bug 1470030 - convert manually-written nsINSSComponent definition to idl r?fkiefer
Defining nsINSSComponent in idl rather than manually in a header file allows us
to make full use of the machinery that already exists to process and generate
the correct definitions. Furthermore, it enables us to define JS-accessible APIs
on nsINSSComponent, which enables us to build frontend features that can work
directly with the data and functionality the underlying implementation has
access to.
MozReview-Commit-ID: JFI9s12wmRE
--- a/netwerk/protocol/http/nsHttpHandler.cpp
+++ b/netwerk/protocol/http/nsHttpHandler.cpp
@@ -2469,25 +2469,25 @@ CanEnableSpeculativeConnect()
nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID));
if (!component) {
return false;
}
// Check if any 3rd party PKCS#11 module are installed, as they may produce
// client certificates
bool activeSmartCards = false;
- nsresult rv = component->HasActiveSmartCards(activeSmartCards);
+ nsresult rv = component->HasActiveSmartCards(&activeSmartCards);
if (NS_FAILED(rv) || activeSmartCards) {
return false;
}
// If there are any client certificates installed, we can't enable speculative
// connect, as it may pop up the certificate chooser at any time.
bool hasUserCerts = false;
- rv = component->HasUserCertsInstalled(hasUserCerts);
+ rv = component->HasUserCertsInstalled(&hasUserCerts);
if (NS_FAILED(rv) || hasUserCerts) {
return false;
}
return true;
}
nsresult
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -142,17 +142,17 @@ IsCertBuiltInRoot(CERTCertificate* cert,
}
result = false;
#ifdef DEBUG
nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID));
if (!component) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
- nsresult rv = component->IsCertTestBuiltInRoot(cert, result);
+ nsresult rv = component->IsCertTestBuiltInRoot(cert, &result);
if (NS_FAILED(rv)) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
if (result) {
return Success;
}
#endif // DEBUG
AutoSECMODListReadLock lock;
--- a/security/manager/ssl/CSTrustDomain.cpp
+++ b/security/manager/ssl/CSTrustDomain.cpp
@@ -65,17 +65,17 @@ CSTrustDomain::GetCertTrust(EndEntityOrC
}
// Is this cert our built-in content signing root?
bool isRoot = false;
nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID));
if (!component) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
- nsrv = component->IsCertContentSigningRoot(candidateCert.get(), isRoot);
+ nsrv = component->IsCertContentSigningRoot(candidateCert.get(), &isRoot);
if (NS_FAILED(nsrv)) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
if (isRoot) {
CSTrust_LOG(("CSTrustDomain: certificate is a trust anchor\n"));
trustLevel = TrustLevel::TrustAnchor;
return Success;
}
--- a/security/manager/ssl/moz.build
+++ b/security/manager/ssl/moz.build
@@ -18,16 +18,17 @@ XPIDL_SOURCES += [
'nsIClientAuthDialogs.idl',
'nsIContentSignatureVerifier.idl',
'nsICryptoHash.idl',
'nsICryptoHMAC.idl',
'nsIGenKeypairInfoDlg.idl',
'nsIKeygenThread.idl',
'nsIKeyModule.idl',
'nsILocalCertService.idl',
+ 'nsINSSComponent.idl',
'nsINSSErrorsService.idl',
'nsINSSVersion.idl',
'nsIPK11Token.idl',
'nsIPK11TokenDB.idl',
'nsIPKCS11Module.idl',
'nsIPKCS11ModuleDB.idl',
'nsIPKCS11Slot.idl',
'nsIProtectedAuthThread.idl',
new file mode 100644
--- /dev/null
+++ b/security/manager/ssl/nsINSSComponent.idl
@@ -0,0 +1,110 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "nsISupports.idl"
+
+%{C++
+#include "cert.h"
+#include "SharedCertVerifier.h"
+#define PSM_COMPONENT_CONTRACTID "@mozilla.org/psm;1"
+%}
+
+interface nsIX509CertList;
+
+[ptr] native CERTCertificatePtr(CERTCertificate);
+[ptr] native SharedCertVerifierPtr(mozilla::psm::SharedCertVerifier);
+
+[scriptable, uuid(a0a8f52b-ea18-4abc-a3ca-eccf704ffe63)]
+interface nsINSSComponent : nsISupports {
+ /**
+ * When we log out of a PKCS#11 token, any TLS connections that may have
+ * involved a client certificate stored on that token must be closed. Since we
+ * don't have a fine-grained way to do this, we basically cancel everything.
+ * More speficially, this clears all temporary certificate exception overrides
+ * and any remembered client authentication certificate decisions, and then
+ * cancels all network connections (strictly speaking, this last part is
+ * overzealous - we only need to cancel all https connections (see bug
+ * 1446645)).
+ */
+ [noscript] void logoutAuthenticatedPK11();
+
+ /**
+ * Used to determine if the given CERTCertificate is the certificate we use in
+ * tests to simulate a built-in root certificate. Returns false in non-debug
+ * builds.
+ */
+ [noscript] bool isCertTestBuiltInRoot(in CERTCertificatePtr cert);
+
+ /**
+ * Used to determine if the given CERTCertificate is the content signing root
+ * certificate.
+ */
+ [noscript] bool isCertContentSigningRoot(in CERTCertificatePtr cert);
+
+ /**
+ * If enabled by the preference "security.enterprise_roots.enabled", returns
+ * an nsIX509CertList representing the imported enterprise root certificates
+ * (i.e. root certificates gleaned from the OS certificate store). Returns
+ * null otherwise.
+ * Currently this is only implemented on Windows, so this function returns
+ * null on all other platforms.
+ */
+ [noscript] nsIX509CertList getEnterpriseRoots();
+
+ /**
+ * During initialization, nsINSSComponent collects any 3rd party root
+ * certificates from the OS that may be relevant (e.g. enterprise roots, the
+ * Family Safety root on Windows 8). However, to prevent opening a PKCS#11
+ * login prompt and potentially re-entering initialization, the component
+ * delays trusting these roots until a later event tick. This is the function
+ * that enables that.
+ */
+ [noscript] void trustLoaded3rdPartyRoots();
+
+ /**
+ * For performance reasons, the builtin roots module is loaded on a background
+ * thread. When any code that depends on the builtin roots module runs, it
+ * must first wait for the module to be loaded.
+ */
+ [noscript] void blockUntilLoadableRootsLoaded();
+
+ /**
+ * In theory a token on a PKCS#11 module can be inserted or removed at any
+ * time. Operations that may depend on resources on external tokens should
+ * call this to ensure they have a recent view of the token.
+ */
+ [noscript] void checkForSmartCardChanges();
+
+ /**
+ * Used to potentially detect when a user's internet connection is being
+ * intercepted. When doing an update ping, if certificate verification fails,
+ * we make a note of the issuer distinguished name of that certificate.
+ * If a subsequent certificate verification fails, we compare issuer
+ * distinguished names. If they match, something may be intercepting the
+ * user's traffic (if they don't match, the server is likely misconfigured).
+ * This function succeeds if the given DN matches the noted DN and fails
+ * otherwise (e.g. if the update ping never failed).
+ */
+ [noscript] void issuerMatchesMitmCanary(in string certIssuer);
+
+ /**
+ * Returns true if the user has a PKCS#11 module with removable slots.
+ * Main thread only.
+ */
+ [noscript] bool hasActiveSmartCards();
+
+ /**
+ * Returns true if the user has any client authentication certificates.
+ * Main thread only.
+ */
+ [noscript] bool hasUserCertsInstalled();
+
+ /**
+ * Returns an already-adrefed handle to the currently configured shared
+ * certificate verifier.
+ */
+ [noscript] SharedCertVerifierPtr getDefaultCertVerifier();
+};
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -726,44 +726,16 @@ nsNSSComponent::UnloadEnterpriseRoots()
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
("couldn't untrust certificate for TLS server auth"));
}
}
mEnterpriseRoots = nullptr;
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("unloaded enterprise roots"));
}
-NS_IMETHODIMP
-nsNSSComponent::GetEnterpriseRoots(nsIX509CertList** enterpriseRoots)
-{
- MutexAutoLock nsNSSComponentLock(mMutex);
- MOZ_ASSERT(NS_IsMainThread());
- if (!NS_IsMainThread()) {
- return NS_ERROR_NOT_SAME_THREAD;
- }
- NS_ENSURE_ARG_POINTER(enterpriseRoots);
-
- if (!mEnterpriseRoots) {
- *enterpriseRoots = nullptr;
- return NS_OK;
- }
- UniqueCERTCertList enterpriseRootsCopy(
- nsNSSCertList::DupCertList(mEnterpriseRoots));
- if (!enterpriseRootsCopy) {
- return NS_ERROR_FAILURE;
- }
- nsCOMPtr<nsIX509CertList> enterpriseRootsCertList(
- new nsNSSCertList(std::move(enterpriseRootsCopy)));
- if (!enterpriseRootsCertList) {
- return NS_ERROR_FAILURE;
- }
- enterpriseRootsCertList.forget(enterpriseRoots);
- return NS_OK;
-}
-
static const char* kEnterpriseRootModePref = "security.enterprise_roots.enabled";
void
nsNSSComponent::MaybeImportEnterpriseRoots()
{
MutexAutoLock lock(mMutex);
MOZ_ASSERT(NS_IsMainThread());
if (!NS_IsMainThread()) {
@@ -869,16 +841,17 @@ nsNSSComponent::ImportEnterpriseRootsFor
}
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("Imported '%s'", subjectName.get()));
numImported++;
// now owned by mEnterpriseRoots
Unused << nssCertificate.release();
}
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("imported %u roots", numImported));
}
+#endif // XP_WIN
NS_IMETHODIMP
nsNSSComponent::TrustLoaded3rdPartyRoots()
{
MutexAutoLock lock(mMutex);
CERTCertTrust trust = {
CERTDB_TRUSTED_CA | CERTDB_VALID_CA | CERTDB_USER,
@@ -896,25 +869,54 @@ nsNSSComponent::TrustLoaded3rdPartyRoots
UniqueCERTCertificate cert(CERT_DupCertificate(n->cert));
if (ChangeCertTrustWithPossibleAuthentication(cert, trust, nullptr)
!= SECSuccess) {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
("couldn't trust enterprise certificate for TLS server auth"));
}
}
}
+#ifdef XP_WIN
if (mFamilySafetyRoot &&
ChangeCertTrustWithPossibleAuthentication(mFamilySafetyRoot, trust,
nullptr) != SECSuccess) {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
("couldn't trust family safety certificate for TLS server auth"));
}
+#endif
return NS_OK;
}
-#endif // XP_WIN
+
+NS_IMETHODIMP
+nsNSSComponent::GetEnterpriseRoots(nsIX509CertList** enterpriseRoots)
+{
+ MutexAutoLock nsNSSComponentLock(mMutex);
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!NS_IsMainThread()) {
+ return NS_ERROR_NOT_SAME_THREAD;
+ }
+ NS_ENSURE_ARG_POINTER(enterpriseRoots);
+
+ if (!mEnterpriseRoots) {
+ *enterpriseRoots = nullptr;
+ return NS_OK;
+ }
+ UniqueCERTCertList enterpriseRootsCopy(
+ nsNSSCertList::DupCertList(mEnterpriseRoots));
+ if (!enterpriseRootsCopy) {
+ return NS_ERROR_FAILURE;
+ }
+ nsCOMPtr<nsIX509CertList> enterpriseRootsCertList(
+ new nsNSSCertList(std::move(enterpriseRootsCopy)));
+ if (!enterpriseRootsCertList) {
+ return NS_ERROR_FAILURE;
+ }
+ enterpriseRootsCertList.forget(enterpriseRoots);
+ return NS_OK;
+}
class LoadLoadableRootsTask final : public Runnable
{
public:
explicit LoadLoadableRootsTask(nsNSSComponent* nssComponent)
: Runnable("LoadLoadableRootsTask")
, mNSSComponent(nssComponent)
{
@@ -997,70 +999,72 @@ LoadLoadableRootsTask::Run()
return rv;
}
}
// Go back to the main thread to clean up this worker thread.
return NS_DispatchToMainThread(this);
}
-nsresult
-nsNSSComponent::HasActiveSmartCards(bool& result)
+NS_IMETHODIMP
+nsNSSComponent::HasActiveSmartCards(bool* result)
{
+ NS_ENSURE_ARG_POINTER(result);
MOZ_ASSERT(NS_IsMainThread(), "Main thread only");
if (!NS_IsMainThread()) {
return NS_ERROR_NOT_SAME_THREAD;
}
#ifndef MOZ_NO_SMART_CARDS
MutexAutoLock nsNSSComponentLock(mMutex);
AutoSECMODListReadLock secmodLock;
SECMODModuleList* list = SECMOD_GetDefaultModuleList();
while (list) {
if (SECMOD_HasRemovableSlots(list->module)) {
- result = true;
+ *result = true;
return NS_OK;
}
list = list->next;
}
#endif
- result = false;
+ *result = false;
return NS_OK;
}
-nsresult
-nsNSSComponent::HasUserCertsInstalled(bool& result)
+NS_IMETHODIMP
+nsNSSComponent::HasUserCertsInstalled(bool* result)
{
+ NS_ENSURE_ARG_POINTER(result);
MOZ_ASSERT(NS_IsMainThread(), "Main thread only");
if (!NS_IsMainThread()) {
return NS_ERROR_NOT_SAME_THREAD;
}
MutexAutoLock nsNSSComponentLock(mMutex);
if (!mNSSInitialized) {
return NS_ERROR_NOT_INITIALIZED;
}
- result = false;
+ *result = false;
UniqueCERTCertList certList(
CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(), certUsageSSLClient,
false, true, nullptr));
if (!certList) {
return NS_OK;
}
// check if the list is empty
if (CERT_LIST_END(CERT_LIST_HEAD(certList), certList)) {
return NS_OK;
}
// The list is not empty, meaning at least one cert is installed
- result = true;
+ *result = true;
return NS_OK;
}
nsresult
nsNSSComponent::BlockUntilLoadableRootsLoaded()
{
MonitorAutoLock rootsLoadedLock(mLoadableRootsLoadedMonitor);
while (!mLoadableRootsLoaded) {
@@ -2317,47 +2321,51 @@ nsNSSComponent::RegisterObservers()
// keep a strong reference to this component. As a result, this will live at
// least as long as the observer service.
observerService->AddObserver(this, PROFILE_BEFORE_CHANGE_TOPIC, false);
observerService->AddObserver(this, NS_XPCOM_SHUTDOWN_OBSERVER_ID, false);
return NS_OK;
}
+NS_IMETHODIMP
+nsNSSComponent::IsCertTestBuiltInRoot(CERTCertificate* cert, bool* result)
+{
+ NS_ENSURE_ARG_POINTER(cert);
+ NS_ENSURE_ARG_POINTER(result);
+ *result = false;
+
#ifdef DEBUG
-NS_IMETHODIMP
-nsNSSComponent::IsCertTestBuiltInRoot(CERTCertificate* cert, bool& result)
-{
- result = false;
-
RefPtr<nsNSSCertificate> nsc = nsNSSCertificate::Create(cert);
if (!nsc) {
return NS_ERROR_FAILURE;
}
nsAutoString certHash;
nsresult rv = nsc->GetSha256Fingerprint(certHash);
if (NS_FAILED(rv)) {
return rv;
}
MutexAutoLock lock(mMutex);
MOZ_ASSERT(mNSSInitialized);
if (mTestBuiltInRootHash.IsEmpty()) {
return NS_OK;
}
- result = mTestBuiltInRootHash.Equals(certHash);
- return NS_OK;
-}
+ *result = mTestBuiltInRootHash.Equals(certHash);
#endif // DEBUG
+ return NS_OK;
+}
+
NS_IMETHODIMP
-nsNSSComponent::IsCertContentSigningRoot(CERTCertificate* cert, bool& result)
+nsNSSComponent::IsCertContentSigningRoot(CERTCertificate* cert, bool* result)
{
- result = false;
+ NS_ENSURE_ARG_POINTER(result);
+ *result = false;
RefPtr<nsNSSCertificate> nsc = nsNSSCertificate::Create(cert);
if (!nsc) {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("creating nsNSSCertificate failed"));
return NS_ERROR_FAILURE;
}
nsAutoString certHash;
nsresult rv = nsc->GetSha256Fingerprint(certHash);
@@ -2369,17 +2377,17 @@ nsNSSComponent::IsCertContentSigningRoot
MutexAutoLock lock(mMutex);
MOZ_ASSERT(mNSSInitialized);
if (mContentSigningRootHash.IsEmpty()) {
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("mContentSigningRootHash is empty"));
return NS_ERROR_FAILURE;
}
- result = mContentSigningRootHash.Equals(certHash);
+ *result = mContentSigningRootHash.Equals(certHash);
return NS_OK;
}
NS_IMETHODIMP
nsNSSComponent::IssuerMatchesMitmCanary(const char* aCertIssuer)
{
MutexAutoLock lock(mMutex);
if (mMitmDetecionEnabled && !mMitmCanaryIssuer.IsEmpty()) {
@@ -2389,38 +2397,44 @@ nsNSSComponent::IssuerMatchesMitmCanary(
}
}
return NS_ERROR_FAILURE;
}
SharedCertVerifier::~SharedCertVerifier() { }
-already_AddRefed<SharedCertVerifier>
-nsNSSComponent::GetDefaultCertVerifier()
+NS_IMETHODIMP
+nsNSSComponent::GetDefaultCertVerifier(SharedCertVerifier** result)
{
MutexAutoLock lock(mMutex);
MOZ_ASSERT(mNSSInitialized);
+ NS_ENSURE_ARG_POINTER(result);
RefPtr<SharedCertVerifier> certVerifier(mDefaultCertVerifier);
- return certVerifier.forget();
+ certVerifier.forget(result);
+ return NS_OK;
}
namespace mozilla { namespace psm {
already_AddRefed<SharedCertVerifier>
GetDefaultCertVerifier()
{
static NS_DEFINE_CID(kNSSComponentCID, NS_NSSCOMPONENT_CID);
nsCOMPtr<nsINSSComponent> nssComponent(do_GetService(kNSSComponentCID));
- if (nssComponent) {
- return nssComponent->GetDefaultCertVerifier();
+ if (!nssComponent) {
+ return nullptr;
}
-
- return nullptr;
+ RefPtr<SharedCertVerifier> result;
+ nsresult rv = nssComponent->GetDefaultCertVerifier(getter_AddRefs(result));
+ if (NS_FAILED(rv)) {
+ return nullptr;
+ }
+ return result.forget();
}
} } // namespace mozilla::psm
NS_IMPL_ISUPPORTS(PipUIContext, nsIInterfaceRequestor)
PipUIContext::PipUIContext()
{
--- a/security/manager/ssl/nsNSSComponent.h
+++ b/security/manager/ssl/nsNSSComponent.h
@@ -2,16 +2,18 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef _nsNSSComponent_h_
#define _nsNSSComponent_h_
+#include "nsINSSComponent.h"
+
#include "ScopedNSSTypes.h"
#include "SharedCertVerifier.h"
#include "mozilla/Attributes.h"
#include "mozilla/Monitor.h"
#include "mozilla/Mutex.h"
#include "mozilla/RefPtr.h"
#include "nsCOMPtr.h"
#include "nsIObserver.h"
@@ -32,107 +34,40 @@ class SmartCardThreadList;
namespace mozilla { namespace psm {
MOZ_MUST_USE
::already_AddRefed<mozilla::psm::SharedCertVerifier>
GetDefaultCertVerifier();
} } // namespace mozilla::psm
-
#define NS_NSSCOMPONENT_CID \
{0x4cb64dfd, 0xca98, 0x4e24, {0xbe, 0xfd, 0x0d, 0x92, 0x85, 0xa3, 0x3b, 0xcb}}
-#define PSM_COMPONENT_CONTRACTID "@mozilla.org/psm;1"
-
-#define NS_INSSCOMPONENT_IID \
- { 0xa0a8f52b, 0xea18, 0x4abc, \
- { 0xa3, 0xca, 0xec, 0xcf, 0x70, 0x4f, 0xfe, 0x63 } }
-
extern bool EnsureNSSInitializedChromeOrContent();
-class NS_NO_VTABLE nsINSSComponent : public nsISupports
-{
-public:
- NS_DECLARE_STATIC_IID_ACCESSOR(NS_INSSCOMPONENT_IID)
-
- NS_IMETHOD LogoutAuthenticatedPK11() = 0;
-
-#ifdef DEBUG
- NS_IMETHOD IsCertTestBuiltInRoot(CERTCertificate* cert, bool& result) = 0;
-#endif
-
- NS_IMETHOD IsCertContentSigningRoot(CERTCertificate* cert, bool& result) = 0;
-
-#ifdef XP_WIN
- NS_IMETHOD GetEnterpriseRoots(nsIX509CertList** enterpriseRoots) = 0;
- NS_IMETHOD TrustLoaded3rdPartyRoots() = 0;
-#endif
-
- NS_IMETHOD BlockUntilLoadableRootsLoaded() = 0;
- NS_IMETHOD CheckForSmartCardChanges() = 0;
- // IssuerMatchesMitmCanary succeeds if aCertIssuer matches the canary and
- // the feature is enabled. It returns an error if the strings don't match,
- // the canary is not set, or the feature is disabled.
- NS_IMETHOD IssuerMatchesMitmCanary(const char* aCertIssuer) = 0;
-
- // Main thread only
- NS_IMETHOD HasActiveSmartCards(bool& result) = 0;
- NS_IMETHOD HasUserCertsInstalled(bool& result) = 0;
-
- virtual ::already_AddRefed<mozilla::psm::SharedCertVerifier>
- GetDefaultCertVerifier() = 0;
-};
-
-NS_DEFINE_STATIC_IID_ACCESSOR(nsINSSComponent, NS_INSSCOMPONENT_IID)
-
// Implementation of the PSM component interface.
class nsNSSComponent final : public nsINSSComponent
, public nsIObserver
{
public:
// LoadLoadableRootsTask updates mLoadableRootsLoaded and
// mLoadableRootsLoadedResult and then signals mLoadableRootsLoadedMonitor.
friend class LoadLoadableRootsTask;
- NS_DEFINE_STATIC_CID_ACCESSOR( NS_NSSCOMPONENT_CID )
-
nsNSSComponent();
NS_DECL_THREADSAFE_ISUPPORTS
+ NS_DECL_NSINSSCOMPONENT
NS_DECL_NSIOBSERVER
nsresult Init();
static nsresult GetNewPrompter(nsIPrompt** result);
- NS_IMETHOD LogoutAuthenticatedPK11() override;
-
-#ifdef DEBUG
- NS_IMETHOD IsCertTestBuiltInRoot(CERTCertificate* cert, bool& result) override;
-#endif
-
- NS_IMETHOD IsCertContentSigningRoot(CERTCertificate* cert, bool& result) override;
-
-#ifdef XP_WIN
- NS_IMETHOD GetEnterpriseRoots(nsIX509CertList** enterpriseRoots) override;
- NS_IMETHOD TrustLoaded3rdPartyRoots() override;
-#endif
-
- NS_IMETHOD BlockUntilLoadableRootsLoaded() override;
- NS_IMETHOD CheckForSmartCardChanges() override;
- NS_IMETHOD IssuerMatchesMitmCanary(const char* aCertIssuer) override;
-
- // Main thread only
- NS_IMETHOD HasActiveSmartCards(bool& result) override;
- NS_IMETHOD HasUserCertsInstalled(bool& result) override;
-
- ::already_AddRefed<mozilla::psm::SharedCertVerifier>
- GetDefaultCertVerifier() override;
-
// The following two methods are thread-safe.
static bool AreAnyWeakCiphersEnabled();
static void UseWeakCiphersOnSocket(PRFileDesc* fd);
static void FillTLSVersionRange(SSLVersionRange& rangeOut,
uint32_t minFromPrefs,
uint32_t maxFromPrefs,
SSLVersionRange defaults);
@@ -176,18 +111,19 @@ private:
nsString mTestBuiltInRootHash;
#endif
nsString mContentSigningRootHash;
RefPtr<mozilla::psm::SharedCertVerifier> mDefaultCertVerifier;
nsString mMitmCanaryIssuer;
bool mMitmDetecionEnabled;
#ifdef XP_WIN
mozilla::UniqueCERTCertificate mFamilySafetyRoot;
+#endif // XP_WIN
+ // Currently this will always be null on non-Windows platforms.
mozilla::UniqueCERTCertList mEnterpriseRoots;
-#endif // XP_WIN
// The following members are accessed only on the main thread:
static int mInstanceCount;
};
inline nsresult
BlockUntilLoadableRootsLoaded()
{