| abridged_certs |
|
|
| addons-public-2018-intermediate.pem |
|
2598 |
| addons-public-intermediate.pem |
|
2557 |
| addons-public.pem |
|
2277 |
| addons-stage-intermediate.pem |
|
2492 |
| addons-stage.pem |
|
2232 |
| AppSignatureVerification.cpp |
out |
48590 |
| AppTrustDomain.cpp |
|
12167 |
| AppTrustDomain.h |
out |
3983 |
| cert_storage |
|
|
| CertStorageMemoryReporting.cpp |
|
756 |
| ClientAuthDialogService.sys.mjs |
|
4874 |
| CommonSocketControl.cpp |
|
16045 |
| CommonSocketControl.h |
|
6792 |
| components.conf |
|
6362 |
| content-signature-local.pem |
|
810 |
| content-signature-prod.pem |
|
2277 |
| content-signature-stage.pem |
|
2232 |
| ContentSignatureVerifier.cpp |
out |
16399 |
| ContentSignatureVerifier.h |
|
959 |
| crashtests |
|
|
| CredentialManagerSecret.cpp |
out |
3597 |
| CredentialManagerSecret.h |
out |
910 |
| crypto_hash |
|
|
| CryptoTask.cpp |
|
1246 |
| CryptoTask.h |
Frequently we need to run a task on a background thread without blocking
the main thread, and then call a callback on the main thread with the
result. This class provides the framework for that. Subclasses must:
(1) Override CalculateResult for the off-the-main-thread computation.
(2) Override CallCallback() for the on-the-main-thread call of the
callback.
|
1481 |
| data_storage |
|
|
| DataStorageManager.cpp |
|
2550 |
| DataStorageManager.h |
|
842 |
| DER.sys.mjs |
Class representing a decoded BIT STRING. |
10228 |
| EnterpriseRoots.cpp |
|
21717 |
| EnterpriseRoots.h |
|
1265 |
| gen_cert_header.py |
|
1480 |
| ipcclientcerts |
|
|
| IPCClientCertsChild.cpp |
|
551 |
| IPCClientCertsChild.h |
|
876 |
| IPCClientCertsParent.cpp |
|
5155 |
| IPCClientCertsParent.h |
|
1141 |
| KeychainSecret.cpp |
out |
7076 |
| KeychainSecret.h |
out |
1271 |
| LibSecret.cpp |
<private> |
8051 |
| LibSecret.h |
out |
859 |
| md4.c |
"clean room" MD4 implementation (see RFC 1320)
|
4769 |
| md4.h |
md4sum - computes the MD4 sum over the input buffer per RFC 1320
@param input
buffer containing input data
@param inputLen
length of input buffer (number of bytes)
@param result
16-byte buffer that will contain the MD4 sum upon return
NOTE: MD4 is superceded by MD5. do not use MD4 unless required by the
protocol you are implementing (e.g., NTLM requires MD4).
NOTE: this interface is designed for relatively small buffers. A streaming
interface would make more sense if that were a requirement. Currently, this
is good enough for the applications we care about.
|
1099 |
| metrics.yaml |
|
52114 |
| moz.build |
|
8047 |
| nsCertOverrideService.cpp |
out |
23096 |
| nsCertOverrideService.h |
67ba681d-5485-4fff-952c-2ee337ffdcd6 |
5035 |
| nsCertTree.cpp |
heading for thread |
23763 |
| nsCertTree.h |
Disable the "base class XXX should be explicitly initialized
in the copy constructor" warning. |
3879 |
| nsClientAuthRemember.cpp |
out |
14008 |
| nsClientAuthRemember.h |
|
2640 |
| nsICertificateDialogs.idl |
Functions that implement user interface dialogs to manage certificates.
|
2414 |
| nsICertOverrideService.idl |
The hostname of the server the override is used for.
|
7177 |
| nsICertStorage.idl |
Callback type used to notify callers that an operation performed by
nsICertStorage has completed. Indicates the result of the requested
operation, as well as any data returned by the operation.
|
10266 |
| nsICertTree.idl |
|
903 |
| nsIClientAuthDialogService.idl |
Provides UI when a server requests a TLS client authentication certificate.
|
2160 |
| nsIClientAuthRememberService.idl |
Remember the use of a particular client certificate for a particular
hostname in the context of a given OriginAttributes for the given
duration. The certificate may be null, indicating that no certificate was
used.
|
2557 |
| nsIContentSignatureVerifier.idl |
An interface for verifying content-signatures, inspired by
https://tools.ietf.org/html/draft-thomson-http-content-signature-00
described here https://github.com/franziskuskiefer/content-signature/tree/pki
|
2301 |
| nsICryptoHash.idl |
nsICryptoHash
This interface provides crytographic hashing algorithms.
|
3966 |
| nsIDataStorage.idl |
nsIDataStorage is a threadsafe, generic, narrow string-based hash map that
persists data on disk and additionally handles private (temporary) data.
The file format is portable across architectures. If used in a context where
there is no profile directory, data will not be persisted.
Its lifecycle is as follows:
- Use nsIDataStorageManager to obtain the nsIDataStorage of a particular
purpose. Its backing file will be read on a background thread.
- Should the profile directory not be available, (e.g. in xpcshell),
nsIDataStorage will not read any persistent data.
- When data in the nsIDataStorage changes, those changes will be written
to the backing file on a background thread. If the program crashes or is
closed unexpectedly before the write completes, the changes may be lost.
If the changes were an update to previously stored data, the original data
may be lost as well. A checksum associated with each entry helps identify
incompletely written entries.
- nsIDataStorage does not support transactions. Each entry is independent of
the others.
- When an nsIDataStorage instance observes the topic "profile-before-change"
in anticipation of shutdown, no more changes will be written to the
backing file. To ensure no data is lost, users of nsIDataStorage should
not attempt to change any data after this point.
If "profile-before-change" is not observed, this happens upon observing
"xpcom-shutdown-threads".
- To prevent unbounded memory and disk use, the number of entries in each
table is limited to 2048. Evictions are handled in by a modified LRU scheme
(see implementation comments).
- Note that instances of nsIDataStorage have long lifetimes because they are
strong observers of events and won't go away until the observer service
does.
For each key/value:
- The key must have a length no more than 256.
- The value have a length no more than 1024 (24 for the site security
service state).
The length limits are to prevent unbounded disk and memory usage, and
nsIDataStorage will throw/return an error if given keys or values of
excess length.
Take care when storing data containing bytes that may be 0. When read
from disk, all trailing 0 bytes from keys and values are stripped.
|
5603 |
| nsINSSComponent.idl |
When we log out of a PKCS#11 token, any TLS connections that may have
involved a client certificate stored on that token must be closed. Since we
don't have a fine-grained way to do this, we basically cancel everything.
More speficially, this clears all temporary certificate exception overrides
and any remembered client authentication certificate decisions, and then
cancels all network connections (strictly speaking, this last part is
overzealous - we only need to cancel all https connections (see bug
1446645)).
|
4314 |
| nsINSSErrorsService.idl |
@param aNSPRCode An error code obtained using PR_GetError()
@return True if it is error code defined by the NSS library
|
3282 |
| nsINSSVersion.idl |
Minimal required versions as used at build time |
1153 |
| nsIOSKeyStore.idl |
This interface provides encryption and decryption operations for data at
rest. The key used to encrypt and decrypt the data is stored in the OS
key store.
NB: To first authenticate the user to the system, use
nsIOSReauthenticator.
Usage:
// obtain the singleton OSKeyStore instance
const oskeystore = Cc["@mozilla.org/security/oskeystore;1"].getService(Ci.nsIOSKeyStore);
const PASSWORD_LABEL = "mylabel1";
// Check if there's a secret for your label already.
if (!await oskeystore.asyncSecretAvailable(PASSWORD_LABEL)) {
// Fail or generate a new secret for your label.
// If you want to generate a new secret, do.
// Hold onto `recoveryPhrase` to present to the user.
let recoveryPhrase = await oskeystore.asyncGenerateSecret(PASSWORD_LABEL);
}
// Assuming there's a secret with your label. Encrypt/Decrypt as follows.
let encryptedPasswordBytes = await oskeystore.asyncEncryptBytes(PASSWORD_LABEL, passwordBytes);
let newPasswordBytes = await oskeystore.asyncDecryptBytes(PASSWORD_LABEL, encryptedPasswordBytes);
// Delete the secret from the key store.
await oskeystore.asyncDeleteSecret(PASSWORD_LABEL);
// Recover a secret from a recovery code.
await oskeystore.asyncRecoverSecret(PASSWORD_LABEL, recoveryPhrase);
|
4570 |
| nsIOSReauthenticator.idl |
This interface provides an abstract way to request that the user
reauthenticate themselves to the operating system. It may be useful in
conjunction with nsIOSKeyStore, whereby consumers of these APIs may
consider some secrets too sensitive to access without first
reauthenticating the user.
Usage:
// obtain the singleton nsIOSReauthenticator instance
const reauthenticator = Cc["@mozilla.org/security/osreauthenticator;1"]
.getService(Ci.nsIOSReauthenticator);
if (await reauthenticator.asyncReauthenticate()) {
// do something only authenticated users are allowed to do...
} else {
// show a "sorry, this isn't allowed" error
}
|
1958 |
| nsIPK11Token.idl |
The name of the token
|
2135 |
| nsIPK11TokenDB.idl |
The PK11 Token Database provides access to the PK11 modules
that are installed, and the tokens that are available.
Interfaces: nsIPK11TokenDB
Threading: ??
|
755 |
| nsIPKCS11Module.idl |
|
628 |
| nsIPKCS11ModuleDB.idl |
|
1038 |
| nsIPKCS11Slot.idl |
Manufacturer ID of the slot.
|
1553 |
| nsIPublicKeyPinningService.idl |
Returns true if the host of the given URI has pinning information, and
false otherwise.
|
635 |
| nsISecretDecoderRing.idl |
Encrypt to Base64 output.
Note that the input must basically be a byte array (i.e. the code points
must be within the range [0, 255]). Hence, using this method directly to
encrypt passwords (or any text, really) won't work as expected.
Instead, use something like nsIScriptableUnicodeConverter to first convert
the desired password or text to UTF-8, then encrypt that. Remember to
convert back when calling decryptString().
@param text The text to encrypt.
@return The encrypted text, encoded as Base64.
|
2709 |
| nsISecurityUITelemetry.idl |
Addon installation warnings
|
1280 |
| nsISiteSecurityService.idl |
Parses a given HTTP header and records the results internally.
Currently one header type is supported: HSTS (aka STS).
The format of the HSTS header is defined by the HSTS specification:
https://tools.ietf.org/html/rfc6797
and allows a host to specify that future HTTP requests should be
upgraded to HTTPS.
The caller is responsible for first determining that the header was
delivered via a trustworthy connection (namely, https with no errors).
@param aSourceURI the URI of the resource with the HTTP header.
@param aHeader the HTTP response header specifying security data.
@param aOriginAttributes the origin attributes that isolate this origin,
(note that this implementation does not isolate
by userContextId because of the risk of man-in-
the-middle attacks before trust-on-second-use
happens).
If mPrivateBrowsingId > 0, information gathered
from this header will not be saved persistently.
@param aMaxAge the parsed max-age directive of the header.
@param aIncludeSubdomains the parsed includeSubdomains directive.
@param aFailureResult a more specific failure result if NS_ERROR_FAILURE
was returned.
@return NS_OK if it succeeds
NS_ERROR_FAILURE if it can't be parsed
NS_SUCCESS_LOSS_OF_INSIGNIFICANT_DATA
if there are unrecognized tokens in the header.
|
6770 |
| nsITLSSocketControl.idl |
Calls StartTLS on the socket thread, and resolves with the nsresult
return value of that call.
|
6916 |
| nsITokenPasswordDialogs.idl |
This is the interface for setting and changing password
on a PKCS11 token.
|
902 |
| nsITransportSecurityInfo.idl |
The following parameters are only valid after the TLS handshake
has completed. Check securityState first.
|
4346 |
| nsIX509Cert.idl |
forward declaration |
5052 |
| nsIX509CertDB.idl |
Callback type for use with asyncVerifyCertAtTime.
If aPRErrorCode is PRErrorCodeSuccess (i.e. 0), aVerifiedChain represents the
verified certificate chain determined by asyncVerifyCertAtTime. aHasEVPolicy
represents whether or not the end-entity certificate verified as EV.
If aPRErrorCode is non-zero, it represents the error encountered during
verification. aVerifiedChain is null in that case and aHasEVPolicy has no
meaning.
|
14539 |
| nsIX509CertValidity.idl |
Information on the validity period of a X.509 certificate.
|
728 |
| nsNSSCallbacks.cpp |
out |
37862 |
| nsNSSCallbacks.h |
out |
1518 |
| nsNSSCertHelper.cpp |
out |
2748 |
| nsNSSCertHelper.h |
out |
886 |
| nsNSSCertificate.cpp |
|
20204 |
| nsNSSCertificate.h |
660a3226-915c-4ffb-bb20-8985a632df05 |
1702 |
| nsNSSCertificateDB.cpp |
out |
46140 |
| nsNSSCertificateDB.h |
fb0bbc5c-452e-4783-b32c-80124693d871 |
2606 |
| nsNSSCertTrust.cpp |
|
4352 |
| nsNSSCertTrust.h |
Class for maintaining trust flags for an NSS certificate.
|
1608 |
| nsNSSComponent.cpp |
|
80604 |
| nsNSSComponent.h |
out |
6031 |
| nsNSSHelper.h |
|
1050 |
| nsNSSIOLayer.cpp |
out |
72338 |
| nsNSSIOLayer.h |
in/out |
5969 |
| nsNSSModule.cpp |
|
3800 |
| nsNSSModule.h |
|
586 |
| nsNSSVersion.cpp |
|
1729 |
| nsNSSVersion.h |
|
672 |
| nsNTLMAuthModule.cpp |
We don't actually send a LM response, but we still have to send something in
this spot
|
32169 |
| nsNTLMAuthModule.h |
|
750 |
| nsPK11TokenDB.cpp |
out |
8695 |
| nsPK11TokenDB.h |
out |
1701 |
| nsPKCS11Slot.cpp |
out |
8131 |
| nsPKCS11Slot.h |
out |
1507 |
| nsPKCS12Blob.cpp |
|
12929 |
| nsPKCS12Blob.h |
|
1769 |
| nsRandomGenerator.cpp |
|
1205 |
| nsRandomGenerator.h |
|
734 |
| nsSecureBrowserUI.cpp |
|
5830 |
| nsSecureBrowserUI.h |
|
1334 |
| nsSecurityHeaderParser.cpp |
|
5791 |
| nsSecurityHeaderParser.h |
|
3069 |
| NSSErrorsService.cpp |
Please ensure the NSS error codes are mapped into the positive range 0x1000
to 0xf000 Search for NS_ERROR_MODULE_SECURITY to ensure there are no
conflicts. The current code also assumes that NSS library error codes are
negative.
|
8603 |
| NSSErrorsService.h |
|
1459 |
| nsSiteSecurityService.cpp |
out |
33895 |
| nsSiteSecurityService.h |
SecurityPropertyState: A utility enum for representing the different states
a security property can be in.
SecurityPropertySet and SecurityPropertyUnset correspond to indicating
a site has or does not have the security property in question, respectively.
SecurityPropertyKnockout indicates a value on a preloaded list is being
overridden, and the associated site does not have the security property
in question.
|
5681 |
| NSSKeyStore.cpp |
Implementing OSKeyStore when there is no platform specific one.
This key store instead puts the keys into the NSS DB.
|
6957 |
| NSSKeyStore.h |
out |
1241 |
| nsSSLSocketProvider.cpp |
|
1940 |
| nsSSLSocketProvider.h |
217d014a-1dd2-11b2-999c-b0c4df79b324 |
814 |
| NSSSocketControl.cpp |
|
24656 |
| NSSSocketControl.h |
|
13712 |
| nsSTSPreloadList.inc |
/
/* This is an automatically generated file. If you're not |
3095994 |
| nsTLSSocketProvider.cpp |
|
1962 |
| nsTLSSocketProvider.h |
b9507aec-1dd1-11b2-8cd5-c48ee0c50307 |
948 |
| nsVerificationJob.h |
|
1084 |
| osclientcerts |
|
|
| OSKeyStore.cpp |
out |
22972 |
| OSKeyStore.h |
out |
3865 |
| OSReauthenticator.cpp |
|
19777 |
| OSReauthenticator.h |
out |
1031 |
| OSReauthenticatorDarwin.mm |
out |
2820 |
| PIPCClientCerts.ipdl |
|
1065 |
| PKCS11ModuleDB.cpp |
lock down the list for reading |
7229 |
| PKCS11ModuleDB.h |
|
1158 |
| PSelectTLSClientAuthCert.ipdl |
|
656 |
| PSMIPCTypes.ipdlh |
|
1041 |
| PSMRunnable.cpp |
|
979 |
| PSMRunnable.h |
|
1413 |
| PublicKeyPinningService.cpp |
Computes in the location specified by base64Out the SHA256 digest
of the DER Encoded subject Public Key Info for the given cert
|
13070 |
| PublicKeyPinningService.h |
Sets chainHasValidPins to true if the given (host, certList) passes pinning
checks, or to false otherwise. If the host is pinned, returns true via
chainHasValidPins if one of the keys in the given certificate chain matches
the pin set specified by the hostname. The certList's head is the EE cert
and the tail is the trust anchor.
Note: if an alt name is a wildcard, it won't necessarily find a pinset
that would otherwise be valid for it
|
1809 |
| PublicSSL.h |
|
605 |
| PVerifySSLServerCert.ipdl |
|
1709 |
| RemoteSecuritySettings.sys.mjs |
Helper function that returns a promise that will resolve with whether or not
the nsICertStorage implementation has prior data of the given type.
@param {Integer} dataType a Ci.nsICertStorage.DATA_TYPE_* constant
indicating the type of data
@returns {Promise} a promise that will resolve with true if the data type is
present
|
22026 |
| RootCertificateTelemetryUtils.cpp |
|
4878 |
| RootCertificateTelemetryUtils.h |
|
1224 |
| RootHashes.inc |
/
/* This is an automatically generated file. If you're not |
43913 |
| rsclientcerts |
|
|
| ScopedNSSTypes.h |
out |
16232 |
| SecretDecoderRing.cpp |
out |
10762 |
| SecretDecoderRing.h |
out |
994 |
| SelectTLSClientAuthCertChild.h |
|
1611 |
| SelectTLSClientAuthCertParent.h |
|
2283 |
| SharedCertVerifier.h |
|
1436 |
| SSLServerCertVerification.cpp |
|
48399 |
| SSLServerCertVerification.h |
|
6366 |
| StaticHPKPins.errors |
|
2701 |
| StaticHPKPins.h |
/
/* This is an automatically generated file. If you're not |
41998 |
| tests |
|
|
| TLSClientAuthCertSelection.cpp |
|
43355 |
| TLSClientAuthCertSelection.h |
|
4663 |
| TransportSecurityInfo.cpp |
|
34758 |
| TransportSecurityInfo.h |
|
4541 |
| trust_anchors |
|
|
| VerifySSLServerCertChild.cpp |
|
5192 |
| VerifySSLServerCertChild.h |
|
2191 |
| VerifySSLServerCertParent.cpp |
|
5857 |
| VerifySSLServerCertParent.h |
|
2254 |
| X509.sys.mjs |
Helper function to read a NULL tag from the given DER.
@param {DER} der a DER object to read a NULL from
@returns {null} an object representing an ASN.1 NULL
|
18327 |
| X509CertValidity.cpp |
|
2807 |
| X509CertValidity.h |
|
816 |