path: root/smime/lib/e-cert-db.c

/* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*- */
/* The following is the mozilla license blurb, as the bodies some of
 * these functions were derived from the mozilla source. */
/* e-cert-db.c
 *
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 *
 * The contents of this file are subject to the Mozilla Public License Version
 * 1.1 (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 * http://www.mozilla.org/MPL/
 *
 * Software distributed under the License is distributed on an "AS IS" basis,
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 * for the specific language governing rights and limitations under the
 * License.
 *
 * The Original Code is the Netscape security libraries.
 *
 * The Initial Developer of the Original Code is
 * Netscape Communications Corporation.
 * Portions created by the Initial Developer are Copyright (C) 1994-2000
 * the Initial Developer. All Rights Reserved.
 *
 * Alternatively, the contents of this file may be used under the terms of
 * either the GNU General Public License Version 2 or later (the "GPL"), or
 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 * in which case the provisions of the GPL or the LGPL are applicable instead
 * of those above. If you wish to allow use of your version of this file only
 * under the terms of either the GPL or the LGPL, and not to allow others to
 * use your version of this file under the terms of the MPL, indicate your
 * decision by deleting the provisions above and replace them with the notice
 * and other provisions required by the GPL or the LGPL. If you do not delete
 * the provisions above, a recipient may use your version of this file under
 * the terms of any one of the MPL, the GPL or the LGPL.
 */

/*
 * Author: Chris Toshok (toshok@ximian.com)
 *
 * Copyright (C) 1999-2008 Novell, Inc. (www.novell.com)
 */
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

#include <gtk/gtk.h>
#include <glib/gi18n.h>
#include <glib/gstdio.h>

#include <camel/camel.h>

/* private NSS defines used by PSM */
/* (must be declated before cert.h) */
#define CERT_NewTempCertificate __CERT_NewTempCertificate
#define CERT_AddTempCertToPerm __CERT_AddTempCertToPerm

#include "e-cert-db.h"
#include "e-cert-trust.h"
#include "e-pkcs12.h"

#include "gmodule.h"

#include "nss.h"
#include "ssl.h"
#include "p12plcy.h"
#include "pk11func.h"
#include "nssckbi.h"
#include <secerr.h>
#include "secmod.h"
#include "certdb.h"
#include "plstr.h"
#include "prprf.h"
#include "prmem.h"
#include "e-util/e-util.h"
#include "e-util/e-util-private.h"
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

enum {
    PK11_PASSWD,
    PK11_CHANGE_PASSWD,
    CONFIRM_CA_CERT_IMPORT,
    LAST_SIGNAL
};

static guint e_cert_db_signals[LAST_SIGNAL];

G_DEFINE_TYPE (ECertDB, e_cert_db, G_TYPE_OBJECT)

GQuark
e_certdb_error_quark (void)
{
    static GQuark q = 0;
    if (q == 0)
        q = g_quark_from_static_string ("e-certdb-error-quark");

    return q;
}

static const gchar *
nss_error_to_string (glong errorcode)
{
#define cs(a,b) case a: return b;

    switch (errorcode) {
    cs (SEC_ERROR_IO, "An I/O error occurred during security authorization.")
    cs (SEC_ERROR_LIBRARY_FAILURE, "security library failure.")
    cs (SEC_ERROR_BAD_DATA, "security library: received bad data.")
    cs (SEC_ERROR_OUTPUT_LEN, "security library: output length error.")
    cs (SEC_ERROR_INPUT_LEN, "security library has experienced an input length error.")
    cs (SEC_ERROR_INVALID_ARGS, "security library: invalid arguments.")
    cs (SEC_ERROR_INVALID_ALGORITHM, "security library: invalid algorithm.")
    cs (SEC_ERROR_INVALID_AVA, "security library: invalid AVA.")
    cs (SEC_ERROR_INVALID_TIME, "Improperly formatted time string.")
    cs (SEC_ERROR_BAD_DER, "security library: improperly formatted DER-encoded message.")
    cs (SEC_ERROR_BAD_SIGNATURE, "Peer's certificate has an invalid signature.")
    cs (SEC_ERROR_EXPIRED_CERTIFICATE, "Peer's Certificate has expired.")
    cs (SEC_ERROR_REVOKED_CERTIFICATE, "Peer's Certificate has been revoked.")
    cs (SEC_ERROR_UNKNOWN_ISSUER, "Peer's Certificate issuer is not recognized.")
    cs (SEC_ERROR_BAD_KEY, "Peer's public key is invalid.")
    cs (SEC_ERROR_BAD_PASSWORD, "The security password entered is incorrect.")
    cs (SEC_ERROR_RETRY_PASSWORD, "New password entered incorrectly.  Please try again.")
    cs (SEC_ERROR_NO_NODELOCK, "security library: no nodelock.")
    cs (SEC_ERROR_BAD_DATABASE, "security library: bad database.")
    cs (SEC_ERROR_NO_MEMORY, "security library: memory allocation failure.")
    cs (SEC_ERROR_UNTRUSTED_ISSUER, "Peer's certificate issuer has been marked as not trusted by the user.")
    cs (SEC_ERROR_UNTRUSTED_CERT, "Peer's certificate has been marked as not trusted by the user.")
    cs (SEC_ERROR_DUPLICATE_CERT, "Certificate already exists in your database.")
    cs (SEC_ERROR_DUPLICATE_CERT_NAME, "Downloaded certificate's name duplicates one already in your database.")
    cs (SEC_ERROR_ADDING_CERT, "Error adding certificate to database.")
    cs (SEC_ERROR_FILING_KEY, "Error refiling the key for this certificate.")
    cs (SEC_ERROR_NO_KEY, "The private key for this certificate cannot be found in key database")
    cs (SEC_ERROR_CERT_VALID, "This certificate is valid.")
    cs (SEC_ERROR_CERT_NOT_VALID, "This certificate is not valid.")
    cs (SEC_ERROR_CERT_NO_RESPONSE, "Cert Library: No Response")
    cs (SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE, "The certificate issuer's certificate has expired.  Check your system date and time.")
    cs (SEC_ERROR_CRL_EXPIRED, "The CRL for the certificate's issuer has expired.  Update it or check your system date and time.")
    cs (SEC_ERROR_CRL_BAD_SIGNATURE, "The CRL for the certificate's issuer has an invalid signature.")
    cs (SEC_ERROR_CRL_INVALID, "New CRL has an invalid format.")
    cs (SEC_ERROR_EXTENSION_VALUE_INVALID, "Certificate extension value is invalid.")
    cs (SEC_ERROR_EXTENSION_NOT_FOUND, "Certificate extension not found.")
    cs (SEC_ERROR_CA_CERT_INVALID, "Issuer certificate is invalid.")
    cs (SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID, "Certificate path length constraint is invalid.")
    cs (SEC_ERROR_CERT_USAGES_INVALID, "Certificate usages field is invalid.")
    cs (SEC_INTERNAL_ONLY, "**Internal ONLY module**")
    cs (SEC_ERROR_INVALID_KEY, "The key does not support the requested operation.")
    cs (SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION, "Certificate contains unknown critical extension.")
    cs (SEC_ERROR_OLD_CRL, "New CRL is not later than the current one.")
    cs (SEC_ERROR_NO_EMAIL_CERT, "Not encrypted or signed: you do not yet have an email certificate.")
    cs (SEC_ERROR_NO_RECIPIENT_CERTS_QUERY, "Not encrypted: you do not have certificates for each of the recipients.")
    cs (SEC_ERROR_NOT_A_RECIPIENT, "Cannot decrypt: you are not a recipient, or matching certificate and private key not found.")
    cs (SEC_ERROR_PKCS7_KEYALG_MISMATCH, "Cannot decrypt: key encryption algorithm does not match your certificate.")
    cs (SEC_ERROR_PKCS7_BAD_SIGNATURE, "Signature verification failed: no signer found, too many signers found, or improper or corrupted data.")
    cs (SEC_ERROR_UNSUPPORTED_KEYALG, "Unsupported or unknown key algorithm.")
    cs (SEC_ERROR_DECRYPTION_DISALLOWED, "Cannot decrypt: encrypted using a disallowed algorithm or key size.")
    cs (XP_SEC_FORTEZZA_BAD_CARD, "Fortezza card has not been properly initialized.  Please remove it and return it to your issuer.")
    cs (XP_SEC_FORTEZZA_NO_CARD, "No Fortezza cards Found")
    cs (XP_SEC_FORTEZZA_NONE_SELECTED, "No Fortezza card selected")
    cs (XP_SEC_FORTEZZA_MORE_INFO, "Please select a personality to get more info on")
    cs (XP_SEC_FORTEZZA_PERSON_NOT_FOUND, "Personality not found")
    cs (XP_SEC_FORTEZZA_NO_MORE_INFO, "No more information on that Personality")
    cs (XP_SEC_FORTEZZA_BAD_PIN, "Invalid Pin")
    cs (XP_SEC_FORTEZZA_PERSON_ERROR, "Couldn't initialize Fortezza personalities.")
    cs (SEC_ERROR_NO_KRL, "No KRL for this site's certificate has been found.")
    cs (SEC_ERROR_KRL_EXPIRED, "The KRL for this site's certificate has expired.")
    cs (SEC_ERROR_KRL_BAD_SIGNATURE, "The KRL for this site's certificate has an invalid signature.")
    cs (SEC_ERROR_REVOKED_KEY, "The key for this site's certificate has been revoked.")
    cs (SEC_ERROR_KRL_INVALID, "New KRL has an invalid format.")
    cs (SEC_ERROR_NEED_RANDOM, "security library: need random data.")
    cs (SEC_ERROR_NO_MODULE, "security library: no security module can perform the requested operation.")
    cs (SEC_ERROR_NO_TOKEN, "The security card or token does not exist, needs to be initialized, or has been removed.")
    cs (SEC_ERROR_READ_ONLY, "security library: read-only database.")
    cs (SEC_ERROR_NO_SLOT_SELECTED, "No slot or token was selected.")
    cs (SEC_ERROR_CERT_NICKNAME_COLLISION, "A certificate with the same nickname already exists.")
    cs (SEC_ERROR_KEY_NICKNAME_COLLISION, "A key with the same nickname already exists.")
    cs (SEC_ERROR_SAFE_NOT_CREATED, "error while creating safe object")
    cs (SEC_ERROR_BAGGAGE_NOT_CREATED, "error while creating baggage object")
    cs (XP_JAVA_REMOVE_PRINCIPAL_ERROR, "Couldn't remove the principal")
    cs (XP_JAVA_DELETE_PRIVILEGE_ERROR, "Couldn't delete the privilege")
    cs (XP_JAVA_CERT_NOT_EXISTS_ERROR, "This principal doesn't have a certificate")
    cs (SEC_ERROR_BAD_EXPORT_ALGORITHM, "Required algorithm is not allowed.")
    cs (SEC_ERROR_EXPORTING_CERTIFICATES, "Error attempting to export certificates.")
    cs (SEC_ERROR_IMPORTING_CERTIFICATES, "Error attempting to import certificates.")
    cs (SEC_ERROR_PKCS12_DECODING_PFX, "Unable to import.  Decoding error.  File not valid.")
    cs (SEC_ERROR_PKCS12_INVALID_MAC, "Unable to import.  Invalid MAC.  Incorrect password or corrupt file.")
    cs (SEC_ERROR_PKCS12_UNSUPPORTED_MAC_ALGORITHM, "Unable to import.  MAC algorithm not supported.")
    cs (SEC_ERROR_PKCS12_UNSUPPORTED_TRANSPORT_MODE, "Unable to import.  Only password integrity and privacy modes supported.")
    cs (SEC_ERROR_PKCS12_CORRUPT_PFX_STRUCTURE, "Unable to import.  File structure is corrupt.")
    cs (SEC_ERROR_PKCS12_UNSUPPORTED_PBE_ALGORITHM, "Unable to import.  Encryption algorithm not supported.")
    cs (SEC_ERROR_PKCS12_UNSUPPORTED_VERSION, "Unable to import.  File version not supported.")
    cs (SEC_ERROR_PKCS12_PRIVACY_PASSWORD_INCORRECT, "Unable to import.  Incorrect privacy password.")
    cs (SEC_ERROR_PKCS12_CERT_COLLISION, "Unable to import.  Same nickname already exists in database.")
    cs (SEC_ERROR_USER_CANCELLED, "The user pressed cancel.")
    cs (SEC_ERROR_PKCS12_DUPLICATE_DATA, "Not imported, already in database.")
    cs (SEC_ERROR_MESSAGE_SEND_ABORTED, "Message not sent.")
    cs (SEC_ERROR_INADEQUATE_KEY_USAGE, "Certificate key usage inadequate for attempted operation.")
    cs (SEC_ERROR_INADEQUATE_CERT_TYPE, "Certificate type not approved for application.")
    cs (SEC_ERROR_CERT_ADDR_MISMATCH, "Address in signing certificate does not match address in message headers.")
    cs (SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY, "Unable to import.  Error attempting to import private key.")
    cs (SEC_ERROR_PKCS12_IMPORTING_CERT_CHAIN, "Unable to import.  Error attempting to import certificate chain.")
    cs (SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME, "Unable to export.  Unable to locate certificate or key by nickname.")
    cs (SEC_ERROR_PKCS12_UNABLE_TO_EXPORT_KEY, "Unable to export.  Private Key could not be located and exported.")
    cs (SEC_ERROR_PKCS12_UNABLE_TO_WRITE, "Unable to export.  Unable to write the export file.")
    cs (SEC_ERROR_PKCS12_UNABLE_TO_READ, "Unable to import.  Unable to read the import file.")
    cs (SEC_ERROR_PKCS12_KEY_DATABASE_NOT_INITIALIZED, "Unable to export.  Key database corrupt or deleted.")
    cs (SEC_ERROR_KEYGEN_FAIL, "Unable to generate public/private key pair.")
    cs (SEC_ERROR_INVALID_PASSWORD, "Password entered is invalid.  Please pick a different one.")
    cs (SEC_ERROR_RETRY_OLD_PASSWORD, "Old password entered incorrectly.  Please try again.")
    cs (SEC_ERROR_BAD_NICKNAME, "Certificate nickname already in use.")
    cs (SEC_ERROR_NOT_FORTEZZA_ISSUER, "Peer FORTEZZA chain has a non-FORTEZZA Certificate.")
    cs (SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY, "A sensitive key cannot be moved to the slot where it is needed.")
    cs (SEC_ERROR_JS_INVALID_MODULE_NAME, "Invalid module name.")
    cs (SEC_ERROR_JS_INVALID_DLL, "Invalid module path/filename")
    cs (SEC_ERROR_JS_ADD_MOD_FAILURE, "Unable to add module")
    cs (SEC_ERROR_JS_DEL_MOD_FAILURE, "Unable to delete module")
    cs (SEC_ERROR_OLD_KRL, "New KRL is not later than the current one.")
    cs (SEC_ERROR_CKL_CONFLICT, "New CKL has different issuer than current CKL.  Delete current CKL.")
    cs (SEC_ERROR_CERT_NOT_IN_NAME_SPACE, "The Certifying Authority for this certificate is not permitted to issue a certificate with this name.")
    cs (SEC_ERROR_KRL_NOT_YET_VALID, "The key revocation list for this certificate is not yet valid.")
    cs (SEC_ERROR_CRL_NOT_YET_VALID, "The certificate revocation list for this certificate is not yet valid.")
    cs (SEC_ERROR_UNKNOWN_CERT, "The requested certificate could not be found.")
    cs (SEC_ERROR_UNKNOWN_SIGNER, "The signer's certificate could not be found.")
    cs (SEC_ERROR_CERT_BAD_ACCESS_LOCATION,  "The location for the certificate status server has invalid format.")
    cs (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_TYPE, "The OCSP response cannot be fully decoded; it is of an unknown type.")
    cs (SEC_ERROR_OCSP_BAD_HTTP_RESPONSE, "The OCSP server returned unexpected/invalid HTTP data.")
    cs (SEC_ERROR_OCSP_MALFORMED_REQUEST, "The OCSP server found the request to be corrupted or improperly formed.")
    cs (SEC_ERROR_OCSP_SERVER_ERROR, "The OCSP server experienced an internal error.")
    cs (SEC_ERROR_OCSP_TRY_SERVER_LATER, "The OCSP server suggests trying again later.")
    cs (SEC_ERROR_OCSP_REQUEST_NEEDS_SIG, "The OCSP server requires a signature on this request.")
    cs (SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST, "The OCSP server has refused this request as unauthorized.")
    cs (SEC_ERROR_OCSP_UNKNOWN_RESPONSE_STATUS, "The OCSP server returned an unrecognizable status.")
    cs (SEC_ERROR_OCSP_UNKNOWN_CERT, "The OCSP server has no status for the certificate.")
    cs (SEC_ERROR_OCSP_NOT_ENABLED, "You must enable OCSP before performing this operation.")
    cs (SEC_ERROR_OCSP_NO_DEFAULT_RESPONDER, "You must set the OCSP default responder before performing this operation.")
    cs (SEC_ERROR_OCSP_MALFORMED_RESPONSE, "The response from the OCSP server was corrupted or improperly formed.")
    cs (SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE, "The signer of the OCSP response is not authorized to give status for this certificate.")
    cs (SEC_ERROR_OCSP_FUTURE_RESPONSE, "The OCSP response is not yet valid (contains a date in the future).")
    cs (SEC_ERROR_OCSP_OLD_RESPONSE, "The OCSP response contains out-of-date information.")
    cs (SEC_ERROR_DIGEST_NOT_FOUND, "The CMS or PKCS #7 Digest was not found in signed message.")
    cs (SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE, "The CMS or PKCS #7 Message type is unsupported.")
    cs (SEC_ERROR_MODULE_STUCK, "PKCS #11 module could not be removed because it is still in use.")
    cs (SEC_ERROR_BAD_TEMPLATE, "Could not decode ASN.1 data. Specified template was invalid.")
    cs (SEC_ERROR_CRL_NOT_FOUND, "No matching CRL was found.")
    cs (SEC_ERROR_REUSED_ISSUER_AND_SERIAL, "You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert.")
    cs (SEC_ERROR_BUSY, "NSS could not shutdown. Objects are still in use.")
    cs (SEC_ERROR_EXTRA_INPUT, "DER-encoded message contained extra unused data.")
    cs (SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE, "Unsupported elliptic curve.")
    cs (SEC_ERROR_UNSUPPORTED_EC_POINT_FORM, "Unsupported elliptic curve point form.")
    cs (SEC_ERROR_UNRECOGNIZED_OID, "Unrecognized Object Identifier.")
    cs (SEC_ERROR_OCSP_INVALID_SIGNING_CERT, "Invalid OCSP signing certificate in OCSP response.")
    cs (SEC_ERROR_REVOKED_CERTIFICATE_CRL, "Certificate is revoked in issuer's certificate revocation list.")
    cs (SEC_ERROR_REVOKED_CERTIFICATE_OCSP, "Issuer's OCSP responder reports certificate is revoked.")
    cs (SEC_ERROR_CRL_INVALID_VERSION, "Issuer's Certificate Revocation List has an unknown version number.")
    cs (SEC_ERROR_CRL_V1_CRITICAL_EXTENSION, "Issuer's V1 Certificate Revocation List has a critical extension.")
    cs (SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION, "Issuer's V2 Certificate Revocation List has an unknown critical extension.")
    cs (SEC_ERROR_UNKNOWN_OBJECT_TYPE, "Unknown object type specified.")
    cs (SEC_ERROR_INCOMPATIBLE_PKCS11, "PKCS #11 driver violates the spec in an incompatible way.")
    cs (SEC_ERROR_NO_EVENT, "No new slot event is available at this time.")
    cs (SEC_ERROR_CRL_ALREADY_EXISTS, "CRL already exists.")
    cs (SEC_ERROR_NOT_INITIALIZED, "NSS is not initialized.")
    cs (SEC_ERROR_TOKEN_NOT_LOGGED_IN, "The operation failed because the PKCS#11 token is not logged in.")
    cs (SEC_ERROR_OCSP_RESPONDER_CERT_INVALID, "Configured OCSP responder's certificate is invalid.")
    cs (SEC_ERROR_OCSP_BAD_SIGNATURE, "OCSP response has an invalid signature.")

    #if defined (NSS_VMAJOR) && defined (NSS_VMINOR) && defined (NSS_VPATCH) && (NSS_VMAJOR > 3 || (NSS_VMAJOR == 3 && NSS_VMINOR > 12) || (NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH >= 2))
    cs (SEC_ERROR_OUT_OF_SEARCH_LIMITS, "Cert validation search is out of search limits")
    cs (SEC_ERROR_INVALID_POLICY_MAPPING, "Policy mapping contains anypolicy")
    cs (SEC_ERROR_POLICY_VALIDATION_FAILED, "Cert chain fails policy validation")
    cs (SEC_ERROR_UNKNOWN_AIA_LOCATION_TYPE, "Unknown location type in cert AIA extension")
    cs (SEC_ERROR_BAD_HTTP_RESPONSE, "Server returned bad HTTP response")
    cs (SEC_ERROR_BAD_LDAP_RESPONSE, "Server returned bad LDAP response")
    cs (SEC_ERROR_FAILED_TO_ENCODE_DATA, "Failed to encode data with ASN1 encoder")
    cs (SEC_ERROR_BAD_INFO_ACCESS_LOCATION, "Bad information access location in cert extension")
    cs (SEC_ERROR_LIBPKIX_INTERNAL, "Libpkix internal error occured during cert validation.")
    cs (SEC_ERROR_PKCS11_GENERAL_ERROR, "A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.")
    cs (SEC_ERROR_PKCS11_FUNCTION_FAILED, "A PKCS #11 module returned CKR_FUNCTION_FAILED, indicating that the requested function could not be performed.  Trying the same operation again might succeed.")
    cs (SEC_ERROR_PKCS11_DEVICE_ERROR, "A PKCS #11 module returned CKR_DEVICE_ERROR, indicating that a problem has occurred with the token or slot.")
    #endif
    }

    #undef cs

    return NULL;
}

static void
set_nss_error (GError **error)
{
    glong err_code;
    const gchar *err_str;

    if (!error)
        return;

    g_return_if_fail (*error == NULL);

    err_code = PORT_GetError ();

    if (!err_code)
        return;

    err_str = nss_error_to_string (err_code);
    if (!err_str)
        return;

    *error = g_error_new_literal (E_CERTDB_ERROR, err_code, err_str);
}

static SECStatus PR_CALLBACK
collect_certs (gpointer arg,
               SECItem **certs,
               gint numcerts)
{
    CERTDERCerts *collectArgs;
    SECItem *cert;
    SECStatus rv;

    collectArgs = (CERTDERCerts *) arg;

    collectArgs->numcerts = numcerts;
    collectArgs->rawCerts = (SECItem *) PORT_ArenaZAlloc (
        collectArgs->arena, sizeof (SECItem) * numcerts);
    if (collectArgs->rawCerts == NULL)
        return (SECFailure);

    cert = collectArgs->rawCerts;

    while (numcerts--) {
        rv = SECITEM_CopyItem (collectArgs->arena, cert, *certs);
        if (rv == SECFailure)
            return (SECFailure);
        cert++;
        certs++;
    }

    return (SECSuccess);
}

static CERTDERCerts *
e_cert_db_get_certs_from_package (PRArenaPool *arena,
                                  gchar *data,
                                  guint32 length)
{
    /*nsNSSShutDownPreventionLock locker;*/
    CERTDERCerts *collectArgs =
        (CERTDERCerts *) PORT_ArenaZAlloc (arena, sizeof (CERTDERCerts));
    SECStatus sec_rv;

    if (!collectArgs)
        return NULL;

    collectArgs->arena = arena;
    sec_rv = CERT_DecodeCertPackage (
        data,
                    length, collect_certs,
                    (gpointer) collectArgs);

    if (sec_rv != SECSuccess)
        return NULL;

    return collectArgs;
}

#ifdef notyet
PRBool
ucs2_ascii_conversion_fn (PRBool toUnicode,
                          guchar *inBuf,
                          guint inBufLen,
                          guchar *outBuf,
                          guint maxOutBufLen,
                          guint *outBufLen,
                          PRBool swapBytes)
{
    printf ("in ucs2_ascii_conversion_fn\n");
}
#endif

static gchar * PR_CALLBACK
pk11_password (PK11SlotInfo *slot,
               PRBool retry,
               gpointer arg)
{
    gchar *pwd;
    gchar *nsspwd;

    gboolean rv = FALSE;

    g_signal_emit (
        e_cert_db_peek (),
        e_cert_db_signals[PK11_PASSWD], 0,
        slot,
        retry,
        &pwd,
        &rv);

    if (pwd == NULL)
        return NULL;

    nsspwd = PORT_Strdup (pwd);
    memset (pwd, 0, strlen (pwd));
    g_free (pwd);
    return nsspwd;
}

static void
initialize_nss (void)
{
    /* Use camel_init() to initialise NSS consistently... */
    camel_init (e_get_user_data_dir (), TRUE);

    /* ... except for the bits we only seem to do here. FIXME */
    PK11_SetPasswordFunc (pk11_password);

    /* Enable ciphers for PKCS#12 */
    SEC_PKCS12EnableCipher (PKCS12_RC4_40, 1);
    SEC_PKCS12EnableCipher (PKCS12_RC4_128, 1);
    SEC_PKCS12EnableCipher (PKCS12_RC2_CBC_40, 1);
    SEC_PKCS12EnableCipher (PKCS12_RC2_CBC_128, 1);
    SEC_PKCS12EnableCipher (PKCS12_DES_56, 1);
    SEC_PKCS12EnableCipher (PKCS12_DES_EDE3_168, 1);
    SEC_PKCS12SetPreferredCipher (PKCS12_DES_EDE3_168, 1);
#ifdef notyet
    PORT_SetUCS2_ASCIIConversionFunction (ucs2_ascii_conversion_fn);
#endif
}

static void
install_loadable_roots (void)
{
    SECMODModuleList *list = SECMOD_GetDefaultModuleList ();
    SECMODListLock *lock = SECMOD_GetDefaultModuleListLock ();
    SECMODModule *RootsModule = NULL;
    gint i;

    SECMOD_GetReadLock (lock);
    while (!RootsModule && list) {
        SECMODModule *module = list->module;

        for (i = 0; i < module->slotCount; i++) {
            PK11SlotInfo *slot = module->slots[i];
            if (PK11_IsPresent (slot)) {
                if (PK11_HasRootCerts (slot)) {
                    RootsModule = module;
                    break;
                }
            }
        }

        list = list->next;
    }
    SECMOD_ReleaseReadLock (lock);

    if (RootsModule) {
        /* Check version, and unload module if it is too old */
        CK_INFO info;

        if (PK11_GetModInfo (RootsModule, &info) != SECSuccess) {
            /* Do not use this module */
            RootsModule = NULL;
        } else {
            /* NSS_BUILTINS_LIBRARY_VERSION_MAJOR and NSS_BUILTINS_LIBRARY_VERSION_MINOR
             * define the version we expect to have.
             * Later version are fine.
             * Older versions are not ok, and we will replace with our own version.
             */
            if ((info.libraryVersion.major < NSS_BUILTINS_LIBRARY_VERSION_MAJOR)
                || (info.libraryVersion.major == NSS_BUILTINS_LIBRARY_VERSION_MAJOR
                && info.libraryVersion.minor < NSS_BUILTINS_LIBRARY_VERSION_MINOR)) {
                PRInt32 modType;

                SECMOD_DeleteModule (RootsModule->commonName, &modType);

                RootsModule = NULL;
            }
        }
    }

    if (!RootsModule) {
#ifndef G_OS_WIN32
        /* grovel in various places for mozilla's built-in
         * cert module.
         *
         * XXX yes this is gross.  *sigh *
        */
        const gchar *paths_to_check[] = {
#ifdef MOZILLA_NSS_LIB_DIR
            MOZILLA_NSS_LIB_DIR,
#endif
            "/usr/lib",
            "/usr/lib/mozilla",
            "/opt/mozilla/lib",
            "/opt/mozilla/lib/mozilla"
        };

        for (i = 0; i < G_N_ELEMENTS (paths_to_check); i++) {
            gchar *dll_path = g_module_build_path (paths_to_check[i], "nssckbi");

            if (g_file_test (dll_path, G_FILE_TEST_EXISTS)) {
                PRInt32 modType;

                /* Delete the existing module */
                SECMOD_DeleteModule ("Mozilla Root Certs", &modType);

                SECMOD_AddNewModule ("Mozilla Root Certs",dll_path, 0, 0);
                g_free (dll_path);
                break;
            }

            g_free (dll_path);
        }
#else
        /* FIXME: Might be useful to look up if there is a
         * Mozilla installation on the machine and use the
         * nssckbi.dll from there.
         */
#endif
    }
}

static void
e_cert_db_class_init (ECertDBClass *class)
{
    GObjectClass *object_class;

    object_class = G_OBJECT_CLASS (class);

    initialize_nss ();
    /* check to see if you have a rootcert module installed */
    install_loadable_roots ();

    e_cert_db_signals[PK11_PASSWD] = g_signal_new (
        "pk11_passwd",
        G_OBJECT_CLASS_TYPE (object_class),
        G_SIGNAL_RUN_LAST,
        G_STRUCT_OFFSET (ECertDBClass, pk11_passwd),
        NULL, NULL,
        e_marshal_BOOLEAN__POINTER_BOOLEAN_POINTER,
        G_TYPE_BOOLEAN, 3,
        G_TYPE_POINTER, G_TYPE_BOOLEAN, G_TYPE_POINTER);

    e_cert_db_signals[PK11_CHANGE_PASSWD] = g_signal_new (
        "pk11_change_passwd",
        G_OBJECT_CLASS_TYPE (object_class),
        G_SIGNAL_RUN_LAST,
        G_STRUCT_OFFSET (ECertDBClass, pk11_change_passwd),
        NULL, NULL,
        e_marshal_BOOLEAN__POINTER_POINTER,
        G_TYPE_BOOLEAN, 2,
        G_TYPE_POINTER, G_TYPE_POINTER);

    e_cert_db_signals[CONFIRM_CA_CERT_IMPORT] = g_signal_new (
        "confirm_ca_cert_import",
        G_OBJECT_CLASS_TYPE (object_class),
        G_SIGNAL_RUN_LAST,
        G_STRUCT_OFFSET (ECertDBClass, confirm_ca_cert_import),
        NULL, NULL,
        e_marshal_BOOLEAN__POINTER_POINTER_POINTER_POINTER,
        G_TYPE_BOOLEAN, 4,
        G_TYPE_POINTER, G_TYPE_POINTER, G_TYPE_POINTER, G_TYPE_POINTER);
}

static void
e_cert_db_init (ECertDB *ec)
{
}

GMutex init_mutex;
static ECertDB *cert_db = NULL;

ECertDB *
e_cert_db_peek (void)
{
    g_mutex_lock (&init_mutex);
    if (!cert_db)
        cert_db = g_object_new (E_TYPE_CERT_DB, NULL);
    g_mutex_unlock (&init_mutex);

    return cert_db;
}

void
e_cert_db_shutdown (void)
{
    /* XXX */
}

/* searching for certificates */
ECert *
e_cert_db_find_cert_by_nickname (ECertDB *certdb,
                                 const gchar *nickname,
                                 GError **error)
{
    /*  nsNSSShutDownPreventionLock locker;*/
    CERTCertificate *cert = NULL;

    /*PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Getting \"%s\"\n", asciiname));*/
    cert = PK11_FindCertFromNickname ((gchar *) nickname, NULL);
    if (!cert) {
        cert = CERT_FindCertByNickname (CERT_GetDefaultCertDB (), (gchar *) nickname);
    }

    if (cert) {
        /*    PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("got it\n"));*/
        ECert *ecert = e_cert_new (cert);
        return ecert;
    }
    else {
        set_nss_error (error);
        return NULL;
    }
}

#ifdef notyet
ECert *
e_cert_db_find_cert_by_key (ECertDB *certdb,
                            const gchar *db_key,
                            GError **error)
{
    /*  nsNSSShutDownPreventionLock locker;*/
    SECItem keyItem = {siBuffer, NULL, 0};
    SECItem *dummy;
    CERTIssuerAndSN issuerSN;
    gulong moduleID,slotID;
    CERTCertificate *cert;

    if (!db_key) {
        set_nss_error (error);
        return NULL;
    }

    dummy = NSSBase64_DecodeBuffer (
        NULL, &keyItem, db_key,
        (PRUint32) PL_strlen (db_key));

    /* someday maybe we can speed up the search using the moduleID and slotID*/
    moduleID = NS_NSS_GET_LONG (keyItem.data);
    slotID = NS_NSS_GET_LONG (&keyItem.data[NS_NSS_LONG]);

    /* build the issuer/SN structure*/
    issuerSN.serialNumber.len = NS_NSS_GET_LONG (&keyItem.data[NS_NSS_LONG *2]);
    issuerSN.derIssuer.len = NS_NSS_GET_LONG (&keyItem.data[NS_NSS_LONG *3]);
    issuerSN.serialNumber.data= &keyItem.data[NS_NSS_LONG *4];
    issuerSN.derIssuer.data= &keyItem.data[NS_NSS_LONG *4+
                           issuerSN.serialNumber.len];

    cert = CERT_FindCertByIssuerAndSN (CERT_GetDefaultCertDB (), &issuerSN);
    PR_FREEIF (keyItem.data);
    if (cert) {
        ECert *ecert = e_cert_new (cert);
        return e_cert;
    }

    set_nss_error (error);
    return NULL;
}

GList *
e_cert_db_get_cert_nicknames (ECertDB *certdb,
                              ECertType cert_type,
                              GError **error)
{
}

ECert *
e_cert_db_find_email_encryption_cert (ECertDB *certdb,
                                      const gchar *nickname,
                                      GError **error)
{
}

ECert *
e_cert_db_find_email_signing_cert (ECertDB *certdb,
                                   const gchar *nickname,
                                   GError **error)
{
}
#endif

ECert *
e_cert_db_find_cert_by_email_address (ECertDB *certdb,
                                      const gchar *email,
                                      GError **error)
{
    /*  nsNSSShutDownPreventionLock locker; */
    ECert *cert;
    CERTCertificate *any_cert;
    CERTCertList *certlist;

    any_cert = CERT_FindCertByNicknameOrEmailAddr (
        CERT_GetDefaultCertDB (), (gchar *) email);

    if (!any_cert) {
        set_nss_error (error);
        return NULL;
    }

    /* any_cert now contains a cert with the right subject,
     * but it might not have the correct usage. */
    certlist = CERT_CreateSubjectCertList (
        NULL,
        CERT_GetDefaultCertDB (),
        &any_cert->derSubject,
        PR_Now (), PR_TRUE);
    if (!certlist) {
        set_nss_error (error);
        CERT_DestroyCertificate (any_cert);
        return NULL;
    }

    if (SECSuccess != CERT_FilterCertListByUsage (
        certlist, certUsageEmailRecipient, PR_FALSE)) {
        set_nss_error (error);
        CERT_DestroyCertificate (any_cert);
        CERT_DestroyCertList (certlist);
        return NULL;
    }

    if (CERT_LIST_END (CERT_LIST_HEAD (certlist), certlist)) {
        set_nss_error (error);
        CERT_DestroyCertificate (any_cert);
        CERT_DestroyCertList (certlist);
        return NULL;
    }

    cert = e_cert_new (CERT_DupCertificate (CERT_LIST_HEAD (certlist)->cert));

    CERT_DestroyCertList (certlist);
    CERT_DestroyCertificate (any_cert);

    return cert;
}

static gboolean
confirm_download_ca_cert (ECertDB *cert_db,
                          ECert *cert,
                          gboolean *trust_ssl,
                          gboolean *trust_email,
                          gboolean *trust_objsign)
{
    gboolean rv = FALSE;

    *trust_ssl =
        *trust_email =
        *trust_objsign = FALSE;

    g_signal_emit (
        e_cert_db_peek (),
        e_cert_db_signals[CONFIRM_CA_CERT_IMPORT], 0,
        cert,
        trust_ssl,
        trust_email,
        trust_objsign,
        &rv);

    return rv;
}

static gboolean
handle_ca_cert_download (ECertDB *cert_db,
                         GList *certs,
                         GError **error)
{
    ECert *certToShow;
    SECItem der;
    gchar *raw_der = NULL;
    CERTCertificate *tmpCert;

    /* First thing we have to do is figure out which certificate
     * we're gonna present to the user.  The CA may have sent down
     * a list of certs which may or may not be a chained list of
     * certs.  Until the day we can design some solid UI for the
     * general case, we'll code to the > 90% case.  That case is
     * where a CA sends down a list that is a chain up to its root
     * in either ascending or descending order.  What we're gonna
     * do is compare the first 2 entries, if the first was signed
     * by the second, we assume the leaf cert is the first cert
     * and display it.  If the second cert was signed by the first
     * cert, then we assume the first cert is the root and the
     * last cert in the array is the leaf.  In this case we
     * display the last cert.
    */

    /*  nsNSSShutDownPreventionLock locker;*/

    if (certs == NULL) {
        g_warning ("Didn't get any certs to import.");
        return TRUE;
    }
    else if (certs->next == NULL) {
        /* there's 1 cert */
        certToShow = E_CERT (certs->data);
    }
    else {
        /* there are multiple certs */
        ECert *cert0;
        ECert *cert1;
        const gchar * cert0SubjectName;
        const gchar * cert0IssuerName;
        const gchar * cert1SubjectName;
        const gchar * cert1IssuerName;

        cert0 = E_CERT (certs->data);
        cert1 = E_CERT (certs->next->data);

        cert0IssuerName = e_cert_get_issuer_name (cert0);
        cert0SubjectName = e_cert_get_subject_name (cert0);

        cert1IssuerName = e_cert_get_issuer_name (cert1);
        cert1SubjectName = e_cert_get_subject_name (cert1);

        if (!strcmp (cert1IssuerName, cert0SubjectName)) {
            /* In this case, the first cert in the list signed the second,
             * so the first cert is the root.  Let's display the last cert
             * in the list. */
            certToShow = E_CERT (g_list_last (certs)->data);
        }
        else if (!strcmp (cert0IssuerName, cert1SubjectName)) {
            /* In this case the second cert has signed the first cert.  The
             * first cert is the leaf, so let's display it. */
            certToShow = cert0;
        } else {
            /* It's not a chain, so let's just show the first one in the
             * downloaded list. */
            certToShow = cert0;
        }
    }

    if (!certToShow) {
        set_nss_error (error);
        return FALSE;
    }

    if (!e_cert_get_raw_der (certToShow, &raw_der, &der.len)) {
        set_nss_error (error);
        return FALSE;
    }

    der.data = (guchar *) raw_der;

    {
        /*PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Creating temp cert\n"));*/
        CERTCertDBHandle *certdb = CERT_GetDefaultCertDB ();
        tmpCert = CERT_FindCertByDERCert (certdb, &der);
        if (!tmpCert) {
            tmpCert = CERT_NewTempCertificate (
                certdb, &der,
                NULL, PR_FALSE, PR_TRUE);
        }
        if (!tmpCert) {
            g_warning ("Couldn't create cert from DER blob");
            set_nss_error (error);
            return FALSE;
        }
    }

#if 0
    CERTCertificateCleaner tmpCertCleaner (tmpCert);
#endif

    if (tmpCert->isperm) {
        if (error && !*error)
            *error = g_error_new_literal (E_CERTDB_ERROR, 0, _("Certificate already exists"));
        return FALSE;
    }
    else {
        gboolean trust_ssl, trust_email, trust_objsign;
        gchar *nickname;
        SECStatus srv;
        CERTCertTrust trust;

        if (!confirm_download_ca_cert (
            cert_db, certToShow, &trust_ssl,
            &trust_email, &trust_objsign)) {
            set_nss_error (error);
            return FALSE;
        }

        /*PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("trust is %d\n", trustBits));*/

        nickname = CERT_MakeCANickname (tmpCert);

        /*PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Created nick \"%s\"\n", nickname.get()));*/

        e_cert_trust_init (&trust);
        e_cert_trust_set_valid_ca (&trust);
        e_cert_trust_add_ca_trust (
            &trust,
            trust_ssl,
            trust_email,
            trust_objsign);

        srv = CERT_AddTempCertToPerm (
            tmpCert,
            nickname,
            &trust);

        /* If we aren't logged into the token, then what *should*
         * happen is the above call should fail, and we should
         * authenticate and then try again. But see NSS bug #595861.
         * With NSS 3.12.6 at least, the above call will fail, but
         * it *will* have added the cert to the database, with
         * random trust bits. We have to authenticate and then set
         * the trust bits correctly. And calling
         * CERT_AddTempCertToPerm() again doesn't work either -- it'll
         * fail even though it arguably ought to succeed (which is
         * probably another NSS bug).
         * So if we get SEC_ERROR_TOKEN_NOT_LOGGED_IN, we first try
         * CERT_ChangeCertTrust(), and if that doesn't work we hope
         * we're on a fixed version of NSS and we try calling
         * CERT_AddTempCertToPerm() again instead. */
        if (srv != SECSuccess &&
            PORT_GetError () == SEC_ERROR_TOKEN_NOT_LOGGED_IN &&
            e_cert_db_login_to_slot (NULL, PK11_GetInternalKeySlot ())) {
            srv = CERT_ChangeCertTrust (
                CERT_GetDefaultCertDB (),
                tmpCert, &trust);
            if (srv != SECSuccess)
                srv = CERT_AddTempCertToPerm (
                    tmpCert,
                    nickname,
                    &trust);
        }
        if (srv != SECSuccess) {
            set_nss_error (error);
            return FALSE;
        }

#if 0
        /* Now it's time to add the rest of the certs we just downloaded.
         * Since we didn't prompt the user about any of these certs, we
         * won't set any trust bits for them. */
        e_cert_trust_init (&trust);
        e_cert_trust_set_valid_ca (&trust);
        e_cert_trusts_add_ca_trust (&trust, 0, 0, 0);
        for (PRUint32 i = 0; i < numCerts; i++) {
            if (i == selCertIndex)
                continue;

            certToShow = do_QueryElementAt (x509Certs, i);
            certToShow->GetRawDER (&der.len, (PRUint8 **) &der.data);

            CERTCertificate *tmpCert2 =
                CERT_NewTempCertificate (certdb, &der, nsnull, PR_FALSE, PR_TRUE);

            if (!tmpCert2) {
                NS_ASSERTION (0, "Couldn't create temp cert from DER blob\n");
                continue;  /* Let's try to import the rest of 'em */
            }
            nickname.Adopt (CERT_MakeCANickname (tmpCert2));
            CERT_AddTempCertToPerm (
                tmpCert2, NS_CONST_CAST (gchar *,nickname.get ()),
                defaultTrust.GetTrust ());
            CERT_DestroyCertificate (tmpCert2);
        }
#endif
        return TRUE;
    }
}
gboolean e_cert_db_change_cert_trust (CERTCertificate *cert, CERTCertTrust *trust)
{
    SECStatus srv;

    srv = CERT_ChangeCertTrust (
        CERT_GetDefaultCertDB (),
        cert, trust);
    if (srv != SECSuccess &&
        PORT_GetError () == SEC_ERROR_TOKEN_NOT_LOGGED_IN &&
        e_cert_db_login_to_slot (NULL, PK11_GetInternalKeySlot ()))
        srv = CERT_ChangeCertTrust (
            CERT_GetDefaultCertDB (),
            cert, trust);

    if (srv != SECSuccess) {
        glong err = PORT_GetError ();
        g_warning (
            "CERT_ChangeCertTrust() failed: %s\n",
            nss_error_to_string (err));
        return FALSE;
    }
    return TRUE;
}

/* deleting certificates */
gboolean
e_cert_db_delete_cert (ECertDB *certdb,
                       ECert *ecert)
{
    /*  nsNSSShutDownPreventionLock locker;
     *  nsNSSCertificate *nssCert = NS_STATIC_CAST (nsNSSCertificate *, aCert); */

    CERTCertificate *cert;

    if (!e_cert_mark_for_deletion (ecert)) {
        return FALSE;
    }

    cert = e_cert_get_internal_cert (ecert);
    if (cert->slot && e_cert_get_cert_type (ecert) != E_CERT_USER) {
        /* To delete a cert of a slot (builtin, most likely), mark it as
         * completely untrusted.  This way we keep a copy cached in the
         * local database, and next time we try to load it off of the
         * external token/slot, we'll know not to trust it.  We don't
         * want to do that with user certs, because a user may  re-store
         * the cert onto the card again at which point we *will* want to
         * trust that cert if it chains up properly. */
        CERTCertTrust trust;

        e_cert_trust_init_with_values (&trust, 0, 0, 0);
        return e_cert_db_change_cert_trust (cert, &trust);
    }

    return TRUE;
}

/* importing certificates */
gboolean
e_cert_db_import_certs (ECertDB *certdb,
                        gchar *data,
                        guint32 length,
                        ECertType cert_type,
                        GSList **imported_certs,
                        GError **error)
{
    /*nsNSSShutDownPreventionLock locker;*/
    PRArenaPool *arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
    GList *certs = NULL;
    CERTDERCerts *certCollection = e_cert_db_get_certs_from_package (arena, data, length);
    gint i;
    gboolean rv;

    if (!certCollection) {
        set_nss_error (error);
        PORT_FreeArena (arena, PR_FALSE);
        return FALSE;
    }

    /* Now let's create some certs to work with */
    for (i = 0; i < certCollection->numcerts; i++) {
        SECItem *currItem = &certCollection->rawCerts[i];
        ECert *cert;

        cert = e_cert_new_from_der ((gchar *) currItem->data, currItem->len);
        if (!cert) {
            set_nss_error (error);
            g_list_foreach (certs, (GFunc) g_object_unref, NULL);
            g_list_free (certs);
            PORT_FreeArena (arena, PR_FALSE);
            return FALSE;
        }
        certs = g_list_append (certs, cert);
    }
    switch (cert_type) {
    case E_CERT_CA:
        rv = handle_ca_cert_download (certdb, certs, error);
        if (rv && imported_certs) {
            GList *l;

            /* copy certificates to the caller */
            *imported_certs = NULL;
            for (l = certs; l; l = l->next) {
                ECert *cert = l->data;

                if (cert)
                    *imported_certs = g_slist_prepend (*imported_certs, g_object_ref (cert));
            }

            *imported_certs = g_slist_reverse (*imported_certs);
        }
        break;
    default:
        /* We only deal with import CA certs in this method currently.*/
        set_nss_error (error);
        PORT_FreeArena (arena, PR_FALSE);
        rv = FALSE;
    }

    g_list_foreach (certs, (GFunc) g_object_unref, NULL);
    g_list_free (certs);
    PORT_FreeArena (arena, PR_FALSE);
    return rv;
}

gboolean
e_cert_db_import_email_cert (ECertDB *certdb,
                             gchar *data,
                             guint32 length,
                             GSList **imported_certs,
                             GError **error)
{
    /*nsNSSShutDownPreventionLock locker;*/
    SECStatus srv = SECFailure;
    gboolean rv = TRUE;
    CERTCertificate * cert;
    SECItem **rawCerts;
    gint numcerts;
    gint i;
    PRArenaPool *arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
    CERTDERCerts *certCollection = e_cert_db_get_certs_from_package (arena, data, length);

    if (!certCollection) {
        set_nss_error (error);
        PORT_FreeArena (arena, PR_FALSE);
        return FALSE;
    }

    cert = CERT_NewTempCertificate (
        CERT_GetDefaultCertDB (), certCollection->rawCerts,
        (gchar *) NULL, PR_FALSE, PR_TRUE);
    if (!cert) {
        set_nss_error (error);
        rv = FALSE;
        goto loser;
    }
    numcerts = certCollection->numcerts;
    rawCerts = (SECItem **) PORT_Alloc (sizeof (SECItem *) * numcerts);
    if (!rawCerts) {
        set_nss_error (error);
        rv = FALSE;
        goto loser;
    }

    for (i = 0; i < numcerts; i++) {
        rawCerts[i] = &certCollection->rawCerts[i];
    }

    srv = CERT_ImportCerts (
        CERT_GetDefaultCertDB (), certUsageEmailSigner,
        numcerts, rawCerts, NULL, PR_TRUE, PR_FALSE,
        NULL);
    if (srv != SECSuccess) {
        set_nss_error (error);
        rv = FALSE;
        goto loser;
    }
    CERT_SaveSMimeProfile (cert, NULL, NULL);

    if (imported_certs) {
        *imported_certs = NULL;
        for (i = 0; i < certCollection->numcerts; i++) {
            SECItem *currItem = &certCollection->rawCerts[i];
            ECert *cert;

            cert = e_cert_new_from_der ((gchar *) currItem->data, currItem->len);
            if (cert)
                *imported_certs = g_slist_prepend (*imported_certs, cert);
        }

        *imported_certs = g_slist_reverse (*imported_certs);
    }

    PORT_Free (rawCerts);
 loser:
    if (cert)
        CERT_DestroyCertificate (cert);
    if (arena)
        PORT_FreeArena (arena, PR_TRUE);
    return rv;
}

static gchar *
default_nickname (CERTCertificate *cert)
{
    /*  nsNSSShutDownPreventionLock locker; */
    gchar *username = NULL;
    gchar *caname = NULL;
    gchar *nickname = NULL;
    gchar *tmp = NULL;
    gint count;
    const gchar *nickFmt = NULL;
    CERTCertificate *dummycert;
    PK11SlotInfo *slot = NULL;
    CK_OBJECT_HANDLE keyHandle;

    CERTCertDBHandle *defaultcertdb = CERT_GetDefaultCertDB ();

    username = CERT_GetCommonName (&cert->subject);
    if (username == NULL)
        username = PL_strdup ("");

    if (username == NULL)
        goto loser;

    caname = CERT_GetOrgName (&cert->issuer);
    if (caname == NULL)
        caname = PL_strdup ("");

    if (caname == NULL)
        goto loser;

    count = 1;

    nickFmt = "%1$s's %2$s ID";

    nickname = PR_smprintf (nickFmt, username, caname);
    /*
     * We need to see if the private key exists on a token, if it does
     * then we need to check for nicknames that already exist on the smart
     * card.
     */
    slot = PK11_KeyForCertExists (cert, &keyHandle, NULL);
    if (slot == NULL) {
        goto loser;
    }
    if (!PK11_IsInternal (slot)) {
        tmp = PR_smprintf ("%s:%s", PK11_GetTokenName (slot), nickname);
        PR_Free (nickname);
        nickname = tmp;
        tmp = NULL;
    }
    tmp = nickname;
    while (1) {
        if (count > 1) {
            nickname = PR_smprintf ("%s #%d", tmp, count);
        }

        if (nickname == NULL)
            goto loser;

        if (PK11_IsInternal (slot)) {
            /* look up the nickname to make sure it isn't in use already */
            dummycert = CERT_FindCertByNickname (defaultcertdb, nickname);

        } else {
            /*
             * Check the cert against others that already live on the smart
             * card.
             */
            dummycert = PK11_FindCertFromNickname (nickname, NULL);
            if (dummycert != NULL) {
                /*
                 * Make sure the subject names are different.
                 */
                if (CERT_CompareName (&cert->subject, &dummycert->subject) == SECEqual) {
                    /*
                     * There is another certificate with the same nickname and
                     * the same subject name on the smart card, so let's use this
                     * nickname.
                     */
                    CERT_DestroyCertificate (dummycert);
                    dummycert = NULL;
                }
            }
        }
        if (dummycert == NULL)
            goto done;

        /* found a cert, destroy it and loop */
        CERT_DestroyCertificate (dummycert);
        if (tmp != nickname) PR_Free (nickname);
        count++;
    } /* end of while (1) */

 loser:
    if (nickname) {
        PR_Free (nickname);
    }
    nickname = NULL;
 done:
    if (caname) {
        PR_Free (caname);
    }
    if (username)  {
        PR_Free (username);
    }
    if (slot != NULL) {
        PK11_FreeSlot (slot);
        if (nickname != NULL) {
            tmp = nickname;
            nickname = strchr (tmp, ':');
            if (nickname != NULL) {
                nickname++;
                nickname = PL_strdup (nickname);
                PR_Free (tmp);
                tmp = NULL;
            } else {
                nickname = tmp;
                tmp = NULL;
            }
        }
    }
    PR_FREEIF (tmp);
    return (nickname);
}

gboolean
e_cert_db_import_user_cert (ECertDB *certdb,
                            gchar *data,
                            guint32 length,
                            GError **error)
{
    /*  nsNSSShutDownPreventionLock locker;*/
    PK11SlotInfo *slot;
    gchar * nickname = NULL;
    gboolean rv = FALSE;
    gint numCACerts;
    SECItem *CACerts;
    CERTDERCerts * collectArgs;
    PRArenaPool *arena;
    CERTCertificate * cert = NULL;

    arena = PORT_NewArena (DER_DEFAULT_CHUNKSIZE);
    if (arena == NULL) {
        set_nss_error (error);
        goto loser;
    }

    collectArgs = e_cert_db_get_certs_from_package (arena, data, length);
    if (!collectArgs) {
        set_nss_error (error);
        goto loser;
    }

    cert = CERT_NewTempCertificate (
        CERT_GetDefaultCertDB (), collectArgs->rawCerts,
        (gchar *) NULL, PR_FALSE, PR_TRUE);
    if (!cert) {
        set_nss_error (error);
        goto loser;
    }

    slot = PK11_KeyForCertExists (cert, NULL, NULL);
    if (slot == NULL) {
        set_nss_error (error);
        goto loser;
    }
    PK11_FreeSlot (slot);

    /* pick a nickname for the cert */
    if (cert->nickname) {
        /* sigh, we need a call to look up other certs with this subject and
         * identify nicknames from them. We can no longer walk down internal
         * database structures  rjr */
        nickname = cert->nickname;
    }
    else {
        nickname = default_nickname (cert);
    }

    /* user wants to import the cert */
    slot = PK11_ImportCertForKey (cert, nickname, NULL);
    if (!slot) {
        set_nss_error (error);
        goto loser;
    }
    PK11_FreeSlot (slot);
    numCACerts = collectArgs->numcerts - 1;

    if (numCACerts) {
        CACerts = collectArgs->rawCerts + 1;
        if (!CERT_ImportCAChain (CACerts, numCACerts, certUsageUserCertImport)) {
            rv = TRUE;
        }
    }

 loser:
    if (arena) {
        PORT_FreeArena (arena, PR_FALSE);
    }
    if (cert) {
        CERT_DestroyCertificate (cert);
    }
    return rv;
}

gboolean
e_cert_db_import_server_cert (ECertDB *certdb,
                              gchar *data,
                              guint32 length,
                              GSList **imported_certs,
                              GError **error)
{
    /* not c&p'ing this over at the moment, as we don't have a UI
     * for server certs anyway */
    return FALSE;
}

gboolean
e_cert_db_import_certs_from_file (ECertDB *cert_db,
                                  const gchar *file_path,
                                  ECertType cert_type,
                                  GSList **imported_certs,
                                  GError **error)
{
    gboolean rv;
    gint fd;
    struct stat sb;
    gchar *buf;
    gint bytes_read;

    switch (cert_type) {
    case E_CERT_CA:
    case E_CERT_CONTACT:
    case E_CERT_SITE:
        /* good */
        break;

    default:
        /* not supported (yet) */
        set_nss_error (error);
        return FALSE;
    }

    fd = g_open (file_path, O_RDONLY | O_BINARY, 0);
    if (fd == -1) {
        set_nss_error (error);
        return FALSE;
    }

    if (-1 == fstat (fd, &sb)) {
        set_nss_error (error);
        close (fd);
        return FALSE;
    }

    buf = g_malloc (sb.st_size);
    if (!buf) {
        set_nss_error (error);
        close (fd);
        return FALSE;
    }

    bytes_read = read (fd, buf, sb.st_size);

    close (fd);

    if (bytes_read != sb.st_size) {
        set_nss_error (error);
        rv = FALSE;
    }
    else {
        printf ("importing %d bytes from '%s'\n", bytes_read, file_path);

        switch (cert_type) {
        case E_CERT_CA:
            rv = e_cert_db_import_certs (cert_db, buf, bytes_read, cert_type, imported_certs, error);
            break;

        case E_CERT_SITE:
            rv = e_cert_db_import_server_cert (cert_db, buf, bytes_read, imported_certs, error);
            break;

        case E_CERT_CONTACT:
            rv = e_cert_db_import_email_cert (cert_db, buf, bytes_read, imported_certs, error);
            break;

        default:
            rv = FALSE;
            break;
        }
    }

    g_free (buf);
    return rv;
}

gboolean
e_cert_db_import_pkcs12_file (ECertDB *cert_db,
                              const gchar *file_path,
                              GError **error)
{
    EPKCS12 *pkcs12 = e_pkcs12_new ();
    GError *e = NULL;

    if (!e_pkcs12_import_from_file (pkcs12, file_path, &e)) {
        g_propagate_error (error, e);
        return FALSE;
    }

    return TRUE;
}

#ifdef notyet
gboolean
e_cert_db_export_pkcs12_file (ECertDB *cert_db,
                              const gchar *file_path,
                              GList *certs,
                              GError **error)
{
}
#endif

gboolean
e_cert_db_login_to_slot (ECertDB *cert_db,
                         PK11SlotInfo *slot)
{
    if (PK11_NeedLogin (slot)) {
        PK11_Logout (slot);

        if (PK11_NeedUserInit (slot)) {
            gchar *pwd;
            gboolean rv = FALSE;

            printf ("initializing slot password\n");

            g_signal_emit (
                e_cert_db_peek (),
                e_cert_db_signals[PK11_CHANGE_PASSWD], 0,
                NULL,
                &pwd,
                &rv);

            if (!rv)
                return FALSE;

            /* the user needs to specify the initial password */
            PK11_InitPin (slot, "", pwd);
        }

        PK11_SetPasswordFunc (pk11_password);
        if (PK11_Authenticate (slot, PR_TRUE, NULL) != SECSuccess) {
            printf (
                "PK11_Authenticate failed (err = %d/%d)\n",
                PORT_GetError (), PORT_GetError () + 0x2000);
            return FALSE;
        }
    }

    return TRUE;
}