gecko-dev/security/manager/ssl/public/nsIX509CertDB.idl

/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
 *
 * The contents of this file are subject to the Mozilla Public
 * License Version 1.1 (the "License"); you may not use this file
 * except in compliance with the License. You may obtain a copy of
 * the License at http://www.mozilla.org/MPL/
 *
 * Software distributed under the License is distributed on an "AS
 * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * rights and limitations under the License.
 *
 * The Original Code is mozilla.org code.
 *
 * The Initial Developer of the Original Code is Netscape
 * Communications Corporation.  Portions created by Netscape are
 * Copyright (C) 1998 Netscape Communications Corporation. All
 * Rights Reserved.
 *
 * Contributor(s):
 *   Javier Delgadillo <javi@netscape.com>
 *
 * Alternatively, the contents of this file may be used under the
 * terms of the GNU General Public License Version 2 or later (the
 * "GPL"), in which case the provisions of the GPL are applicable
 * instead of those above.  If you wish to allow use of your
 * version of this file only under the terms of the GPL and not to
 * allow others to use your version of this file under the MPL,
 * indicate your decision by deleting the provisions above and
 * replace them with the notice and other provisions required by
 * the GPL.  If you do not delete the provisions above, a recipient
 * may use your version of this file under either the MPL or the
 * GPL.
 */

#include "nsISupports.idl"

interface nsISupportsArray;
interface nsIX509Cert;
interface nsIPK11Token;
interface nsILocalFile;
interface nsIInterfaceRequestor;
interface nsIURI;

%{C++

#define NS_X509CERTDB_CID { /* da48b3c0-1284-11d5-ac67-000064657374 */ \
    0xda48b3c0,                                                        \
    0x1284,                                                            \
    0x11d5,                                                            \
    {0xac, 0x67, 0x00, 0x00, 0x64, 0x65, 0x73, 0x74}                   \
  }

#define NS_X509CERTDB_CONTRACTID "@mozilla.org/security/x509certdb;1"

typedef int (*nsCertCompareFunc)(nsIX509Cert *a, nsIX509Cert *b);

%}

native nsCertCompareFunc(nsCertCompareFunc);
native nsAutoString(nsAutoString);
[ref] native nsAutoStringRef(nsAutoString);

[scriptable, uuid(96b2f5ae-4334-11d5-ba27-00108303b117)]
interface nsIOCSPResponder : nsISupports {
  readonly attribute wstring responseSigner;
  readonly attribute wstring serviceURL;
};

[scriptable, uuid(c185d920-4a3e-11d5-ba27-00108303b117)]
interface nsICrlEntry : nsISupports {
  readonly attribute wstring org;
  readonly attribute wstring orgUnit;
  readonly attribute wstring lastUpdate;
  readonly attribute wstring nextUpdate;
};

[scriptable, uuid(da48b3c0-1284-11d5-ac67-000064657374)]
interface nsIX509CertDB : nsISupports {

  /* the database is responsible for managing cert trust */
  const unsigned long UNTRUSTED       =      0;
  const unsigned long TRUSTED_SSL     = 1 << 0;
  const unsigned long TRUSTED_EMAIL   = 1 << 1;
  const unsigned long TRUSTED_OBJSIGN = 1 << 2;

  nsIX509Cert getCertByNickname(in nsIPK11Token aToken,
                                in wstring aNickname);

  /*
   * getCertByDBKey
   *
   * Will find a certificate based on its dbkey
   * retrieved by getting the dbKey attribute of
   * the certificate.
   */
  nsIX509Cert getCertByDBKey(in string aDBkey, in nsIPK11Token aToken);

  /*
   * getCertNicknames
   *
   * Obtain a list of certificate nicknames from the database.
   * What the name is depends on type:
   *  user, ca, or server cert - the nickname
   *  email cert - the email address
   *
   * aToken - PKCS#11 token to get certs from (null for all tokens)
   * aType - type of certificate to obtain (see nsIX509Cert)
   * count, certNameList - the returned array of names
   */
  void getCertNicknames(in nsIPK11Token aToken, 
                        in unsigned long aType,
                        out unsigned long count,
                        [array, size_is(count)] out wstring certNameList);

  /*
   * getCertsByType
   *
   * Obtain a list of certs from the database.
   *
   */
  [notxpcom, noscript] boolean getCertsByType(in unsigned long aType,
                                              in nsCertCompareFunc aCertCmpFn,
                                              out nsISupportsArray certs);

  /*
   * importCertificates
   * Use this to import a stream sent down as a mime type into
   * the default cert db.  The stream may consist of one or more
   * certificates.
   * XXX We may want to add a parameter for a PK11 Token where
   *     the certs will utlimtately live.  Currently, they'll
   *     be placed in the default token.
   */
  [noscript] void importCertificates(in charPtr data,
                                     in unsigned long length,
                                     in unsigned long type,
                                     in nsIInterfaceRequestor ctx);

  /*
   * importCertificate
   *
   * Import a user certificate into the database.
   * XXX This method and the importCertificate should be merged into one.
   */
  [noscript] void importUserCertificate(in charPtr data, 
                                    in unsigned long length,
                                    in nsIInterfaceRequestor ctx);
  /*
   * deleteCertificate
   *
   * Remove a certificate from the database.
   */
  void deleteCertificate(in nsIX509Cert aCert);

  /*
   * setCertTrust
   *
   * The certificate database is responsible for managing cert trust.  This
   * function allows clients to set the trust settings for a cert.
   */
  void setCertTrust(in nsIX509Cert cert,
                    in unsigned long type,
                    in unsigned long trust);

  /*
   * getCertTrust
   *
   * Get the trust settings for this certificate.
   *
   * trustType = TRUSTED_SSL => returns true if cert is trusted SSL cert
   * trustType = TRUSTED_EMAIL => returns true if cert is trusted email cert
   * trustType = TRUSTED_OBJSIGN => returns true if cert is trusted 
   *                                                     object signing cert
   */
  boolean getCertTrust(in nsIX509Cert cert,
                       in unsigned long certType,
                       in unsigned long trustType);

  /*
   * importPKCS12File
   *
   * Import a PKCS#12 file contain cert(s) and key(s) into the database.
   */
  void importPKCS12File(in nsIPK11Token aToken,
                        in nsILocalFile aFile);

  /*
   * exportPKCS12File
   *
   * Export a set of certs and keys from the database to a PKCS#12 file.
   */
  void exportPKCS12File(in nsIPK11Token aToken,
                        in nsILocalFile aFile,
                        in PRUint32 count,
                        [array, size_is(count)] in nsIX509Cert aCerts);
                        //[array, size_is(count)] in wstring aCertNames);
  /*
   * getOCSPResponders
   *
   * Export a set of OCSP responders i.e. CA names and (optional) URLs.
   */
  nsISupportsArray getOCSPResponders();

  /*
   * importCrl
   *
   * Import a CRL into the database.
   */
  [noscript] void importCrl(in charPtr data, 
                            in unsigned long length,
						                in nsIURI uri,
                            in PRUint32 type);

  /*
   * getCrls
   *
   * Get a list of Crl entries in the DB.
   */
  nsISupportsArray getCrls();

  /*
   * deleteCrl
   *
   * Delete the crl.
   */
  void deleteCrl(in PRUint32 crlIndex);

  /*
   * Query about the status of OCSP
   */
  readonly attribute boolean ocspOn;

  /*
   * Use this to temporarily disable OCSP checking.
   * Needed if OCSP checks slow down UI rendering too much.
   * A call to this should be followed with a call to 
   * enableOCSP soon afterwards.
   */
  void disableOCSP();

  /*
   * Sets the OCSP options to correspond with the preferences 
   * values.
   */
  void enableOCSP();
 };