gecko-dev/security/manager/ssl/public/nsIX509CertDB.idl

/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
 *
 * The contents of this file are subject to the Mozilla Public
 * License Version 1.1 (the "License"); you may not use this file
 * except in compliance with the License. You may obtain a copy of
 * the License at http://www.mozilla.org/MPL/
 *
 * Software distributed under the License is distributed on an "AS
 * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * rights and limitations under the License.
 *
 * The Original Code is mozilla.org code.
 *
 * The Initial Developer of the Original Code is Netscape
 * Communications Corporation.  Portions created by Netscape are
 * Copyright (C) 1998 Netscape Communications Corporation. All
 * Rights Reserved.
 *
 * Contributor(s):
 *   Javier Delgadillo <javi@netscape.com>
 *
 * Alternatively, the contents of this file may be used under the
 * terms of the GNU General Public License Version 2 or later (the
 * "GPL"), in which case the provisions of the GPL are applicable
 * instead of those above.  If you wish to allow use of your
 * version of this file only under the terms of the GPL and not to
 * allow others to use your version of this file under the MPL,
 * indicate your decision by deleting the provisions above and
 * replace them with the notice and other provisions required by
 * the GPL.  If you do not delete the provisions above, a recipient
 * may use your version of this file under either the MPL or the
 * GPL.
 */

#include "nsISupports.idl"

interface nsISupportsArray;
interface nsIX509Cert;
interface nsILocalFile;
interface nsIInterfaceRequestor;

%{C++
#define NS_X509CERTDB_CONTRACTID "@mozilla.org/security/x509certdb;1"
%}

[scriptable, uuid(da48b3c0-1284-11d5-ac67-000064657374)]
interface nsIX509CertDB : nsISupports {

  /* the database is responsible for managing cert trust */
  const unsigned long UNTRUSTED       =      0;
  const unsigned long TRUSTED_SSL     = 1 << 0;
  const unsigned long TRUSTED_EMAIL   = 1 << 1;
  const unsigned long TRUSTED_OBJSIGN = 1 << 2;

  nsIX509Cert getCertByNickname(in nsISupports aToken,
                                in AString aNickname);

  /*
   * getCertByDBKey
   *
   * Will find a certificate based on its dbkey
   * retrieved by getting the dbKey attribute of
   * the certificate.
   */
  nsIX509Cert getCertByDBKey(in string aDBkey, in nsISupports aToken);

  /*
   * getCertNicknames
   *
   * Obtain a list of certificate nicknames from the database.
   * What the name is depends on type:
   *  user, ca, or server cert - the nickname
   *  email cert - the email address
   *
   * aToken - PKCS#11 token to get certs from (null for all tokens)
   * aType - type of certificate to obtain (see nsIX509Cert)
   * count, certNameList - the returned array of names
   */
  void getCertNicknames(in nsISupports aToken, 
                        in unsigned long aType,
                        out unsigned long count,
                        [array, size_is(count)] out wstring certNameList);

  /* Get the user encryption cert */
  nsIX509Cert getEmailEncryptionCert(in AString aNickname);

  /* Get the user signing cert */
  nsIX509Cert getEmailSigningCert(in AString aNickname);

  /* Get a cert by email address */
  nsIX509Cert getCertByEmailAddress(in nsISupports aToken,
                             in string aEmailAddress);

  /*
   * importCertificates
   * Use this to import a stream sent down as a mime type into
   * the default cert db.  The stream may consist of one or more
   * certificates.
   * XXX We may want to add a parameter for a PK11 Token where
   *     the certs will utlimtately live.  Currently, they'll
   *     be placed in the default token.
   */
  void importCertificates([array, size_is(length)] in octet data,
                          in unsigned long length,
                          in unsigned long type,
                          in nsIInterfaceRequestor ctx);

  /*
   * importEmailCertificate
   *
   * Import a user certificate into the database.
   *
   * @param length - The number of bytes contained in the data array.
   *
   * @param data - Raw certificate data, containing the certificate to import.
   */
  void importEmailCertificate([array, size_is(length)] in octet data,
                              in unsigned long length,
                              in nsIInterfaceRequestor ctx);

  void importServerCertificate([array, size_is(length)] in octet data,
                               in unsigned long length,
                               in nsIInterfaceRequestor ctx);

  /*
   * importCertificate
   *
   * Import a user certificate into the database.
   * XXX This method and the importCertificate should be merged into one.
   */
  void importUserCertificate([array, size_is(length)] in octet data,
                             in unsigned long length,
                             in nsIInterfaceRequestor ctx);
  /*
   * deleteCertificate
   *
   * Remove a certificate from the database.
   */
  void deleteCertificate(in nsIX509Cert aCert);

  /*
   * setCertTrust
   *
   * The certificate database is responsible for managing cert trust.  This
   * function allows clients to set the trust settings for a cert.
   */
  void setCertTrust(in nsIX509Cert cert,
                    in unsigned long type,
                    in unsigned long trust);

  /*
   * getCertTrust
   *
   * Get the trust settings for this certificate.
   *
   * trustType = TRUSTED_SSL => returns true if cert is trusted SSL cert
   * trustType = TRUSTED_EMAIL => returns true if cert is trusted email cert
   * trustType = TRUSTED_OBJSIGN => returns true if cert is trusted 
   *                                                     object signing cert
   */
  boolean getCertTrust(in nsIX509Cert cert,
                       in unsigned long certType,
                       in unsigned long trustType);

  /*
   * importCertsFromFile
   *
   * Import certificate(s) from file
   */
  void importCertsFromFile(in nsISupports aToken,
                         in nsILocalFile aFile,
                         in unsigned long aType);

  /*
   * importPKCS12File
   *
   * Import a PKCS#12 file contain cert(s) and key(s) into the database.
   */
  void importPKCS12File(in nsISupports aToken,
                        in nsILocalFile aFile);

  /*
   * exportPKCS12File
   *
   * Export a set of certs and keys from the database to a PKCS#12 file.
   */
  void exportPKCS12File(in nsISupports aToken,
                        in nsILocalFile aFile,
                        in unsigned long count,
                        [array, size_is(count)] in nsIX509Cert aCerts);
                        //[array, size_is(count)] in AString aCertNames);
  /*
   * getOCSPResponders
   *
   * Export a set of OCSP responders i.e. CA names and (optional) URLs.
   */
  nsISupportsArray getOCSPResponders();

  /*
   * Query about the status of OCSP
   */
  readonly attribute boolean ocspOn;

  /*
   * Use this to temporarily disable OCSP checking.
   * Needed if OCSP checks slow down UI rendering too much.
   * A call to this should be followed with a call to 
   * enableOCSP soon afterwards.
   */
  void disableOCSP();

  /*
   * Sets the OCSP options to correspond with the preferences 
   * values.
   */
  void enableOCSP();

  /*
   * decode base64 certificate and return a new nsIX509Cert instance
   * 
   */
  nsIX509Cert constructX509FromBase64(in string base64);
};