Name Description Size
CSTrustDomain.cpp out 8226
CSTrustDomain.h out 3589
CertBlocklist.cpp 20117
CertBlocklist.h proofOfLock 2941
CommonSocketControl.cpp 8278
CommonSocketControl.h 1045
ContentSignatureVerifier.cpp out 15430
ContentSignatureVerifier.h 1115
CredentialManagerSecret.cpp out 3861
CredentialManagerSecret.h out 984
CryptoTask.cpp 1246
CryptoTask.h Frequently we need to run a task on a background thread without blocking the main thread, and then call a callback on the main thread with the result. This class provides the framework for that. Subclasses must: (1) Override CalculateResult for the off-the-main-thread computation. (2) Override CallCallback() for the on-the-main-thread call of the callback. 1481
DER.jsm Class representing a decoded BIT STRING. 10004
DataStorage.cpp 40543
DataStorage.h DataStorage is a threadsafe, generic, narrow string-based hash map that persists data on disk and additionally handles temporary and private data. However, if used in a context where there is no profile directory, data will not be persisted. Its lifecycle is as follows: - Allocate with a filename (this is or will eventually be a file in the profile directory, if the profile exists). - Call Init() from the main thread. This spins off an asynchronous read of the backing file. - Eventually observers of the topic "data-storage-ready" will be notified with the backing filename as the data in the notification when this has completed. - Should the profile directory not be available, (e.g. in xpcshell), DataStorage will not initially read any persistent data. The "data-storage-ready" event will still be emitted. This follows semantics similar to the permission manager and allows tests that test unrelated components to proceed without a profile. - When any persistent data changes, a timer is initialized that will eventually asynchronously write all persistent data to the backing file. When this happens, observers will be notified with the topic "data-storage-written" and the backing filename as the data. It is possible to receive a "data-storage-written" event while there exist pending persistent data changes. However, those changes will cause the timer to be reinitialized and another "data-storage-written" event will be sent. - When any DataStorage observes the topic "profile-before-change" in anticipation of shutdown, all persistent data for all DataStorage instances is synchronously written to the appropriate backing file. The worker thread responsible for these writes is then disabled to prevent further writes to that file (the delayed-write timer is cancelled when this happens). Note that the "worker thread" is actually a single thread shared between all DataStorage instances. If "profile-before-change" is not observed, this happens upon observing "xpcom-shutdown-threads". - For testing purposes, the preference "test.datastorage.write_timer_ms" can be set to cause the asynchronous writing of data to happen more quickly. - To prevent unbounded memory and disk use, the number of entries in each table is limited to 1024. Evictions are handled in by a modified LRU scheme (see implementation comments). - NB: Instances of DataStorage have long lifetimes because they are strong observers of events and won't go away until the observer service does. For each key/value: - The key must be a non-empty string containing no instances of '\t' or '\n' (this is a limitation of how the data is stored and will be addressed in the future). - The key must have a length no more than 256. - The value must not contain '\n' and must have a length no more than 1024. (the length limits are to prevent unbounded disk and memory usage) 10469
DataStorageIPCUtils.h 781
DataStorageList.h 935
EnterpriseRoots.cpp 14949
EnterpriseRoots.h 1061
KeychainSecret.cpp 8023
KeychainSecret.h out 1244
LibSecret.cpp <private> 13053
LibSecret.h out 933
LocalCertService.cpp out 14098
LocalCertService.h 580
NSSErrorsService.cpp Please ensure the NSS error codes are mapped into the positive range 0x1000 to 0xf000 Search for NS_ERROR_MODULE_SECURITY to ensure there are no conflicts. The current code also assumes that NSS library error codes are negative. 6625
NSSErrorsService.h 1662
NSSKeyStore.cpp Implementing OSKeyStore when there is no platform specific one. This key store instead puts the keys into the NSS DB. 7174
NSSKeyStore.h out 1315
OSKeyStore.cpp out 22727
OSKeyStore.h out 3985
OSReauthenticator.cpp 19980
OSReauthenticator.h out 1194 out 2720
PKCS11ModuleDB.cpp lock down the list for reading 6006
PKCS11ModuleDB.h 952
PSMIPCCommon.cpp encrypt this private key 5055
PSMIPCCommon.h 1302
PSMIPCTypes.ipdlh 765
PSMRunnable.cpp 979
PSMRunnable.h 1370
PVerifySSLServerCert.ipdl 968
PublicKeyPinningService.cpp Computes in the location specified by base64Out the SHA256 digest of the DER Encoded subject Public Key Info for the given cert 12338
PublicKeyPinningService.h Sets chainHasValidPins to true if the given (host, certList) passes pinning checks, or to false otherwise. If the host is pinned, returns true via chainHasValidPins if one of the keys in the given certificate chain matches the pin set specified by the hostname. The certList's head is the EE cert and the tail is the trust anchor. Note: if an alt name is a wildcard, it won't necessarily find a pinset that would otherwise be valid for it 2217
PublicSSL.h 636
RemoteSecuritySettings.jsm 27249
RootCertificateTelemetryUtils.cpp 5125
RootCertificateTelemetryUtils.h 1396 60630
SSLServerCertVerification.cpp 65352
SSLServerCertVerification.h 6475
ScopedNSSTypes.h A more convenient way of dealing with digests calculated into stack-allocated buffers. NSS must be initialized on the main thread before use, and the caller must ensure NSS isn't shut down, typically by being within the lifetime of XPCOM. Typical usage, for digesting a buffer in memory: nsCOMPtr<nsISupports> nssDummy = do_GetService(";1", &rv); Digest digest; nsresult rv = digest.DigestBuf(SEC_OID_SHA256, mybuffer, myBufferLen); NS_ENSURE_SUCCESS(rv, rv); rv = MapSECStatus(SomeNSSFunction(..., digest.get(), ...)); Less typical usage, for digesting while doing streaming I/O and similar: Digest digest; UniquePK11Context digestContext(PK11_CreateDigestContext(SEC_OID_SHA256)); NS_ENSURE_TRUE(digestContext, NS_ERROR_OUT_OF_MEMORY); rv = MapSECStatus(PK11_DigestBegin(digestContext.get())); NS_ENSURE_SUCCESS(rv, rv); for (...) { rv = MapSECStatus(PK11_DigestOp(digestContext.get(), ...)); NS_ENSURE_SUCCESS(rv, rv); } rv = digest.End(SEC_OID_SHA256, digestContext); NS_ENSURE_SUCCESS(rv, rv) 12207
SecretDecoderRing.cpp out 10628
SecretDecoderRing.h out 1157
SharedCertVerifier.h 1599
SharedSSLState.cpp static 5407
SharedSSLState.h 2547
StaticHPKPins.errors 2701
StaticHPKPins.h / /* This is an automatically generated file. If you're not 59872
TransportSecurityInfo.cpp 37716
TransportSecurityInfo.h mHaveCertErrrorBits is relied on to determine whether or not a SPDY connection is eligible for joining in nsNSSSocketInfo::JoinConnection() 5913
VerifySSLServerCertChild.cpp 4782
VerifySSLServerCertChild.h 2187
VerifySSLServerCertParent.cpp 6321
VerifySSLServerCertParent.h 2355
X509.jsm Helper function to read a NULL tag from the given DER. @param {DER} der a DER object to read a NULL from @return {NULL} an object representing an ASN.1 NULL 18349
cert_storage 2
components.conf 6618
crashtests 2
md4.c "clean room" MD4 implementation (see RFC 1320) 4769
md4.h md4sum - computes the MD4 sum over the input buffer per RFC 1320 @param input buffer containing input data @param inputLen length of input buffer (number of bytes) @param result 16-byte buffer that will contain the MD4 sum upon return NOTE: MD4 is superceded by MD5. do not use MD4 unless required by the protocol you are implementing (e.g., NTLM requires MD4). NOTE: this interface is designed for relatively small buffers. A streaming interface would make more sense if that were a requirement. Currently, this is good enough for the applications we care about. 1099 6306
nsCertOverrideService.cpp out 22622
nsCertOverrideService.h 67ba681d-5485-4fff-952c-2ee337ffdcd6 5156
nsCertTree.cpp heading for thread 36582
nsCertTree.h Disable the "base class XXX should be explicitly initialized in the copy constructor" warning. 4707
nsClientAuthRemember.cpp out 7410
nsClientAuthRemember.h out 2659
nsCryptoHash.cpp 8238
nsCryptoHash.h 1515
nsICertBlocklist.idl Represents a service to add certificates as explicitly blocked/distrusted. 2159
nsICertOverrideService.idl This represents the global list of triples {host:port, cert-fingerprint, allowed-overrides} that the user wants to accept without further warnings. 5301
nsICertStorage.idl Callback type used to notify callers that an operation performed by nsICertStorage has completed. Indicates the result of the requested operation, as well as any data returned by the operation. 11668
nsICertTree.idl 1224
nsICertificateDialogs.idl Functions that implement user interface dialogs to manage certificates. 2414
nsIClientAuthDialogs.idl Provides UI for SSL client-auth dialogs. 1612
nsIClientAuthRememberService.idl 1813
nsIContentSignatureVerifier.idl An interface for verifying content-signatures, inspired by described here 1693
nsICryptoHMAC.idl nsICryptoHMAC This interface provides HMAC signature algorithms. 3735
nsICryptoHash.idl nsICryptoHash This interface provides crytographic hashing algorithms. 3756
nsIKeyModule.idl forward declaration 1100
nsILocalCertService.idl Get or create a new self-signed X.509 cert to represent this device over a secure transport, like TLS. The cert is stored permanently in the profile's key store after first use, and is valid for 1 year. If an expired or otherwise invalid cert is found with the nickname supplied here, it is removed and a new one is made. @param nickname Nickname that identifies the cert @param cb Callback to be notified with the result 2291
nsINSSComponent.idl When we log out of a PKCS#11 token, any TLS connections that may have involved a client certificate stored on that token must be closed. Since we don't have a fine-grained way to do this, we basically cancel everything. More speficially, this clears all temporary certificate exception overrides and any remembered client authentication certificate decisions, and then cancels all network connections (strictly speaking, this last part is overzealous - we only need to cancel all https connections (see bug 1446645)). 4423
nsINSSErrorsService.idl @param aNSPRCode An error code obtained using PR_GetError() @return True if it is error code defined by the NSS library 3011
nsINSSVersion.idl Minimal required versions as used at build time 1233
nsIOSKeyStore.idl This interface provides encryption and decryption operations for data at rest. The key used to encrypt and decrypt the data is stored in the OS key store. Usage: // obtain the singleton OSKeyStore instance const oskeystore = Cc[";1"].getService(Ci.nsIOSKeyStore); const PASSWORD_LABEL = "mylabel1"; const COOKIE_LABEL = "mylabel2"; // Unlock the key store. // Note that this is not necesssary. The key store will be unlocked // automatically when an operation is performed on it. await oskeystore.asyncUnlock(); // Check if there's a secret for your label already. if (!await oskeystore.asyncSecretAvailable(PASSWORD_LABEL)) { // Fail or generate a new secret for your label. // If you want to generate a new secret, do. // Hold onto `recoveryPhrase` to present to the user. let recoveryPhrase = await oskeystore.asyncGenerateSecret(PASSWORD_LABEL); } // Assuming there's a secret with your label. Encrypt/Decrypt as follows. let encryptedPasswordBytes = await oskeystore.asyncEncryptBytes(PASSWORD_LABEL, passwordBytes); let newPasswordBytes = await oskeystore.asyncDecryptBytes(PASSWORD_LABEL, encryptedPasswordBytes); // Delete the secret from the key store. await oskeystore.asyncDeleteSecret(PASSWORD_LABEL); // Recover a secret from a recovery code. await oskeystore.asyncRecoverSecret(PASSWORD_LABEL, recoveryPhrase); // Lock the key store to prompt the user to log into her OS key store again. await oskeystore.asyncLock(); 5190
nsIOSReauthenticator.idl This interface provides an abstract way to request that the user reauthenticate themselves to the operating system. It may be useful in conjunction with nsIOSKeyStore, whereby consumers of these APIs may consider some secrets too sensitive to access without first reauthenticating the user. Usage: // obtain the singleton nsIOSReauthenticator instance const reauthenticator = Cc[";1"] .getService(Ci.nsIOSReauthenticator); if (await reauthenticator.asyncReauthenticate()) { // do something only authenticated users are allowed to do... } else { // show a "sorry, this isn't allowed" error } 1958
nsIPK11Token.idl The name of the token 2135
nsIPK11TokenDB.idl The PK11 Token Database provides access to the PK11 modules that are installed, and the tokens that are available. Interfaces: nsIPK11TokenDB Threading: ?? 836
nsIPKCS11Module.idl 628
nsIPKCS11ModuleDB.idl 1038
nsIPKCS11Slot.idl Manufacturer ID of the slot. 1553
nsIProtectedAuthThread.idl Used to communicate with the thread for logging on to a token with CKF_PROTECTED_AUTHENTICATION_PATH set. 1466
nsISecretDecoderRing.idl Encrypt to Base64 output. Note that the input must basically be a byte array (i.e. the code points must be within the range [0, 255]). Hence, using this method directly to encrypt passwords (or any text, really) won't work as expected. Instead, use something like nsIScriptableUnicodeConverter to first convert the desired password or text to UTF-8, then encrypt that. Remember to convert back when calling decryptString(). @param text The text to encrypt. @return The encrypted text, encoded as Base64. 2709
nsISecurityUITelemetry.idl Addon installation warnings 6102
nsISiteSecurityService.idl SECURITY_PROPERTY_SET and SECURITY_PROPERTY_UNSET correspond to indicating a site has or does not have the security property in question, respectively. SECURITY_PROPERTY_KNOCKOUT indicates a value on a preloaded list is being overridden, and the associated site does not have the security property in question. SECURITY_PROPERTY_NEGATIVE is used when we've gotten a negative result from HSTS priming. 11267
nsITokenDialogs.idl Displays notification dialog to the user that they are expected to authenticate to the token using its "protected authentication path" feature. 783
nsITokenPasswordDialogs.idl This is the interface for setting and changing password on a PKCS11 token. 902
nsIX509Cert.idl forward declaration 6178
nsIX509CertDB.idl Callback type for use with asyncVerifyCertAtTime. If aPRErrorCode is PRErrorCodeSuccess (i.e. 0), aVerifiedChain represents the verified certificate chain determined by asyncVerifyCertAtTime. aHasEVPolicy represents whether or not the end-entity certificate verified as EV. If aPRErrorCode is non-zero, it represents the error encountered during verification. aVerifiedChain is null in that case and aHasEVPolicy has no meaning. 13214
nsIX509CertValidity.idl Information on the validity period of a X.509 certificate. 1978
nsKeyModule.cpp 2559
nsKeyModule.h 1630
nsNSSCallbacks.cpp out 51137
nsNSSCallbacks.h out 1501
nsNSSCertHelper.cpp out 3615
nsNSSCertHelper.h out 1179
nsNSSCertTrust.cpp 4352
nsNSSCertTrust.h Class for maintaining trust flags for an NSS certificate. 1608
nsNSSCertValidity.cpp 2864
nsNSSCertValidity.h 1057
nsNSSCertificate.cpp static 27170
nsNSSCertificate.h int 3563
nsNSSCertificateDB.cpp out 41128
nsNSSCertificateDB.h fb0bbc5c-452e-4783-b32c-80124693d871 2600
nsNSSComponent.cpp out 103661
nsNSSComponent.h 5857
nsNSSHelper.h 1050
nsNSSIOLayer.cpp out 99452
nsNSSIOLayer.h 13027
nsNSSModule.cpp 5698
nsNSSModule.h 632
nsNSSVersion.cpp 1729
nsNSSVersion.h 842
nsNTLMAuthModule.cpp We don't actually send a LM response, but we still have to send something in this spot 33137
nsNTLMAuthModule.h 750
nsPK11TokenDB.cpp out 8666
nsPK11TokenDB.h out 1870
nsPKCS11Slot.cpp out 8023
nsPKCS11Slot.h out 1507
nsPKCS12Blob.cpp 12020
nsPKCS12Blob.h 1769
nsProtectedAuthThread.cpp 3643
nsProtectedAuthThread.h 1134
nsRandomGenerator.cpp 916
nsRandomGenerator.h 899
nsSSLSocketProvider.cpp 1931
nsSSLSocketProvider.h 217d014a-1dd2-11b2-999c-b0c4df79b324 977 1738147
nsSecureBrowserUI.cpp 5111
nsSecureBrowserUI.h 1512
nsSecurityHeaderParser.cpp 5625
nsSecurityHeaderParser.h 2842
nsSiteSecurityService.cpp out 41722
nsSiteSecurityService.h SecurityPropertyState: A utility enum for representing the different states a security property can be in. SecurityPropertySet and SecurityPropertyUnset correspond to indicating a site has or does not have the security property in question, respectively. SecurityPropertyKnockout indicates a value on a preloaded list is being overridden, and the associated site does not have the security property in question. 6242
nsTLSSocketProvider.cpp 1930
nsTLSSocketProvider.h b9507aec-1dd1-11b2-8cd5-c48ee0c50307 934
nsVerificationJob.h 1084
osclientcerts 5
tests 5