Bug 637361: Backout bug 573043
authorBrian Smith <bsmith@mozilla.com>
Tue, 01 Mar 2011 19:11:22 -0800
changeset 63245 3c5f25ac14bf2cdfc5855c7aee09980c1d32b35e
parent 62191 52384369a8d479cecf829debe21e31be78cd8de0
child 63246 dad15c7d80d7d0bbf7f2c02ca06ed2c5f8e00ede
Bug 637361: Backout bug 573043
extensions/auth/nsAuthSSPI.cpp
extensions/auth/nsAuthSSPI.h
netwerk/base/public/Makefile.in
netwerk/base/public/nsISSLStatus.idl
netwerk/base/public/nsISSLStatusProvider.idl
netwerk/base/public/nsIX509Cert.idl
netwerk/protocol/http/nsHttpNTLMAuth.cpp
netwerk/protocol/http/nsHttpNTLMAuth.h
security/manager/boot/public/Makefile.in
security/manager/boot/public/nsISSLStatusProvider.idl
security/manager/ssl/public/Makefile.in
security/manager/ssl/public/nsISSLStatus.idl
security/manager/ssl/public/nsIX509Cert.idl
--- a/extensions/auth/nsAuthSSPI.cpp
+++ b/extensions/auth/nsAuthSSPI.cpp
@@ -16,17 +16,16 @@
  *
  * The Initial Developer of the Original Code is IBM Corporation.
  * Portions created by the Initial Developer are Copyright (C) 2004
  * the Initial Developer. All Rights Reserved.
  *
  * Contributor(s):
  *   Darin Fisher <darin@meer.net>
  *   Jim Mathies <jmathies@mozilla.com>
- *   Guillermo Robla Vicario <groblavicario@gmail.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  * in which case the provisions of the GPL or the LGPL are applicable instead
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
@@ -48,17 +47,16 @@
 //
 
 #include "nsAuthSSPI.h"
 #include "nsIServiceManager.h"
 #include "nsIDNSService.h"
 #include "nsIDNSRecord.h"
 #include "nsNetCID.h"
 #include "nsCOMPtr.h"
-#include "nsICryptoHash.h"
 
 #include <windows.h>
 
 #define SEC_SUCCESS(Status) ((Status) >= 0)
 
 #ifndef KERB_WRAP_NO_ENCRYPT
 #define KERB_WRAP_NO_ENCRYPT 0x80000001
 #endif
@@ -187,18 +185,16 @@ MakeSN(const char *principal, nsCString 
 }
 
 //-----------------------------------------------------------------------------
 
 nsAuthSSPI::nsAuthSSPI(pType package)
     : mServiceFlags(REQ_DEFAULT)
     , mMaxTokenLen(0)
     , mPackage(package)
-    , mCertDERData(nsnull)
-    , mCertDERLength(0)
 {
     memset(&mCred, 0, sizeof(mCred));
     memset(&mCtxt, 0, sizeof(mCtxt));
 }
 
 nsAuthSSPI::~nsAuthSSPI()
 {
     Reset();
@@ -211,24 +207,16 @@ nsAuthSSPI::~nsAuthSSPI()
 #endif
         memset(&mCred, 0, sizeof(mCred));
     }
 }
 
 void
 nsAuthSSPI::Reset()
 {
-    mIsFirst = PR_TRUE;
-
-    if (mCertDERData){
-        nsMemory::Free(mCertDERData);
-        mCertDERData = nsnull;
-        mCertDERLength = 0;   
-    }
-
     if (mCtxt.dwLower || mCtxt.dwUpper) {
         (sspi->DeleteSecurityContext)(&mCtxt);
         memset(&mCtxt, 0, sizeof(mCtxt));
     }
 }
 
 NS_IMPL_ISUPPORTS1(nsAuthSSPI, nsIAuthModule)
 
@@ -236,20 +224,16 @@ NS_IMETHODIMP
 nsAuthSSPI::Init(const char *serviceName,
                  PRUint32    serviceFlags,
                  const PRUnichar *domain,
                  const PRUnichar *username,
                  const PRUnichar *password)
 {
     LOG(("  nsAuthSSPI::Init\n"));
 
-    mIsFirst = PR_TRUE;
-    mCertDERLength = 0;
-    mCertDERData = nsnull;
-
     // The caller must supply a service name to be used. (For why we now require
     // a service name for NTLM, see bug 487872.)
     NS_ENSURE_TRUE(serviceName && *serviceName, NS_ERROR_INVALID_ARG);
 
     nsresult rv;
 
     // XXX lazy initialization like this assumes that we are single threaded
     if (!sspi) {
@@ -325,186 +309,73 @@ nsAuthSSPI::Init(const char *serviceName
                                            &mCred,
                                            &useBefore);
     if (rc != SEC_E_OK)
         return NS_ERROR_UNEXPECTED;
     LOG(("AcquireCredentialsHandle() succeeded.\n"));
     return NS_OK;
 }
 
-// The arguments inToken and inTokenLen are used to pass in the server
-// certificate (when available) in the first call of the function. The
-// second time these arguments hold an input token. 
 NS_IMETHODIMP
 nsAuthSSPI::GetNextToken(const void *inToken,
                          PRUint32    inTokenLen,
                          void      **outToken,
                          PRUint32   *outTokenLen)
 {
-    // String for end-point bindings.
-    const char end_point[] = "tls-server-end-point:"; 
-    const int end_point_length = sizeof(end_point) - 1;
-    const int hash_size = 32;  // Size of a SHA256 hash.
-    const int cbt_size = hash_size + end_point_length;
-	
     SECURITY_STATUS rc;
     TimeStamp ignored;
 
     DWORD ctxAttr, ctxReq = 0;
     CtxtHandle *ctxIn;
     SecBufferDesc ibd, obd;
-    // Optional second input buffer for the CBT (Channel Binding Token)
-    SecBuffer ib[2], ob;
-    // Pointer to the block of memory that stores the CBT
-    char* sspi_cbt = nsnull;
-    SEC_CHANNEL_BINDINGS pendpoint_binding;
+    SecBuffer ib, ob;
 
     LOG(("entering nsAuthSSPI::GetNextToken()\n"));
 
     if (!mCred.dwLower && !mCred.dwUpper) {
         LOG(("nsAuthSSPI::GetNextToken(), not initialized. exiting."));
         return NS_ERROR_NOT_INITIALIZED;
     }
 
     if (mServiceFlags & REQ_DELEGATE)
         ctxReq |= ISC_REQ_DELEGATE;
     if (mServiceFlags & REQ_MUTUAL_AUTH)
         ctxReq |= ISC_REQ_MUTUAL_AUTH;
 
     if (inToken) {
-        if (mIsFirst) {
-            // First time if it comes with a token,
-            // the token represents the server certificate.
-            mIsFirst = PR_FALSE;
-            mCertDERLength = inTokenLen;
-            mCertDERData = nsMemory::Alloc(inTokenLen);
-            if (!mCertDERData)
-                return NS_ERROR_OUT_OF_MEMORY;
-            memcpy(mCertDERData, inToken, inTokenLen);
-
-            // We are starting a new authentication sequence.  
-            // If we have already initialized our
-            // security context, then we're in trouble because it means that the
-            // first sequence failed.  We need to bail or else we might end up in
-            // an infinite loop.
-            if (mCtxt.dwLower || mCtxt.dwUpper) {
-                LOG(("Cannot restart authentication sequence!"));
-                return NS_ERROR_UNEXPECTED;
-            }
-            ctxIn = nsnull;
-            // The certificate needs to be erased before being passed 
-            // to InitializeSecurityContextW().
-            inToken = nsnull;
-            inTokenLen = 0;
-        } else {
-            ibd.ulVersion = SECBUFFER_VERSION;
-            ibd.cBuffers = 0;
-            ibd.pBuffers = ib;
-            
-            // If we have stored a certificate, the Channel Binding Token
-            // needs to be generated and sent in the first input buffer.
-            if (mCertDERLength > 0) {
-                // First we create a proper Endpoint Binding structure. 
-                pendpoint_binding.dwInitiatorAddrType = 0;
-                pendpoint_binding.cbInitiatorLength = 0;
-                pendpoint_binding.dwInitiatorOffset = 0;
-                pendpoint_binding.dwAcceptorAddrType = 0;
-                pendpoint_binding.cbAcceptorLength = 0;
-                pendpoint_binding.dwAcceptorOffset = 0;
-                pendpoint_binding.cbApplicationDataLength = cbt_size;
-                pendpoint_binding.dwApplicationDataOffset = 
-                                            sizeof(SEC_CHANNEL_BINDINGS);
-
-                // Then add it to the array of sec buffers accordingly.
-                ib[ibd.cBuffers].BufferType = SECBUFFER_CHANNEL_BINDINGS;
-                ib[ibd.cBuffers].cbBuffer =
-                        pendpoint_binding.cbApplicationDataLength
-                        + pendpoint_binding.dwApplicationDataOffset;
-          
-                sspi_cbt = (char *) nsMemory::Alloc(ib[ibd.cBuffers].cbBuffer);
-                if (!sspi_cbt){
-                    return NS_ERROR_OUT_OF_MEMORY;
-                }
-
-                // Helper to write in the memory block that stores the CBT
-                char* sspi_cbt_ptr = sspi_cbt;
-          
-                ib[ibd.cBuffers].pvBuffer = sspi_cbt;
-                ibd.cBuffers++;
-
-                memcpy(sspi_cbt_ptr, &pendpoint_binding,
-                       pendpoint_binding.dwApplicationDataOffset);
-                sspi_cbt_ptr += pendpoint_binding.dwApplicationDataOffset;
-
-                memcpy(sspi_cbt_ptr, end_point, end_point_length);
-                sspi_cbt_ptr += end_point_length;
-          
-                // Start hashing. We are always doing SHA256, but depending
-                // on the certificate, a different alogirthm might be needed.
-                nsCAutoString hashString;
-
-                nsresult rv;
-                nsCOMPtr<nsICryptoHash> crypto;
-                crypto = do_CreateInstance(NS_CRYPTO_HASH_CONTRACTID, &rv);
-                if (NS_SUCCEEDED(rv))
-                    rv = crypto->Init(nsICryptoHash::SHA256);
-                if (NS_SUCCEEDED(rv))
-                    rv = crypto->Update((unsigned char*)mCertDERData, mCertDERLength);
-                if (NS_SUCCEEDED(rv))
-                    rv = crypto->Finish(PR_FALSE, hashString);
-                if (NS_FAILED(rv)) {
-                    nsMemory::Free(mCertDERData);
-                    mCertDERData = nsnull;
-                    mCertDERLength = 0;
-                    nsMemory::Free(sspi_cbt);
-                    return rv;
-                }
-          
-                // Once the hash has been computed, we store it in memory right
-                // after the Endpoint structure and the "tls-server-end-point:"
-                // char array.
-                memcpy(sspi_cbt_ptr, hashString.get(), hash_size);
-          
-                // Free memory used to store the server certificate
-                nsMemory::Free(mCertDERData);
-                mCertDERData = nsnull;
-                mCertDERLength = 0;
-            } // End of CBT computation.
-
-            // We always need this SECBUFFER.
-            ib[ibd.cBuffers].BufferType = SECBUFFER_TOKEN;
-            ib[ibd.cBuffers].cbBuffer = inTokenLen;
-            ib[ibd.cBuffers].pvBuffer = (void *) inToken;
-            ibd.cBuffers++;
-            ctxIn = &mCtxt;
-        }
-    } else { // First time and without a token (no server certificate)
-        // We are starting a new authentication sequence.  If we have already 
-        // initialized our security context, then we're in trouble because it 
-        // means that the first sequence failed.  We need to bail or else we 
-        // might end up in an infinite loop.
-        if (mCtxt.dwLower || mCtxt.dwUpper || mCertDERData || mCertDERLength) {
+        ib.BufferType = SECBUFFER_TOKEN;
+        ib.cbBuffer = inTokenLen;
+        ib.pvBuffer = (void *) inToken;
+        ibd.ulVersion = SECBUFFER_VERSION;
+        ibd.cBuffers = 1;
+        ibd.pBuffers = &ib;
+        ctxIn = &mCtxt;
+    }
+    else {
+        // If there is no input token, then we are starting a new
+        // authentication sequence.  If we have already initialized our
+        // security context, then we're in trouble because it means that the
+        // first sequence failed.  We need to bail or else we might end up in
+        // an infinite loop.
+        if (mCtxt.dwLower || mCtxt.dwUpper) {
             LOG(("Cannot restart authentication sequence!"));
             return NS_ERROR_UNEXPECTED;
         }
+
         ctxIn = NULL;
-        mIsFirst = PR_FALSE;
     }
 
     obd.ulVersion = SECBUFFER_VERSION;
     obd.cBuffers = 1;
     obd.pBuffers = &ob;
     ob.BufferType = SECBUFFER_TOKEN;
     ob.cbBuffer = mMaxTokenLen;
     ob.pvBuffer = nsMemory::Alloc(ob.cbBuffer);
-    if (!ob.pvBuffer){
-        if (sspi_cbt)
-            nsMemory::Free(sspi_cbt);
+    if (!ob.pvBuffer)
         return NS_ERROR_OUT_OF_MEMORY;
-    }
     memset(ob.pvBuffer, 0, ob.cbBuffer);
 
     NS_ConvertUTF8toUTF16 wSN(mServiceName);
     SEC_WCHAR *sn = (SEC_WCHAR *) wSN.get();
 
     rc = (sspi->InitializeSecurityContextW)(&mCred,
                                             ctxIn,
                                             sn,
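Review bot: With the channel-binding branch removed, the only input buffer handed to InitializeSecurityContextW is the single SECBUFFER_TOKEN set up at `ib.BufferType = SECBUFFER_TOKEN;` with `ibd.cBuffers = 1;`, so the resulting security context is no longer tied to the outer TLS channel; that is the intended effect of the backout, but the restored code does not record it, and a later reader of GetNextToken has no way to tell the omission is deliberate. Suggest a comment above `SecBuffer ib, ob;`: `// Only the opaque auth token is passed in; no SECBUFFER_CHANNEL_BINDINGS buffer is supplied, so the context is not bound to the TLS channel (channel binding from bug 573043 was backed out in bug 637361).` The hunk opens inside the tail of nsAuthSSPI::Init, and GetNextToken continues past the hunk's last line.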
@@ -520,19 +391,17 @@ nsAuthSSPI::GetNextToken(const void *inT
     if (rc == SEC_I_CONTINUE_NEEDED || rc == SEC_E_OK) {
 
 #ifdef PR_LOGGING
         if (rc == SEC_E_OK)
             LOG(("InitializeSecurityContext: succeeded.\n"));
         else
             LOG(("InitializeSecurityContext: continue.\n"));
 #endif
-        if (sspi_cbt)
-            nsMemory::Free(sspi_cbt);
-            
+
         if (!ob.cbBuffer) {
             nsMemory::Free(ob.pvBuffer);
             ob.pvBuffer = NULL;
         }
         *outToken = ob.pvBuffer;
         *outTokenLen = ob.cbBuffer;
 
         if (rc == SEC_E_OK)
--- a/extensions/auth/nsAuthSSPI.h
+++ b/extensions/auth/nsAuthSSPI.h
@@ -15,17 +15,16 @@
  * The Original Code is the SSPI NegotiateAuth Module.
  *
  * The Initial Developer of the Original Code is IBM Corporation.
  * Portions created by the Initial Developer are Copyright (C) 2004
  * the Initial Developer. All Rights Reserved.
  *
  * Contributor(s):
  *   Darin Fisher <darin@meer.net>
- *   Guillermo Robla Vicario <groblavicario@gmail.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  * in which case the provisions of the GPL or the LGPL are applicable instead
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
@@ -77,14 +76,11 @@ private:
     CtxtHandle   mCtxt;
     nsCString    mServiceName;
     PRUint32     mServiceFlags;
     PRUint32     mMaxTokenLen;
     pType        mPackage;
     nsString     mDomain;
     nsString     mUsername;
     nsString     mPassword;
-    PRBool       mIsFirst;	
-    void*        mCertDERData; 
-    PRUint32     mCertDERLength;
 };
 
 #endif /* nsAuthSSPI_h__ */
--- a/netwerk/base/public/Makefile.in
+++ b/netwerk/base/public/Makefile.in
@@ -54,17 +54,16 @@ SDK_XPIDLSRCS   = \
 		nsIStreamListener.idl \
 		nsIIOService.idl \
 		nsIURI.idl \
 		nsIURL.idl \
 		nsIFileURL.idl \
 		nsIUploadChannel.idl \
 		nsIUnicharStreamListener.idl \
 		nsITraceableChannel.idl \
-		nsIX509Cert.idl \
 		$(NULL)
 
 XPIDLSRCS	= \
 		nsIApplicationCache.idl \
 		nsIApplicationCacheChannel.idl \
 		nsIApplicationCacheContainer.idl \
 		nsIApplicationCacheService.idl \
 		nsIAuthInformation.idl \
@@ -139,18 +138,16 @@ XPIDLSRCS	= \
 		nsIProxiedChannel.idl \
 		nsIRandomGenerator.idl \
 		nsIStrictTransportSecurityService.idl \
 		nsIURIWithPrincipal.idl \
 		nsIURIClassifier.idl \
 		nsIRedirectResultListener.idl \
 		mozIThirdPartyUtil.idl \
 		nsISerializationHelper.idl \
-		nsISSLStatus.idl \
-		nsISSLStatusProvider.idl \
 		$(NULL)
 
 ifdef MOZ_IPC
 XPIDLSRCS	+= \
 		nsIChildChannel.idl \
 		nsIParentChannel.idl \
 		nsIParentRedirectingChannel.idl \
 		nsIRedirectChannelRegistrar.idl
deleted file mode 100644
--- a/netwerk/base/public/nsISSLStatus.idl
+++ /dev/null
@@ -1,62 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is mozilla.org code.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Terry Hayes <thayes@netscape.com>
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nsISupports.idl"
-
-interface nsIX509Cert;
-
-[scriptable, uuid(cfede939-def1-49be-81ed-d401b3a07d1c)]
-interface nsISSLStatus : nsISupports {
-  readonly attribute nsIX509Cert serverCert;
-
-  readonly attribute string cipherName;
-  readonly attribute unsigned long keyLength;
-  readonly attribute unsigned long secretKeyLength;
-
-  readonly attribute boolean isDomainMismatch;
-  readonly attribute boolean isNotValidAtThisTime;
-
-  /* Note: To distinguish between 
-   *         "unstrusted because missing or untrusted issuer"
-   *       and 
-   *         "untrusted because self signed"
-   *       query nsIX509Cert3::isSelfSigned 
-   */
-  readonly attribute boolean isUntrusted;
-};
deleted file mode 100644
--- a/netwerk/base/public/nsISSLStatusProvider.idl
+++ /dev/null
@@ -1,44 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is mozilla.org code.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 2001
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Terry Hayes <thayes@netscape.com>
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nsISupports.idl"
-
-[scriptable, uuid(8de811f0-1dd2-11b2-8bf1-e9aa324984b2)]
-interface nsISSLStatusProvider : nsISupports {
-  readonly attribute nsISupports SSLStatus;
-};
deleted file mode 100644
--- a/netwerk/base/public/nsIX509Cert.idl
+++ /dev/null
@@ -1,268 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
- *
- * ***** BEGIN LICENSE BLOCK *****
- * Version: MPL 1.1/GPL 2.0/LGPL 2.1
- *
- * The contents of this file are subject to the Mozilla Public License Version
- * 1.1 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- * http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS IS" basis,
- * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- * for the specific language governing rights and limitations under the
- * License.
- *
- * The Original Code is mozilla.org code.
- *
- * The Initial Developer of the Original Code is
- * Netscape Communications Corporation.
- * Portions created by the Initial Developer are Copyright (C) 1998
- * the Initial Developer. All Rights Reserved.
- *
- * Contributor(s):
- *   Javier Delgadillo <javi@netscape.com>
- *
- * Alternatively, the contents of this file may be used under the terms of
- * either the GNU General Public License Version 2 or later (the "GPL"), or
- * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- * in which case the provisions of the GPL or the LGPL are applicable instead
- * of those above. If you wish to allow use of your version of this file only
- * under the terms of either the GPL or the LGPL, and not to allow others to
- * use your version of this file under the terms of the MPL, indicate your
- * decision by deleting the provisions above and replace them with the notice
- * and other provisions required by the GPL or the LGPL. If you do not delete
- * the provisions above, a recipient may use your version of this file under
- * the terms of any one of the MPL, the GPL or the LGPL.
- *
- * ***** END LICENSE BLOCK ***** */
-
-#include "nsISupports.idl"
-
-interface nsIArray;
-interface nsIX509CertValidity;
-interface nsIASN1Object;
-
-/**
- * This represents a X.509 certificate.
- */
-[scriptable, uuid(f0980f60-ee3d-11d4-998b-00b0d02354a0)]
-interface nsIX509Cert : nsISupports {
-
-  /**
-   *  A nickname for the certificate.
-   */
-  readonly attribute AString nickname;
-
-  /**
-   *  The primary email address of the certificate, if present.
-   */
-  readonly attribute AString emailAddress;
-
-  /**
-   *  Obtain a list of all email addresses
-   *  contained in the certificate.
-   *
-   *  @param length The number of strings in the returned array.
-   *  @return An array of email addresses.
-   */
-  void getEmailAddresses(out unsigned long length, 
-                         [retval, array, size_is(length)] out wstring addresses);
-
-  /**
-   *  Check whether a given address is contained in the certificate.
-   *  The comparison will convert the email address to lowercase.
-   *  The behaviour for non ASCII characters is undefined.
-   *
-   *  @param aEmailAddress The address to search for.
-   *                
-   *  @return True if the address is contained in the certificate.
-   */
-  boolean containsEmailAddress(in AString aEmailAddress);
-
-  /**
-   *  The subject owning the certificate.
-   */
-  readonly attribute AString subjectName;
-
-  /**
-   *  The subject's common name.
-   */
-  readonly attribute AString commonName;
-
-  /**
-   *  The subject's organization.
-   */
-  readonly attribute AString organization;
-
-  /**
-   *  The subject's organizational unit.
-   */
-  readonly attribute AString organizationalUnit;
-
-  /**
-   *  The fingerprint of the certificate's public key,
-   *  calculated using the SHA1 algorithm.
-   */
-  readonly attribute AString sha1Fingerprint;
-
-  /**
-   *  The fingerprint of the certificate's public key,
-   *  calculated using the MD5 algorithm.
-   */
-  readonly attribute AString md5Fingerprint;
-
-  /**
-   *  A human readable name identifying the hardware or
-   *  software token the certificate is stored on.
-   */
-  readonly attribute AString tokenName;
-
-  /**
-   *  The subject identifying the issuer certificate.
-   */
-  readonly attribute AString issuerName;
-
-  /**
-   *  The serial number the issuer assigned to this certificate.
-   */
-  readonly attribute AString serialNumber;
-
-  /**
-   *  The issuer subject's common name.
-   */
-  readonly attribute AString issuerCommonName;
-
-  /**
-   *  The issuer subject's organization.
-   */
-  readonly attribute AString issuerOrganization;
-
-  /**
-   *  The issuer subject's organizational unit.
-   */
-  readonly attribute AString issuerOrganizationUnit;
-
-  /**
-   *  The certificate used by the issuer to sign this certificate.
-   */
-  readonly attribute nsIX509Cert issuer;
-
-  /**
-   *  This certificate's validity period.
-   */
-  readonly attribute nsIX509CertValidity validity;
-
-  /**
-   *  A unique identifier of this certificate within the local storage.
-   */
-  readonly attribute string dbKey;
-
-  /**
-   *  A human readable identifier to label this certificate.
-   */
-  readonly attribute string windowTitle;
-
-  /**
-   *  Constants to classify the type of a certificate.
-   */
-  const unsigned long UNKNOWN_CERT =      0;
-  const unsigned long CA_CERT      = 1 << 0;
-  const unsigned long USER_CERT    = 1 << 1;
-  const unsigned long EMAIL_CERT   = 1 << 2;
-  const unsigned long SERVER_CERT  = 1 << 3;
-
-  /**
-   *  Constants for certificate verification results.
-   */
-  const unsigned long VERIFIED_OK          =      0;
-  const unsigned long NOT_VERIFIED_UNKNOWN = 1 << 0;
-  const unsigned long CERT_REVOKED         = 1 << 1;
-  const unsigned long CERT_EXPIRED         = 1 << 2;
-  const unsigned long CERT_NOT_TRUSTED     = 1 << 3;
-  const unsigned long ISSUER_NOT_TRUSTED   = 1 << 4;
-  const unsigned long ISSUER_UNKNOWN       = 1 << 5;
-  const unsigned long INVALID_CA           = 1 << 6;
-  const unsigned long USAGE_NOT_ALLOWED    = 1 << 7;
-  
-  /**
-   *  Constants that describe the certified usages of a certificate.
-   */
-  const unsigned long CERT_USAGE_SSLClient = 0;
-  const unsigned long CERT_USAGE_SSLServer = 1;
-  const unsigned long CERT_USAGE_SSLServerWithStepUp = 2;
-  const unsigned long CERT_USAGE_SSLCA = 3;
-  const unsigned long CERT_USAGE_EmailSigner = 4;
-  const unsigned long CERT_USAGE_EmailRecipient = 5;
-  const unsigned long CERT_USAGE_ObjectSigner = 6;
-  const unsigned long CERT_USAGE_UserCertImport = 7;
-  const unsigned long CERT_USAGE_VerifyCA = 8;
-  const unsigned long CERT_USAGE_ProtectedObjectSigner = 9;
-  const unsigned long CERT_USAGE_StatusResponder = 10;
-  const unsigned long CERT_USAGE_AnyCA = 11;
-
-  /**
-   *  Obtain a list of certificates that contains this certificate 
-   *  and the issuing certificates of all involved issuers,
-   *  up to the root issuer.
-   *
-   *  @return The chain of certifficates including the issuers.
-   */
-  nsIArray getChain();
-
-  /**
-   *  Obtain an array of human readable strings describing
-   *  the certificate's certified usages.
-   *
-   *  @param ignoreOcsp Do not use OCSP even if it is currently activated.
-   *  @param verified The certificate verification result, see constants.
-   *  @param count The number of human readable usages returned.
-   *  @param usages The array of human readable usages.
-   */
-  void getUsagesArray(in boolean ignoreOcsp,
-                      out PRUint32 verified,
-                      out PRUint32 count, 
-                      [array, size_is(count)] out wstring usages);
-
-  /**
-   *  Obtain a single comma separated human readable string describing
-   *  the certificate's certified usages.
-   *
-   *  @param ignoreOcsp Do not use OCSP even if it is currently activated.
-   *  @param verified The certificate verification result, see constants.
-   *  @param purposes The string listing the usages.
-   */
-  void getUsagesString(in boolean ignoreOcsp, out PRUint32 verified, out AString usages);
-
-  /**
-   *  Verify the certificate for a particular usage.
-   *
-   *  @return The certificate verification result, see constants.
-   */
-   unsigned long verifyForUsage(in unsigned long usage);
-
-  /**
-   *  This is the attribute which describes the ASN1 layout
-   *  of the certificate.  This can be used when doing a
-   *  "pretty print" of the certificate's ASN1 structure.
-   */
-  readonly attribute nsIASN1Object ASN1Structure;
-
-  /**
-   *  Obtain a raw binary encoding of this certificate
-   *  in DER format.
-   *
-   *  @param length The number of bytes in the binary encoding.
-   *  @param data The bytes representing the DER encoded certificate.
-   */
-  void getRawDER(out unsigned long length,
-	               [retval, array, size_is(length)] out octet data);
-
-  /**
-   *  Test whether two certificate instances represent the 
-   *  same certificate.
-   *
-   *  @return Whether the certificates are equal
-   */
-  boolean equals(in nsIX509Cert other);
-};
--- a/netwerk/protocol/http/nsHttpNTLMAuth.cpp
+++ b/netwerk/protocol/http/nsHttpNTLMAuth.cpp
@@ -17,17 +17,16 @@
  * The Initial Developer of the Original Code is
  * Netscape Communications Corporation.
  * Portions created by the Initial Developer are Copyright (C) 2003
  * the Initial Developer. All Rights Reserved.
  *
  * Contributor(s):
  *   Darin Fisher <darin@meer.net>
  *   Jim Mathies <jmathies@mozilla.com>
- *   Guillermo Robla Vicario <groblavicario@gmail.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  * in which case the provisions of the GPL or the LGPL are applicable instead
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
@@ -48,19 +47,16 @@
 
 //-----------------------------------------------------------------------------
 
 #include "nsIPrefBranch.h"
 #include "nsIPrefService.h"
 #include "nsIServiceManager.h"
 #include "nsIHttpAuthenticableChannel.h"
 #include "nsIURI.h"
-#include "nsIX509Cert.h"
-#include "nsISSLStatus.h"
-#include "nsISSLStatusProvider.h"
 
 static const char kAllowProxies[] = "network.automatic-ntlm-auth.allow-proxies";
 static const char kTrustedURIs[]  = "network.automatic-ntlm-auth.trusted-uris";
 static const char kForceGeneric[] = "network.auth.force-generic-ntlm";
 
 // XXX MatchesBaseURI and TestPref are duplicated in nsHttpNegotiateAuth.cpp,
 // but since that file lives in a separate library we cannot directly share it.
 // bug 236865 addresses this problem.
@@ -234,19 +230,16 @@ nsHttpNTLMAuth::ChallengeReceived(nsIHtt
                                   PRBool          isProxyAuth,
                                   nsISupports   **sessionState,
                                   nsISupports   **continuationState,
                                   PRBool         *identityInvalid)
 {
     LOG(("nsHttpNTLMAuth::ChallengeReceived [ss=%p cs=%p]\n",
          *sessionState, *continuationState));
 
-    // Use the native NTLM if available
-    mUseNative = PR_TRUE;
-
     // NOTE: we don't define any session state, but we do use the pointer.
 
     *identityInvalid = PR_FALSE;
 
     // Start a new auth sequence if the challenge is exactly "NTLM".
     // If native NTLM auth apis are available and enabled through prefs,
     // try to use them.
     if (PL_strcasecmp(challenge, "NTLM") == 0) {
@@ -300,18 +293,16 @@ nsHttpNTLMAuth::ChallengeReceived(nsIHtt
                     return NS_ERROR_OUT_OF_MEMORY;
                 NS_ADDREF(*sessionState);
             }
 
             // Use our internal NTLM implementation. Note, this is less secure,
             // see bug 520607 for details.
             LOG(("Trying to fall back on internal ntlm auth.\n"));
             module = do_CreateInstance(NS_AUTH_MODULE_CONTRACTID_PREFIX "ntlm");
-	    
-            mUseNative = PR_FALSE;
 
             // Prompt user for domain, username, and password.
             *identityInvalid = PR_TRUE;
         }
 
         // If this fails, then it means that we cannot do NTLM auth.
         if (!module) {
             LOG(("No ntlm auth modules available.\n"));
@@ -370,75 +361,18 @@ nsHttpNTLMAuth::GenerateCredentials(nsIH
             return rv;
         serviceName.AppendLiteral("HTTP@");
         serviceName.Append(host);
         // initialize auth module
         rv = module->Init(serviceName.get(), nsIAuthModule::REQ_DEFAULT, domain, user, pass);
         if (NS_FAILED(rv))
             return rv;
 
-// This update enables updated Windows machines (Win7 or patched previous
-// versions) and Linux machines running Samba (updated for Channel 
-// Binding), to perform Channel Binding when authenticating using NTLMv2 
-// and an outer secure channel.
-// 
-// Currently only implemented for Windows, linux support will be landing in 
-// a separate patch, update this #ifdef accordingly then.
-#if defined (XP_WIN) /* || defined (LINUX) */
-        PRBool isHttps;
-        rv = uri->SchemeIs("https", &isHttps);
-        if (NS_FAILED(rv))
-            return rv;
-            
-        // When the url starts with https, we should retrieve the server 
-        // certificate and compute the CBT, but only when we are using
-        // the native NTLM implementation and not the internal one.
-        if (isHttps && mUseNative) {
-            nsCOMPtr<nsIChannel> channel = do_QueryInterface(authChannel, &rv);
-            if (NS_FAILED(rv))
-                return rv;
-
-            nsCOMPtr<nsISupports> security;
-            rv = channel->GetSecurityInfo(getter_AddRefs(security));
-            if (NS_FAILED(rv))
-                return rv;
-
-            nsCOMPtr<nsISSLStatusProvider> 
-                        statusProvider(do_QueryInterface(security));
-            NS_ENSURE_TRUE(statusProvider, NS_ERROR_FAILURE);
-
-            rv = statusProvider->GetSSLStatus(getter_AddRefs(security));
-            if (NS_FAILED(rv))
-                return rv;
-
-            nsCOMPtr<nsISSLStatus> status(do_QueryInterface(security));
-            NS_ENSURE_TRUE(status, NS_ERROR_FAILURE);
-
-            nsCOMPtr<nsIX509Cert> cert;
-            rv = status->GetServerCert(getter_AddRefs(cert));
-            if (NS_FAILED(rv))
-                return rv;
-
-            PRUint32 length;
-            PRUint8* certArray;
-            cert->GetRawDER(&length, &certArray);						  
-			
-            // If there is a server certificate, we pass it along the
-            // first time we call GetNextToken().
-            inBufLen = length;
-            inBuf = certArray;
-        } else { 
-            // If there is no server certificate, we don't pass anything.
-            inBufLen = 0;
-            inBuf = nsnull;
-        }
-#else // Extended protection update is just for Linux and Windows machines.
         inBufLen = 0;
         inBuf = nsnull;
-#endif
     }
     else {
         // decode challenge; skip past "NTLM " to the start of the base64
         // encoded data.
         int len = strlen(challenge);
         if (len < 6)
             return NS_ERROR_UNEXPECTED; // bogus challenge
         challenge += 5;
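Review bot: With the channel-binding block gone, `inBufLen = 0; inBuf = nsnull;` now runs unconditionally, so as far as this hunk shows the native NTLM module receives no server-certificate data on its first GetNextToken() call and no channel binding token can be derived from the outer TLS connection; the comment that explained this choice left with the backout. Suggest keeping a one-line note at this spot, e.g. `// No channel-binding input on the first call; see bug 637361 (backout of bug 573043).`, so the next reader does not assume extended protection is in place on the native path. The fallback to the internal module, which the earlier hunk already marks as less secure (bug 520607), is unaffected. GenerateCredentials begins before this hunk and continues after it.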
--- a/netwerk/protocol/http/nsHttpNTLMAuth.h
+++ b/netwerk/protocol/http/nsHttpNTLMAuth.h
@@ -15,17 +15,16 @@
  *
  * The Initial Developer of the Original Code is
  * Netscape Communications Corporation.
  * Portions created by the Initial Developer are Copyright (C) 2003
  * the Initial Developer. All Rights Reserved.
  *
  * Contributor(s):
  *   Darin Fisher <darin@netscape.com>
- *   Guillermo Robla Vicario <groblavicario@gmail.com>
  *
  * Alternatively, the contents of this file may be used under the terms of
  * either the GNU General Public License Version 2 or later (the "GPL"), or
  * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
  * in which case the provisions of the GPL or the LGPL are applicable instead
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
@@ -44,16 +43,11 @@
 class nsHttpNTLMAuth : public nsIHttpAuthenticator
 {
 public:
     NS_DECL_ISUPPORTS
     NS_DECL_NSIHTTPAUTHENTICATOR
 
     nsHttpNTLMAuth() {}
     virtual ~nsHttpNTLMAuth() {}
-
-private:
-    // This flag indicates whether we are using the native NTLM implementation
-    // or the internal one.
-    PRBool  mUseNative;
 };
 
 #endif // !nsHttpNTLMAuth_h__
--- a/security/manager/boot/public/Makefile.in
+++ b/security/manager/boot/public/Makefile.in
@@ -45,12 +45,13 @@ include $(DEPTH)/config/autoconf.mk
 MODULE = pipboot
 GRE_MODULE	= 1
 
 SDK_XPIDLSRCS = \
     nsISecurityWarningDialogs.idl \
     $(NULL)
 
 XPIDLSRCS = \
+    nsISSLStatusProvider.idl \
     nsIBufEntropyCollector.idl \
     $(NULL)
 
 include $(topsrcdir)/config/rules.mk
new file mode 100644
--- /dev/null
+++ b/security/manager/boot/public/nsISSLStatusProvider.idl
@@ -0,0 +1,44 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Terry Hayes <thayes@netscape.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nsISupports.idl"
+
+[scriptable, uuid(8de811f0-1dd2-11b2-8bf1-e9aa324984b2)]
+interface nsISSLStatusProvider : nsISupports {
+  readonly attribute nsISupports SSLStatus;
+};
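Review bot: `readonly attribute nsISupports SSLStatus;` carries no documentation, and its nsISupports type hides that callers are expected to QueryInterface the result to nsISSLStatus, which is what the code removed from nsHttpNTLMAuth.cpp in this same changeset did. Suggest a doc comment above the attribute such as `/** Status of the SSL connection this object describes; QueryInterface the result to nsISSLStatus. */`, and a sentence stating whether it may be null when no SSL status is available — that null case is an assumption to confirm against the implementers.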
--- a/security/manager/ssl/public/Makefile.in
+++ b/security/manager/ssl/public/Makefile.in
@@ -48,16 +48,17 @@ include $(DEPTH)/config/autoconf.mk
 MODULE = pipnss
 GRE_MODULE	= 1
 
 SDK_XPIDLSRCS = \
     nsIASN1Object.idl \
     nsIASN1Sequence.idl \
     nsICertificateDialogs.idl \
     nsICRLInfo.idl \
+    nsIX509Cert.idl \
     nsIX509CertDB.idl \
     nsIX509CertValidity.idl \
     $(NULL)
 
 XPIDLSRCS = \
     nsISSLCertErrorDialog.idl \
     nsIBadCertListener2.idl \
     nsISSLErrorListener.idl \
@@ -74,16 +75,17 @@ XPIDLSRCS = \
     nsIPKCS11Slot.idl \
     nsIPK11TokenDB.idl \
     nsICertPickDialogs.idl \
     nsIClientAuthDialogs.idl \
     nsIDOMCryptoDialogs.idl \
     nsIGenKeypairInfoDlg.idl \
     nsITokenDialogs.idl \
     nsITokenPasswordDialogs.idl \
+    nsISSLStatus.idl \
     nsIKeygenThread.idl \
     nsICMSSecureMessage.idl \
     nsIUserCertPicker.idl \
     nsIASN1PrintableItem.idl \
     nsICMSDecoder.idl \
     nsICMSEncoder.idl \
     nsICMSMessageErrors.idl \
     nsICMSMessage.idl \
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/public/nsISSLStatus.idl
@@ -0,0 +1,62 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 2001
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Terry Hayes <thayes@netscape.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nsISupports.idl"
+
+interface nsIX509Cert;
+
+[scriptable, uuid(cfede939-def1-49be-81ed-d401b3a07d1c)]
+interface nsISSLStatus : nsISupports {
+  readonly attribute nsIX509Cert serverCert;
+
+  readonly attribute string cipherName;
+  readonly attribute unsigned long keyLength;
+  readonly attribute unsigned long secretKeyLength;
+
+  readonly attribute boolean isDomainMismatch;
+  readonly attribute boolean isNotValidAtThisTime;
+
+  /* Note: To distinguish between 
+   *         "unstrusted because missing or untrusted issuer"
+   *       and 
+   *         "untrusted because self signed"
+   *       query nsIX509Cert3::isSelfSigned 
+   */
+  readonly attribute boolean isUntrusted;
+};
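Review bot: The comment reading `"unstrusted because missing or untrusted issuer"` has a typo and should read `"untrusted because missing or untrusted issuer"`. Beyond that, `serverCert`, `cipherName`, `keyLength`, `secretKeyLength` and the three boolean attributes have no doc comments; a line per attribute saying which certificate `serverCert` is (presumably the end-entity certificate the server presented — confirm against the implementation) and what distinguishes `keyLength` from `secretKeyLength` would make the interface usable without reading the implementation.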
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/public/nsIX509Cert.idl
@@ -0,0 +1,268 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is mozilla.org code.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1998
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Javier Delgadillo <javi@netscape.com>
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#include "nsISupports.idl"
+
+interface nsIArray;
+interface nsIX509CertValidity;
+interface nsIASN1Object;
+
+/**
+ * This represents a X.509 certificate.
+ */
+[scriptable, uuid(f0980f60-ee3d-11d4-998b-00b0d02354a0)]
+interface nsIX509Cert : nsISupports {
+
+  /**
+   *  A nickname for the certificate.
+   */
+  readonly attribute AString nickname;
+
+  /**
+   *  The primary email address of the certificate, if present.
+   */
+  readonly attribute AString emailAddress;
+
+  /**
+   *  Obtain a list of all email addresses
+   *  contained in the certificate.
+   *
+   *  @param length The number of strings in the returned array.
+   *  @return An array of email addresses.
+   */
+  void getEmailAddresses(out unsigned long length, 
+                         [retval, array, size_is(length)] out wstring addresses);
+
+  /**
+   *  Check whether a given address is contained in the certificate.
+   *  The comparison will convert the email address to lowercase.
+   *  The behaviour for non ASCII characters is undefined.
+   *
+   *  @param aEmailAddress The address to search for.
+   *                
+   *  @return True if the address is contained in the certificate.
+   */
+  boolean containsEmailAddress(in AString aEmailAddress);
+
+  /**
+   *  The subject owning the certificate.
+   */
+  readonly attribute AString subjectName;
+
+  /**
+   *  The subject's common name.
+   */
+  readonly attribute AString commonName;
+
+  /**
+   *  The subject's organization.
+   */
+  readonly attribute AString organization;
+
+  /**
+   *  The subject's organizational unit.
+   */
+  readonly attribute AString organizationalUnit;
+
+  /**
+   *  The fingerprint of the certificate's public key,
+   *  calculated using the SHA1 algorithm.
+   */
+  readonly attribute AString sha1Fingerprint;
+
+  /**
+   *  The fingerprint of the certificate's public key,
+   *  calculated using the MD5 algorithm.
+   */
+  readonly attribute AString md5Fingerprint;
+
+  /**
+   *  A human readable name identifying the hardware or
+   *  software token the certificate is stored on.
+   */
+  readonly attribute AString tokenName;
+
+  /**
+   *  The subject identifying the issuer certificate.
+   */
+  readonly attribute AString issuerName;
+
+  /**
+   *  The serial number the issuer assigned to this certificate.
+   */
+  readonly attribute AString serialNumber;
+
+  /**
+   *  The issuer subject's common name.
+   */
+  readonly attribute AString issuerCommonName;
+
+  /**
+   *  The issuer subject's organization.
+   */
+  readonly attribute AString issuerOrganization;
+
+  /**
+   *  The issuer subject's organizational unit.
+   */
+  readonly attribute AString issuerOrganizationUnit;
+
+  /**
+   *  The certificate used by the issuer to sign this certificate.
+   */
+  readonly attribute nsIX509Cert issuer;
+
+  /**
+   *  This certificate's validity period.
+   */
+  readonly attribute nsIX509CertValidity validity;
+
+  /**
+   *  A unique identifier of this certificate within the local storage.
+   */
+  readonly attribute string dbKey;
+
+  /**
+   *  A human readable identifier to label this certificate.
+   */
+  readonly attribute string windowTitle;
+
+  /**
+   *  Constants to classify the type of a certificate.
+   */
+  const unsigned long UNKNOWN_CERT =      0;
+  const unsigned long CA_CERT      = 1 << 0;
+  const unsigned long USER_CERT    = 1 << 1;
+  const unsigned long EMAIL_CERT   = 1 << 2;
+  const unsigned long SERVER_CERT  = 1 << 3;
+
+  /**
+   *  Constants for certificate verification results.
+   */
+  const unsigned long VERIFIED_OK          =      0;
+  const unsigned long NOT_VERIFIED_UNKNOWN = 1 << 0;
+  const unsigned long CERT_REVOKED         = 1 << 1;
+  const unsigned long CERT_EXPIRED         = 1 << 2;
+  const unsigned long CERT_NOT_TRUSTED     = 1 << 3;
+  const unsigned long ISSUER_NOT_TRUSTED   = 1 << 4;
+  const unsigned long ISSUER_UNKNOWN       = 1 << 5;
+  const unsigned long INVALID_CA           = 1 << 6;
+  const unsigned long USAGE_NOT_ALLOWED    = 1 << 7;
+  
+  /**
+   *  Constants that describe the certified usages of a certificate.
+   */
+  const unsigned long CERT_USAGE_SSLClient = 0;
+  const unsigned long CERT_USAGE_SSLServer = 1;
+  const unsigned long CERT_USAGE_SSLServerWithStepUp = 2;
+  const unsigned long CERT_USAGE_SSLCA = 3;
+  const unsigned long CERT_USAGE_EmailSigner = 4;
+  const unsigned long CERT_USAGE_EmailRecipient = 5;
+  const unsigned long CERT_USAGE_ObjectSigner = 6;
+  const unsigned long CERT_USAGE_UserCertImport = 7;
+  const unsigned long CERT_USAGE_VerifyCA = 8;
+  const unsigned long CERT_USAGE_ProtectedObjectSigner = 9;
+  const unsigned long CERT_USAGE_StatusResponder = 10;
+  const unsigned long CERT_USAGE_AnyCA = 11;
+
+  /**
+   *  Obtain a list of certificates that contains this certificate 
+   *  and the issuing certificates of all involved issuers,
+   *  up to the root issuer.
+   *
+   *  @return The chain of certifficates including the issuers.
+   */
+  nsIArray getChain();
+
+  /**
+   *  Obtain an array of human readable strings describing
+   *  the certificate's certified usages.
+   *
+   *  @param ignoreOcsp Do not use OCSP even if it is currently activated.
+   *  @param verified The certificate verification result, see constants.
+   *  @param count The number of human readable usages returned.
+   *  @param usages The array of human readable usages.
+   */
+  void getUsagesArray(in boolean ignoreOcsp,
+                      out PRUint32 verified,
+                      out PRUint32 count, 
+                      [array, size_is(count)] out wstring usages);
+
+  /**
+   *  Obtain a single comma separated human readable string describing
+   *  the certificate's certified usages.
+   *
+   *  @param ignoreOcsp Do not use OCSP even if it is currently activated.
+   *  @param verified The certificate verification result, see constants.
+   *  @param purposes The string listing the usages.
+   */
+  void getUsagesString(in boolean ignoreOcsp, out PRUint32 verified, out AString usages);
+
+  /**
+   *  Verify the certificate for a particular usage.
+   *
+   *  @return The certificate verification result, see constants.
+   */
+   unsigned long verifyForUsage(in unsigned long usage);
+
+  /**
+   *  This is the attribute which describes the ASN1 layout
+   *  of the certificate.  This can be used when doing a
+   *  "pretty print" of the certificate's ASN1 structure.
+   */
+  readonly attribute nsIASN1Object ASN1Structure;
+
+  /**
+   *  Obtain a raw binary encoding of this certificate
+   *  in DER format.
+   *
+   *  @param length The number of bytes in the binary encoding.
+   *  @param data The bytes representing the DER encoded certificate.
+   */
+  void getRawDER(out unsigned long length,
+	               [retval, array, size_is(length)] out octet data);
+
+  /**
+   *  Test whether two certificate instances represent the 
+   *  same certificate.
+   *
+   *  @return Whether the certificates are equal
+   */
+  boolean equals(in nsIX509Cert other);
+};
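Review bot: The `getUsagesString` doc block names `@param purposes`, but the declared out parameter is `usages`; change the tag to `@param usages The string listing the usages.`. The `getChain` `@return` line has the typo `certifficates`. The `sha1Fingerprint` and `md5Fingerprint` comments say the digest is of the certificate's public key; if, as is conventional for displayed fingerprints, it is computed over the whole DER-encoded certificate, the wording should say so — confirm against the implementation. `getRawDER` does not state who frees the returned `data` array; if it follows the usual XPCOM convention that the caller frees an `[array] out` buffer, one sentence saying so would help native callers such as the one removed from nsHttpNTLMAuth.cpp in this changeset.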