Interface nsICertStorageType

Methods

  • Increases the reference count for this interface. The associated instance will not be deleted unless the reference count is returned to zero.

    Returns

    The resulting reference count.

    Returns number

  • Get the count of remaining async operations. Called to ensure we don't skip or interrupt any operations during fast shutdown. Must only be called from the main thread.

    Returns int32_t

  • Parameters

    • aIID: object
    • Optional aInstancePtr: object

    Returns any

  • A run time mechanism for interface discovery.

    Returns

    NS_OK if the interface is supported by the associated instance, NS_NOINTERFACE if it is not.

    aInstancePtr must not be null.

    Parameters

    • aIID: object

      [in] A requested interface IID

    • aInstancePtr: object

      [out] A pointer to an interface pointer to receive the result.

    Returns void

  • Decreases the reference count for this interface. Generally, if the reference count returns to zero, the associated instance is deleted.

    Returns

    The resulting reference count.

    Returns number

  • Given the contents of a CRLite incremental revocation update ("stash"), adds the revocation information to the current set of stashed revocations. The basic unit of the stash file is an issuer subject public key info hash (sha-256) followed by a number of serial numbers corresponding to revoked certificates issued by that issuer. More specifically, each unit consists of:

    • 4 bytes little-endian: the number of serial numbers following the issuer spki hash
    • 1 byte: the length of the issuer spki hash
    • issuer spki hash length bytes: the issuer spki hash
    • as many times as the indicated serial numbers:
      • 1 byte: the length of the serial number
      • serial number length bytes: the serial number

    The stash file consists of any number of these units concatenated together.

    Parameters

    • stash: invalid
    • callback: nsICertStorageCallback

    Returns void
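The stash layout described above can be checked with a small parser. This is an added example, not Firefox or cert_storage code: `parseStash`, `isRevokedByStash`, `sampleUnit` and `SAMPLE_STASH` are hypothetical names, the sample bytes are constructed, and the lookup takes the issuer SPKI hash directly rather than hashing a DER-encoded SPKI.

```javascript
// Added example, not Firefox code: parses the stash layout described above.
const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");

// Returns Map<issuer SPKI hash hex, Set<serial number hex>>.
// Throws RangeError when a length or count field runs past the input.
function parseStash(stash) {
  const view = new DataView(stash.buffer, stash.byteOffset, stash.byteLength);
  const revoked = new Map();
  let pos = 0;
  const take = (n) => {
    if (pos + n > stash.length) {
      throw new RangeError(`truncated stash: need ${n} bytes at offset ${pos}`);
    }
    pos += n;
    return stash.subarray(pos - n, pos);
  };
  while (pos < stash.length) {
    take(4); // bounds-check the count field before reading it
    const serialCount = view.getUint32(pos - 4, true); // 4 bytes little-endian
    const hashLen = take(1)[0];
    const issuerHash = toHex(take(hashLen));
    if (!revoked.has(issuerHash)) revoked.set(issuerHash, new Set());
    for (let i = 0; i < serialCount; i++) {
      const serialLen = take(1)[0];
      revoked.get(issuerHash).add(toHex(take(serialLen)));
    }
  }
  return revoked;
}

// Hypothetical lookup helper; takes the issuer SPKI hash directly (hex).
function isRevokedByStash(revoked, issuerSpkiHashHex, serialHex) {
  const serials = revoked.get(issuerSpkiHashHex);
  return serials !== undefined && serials.has(serialHex);
}

// Constructed sample input: two units with made-up hashes and serial numbers.
function sampleUnit(hashByte, serials) {
  const out = [serials.length, 0, 0, 0, 32, ...new Array(32).fill(hashByte)];
  for (const s of serials) out.push(s.length, ...s);
  return out;
}
const SAMPLE_STASH = Uint8Array.from([
  ...sampleUnit(0xaa, [[0x01], [0x00, 0xff, 0x10]]),
  ...sampleUnit(0xbb, [[0x7f]]),
]);
```

Serial numbers are compared byte for byte, so a leading zero byte is significant, and a unit whose count or length fields overrun the input is rejected rather than partially applied.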

  • Asynchronously add a list of certificates to the backing storage. See the documentation for nsICertInfo. The given callback is called with the result of the operation when it completes. Must only be called from the main thread.

    Parameters

    • certs: invalid
    • callback: nsICertStorageCallback

    Returns void

  • Given the DER-encoded issuer distinguished name, DER-encoded issuer subject public key info, the bytes of the value of the serial number (so, not including the DER tag and length) of a certificate, and the timestamps from that certificate's embedded SCTs, returns the result of looking up the corresponding entry in the currently-saved CRLite filter (if any). Returns

    • STATE_ENFORCE if the lookup indicates the certificate is revoked via CRLite,
    • STATE_UNSET if the lookup indicates the certificate is not revoked via CRLite,
    • STATE_NOT_ENROLLED if the issuer is not enrolled in CRLite,
    • STATE_NOT_COVERED if the issuer is enrolled but the provided timestamps indicate that the serial number is not covered by the current CRLite filter, or
    • STATE_NO_FILTER if there is no (usable) CRLite filter.

    No lookup is performed in the STATE_NOT_ENROLLED and STATE_NOT_COVERED cases.

    Parameters

    • issuer: invalid
    • issuerSPKI: invalid
    • serialNumber: invalid
    • timestamps: invalid

    Returns number

  • Get the revocation state of a certificate. STATE_UNSET indicates the certificate is not revoked. STATE_ENFORCE indicates the certificate is revoked.

    • issuer - issuer name, DER encoded
    • serial - serial number, DER encoded
    • subject - subject name, DER encoded
    • pubkey - public key, DER encoded

    In gecko, must not be called from the main thread. See bug 1541212. xpcshell tests may call this from the main thread.

    Parameters

    • issuer: invalid
    • serial: invalid
    • subject: invalid
    • pubkey: invalid

    Returns number

  • Asynchronously check if the backing storage has stored data of the given type in the past. This is useful if the backing storage may have had to be deleted and recreated (as in bug 1546361, when we discovered that moving from a 32-bit binary to a 64-bit binary caused the DB to become unreadable, thus necessitating its deletion and recreation).

    Parameters

    • type: number
    • callback: nsICertStorageCallback

    Returns void

  • Given a DER-encoded issuer subject public key info and the bytes of the value of the serial number (so, not including the DER tag and length), determines if the certificate identified by this issuer SPKI and serial number is revoked according to the current set of stashed CRLite revocation information.

    Parameters

    • issuerSPKI: invalid
    • serialNumber: invalid

    Returns bool

  • Asynchronously remove the certificates with the given sha-256 hashes from the backing storage. hashes is an array of base64-encoded bytes of the sha-256 hashes of each certificate's bytes (DER-encoded). The given callback is called with the result of the operation when it completes. Must only be called from the main thread.

    Parameters

    • hashes: invalid
    • callback: nsICertStorageCallback

    Returns void

  • Given the contents of a new CRLite filter, a list containing base64(sha256(subject DN || subject SPKI)) for each enrolled issuer, and the filter's timestamp coverage, replaces any existing filter with the new one. Also clears any previously-set incremental revocation updates ("stashes").

    Parameters

    • filter: invalid
    • enrolledIssuers: invalid
    • coverage: invalid
    • callback: nsICertStorageCallback

    Returns void

  • Asynchronously set the revocation states of a set of certificates. The given callback is called with the result of the operation when it completes. Must only be called from the main thread.

    Parameters

    • revocations: invalid
    • callback: nsICertStorageCallback

    Returns void
