This represents a service to access and manipulate
X.509 certificates stored in a database.
Given a nickname and optionally a token,
locate the matching certificate.
| aToken | Optionally limits the scope of this function to a token device. Can be null to mean any token. |
| aNickname | The nickname to be used as the key to find a certificate. |
| The matching certificate if found. |
Will find a certificate based on its dbkey
retrieved by getting the dbKey attribute of
the certificate.
| aDBkey | Database internal key, as obtained using attribute dbkey in nsIX509Cert. |
| aToken | Optionally limits the scope of this function to a token device. Can be null to mean any token. |
Obtain a list of certificate nicknames from the database.
What the name is depends on type:
user, ca, or server cert - the nickname
email cert - the email address
| aToken | Optionally limits the scope of this function to a token device. Can be null to mean any token. |
| aType | Type of certificate to obtain See certificate type constants in nsIX509Cert. |
| count | The number of nicknames in the returned array |
| certNameList | The returned array of certificate nicknames. |
Find user’s own email encryption certificate by nickname.
| aNickname | The nickname to be used as the key to find the certificate. |
| The matching certificate if found. |
Find user’s own email signing certificate by nickname.
| aNickname | The nickname to be used as the key to find the certificate. |
| The matching certificate if found. |
Find a certificate by email address.
| aToken | Optionally limits the scope of this function to a token device. Can be null to mean any token. |
| aEmailAddress | The email address to be used as the key to find the certificate. |
| The matching certificate if found. |
Use this to import a stream sent down as a mime type into
the certificate database on the default token.
The stream may consist of one or more certificates.
| data | The raw data to be imported |
| length | The length of the data to be imported |
| type | The type of the certificate, see constants in nsIX509Cert |
| ctx | A UI context. |
Import another person’s email certificate into the database.
| data | The raw data to be imported |
| length | The length of the data to be imported |
| ctx | A UI context. |
Import a server machine’s certificate into the database.
| data | The raw data to be imported |
| length | The length of the data to be imported |
| ctx | A UI context. |
Import a personal certificate into the database, assuming
the database already contains the private key for this certificate.
| data | The raw data to be imported |
| length | The length of the data to be imported |
| ctx | A UI context. |
Delete a certificate stored in the database.
| aCert | Delete this certificate. |
Modify the trust that is stored and associated to a certificate within
a database. Separate trust is stored for
One call manipulates the trust for one trust type only.
See the trust type constants defined within this interface.
| cert | Change the stored trust of this certificate. |
| type | The type of the certificate. See nsIX509Cert. |
| trust | A bitmask. The new trust for the possible usages. See the trust constants defined within this interface. |
| cert | The certificate for which to modify trust. |
| trustString | decoded by CERT_DecodeTrustString. 3 comma separated characters, indicating SSL, Email, and Obj signing trust. |
Query whether a certificate is trusted for a particular use.
| cert | Obtain the stored trust of this certificate. |
| certType | The type of the certificate. See nsIX509Cert. |
| trustType | A single bit from the usages constants defined within this interface. |
| Returns true if the certificate is trusted for the given use. |
Import certificate(s) from file
| aToken | Optionally limits the scope of this function to a token device. Can be null to mean any token. |
| aFile | Identifies a file that contains the certificate to be imported. |
| aType | Describes the type of certificate that is going to be imported. See type constants in nsIX509Cert. |
Import a PKCS#12 file containing cert(s) and key(s) into the database.
| aToken | Optionally limits the scope of this function to a token device. Can be null to mean any token. |
| aFile | Identifies a file that contains the data to be imported. |
Export a set of certs and keys from the database to a PKCS#12 file.
| aToken | Optionally limits the scope of this function to a token device. Can be null to mean any token. |
| aFile | Identifies a file that will be filled with the data to be exported. |
| count | The number of certificates to be exported. |
| aCerts | The array of all certificates to be exported. |
Given streams containing a signature and a manifest file, verifies
that the signature is valid for the manifest. The signature must
come from a certificate that is trusted for code signing and that
was issued by the given trusted root.
On success, NS_OK and the trusted certificate that signed the
Manifest are returned.
On failure, an error code is returned.
Warning: This interface is inteded to use only for testing only as:
1. It can create IO on the main thread.
2. It is in constant change, so in/out can change at any release.
Obtain the verification result for a cert given a particular usage.
On success, the call returns 0, the chain built during verification,
and whether the cert is good for EV usage.
On failure, the call returns the PRErrorCode for the verification failure
| aCert | Obtain the stored trust of this certificate |
| aUsage | a integer representing the usage from NSS |
| aFlags | flags as described above |
| verifedChain | chain of verification up to the root if success |
| aHasEVPolicy | bool that signified that the cert was an EV cert |
| 0 if success or the value or the error code for the verification failure |
Constants that define which usages a certificate
is trusted for.
Verifies the signature on the given JAR file to verify that it has a
valid signature. To be considered valid, there must be exactly one
signature on the JAR file and that signature must have signed every
entry. Further, the signature must come from a certificate that
is trusted for code signing.
On success, NS_OK, a nsIZipReader, and the trusted certificate that
signed the JAR are returned.
On failure, an error code is returned.
This method returns a nsIZipReader, instead of taking an nsIZipReader
as input, to encourage users of the API to verify the signature as the
first step in opening the JAR.