/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
 * The following code handles the storage of PKCS 11 modules used by the
 * NSS. This file is written to abstract away how the modules are
 * stored so we can decide that later.
 */
#include "secport.h"
#include "prprf.h"
#include "prenv.h"
#include "utilpars.h"
#include "utilmodt.h"

/*
 * return the expected matching quote value for the one specified
 */
PRBool
NSSUTIL_ArgGetPair(char c)
{
    switch (c) {
        case '\'':
            return c;
        case '\"':
            return c;
        case '<':
            return '>';
        case '{':
            return '}';
        case '[':
            return ']';
        case '(':
            return ')';
        default:
            break;
    }
    return ' ';
}

PRBool
NSSUTIL_ArgIsBlank(char c)
{
    return isspace((unsigned char)c);
}

PRBool
NSSUTIL_ArgIsEscape(char c)
{
    return c == '\\';
}

PRBool
NSSUTIL_ArgIsQuote(char c)
{
    switch (c) {
        case '\'':
        case '\"':
        case '<':
        case '{': /* } end curly to keep vi bracket matching working */
        case '(': /* ) */
        case '[': /* ] */
            return PR_TRUE;
        default:
            break;
    }
    return PR_FALSE;
}

const char *
NSSUTIL_ArgStrip(const char *c)
{
    while (*c && NSSUTIL_ArgIsBlank(*c))
        c++;
    return c;
}

/*
 * find the end of the current tag/value pair. string should be pointing just
 * after the equal sign. Handles quoted characters.
 */
const char *
NSSUTIL_ArgFindEnd(const char *string)
{
    char endChar = ' ';
    PRBool lastEscape = PR_FALSE;

    if (NSSUTIL_ArgIsQuote(*string)) {
        endChar = NSSUTIL_ArgGetPair(*string);
        string++;
    }

    for (; *string; string++) {
        if (lastEscape) {
            lastEscape = PR_FALSE;
            continue;
        }
        if (NSSUTIL_ArgIsEscape(*string) && !lastEscape) {
            lastEscape = PR_TRUE;
            continue;
        }
        if ((endChar == ' ') && NSSUTIL_ArgIsBlank(*string))
            break;
        if (*string == endChar) {
            break;
        }
    }

    return string;
}

/*
 * get the value pointed to by string. string should be pointing just beyond
 * the equal sign.
 */
char *
NSSUTIL_ArgFetchValue(const char *string, int *pcount)
{
    const char *end = NSSUTIL_ArgFindEnd(string);
    char *retString, *copyString;
    PRBool lastEscape = PR_FALSE;
    int len;

    len = end - string;
    if (len == 0) {
        *pcount = 0;
        return NULL;
    }

    copyString = retString = (char *)PORT_Alloc(len + 1);

    if (*end)
        len++;
    *pcount = len;
    if (retString == NULL)
        return NULL;

    if (NSSUTIL_ArgIsQuote(*string))
        string++;
    for (; string < end; string++) {
        if (NSSUTIL_ArgIsEscape(*string) && !lastEscape) {
            lastEscape = PR_TRUE;
            continue;
        }
        lastEscape = PR_FALSE;
        *copyString++ = *string;
    }
    *copyString = 0;
    return retString;
}

/*
 * point to the next parameter in string
 */
const char *
NSSUTIL_ArgSkipParameter(const char *string)
{
    const char *end;
    /* look for the end of the <name>= */
    for (; *string; string++) {
        if (*string == '=') {
            string++;
            break;
        }
        if (NSSUTIL_ArgIsBlank(*string))
            return (string);
    }

    end = NSSUTIL_ArgFindEnd(string);
    if (*end)
        end++;
    return end;
}

/*
 * get the value from that tag value pair.
 */
char *
NSSUTIL_ArgGetParamValue(const char *paramName, const char *parameters)
{
    char searchValue[256];
    int paramLen = strlen(paramName);
    char *returnValue = NULL;
    int next;

    if ((parameters == NULL) || (*parameters == 0))
        return NULL;

    PORT_Assert(paramLen + 2 < sizeof(searchValue));

    PORT_Strcpy(searchValue, paramName);
    PORT_Strcat(searchValue, "=");
    while (*parameters) {
        if (PORT_Strncasecmp(parameters, searchValue, paramLen + 1) == 0) {
            parameters += paramLen + 1;
            returnValue = NSSUTIL_ArgFetchValue(parameters, &next);
            break;
        } else {
            parameters = NSSUTIL_ArgSkipParameter(parameters);
        }
        parameters = NSSUTIL_ArgStrip(parameters);
    }
    return returnValue;
}

/*
 * find the next flag in the parameter list
 */
const char *
NSSUTIL_ArgNextFlag(const char *flags)
{
    for (; *flags; flags++) {
        if (*flags == ',') {
            flags++;
            break;
        }
    }
    return flags;
}

/*
 * return true if the flag is set in the label parameter.
 */
PRBool
NSSUTIL_ArgHasFlag(const char *label, const char *flag, const char *parameters)
{
    char *flags;
    const char *index;
    int len = strlen(flag);
    PRBool found = PR_FALSE;

    flags = NSSUTIL_ArgGetParamValue(label, parameters);
    if (flags == NULL)
        return PR_FALSE;

    for (index = flags; *index; index = NSSUTIL_ArgNextFlag(index)) {
        if (PORT_Strncasecmp(index, flag, len) == 0) {
            found = PR_TRUE;
            break;
        }
    }
    PORT_Free(flags);
    return found;
}

/*
 * decode a number. handle octal (leading '0'), hex (leading '0x') or decimal
 */
long
NSSUTIL_ArgDecodeNumber(const char *num)
{
    int radix = 10;
    unsigned long value = 0;
    long retValue = 0;
    int sign = 1;
    int digit;

    if (num == NULL)
        return retValue;

    num = NSSUTIL_ArgStrip(num);

    if (*num == '-') {
        sign = -1;
        num++;
    }

    if (*num == '0') {
        radix = 8;
        num++;
        if ((*num == 'x') || (*num == 'X')) {
            radix = 16;
            num++;
        }
    }

    for (; *num; num++) {
        if (isdigit(*num)) {
            digit = *num - '0';
        } else if ((*num >= 'a') && (*num <= 'f')) {
            digit = *num - 'a' + 10;
        } else if ((*num >= 'A') && (*num <= 'F')) {
            digit = *num - 'A' + 10;
        } else {
            break;
        }
        if (digit >= radix)
            break;
        value = value * radix + digit;
    }

    retValue = ((int)value) * sign;
    return retValue;
}

/*
 * parameters are tag value pairs. This function returns the tag or label (the
 * value before the equal size.
 */
char *
NSSUTIL_ArgGetLabel(const char *inString, int *next)
{
    char *name = NULL;
    const char *string;
    int len;

    /* look for the end of the <label>= */
    for (string = inString; *string; string++) {
        if (*string == '=') {
            break;
        }
        if (NSSUTIL_ArgIsBlank(*string))
            break;
    }

    len = string - inString;

    *next = len;
    if (*string == '=')
        (*next) += 1;
    if (len > 0) {
        name = PORT_Alloc(len + 1);
        PORT_Strncpy(name, inString, len);
        name[len] = 0;
    }
    return name;
}

/*
 * read an argument at a Long integer
 */
long
NSSUTIL_ArgReadLong(const char *label, const char *params,
                    long defValue, PRBool *isdefault)
{
    char *value;
    long retValue;
    if (isdefault)
        *isdefault = PR_FALSE;

    value = NSSUTIL_ArgGetParamValue(label, params);
    if (value == NULL) {
        if (isdefault)
            *isdefault = PR_TRUE;
        return defValue;
    }
    retValue = NSSUTIL_ArgDecodeNumber(value);
    if (value)
        PORT_Free(value);

    return retValue;
}

/*
 * prepare a string to be quoted with 'quote' marks. We do that by adding
 * appropriate escapes.
 */
static int
nssutil_escapeQuotesSize(const char *string, char quote, PRBool addquotes)
{
    int escapes = 0, size = 0;
    const char *src;

    size = addquotes ? 2 : 0;
    for (src = string; *src; src++) {
        if ((*src == quote) || (*src == '\\'))
            escapes++;
        size++;
    }
    return size + escapes + 1;
}

static char *
nssutil_escapeQuotes(const char *string, char quote, PRBool addquotes)
{
    char *newString = 0;
    int size = 0;
    const char *src;
    char *dest;

    size = nssutil_escapeQuotesSize(string, quote, addquotes);

    dest = newString = PORT_ZAlloc(size);
    if (newString == NULL) {
        return NULL;
    }

    if (addquotes)
        *dest++ = quote;
    for (src = string; *src; src++, dest++) {
        if ((*src == '\\') || (*src == quote)) {
            *dest++ = '\\';
        }
        *dest = *src;
    }
    if (addquotes)
        *dest = quote;

    return newString;
}

int
NSSUTIL_EscapeSize(const char *string, char quote)
{
    return nssutil_escapeQuotesSize(string, quote, PR_FALSE);
}

char *
NSSUTIL_Escape(const char *string, char quote)
{
    return nssutil_escapeQuotes(string, quote, PR_FALSE);
}

int
NSSUTIL_QuoteSize(const char *string, char quote)
{
    return nssutil_escapeQuotesSize(string, quote, PR_TRUE);
}

char *
NSSUTIL_Quote(const char *string, char quote)
{
    return nssutil_escapeQuotes(string, quote, PR_TRUE);
}

int
NSSUTIL_DoubleEscapeSize(const char *string, char quote1, char quote2)
{
    int escapes = 0, size = 0;
    const char *src;
    for (src = string; *src; src++) {
        if (*src == '\\')
            escapes += 3; /* \\\\ */
        if (*src == quote1)
            escapes += 2; /* \\quote1 */
        if (*src == quote2)
            escapes++; /* \quote2 */
        size++;
    }

    return escapes + size + 1;
}

char *
NSSUTIL_DoubleEscape(const char *string, char quote1, char quote2)
{
    char *round1 = NULL;
    char *retValue = NULL;
    if (string == NULL) {
        goto done;
    }
    round1 = nssutil_escapeQuotes(string, quote1, PR_FALSE);
    if (round1) {
        retValue = nssutil_escapeQuotes(round1, quote2, PR_FALSE);
        PORT_Free(round1);
    }

done:
    if (retValue == NULL) {
        retValue = PORT_Strdup("");
    }
    return retValue;
}

/************************************************************************
 * These functions are used in contructing strings.
 * NOTE: they will always return a string, but sometimes it will return
 * a specific NULL string. These strings must be freed with util_freePair.
 */

/* string to return on error... */
static char *nssutil_nullString = "";

static char *
nssutil_formatValue(PLArenaPool *arena, char *value, char quote)
{
    char *vp, *vp2, *retval;
    int size = 0, escapes = 0;

    for (vp = value; *vp; vp++) {
        if ((*vp == quote) || (*vp == NSSUTIL_ARG_ESCAPE))
            escapes++;
        size++;
    }
    if (arena) {
        retval = PORT_ArenaZAlloc(arena, size + escapes + 1);
    } else {
        retval = PORT_ZAlloc(size + escapes + 1);
    }
    if (retval == NULL)
        return NULL;
    vp2 = retval;
    for (vp = value; *vp; vp++) {
        if ((*vp == quote) || (*vp == NSSUTIL_ARG_ESCAPE))
            *vp2++ = NSSUTIL_ARG_ESCAPE;
        *vp2++ = *vp;
    }
    return retval;
}

static PRBool
nssutil_argHasChar(char *v, char c)
{
    for (; *v; v++) {
        if (*v == c)
            return PR_TRUE;
    }
    return PR_FALSE;
}

static PRBool
nssutil_argHasBlanks(char *v)
{
    for (; *v; v++) {
        if (NSSUTIL_ArgIsBlank(*v))
            return PR_TRUE;
    }
    return PR_FALSE;
}

static char *
nssutil_formatPair(char *name, char *value, char quote)
{
    char openQuote = quote;
    char closeQuote = NSSUTIL_ArgGetPair(quote);
    char *newValue = NULL;
    char *returnValue;
    PRBool need_quote = PR_FALSE;

    if (!value || (*value == 0))
        return nssutil_nullString;

    if (nssutil_argHasBlanks(value) || NSSUTIL_ArgIsQuote(value[0]))
        need_quote = PR_TRUE;

    if ((need_quote && nssutil_argHasChar(value, closeQuote)) || nssutil_argHasChar(value, NSSUTIL_ARG_ESCAPE)) {
        value = newValue = nssutil_formatValue(NULL, value, quote);
        if (newValue == NULL)
            return nssutil_nullString;
    }
    if (need_quote) {
        returnValue = PR_smprintf("%s=%c%s%c", name, openQuote, value, closeQuote);
    } else {
        returnValue = PR_smprintf("%s=%s", name, value);
    }
    if (returnValue == NULL)
        returnValue = nssutil_nullString;

    if (newValue)
        PORT_Free(newValue);

    return returnValue;
}

static char *
nssutil_formatIntPair(char *name, unsigned long value,
                      unsigned long def)
{
    char *returnValue;

    if (value == def)
        return nssutil_nullString;

    returnValue = PR_smprintf("%s=%d", name, value);

    return returnValue;
}

static void
nssutil_freePair(char *pair)
{
    if (pair && pair != nssutil_nullString) {
        PR_smprintf_free(pair);
    }
}

/************************************************************************
 * Parse the Slot specific parameters in the NSS params.
 */

struct nssutilArgSlotFlagTable {
    char *name;
    int len;
    unsigned long value;
};

#define NSSUTIL_ARG_ENTRY(arg, flag) \
    {                                \
        #arg, sizeof(#arg) - 1, flag \
    }
static struct nssutilArgSlotFlagTable nssutil_argSlotFlagTable[] = {
    NSSUTIL_ARG_ENTRY(RSA, SECMOD_RSA_FLAG),
    NSSUTIL_ARG_ENTRY(ECC, SECMOD_ECC_FLAG),
    NSSUTIL_ARG_ENTRY(DSA, SECMOD_RSA_FLAG),
    NSSUTIL_ARG_ENTRY(RC2, SECMOD_RC4_FLAG),
    NSSUTIL_ARG_ENTRY(RC4, SECMOD_RC2_FLAG),
    NSSUTIL_ARG_ENTRY(DES, SECMOD_DES_FLAG),
    NSSUTIL_ARG_ENTRY(DH, SECMOD_DH_FLAG),
    NSSUTIL_ARG_ENTRY(FORTEZZA, SECMOD_FORTEZZA_FLAG),
    NSSUTIL_ARG_ENTRY(RC5, SECMOD_RC5_FLAG),
    NSSUTIL_ARG_ENTRY(SHA1, SECMOD_SHA1_FLAG),
    NSSUTIL_ARG_ENTRY(SHA256, SECMOD_SHA256_FLAG),
    NSSUTIL_ARG_ENTRY(SHA512, SECMOD_SHA512_FLAG),
    NSSUTIL_ARG_ENTRY(MD5, SECMOD_MD5_FLAG),
    NSSUTIL_ARG_ENTRY(MD2, SECMOD_MD2_FLAG),
    NSSUTIL_ARG_ENTRY(SSL, SECMOD_SSL_FLAG),
    NSSUTIL_ARG_ENTRY(TLS, SECMOD_TLS_FLAG),
    NSSUTIL_ARG_ENTRY(AES, SECMOD_AES_FLAG),
    NSSUTIL_ARG_ENTRY(Camellia, SECMOD_CAMELLIA_FLAG),
    NSSUTIL_ARG_ENTRY(SEED, SECMOD_SEED_FLAG),
    NSSUTIL_ARG_ENTRY(PublicCerts, SECMOD_FRIENDLY_FLAG),
    NSSUTIL_ARG_ENTRY(RANDOM, SECMOD_RANDOM_FLAG),
    NSSUTIL_ARG_ENTRY(Disable, SECMOD_DISABLE_FLAG),
};

static int nssutil_argSlotFlagTableSize =
    sizeof(nssutil_argSlotFlagTable) / sizeof(nssutil_argSlotFlagTable[0]);

/* turn the slot flags into a bit mask */
unsigned long
NSSUTIL_ArgParseSlotFlags(const char *label, const char *params)
{
    char *flags;
    const char *index;
    unsigned long retValue = 0;
    int i;
    PRBool all = PR_FALSE;

    flags = NSSUTIL_ArgGetParamValue(label, params);
    if (flags == NULL)
        return 0;

    if (PORT_Strcasecmp(flags, "all") == 0)
        all = PR_TRUE;

    for (index = flags; *index; index = NSSUTIL_ArgNextFlag(index)) {
        for (i = 0; i < nssutil_argSlotFlagTableSize; i++) {
            if (all ||
                (PORT_Strncasecmp(index, nssutil_argSlotFlagTable[i].name,
                                  nssutil_argSlotFlagTable[i].len) == 0)) {
                retValue |= nssutil_argSlotFlagTable[i].value;
            }
        }
    }
    PORT_Free(flags);
    return retValue;
}

/* parse a single slot specific parameter */
static void
nssutil_argDecodeSingleSlotInfo(char *name, char *params,
                                struct NSSUTILPreSlotInfoStr *slotInfo)
{
    char *askpw;

    slotInfo->slotID = NSSUTIL_ArgDecodeNumber(name);
    slotInfo->defaultFlags = NSSUTIL_ArgParseSlotFlags("slotFlags", params);
    slotInfo->timeout = NSSUTIL_ArgReadLong("timeout", params, 0, NULL);

    askpw = NSSUTIL_ArgGetParamValue("askpw", params);
    slotInfo->askpw = 0;

    if (askpw) {
        if (PORT_Strcasecmp(askpw, "every") == 0) {
            slotInfo->askpw = -1;
        } else if (PORT_Strcasecmp(askpw, "timeout") == 0) {
            slotInfo->askpw = 1;
        }
        PORT_Free(askpw);
        slotInfo->defaultFlags |= PK11_OWN_PW_DEFAULTS;
    }
    slotInfo->hasRootCerts = NSSUTIL_ArgHasFlag("rootFlags", "hasRootCerts",
                                                params);
    slotInfo->hasRootTrust = NSSUTIL_ArgHasFlag("rootFlags", "hasRootTrust",
                                                params);
}

/* parse all the slot specific parameters. */
struct NSSUTILPreSlotInfoStr *
NSSUTIL_ArgParseSlotInfo(PLArenaPool *arena, const char *slotParams,
                         int *retCount)
{
    const char *slotIndex;
    struct NSSUTILPreSlotInfoStr *slotInfo = NULL;
    int i = 0, count = 0, next;

    *retCount = 0;
    if ((slotParams == NULL) || (*slotParams == 0))
        return NULL;

    /* first count the number of slots */
    for (slotIndex = NSSUTIL_ArgStrip(slotParams); *slotIndex;
         slotIndex = NSSUTIL_ArgStrip(NSSUTIL_ArgSkipParameter(slotIndex))) {
        count++;
    }

    /* get the data structures */
    if (arena) {
        slotInfo = PORT_ArenaZNewArray(arena,
                                       struct NSSUTILPreSlotInfoStr, count);
    } else {
        slotInfo = PORT_ZNewArray(struct NSSUTILPreSlotInfoStr, count);
    }
    if (slotInfo == NULL)
        return NULL;

    for (slotIndex = NSSUTIL_ArgStrip(slotParams), i = 0;
         *slotIndex && i < count;) {
        char *name;
        name = NSSUTIL_ArgGetLabel(slotIndex, &next);
        slotIndex += next;

        if (!NSSUTIL_ArgIsBlank(*slotIndex)) {
            char *args = NSSUTIL_ArgFetchValue(slotIndex, &next);
            slotIndex += next;
            if (args) {
                nssutil_argDecodeSingleSlotInfo(name, args, &slotInfo[i]);
                i++;
                PORT_Free(args);
            }
        }
        if (name)
            PORT_Free(name);
        slotIndex = NSSUTIL_ArgStrip(slotIndex);
    }
    *retCount = i;
    return slotInfo;
}

/************************************************************************
 * make a new slot specific parameter
 */
/* first make the slot flags */
static char *
nssutil_mkSlotFlags(unsigned long defaultFlags)
{
    char *flags = NULL;
    unsigned int i;
    int j;

    for (i = 0; i < sizeof(defaultFlags) * 8; i++) {
        if (defaultFlags & (1UL << i)) {
            char *string = NULL;

            for (j = 0; j < nssutil_argSlotFlagTableSize; j++) {
                if (nssutil_argSlotFlagTable[j].value == (1UL << i)) {
                    string = nssutil_argSlotFlagTable[j].name;
                    break;
                }
            }
            if (string) {
                if (flags) {
                    char *tmp;
                    tmp = PR_smprintf("%s,%s", flags, string);
                    PR_smprintf_free(flags);
                    flags = tmp;
                } else {
                    flags = PR_smprintf("%s", string);
                }
            }
        }
    }

    return flags;
}

/* now make the root flags */
#define NSSUTIL_MAX_ROOT_FLAG_SIZE sizeof("hasRootCerts") + sizeof("hasRootTrust")
static char *
nssutil_mkRootFlags(PRBool hasRootCerts, PRBool hasRootTrust)
{
    char *flags = (char *)PORT_ZAlloc(NSSUTIL_MAX_ROOT_FLAG_SIZE);
    PRBool first = PR_TRUE;

    PORT_Memset(flags, 0, NSSUTIL_MAX_ROOT_FLAG_SIZE);
    if (hasRootCerts) {
        PORT_Strcat(flags, "hasRootCerts");
        first = PR_FALSE;
    }
    if (hasRootTrust) {
        if (!first)
            PORT_Strcat(flags, ",");
        PORT_Strcat(flags, "hasRootTrust");
    }
    return flags;
}

/* now make a full slot string */
char *
NSSUTIL_MkSlotString(unsigned long slotID, unsigned long defaultFlags,
                     unsigned long timeout, unsigned char askpw_in,
                     PRBool hasRootCerts, PRBool hasRootTrust)
{
    char *askpw, *flags, *rootFlags, *slotString;
    char *flagPair, *rootFlagsPair;

    switch (askpw_in) {
        case 0xff:
            askpw = "every";
            break;
        case 1:
            askpw = "timeout";
            break;
        default:
            askpw = "any";
            break;
    }
    flags = nssutil_mkSlotFlags(defaultFlags);
    rootFlags = nssutil_mkRootFlags(hasRootCerts, hasRootTrust);
    flagPair = nssutil_formatPair("slotFlags", flags, '\'');
    rootFlagsPair = nssutil_formatPair("rootFlags", rootFlags, '\'');
    if (flags)
        PR_smprintf_free(flags);
    if (rootFlags)
        PORT_Free(rootFlags);
    if (defaultFlags & PK11_OWN_PW_DEFAULTS) {
        slotString = PR_smprintf("0x%08lx=[%s askpw=%s timeout=%d %s]",
                                 (PRUint32)slotID, flagPair, askpw, timeout,
                                 rootFlagsPair);
    } else {
        slotString = PR_smprintf("0x%08lx=[%s %s]",
                                 (PRUint32)slotID, flagPair, rootFlagsPair);
    }
    nssutil_freePair(flagPair);
    nssutil_freePair(rootFlagsPair);
    return slotString;
}

/************************************************************************
 * Parse Full module specs into: library, commonName, module parameters,
 * and NSS specifi parameters.
 */
SECStatus
NSSUTIL_ArgParseModuleSpecEx(const char *modulespec, char **lib, char **mod,
                             char **parameters, char **nss,
                             char **config)
{
    int next;
    modulespec = NSSUTIL_ArgStrip(modulespec);

    *lib = *mod = *parameters = *nss = *config = 0;

    while (*modulespec) {
        NSSUTIL_HANDLE_STRING_ARG(modulespec, *lib, "library=", ;)
        NSSUTIL_HANDLE_STRING_ARG(modulespec, *mod, "name=", ;)
        NSSUTIL_HANDLE_STRING_ARG(modulespec, *parameters, "parameters=", ;)
        NSSUTIL_HANDLE_STRING_ARG(modulespec, *nss, "nss=", ;)
        NSSUTIL_HANDLE_STRING_ARG(modulespec, *config, "config=", ;)
        NSSUTIL_HANDLE_FINAL_ARG(modulespec)
    }
    return SECSuccess;
}

/************************************************************************
 * Parse Full module specs into: library, commonName, module parameters,
 * and NSS specifi parameters.
 */
SECStatus
NSSUTIL_ArgParseModuleSpec(const char *modulespec, char **lib, char **mod,
                           char **parameters, char **nss)
{
    int next;
    modulespec = NSSUTIL_ArgStrip(modulespec);

    *lib = *mod = *parameters = *nss = 0;

    while (*modulespec) {
        NSSUTIL_HANDLE_STRING_ARG(modulespec, *lib, "library=", ;)
        NSSUTIL_HANDLE_STRING_ARG(modulespec, *mod, "name=", ;)
        NSSUTIL_HANDLE_STRING_ARG(modulespec, *parameters, "parameters=", ;)
        NSSUTIL_HANDLE_STRING_ARG(modulespec, *nss, "nss=", ;)
        NSSUTIL_HANDLE_FINAL_ARG(modulespec)
    }
    return SECSuccess;
}

/************************************************************************
 * make a new module spec from it's components */
char *
NSSUTIL_MkModuleSpecEx(char *dllName, char *commonName, char *parameters,
                       char *NSS,
                       char *config)
{
    char *moduleSpec;
    char *lib, *name, *param, *nss, *conf;

    /*
     * now the final spec
     */
    lib = nssutil_formatPair("library", dllName, '\"');
    name = nssutil_formatPair("name", commonName, '\"');
    param = nssutil_formatPair("parameters", parameters, '\"');
    nss = nssutil_formatPair("NSS", NSS, '\"');
    if (config) {
        conf = nssutil_formatPair("config", config, '\"');
        moduleSpec = PR_smprintf("%s %s %s %s %s", lib, name, param, nss, conf);
        nssutil_freePair(conf);
    } else {
        moduleSpec = PR_smprintf("%s %s %s %s", lib, name, param, nss);
    }
    nssutil_freePair(lib);
    nssutil_freePair(name);
    nssutil_freePair(param);
    nssutil_freePair(nss);
    return (moduleSpec);
}

/************************************************************************
 * make a new module spec from it's components */
char *
NSSUTIL_MkModuleSpec(char *dllName, char *commonName, char *parameters,
                     char *NSS)
{
    return NSSUTIL_MkModuleSpecEx(dllName, commonName, parameters, NSS, NULL);
}

/************************************************************************
 * add a single flag to the Flags= section inside the spec's NSS= section */
char *
NSSUTIL_AddNSSFlagToModuleSpec(char *spec, char *addFlag)
{
    const char *prefix = "flags=";
    const size_t prefixLen = strlen(prefix);
    char *lib = NULL, *name = NULL, *param = NULL, *nss = NULL, *conf = NULL;
    char *nss2 = NULL, *result = NULL;
    SECStatus rv;

    rv = NSSUTIL_ArgParseModuleSpecEx(spec, &lib, &name, &param, &nss, &conf);
    if (rv != SECSuccess) {
        return NULL;
    }

    if (nss && NSSUTIL_ArgHasFlag("flags", addFlag, nss)) {
        /* It's already there, nothing to do! */
        PORT_Free(lib);
        PORT_Free(name);
        PORT_Free(param);
        PORT_Free(nss);
        PORT_Free(conf);
        return PORT_Strdup(spec);
    }

    if (!nss || !strlen(nss)) {
        nss2 = PORT_Alloc(prefixLen + strlen(addFlag) + 1);
        PORT_Strcpy(nss2, prefix);
        PORT_Strcat(nss2, addFlag);
    } else {
        const char *iNss = nss;
        PRBool alreadyAdded = PR_FALSE;
        size_t maxSize = strlen(nss) + strlen(addFlag) + prefixLen + 2; /* space and null terminator */
        nss2 = PORT_Alloc(maxSize);
        *nss2 = 0;
        while (*iNss) {
            iNss = NSSUTIL_ArgStrip(iNss);
            if (PORT_Strncasecmp(iNss, prefix, prefixLen) == 0) {
                /* We found an existing Flags= section. */
                char *oldFlags;
                const char *valPtr;
                int valSize;
                valPtr = iNss + prefixLen;
                oldFlags = NSSUTIL_ArgFetchValue(valPtr, &valSize);
                iNss = valPtr + valSize;
                PORT_Strcat(nss2, prefix);
                PORT_Strcat(nss2, oldFlags);
                PORT_Strcat(nss2, ",");
                PORT_Strcat(nss2, addFlag);
                PORT_Strcat(nss2, " ");
                PORT_Free(oldFlags);
                alreadyAdded = PR_TRUE;
                iNss = NSSUTIL_ArgStrip(iNss);
                PORT_Strcat(nss2, iNss); /* remainder of input */
                break;
            } else {
                /* Append this other name=value pair and continue. */
                const char *startOfNext = NSSUTIL_ArgSkipParameter(iNss);
                PORT_Strncat(nss2, iNss, (startOfNext - iNss));
                if (nss2[strlen(nss2) - 1] != ' ') {
                    PORT_Strcat(nss2, " ");
                }
                iNss = startOfNext;
            }
            iNss = NSSUTIL_ArgStrip(iNss);
        }
        if (!alreadyAdded) {
            /* nss wasn't empty, and it didn't contain a Flags section. We can
             * assume that other content from nss has already been added to
             * nss2, which means we already have a trailing space separator. */
            PORT_Strcat(nss2, prefix);
            PORT_Strcat(nss2, addFlag);
        }
    }

    result = NSSUTIL_MkModuleSpecEx(lib, name, param, nss2, conf);
    PORT_Free(lib);
    PORT_Free(name);
    PORT_Free(param);
    PORT_Free(nss);
    PORT_Free(nss2);
    PORT_Free(conf);
    return result;
}

#define NSSUTIL_ARG_FORTEZZA_FLAG "FORTEZZA"
/******************************************************************************
 * Parse the cipher flags from the NSS parameter
 */
void
NSSUTIL_ArgParseCipherFlags(unsigned long *newCiphers, const char *cipherList)
{
    newCiphers[0] = newCiphers[1] = 0;
    if ((cipherList == NULL) || (*cipherList == 0))
        return;

    for (; *cipherList; cipherList = NSSUTIL_ArgNextFlag(cipherList)) {
        if (PORT_Strncasecmp(cipherList, NSSUTIL_ARG_FORTEZZA_FLAG,
                             sizeof(NSSUTIL_ARG_FORTEZZA_FLAG) - 1) == 0) {
            newCiphers[0] |= SECMOD_FORTEZZA_FLAG;
        }

        /* add additional flags here as necessary */
        /* direct bit mapping escape */
        if (*cipherList == 0) {
            if (cipherList[1] == 'l') {
                newCiphers[1] |= atoi(&cipherList[2]);
            } else {
                newCiphers[0] |= atoi(&cipherList[2]);
            }
        }
    }
}

/*********************************************************************
 * make NSS parameter...
 */
/* First make NSS specific flags */
#define MAX_FLAG_SIZE sizeof("internal") + sizeof("FIPS") + sizeof("moduleDB") + \
                          sizeof("moduleDBOnly") + sizeof("critical")
static char *
nssutil_mkNSSFlags(PRBool internal, PRBool isFIPS,
                   PRBool isModuleDB, PRBool isModuleDBOnly, PRBool isCritical)
{
    char *flags = (char *)PORT_ZAlloc(MAX_FLAG_SIZE);
    PRBool first = PR_TRUE;

    PORT_Memset(flags, 0, MAX_FLAG_SIZE);
    if (internal) {
        PORT_Strcat(flags, "internal");
        first = PR_FALSE;
    }
    if (isFIPS) {
        if (!first)
            PORT_Strcat(flags, ",");
        PORT_Strcat(flags, "FIPS");
        first = PR_FALSE;
    }
    if (isModuleDB) {
        if (!first)
            PORT_Strcat(flags, ",");
        PORT_Strcat(flags, "moduleDB");
        first = PR_FALSE;
    }
    if (isModuleDBOnly) {
        if (!first)
            PORT_Strcat(flags, ",");
        PORT_Strcat(flags, "moduleDBOnly");
        first = PR_FALSE;
    }
    if (isCritical) {
        if (!first)
            PORT_Strcat(flags, ",");
        PORT_Strcat(flags, "critical");
    }
    return flags;
}

/* construct the NSS cipher flags */
static char *
nssutil_mkCipherFlags(unsigned long ssl0, unsigned long ssl1)
{
    char *cipher = NULL;
    unsigned int i;

    for (i = 0; i < sizeof(ssl0) * 8; i++) {
        if (ssl0 & (1UL << i)) {
            char *string;
            if ((1UL << i) == SECMOD_FORTEZZA_FLAG) {
                string = PR_smprintf("%s", NSSUTIL_ARG_FORTEZZA_FLAG);
            } else {
                string = PR_smprintf("0h0x%08lx", 1UL << i);
            }
            if (cipher) {
                char *tmp;
                tmp = PR_smprintf("%s,%s", cipher, string);
                PR_smprintf_free(cipher);
                PR_smprintf_free(string);
                cipher = tmp;
            } else {
                cipher = string;
            }
        }
    }
    for (i = 0; i < sizeof(ssl0) * 8; i++) {
        if (ssl1 & (1UL << i)) {
            if (cipher) {
                char *tmp;
                tmp = PR_smprintf("%s,0l0x%08lx", cipher, 1UL << i);
                PR_smprintf_free(cipher);
                cipher = tmp;
            } else {
                cipher = PR_smprintf("0l0x%08lx", 1UL << i);
            }
        }
    }

    return cipher;
}

/* Assemble a full NSS string. */
char *
NSSUTIL_MkNSSString(char **slotStrings, int slotCount, PRBool internal,
                    PRBool isFIPS, PRBool isModuleDB, PRBool isModuleDBOnly,
                    PRBool isCritical, unsigned long trustOrder,
                    unsigned long cipherOrder, unsigned long ssl0, unsigned long ssl1)
{
    int slotLen, i;
    char *slotParams, *ciphers, *nss, *nssFlags;
    const char *tmp;
    char *trustOrderPair, *cipherOrderPair, *slotPair, *cipherPair, *flagPair;

    /* now let's build up the string
     * first the slot infos
     */
    slotLen = 0;
    for (i = 0; i < (int)slotCount; i++) {
        slotLen += PORT_Strlen(slotStrings[i]) + 1;
    }
    slotLen += 1; /* space for the final NULL */

    slotParams = (char *)PORT_ZAlloc(slotLen);
    PORT_Memset(slotParams, 0, slotLen);
    for (i = 0; i < (int)slotCount; i++) {
        PORT_Strcat(slotParams, slotStrings[i]);
        PORT_Strcat(slotParams, " ");
        PR_smprintf_free(slotStrings[i]);
        slotStrings[i] = NULL;
    }

    /*
     * now the NSS structure
     */
    nssFlags = nssutil_mkNSSFlags(internal, isFIPS, isModuleDB, isModuleDBOnly,
                                  isCritical);
    /* for now only the internal module is critical */
    ciphers = nssutil_mkCipherFlags(ssl0, ssl1);

    trustOrderPair = nssutil_formatIntPair("trustOrder", trustOrder,
                                           NSSUTIL_DEFAULT_TRUST_ORDER);
    cipherOrderPair = nssutil_formatIntPair("cipherOrder", cipherOrder,
                                            NSSUTIL_DEFAULT_CIPHER_ORDER);
    slotPair = nssutil_formatPair("slotParams", slotParams, '{'); /* } */
    if (slotParams)
        PORT_Free(slotParams);
    cipherPair = nssutil_formatPair("ciphers", ciphers, '\'');
    if (ciphers)
        PR_smprintf_free(ciphers);
    flagPair = nssutil_formatPair("Flags", nssFlags, '\'');
    if (nssFlags)
        PORT_Free(nssFlags);
    nss = PR_smprintf("%s %s %s %s %s", trustOrderPair,
                      cipherOrderPair, slotPair, cipherPair, flagPair);
    nssutil_freePair(trustOrderPair);
    nssutil_freePair(cipherOrderPair);
    nssutil_freePair(slotPair);
    nssutil_freePair(cipherPair);
    nssutil_freePair(flagPair);
    tmp = NSSUTIL_ArgStrip(nss);
    if (*tmp == '\0') {
        PR_smprintf_free(nss);
        nss = NULL;
    }
    return nss;
}

/*****************************************************************************
 *
 * Private calls for use by softoken and utilmod.c
 */

#define SQLDB "sql:"
#define EXTERNDB "extern:"
#define LEGACY "dbm:"
#define MULTIACCESS "multiaccess:"
#define SECMOD_DB "secmod.db"
const char *
_NSSUTIL_EvaluateConfigDir(const char *configdir,
                           NSSDBType *pdbType, char **appName)
{
    NSSDBType dbType;
    PRBool checkEnvDefaultDB = PR_FALSE;
    *appName = NULL;
    /* force the default */
    dbType = NSS_DB_TYPE_SQL;
    if (configdir == NULL) {
        checkEnvDefaultDB = PR_TRUE;
    } else if (PORT_Strncmp(configdir, MULTIACCESS, sizeof(MULTIACCESS) - 1) == 0) {
        char *cdir;
        dbType = NSS_DB_TYPE_MULTIACCESS;

        *appName = PORT_Strdup(configdir + sizeof(MULTIACCESS) - 1);
        if (*appName == NULL) {
            return configdir;
        }
        cdir = *appName;
        while (*cdir && *cdir != ':') {
            cdir++;
        }
        if (*cdir == ':') {
            *cdir = 0;
            cdir++;
        }
        configdir = cdir;
    } else if (PORT_Strncmp(configdir, SQLDB, sizeof(SQLDB) - 1) == 0) {
        dbType = NSS_DB_TYPE_SQL;
        configdir = configdir + sizeof(SQLDB) - 1;
    } else if (PORT_Strncmp(configdir, EXTERNDB, sizeof(EXTERNDB) - 1) == 0) {
        dbType = NSS_DB_TYPE_EXTERN;
        configdir = configdir + sizeof(EXTERNDB) - 1;
    } else if (PORT_Strncmp(configdir, LEGACY, sizeof(LEGACY) - 1) == 0) {
        dbType = NSS_DB_TYPE_LEGACY;
        configdir = configdir + sizeof(LEGACY) - 1;
    } else {
        checkEnvDefaultDB = PR_TRUE;
    }

    /* look up the default from the environment */
    if (checkEnvDefaultDB) {
        char *defaultType = PR_GetEnvSecure("NSS_DEFAULT_DB_TYPE");
        if (defaultType != NULL) {
            if (PORT_Strncmp(defaultType, SQLDB, sizeof(SQLDB) - 2) == 0) {
                dbType = NSS_DB_TYPE_SQL;
            } else if (PORT_Strncmp(defaultType, EXTERNDB, sizeof(EXTERNDB) - 2) == 0) {
                dbType = NSS_DB_TYPE_EXTERN;
            } else if (PORT_Strncmp(defaultType, LEGACY, sizeof(LEGACY) - 2) == 0) {
                dbType = NSS_DB_TYPE_LEGACY;
            }
        }
    }
    /* if the caller has already set a type, don't change it */
    if (*pdbType == NSS_DB_TYPE_NONE) {
        *pdbType = dbType;
    }
    return configdir;
}

char *
_NSSUTIL_GetSecmodName(const char *param, NSSDBType *dbType, char **appName,
                       char **filename, PRBool *rw)
{
    int next;
    char *configdir = NULL;
    char *secmodName = NULL;
    char *value = NULL;
    const char *save_params = param;
    const char *lconfigdir;
    PRBool noModDB = PR_FALSE;
    param = NSSUTIL_ArgStrip(param);

    while (*param) {
        NSSUTIL_HANDLE_STRING_ARG(param, configdir, "configDir=", ;)
        NSSUTIL_HANDLE_STRING_ARG(param, secmodName, "secmod=", ;)
        NSSUTIL_HANDLE_FINAL_ARG(param)
    }

    *rw = PR_TRUE;
    if (NSSUTIL_ArgHasFlag("flags", "readOnly", save_params)) {
        *rw = PR_FALSE;
    }

    if (!secmodName || *secmodName == '\0') {
        if (secmodName)
            PORT_Free(secmodName);
        secmodName = PORT_Strdup(SECMOD_DB);
    }

    *filename = secmodName;
    lconfigdir = _NSSUTIL_EvaluateConfigDir(configdir, dbType, appName);

    if (NSSUTIL_ArgHasFlag("flags", "noModDB", save_params)) {
        /* there isn't a module db, don't load the legacy support */
        noModDB = PR_TRUE;
        *dbType = NSS_DB_TYPE_SQL;
        PORT_Free(*filename);
        *filename = NULL;
        *rw = PR_FALSE;
    }

    /* only use the renamed secmod for legacy databases */
    if ((*dbType != NSS_DB_TYPE_LEGACY) &&
        (*dbType != NSS_DB_TYPE_MULTIACCESS) &&
        !NSSUTIL_ArgHasFlag("flags", "forceSecmodChoice", save_params)) {
        secmodName = "pkcs11.txt";
    }

    if (noModDB) {
        value = NULL;
    } else if (lconfigdir && lconfigdir[0] != '\0') {
        value = PR_smprintf("%s" NSSUTIL_PATH_SEPARATOR "%s",
                            lconfigdir, secmodName);
    } else {
        value = PR_smprintf("%s", secmodName);
    }
    if (configdir)
        PORT_Free(configdir);
    return value;
}