зеркало из https://github.com/mozilla/gecko-dev.git
122 строки
4.8 KiB
Plaintext
122 строки
4.8 KiB
Plaintext
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
|
|
#include "nsISupports.idl"
|
|
|
|
interface nsIContentSignatureReceiverCallback;
|
|
|
|
/**
|
|
* An interface for verifying content-signatures, inspired by
|
|
* https://tools.ietf.org/html/draft-thomson-http-content-signature-00
|
|
* described here https://github.com/franziskuskiefer/content-signature/tree/pki
|
|
*
|
|
* A new signature verifier instance should be created for each signature
|
|
* verification - you can create these instances with do_CreateInstance.
|
|
*
|
|
* There are two ways to use this functionality:
|
|
* The first allows a signature to be verified all at once by simply calling
|
|
* verifyContentSignature.
|
|
* The second allows for streaming; call createContext with the signature
|
|
* information (and initial data), call update with more data as it becomes
|
|
* available then, finally, call end to verify the signature.
|
|
*/
|
|
[scriptable, uuid(45a5fe2f-c350-4b86-962d-02d5aaaa955a)]
|
|
interface nsIContentSignatureVerifier : nsISupports
|
|
{
|
|
|
|
/**
|
|
* Verifies that the data matches the data that was used to generate the
|
|
* signature.
|
|
*
|
|
* @param aData The data to be tested.
|
|
* @param aContentSignatureHeader The content-signature header,
|
|
* url-safe base64 encoded.
|
|
* @param aCertificateChain The certificate chain to use for verification.
|
|
* PEM encoded string.
|
|
* @param aName The (host)name for which the end entity must
|
|
be valid.
|
|
* @returns true if the signature matches the data and aCertificateChain is
|
|
* valid within aContext, false if not.
|
|
*/
|
|
[must_use]
|
|
boolean verifyContentSignature(in ACString aData,
|
|
in ACString aContentSignatureHeader,
|
|
in ACString aCertificateChain,
|
|
in ACString aName);
|
|
|
|
/**
|
|
* Creates a context to verify a content signature against data that is added
|
|
* later with update calls.
|
|
*
|
|
* @param aData The first chunk of data to be tested.
|
|
* @param aContentSignatureHeader The signature of the data, url-safe base64
|
|
* encoded.
|
|
* @param aCertificateChain The certificate chain to use for
|
|
* verification. PEM encoded string.
|
|
* @param aName The (host)name for which the end entity must
|
|
be valid.
|
|
*/
|
|
[must_use]
|
|
void createContext(in ACString aData, in ACString aContentSignatureHeader,
|
|
in ACString aCertificateChain, in ACString aName);
|
|
|
|
/**
|
|
* Creates a context to verify a content signature against data that is added
|
|
* later with update calls.
|
|
* This does not require the caller to download the certificate chain. It's
|
|
* done internally.
|
|
* It requires the x5u parameter to be present in aContentSignatureHeader
|
|
*
|
|
* NOTE: Callers have to wait for aCallback to return before invoking anything
|
|
* else. Otherwise the ContentSignatureVerifier will fail.
|
|
*
|
|
* @param aCallback Callback that's invoked when the cert chain
|
|
* got fetched.
|
|
* @param aContentSignatureHeader The signature of the data, url-safe base64
|
|
* encoded, and the x5u value.
|
|
* @param aName The (host)name for which the end entity must
|
|
be valid.
|
|
*/
|
|
[must_use]
|
|
void createContextWithoutCertChain(in nsIContentSignatureReceiverCallback aCallback,
|
|
in ACString aContentSignatureHeader,
|
|
in ACString aName);
|
|
|
|
/**
|
|
* Adds data to the context that was used to generate the signature.
|
|
*
|
|
* @param aData More data to be tested.
|
|
*/
|
|
[must_use]
|
|
void update(in ACString aData);
|
|
|
|
/**
|
|
* Finalises the signature and returns the result of the signature
|
|
* verification.
|
|
*
|
|
* @returns true if the signature matches the data added with createContext
|
|
* and update, false if not.
|
|
*/
|
|
[must_use]
|
|
boolean end();
|
|
};
|
|
|
|
/**
|
|
* Callback for nsIContentSignatureVerifier.
|
|
* { 0x1eb90707, 0xdf59, 0x48b7, \
|
|
* { 0x9d, 0x42, 0xd8, 0xbf, 0x63, 0x0a, 0xe7, 0x44 } }
|
|
*/
|
|
[scriptable, uuid(1eb90707-df59-48b7-9d42-d8bf630ae744)]
|
|
interface nsIContentSignatureReceiverCallback : nsISupports
|
|
{
|
|
/**
|
|
* Notification callback that's called by nsIContentSignatureVerifier when
|
|
* the cert chain is downloaded.
|
|
* If download and initialisation were successful, successful is true,
|
|
* otherwise false. If successful is false, the verification must be aborted.
|
|
*/
|
|
void contextCreated(in boolean successful);
|
|
};
|