I would like to access certificates stored in Mozilla products (Firefox and Thunderbird) from a Delphi (XE) application. For a start I would like to list them, next it would be nice to be able to manage them (import, export, delete) and use them (sign). The software token would be sufficient although using all tokens supported by Mozilla would be great.
So far I tried using XPCOM with the http://d-gecko.svn.sourceforge.net/viewvc/d-gecko/trunk/ Delphi binding. However there is not much documentation around and I am kinda confused with all the terminology and concepts. The best I could manage was:
var ns:nsIX509CertDB;
Using this code I did get an instance of the certdb object and I was able to ask it for certificates. However it seems to be completely empty (count from FindCertNicknames is 0) and it also does not react to changing OCSP (IsOcspOn always returns true). I am thinking that I either created a new certstore or that I need to activate the default user profile somehow.
I also tried accessing softokn.dll as a PKCS#11 library. Although this seems to have some sort of PKCS#11 API, it is not responding well, i.e. CKR_BAD_ARGUMENTS on C_Initialize.
The last and really bad way would be accessing the certificate files directly as they should be "standard" NSS, but I really do not like this way.
I explored the PKCS#11 way a little more and I actually got it to do something. The softokn.dll library is an "almost" standard PKCS#11 library, see https://developer.mozilla.org/en/PKCS11_Module_Specs. The key thing is that you need to initialize it with special arguments (the structure is described in the linked URL).
It's also handy to check the NSS error return values: see CKR_NETSCAPE_... at http://people.mozilla.com/~chofmann/l10n/tree/mozilla/security/nss/cmd/pk11mode/pk11mode.c.
The last key thing is that you need to specify the tokens by hand as the documentation is unclear about using secmod.db - there is a missing word, probably "supported", in "The MOD DB function is not through standard PKCS #11 interfaces".
All this is rather low-level coding and will still need a lot of work, so it may be better to use SecureBlackbox as suggested by Eugene if you are starting from scratch.
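The non-standard initialization the answer describes, as an added C example that is not code from the question or the answer. PKCS#11 is a C API, so a Delphi record would mirror the same CK_C_INITIALIZE_ARGS layout; softoken takes its configuration string through the pReserved field, which a stock PKCS#11 caller leaves NULL. The profile path and the stand-in C_Initialize are assumptions; a real caller obtains the function pointer from C_GetFunctionList after loading softokn.dll.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal PKCS#11 types so the example compiles without pkcs11.h. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef CK_ULONG CK_FLAGS;
typedef void *CK_VOID_PTR;

#define CKR_OK            0x00UL
#define CKR_ARGUMENTS_BAD 0x07UL
#define CKF_OS_LOCKING_OK 0x02UL

/* CK_C_INITIALIZE_ARGS as in PKCS#11 v2.x; NSS softoken reads its
   configuration string from the otherwise unused pReserved field. */
typedef struct {
    CK_VOID_PTR CreateMutex, DestroyMutex, LockMutex, UnlockMutex;
    CK_FLAGS flags;
    CK_VOID_PTR pReserved;
} CK_C_INITIALIZE_ARGS;

typedef CK_RV (*C_Initialize_fn)(CK_VOID_PTR pInitArgs);

/* Build the softoken config string for a Mozilla profile directory.
   Returns a malloc'd string; NULL if the path holds a quote character,
   since quote escaping inside the string is not handled here. */
char *nss_softoken_init_string(const char *profile_dir, int read_only)
{
    static const char fmt[] =
        "configdir='%s' certPrefix='' keyPrefix='' secmod='secmod.db'%s";
    const char *flags = read_only ? " flags=readOnly" : "";
    if (profile_dir == NULL || strchr(profile_dir, '\'') != NULL)
        return NULL;
    size_t n = sizeof fmt + strlen(profile_dir) + strlen(flags);
    char *s = malloc(n);
    if (s != NULL)
        snprintf(s, n, fmt, profile_dir, flags);
    return s;
}

/* Fill the init args and call the module's C_Initialize. The profile is
   opened read-only so the running Firefox keeps control of its databases. */
CK_RV nss_softoken_initialize(C_Initialize_fn init, const char *profile_dir,
                              CK_C_INITIALIZE_ARGS *args_out)
{
    char *cfg = nss_softoken_init_string(profile_dir, 1);
    if (cfg == NULL) return CKR_ARGUMENTS_BAD;
    memset(args_out, 0, sizeof *args_out);
    args_out->flags = CKF_OS_LOCKING_OK; /* let softoken use OS locks */
    args_out->pReserved = cfg;           /* the NSS-specific part */
    return init(args_out);
}

/* Stand-in for the real C_Initialize (assumed): accepts any non-NULL args. */
static CK_RV fake_C_Initialize(CK_VOID_PTR p) { return p ? CKR_OK : CKR_ARGUMENTS_BAD; }
```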