security/manager/ssl/public/nsICertOverrideService.idl
author Mike Hommey <mh@glandium.org>
Fri, 25 Feb 2011 12:53:36 +0100
changeset 69247 4820d39b86d725bd2770b4b37ccbb8aca2c4c928
parent 58265 0d7dd95a1d9a3326a4904811ae09574e49ad8112
child 95270 e6da6ece3818eed14dd357220970bfc1d3bfe6e7
permissions -rw-r--r--
Bug 620931 part 3 - Allow GRE and XUL application to use omni.jar independently. r=bsmedberg,r=mwu We now store two independent locations for an omni.jar, allowing GRE/XRE and XUL application to each have their own omni.jar. And since xulrunner setups are very independent from the XUL applications, we implement support for both omni.jar and non omni.jar cases in the same runtime, with the side effect of allowing to switch from one to the other manually without rebuilding the binaries. We let the mozilla::Omnijar API handle both cases, so that callers don't need too much work to support them. We also make the preferences service load the same set of preferences in all the various cases (unified vs. separate, omni.jar vs. no omni.jar). The child process launcher for IPC is modified to pass the base directories needed for the mozilla::Omnijar API initialization in the child process. Finally, the startupcache file name canonicalization is modified to separate APP and GRE resources.

/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
 *
 * ***** BEGIN LICENSE BLOCK *****
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 *
 * The contents of this file are subject to the Mozilla Public License Version
 * 1.1 (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 * http://www.mozilla.org/MPL/
 *
 * Software distributed under the License is distributed on an "AS IS" basis,
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 * for the specific language governing rights and limitations under the
 * License.
 *
 * The Original Code is mozilla.org code.
 *
 * The Initial Developer of the Original Code is
 * Red Hat, Inc.
 * Portions created by the Initial Developer are Copyright (C) 2006
 * the Initial Developer. All Rights Reserved.
 *
 * Contributor(s):
 *   Kai Engert <kengert@redhat.com>
 *
 * Alternatively, the contents of this file may be used under the terms of
 * either the GNU General Public License Version 2 or later (the "GPL"), or
 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 * in which case the provisions of the GPL or the LGPL are applicable instead
 * of those above. If you wish to allow use of your version of this file only
 * under the terms of either the GPL or the LGPL, and not to allow others to
 * use your version of this file under the terms of the MPL, indicate your
 * decision by deleting the provisions above and replace them with the notice
 * and other provisions required by the GPL or the LGPL. If you do not delete
 * the provisions above, a recipient may use your version of this file under
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */

#include "nsISupports.idl"

interface nsIArray;
interface nsIX509Cert;

%{C++
#define NS_CERTOVERRIDE_CONTRACTID "@mozilla.org/security/certoverride;1"
%}

/**
 * This represents the global list of triples
 *   {host:port, cert-fingerprint, allowed-overrides} 
 * that the user wants to accept without further warnings. 
 */
[scriptable, uuid(31738d2a-77d3-4359-84c9-4be2f38fb8c5)]
interface nsICertOverrideService : nsISupports {

  /**
   *  Override Untrusted
   */
  const short ERROR_UNTRUSTED = 1;

  /**
   *  Override hostname Mismatch
   */
  const short ERROR_MISMATCH = 2;

  /**
   *  Override Time error
   */
  const short ERROR_TIME = 4;

  /**
   *  The given cert should always be accepted for the given hostname:port,
   *  regardless of errors verifying the cert.
   *  Host:Port is a primary key, only one entry per host:port can exist.
   *  The implementation will store a fingerprint of the cert.
   *  The implementation will decide which fingerprint alg is used.
   *
   *  @param aHostName The host (punycode) this mapping belongs to
   *  @param aPort The port this mapping belongs to, if it is -1 then it 
   *          is internaly treated as 443
   *  @param aCert The cert that should always be accepted
   *  @param aOverrideBits The errors we want to be overriden
   */
  void rememberValidityOverride(in ACString aHostName, 
                                in PRInt32 aPort,
                                in nsIX509Cert aCert,
                                in PRUint32 aOverrideBits,
                                in boolean aTemporary);

  /**
   *  The given cert should always be accepted for the given hostname:port,
   *  regardless of errors verifying the cert.
   *  Host:Port is a primary key, only one entry per host:port can exist.
   *  The implementation will store a fingerprint of the cert.
   *  The implementation will decide which fingerprint alg is used.
   *
   *  @param aHostName The host (punycode) this mapping belongs to
   *  @param aPort The port this mapping belongs to, if it is -1 then it 
   *          is internaly treated as 443
   *  @param aCert The cert that should always be accepted
   *  @param aOverrideBits The errors that are currently overriden
   *  @return whether an override entry for aHostNameWithPort is currently on file
   *          that matches the given certificate
   */
  boolean hasMatchingOverride(in ACString aHostName, 
                              in PRInt32 aPort,
                              in nsIX509Cert aCert,
                              out PRUint32 aOverrideBits,
                              out boolean aIsTemporary);

  /**
   *  Retrieve the stored override for the given hostname:port.
   *
   *  @param aHostName The host (punycode) whose entry should be tested
   *  @param aPort The port whose entry should be tested, if it is -1 then it 
   *          is internaly treated as 443
   *  @param aHashAlg On return value True, the fingerprint hash algorithm
   *                  as an OID value in dotted notation.
   *  @param aFingerprint On return value True, the stored fingerprint 
   *  @param aOverrideBits The errors that are currently overriden
   *  @return whether a matching override entry for aHostNameWithPort 
   *          and aFingerprint is currently on file
   */
  boolean getValidityOverride(in ACString aHostName, 
                              in PRInt32 aPort,
                              out ACString aHashAlg,
                              out ACString aFingerprint,
                              out PRUint32 aOverrideBits,
                              out boolean aIsTemporary);

  /**
   *  Remove a override for the given hostname:port.
   *
   *  @param aHostName The host (punycode) whose entry should be cleared.
   *  @param aPort The port whose entry should be cleared.
   *               If it is -1, then it is internaly treated as 443.
   *               If it is 0 and aHostName is "all:temporary-certificates",
   *               then all temporary certificates should be cleared.
   */
  void clearValidityOverride(in ACString aHostName,
                             in PRInt32 aPort);

  /**
   *  Obtain the full list of hostname:port for which overrides are known.
   *
   *  @param aCount The number of host:port entries returned
   *  @param aHostsWithPortsArray The array of host:port entries returned
   */
  void getAllOverrideHostsWithPorts(out PRUint32 aCount, 
                                    [array, size_is(aCount)] out wstring aHostsWithPortsArray);

  /**
   *  Is the given cert used in rules?
   *
   *  @param aCert The cert we're looking for
   *  @return how many override entries are currently on file
   *          for the given certificate
   */
  PRUint32 isCertUsedForOverrides(in nsIX509Cert aCert,
                                  in boolean aCheckTemporaries,
                                  in boolean aCheckPermanents);
};