Name Description Size
addons-public-intermediate.crt 1847
addons-public.crt 1641
addons-stage-intermediate.crt 1798
addons-stage.crt 1608
AppSignatureVerification.cpp out 48524
AppTrustDomain.cpp additionalNameConstraints 11237
AppTrustDomain.h out 3961
builtins
cert_storage
CertStorageMemoryReporting.cpp 756
ClientAuthDialogService.sys.mjs 3085
CommonSocketControl.cpp 16155
CommonSocketControl.h 6853
components.conf 6198
content-signature-local.crt 558
content-signature-prod.crt 1641
content-signature-stage.crt 1608
ContentSignatureVerifier.cpp out 16119
ContentSignatureVerifier.h 1115
crashtests
CredentialManagerSecret.cpp out 3597
CredentialManagerSecret.h out 910
crypto_hash
CryptoTask.cpp 1246
CryptoTask.h Frequently we need to run a task on a background thread without blocking the main thread, and then call a callback on the main thread with the result. This class provides the framework for that. Subclasses must: (1) Override CalculateResult for the off-the-main-thread computation. (2) Override CallCallback() for the on-the-main-thread call of the callback. 1481
data_storage
DataStorageManager.cpp 2550
DataStorageManager.h 842
DER.sys.mjs Class representing a decoded BIT STRING. 10228
EnterpriseRoots.cpp 21456
EnterpriseRoots.h 1265
gen_cert_header.py 1686
ipcclientcerts
IPCClientCertsChild.cpp 551
IPCClientCertsChild.h 876
IPCClientCertsParent.cpp 4963
IPCClientCertsParent.h 1141
KeychainSecret.cpp 7094
KeychainSecret.h out 1271
LibSecret.cpp <private> 10645
LibSecret.h out 859
md4.c "clean room" MD4 implementation (see RFC 1320) 4769
md4.h md4sum - computes the MD4 sum over the input buffer per RFC 1320 @param input buffer containing input data @param inputLen length of input buffer (number of bytes) @param result 16-byte buffer that will contain the MD4 sum upon return NOTE: MD4 is superceded by MD5. do not use MD4 unless required by the protocol you are implementing (e.g., NTLM requires MD4). NOTE: this interface is designed for relatively small buffers. A streaming interface would make more sense if that were a requirement. Currently, this is good enough for the applications we care about. 1099
metrics.yaml 5414
moz.build 7361
nsCertOverrideService.cpp out 21958
nsCertOverrideService.h 67ba681d-5485-4fff-952c-2ee337ffdcd6 4914
nsCertTree.cpp heading for thread 23763
nsCertTree.h Disable the "base class XXX should be explicitly initialized in the copy constructor" warning. 3879
nsClientAuthRemember.cpp out 13123
nsClientAuthRemember.h 2685
nsICertificateDialogs.idl Functions that implement user interface dialogs to manage certificates. 2414
nsICertOverrideService.idl The hostname of the server the override is used for. 5659
nsICertStorage.idl Callback type used to notify callers that an operation performed by nsICertStorage has completed. Indicates the result of the requested operation, as well as any data returned by the operation. 11271
nsICertTree.idl 903
nsIClientAuthDialogService.idl Provides UI when a server requests a TLS client authentication certificate. 1628
nsIClientAuthRememberService.idl 2070
nsIContentSignatureVerifier.idl An interface for verifying content-signatures, inspired by https://tools.ietf.org/html/draft-thomson-http-content-signature-00 described here https://github.com/franziskuskiefer/content-signature/tree/pki 2301
nsICryptoHash.idl nsICryptoHash This interface provides crytographic hashing algorithms. 3966
nsIDataStorage.idl nsIDataStorage is a threadsafe, generic, narrow string-based hash map that persists data on disk and additionally handles private (temporary) data. The file format is portable across architectures. If used in a context where there is no profile directory, data will not be persisted. Its lifecycle is as follows: - Use nsIDataStorageManager to obtain the nsIDataStorage of a particular purpose. Its backing file will be read on a background thread. - Should the profile directory not be available, (e.g. in xpcshell), nsIDataStorage will not read any persistent data. - When data in the nsIDataStorage changes, those changes will be written to the backing file on a background thread. If the program crashes or is closed unexpectedly before the write completes, the changes may be lost. If the changes were an update to previously stored data, the original data may be lost as well. A checksum associated with each entry helps identify incompletely written entries. - nsIDataStorage does not support transactions. Each entry is independent of the others. - When an nsIDataStorage instance observes the topic "profile-before-change" in anticipation of shutdown, no more changes will be written to the backing file. To ensure no data is lost, users of nsIDataStorage should not attempt to change any data after this point. If "profile-before-change" is not observed, this happens upon observing "xpcom-shutdown-threads". - To prevent unbounded memory and disk use, the number of entries in each table is limited to 2048. Evictions are handled in by a modified LRU scheme (see implementation comments). - Note that instances of nsIDataStorage have long lifetimes because they are strong observers of events and won't go away until the observer service does. For each key/value: - The key must have a length no more than 256. - The value have a length no more than 1024 (24 for the site security service state). The length limits are to prevent unbounded disk and memory usage, and nsIDataStorage will throw/return an error if given keys or values of excess length. Take care when storing data containing bytes that may be 0. When read from disk, all trailing 0 bytes from keys and values are stripped. 5450
nsINSSComponent.idl When we log out of a PKCS#11 token, any TLS connections that may have involved a client certificate stored on that token must be closed. Since we don't have a fine-grained way to do this, we basically cancel everything. More speficially, this clears all temporary certificate exception overrides and any remembered client authentication certificate decisions, and then cancels all network connections (strictly speaking, this last part is overzealous - we only need to cancel all https connections (see bug 1446645)). 4314
nsINSSErrorsService.idl @param aNSPRCode An error code obtained using PR_GetError() @return True if it is error code defined by the NSS library 3011
nsINSSVersion.idl Minimal required versions as used at build time 1153
nsIOSKeyStore.idl This interface provides encryption and decryption operations for data at rest. The key used to encrypt and decrypt the data is stored in the OS key store. NB: To first authenticate the user to the system, use nsIOSReauthenticator. Usage: // obtain the singleton OSKeyStore instance const oskeystore = Cc["@mozilla.org/security/oskeystore;1"].getService(Ci.nsIOSKeyStore); const PASSWORD_LABEL = "mylabel1"; // Check if there's a secret for your label already. if (!await oskeystore.asyncSecretAvailable(PASSWORD_LABEL)) { // Fail or generate a new secret for your label. // If you want to generate a new secret, do. // Hold onto `recoveryPhrase` to present to the user. let recoveryPhrase = await oskeystore.asyncGenerateSecret(PASSWORD_LABEL); } // Assuming there's a secret with your label. Encrypt/Decrypt as follows. let encryptedPasswordBytes = await oskeystore.asyncEncryptBytes(PASSWORD_LABEL, passwordBytes); let newPasswordBytes = await oskeystore.asyncDecryptBytes(PASSWORD_LABEL, encryptedPasswordBytes); // Delete the secret from the key store. await oskeystore.asyncDeleteSecret(PASSWORD_LABEL); // Recover a secret from a recovery code. await oskeystore.asyncRecoverSecret(PASSWORD_LABEL, recoveryPhrase); 4288
nsIOSReauthenticator.idl This interface provides an abstract way to request that the user reauthenticate themselves to the operating system. It may be useful in conjunction with nsIOSKeyStore, whereby consumers of these APIs may consider some secrets too sensitive to access without first reauthenticating the user. Usage: // obtain the singleton nsIOSReauthenticator instance const reauthenticator = Cc["@mozilla.org/security/osreauthenticator;1"] .getService(Ci.nsIOSReauthenticator); if (await reauthenticator.asyncReauthenticate()) { // do something only authenticated users are allowed to do... } else { // show a "sorry, this isn't allowed" error } 1958
nsIPK11Token.idl The name of the token 2135
nsIPK11TokenDB.idl The PK11 Token Database provides access to the PK11 modules that are installed, and the tokens that are available. Interfaces: nsIPK11TokenDB Threading: ?? 755
nsIPKCS11Module.idl 628
nsIPKCS11ModuleDB.idl 1038
nsIPKCS11Slot.idl Manufacturer ID of the slot. 1553
nsIPublicKeyPinningService.idl Returns true if the host of the given URI has pinning information, and false otherwise. 635
nsISecretDecoderRing.idl Encrypt to Base64 output. Note that the input must basically be a byte array (i.e. the code points must be within the range [0, 255]). Hence, using this method directly to encrypt passwords (or any text, really) won't work as expected. Instead, use something like nsIScriptableUnicodeConverter to first convert the desired password or text to UTF-8, then encrypt that. Remember to convert back when calling decryptString(). @param text The text to encrypt. @return The encrypted text, encoded as Base64. 2709
nsISecurityUITelemetry.idl Addon installation warnings 1280
nsISiteSecurityService.idl Parses a given HTTP header and records the results internally. Currently one header type is supported: HSTS (aka STS). The format of the HSTS header is defined by the HSTS specification: https://tools.ietf.org/html/rfc6797 and allows a host to specify that future HTTP requests should be upgraded to HTTPS. The caller is responsible for first determining that the header was delivered via a trustworthy connection (namely, https with no errors). @param aSourceURI the URI of the resource with the HTTP header. @param aHeader the HTTP response header specifying security data. @param aOriginAttributes the origin attributes that isolate this origin, (note that this implementation does not isolate by userContextId because of the risk of man-in- the-middle attacks before trust-on-second-use happens). If mPrivateBrowsingId > 0, information gathered from this header will not be saved persistently. @param aMaxAge the parsed max-age directive of the header. @param aIncludeSubdomains the parsed includeSubdomains directive. @param aFailureResult a more specific failure result if NS_ERROR_FAILURE was returned. @return NS_OK if it succeeds NS_ERROR_FAILURE if it can't be parsed NS_SUCCESS_LOSS_OF_INSIGNIFICANT_DATA if there are unrecognized tokens in the header. 6770
nsITLSSocketControl.idl Calls StartTLS on the socket thread, and resolves with the nsresult return value of that call. 6916
nsITokenPasswordDialogs.idl This is the interface for setting and changing password on a PKCS11 token. 902
nsITransportSecurityInfo.idl The following parameters are only valid after the TLS handshake has completed. Check securityState first. 4346
nsIX509Cert.idl forward declaration 5052
nsIX509CertDB.idl Callback type for use with asyncVerifyCertAtTime. If aPRErrorCode is PRErrorCodeSuccess (i.e. 0), aVerifiedChain represents the verified certificate chain determined by asyncVerifyCertAtTime. aHasEVPolicy represents whether or not the end-entity certificate verified as EV. If aPRErrorCode is non-zero, it represents the error encountered during verification. aVerifiedChain is null in that case and aHasEVPolicy has no meaning. 14094
nsIX509CertValidity.idl Information on the validity period of a X.509 certificate. 728
nsNSSCallbacks.cpp out 38813
nsNSSCallbacks.h out 1518
nsNSSCertHelper.cpp out 3100
nsNSSCertHelper.h out 1065
nsNSSCertificate.cpp 20204
nsNSSCertificate.h 660a3226-915c-4ffb-bb20-8985a632df05 1696
nsNSSCertificateDB.cpp out 43735
nsNSSCertificateDB.h fb0bbc5c-452e-4783-b32c-80124693d871 2600
nsNSSCertTrust.cpp 4352
nsNSSCertTrust.h Class for maintaining trust flags for an NSS certificate. 1608
nsNSSComponent.cpp 91500
nsNSSComponent.h out 5505
nsNSSHelper.h 1050
nsNSSIOLayer.cpp out 63196
nsNSSIOLayer.h in/out 4911
nsNSSModule.cpp 3800
nsNSSModule.h 586
nsNSSVersion.cpp 1729
nsNSSVersion.h 842
nsNTLMAuthModule.cpp We don't actually send a LM response, but we still have to send something in this spot 32232
nsNTLMAuthModule.h 750
nsPK11TokenDB.cpp out 8695
nsPK11TokenDB.h out 1870
nsPKCS11Slot.cpp out 8060
nsPKCS11Slot.h out 1507
nsPKCS12Blob.cpp 12872
nsPKCS12Blob.h 1769
nsRandomGenerator.cpp 1205
nsRandomGenerator.h 899
nsSecureBrowserUI.cpp 5772
nsSecureBrowserUI.h 1497
nsSecurityHeaderParser.cpp 5625
nsSecurityHeaderParser.h 2842
NSSErrorsService.cpp Please ensure the NSS error codes are mapped into the positive range 0x1000 to 0xf000 Search for NS_ERROR_MODULE_SECURITY to ensure there are no conflicts. The current code also assumes that NSS library error codes are negative. 6625
NSSErrorsService.h 1623
nsSiteSecurityService.cpp out 35133
nsSiteSecurityService.h SecurityPropertyState: A utility enum for representing the different states a security property can be in. SecurityPropertySet and SecurityPropertyUnset correspond to indicating a site has or does not have the security property in question, respectively. SecurityPropertyKnockout indicates a value on a preloaded list is being overridden, and the associated site does not have the security property in question. 5995
NSSKeyStore.cpp Implementing OSKeyStore when there is no platform specific one. This key store instead puts the keys into the NSS DB. 4982
NSSKeyStore.h out 1241
nsSSLSocketProvider.cpp 1940
nsSSLSocketProvider.h 217d014a-1dd2-11b2-999c-b0c4df79b324 977
NSSSocketControl.cpp 25107
NSSSocketControl.h 12761
nsSTSPreloadList.inc / /* This is an automatically generated file. If you're not 2911806
nsTLSSocketProvider.cpp 1962
nsTLSSocketProvider.h b9507aec-1dd1-11b2-8cd5-c48ee0c50307 934
nsVerificationJob.h 1084
osclientcerts
OSKeyStore.cpp out 20017
OSKeyStore.h out 3804
OSReauthenticator.cpp 20003
OSReauthenticator.h out 1194
OSReauthenticatorDarwin.mm out 2820
PIPCClientCerts.ipdl 1065
PKCS11ModuleDB.cpp lock down the list for reading 5977
PKCS11ModuleDB.h 952
PSelectTLSClientAuthCert.ipdl 656
PSMIPCTypes.ipdlh 1286
PSMRunnable.cpp 979
PSMRunnable.h 1413
PublicKeyPinningService.cpp Computes in the location specified by base64Out the SHA256 digest of the DER Encoded subject Public Key Info for the given cert 13451
PublicKeyPinningService.h Sets chainHasValidPins to true if the given (host, certList) passes pinning checks, or to false otherwise. If the host is pinned, returns true via chainHasValidPins if one of the keys in the given certificate chain matches the pin set specified by the hostname. The certList's head is the EE cert and the tail is the trust anchor. Note: if an alt name is a wildcard, it won't necessarily find a pinset that would otherwise be valid for it 1809
PublicSSL.h 636
PVerifySSLServerCert.ipdl 1049
RemoteSecuritySettings.sys.mjs Helper function that returns a promise that will resolve with whether or not the nsICertStorage implementation has prior data of the given type. @param {Integer} dataType a Ci.nsICertStorage.DATA_TYPE_* constant indicating the type of data @returns {Promise} a promise that will resolve with true if the data type is present 22640
RootCertificateTelemetryUtils.cpp 5270
RootCertificateTelemetryUtils.h 1396
RootHashes.inc / /* This is an automatically generated file. If you're not 74902
rsclientcerts
ScopedNSSTypes.h out 15994
SecretDecoderRing.cpp out 10762
SecretDecoderRing.h out 1157
SelectTLSClientAuthCertChild.h 1611
SelectTLSClientAuthCertParent.h 2283
SharedCertVerifier.h 1316
SharedSSLState.cpp static 5529
SharedSSLState.h 2129
SSLServerCertVerification.cpp 46820
SSLServerCertVerification.h 6536
StaticHPKPins.errors 2701
StaticHPKPins.h / /* This is an automatically generated file. If you're not 43149
tests
TLSClientAuthCertSelection.cpp 42424
TLSClientAuthCertSelection.h 4540
TransportSecurityInfo.cpp 35081
TransportSecurityInfo.h 4541
VerifySSLServerCertChild.cpp 5466
VerifySSLServerCertChild.h 2208
VerifySSLServerCertParent.cpp 6506
VerifySSLServerCertParent.h 2356
X509.sys.mjs Helper function to read a NULL tag from the given DER. @param {DER} der a DER object to read a NULL from @returns {null} an object representing an ASN.1 NULL 18327
X509CertValidity.cpp 2807
X509CertValidity.h 816