessionCache();
};