The cleanest and most extensible way to retrieve certificates for a VirtualFile is to actually have the impl on the VirtualFile api itself.

Currently we only know how to return certificates associated with non-nested jar files.
For nested files we will have to rewrite how JarInputStream works as its current impl breaks navigation; no manifest.mf as a child.

For other VirtualFileHandler impls, we have 'free hands' on how we should support certificates.
e.g. com/jboss/acme/X.class --> com/jboss/acme/X.class.cert