/* -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*- */
/*
 *  Authors: Jeffrey Stedfast <fejj@ximian.com>
 *
 *  Copyright 2001 Ximian, Inc. (www.ximian.com)
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of version 2 of the GNU General Public
 * License as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public
 * License along with this program; if not, write to the
 * Free Software Foundation, Inc., 59 Temple Place - Suite 330,
 * Boston, MA 02111-1307, USA.
 *
 */

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

#ifdef HAVE_NSS
#include "camel-smime-context.h"

#include "camel-mime-filter-from.h"
#include "camel-mime-filter-crlf.h"
#include "camel-stream-filter.h"
#include "camel-stream-fs.h"
#include "camel-stream-mem.h"
#include "camel-mime-part.h"
#include "camel-multipart.h"

#include "nss.h"
#include <cms.h>
#include <cert.h>
#include <certdb.h>
#include <pkcs11.h>
#include <smime.h>

#include <gtk/gtk.h> /* for _() macro */

#define d(x)

struct _CamelSMimeContextPrivate {
	CERTCertDBHandle *certdb;
};


static CamelMimeMessage *smime_sign      (CamelCMSContext *ctx, CamelMimeMessage *message,
					  const char *userid, gboolean signing_time,
					  gboolean detached, CamelException *ex);

static CamelMimeMessage *smime_certsonly (CamelCMSContext *ctx, CamelMimeMessage *message,
					  const char *userid, GPtrArray *recipients,
					  CamelException *ex);

static CamelMimeMessage *smime_encrypt   (CamelCMSContext *ctx, CamelMimeMessage *message,
					  const char *userid, GPtrArray *recipients, 
					  CamelException *ex);

static CamelMimeMessage *smime_envelope  (CamelCMSContext *ctx, CamelMimeMessage *message,
					  const char *userid, GPtrArray *recipients, 
					  CamelException *ex);

static CamelMimeMessage *smime_decode    (CamelCMSContext *ctx, CamelMimeMessage *message,
					  CamelCMSValidityInfo **info, CamelException *ex);

static CamelCMSContextClass *parent_class;

static void
camel_smime_context_init (CamelSMimeContext *context)
{
	context->priv = g_new0 (struct _CamelSMimeContextPrivate, 1);
}

static void
camel_smime_context_finalise (CamelObject *o)
{
	CamelSMimeContext *context = (CamelSMimeContext *)o;
	
	g_free (context->encryption_key);
	g_free (context->priv);
}

static void
camel_smime_context_class_init (CamelSMimeContextClass *camel_smime_context_class)
{
	CamelCMSContextClass *camel_cms_context_class =
		CAMEL_CMS_CONTEXT_CLASS (camel_smime_context_class);
	
	parent_class = CAMEL_CMS_CONTEXT_CLASS (camel_type_get_global_classfuncs (camel_cms_context_get_type ()));
	
	camel_cms_context_class->sign = smime_sign;
	camel_cms_context_class->certsonly = smime_certsonly;
	camel_cms_context_class->encrypt = smime_encrypt;
	camel_cms_context_class->envelope = smime_envelope;
	camel_cms_context_class->decode = smime_decode;
}

CamelType
camel_smime_context_get_type (void)
{
	static CamelType type = CAMEL_INVALID_TYPE;
	
	if (type == CAMEL_INVALID_TYPE) {
		type = camel_type_register (camel_cms_context_get_type (),
					    "CamelSMimeContext",
					    sizeof (CamelSMimeContext),
					    sizeof (CamelSMimeContextClass),
					    (CamelObjectClassInitFunc) camel_smime_context_class_init,
					    NULL,
					    (CamelObjectInitFunc) camel_smime_context_init,
					    (CamelObjectFinalizeFunc) camel_smime_context_finalise);
	}
	
	return type;
}


/**
 * camel_smime_context_new:
 * @session: CamelSession
 * @encryption_key: preferred encryption key (used when attaching cert chains to messages)
 *
 * This creates a new CamelSMimeContext object which is used to sign,
 * verify, encrypt and decrypt streams.
 *
 * Return value: the new CamelSMimeContext
 **/
CamelSMimeContext *
camel_smime_context_new (CamelSession *session, const char *encryption_key)
{
	CamelSMimeContext *context;
	CERTCertDBHandle *certdb;
	
	g_return_val_if_fail (session != NULL, NULL);
	g_return_val_if_fail (CAMEL_IS_SESSION (session), NULL);
	
	certdb = CERT_GetDefaultCertDB ();
	if (!certdb)
		return NULL;
	
	context = CAMEL_SMIME_CONTEXT (camel_object_new (CAMEL_SMIME_CONTEXT_TYPE));
	
	camel_cms_context_construct (CAMEL_CMS_CONTEXT (context), session);
	
	context->encryption_key = g_strdup (encryption_key);
	context->priv->certdb = certdb;
	
	return context;
}


struct _GetPasswdData {
	CamelSession *session;
	const char *userid;
	CamelException *ex;
};

static char *
smime_get_password (PK11SlotInfo *info, PRBool retry, void *arg)
{
	CamelSession *session = ((struct _GetPasswdData *)arg)->session;
	const char *userid = ((struct _GetPasswdData *)arg)->userid;
	CamelException *ex = ((struct _GetPasswdData *)arg)->ex;
	char *prompt, *passwd, *ret;
	
	prompt = g_strdup_printf (_("Please enter your password for %s"), userid);
	passwd = camel_session_get_password (session, prompt, TRUE,
					     NULL, userid, ex);
	g_free (prompt);
	
	ret = PL_strdup (passwd);
	g_free (passwd);
	
	return ret;
}

static PK11SymKey *
decode_key_cb (void *arg, SECAlgorithmID *algid)
{
	return (PK11SymKey *)arg;
}


static NSSCMSMessage *
signed_data (CamelSMimeContext *ctx, const char *userid, gboolean signing_time,
	     gboolean detached, CamelException *ex)
{
	NSSCMSMessage *cmsg = NULL;
	NSSCMSContentInfo *cinfo;
	NSSCMSSignedData *sigd;
	NSSCMSSignerInfo *signerinfo;
	CERTCertificate *cert, *ekpcert;
	
	if (!userid) {
		camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM,
				     _("Please indicate the nickname of a certificate to sign with."));
		return NULL;
	}
	
	if ((cert = CERT_FindCertByNickname (ctx->priv->certdb, (char *) userid)) == NULL) {
		camel_exception_setv (ex, CAMEL_EXCEPTION_SYSTEM,
				      _("The signature certificate for \"%s\" does not exist."),
				      userid);
		return NULL;
	}
	
	/* create the cms message object */
	cmsg = NSS_CMSMessage_Create (NULL);
	
	/* build chain of objects: message->signedData->data */
	sigd = NSS_CMSSignedData_Create (cmsg);
	
	cinfo = NSS_CMSMessage_GetContentInfo (cmsg);
	NSS_CMSContentInfo_SetContent_SignedData (cmsg, cinfo, sigd); 
	
	cinfo = NSS_CMSSignedData_GetContentInfo (sigd);
	
	/* speciffy whether we want detached signatures or not */
	NSS_CMSContentInfo_SetContent_Data (cmsg, cinfo, NULL, detached);
	
	/* create & attach signer information */
	signerinfo = NSS_CMSSignerInfo_Create (cmsg, cert, SEC_OID_SHA1);
	
	/* include the cert chain */
	NSS_CMSSignerInfo_IncludeCerts (signerinfo, NSSCMSCM_CertChain, 
					certUsageEmailSigner);
	
	if (signing_time) {
		NSS_CMSSignerInfo_AddSigningTime (signerinfo, PR_Now ());
	}
	
	if (TRUE) {
		/* Add S/MIME Capabilities */
		NSS_CMSSignerInfo_AddSMIMECaps (signerinfo);
	}
	
	if (ctx->encryption_key) {
		/* get the cert, add it to the message */
		ekpcert = CERT_FindCertByNickname (ctx->priv->certdb, ctx->encryption_key);
		if (!ekpcert) {
			camel_exception_setv (ex, CAMEL_EXCEPTION_SYSTEM,
					      _("The encryption certificate for \"%s\" does not exist."),
					      ctx->encryption_key);
			goto exception;
		}
		
		NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs (signerinfo, ekpcert, ctx->priv->certdb);
		
		NSS_CMSSignedData_AddCertificate (sigd, ekpcert);
	} else {
		/* check signing cert for fitness as encryption cert */
		/* if yes, add signing cert as EncryptionKeyPreference */
		NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs (signerinfo, cert, ctx->priv->certdb);
	}
	
	NSS_CMSSignedData_AddSignerInfo (sigd, signerinfo);
	
	return cmsg;
	
 exception:
	
	NSS_CMSMessage_Destroy (cmsg);
	
	return NULL;
}

static void
smime_sign_restore (CamelMimePart *mime_part, GSList **encodings)
{
	CamelDataWrapper *wrapper;
	
	wrapper = camel_medium_get_content_object (CAMEL_MEDIUM (mime_part));
	if (!wrapper)
		return;
	
	if (CAMEL_IS_MULTIPART (wrapper)) {
		int parts, i;
		
		parts = camel_multipart_get_number (CAMEL_MULTIPART (wrapper));
		for (i = 0; i < parts; i++) {
			CamelMimePart *part = camel_multipart_get_part (CAMEL_MULTIPART (wrapper), i);
			
			smime_sign_restore (part, encodings);
			*encodings = (*encodings)->next;
		}
	} else {
		CamelMimePartEncodingType encoding;
		
		if (CAMEL_IS_MIME_MESSAGE (wrapper)) {
			/* restore the message parts' subparts */
			smime_sign_restore (CAMEL_MIME_PART (wrapper), encodings);
		} else {
			encoding = GPOINTER_TO_INT ((*encodings)->data);
			
			camel_mime_part_set_encoding (mime_part, encoding);
		}
	}
}

static void
smime_sign_prepare (CamelMimePart *mime_part, GSList **encodings)
{
	CamelDataWrapper *wrapper;
	int parts, i;
	
	wrapper = camel_medium_get_content_object (CAMEL_MEDIUM (mime_part));
	if (!wrapper)
		return;
	
	if (CAMEL_IS_MULTIPART (wrapper)) {
		parts = camel_multipart_get_number (CAMEL_MULTIPART (wrapper));
		for (i = 0; i < parts; i++) {
			CamelMimePart *part = camel_multipart_get_part (CAMEL_MULTIPART (wrapper), i);
			
			smime_sign_prepare (part, encodings);
		}
	} else {
		CamelMimePartEncodingType encoding;
		
		if (CAMEL_IS_MIME_MESSAGE (wrapper)) {
			/* prepare the message parts' subparts */
			smime_sign_prepare (CAMEL_MIME_PART (wrapper), encodings);
		} else {
			encoding = camel_mime_part_get_encoding (mime_part);
			
			/* FIXME: find the best encoding for this part and use that instead?? */
			/* the encoding should really be QP or Base64 */
			if (encoding != CAMEL_MIME_PART_ENCODING_BASE64)
				camel_mime_part_set_encoding (mime_part, CAMEL_MIME_PART_ENCODING_QUOTEDPRINTABLE);
			
			*encodings = g_slist_append (*encodings, GINT_TO_POINTER (encoding));
		}
	}
}


static CamelMimeMessage *
smime_sign (CamelCMSContext *ctx, CamelMimeMessage *message,
	    const char *userid, gboolean signing_time,
	    gboolean detached, CamelException *ex)
{
	CamelMimeMessage *mesg = NULL;
	NSSCMSMessage *cmsg = NULL;
	struct _GetPasswdData *data;
	PLArenaPool *arena;
	NSSCMSEncoderContext *ecx;
	SECItem output = { 0, 0, 0 };
	CamelStream *stream;
	GSList *list, *encodings = NULL;
	GByteArray *buf;
	
	cmsg = signed_data (CAMEL_SMIME_CONTEXT (ctx), userid, signing_time, detached, ex);
	if (!cmsg)
		return NULL;
	
	arena = PORT_NewArena (1024);
	data = g_new (struct _GetPasswdData, 1);
	data->session = ctx->session;
	data->userid = userid;
	data->ex = ex;
	ecx = NSS_CMSEncoder_Start (cmsg, NULL, NULL, &output, arena,
				    smime_get_password, data, NULL, NULL,
				    NULL, NULL);
	
	stream = camel_stream_mem_new ();
	
	smime_sign_prepare (CAMEL_MIME_PART (message), &encodings);
	camel_data_wrapper_write_to_stream (CAMEL_DATA_WRAPPER (message), stream);
	list = encodings;
	smime_sign_restore (CAMEL_MIME_PART (message), &list);
	g_slist_free (encodings);
	
	buf = CAMEL_STREAM_MEM (stream)->buffer;
	
	NSS_CMSEncoder_Update (ecx, buf->data, buf->len);
	NSS_CMSEncoder_Finish (ecx);
	
	camel_object_unref (CAMEL_OBJECT (stream));
	g_free (data);
	
	/* write the result to a camel stream */
	stream = camel_stream_mem_new ();
	camel_stream_write (stream, output.data, output.len);
	PORT_FreeArena (arena, PR_FALSE);
	
	NSS_CMSMessage_Destroy (cmsg);
	
	/* parse the stream into a new CamelMimeMessage */
	mesg = camel_mime_message_new ();
	camel_stream_reset (stream);
	camel_data_wrapper_construct_from_stream (CAMEL_DATA_WRAPPER (mesg), stream);
	camel_object_unref (CAMEL_OBJECT (stream));
	
	return mesg;
}


static NSSCMSMessage *
certsonly_data (CamelSMimeContext *ctx, const char *userid, GPtrArray *recipients, CamelException *ex)
{
	NSSCMSMessage *cmsg = NULL;
	NSSCMSContentInfo *cinfo;
	NSSCMSSignedData *sigd;
	CERTCertificate **rcerts;
	int i = 0;
	
	/* find the signer's and the recipients' certs */
	rcerts = g_new (CERTCertificate *, recipients->len + 2);
	rcerts[0] = CERT_FindCertByNicknameOrEmailAddr (ctx->priv->certdb, (char *) userid);
	if (!rcerts[0]) {
		camel_exception_setv (ex, CAMEL_EXCEPTION_SYSTEM,
				      _("Failed to find certificate for \"%s\"."),
				      recipients->pdata[i]);
		goto exception;
	}
	
	for (i = 0; i < recipients->len; i++) {
		rcerts[i + 1] = CERT_FindCertByNicknameOrEmailAddr (ctx->priv->certdb,
								    recipients->pdata[i]);
		
		if (!rcerts[i + 1]) {
			camel_exception_setv (ex, CAMEL_EXCEPTION_SYSTEM,
					      _("Failed to find certificate for \"%s\"."),
					      recipients->pdata[i]);
			goto exception;
		}
	}
	rcerts[i + 1] = NULL;
	
	/* create the cms message object */
	cmsg = NSS_CMSMessage_Create (NULL);
	
	sigd = NSS_CMSSignedData_CreateCertsOnly (cmsg, rcerts[0], PR_TRUE);
	
	/* add the recipient cert chain */
	for (i = 0; i < recipients->len; i++) {
		NSS_CMSSignedData_AddCertChain (sigd, rcerts[i]);
	}
	
	cinfo = NSS_CMSMessage_GetContentInfo (cmsg);
	NSS_CMSContentInfo_SetContent_SignedData (cmsg, cinfo, sigd);
	
	cinfo = NSS_CMSSignedData_GetContentInfo (sigd);
	NSS_CMSContentInfo_SetContent_Data (cmsg, cinfo, NULL, PR_FALSE);
	
	g_free (rcerts);
	
	return cmsg;
	
 exception:
	
	NSS_CMSMessage_Destroy (cmsg);
	
	g_free (rcerts);
	
	return NULL;
}

static CamelMimeMessage *
smime_certsonly (CamelCMSContext *ctx, CamelMimeMessage *message,
		 const char *userid, GPtrArray *recipients,
		 CamelException *ex)
{
	CamelMimeMessage *mesg = NULL;
	struct _GetPasswdData *data;
	NSSCMSMessage *cmsg = NULL;
	PLArenaPool *arena;
	NSSCMSEncoderContext *ecx;
	SECItem output = { 0, 0, 0 };
	CamelStream *stream;
	GByteArray *buf;
	
	cmsg = certsonly_data (CAMEL_SMIME_CONTEXT (ctx), userid, recipients, ex);
	if (!cmsg)
		return NULL;
	
	arena = PORT_NewArena (1024);
	data = g_new (struct _GetPasswdData, 1);
	data->session = ctx->session;
	data->userid = userid;
	data->ex = ex;
	ecx = NSS_CMSEncoder_Start (cmsg, NULL, NULL, &output, arena,
				    smime_get_password, data, NULL, NULL,
				    NULL, NULL);
	
	stream = camel_stream_mem_new ();
	camel_data_wrapper_write_to_stream (CAMEL_DATA_WRAPPER (message), stream);
	buf = CAMEL_STREAM_MEM (stream)->buffer;
	
	NSS_CMSEncoder_Update (ecx, buf->data, buf->len);
	NSS_CMSEncoder_Finish (ecx);
	
	camel_object_unref (CAMEL_OBJECT (stream));
	g_free (data);
	
	/* write the result to a camel stream */
	stream = camel_stream_mem_new ();
	camel_stream_write (stream, output.data, output.len);
	PORT_FreeArena (arena, PR_FALSE);
	
	NSS_CMSMessage_Destroy (cmsg);
	
	/* parse the stream into a new CamelMimeMessage */
	mesg = camel_mime_message_new ();
	camel_stream_reset (stream);
	camel_data_wrapper_construct_from_stream (CAMEL_DATA_WRAPPER (mesg), stream);
	camel_object_unref (CAMEL_OBJECT (stream));
	
	return mesg;
}


static NSSCMSMessage *
enveloped_data (CamelSMimeContext *ctx, const char *userid, GPtrArray *recipients, CamelException *ex)
{
	NSSCMSMessage *cmsg = NULL;
	NSSCMSContentInfo *cinfo;
	NSSCMSEnvelopedData *envd;
	NSSCMSRecipientInfo *rinfo;
	CERTCertificate **rcerts;
	SECOidTag bulkalgtag;
	int keysize, i;
	
	/* find the recipient certs by email address or nickname */
	rcerts = g_new (CERTCertificate *, recipients->len + 2);
	rcerts[0] = CERT_FindCertByNicknameOrEmailAddr (ctx->priv->certdb, (char *) userid);
	if (!rcerts[0]) {
		camel_exception_setv (ex, CAMEL_EXCEPTION_SYSTEM,
				      _("Failed to find certificate for \"%s\"."),
				      userid);
		goto exception;
	}
	
	for (i = 0; i < recipients->len; i++) {
		rcerts[i + 1] = CERT_FindCertByNicknameOrEmailAddr (ctx->priv->certdb,  
								    recipients->pdata[i]);
		if (!rcerts[i + 1]) {
			camel_exception_setv (ex, CAMEL_EXCEPTION_SYSTEM,
					      _("Failed to find certificate for \"%s\"."),
					      recipients->pdata[i]);
			goto exception;
		}
	}
	rcerts[i + 1] = NULL;
	
	/* find a nice bulk algorithm */
	if (!NSS_SMIMEUtil_FindBulkAlgForRecipients (rcerts, &bulkalgtag, &keysize)) {
		camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM,
				     _("Failed to find a common bulk algorithm."));
		goto exception;
	}
	
	/* create a cms message object */
	cmsg = NSS_CMSMessage_Create (NULL);
	
	envd = NSS_CMSEnvelopedData_Create (cmsg, bulkalgtag, keysize);
	cinfo = NSS_CMSMessage_GetContentInfo (cmsg);
	NSS_CMSContentInfo_SetContent_EnvelopedData (cmsg, cinfo, envd);
	
	cinfo = NSS_CMSEnvelopedData_GetContentInfo (envd);
	NSS_CMSContentInfo_SetContent_Data (cmsg, cinfo, NULL, PR_FALSE);
	
	/* create & attach recipient information */
	for (i = 0; rcerts[i] != NULL; i++) {
		rinfo = NSS_CMSRecipientInfo_Create (cmsg, rcerts[i]);
		NSS_CMSEnvelopedData_AddRecipient (envd, rinfo);
	}
	
	g_free (rcerts);
	
	return cmsg;
	
 exception:
	
	NSS_CMSMessage_Destroy (cmsg);
	
	g_free (rcerts);
	
	return NULL;
}

static CamelMimeMessage *
smime_envelope (CamelCMSContext *ctx, CamelMimeMessage *message,
		const char *userid, GPtrArray *recipients, 
		CamelException *ex)
{
	CamelMimeMessage *mesg = NULL;
	struct _GetPasswdData *data;
	NSSCMSMessage *cmsg = NULL;
	PLArenaPool *arena;
	NSSCMSEncoderContext *ecx;
	SECItem output = { 0, 0, 0 };
	CamelStream *stream;
	GByteArray *buf;
	
	cmsg = enveloped_data (CAMEL_SMIME_CONTEXT (ctx), userid, recipients, ex);
	if (!cmsg)
		return NULL;
	
	arena = PORT_NewArena (1024);
	data = g_new (struct _GetPasswdData, 1);
	data->session = ctx->session;
	data->userid = userid;
	data->ex = ex;
	ecx = NSS_CMSEncoder_Start (cmsg, NULL, NULL, &output, arena,
				    smime_get_password, data, NULL, NULL,
				    NULL, NULL);
	
	stream = camel_stream_mem_new ();
	camel_data_wrapper_write_to_stream (CAMEL_DATA_WRAPPER (message), stream);
	buf = CAMEL_STREAM_MEM (stream)->buffer;
	
	NSS_CMSEncoder_Update (ecx, buf->data, buf->len);
	NSS_CMSEncoder_Finish (ecx);
	
	camel_object_unref (CAMEL_OBJECT (stream));
	g_free (data);
	
	/* write the result to a camel stream */
	stream = camel_stream_mem_new ();
	camel_stream_write (stream, output.data, output.len);
	PORT_FreeArena (arena, PR_FALSE);
	
	NSS_CMSMessage_Destroy (cmsg);
	
	/* parse the stream into a new CamelMimeMessage */
	mesg = camel_mime_message_new ();
	camel_stream_reset (stream);
	camel_data_wrapper_construct_from_stream (CAMEL_DATA_WRAPPER (mesg), stream);
	camel_object_unref (CAMEL_OBJECT (stream));
	
	return mesg;
}


struct _BulkKey {
	PK11SymKey *bulkkey;
	SECOidTag bulkalgtag;
	int keysize;
};

static NSSCMSMessage *
encrypted_data (CamelSMimeContext *ctx, GByteArray *input, struct _BulkKey *key,
		CamelStream *ostream, CamelException *ex)
{
	NSSCMSMessage *cmsg = NULL;
	NSSCMSContentInfo *cinfo;
	NSSCMSEncryptedData *encd;
	NSSCMSEncoderContext *ecx = NULL;
	PLArenaPool *arena = NULL;
	SECItem output = { 0, 0, 0 };
	
	/* arena for output */
	arena = PORT_NewArena (1024);
	
	/* create cms message object */
	cmsg = NSS_CMSMessage_Create (NULL);
	
	encd = NSS_CMSEncryptedData_Create (cmsg, key->bulkalgtag, key->keysize);
	
	cinfo = NSS_CMSMessage_GetContentInfo (cmsg);
	NSS_CMSContentInfo_SetContent_EncryptedData (cmsg, cinfo, encd);
	
	cinfo = NSS_CMSEncryptedData_GetContentInfo (encd);
	NSS_CMSContentInfo_SetContent_Data (cmsg, cinfo, NULL, PR_FALSE);
	
	ecx = NSS_CMSEncoder_Start (cmsg, NULL, NULL, &output, arena, NULL, NULL,
				    decode_key_cb, key->bulkkey, NULL, NULL);
	
	NSS_CMSEncoder_Update (ecx, input->data, input->len);
	
	NSS_CMSEncoder_Finish (ecx);
	
	camel_stream_write (ostream, output.data, output.len);
	
	if (arena)
		PORT_FreeArena (arena, PR_FALSE);
	
	return cmsg;
}

static struct _BulkKey *
get_bulkkey (CamelSMimeContext *ctx, const char *userid, GPtrArray *recipients, CamelException *ex)
{
	struct _BulkKey *bulkkey = NULL;
	NSSCMSMessage *env_cmsg;
	NSSCMSContentInfo *cinfo;
	SECItem dummyOut = { 0, 0, 0 };
	SECItem dummyIn  = { 0, 0, 0 };
	char str[] = "You are not a beautiful and unique snowflake.";
	PLArenaPool *arena;
	int i, nlevels;
	
	/* construct an enveloped data message to obtain bulk keys */
	arena = PORT_NewArena (1024);
	dummyIn.data = (unsigned char *)str;
	dummyIn.len = strlen (str);
	
	env_cmsg = enveloped_data (ctx, userid, recipients, ex);
	NSS_CMSDEREncode (env_cmsg, &dummyIn, &dummyOut, arena);
	/*camel_stream_write (envstream, dummyOut.data, dummyOut.len);*/
	PORT_FreeArena (arena, PR_FALSE);
	
	/* get the content info for the enveloped data */
	nlevels = NSS_CMSMessage_ContentLevelCount (env_cmsg);
	for (i = 0; i < nlevels; i++) {
		SECOidTag typetag;
		
		cinfo = NSS_CMSMessage_ContentLevel (env_cmsg, i);
		typetag = NSS_CMSContentInfo_GetContentTypeTag (cinfo);
		if (typetag == SEC_OID_PKCS7_DATA) {
			bulkkey = g_new (struct _BulkKey, 1);
			
			/* get the symmertic key */
			bulkkey->bulkalgtag = NSS_CMSContentInfo_GetContentEncAlgTag (cinfo);
			bulkkey->keysize = NSS_CMSContentInfo_GetBulkKeySize (cinfo);
			bulkkey->bulkkey = NSS_CMSContentInfo_GetBulkKey (cinfo);
			
			return bulkkey;
		}
	}
	
	return NULL;
}

static CamelMimeMessage *
smime_encrypt (CamelCMSContext *ctx, CamelMimeMessage *message,
	       const char *userid, GPtrArray *recipients, 
	       CamelException *ex)
{
	struct _BulkKey *bulkkey = NULL;
	CamelMimeMessage *mesg = NULL;
	NSSCMSMessage *cmsg = NULL;
	CamelStream *stream;
	GByteArray *buf;
	
	bulkkey = get_bulkkey (CAMEL_SMIME_CONTEXT (ctx), userid, recipients, ex);
	if (!bulkkey)
		return NULL;
	
	buf = g_byte_array_new ();
	stream = camel_stream_mem_new ();
	camel_stream_mem_set_byte_array (CAMEL_STREAM_MEM (stream), buf);
	camel_data_wrapper_write_to_stream (CAMEL_DATA_WRAPPER (message), stream);
	camel_object_unref (CAMEL_OBJECT (stream));
	
	stream = camel_stream_mem_new ();
	cmsg = encrypted_data (CAMEL_SMIME_CONTEXT (ctx), buf, bulkkey, stream, ex);
	g_byte_array_free (buf, TRUE);
	g_free (bulkkey);
	if (!cmsg) {
		camel_object_unref (CAMEL_OBJECT (stream));
		return NULL;
	}
	
	NSS_CMSMessage_Destroy (cmsg);
	
	/* parse the stream into a new CamelMimeMessage */
	mesg = camel_mime_message_new ();
	camel_stream_reset (stream);
	camel_data_wrapper_construct_from_stream (CAMEL_DATA_WRAPPER (mesg), stream);
	camel_object_unref (CAMEL_OBJECT (stream));
	
	return mesg;
}


static NSSCMSMessage *
decode_data (CamelSMimeContext *ctx, GByteArray *input, CamelStream *ostream,
	     CamelCMSValidityInfo **info, CamelException *ex)
{
	NSSCMSDecoderContext *dcx;
	struct _GetPasswdData *data;
	CamelCMSValidityInfo *vinfo = NULL;
	NSSCMSMessage *cmsg = NULL;
	NSSCMSContentInfo *cinfo;
	NSSCMSSignedData *sigd = NULL;
	NSSCMSEnvelopedData *envd;
	NSSCMSEncryptedData *encd;
	int nlevels, i, nsigners, j;
	char *signercn;
	NSSCMSSignerInfo *si;
	SECOidTag typetag;
	SECItem *item;
	
	data = g_new (struct _GetPasswdData, 1);
	data->session = CAMEL_CMS_CONTEXT (ctx)->session;
	data->userid = NULL;
	data->ex = ex;
	
	dcx = NSS_CMSDecoder_Start (NULL,
				    NULL, NULL,
				    smime_get_password, data,
				    decode_key_cb,
				    NULL);
	
	NSS_CMSDecoder_Update (dcx, input->data, input->len);
	
	cmsg = NSS_CMSDecoder_Finish (dcx);
	g_free (data);
	if (cmsg == NULL) {
		camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM,
				     _("Failed to decode message."));
		return NULL;
	}
	
	nlevels = NSS_CMSMessage_ContentLevelCount (cmsg);
	for (i = 0; i < nlevels; i++) {
		CamelCMSSigner *signers = NULL;
		
		cinfo = NSS_CMSMessage_ContentLevel (cmsg, i);
		typetag = NSS_CMSContentInfo_GetContentTypeTag (cinfo);
		
		if (info && !vinfo) {
			vinfo = g_new0 (CamelCMSValidityInfo, 1);
			*info = vinfo;
		} else if (vinfo) {
			vinfo->next = g_new0 (CamelCMSValidityInfo, 1);
			vinfo = vinfo->next;
		}
		
		switch (typetag) {
		case SEC_OID_PKCS7_SIGNED_DATA:
			if (vinfo)
				vinfo->type = CAMEL_CMS_TYPE_SIGNED;
			
			sigd = (NSSCMSSignedData *)NSS_CMSContentInfo_GetContent (cinfo);
			
			/* import the certificates */
			NSS_CMSSignedData_ImportCerts (sigd, ctx->priv->certdb,
						       certUsageEmailSigner, PR_FALSE);
			
			/* find out about signers */
			nsigners = NSS_CMSSignedData_SignerInfoCount (sigd);
			
			if (nsigners == 0) {
				/* must be a cert transport message */
				SECStatus retval;
				
				/* XXX workaround for bug #54014 */
				NSS_CMSSignedData_ImportCerts (sigd, ctx->priv->certdb, 
							       certUsageEmailSigner, PR_TRUE);
				
				retval = NSS_CMSSignedData_VerifyCertsOnly (sigd, ctx->priv->certdb, 
									    certUsageEmailSigner);
				if (retval != SECSuccess) {
					camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM,
							     _("Failed to verify certificates."));
					goto exception;
				}
				
				return cmsg;
			}
			
			for (j = 0; vinfo && j < nsigners; j++) {
				if (!signers) {
					signers = g_new0 (CamelCMSSigner, 1);
					vinfo->signers = signers;
				} else {
					signers->next = g_new0 (CamelCMSSigner, 1);
					signers = signers->next;
				}
				
				si = NSS_CMSSignedData_GetSignerInfo (sigd, j);
				signercn = NSS_CMSSignerInfo_GetSignerCommonName (si);
				if (signercn == NULL)
					signercn = "";
				
				NSS_CMSSignedData_VerifySignerInfo (sigd, j, ctx->priv->certdb, 
								    certUsageEmailSigner);
				
				if (signers) {
					signers->signercn = g_strdup (signercn);
					signers->status = g_strdup (
						NSS_CMSUtil_VerificationStatusToString (
							NSS_CMSSignerInfo_GetVerificationStatus (si)));
				}
			}
			break;
		case SEC_OID_PKCS7_ENVELOPED_DATA:
			if (vinfo)
				vinfo->type = CAMEL_CMS_TYPE_ENVELOPED;
			
			envd = (NSSCMSEnvelopedData *)NSS_CMSContentInfo_GetContent (cinfo);
			break;
		case SEC_OID_PKCS7_ENCRYPTED_DATA:
			if (vinfo)
				vinfo->type = CAMEL_CMS_TYPE_ENCRYPTED;
			
			encd = (NSSCMSEncryptedData *)NSS_CMSContentInfo_GetContent (cinfo);
			break;
		case SEC_OID_PKCS7_DATA:
			break;
		default:
			break;
		}
	}
	
	item = NSS_CMSMessage_GetContent (cmsg);
	camel_stream_write (ostream, item->data, item->len);
	
	return cmsg;
	
 exception:
	
	if (info)
		camel_cms_validity_info_free (*info);
	
	if (cmsg)
		NSS_CMSMessage_Destroy (cmsg);
	
	return NULL;
}


static CamelMimeMessage *
smime_decode (CamelCMSContext *ctx, CamelMimeMessage *message,
	      CamelCMSValidityInfo **info, CamelException *ex)
{
	CamelMimeMessage *mesg = NULL;
	NSSCMSMessage *cmsg = NULL;
	CamelStream *stream, *ostream;
	GByteArray *buf;
	
	stream = camel_stream_mem_new ();
	camel_data_wrapper_write_to_stream (CAMEL_DATA_WRAPPER (message), stream);
	buf = CAMEL_STREAM_MEM (stream)->buffer;
	
	ostream = camel_stream_mem_new ();
	cmsg = decode_data (CAMEL_SMIME_CONTEXT (ctx), buf, ostream, info, ex);
	camel_object_unref (CAMEL_OBJECT (stream));
	if (!cmsg) {
		camel_object_unref (CAMEL_OBJECT (ostream));
		return NULL;
	}
	
	/* construct a new mime message from the stream */
	mesg = camel_mime_message_new ();
	camel_stream_reset (ostream);
	camel_data_wrapper_construct_from_stream (CAMEL_DATA_WRAPPER (mesg), ostream);
	camel_object_unref (CAMEL_OBJECT (ostream));
	
	return mesg;
}

#endif /* HAVE_NSS */