corysanin/tubestation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
current
tubestation/security/manager/ssl/nsIContentSignatureVerifier.idl
Dana Keeler 88d8e888f0 Bug 1769669 - require specifying the trusted root in content signature verifier r=jschanck,leplatrem,robwu,barret 
Before this patch, the content signature verifier
(nsIContentSignatureVerifier/ContentSignatureVerifier) would identify the root
it trusted based on the value of a preference. This patch changes the
implementation to require a specified hard-coded root to trust as with add-on
signature verification.

Depends on D146644

Differential Revision: https://phabricator.services.mozilla.com/D146645
2022-06-03 23:26:28 +00:00

50 lines
2.2 KiB
Plaintext
Raw Permalink Blame History

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "nsISupports.idl"
#include "nsIX509CertDB.idl"
interface nsIContentSignatureReceiverCallback;
/**
* An interface for verifying content-signatures, inspired by
* https://tools.ietf.org/html/draft-thomson-http-content-signature-00
* described here https://github.com/franziskuskiefer/content-signature/tree/pki
*/
[scriptable, uuid(45a5fe2f-c350-4b86-962d-02d5aaaa955a)]
interface nsIContentSignatureVerifier : nsISupports
{
const AppTrustedRoot ContentSignatureProdRoot = 1;
const AppTrustedRoot ContentSignatureStageRoot = 2;
const AppTrustedRoot ContentSignatureDevRoot = 3;
const AppTrustedRoot ContentSignatureLocalRoot = 4;
/**
* Verifies that the data matches the data that was used to generate the
* signature.
*
* @param aData The data to be tested.
* @param aContentSignatureHeader The content-signature header,
* url-safe base64 encoded.
* @param aCertificateChain The certificate chain to use for verification.
* PEM encoded string.
* @param aHostname The hostname for which the end entity must
* be valid.
* @param aTrustedRoot The identifier corresponding to the
* expected root certificate of the
* certificate chain (note that the root need
* not actually be included in the chain).
* @returns Promise that resolves with the value true if the signature
* matches the data and aCertificateChain is valid within aContext,
* and false if not. Rejects if another error occurred.
*/
[implicit_jscontext, must_use]
Promise asyncVerifyContentSignature(in ACString aData,
in ACString aContentSignatureHeader,
in ACString aCertificateChain,
in ACString aHostname,
in AppTrustedRoot aTrustedRoot);
};
Reference in New Issue View Git Blame Copy Permalink