nss-3.21nss-3.21

1 files changed, 670 insertions, 0 deletions

diff --git a/nss/cmd/dbck/dbrecover.c b/nss/cmd/dbck/dbrecover.c
new file mode 100644
index 0000000..372c73b
--- /dev/null
+++ b/nss/cmd/dbck/dbrecover.c
@@ -0,0 +1,670 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+enum {
+    dbInvalidCert = 0,
+    dbNoSMimeProfile,
+    dbOlderCert,
+    dbBadCertificate,
+    dbCertNotWrittenToDB
+};
+
+typedef struct dbRestoreInfoStr
+{
+    NSSLOWCERTCertDBHandle *handle;
+    PRBool verbose;
+    PRFileDesc *out;
+    int nCerts;
+    int nOldCerts;
+    int dbErrors[5];
+    PRBool removeType[3];
+    PRBool promptUser[3];
+} dbRestoreInfo;
+
+char *
+IsEmailCert(CERTCertificate *cert)
+{
+    char *email, *tmp1, *tmp2;
+    PRBool isCA;
+    int len;
+
+    if (!cert->subjectName) {
+	return NULL;
+    }
+
+    tmp1 = PORT_Strstr(cert->subjectName, "E=");
+    tmp2 = PORT_Strstr(cert->subjectName, "MAIL=");
+    /* XXX Nelson has cert for KTrilli which does not have either
+     * of above but is email cert (has cert->emailAddr). 
+     */
+    if (!tmp1 && !tmp2 && !(cert->emailAddr && cert->emailAddr[0])) {
+	return NULL;
+    }
+
+    /*  Server or CA cert, not personal email.  */
+    isCA = CERT_IsCACert(cert, NULL);
+    if (isCA)
+	return NULL;
+
+    /*  XXX CERT_IsCACert advertises checking the key usage ext.,
+	but doesn't appear to. */
+    /*  Check the key usage extension.  */
+    if (cert->keyUsagePresent) {
+	/*  Must at least be able to sign or encrypt (not neccesarily
+	 *  both if it is one of a dual cert).  
+	 */
+	if (!((cert->rawKeyUsage & KU_DIGITAL_SIGNATURE) || 
+              (cert->rawKeyUsage & KU_KEY_ENCIPHERMENT)))
+	    return NULL;
+
+	/*  CA cert, not personal email.  */
+	if (cert->rawKeyUsage & (KU_KEY_CERT_SIGN | KU_CRL_SIGN))
+	    return NULL;
+    }
+
+    if (cert->emailAddr && cert->emailAddr[0]) {
+	email = PORT_Strdup(cert->emailAddr);
+    } else {
+	if (tmp1)
+	    tmp1 += 2; /* "E="  */
+	else
+	    tmp1 = tmp2 + 5; /* "MAIL=" */
+	len = strcspn(tmp1, ", ");
+	email = (char*)PORT_Alloc(len+1);
+	PORT_Strncpy(email, tmp1, len);
+	email[len] = '\0';
+    }
+
+    return email;
+}
+
+SECStatus
+deleteit(CERTCertificate *cert, void *arg)
+{
+    return SEC_DeletePermCertificate(cert);
+}
+
+/*  Different than DeleteCertificate - has the added bonus of removing
+ *  all certs with the same DN.  
+ */
+SECStatus
+deleteAllEntriesForCert(NSSLOWCERTCertDBHandle *handle, CERTCertificate *cert,
+                        PRFileDesc *outfile)
+{
+#if 0
+    certDBEntrySubject *subjectEntry;
+    certDBEntryNickname *nicknameEntry;
+    certDBEntrySMime *smimeEntry;
+    int i;
+#endif
+
+    if (outfile) {
+	PR_fprintf(outfile, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n\n");
+	PR_fprintf(outfile, "Deleting redundant certificate:\n");
+	dumpCertificate(cert, -1, outfile);
+    }
+
+    CERT_TraverseCertsForSubject(handle, cert->subjectList, deleteit, NULL);
+#if 0
+    CERT_LockDB(handle);
+    subjectEntry = ReadDBSubjectEntry(handle, &cert->derSubject);
+    /*  It had better be there, or created a bad db.  */
+    PORT_Assert(subjectEntry);
+    for (i=0; i<subjectEntry->ncerts; i++) {
+	DeleteDBCertEntry(handle, &subjectEntry->certKeys[i]);
+    }
+    DeleteDBSubjectEntry(handle, &cert->derSubject);
+    if (subjectEntry->emailAddr && subjectEntry->emailAddr[0]) {
+	smimeEntry = ReadDBSMimeEntry(handle, subjectEntry->emailAddr);
+	if (smimeEntry) {
+	    if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
+	                              &smimeEntry->subjectName))
+		/*  Only delete it if it's for this subject!  */
+		DeleteDBSMimeEntry(handle, subjectEntry->emailAddr);
+	    SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
+	}
+    }
+    if (subjectEntry->nickname) {
+	nicknameEntry = ReadDBNicknameEntry(handle, subjectEntry->nickname);
+	if (nicknameEntry) {
+	    if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject,
+	                              &nicknameEntry->subjectName))
+		/*  Only delete it if it's for this subject!  */
+		DeleteDBNicknameEntry(handle, subjectEntry->nickname);
+	    SEC_DestroyDBEntry((certDBEntry*)nicknameEntry);
+	}
+    }
+    SEC_DestroyDBEntry((certDBEntry*)subjectEntry);
+    CERT_UnlockDB(handle);
+#endif
+    return SECSuccess;
+}
+
+void
+getCertsToDelete(char *numlist, int len, int *certNums, int nCerts)
+{
+    int j, num;
+    char *numstr, *numend, *end;
+
+    numstr = numlist;
+    end = numstr + len - 1;
+    while (numstr != end) {
+	numend = strpbrk(numstr, ", \n");
+	*numend = '\0';
+	if (PORT_Strlen(numstr) == 0)
+	    return;
+	num = PORT_Atoi(numstr);
+	if (numstr == numlist)
+	    certNums[0] = num;
+	for (j=1; j<nCerts+1; j++) {
+	    if (num == certNums[j]) {
+		certNums[j] = -1;
+		break;
+	    }
+	}
+	if (numend == end)
+	    break;
+	numstr = strpbrk(numend+1, "0123456789");
+    }
+}
+
+PRBool
+userSaysDeleteCert(CERTCertificate **certs, int nCerts,
+                   int errtype, dbRestoreInfo *info, int *certNums)
+{
+    char response[32];
+    PRInt32 nb;
+    int i;
+    /*  User wants to remove cert without prompting.  */
+    if (info->promptUser[errtype] == PR_FALSE)
+	return (info->removeType[errtype]);
+    switch (errtype) {
+    case dbInvalidCert:
+	PR_fprintf(PR_STDOUT, "********  Expired ********\n");
+	PR_fprintf(PR_STDOUT, "Cert has expired.\n\n");
+	dumpCertificate(certs[0], -1, PR_STDOUT);
+	PR_fprintf(PR_STDOUT,
+	           "Keep it? (y/n - this one, Y/N - all expired certs) [n] ");
+	break;
+    case dbNoSMimeProfile:
+	PR_fprintf(PR_STDOUT, "********  No Profile ********\n");
+	PR_fprintf(PR_STDOUT, "S/MIME cert has no profile.\n\n");
+	dumpCertificate(certs[0], -1, PR_STDOUT);
+	PR_fprintf(PR_STDOUT,
+	      "Keep it? (y/n - this one, Y/N - all S/MIME w/o profile) [n] ");
+	break;
+    case dbOlderCert:
+	PR_fprintf(PR_STDOUT, "*******  Redundant nickname/email *******\n\n");
+	PR_fprintf(PR_STDOUT, "These certs have the same nickname/email:\n");
+	for (i=0; i<nCerts; i++)
+	    dumpCertificate(certs[i], i, PR_STDOUT);
+	PR_fprintf(PR_STDOUT, 
+	"Enter the certs you would like to keep from those listed above.\n");
+	PR_fprintf(PR_STDOUT, 
+	"Use a comma-separated list of the cert numbers (ex. 0, 8, 12).\n");
+	PR_fprintf(PR_STDOUT, 
+	"The first cert in the list will be the primary cert\n");
+	PR_fprintf(PR_STDOUT, 
+	" accessed by the nickname/email handle.\n");
+	PR_fprintf(PR_STDOUT, 
+	"List cert numbers to keep here, or hit enter\n");
+	PR_fprintf(PR_STDOUT, 
+	" to always keep only the newest cert:  ");
+	break;
+    default:
+    }
+    nb = PR_Read(PR_STDIN, response, sizeof(response));
+    PR_fprintf(PR_STDOUT, "\n\n");
+    if (errtype == dbOlderCert) {
+	if (!isdigit(response[0])) {
+	    info->promptUser[errtype] = PR_FALSE;
+	    info->removeType[errtype] = PR_TRUE;
+	    return PR_TRUE;
+	}
+	getCertsToDelete(response, nb, certNums, nCerts);
+	return PR_TRUE;
+    }
+    /*  User doesn't want to be prompted for this type anymore.  */
+    if (response[0] == 'Y') {
+	info->promptUser[errtype] = PR_FALSE;
+	info->removeType[errtype] = PR_FALSE;
+	return PR_FALSE;
+    } else if (response[0] == 'N') {
+	info->promptUser[errtype] = PR_FALSE;
+	info->removeType[errtype] = PR_TRUE;
+	return PR_TRUE;
+    }
+    return (response[0] != 'y') ? PR_TRUE : PR_FALSE;
+}
+
+SECStatus
+addCertToDB(certDBEntryCert *certEntry, dbRestoreInfo *info, 
+            NSSLOWCERTCertDBHandle *oldhandle)
+{
+    SECStatus rv = SECSuccess;
+    PRBool allowOverride;
+    PRBool userCert;
+    SECCertTimeValidity validity;
+    CERTCertificate *oldCert = NULL;
+    CERTCertificate *dbCert = NULL;
+    CERTCertificate *newCert = NULL;
+    CERTCertTrust *trust;
+    certDBEntrySMime *smimeEntry = NULL;
+    char *email = NULL;
+    char *nickname = NULL;
+    int nCertsForSubject = 1;
+
+    oldCert = CERT_DecodeDERCertificate(&certEntry->derCert, PR_FALSE,
+                                        certEntry->nickname);
+    if (!oldCert) {
+	info->dbErrors[dbBadCertificate]++;
+	SEC_DestroyDBEntry((certDBEntry*)certEntry);
+	return SECSuccess;
+    }
+
+    oldCert->dbEntry = certEntry;
+    oldCert->trust = &certEntry->trust;
+    oldCert->dbhandle = oldhandle;
+
+    trust = oldCert->trust;
+
+    info->nOldCerts++;
+
+    if (info->verbose)
+	PR_fprintf(info->out, "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n\n");
+
+    if (oldCert->nickname)
+	nickname = PORT_Strdup(oldCert->nickname);
+
+    /*  Always keep user certs.  Skip ahead.  */
+    /*  XXX if someone sends themselves a signed message, it is possible
+	for their cert to be imported as an "other" cert, not a user cert.
+	this mucks with smime entries...  */
+    userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||
+               (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||
+               (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER);
+    if (userCert)
+	goto createcert;
+
+    /*  If user chooses so, ignore expired certificates.  */
+    allowOverride = (PRBool)((oldCert->keyUsage == certUsageSSLServer) ||
+                         (oldCert->keyUsage == certUsageSSLServerWithStepUp));
+    validity = CERT_CheckCertValidTimes(oldCert, PR_Now(), allowOverride);
+    /*  If cert expired and user wants to delete it, ignore it. */
+    if ((validity != secCertTimeValid) && 
+	 userSaysDeleteCert(&oldCert, 1, dbInvalidCert, info, 0)) {
+	info->dbErrors[dbInvalidCert]++;
+	if (info->verbose) {
+	    PR_fprintf(info->out, "Deleting expired certificate:\n");
+	    dumpCertificate(oldCert, -1, info->out);
+	}
+	goto cleanup;
+    }
+
+    /*  New database will already have default certs, don't attempt
+	to overwrite them.  */
+    dbCert = CERT_FindCertByDERCert(info->handle, &oldCert->derCert);
+    if (dbCert) {
+	info->nCerts++;
+	if (info->verbose) {
+	    PR_fprintf(info->out, "Added certificate to database:\n");
+	    dumpCertificate(oldCert, -1, info->out);
+	}
+	goto cleanup;
+    }
+    
+    /*  Determine if cert is S/MIME and get its email if so.  */
+    email = IsEmailCert(oldCert);
+
+    /*
+	XXX  Just create empty profiles?
+    if (email) {
+	SECItem *profile = CERT_FindSMimeProfile(oldCert);
+	if (!profile &&
+	    userSaysDeleteCert(&oldCert, 1, dbNoSMimeProfile, info, 0)) {
+	    info->dbErrors[dbNoSMimeProfile]++;
+	    if (info->verbose) {
+		PR_fprintf(info->out, 
+		           "Deleted cert missing S/MIME profile.\n");
+		dumpCertificate(oldCert, -1, info->out);
+	    }
+	    goto cleanup;
+	} else {
+	    SECITEM_FreeItem(profile);
+	}
+    }
+    */
+
+createcert:
+
+    /*  Sometimes happens... */
+    if (!nickname && userCert)
+	nickname = PORT_Strdup(oldCert->subjectName);
+
+    /*  Create a new certificate, copy of the old one.  */
+    newCert = CERT_NewTempCertificate(info->handle, &oldCert->derCert, 
+                                      nickname, PR_FALSE, PR_TRUE);
+    if (!newCert) {
+	PR_fprintf(PR_STDERR, "Unable to create new certificate.\n");
+	dumpCertificate(oldCert, -1, PR_STDERR);
+	info->dbErrors[dbBadCertificate]++;
+	goto cleanup;
+    }
+
+    /*  Add the cert to the new database.  */
+    rv = CERT_AddTempCertToPerm(newCert, nickname, oldCert->trust);
+    if (rv) {
+	PR_fprintf(PR_STDERR, "Failed to write temp cert to perm database.\n");
+	dumpCertificate(oldCert, -1, PR_STDERR);
+	info->dbErrors[dbCertNotWrittenToDB]++;
+	goto cleanup;
+    }
+
+    if (info->verbose) {
+	PR_fprintf(info->out, "Added certificate to database:\n");
+	dumpCertificate(oldCert, -1, info->out);
+    }
+
+    /*  If the cert is an S/MIME cert, and the first with it's subject,
+     *  modify the subject entry to include the email address,
+     *  CERT_AddTempCertToPerm does not do email addresses and S/MIME entries.
+     */
+    if (smimeEntry) { /*&& !userCert && nCertsForSubject == 1) { */
+#if 0
+	UpdateSubjectWithEmailAddr(newCert, email);
+#endif
+	SECItem emailProfile, profileTime;
+	rv = CERT_FindFullSMimeProfile(oldCert, &emailProfile, &profileTime);
+	/*  calls UpdateSubjectWithEmailAddr  */
+	if (rv == SECSuccess)
+	    rv = CERT_SaveSMimeProfile(newCert, &emailProfile, &profileTime);
+    }
+
+    info->nCerts++;
+
+cleanup:
+
+    if (nickname)
+	PORT_Free(nickname);
+    if (email)
+	PORT_Free(email);
+    if (oldCert)
+	CERT_DestroyCertificate(oldCert);
+    if (dbCert)
+	CERT_DestroyCertificate(dbCert);
+    if (newCert)
+	CERT_DestroyCertificate(newCert);
+    if (smimeEntry)
+	SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
+    return SECSuccess;
+}
+
+#if 0
+SECStatus
+copyDBEntry(SECItem *data, SECItem *key, certDBEntryType type, void *pdata)
+{
+    SECStatus rv;
+    NSSLOWCERTCertDBHandle *newdb = (NSSLOWCERTCertDBHandle *)pdata;
+    certDBEntryCommon common;
+    SECItem dbkey;
+
+    common.type = type;
+    common.version = CERT_DB_FILE_VERSION;
+    common.flags = data->data[2];
+    common.arena = NULL;
+
+    dbkey.len = key->len + SEC_DB_KEY_HEADER_LEN;
+    dbkey.data = (unsigned char *)PORT_Alloc(dbkey.len*sizeof(unsigned char));
+    PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], key->data, key->len);
+    dbkey.data[0] = type;
+
+    rv = WriteDBEntry(newdb, &common, &dbkey, data);
+
+    PORT_Free(dbkey.data);
+    return rv;
+}
+#endif
+
+int
+certIsOlder(CERTCertificate **cert1, CERTCertificate** cert2)
+{
+    return !CERT_IsNewer(*cert1, *cert2);
+}
+
+int
+findNewestSubjectForEmail(NSSLOWCERTCertDBHandle *handle, int subjectNum,
+                          certDBArray *dbArray, dbRestoreInfo *info,
+                          int *subjectWithSMime, int *smimeForSubject)
+{
+    int newestSubject;
+    int subjectsForEmail[50];
+    int i, j, ns, sNum;
+    certDBEntryListNode *subjects = &dbArray->subjects;
+    certDBEntryListNode *smime = &dbArray->smime;
+    certDBEntrySubject *subjectEntry1, *subjectEntry2;
+    certDBEntrySMime *smimeEntry;
+    CERTCertificate **certs;
+    CERTCertificate *cert;
+    CERTCertTrust *trust;
+    PRBool userCert;
+    int *certNums;
+
+    ns = 0;
+    subjectEntry1 = (certDBEntrySubject*)&subjects.entries[subjectNum];
+    subjectsForEmail[ns++] = subjectNum;
+
+    *subjectWithSMime = -1;
+    *smimeForSubject = -1;
+    newestSubject = subjectNum;
+
+    cert = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]);
+    if (cert) {
+	trust = cert->trust;
+	userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) ||
+	          (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) ||
+	         (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER);
+	CERT_DestroyCertificate(cert);
+    }
+
+    /*
+     * XXX Should we make sure that subjectEntry1->emailAddr is not
+     * a null pointer or an empty string before going into the next
+     * two for loops, which pass it to PORT_Strcmp?
+     */
+
+    /*  Loop over the remaining subjects.  */
+    for (i=subjectNum+1; i<subjects.numEntries; i++) {
+	subjectEntry2 = (certDBEntrySubject*)&subjects.entries[i];
+	if (!subjectEntry2)
+	    continue;
+	if (subjectEntry2->emailAddr && subjectEntry2->emailAddr[0] &&
+	     PORT_Strcmp(subjectEntry1->emailAddr, 
+	                 subjectEntry2->emailAddr) == 0) {
+	    /*  Found a subject using the same email address.  */
+	    subjectsForEmail[ns++] = i;
+	}
+    }
+
+    /*  Find the S/MIME entry for this email address.  */
+    for (i=0; i<smime.numEntries; i++) {
+	smimeEntry = (certDBEntrySMime*)&smime.entries[i];
+	if (smimeEntry->common.arena == NULL)
+	    continue;
+	if (smimeEntry->emailAddr && smimeEntry->emailAddr[0] && 
+	    PORT_Strcmp(subjectEntry1->emailAddr, smimeEntry->emailAddr) == 0) {
+	    /*  Find which of the subjects uses this S/MIME entry.  */
+	    for (j=0; j<ns && *subjectWithSMime < 0; j++) {
+		sNum = subjectsForEmail[j];
+		subjectEntry2 = (certDBEntrySubject*)&subjects.entries[sNum];
+		if (SECITEM_ItemsAreEqual(&smimeEntry->subjectName,
+		                          &subjectEntry2->derSubject)) {
+		    /*  Found the subject corresponding to the S/MIME entry. */
+		    *subjectWithSMime = sNum;
+		    *smimeForSubject = i;
+		}
+	    }
+	    SEC_DestroyDBEntry((certDBEntry*)smimeEntry);
+	    PORT_Memset(smimeEntry, 0, sizeof(certDBEntry));
+	    break;
+	}
+    }
+
+    if (ns <= 1)
+	return subjectNum;
+
+    if (userCert)
+	return *subjectWithSMime;
+
+    /*  Now find which of the subjects has the newest cert.  */
+    certs = (CERTCertificate**)PORT_Alloc(ns*sizeof(CERTCertificate*));
+    certNums = (int*)PORT_Alloc((ns+1)*sizeof(int));
+    certNums[0] = 0;
+    for (i=0; i<ns; i++) {
+	sNum = subjectsForEmail[i];
+	subjectEntry1 = (certDBEntrySubject*)&subjects.entries[sNum];
+	certs[i] = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]);
+	certNums[i+1] = i;
+    }
+    /*  Sort the array by validity.  */
+    qsort(certs, ns, sizeof(CERTCertificate*), 
+          (int (*)(const void *, const void *))certIsOlder);
+    newestSubject = -1;
+    for (i=0; i<ns; i++) {
+	sNum = subjectsForEmail[i];
+	subjectEntry1 = (certDBEntrySubject*)&subjects.entries[sNum];
+	if (SECITEM_ItemsAreEqual(&subjectEntry1->derSubject,
+	                          &certs[0]->derSubject))
+	    newestSubject = sNum;
+	else
+	    SEC_DestroyDBEntry((certDBEntry*)subjectEntry1);
+    }
+    if (info && userSaysDeleteCert(certs, ns, dbOlderCert, info, certNums)) {
+	for (i=1; i<ns+1; i++) {
+	    if (certNums[i] >= 0 && certNums[i] != certNums[0]) {
+		deleteAllEntriesForCert(handle, certs[certNums[i]], info->out);
+		info->dbErrors[dbOlderCert]++;
+	    }
+	}
+    }
+    CERT_DestroyCertArray(certs, ns);
+    return newestSubject;
+}
+
+NSSLOWCERTCertDBHandle *
+DBCK_ReconstructDBFromCerts(NSSLOWCERTCertDBHandle *oldhandle, char *newdbname,
+                            PRFileDesc *outfile, PRBool removeExpired,
+                            PRBool requireProfile, PRBool singleEntry,
+                            PRBool promptUser)
+{
+    SECStatus rv;
+    dbRestoreInfo info;
+    certDBEntryContentVersion *oldContentVersion;
+    certDBArray dbArray;
+    int i;
+
+    PORT_Memset(&dbArray, 0, sizeof(dbArray));
+    PORT_Memset(&info, 0, sizeof(info));
+    info.verbose = (outfile) ? PR_TRUE : PR_FALSE;
+    info.out = (outfile) ? outfile : PR_STDOUT;
+    info.removeType[dbInvalidCert] = removeExpired;
+    info.removeType[dbNoSMimeProfile] = requireProfile;
+    info.removeType[dbOlderCert] = singleEntry;
+    info.promptUser[dbInvalidCert]  = promptUser;
+    info.promptUser[dbNoSMimeProfile]  = promptUser;
+    info.promptUser[dbOlderCert]  = promptUser;
+
+    /*  Allocate a handle to fill with CERT_OpenCertDB below.  */
+    info.handle = PORT_ZNew(NSSLOWCERTCertDBHandle);
+    if (!info.handle) {
+	fprintf(stderr, "unable to get database handle");
+	return NULL;
+    }
+
+    /*  Create a certdb with the most recent set of roots.  */
+    rv = CERT_OpenCertDBFilename(info.handle, newdbname, PR_FALSE);
+
+    if (rv) {
+	fprintf(stderr, "could not open certificate database");
+	goto loser;
+    }
+
+    /*  Create certificate, subject, nickname, and email records.
+     *  mcom_db seems to have a sequential access bug.  Though reads and writes
+     *  should be allowed during traversal, they seem to screw up the sequence.
+     *  So, stuff all the cert entries into an array, and loop over the array
+     *  doing read/writes in the db.
+     */
+    fillDBEntryArray(oldhandle, certDBEntryTypeCert, &dbArray.certs);
+    for (elem = PR_LIST_HEAD(&dbArray->certs.link);
+         elem != &dbArray->certs.link; elem = PR_NEXT_LINK(elem)) {
+	node = LISTNODE_CAST(elem);
+	addCertToDB((certDBEntryCert*)&node->entry, &info, oldhandle);
+	/* entries get destroyed in addCertToDB */
+    }
+#if 0
+    rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeSMimeProfile, 
+                               copyDBEntry, info.handle);
+#endif
+
+    /*  Fix up the pointers between (nickname|S/MIME) --> (subject).
+     *  Create S/MIME entries for S/MIME certs.
+     *  Have the S/MIME entry point to the last-expiring cert using
+     *  an email address.
+     */
+#if 0
+    CERT_RedoHandlesForSubjects(info.handle, singleEntry, &info);
+#endif
+
+    freeDBEntryList(&dbArray.certs.link);
+
+    /*  Copy over the version record.  */
+    /*  XXX Already exists - and _must_ be correct... */
+    /*
+    versionEntry = ReadDBVersionEntry(oldhandle);
+    rv = WriteDBVersionEntry(info.handle, versionEntry);
+    */
+
+    /*  Copy over the content version record.  */
+    /*  XXX Can probably get useful info from old content version?
+     *      Was this db created before/after this tool?  etc.
+     */
+#if 0
+    oldContentVersion = ReadDBContentVersionEntry(oldhandle);
+    CERT_SetDBContentVersion(oldContentVersion->contentVersion, info.handle); 
+#endif
+
+#if 0
+    /*  Copy over the CRL & KRL records.  */
+    rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeRevocation, 
+                               copyDBEntry, info.handle);
+    /*  XXX Only one KRL, just do db->get? */
+    rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeKeyRevocation, 
+                               copyDBEntry, info.handle);
+#endif
+
+    PR_fprintf(info.out, "Database had %d certificates.\n", info.nOldCerts);
+
+    PR_fprintf(info.out, "Reconstructed %d certificates.\n", info.nCerts);
+    PR_fprintf(info.out, "(ax) Rejected %d expired certificates.\n", 
+                       info.dbErrors[dbInvalidCert]);
+    PR_fprintf(info.out, "(as) Rejected %d S/MIME certificates missing a profile.\n", 
+                       info.dbErrors[dbNoSMimeProfile]);
+    PR_fprintf(info.out, "(ar) Rejected %d certificates for which a newer certificate was found.\n", 
+                       info.dbErrors[dbOlderCert]);
+    PR_fprintf(info.out, "     Rejected %d corrupt certificates.\n", 
+                       info.dbErrors[dbBadCertificate]);
+    PR_fprintf(info.out, "     Rejected %d certificates which did not write to the DB.\n", 
+                       info.dbErrors[dbCertNotWrittenToDB]);
+
+    if (rv)
+	goto loser;
+
+    return info.handle;
+
+loser:
+    if (info.handle) 
+	PORT_Free(info.handle);
+    return NULL;
+}
+