Bug 637361: Backout bug 573043
authorBrian Smith <bsmith@mozilla.com>
Tue, 01 Mar 2011 19:11:22 -0800
changeset 63245 3c5f25ac14bf2cdfc5855c7aee09980c1d32b35e
parent 62191 52384369a8d479cecf829debe21e31be78cd8de0
child 63246 dad15c7d80d7d0bbf7f2c02ca06ed2c5f8e00ede
bugs637361, 573043
milestone2.0b12pre
Bug 637361: Backout bug 573043
extensions/auth/nsAuthSSPI.cpp
extensions/auth/nsAuthSSPI.h
netwerk/base/public/Makefile.in
netwerk/base/public/nsISSLStatus.idl
netwerk/base/public/nsISSLStatusProvider.idl
netwerk/base/public/nsIX509Cert.idl
netwerk/protocol/http/nsHttpNTLMAuth.cpp
netwerk/protocol/http/nsHttpNTLMAuth.h
security/manager/boot/public/Makefile.in
security/manager/boot/public/nsISSLStatusProvider.idl
security/manager/ssl/public/Makefile.in
security/manager/ssl/public/nsISSLStatus.idl
security/manager/ssl/public/nsIX509Cert.idl
--- a/extensions/auth/nsAuthSSPI.cpp
+++ b/extensions/auth/nsAuthSSPI.cpp
@@ -16,17 +16,16 @@
  *
  * The Initial Developer of the Original Code is IBM Corporation.
  * Portions created by the Initial Developer are Copyright (C) 2004
  * the Initial Developer. All Rights Reserved.
  *
  * Contributor(s):
  *   Darin Fisher <darin@meer.net>
  *   Jim Mathies <jmathies@mozilla.com>
- *   Guillermo Robla Vicario <groblavicario@gmail.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  * in which case the provisions of the GPL or the LGPL are applicable instead
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
@@ -48,17 +47,16 @@
 //
 
 #include "nsAuthSSPI.h"
 #include "nsIServiceManager.h"
 #include "nsIDNSService.h"
 #include "nsIDNSRecord.h"
 #include "nsNetCID.h"
 #include "nsCOMPtr.h"
-#include "nsICryptoHash.h"
 
 #include <windows.h>
 
 #define SEC_SUCCESS(Status) ((Status) >= 0)
 
 #ifndef KERB_WRAP_NO_ENCRYPT
 #define KERB_WRAP_NO_ENCRYPT 0x80000001
 #endif
@@ -187,18 +185,16 @@ MakeSN(const char *principal, nsCString 
 }
 
 //-----------------------------------------------------------------------------
 
 nsAuthSSPI::nsAuthSSPI(pType package)
     : mServiceFlags(REQ_DEFAULT)
     , mMaxTokenLen(0)
     , mPackage(package)
-    , mCertDERData(nsnull)
-    , mCertDERLength(0)
 {
     memset(&mCred, 0, sizeof(mCred));
     memset(&mCtxt, 0, sizeof(mCtxt));
 }
 
 nsAuthSSPI::~nsAuthSSPI()
 {
     Reset();
@@ -211,24 +207,16 @@ nsAuthSSPI::~nsAuthSSPI()
 #endif
         memset(&mCred, 0, sizeof(mCred));
     }
 }
 
 void
 nsAuthSSPI::Reset()
 {
-    mIsFirst = PR_TRUE;
-
-    if (mCertDERData){
-        nsMemory::Free(mCertDERData);
-        mCertDERData = nsnull;
-        mCertDERLength = 0;   
-    }
-
     if (mCtxt.dwLower || mCtxt.dwUpper) {
         (sspi->DeleteSecurityContext)(&mCtxt);
         memset(&mCtxt, 0, sizeof(mCtxt));
     }
 }
 
 NS_IMPL_ISUPPORTS1(nsAuthSSPI, nsIAuthModule)
 
@@ -236,20 +224,16 @@ NS_IMETHODIMP
 nsAuthSSPI::Init(const char *serviceName,
                  PRUint32    serviceFlags,
                  const PRUnichar *domain,
                  const PRUnichar *username,
                  const PRUnichar *password)
 {
     LOG(("  nsAuthSSPI::Init\n"));
 
-    mIsFirst = PR_TRUE;
-    mCertDERLength = 0;
-    mCertDERData = nsnull;
-
     // The caller must supply a service name to be used. (For why we now require
     // a service name for NTLM, see bug 487872.)
     NS_ENSURE_TRUE(serviceName && *serviceName, NS_ERROR_INVALID_ARG);
 
     nsresult rv;
 
     // XXX lazy initialization like this assumes that we are single threaded
     if (!sspi) {
@@ -325,186 +309,73 @@ nsAuthSSPI::Init(const char *serviceName
                                            &mCred,
                                            &useBefore);
     if (rc != SEC_E_OK)
         return NS_ERROR_UNEXPECTED;
     LOG(("AcquireCredentialsHandle() succeeded.\n"));
     return NS_OK;
 }
 
-// The arguments inToken and inTokenLen are used to pass in the server
-// certificate (when available) in the first call of the function. The
-// second time these arguments hold an input token. 
 NS_IMETHODIMP
 nsAuthSSPI::GetNextToken(const void *inToken,
                          PRUint32    inTokenLen,
                          void      **outToken,
                          PRUint32   *outTokenLen)
 {
-    // String for end-point bindings.
-    const char end_point[] = "tls-server-end-point:"; 
-    const int end_point_length = sizeof(end_point) - 1;
-    const int hash_size = 32;  // Size of a SHA256 hash.
-    const int cbt_size = hash_size + end_point_length;
-	
     SECURITY_STATUS rc;
     TimeStamp ignored;
 
     DWORD ctxAttr, ctxReq = 0;
     CtxtHandle *ctxIn;
     SecBufferDesc ibd, obd;
-    // Optional second input buffer for the CBT (Channel Binding Token)
-    SecBuffer ib[2], ob;
-    // Pointer to the block of memory that stores the CBT
-    char* sspi_cbt = nsnull;
-    SEC_CHANNEL_BINDINGS pendpoint_binding;
+    SecBuffer ib, ob;
 
     LOG(("entering nsAuthSSPI::GetNextToken()\n"));
 
     if (!mCred.dwLower && !mCred.dwUpper) {
         LOG(("nsAuthSSPI::GetNextToken(), not initialized. exiting."));
         return NS_ERROR_NOT_INITIALIZED;
     }
 
     if (mServiceFlags & REQ_DELEGATE)
         ctxReq |= ISC_REQ_DELEGATE;
     if (mServiceFlags & REQ_MUTUAL_AUTH)
         ctxReq |= ISC_REQ_MUTUAL_AUTH;
 
     if (inToken) {
-        if (mIsFirst) {
-            // First time if it comes with a token,
-            // the token represents the server certificate.
-            mIsFirst = PR_FALSE;
-            mCertDERLength = inTokenLen;
-            mCertDERData = nsMemory::Alloc(inTokenLen);
-            if (!mCertDERData)
-                return NS_ERROR_OUT_OF_MEMORY;
-            memcpy(mCertDERData, inToken, inTokenLen);
-
-            // We are starting a new authentication sequence.  
-            // If we have already initialized our
-            // security context, then we're in trouble because it means that the
-            // first sequence failed.  We need to bail or else we might end up in
-            // an infinite loop.
-            if (mCtxt.dwLower || mCtxt.dwUpper) {
-                LOG(("Cannot restart authentication sequence!"));
-                return NS_ERROR_UNEXPECTED;
-            }
-            ctxIn = nsnull;
-            // The certificate needs to be erased before being passed 
-            // to InitializeSecurityContextW().
-            inToken = nsnull;
-            inTokenLen = 0;
-        } else {
-            ibd.ulVersion = SECBUFFER_VERSION;
-            ibd.cBuffers = 0;
-            ibd.pBuffers = ib;
-            
-            // If we have stored a certificate, the Channel Binding Token
-            // needs to be generated and sent in the first input buffer.
-            if (mCertDERLength > 0) {
-                // First we create a proper Endpoint Binding structure. 
-                pendpoint_binding.dwInitiatorAddrType = 0;
-                pendpoint_binding.cbInitiatorLength = 0;
-                pendpoint_binding.dwInitiatorOffset = 0;
-                pendpoint_binding.dwAcceptorAddrType = 0;
-                pendpoint_binding.cbAcceptorLength = 0;
-                pendpoint_binding.dwAcceptorOffset = 0;
-                pendpoint_binding.cbApplicationDataLength = cbt_size;
-                pendpoint_binding.dwApplicationDataOffset = 
-                                            sizeof(SEC_CHANNEL_BINDINGS);
-
-                // Then add it to the array of sec buffers accordingly.
-                ib[ibd.cBuffers].BufferType = SECBUFFER_CHANNEL_BINDINGS;
-                ib[ibd.cBuffers].cbBuffer =
-                        pendpoint_binding.cbApplicationDataLength
-                        + pendpoint_binding.dwApplicationDataOffset;
-          
-                sspi_cbt = (char *) nsMemory::Alloc(ib[ibd.cBuffers].cbBuffer);
-                if (!sspi_cbt){
-                    return NS_ERROR_OUT_OF_MEMORY;
-                }
-
-                // Helper to write in the memory block that stores the CBT
-                char* sspi_cbt_ptr = sspi_cbt;
-          
-                ib[ibd.cBuffers].pvBuffer = sspi_cbt;
-                ibd.cBuffers++;
-
-                memcpy(sspi_cbt_ptr, &pendpoint_binding,
-                       pendpoint_binding.dwApplicationDataOffset);
-                sspi_cbt_ptr += pendpoint_binding.dwApplicationDataOffset;
-
-                memcpy(sspi_cbt_ptr, end_point, end_point_length);
-                sspi_cbt_ptr += end_point_length;
-          
-                // Start hashing. We are always doing SHA256, but depending
-                // on the certificate, a different alogirthm might be needed.
-                nsCAutoString hashString;
-
-                nsresult rv;
-                nsCOMPtr<nsICryptoHash> crypto;
-                crypto = do_CreateInstance(NS_CRYPTO_HASH_CONTRACTID, &rv);
-                if (NS_SUCCEEDED(rv))
-                    rv = crypto->Init(nsICryptoHash::SHA256);
-                if (NS_SUCCEEDED(rv))
-                    rv = crypto->Update((unsigned char*)mCertDERData, mCertDERLength);
-                if (NS_SUCCEEDED(rv))
-                    rv = crypto->Finish(PR_FALSE, hashString);
-                if (NS_FAILED(rv)) {
-                    nsMemory::Free(mCertDERData);
-                    mCertDERData = nsnull;
-                    mCertDERLength = 0;
-                    nsMemory::Free(sspi_cbt);
-                    return rv;
-                }
-          
-                // Once the hash has been computed, we store it in memory right
-                // after the Endpoint structure and the "tls-server-end-point:"
-                // char array.
-                memcpy(sspi_cbt_ptr, hashString.get(), hash_size);
-          
-                // Free memory used to store the server certificate
-                nsMemory::Free(mCertDERData);
-                mCertDERData = nsnull;
-                mCertDERLength = 0;
-            } // End of CBT computation.
-
-            // We always need this SECBUFFER.
-            ib[ibd.cBuffers].BufferType = SECBUFFER_TOKEN;
-            ib[ibd.cBuffers].cbBuffer = inTokenLen;
-            ib[ibd.cBuffers].pvBuffer = (void *) inToken;
-            ibd.cBuffers++;
-            ctxIn = &mCtxt;
-        }
-    } else { // First time and without a token (no server certificate)
-        // We are starting a new authentication sequence.  If we have already 
-        // initialized our security context, then we're in trouble because it 
-        // means that the first sequence failed.  We need to bail or else we 
-        // might end up in an infinite loop.
-        if (mCtxt.dwLower || mCtxt.dwUpper || mCertDERData || mCertDERLength) {
+        ib.BufferType = SECBUFFER_TOKEN;
+        ib.cbBuffer = inTokenLen;
+        ib.pvBuffer = (void *) inToken;
+        ibd.ulVersion = SECBUFFER_VERSION;
+        ibd.cBuffers = 1;
+        ibd.pBuffers = &ib;
+        ctxIn = &mCtxt;
+    }
+    else {
+        // If there is no input token, then we are starting a new
+        // authentication sequence.  If we have already initialized our
+        // security context, then we're in trouble because it means that the
+        // first sequence failed.  We need to bail or else we might end up in
+        // an infinite loop.
+        if (mCtxt.dwLower || mCtxt.dwUpper) {
             LOG(("Cannot restart authentication sequence!"));
             return NS_ERROR_UNEXPECTED;
         }
+
         ctxIn = NULL;
-        mIsFirst = PR_FALSE;
     }
 
     obd.ulVersion = SECBUFFER_VERSION;
     obd.cBuffers = 1;
     obd.pBuffers = &ob;
     ob.BufferType = SECBUFFER_TOKEN;
     ob.cbBuffer = mMaxTokenLen;
     ob.pvBuffer = nsMemory::Alloc(ob.cbBuffer);
-    if (!ob.pvBuffer){
-        if (sspi_cbt)
-            nsMemory::Free(sspi_cbt);
+    if (!ob.pvBuffer)
         return NS_ERROR_OUT_OF_MEMORY;
-    }
     memset(ob.pvBuffer, 0, ob.cbBuffer);
 
     NS_ConvertUTF8toUTF16 wSN(mServiceName);
     SEC_WCHAR *sn = (SEC_WCHAR *) wSN.get();
 
     rc = (sspi->InitializeSecurityContextW)(&mCred,
                                             ctxIn,
                                             sn,
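Review bot: After the backout the input side of GetNextToken hands InitializeSecurityContextW a single SECBUFFER_TOKEN buffer (`ib.BufferType = SECBUFFER_TOKEN;` … `ibd.cBuffers = 1;`), so no SECBUFFER_CHANNEL_BINDINGS buffer accompanies the token, and nothing on the new side says that this is deliberate rather than an omission. A one-line comment above `if (inToken) {`, e.g. `// Only the raw token is passed; no channel-binding (SECBUFFER_CHANNEL_BINDINGS) buffer is supplied here, see bug 637361.`, would keep the next reader from re-deriving the history from the bug tracker. As a point of style, `ib.pvBuffer = (void *) inToken;` drops the const of the caller's buffer with a C-style cast; `ib.pvBuffer = const_cast<void *>(inToken);` states that intent explicitly. GetNextToken's body continues past the end of the hunk, so the error path after the InitializeSecurityContextW call is not visible here.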
@@ -520,19 +391,17 @@ nsAuthSSPI::GetNextToken(const void *inT
     if (rc == SEC_I_CONTINUE_NEEDED || rc == SEC_E_OK) {
 
 #ifdef PR_LOGGING
         if (rc == SEC_E_OK)
             LOG(("InitializeSecurityContext: succeeded.\n"));
         else
             LOG(("InitializeSecurityContext: continue.\n"));
 #endif
-        if (sspi_cbt)
-            nsMemory::Free(sspi_cbt);
-            
+
         if (!ob.cbBuffer) {
             nsMemory::Free(ob.pvBuffer);
             ob.pvBuffer = NULL;
         }
         *outToken = ob.pvBuffer;
         *outTokenLen = ob.cbBuffer;
 
         if (rc == SEC_E_OK)
--- a/extensions/auth/nsAuthSSPI.h
+++ b/extensions/auth/nsAuthSSPI.h
@@ -15,17 +15,16 @@
  * The Original Code is the SSPI NegotiateAuth Module.
  *
  * The Initial Developer of the Original Code is IBM Corporation.
  * Portions created by the Initial Developer are Copyright (C) 2004
  * the Initial Developer. All Rights Reserved.
  *
  * Contributor(s):
  *   Darin Fisher <darin@meer.net>
- *   Guillermo Robla Vicario <groblavicario@gmail.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  * in which case the provisions of the GPL or the LGPL are applicable instead
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
@@ -77,14 +76,11 @@ private:
     CtxtHandle   mCtxt;
     nsCString    mServiceName;
     PRUint32     mServiceFlags;
     PRUint32     mMaxTokenLen;
     pType        mPackage;
     nsString     mDomain;
     nsString     mUsername;
     nsString     mPassword;
-    PRBool       mIsFirst;	
-    void*        mCertDERData; 
-    PRUint32     mCertDERLength;
 };
 
 #endif /* nsAuthSSPI_h__ */
--- a/netwerk/base/public/Makefile.in
+++ b/netwerk/base/public/Makefile.in
@@ -54,17 +54,16 @@ SDK_XPIDLSRCS   = \
 		nsIStreamListener.idl \
 		nsIIOService.idl \
 		nsIURI.idl \
 		nsIURL.idl \
 		nsIFileURL.idl \
 		nsIUploadChannel.idl \
 		nsIUnicharStreamListener.idl \
 		nsITraceableChannel.idl \
-		nsIX509Cert.idl \
 		$(NULL)
 
 XPIDLSRCS	= \
 		nsIApplicationCache.idl \
 		nsIApplicationCacheChannel.idl \
 		nsIApplicationCacheContainer.idl \
 		nsIApplicationCacheService.idl \
 		nsIAuthInformation.idl \
@@ -139,18 +138,16 @@ XPIDLSRCS	= \
 		nsIProxiedChannel.idl \
 		nsIRandomGenerator.idl \
 		nsIStrictTransportSecurityService.idl \
 		nsIURIWithPrincipal.idl \
 		nsIURIClassifier.idl \
 		nsIRedirectResultListener.idl \
 		mozIThirdPartyUtil.idl \
 		nsISerializationHelper.idl \
-		nsISSLStatus.idl \
-		nsISSLStatusProvider.idl \
 		$(NULL)
 
 ifdef MOZ_IPC
 XPIDLSRCS	+= \
 		nsIChildChannel.idl \
 		nsIParentChannel.idl \
 		nsIParentRedirectingChannel.idl \
 		nsIRedirectChannelRegistrar.idl
deleted file mode 100644
--- a/netwerk/base/public/nsISSLStatus.idl
+++ /dev/null
@@ -1,62 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is mozilla.org code.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Terry Hayes <thayes@netscape.com>
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nsISupports.idl"
-
-interface nsIX509Cert;
-
-[scriptable, uuid(cfede939-def1-49be-81ed-d401b3a07d1c)]
-interface nsISSLStatus : nsISupports {
-  readonly attribute nsIX509Cert serverCert;
-
-  readonly attribute string cipherName;
-  readonly attribute unsigned long keyLength;
-  readonly attribute unsigned long secretKeyLength;
-
-  readonly attribute boolean isDomainMismatch;
-  readonly attribute boolean isNotValidAtThisTime;
-
-  /* Note: To distinguish between 
-   *         "unstrusted because missing or untrusted issuer"
-   *       and 
-   *         "untrusted because self signed"
-   *       query nsIX509Cert3::isSelfSigned 
-   */
-  readonly attribute boolean isUntrusted;
-};
deleted file mode 100644
--- a/netwerk/base/public/nsISSLStatusProvider.idl
+++ /dev/null
@@ -1,44 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is mozilla.org code.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Terry Hayes <thayes@netscape.com>
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nsISupports.idl"
-
-[scriptable, uuid(8de811f0-1dd2-11b2-8bf1-e9aa324984b2)]
-interface nsISSLStatusProvider : nsISupports {
-  readonly attribute nsISupports SSLStatus;
-};
deleted file mode 100644
--- a/netwerk/base/public/nsIX509Cert.idl
+++ /dev/null
@@ -1,268 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is mozilla.org code.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Javier Delgadillo <javi@netscape.com>
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nsISupports.idl"
-
-interface nsIArray;
-interface nsIX509CertValidity;
-interface nsIASN1Object;
-
-/**
- * This represents a X.509 certificate.
- */
-[scriptable, uuid(f0980f60-ee3d-11d4-998b-00b0d02354a0)]
-interface nsIX509Cert : nsISupports {
-
-  /**
-   *  A nickname for the certificate.
-   */
-  readonly attribute AString nickname;
-
-  /**
-   *  The primary email address of the certificate, if present.
-   */
-  readonly attribute AString emailAddress;
-
-  /**
-   *  Obtain a list of all email addresses
-   *  contained in the certificate.
-   *
-   *  @param length The number of strings in the returned array.
-   *  @return An array of email addresses.
-   */
-  void getEmailAddresses(out unsigned long length, 
-                         [retval, array, size_is(length)] out wstring addresses);
-
-  /**
-   *  Check whether a given address is contained in the certificate.
-   *  The comparison will convert the email address to lowercase.
-   *  The behaviour for non ASCII characters is undefined.
-   *
-   *  @param aEmailAddress The address to search for.
-   *                
-   *  @return True if the address is contained in the certificate.
-   */
-  boolean containsEmailAddress(in AString aEmailAddress);
-
-  /**
-   *  The subject owning the certificate.
-   */
-  readonly attribute AString subjectName;
-
-  /**
-   *  The subject's common name.
-   */
-  readonly attribute AString commonName;
-
-  /**
-   *  The subject's organization.
-   */
-  readonly attribute AString organization;
-
-  /**
-   *  The subject's organizational unit.
-   */
-  readonly attribute AString organizationalUnit;
-
-  /**
-   *  The fingerprint of the certificate's public key,
-   *  calculated using the SHA1 algorithm.
-   */
-  readonly attribute AString sha1Fingerprint;
-
-  /**
-   *  The fingerprint of the certificate's public key,
-   *  calculated using the MD5 algorithm.
-   */
-  readonly attribute AString md5Fingerprint;
-
-  /**
-   *  A human readable name identifying the hardware or
-   *  software token the certificate is stored on.
-   */
-  readonly attribute AString tokenName;
-
-  /**
-   *  The subject identifying the issuer certificate.
-   */
-  readonly attribute AString issuerName;
-
-  /**
-   *  The serial number the issuer assigned to this certificate.
-   */
-  readonly attribute AString serialNumber;
-
-  /**
-   *  The issuer subject's common name.
-   */
-  readonly attribute AString issuerCommonName;
-
-  /**
-   *  The issuer subject's organization.
-   */
-  readonly attribute AString issuerOrganization;
-
-  /**
-   *  The issuer subject's organizational unit.
-   */
-  readonly attribute AString issuerOrganizationUnit;
-
-  /**
-   *  The certificate used by the issuer to sign this certificate.
-   */
-  readonly attribute nsIX509Cert issuer;
-
-  /**
-   *  This certificate's validity period.
-   */
-  readonly attribute nsIX509CertValidity validity;
-
-  /**
-   *  A unique identifier of this certificate within the local storage.
-   */
-  readonly attribute string dbKey;
-
-  /**
-   *  A human readable identifier to label this certificate.
-   */
-  readonly attribute string windowTitle;
-
-  /**
-   *  Constants to classify the type of a certificate.
-   */
-  const unsigned long UNKNOWN_CERT =      0;
-  const unsigned long CA_CERT      = 1 << 0;
-  const unsigned long USER_CERT    = 1 << 1;
-  const unsigned long EMAIL_CERT   = 1 << 2;
-  const unsigned long SERVER_CERT  = 1 << 3;
-
-  /**
-   *  Constants for certificate verification results.
-   */
-  const unsigned long VERIFIED_OK          =      0;
-  const unsigned long NOT_VERIFIED_UNKNOWN = 1 << 0;
-  const unsigned long CERT_REVOKED         = 1 << 1;
-  const unsigned long CERT_EXPIRED         = 1 << 2;
-  const unsigned long CERT_NOT_TRUSTED     = 1 << 3;
-  const unsigned long ISSUER_NOT_TRUSTED   = 1 << 4;
-  const unsigned long ISSUER_UNKNOWN       = 1 << 5;
-  const unsigned long INVALID_CA           = 1 << 6;
-  const unsigned long USAGE_NOT_ALLOWED    = 1 << 7;
-  
-  /**
-   *  Constants that describe the certified usages of a certificate.
-   */
-  const unsigned long CERT_USAGE_SSLClient = 0;
-  const unsigned long CERT_USAGE_SSLServer = 1;
-  const unsigned long CERT_USAGE_SSLServerWithStepUp = 2;
-  const unsigned long CERT_USAGE_SSLCA = 3;
-  const unsigned long CERT_USAGE_EmailSigner = 4;
-  const unsigned long CERT_USAGE_EmailRecipient = 5;
-  const unsigned long CERT_USAGE_ObjectSigner = 6;
-  const unsigned long CERT_USAGE_UserCertImport = 7;
-  const unsigned long CERT_USAGE_VerifyCA = 8;
-  const unsigned long CERT_USAGE_ProtectedObjectSigner = 9;
-  const unsigned long CERT_USAGE_StatusResponder = 10;
-  const unsigned long CERT_USAGE_AnyCA = 11;
-
-  /**
-   *  Obtain a list of certificates that contains this certificate 
-   *  and the issuing certificates of all involved issuers,
-   *  up to the root issuer.
-   *
-   *  @return The chain of certifficates including the issuers.
-   */
-  nsIArray getChain();
-
-  /**
-   *  Obtain an array of human readable strings describing
-   *  the certificate's certified usages.
-   *
-   *  @param ignoreOcsp Do not use OCSP even if it is currently activated.
-   *  @param verified The certificate verification result, see constants.
-   *  @param count The number of human readable usages returned.
-   *  @param usages The array of human readable usages.
-   */
-  void getUsagesArray(in boolean ignoreOcsp,
-                      out PRUint32 verified,
-                      out PRUint32 count, 
-                      [array, size_is(count)] out wstring usages);
-
-  /**
-   *  Obtain a single comma separated human readable string describing
-   *  the certificate's certified usages.
-   *
-   *  @param ignoreOcsp Do not use OCSP even if it is currently activated.
-   *  @param verified The certificate verification result, see constants.
-   *  @param purposes The string listing the usages.
-   */
-  void getUsagesString(in boolean ignoreOcsp, out PRUint32 verified, out AString usages);
-
-  /**
-   *  Verify the certificate for a particular usage.
-   *
-   *  @return The certificate verification result, see constants.
-   */
-   unsigned long verifyForUsage(in unsigned long usage);
-
-  /**
-   *  This is the attribute which describes the ASN1 layout
-   *  of the certificate.  This can be used when doing a
-   *  "pretty print" of the certificate's ASN1 structure.
-   */
-  readonly attribute nsIASN1Object ASN1Structure;
-
-  /**
-   *  Obtain a raw binary encoding of this certificate
-   *  in DER format.
-   *
-   *  @param length The number of bytes in the binary encoding.
-   *  @param data The bytes representing the DER encoded certificate.
-   */
-  void getRawDER(out unsigned long length,
-	               [retval, array, size_is(length)] out octet data);
-
-  /**
-   *  Test whether two certificate instances represent the 
-   *  same certificate.
-   *
-   *  @return Whether the certificates are equal
-   */
-  boolean equals(in nsIX509Cert other);
-};
--- a/netwerk/protocol/http/nsHttpNTLMAuth.cpp
+++ b/netwerk/protocol/http/nsHttpNTLMAuth.cpp
@@ -17,17 +17,16 @@
  * The Initial Developer of the Original Code is
  * Netscape Communications Corporation.
  * Portions created by the Initial Developer are Copyright (C) 2003
  * the Initial Developer. All Rights Reserved.
  *
  * Contributor(s):
  *   Darin Fisher <darin@meer.net>
  *   Jim Mathies <jmathies@mozilla.com>
- *   Guillermo Robla Vicario <groblavicario@gmail.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  * in which case the provisions of the GPL or the LGPL are applicable instead
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
@@ -48,19 +47,16 @@
 
 //-----------------------------------------------------------------------------
 
 #include "nsIPrefBranch.h"
 #include "nsIPrefService.h"
 #include "nsIServiceManager.h"
 #include "nsIHttpAuthenticableChannel.h"
 #include "nsIURI.h"
-#include "nsIX509Cert.h"
-#include "nsISSLStatus.h"
-#include "nsISSLStatusProvider.h"
 
 static const char kAllowProxies[] = "network.automatic-ntlm-auth.allow-proxies";
 static const char kTrustedURIs[]  = "network.automatic-ntlm-auth.trusted-uris";
 static const char kForceGeneric[] = "network.auth.force-generic-ntlm";
 
 // XXX MatchesBaseURI and TestPref are duplicated in nsHttpNegotiateAuth.cpp,
 // but since that file lives in a separate library we cannot directly share it.
 // bug 236865 addresses this problem.
@@ -234,19 +230,16 @@ nsHttpNTLMAuth::ChallengeReceived(nsIHtt
                                   PRBool          isProxyAuth,
                                   nsISupports   **sessionState,
                                   nsISupports   **continuationState,
                                   PRBool         *identityInvalid)
 {
     LOG(("nsHttpNTLMAuth::ChallengeReceived [ss=%p cs=%p]\n",
          *sessionState, *continuationState));
 
-    // Use the native NTLM if available
-    mUseNative = PR_TRUE;
-
     // NOTE: we don't define any session state, but we do use the pointer.
 
     *identityInvalid = PR_FALSE;
 
     // Start a new auth sequence if the challenge is exactly "NTLM".
     // If native NTLM auth apis are available and enabled through prefs,
     // try to use them.
     if (PL_strcasecmp(challenge, "NTLM") == 0) {
@@ -300,18 +293,16 @@ nsHttpNTLMAuth::ChallengeReceived(nsIHtt
                     return NS_ERROR_OUT_OF_MEMORY;
                 NS_ADDREF(*sessionState);
             }
 
             // Use our internal NTLM implementation. Note, this is less secure,
             // see bug 520607 for details.
             LOG(("Trying to fall back on internal ntlm auth.\n"));
             module = do_CreateInstance(NS_AUTH_MODULE_CONTRACTID_PREFIX "ntlm");
-	    
-            mUseNative = PR_FALSE;
 
             // Prompt user for domain, username, and password.
             *identityInvalid = PR_TRUE;
         }
 
         // If this fails, then it means that we cannot do NTLM auth.
         if (!module) {
             LOG(("No ntlm auth modules available.\n"));
@@ -370,75 +361,18 @@ nsHttpNTLMAuth::GenerateCredentials(nsIH
             return rv;
         serviceName.AppendLiteral("HTTP@");
         serviceName.Append(host);
         // initialize auth module
         rv = module->Init(serviceName.get(), nsIAuthModule::REQ_DEFAULT, domain, user, pass);
         if (NS_FAILED(rv))
             return rv;
 
-// This update enables updated Windows machines (Win7 or patched previous
-// versions) and Linux machines running Samba (updated for Channel 
-// Binding), to perform Channel Binding when authenticating using NTLMv2 
-// and an outer secure channel.
-// 
-// Currently only implemented for Windows, linux support will be landing in 
-// a separate patch, update this #ifdef accordingly then.
-#if defined (XP_WIN) /* || defined (LINUX) */
-        PRBool isHttps;
-        rv = uri->SchemeIs("https", &isHttps);
-        if (NS_FAILED(rv))
-            return rv;
-            
-        // When the url starts with https, we should retrieve the server 
-        // certificate and compute the CBT, but only when we are using
-        // the native NTLM implementation and not the internal one.
-        if (isHttps && mUseNative) {
-            nsCOMPtr<nsIChannel> channel = do_QueryInterface(authChannel, &rv);
-            if (NS_FAILED(rv))
-                return rv;
-
-            nsCOMPtr<nsISupports> security;
-            rv = channel->GetSecurityInfo(getter_AddRefs(security));
-            if (NS_FAILED(rv))
-                return rv;
-
-            nsCOMPtr<nsISSLStatusProvider> 
-                        statusProvider(do_QueryInterface(security));
-            NS_ENSURE_TRUE(statusProvider, NS_ERROR_FAILURE);
-
-            rv = statusProvider->GetSSLStatus(getter_AddRefs(security));
-            if (NS_FAILED(rv))
-                return rv;
-
-            nsCOMPtr<nsISSLStatus> status(do_QueryInterface(security));
-            NS_ENSURE_TRUE(status, NS_ERROR_FAILURE);
-
-            nsCOMPtr<nsIX509Cert> cert;
-            rv = status->GetServerCert(getter_AddRefs(cert));
-            if (NS_FAILED(rv))
-                return rv;
-
-            PRUint32 length;
-            PRUint8* certArray;
-            cert->GetRawDER(&length, &certArray);						  
-			
-            // If there is a server certificate, we pass it along the
-            // first time we call GetNextToken().
-            inBufLen = length;
-            inBuf = certArray;
-        } else { 
-            // If there is no server certificate, we don't pass anything.
-            inBufLen = 0;
-            inBuf = nsnull;
-        }
-#else // Extended protection update is just for Linux and Windows machines.
         inBufLen = 0;
         inBuf = nsnull;
-#endif
     }
     else {
         // decode challenge; skip past "NTLM " to the start of the base64
         // encoded data.
         int len = strlen(challenge);
         if (len < 6)
             return NS_ERROR_UNEXPECTED; // bogus challenge
         challenge += 5;
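Review bot: With the channel-binding block gone, the first leg of the native NTLM exchange again starts with `inBufLen = 0; inBuf = nsnull;` and nothing at that assignment records that no channel binding token is supplied when the outer channel is HTTPS, so a reader of the new code cannot tell the TLS binding (the "Extended protection" work described in the removed comment) was deliberately backed out rather than never considered. I would leave a short comment there, e.g. `// No channel binding token is passed on the first leg; see bug 637361 (backout of bug 573043).`, so a re-landing has an anchor. When it is reintroduced, note that the removed implementation ignored the return value of `GetRawDER` and handed the DER buffer to the module without ever releasing it; by the usual XPCOM out-array convention that buffer is caller-owned, though the implementation confirming that is not in this diff. GenerateCredentials starts before and continues past this hunk.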
--- a/netwerk/protocol/http/nsHttpNTLMAuth.h
+++ b/netwerk/protocol/http/nsHttpNTLMAuth.h
@@ -15,17 +15,16 @@
  *
  * The Initial Developer of the Original Code is
  * Netscape Communications Corporation.
  * Portions created by the Initial Developer are Copyright (C) 2003
  * the Initial Developer. All Rights Reserved.
  *
  * Contributor(s):
  *   Darin Fisher <darin@netscape.com>
- *   Guillermo Robla Vicario <groblavicario@gmail.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  * in which case the provisions of the GPL or the LGPL are applicable instead
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
@@ -44,16 +43,11 @@
 class nsHttpNTLMAuth : public nsIHttpAuthenticator
 {
 public:
     NS_DECL_ISUPPORTS
     NS_DECL_NSIHTTPAUTHENTICATOR
 
     nsHttpNTLMAuth() {}
     virtual ~nsHttpNTLMAuth() {}
-
-private:
-    // This flag indicates whether we are using the native NTLM implementation
-    // or the internal one.
-    PRBool  mUseNative;
 };
 
 #endif // !nsHttpNTLMAuth_h__
--- a/security/manager/boot/public/Makefile.in
+++ b/security/manager/boot/public/Makefile.in
@@ -45,12 +45,13 @@ include $(DEPTH)/config/autoconf.mk
 MODULE = pipboot
 GRE_MODULE	= 1
 
 SDK_XPIDLSRCS = \
     nsISecurityWarningDialogs.idl \
     $(NULL)
 
 XPIDLSRCS = \
+    nsISSLStatusProvider.idl \
     nsIBufEntropyCollector.idl \
     $(NULL)
 
 include $(topsrcdir)/config/rules.mk
new file mode 100644
--- /dev/null
+++ b/security/manager/boot/public/nsISSLStatusProvider.idl
@@ -0,0 +1,44 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Terry Hayes <thayes@netscape.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nsISupports.idl"
+
+[scriptable, uuid(8de811f0-1dd2-11b2-8bf1-e9aa324984b2)]
+interface nsISSLStatusProvider : nsISupports {
+  readonly attribute nsISupports SSLStatus;
+};
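Review bot: `SSLStatus` on the last line is typed as bare `nsISupports` with no comment saying what it really is, so every consumer has to know out of band that it must QueryInterface the result to nsISSLStatus (the caller removed from nsHttpNTLMAuth.cpp in this same changeset did exactly that, and also treated a failed QI as an error). A doc comment on the attribute would save the next reader that detour, e.g. `/** The connection's nsISSLStatus, returned as nsISupports; QueryInterface to nsISSLStatus. May be null when no TLS status exists — confirm with implementers. */`. Since the file is restored verbatim and a type change would normally call for a new uuid, the comment is the cheap fix.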
--- a/security/manager/ssl/public/Makefile.in
+++ b/security/manager/ssl/public/Makefile.in
@@ -48,16 +48,17 @@ include $(DEPTH)/config/autoconf.mk
 MODULE = pipnss
 GRE_MODULE	= 1
 
 SDK_XPIDLSRCS = \
     nsIASN1Object.idl \
     nsIASN1Sequence.idl \
     nsICertificateDialogs.idl \
     nsICRLInfo.idl \
+    nsIX509Cert.idl \
     nsIX509CertDB.idl \
     nsIX509CertValidity.idl \
     $(NULL)
 
 XPIDLSRCS = \
     nsISSLCertErrorDialog.idl \
     nsIBadCertListener2.idl \
     nsISSLErrorListener.idl \
@@ -74,16 +75,17 @@ XPIDLSRCS = \
     nsIPKCS11Slot.idl \
     nsIPK11TokenDB.idl \
     nsICertPickDialogs.idl \
     nsIClientAuthDialogs.idl \
     nsIDOMCryptoDialogs.idl \
     nsIGenKeypairInfoDlg.idl \
     nsITokenDialogs.idl \
     nsITokenPasswordDialogs.idl \
+    nsISSLStatus.idl \
     nsIKeygenThread.idl \
     nsICMSSecureMessage.idl \
     nsIUserCertPicker.idl \
     nsIASN1PrintableItem.idl \
     nsICMSDecoder.idl \
     nsICMSEncoder.idl \
     nsICMSMessageErrors.idl \
     nsICMSMessage.idl \
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/public/nsISSLStatus.idl
@@ -0,0 +1,62 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Terry Hayes <thayes@netscape.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nsISupports.idl"
+
+interface nsIX509Cert;
+
+[scriptable, uuid(cfede939-def1-49be-81ed-d401b3a07d1c)]
+interface nsISSLStatus : nsISupports {
+  readonly attribute nsIX509Cert serverCert;
+
+  readonly attribute string cipherName;
+  readonly attribute unsigned long keyLength;
+  readonly attribute unsigned long secretKeyLength;
+
+  readonly attribute boolean isDomainMismatch;
+  readonly attribute boolean isNotValidAtThisTime;
+
+  /* Note: To distinguish between 
+   *         "unstrusted because missing or untrusted issuer"
+   *       and 
+   *         "untrusted because self signed"
+   *       query nsIX509Cert3::isSelfSigned 
+   */
+  readonly attribute boolean isUntrusted;
+};
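Review bot: The three boolean attributes and the `serverCert`/`cipherName`/`keyLength`/`secretKeyLength` group carry no documentation, and the only comment (on `isUntrusted`) has a typo (`unstrusted`) and points at `nsIX509Cert3::isSelfSigned`, an interface not forward-declared in this file, so a reader cannot tell from here whether `isUntrusted` is true for a chain the user overrode or only for one that never validated. I would add one sentence per attribute stating when it is true, e.g. `/** True if serverCert's chain could not be validated against the trust store. */` above `isUntrusted`, `/** True if serverCert does not match the host name. */` above `isDomainMismatch`, and `/** True if the current time is outside serverCert's validity period. */` above `isNotValidAtThisTime`, and fix the typo. The override semantics should be confirmed against the nsSSLStatus implementation, which is not in this diff.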
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/public/nsIX509Cert.idl
@@ -0,0 +1,268 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Javier Delgadillo <javi@netscape.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nsISupports.idl"
+
+interface nsIArray;
+interface nsIX509CertValidity;
+interface nsIASN1Object;
+
+/**
+ * This represents a X.509 certificate.
+ */
+[scriptable, uuid(f0980f60-ee3d-11d4-998b-00b0d02354a0)]
+interface nsIX509Cert : nsISupports {
+
+  /**
+   *  A nickname for the certificate.
+   */
+  readonly attribute AString nickname;
+
+  /**
+   *  The primary email address of the certificate, if present.
+   */
+  readonly attribute AString emailAddress;
+
+  /**
+   *  Obtain a list of all email addresses
+   *  contained in the certificate.
+   *
+   *  @param length The number of strings in the returned array.
+   *  @return An array of email addresses.
+   */
+  void getEmailAddresses(out unsigned long length, 
+                         [retval, array, size_is(length)] out wstring addresses);
+
+  /**
+   *  Check whether a given address is contained in the certificate.
+   *  The comparison will convert the email address to lowercase.
+   *  The behaviour for non ASCII characters is undefined.
+   *
+   *  @param aEmailAddress The address to search for.
+   *                
+   *  @return True if the address is contained in the certificate.
+   */
+  boolean containsEmailAddress(in AString aEmailAddress);
+
+  /**
+   *  The subject owning the certificate.
+   */
+  readonly attribute AString subjectName;
+
+  /**
+   *  The subject's common name.
+   */
+  readonly attribute AString commonName;
+
+  /**
+   *  The subject's organization.
+   */
+  readonly attribute AString organization;
+
+  /**
+   *  The subject's organizational unit.
+   */
+  readonly attribute AString organizationalUnit;
+
+  /**
+   *  The fingerprint of the certificate's public key,
+   *  calculated using the SHA1 algorithm.
+   */
+  readonly attribute AString sha1Fingerprint;
+
+  /**
+   *  The fingerprint of the certificate's public key,
+   *  calculated using the MD5 algorithm.
+   */
+  readonly attribute AString md5Fingerprint;
+
+  /**
+   *  A human readable name identifying the hardware or
+   *  software token the certificate is stored on.
+   */
+  readonly attribute AString tokenName;
+
+  /**
+   *  The subject identifying the issuer certificate.
+   */
+  readonly attribute AString issuerName;
+
+  /**
+   *  The serial number the issuer assigned to this certificate.
+   */
+  readonly attribute AString serialNumber;
+
+  /**
+   *  The issuer subject's common name.
+   */
+  readonly attribute AString issuerCommonName;
+
+  /**
+   *  The issuer subject's organization.
+   */
+  readonly attribute AString issuerOrganization;
+
+  /**
+   *  The issuer subject's organizational unit.
+   */
+  readonly attribute AString issuerOrganizationUnit;
+
+  /**
+   *  The certificate used by the issuer to sign this certificate.
+   */
+  readonly attribute nsIX509Cert issuer;
+
+  /**
+   *  This certificate's validity period.
+   */
+  readonly attribute nsIX509CertValidity validity;
+
+  /**
+   *  A unique identifier of this certificate within the local storage.
+   */
+  readonly attribute string dbKey;
+
+  /**
+   *  A human readable identifier to label this certificate.
+   */
+  readonly attribute string windowTitle;
+
+  /**
+   *  Constants to classify the type of a certificate.
+   */
+  const unsigned long UNKNOWN_CERT =      0;
+  const unsigned long CA_CERT      = 1 << 0;
+  const unsigned long USER_CERT    = 1 << 1;
+  const unsigned long EMAIL_CERT   = 1 << 2;
+  const unsigned long SERVER_CERT  = 1 << 3;
+
+  /**
+   *  Constants for certificate verification results.
+   */
+  const unsigned long VERIFIED_OK          =      0;
+  const unsigned long NOT_VERIFIED_UNKNOWN = 1 << 0;
+  const unsigned long CERT_REVOKED         = 1 << 1;
+  const unsigned long CERT_EXPIRED         = 1 << 2;
+  const unsigned long CERT_NOT_TRUSTED     = 1 << 3;
+  const unsigned long ISSUER_NOT_TRUSTED   = 1 << 4;
+  const unsigned long ISSUER_UNKNOWN       = 1 << 5;
+  const unsigned long INVALID_CA           = 1 << 6;
+  const unsigned long USAGE_NOT_ALLOWED    = 1 << 7;
+  
+  /**
+   *  Constants that describe the certified usages of a certificate.
+   */
+  const unsigned long CERT_USAGE_SSLClient = 0;
+  const unsigned long CERT_USAGE_SSLServer = 1;
+  const unsigned long CERT_USAGE_SSLServerWithStepUp = 2;
+  const unsigned long CERT_USAGE_SSLCA = 3;
+  const unsigned long CERT_USAGE_EmailSigner = 4;
+  const unsigned long CERT_USAGE_EmailRecipient = 5;
+  const unsigned long CERT_USAGE_ObjectSigner = 6;
+  const unsigned long CERT_USAGE_UserCertImport = 7;
+  const unsigned long CERT_USAGE_VerifyCA = 8;
+  const unsigned long CERT_USAGE_ProtectedObjectSigner = 9;
+  const unsigned long CERT_USAGE_StatusResponder = 10;
+  const unsigned long CERT_USAGE_AnyCA = 11;
+
+  /**
+   *  Obtain a list of certificates that contains this certificate 
+   *  and the issuing certificates of all involved issuers,
+   *  up to the root issuer.
+   *
+   *  @return The chain of certifficates including the issuers.
+   */
+  nsIArray getChain();
+
+  /**
+   *  Obtain an array of human readable strings describing
+   *  the certificate's certified usages.
+   *
+   *  @param ignoreOcsp Do not use OCSP even if it is currently activated.
+   *  @param verified The certificate verification result, see constants.
+   *  @param count The number of human readable usages returned.
+   *  @param usages The array of human readable usages.
+   */
+  void getUsagesArray(in boolean ignoreOcsp,
+                      out PRUint32 verified,
+                      out PRUint32 count, 
+                      [array, size_is(count)] out wstring usages);
+
+  /**
+   *  Obtain a single comma separated human readable string describing
+   *  the certificate's certified usages.
+   *
+   *  @param ignoreOcsp Do not use OCSP even if it is currently activated.
+   *  @param verified The certificate verification result, see constants.
+   *  @param purposes The string listing the usages.
+   */
+  void getUsagesString(in boolean ignoreOcsp, out PRUint32 verified, out AString usages);
+
+  /**
+   *  Verify the certificate for a particular usage.
+   *
+   *  @return The certificate verification result, see constants.
+   */
+   unsigned long verifyForUsage(in unsigned long usage);
+
+  /**
+   *  This is the attribute which describes the ASN1 layout
+   *  of the certificate.  This can be used when doing a
+   *  "pretty print" of the certificate's ASN1 structure.
+   */
+  readonly attribute nsIASN1Object ASN1Structure;
+
+  /**
+   *  Obtain a raw binary encoding of this certificate
+   *  in DER format.
+   *
+   *  @param length The number of bytes in the binary encoding.
+   *  @param data The bytes representing the DER encoded certificate.
+   */
+  void getRawDER(out unsigned long length,
+	               [retval, array, size_is(length)] out octet data);
+
+  /**
+   *  Test whether two certificate instances represent the 
+   *  same certificate.
+   *
+   *  @return Whether the certificates are equal
+   */
+  boolean equals(in nsIX509Cert other);
+};
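Review bot: `getRawDER` near the end of the interface says nothing about who owns the returned `data` buffer; by the usual XPCOM out-array convention the caller must free it with nsMemory::Free, and the NTLM caller removed in this same changeset assigned it straight to `inBuf` without releasing it, which suggests the contract is easy to miss. I would state it in the doc block: ` *  The caller owns the returned buffer and must release it with nsMemory::Free.` (confirm against the nsNSSCertificate implementation). `md5Fingerprint` also deserves a caveat that MD5 is collision-prone and must not be used to decide trust or pin a certificate, and `sha1Fingerprint` is weak for the same purpose; a line such as ` *  For display only; do not use this value as a trust decision.` on each would make that explicit.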