tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

nsINSSComponent.idl (4314B)

      1 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
      2 *
      3 * This Source Code Form is subject to the terms of the Mozilla Public
      4 * License, v. 2.0. If a copy of the MPL was not distributed with this
      5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
      6 
      7 #include "nsISupports.idl"
      8 
      9 %{C++
     10 #include "cert.h"
     11 #include "SharedCertVerifier.h"
     12 #define PSM_COMPONENT_CONTRACTID "@mozilla.org/psm;1"
     13 %}
     14 
     15 [ptr] native CERTCertificatePtr(CERTCertificate);
     16 [ptr] native SharedCertVerifierPtr(mozilla::psm::SharedCertVerifier);
     17 
     18 [scriptable, uuid(a0a8f52b-ea18-4abc-a3ca-eccf704ffe63)]
     19 interface nsINSSComponent : nsISupports {
     20  /**
     21   * When we log out of a PKCS#11 token, any TLS connections that may have
     22   * involved a client certificate stored on that token must be closed. Since we
     23   * don't have a fine-grained way to do this, we basically cancel everything.
     24   * More speficially, this clears all temporary certificate exception overrides
     25   * and any remembered client authentication certificate decisions, and then
     26   * cancels all network connections (strictly speaking, this last part is
     27   * overzealous - we only need to cancel all https connections (see bug
     28   * 1446645)).
     29   */
     30  [noscript] void logoutAuthenticatedPK11();
     31 
     32  /**
     33   * Used to determine if the given certificate (represented as an array of
     34   * bytes) is the certificate we use in tests to simulate a built-in root
     35   * certificate. Returns false in non-debug builds.
     36   */
     37  [noscript] boolean isCertTestBuiltInRoot(in Array<octet> cert);
     38 
     39  /**
     40   * If enabled by the preference "security.enterprise_roots.enabled", returns
     41   * an array of arrays of bytes representing the imported enterprise root
     42   * certificates (i.e. root certificates gleaned from the OS certificate
     43   * store). Returns an empty array otherwise.
     44   * Currently this is only implemented on Windows and MacOS X, so this
     45   * function returns an empty array on all other platforms.
     46   */
     47  Array<Array<octet> > getEnterpriseRoots();
     48  ACString getEnterpriseRootsPEM();
     49 
     50  /**
     51   * Similarly, but for intermediate certificates.
     52   */
     53  Array<Array<octet> > getEnterpriseIntermediates();
     54  ACString getEnterpriseIntermediatesPEM();
     55 
     56  /**
     57   * Test utility for adding an intermediate certificate to the current set of
     58   * imported enterprise intermediates, if any. Additions to the set made using
     59   * this function will be cleared when the value of the preference
     60   * "security.enterprise_roots.enabled" changes.
     61   */
     62  void addEnterpriseIntermediate(in Array<octet> intermediateBytes);
     63 
     64  /**
     65   * For performance reasons, the builtin roots module is loaded on a background
     66   * thread. When any code that depends on the builtin roots module runs, it
     67   * must first wait for the module to be loaded.
     68   */
     69  [noscript] void blockUntilLoadableCertsLoaded();
     70 
     71  /**
     72   * In theory a token on a PKCS#11 module can be inserted or removed at any
     73   * time. Operations that may depend on resources on external tokens should
     74   * call this to ensure they have a recent view of the token.
     75   */
     76  [noscript] void checkForSmartCardChanges();
     77 
     78  /**
     79   * Used to potentially detect when a user's internet connection is being
     80   * intercepted. When doing an update ping, if certificate verification fails,
     81   * we make a note of the issuer distinguished name of that certificate.
     82   * If a subsequent certificate verification fails, we compare issuer
     83   * distinguished names. If they match, something may be intercepting the
     84   * user's traffic (if they don't match, the server is likely misconfigured).
     85   * This function succeeds if the given DN matches the noted DN and fails
     86   * otherwise (e.g. if the update ping never failed).
     87   */
     88  [noscript] void issuerMatchesMitmCanary(in string certIssuer);
     89 
     90  /**
     91   * Returns an already-adrefed handle to the currently configured shared
     92   * certificate verifier.
     93   */
     94  [noscript] SharedCertVerifierPtr getDefaultCertVerifier();
     95 
     96  /**
     97   * For clearing both SSL internal and external session cache from JS.
     98   * WARNING: May be racy when using the socket process.
     99   */
    100  void clearSSLExternalAndInternalSessionCache();
    101 
    102  /**
    103   * For clearing both SSL internal and external session cache from JS.
    104   */
    105  [implicit_jscontext]
    106  Promise asyncClearSSLExternalAndInternalSessionCache();
    107 };