/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ #include "nsISupports.idl" interface nsIArray; interface nsIX509CertValidity; interface nsIASN1Object; interface nsICertVerificationListener; %{ C++ /* forward declaration */ typedef struct CERTCertificateStr CERTCertificate; %} [ptr] native CERTCertificatePtr(CERTCertificate); /** * This represents a X.509 certificate. */ [scriptable, uuid(f8ed8364-ced9-4c6e-86ba-48af53c393e6)] interface nsIX509Cert : nsISupports { /** * A nickname for the certificate. */ readonly attribute AString nickname; /** * The primary email address of the certificate, if present. */ readonly attribute AString emailAddress; /** * Obtain a list of all email addresses * contained in the certificate. * * @param length The number of strings in the returned array. * @return An array of email addresses. */ void getEmailAddresses(out unsigned long length, [retval, array, size_is(length)] out wstring addresses); /** * Check whether a given address is contained in the certificate. * The comparison will convert the email address to lowercase. * The behaviour for non ASCII characters is undefined. * * @param aEmailAddress The address to search for. * * @return True if the address is contained in the certificate. */ boolean containsEmailAddress(in AString aEmailAddress); /** * The subject owning the certificate. */ readonly attribute AString subjectName; /** * The subject's common name. */ readonly attribute AString commonName; /** * The subject's organization. */ readonly attribute AString organization; /** * The subject's organizational unit. */ readonly attribute AString organizationalUnit; /** * The fingerprint of the certificate's DER encoding, * calculated using the SHA-256 algorithm. */ readonly attribute AString sha256Fingerprint; /** * The fingerprint of the certificate's DER encoding, * calculated using the SHA1 algorithm. */ readonly attribute AString sha1Fingerprint; /** * A human readable name identifying the hardware or * software token the certificate is stored on. */ readonly attribute AString tokenName; /** * The subject identifying the issuer certificate. */ readonly attribute AString issuerName; /** * The serial number the issuer assigned to this certificate. */ readonly attribute AString serialNumber; /** * The issuer subject's common name. */ readonly attribute AString issuerCommonName; /** * The issuer subject's organization. */ readonly attribute AString issuerOrganization; /** * The issuer subject's organizational unit. */ readonly attribute AString issuerOrganizationUnit; /** * The certificate used by the issuer to sign this certificate. */ readonly attribute nsIX509Cert issuer; /** * This certificate's validity period. */ readonly attribute nsIX509CertValidity validity; /** * A unique identifier of this certificate within the local storage. */ readonly attribute string dbKey; /** * A human readable identifier to label this certificate. */ readonly attribute AString windowTitle; /** * Constants to classify the type of a certificate. */ const unsigned long UNKNOWN_CERT = 0; const unsigned long CA_CERT = 1 << 0; const unsigned long USER_CERT = 1 << 1; const unsigned long EMAIL_CERT = 1 << 2; const unsigned long SERVER_CERT = 1 << 3; const unsigned long ANY_CERT = 0xffff; /** * Type of this certificate */ readonly attribute unsigned long certType; /** * True if the certificate is self-signed. CA issued * certificates are always self-signed. */ readonly attribute boolean isSelfSigned; /** * Constants for certificate verification results. */ const unsigned long VERIFIED_OK = 0; const unsigned long NOT_VERIFIED_UNKNOWN = 1 << 0; const unsigned long CERT_REVOKED = 1 << 1; const unsigned long CERT_EXPIRED = 1 << 2; const unsigned long CERT_NOT_TRUSTED = 1 << 3; const unsigned long ISSUER_NOT_TRUSTED = 1 << 4; const unsigned long ISSUER_UNKNOWN = 1 << 5; const unsigned long INVALID_CA = 1 << 6; const unsigned long USAGE_NOT_ALLOWED = 1 << 7; const unsigned long SIGNATURE_ALGORITHM_DISABLED = 1 << 8; /** * Constants that describe the certified usages of a certificate. * * Deprecated and unused */ const unsigned long CERT_USAGE_SSLClient = 0; const unsigned long CERT_USAGE_SSLServer = 1; const unsigned long CERT_USAGE_SSLServerWithStepUp = 2; const unsigned long CERT_USAGE_SSLCA = 3; const unsigned long CERT_USAGE_EmailSigner = 4; const unsigned long CERT_USAGE_EmailRecipient = 5; const unsigned long CERT_USAGE_ObjectSigner = 6; const unsigned long CERT_USAGE_UserCertImport = 7; const unsigned long CERT_USAGE_VerifyCA = 8; const unsigned long CERT_USAGE_ProtectedObjectSigner = 9; const unsigned long CERT_USAGE_StatusResponder = 10; const unsigned long CERT_USAGE_AnyCA = 11; /** * Constants for specifying the chain mode when exporting a certificate */ const unsigned long CMS_CHAIN_MODE_CertOnly = 1; const unsigned long CMS_CHAIN_MODE_CertChain = 2; const unsigned long CMS_CHAIN_MODE_CertChainWithRoot = 3; /** * Obtain a list of certificates that contains this certificate * and the issuing certificates of all involved issuers, * up to the root issuer. * * @return The chain of certifficates including the issuers. */ nsIArray getChain(); /** * Obtain an array of human readable strings describing * the certificate's certified usages. * * @param localOnly Do not hit the network, even if revocation information * downloading is currently activated. * @param verified The certificate verification result, see constants. * @param count The number of human readable usages returned. * @param usages The array of human readable usages. */ void getUsagesArray(in boolean localOnly, out uint32_t verified, out uint32_t count, [array, size_is(count)] out wstring usages); /** * Async version of nsIX509Cert::getUsagesArray() * * Will not block, will request results asynchronously, * availability of results will be notified on the main thread. */ void requestUsagesArrayAsync(in nsICertVerificationListener cvl); /** * Obtain a single comma separated human readable string describing * the certificate's certified usages. * * @param localOnly Do not hit the network, even if revocation information * downloading is currently activated. * @param verified The certificate verification result, see constants. * @param purposes The string listing the usages. */ void getUsagesString(in boolean localOnly, out uint32_t verified, out AString usages); /** * This is the attribute which describes the ASN1 layout * of the certificate. This can be used when doing a * "pretty print" of the certificate's ASN1 structure. */ readonly attribute nsIASN1Object ASN1Structure; /** * Obtain a raw binary encoding of this certificate * in DER format. * * @param length The number of bytes in the binary encoding. * @param data The bytes representing the DER encoded certificate. */ void getRawDER(out unsigned long length, [retval, array, size_is(length)] out octet data); /** * Test whether two certificate instances represent the * same certificate. * * @return Whether the certificates are equal */ boolean equals(in nsIX509Cert other); /** * The base64 encoding of the DER encoded public key info using the specified * digest. */ readonly attribute ACString sha256SubjectPublicKeyInfoDigest; /** * Obtain the certificate wrapped in a PKCS#7 SignedData structure, * with or without the certificate chain * * @param chainMode Whether to include the chain (with or without the root), see CMS_CHAIN_MODE constants. * @param length The number of bytes of the PKCS#7 data. * @param data The bytes representing the PKCS#7 wrapped certificate. */ void exportAsCMS(in unsigned long chainMode, out unsigned long length, [retval, array, size_is(length)] out octet data); /** * Retrieves the NSS certificate object wrapped by this interface */ [notxpcom, noscript] CERTCertificatePtr getCert(); /** * Human readable names identifying all hardware or * software tokens the certificate is stored on. * * @param length On success, the number of entries in the returned array. * @return On success, an array containing the names of all tokens * the certificate is stored on (may be empty). * On failure the function throws/returns an error. */ void getAllTokenNames(out unsigned long length, [retval, array, size_is(length)] out wstring tokenNames); /** * Either delete the certificate from all cert databases, * or mark it as untrusted. */ void markForPermDeletion(); }; [scriptable, uuid(2fd0a785-9f2d-4327-8871-8c3e0783891d)] interface nsICertVerificationResult : nsISupports { /** * This interface reflects a container of * verification results. Call will not block. * * Obtain an array of human readable strings describing * the certificate's certified usages. * * Mirrors the results produced by * nsIX509Cert::getUsagesArray() * * As of today, this function is a one-shot object, * only the first call will succeed. * This allows an optimization in the implementation, * ownership of result data will be transfered to caller. * * @param cert The certificate that was verified. * @param verified The certificate verification result, * see constants in nsIX509Cert. * @param count The number of human readable usages returned. * @param usages The array of human readable usages. */ void getUsagesArrayResult(out uint32_t verified, out uint32_t count, [array, size_is(count)] out wstring usages); }; [scriptable, uuid(6684bce9-50db-48e1-81b7-98102bf81357)] interface nsICertVerificationListener : nsISupports { /** * Notify that results are ready, that have been requested * using nsIX509Cert::requestUsagesArrayAsync() */ void notify(in nsIX509Cert verifiedCert, in nsICertVerificationResult result); };