nsICertOverrideService.idl

/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-

 * This Source Code Form is subject to the terms of the Mozilla Public

 * License, v. 2.0. If a copy of the MPL was not distributed with this

 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "nsISupports.idl"

interface nsIArray;

interface nsIX509Cert;

[ref] native const_OriginAttributesRef(const mozilla::OriginAttributes);

%{C++

#define NS_CERTOVERRIDE_CONTRACTID "@mozilla.org/security/certoverride;1"

namespace mozilla {

class OriginAttributes;

%}

[scriptable, builtinclass, uuid(ed735e24-fa55-4163-906d-17fb78851fe1)]

interface nsICertOverride : nsISupports {

/**

  *   The hostname of the server the override is used for.

*/

  readonly attribute ACString asciiHost;

/**

  *   The port of the server the override is used for.

*/

  readonly attribute int32_t port;

/**

  *   A combination of hostname and port in the form host:port.

  *   Since the port can be -1 which is equivalent to port 433 we use an

  *   existing function of nsCertOverrideService to create this property.

*/

  readonly attribute ACString hostPort;

/**

  *   The fingerprint for the associated certificate.

*/

  readonly attribute ACString fingerprint;

/**

  *   The origin attributes associated with this override.

*/

  [implicit_jscontext]

  readonly attribute jsval originAttributes;

};

[scriptable, builtinclass, uuid(be019e47-22fc-4355-9f16-9ab047d6742d)]

interface nsICertOverrideService : nsISupports {

/**

   * When making a TLS connection to the given hostname and port (in the

   * context of the given origin attributes), if the certificate verifier

   * encounters an overridable error when verifying the given certificate, the

   * connection will continue (provided overrides are allowed for that host).

   * @param aHostName The host (punycode) this mapping belongs to

   * @param aPort The port this mapping belongs to. If it is -1 then it

   *              is internaly treated as 443.

   * @param aOriginAttributes the origin attributes of the mapping

   * @param aCert The certificate used by the server

   * @param aTemporary Whether or not to only store the mapping for the session

*/

  [binaryname(RememberValidityOverride), noscript, must_use]

  void rememberValidityOverrideNative(in AUTF8String aHostName,

                                in int32_t aPort,

                                in const_OriginAttributesRef aOriginAttributes,

                                in nsIX509Cert aCert,

                                in boolean aTemporary);

  [binaryname(RememberValidityOverrideScriptable), implicit_jscontext, must_use]

  void rememberValidityOverride(in AUTF8String aHostName,

                                in int32_t aPort,

                                in jsval aOriginAttributes,

                                in nsIX509Cert aCert,

                                in boolean aTemporary);

/**

   *  Return whether this host, port, cert triple has a stored override.

   *  If so, the outparams will contain the specific errors that were

   *  overridden, and whether the override is permanent, or only for the current

   *  session.

   *  @param aHostName The host (punycode) this mapping belongs to

   *  @param aPort The port this mapping belongs to, if it is -1 then it

   *         is internally treated as 443

   *  @param aCert The certificate this mapping belongs to

   *  @param aIsTemporary Whether the stored override is session-only,

   *         or permanent

   *  @return Whether an override has been stored for this host+port+cert

*/

  [binaryname(HasMatchingOverride), noscript, must_use]

  boolean hasMatchingOverrideNative(in AUTF8String aHostName,

                              in int32_t aPort,

                              in const_OriginAttributesRef aOriginAttributes,

                              in nsIX509Cert aCert,

                              out boolean aIsTemporary);

  [binaryname(HasMatchingOverrideScriptable), implicit_jscontext, must_use]

  boolean hasMatchingOverride(in AUTF8String aHostName,

                              in int32_t aPort,

                              in jsval aOriginAttributes,

                              in nsIX509Cert aCert,

                              out boolean aIsTemporary);

/**

   *  Remove a override for the given hostname:port.

   *  @param aHostName The host (punycode) whose entry should be cleared.

   *  @param aPort The port whose entry should be cleared.

   *               If it is -1, then it is internaly treated as 443.

   *               If it is 0 and aHostName is "all:temporary-certificates",

   *               then all temporary certificates should be cleared.

*/

  [binaryname(ClearValidityOverride), noscript]

  void clearValidityOverrideNative(in AUTF8String aHostName,

                             in int32_t aPort,

                             in const_OriginAttributesRef aOriginAttributes);

  [binaryname(ClearValidityOverrideScriptable), implicit_jscontext]

  void clearValidityOverride(in AUTF8String aHostName,

                             in int32_t aPort,

                             in jsval aOriginAttributes);

/**

   *  Remove all overrides.

*/

  void clearAllOverrides();

  Array<nsICertOverride> getOverrides();

/**

   *  NOTE: This function is used only for testing!

   *  @param aDisable If true, disable all security check and make

   *                  hasMatchingOverride always return true.

*/

  void setDisableAllSecurityChecksAndLetAttackersInterceptMyData(in boolean aDisable);

  readonly attribute boolean securityCheckDisabled;

};