DXR is a code search and navigation tool aimed at making sense of large projects. It supports full-text and regex searches as well as structural queries.

Mercurial (571235778945)

VCS Links

Line Code
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171
/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "nsISupports.idl"
#include "nsIVariant.idl"

%{C++
#define NS_CERTSTORAGE_CONTRACTID "@mozilla.org/security/certstorage;1"
%}

/**
 * Callback type used to notify callers that an operation performed by
 * nsICertStorage has completed. Indicates the result of the requested
 * operation, as well as any data returned by the operation.
 */
[scriptable, function, uuid(3f8fe26a-a436-4ad4-9c1c-a53c60973c31)]
interface nsICertStorageCallback : nsISupports {
  [must_use]
  void done(in nsresult rv, in nsIVariant result);
};

/**
 * A base interface for representing the revocation state of a certificate.
 * Implementing this interface by itself is insufficient; your type must
 * implement an inheriting interface that specifies the certificate by issuer
 * and serial number or by subject and public key hash.
 * Set state to nsICertStorage.STATE_UNSET to mark the certificate as not revoked.
 * Set state to nsICertStorage.STATE_ENFORCE to mark the certificate as revoked.
 */
[scriptable, uuid(96db6fd7-6b64-4a5a-955d-310bd9ca4234)]
interface nsIRevocationState : nsISupports {
  readonly attribute short state;
};

/**
 * An interface representing the revocation state of a certificate by issuer
 * and serial number. Both issuer name and serial number are base64-encoded.
 */
[scriptable, uuid(23ce3546-f1b9-46f6-8de3-77704da5702f)]
interface nsIIssuerAndSerialRevocationState : nsIRevocationState {
    readonly attribute ACString issuer;
    readonly attribute ACString serial;
};

/**
 * An interface representing the revocation state of a certificate by subject
 * and pub key hash (the hash algorithm should be SHA-256). Both subject name
 * and public key hash are base64-encoded.
 */
[scriptable, uuid(e78b51b4-6fa4-41e2-92ce-e9404f541e96)]
interface nsISubjectAndPubKeyRevocationState : nsIRevocationState {
    readonly attribute ACString subject;
    readonly attribute ACString pubKey;
};

/**
 * An interface representing a certificate to add to storage. Consists of the
 * base64-encoded DER bytes of the certificate (cert), the base64-encoded DER
 * bytes of the subject distinguished name of the certificate (subject), and the
 * trust of the certificate (one of the nsICertStorage.TRUST_* constants).
 * (Note that this implementation does not validate that the given subject DN
 * actually matches the subject DN of the certificate, nor that the given cert
 * is a valid DER X.509 certificate.)
 */
[scriptable, uuid(27b66f5e-0faf-403b-95b4-bc11691ac50d)]
interface nsICertInfo : nsISupports {
  readonly attribute ACString cert;
  readonly attribute ACString subject;
  readonly attribute short trust;
};

[scriptable, uuid(327100a7-3401-45ef-b160-bf880f1016fd)]
interface nsICertStorage : nsISupports {
  const octet DATA_TYPE_REVOCATION = 1;
  const octet DATA_TYPE_CERTIFICATE = 2;

  /**
   * Asynchronously check if the backing storage has stored data of the given
   * type in the past. This is useful if the backing storage may have had to
   * have been deleted and recreated (as in bug 1546361 when we discovered that
   * moving from a 32-bit binary to a 64-bit binary caused the DB to become
   * unreadable, thus necessitating its deletion and recreation).
   */
  [must_use]
  void hasPriorData(in octet type, in nsICertStorageCallback callback);

  const short STATE_UNSET = 0;
  const short STATE_ENFORCE = 1;

  /**
   * Asynchronously set the revocation states of a set of certificates.
   * The given callback is called with the result of the operation when it
   * completes.
   * Must only be called from the main thread.
   */
  [must_use]
  void setRevocations(in Array<nsIRevocationState> revocations,
                      in nsICertStorageCallback callback);

  /**
   * Get the revocation state of a certificate. STATE_UNSET indicates the
   * certificate is not revoked. STATE_ENFORCE indicates the certificate is
   * revoked.
   * issuer - issuer name, DER encoded
   * serial - serial number, DER encoded
   * subject - subject name, DER encoded
   * pubkey - public key, DER encoded
   * Must not be called from the main thread. See bug 1541212.
   */
  [must_use]
  short getRevocationState(in Array<octet> issuer,
                           in Array<octet> serial,
                           in Array<octet> subject,
                           in Array<octet> pubkey);

   /**
    * Check that the blocklist data is current. Specifically, that the current
    * time is no more than security.onecrl.maximum_staleness_in_seconds seconds
    * after the last blocklist update (as stored in the
    * services.blocklist.onecrl.checked pref)
    */
  [must_use]
  boolean isBlocklistFresh();

  /**
   * Trust flags to use when adding a adding a certificate.
   * TRUST_INHERIT indicates a certificate inherits trust from another
   * certificate.
   * TRUST_ANCHOR indicates the certificate is a root of trust.
   */
  const short TRUST_INHERIT = 0;
  const short TRUST_ANCHOR = 1;

  /**
   * Asynchronously add a list of certificates to the backing storage.
   * See the documentation for nsICertInfo.
   * The given callback is called with the result of the operation when it
   * completes.
   * Must only be called from the main thread.
   */
  [must_use]
  void addCerts(in Array<nsICertInfo> certs, in nsICertStorageCallback callback);

  /**
   * Asynchronously remove the certificates with the given sha-256 hashes from
   * the backing storage.
   * hashes is an array of base64-encoded bytes of the sha-256 hashes of each
   * certificate's bytes (DER-encoded).
   * The given callback is called with the result of the operation when it
   * completes.
   * Must only be called from the main thread.
   */
  [must_use]
  void removeCertsByHashes(in Array<ACString> hashes,
                           in nsICertStorageCallback callback);

  /**
   * Find all certificates in the backing storage with the given subject
   * distinguished name.
   * subject is the DER-encoded bytes of the subject distinguished name.
   * Returns an array of arrays of bytes, where each inner array corresponds to
   * the DER-encoded bytes of a certificate that has the given subject (although
   * as these certificates were presumably added via addCertBySubject, this
   * aspect is never actually valided by nsICertStorage).
   * Must not be called from the main thread. See bug 1541212.
   */
  [must_use]
  Array<Array<octet> > findCertsBySubject(in Array<octet> subject);
};