/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
/*
 * Internal PKCS #11 functions. Should only be called by pkcs11.c
 */
#include "pkcs11.h"
#include "lgdb.h"
#include "pcert.h"
#include "lowkeyi.h"

/*
 * remove an object.
 */
CK_RV
lg_DestroyObject(SDB *sdb, CK_OBJECT_HANDLE object_id)
{
    CK_RV crv = CKR_OK;
    SECStatus rv;
    NSSLOWCERTCertificate *cert;
    NSSLOWCERTCertTrust tmptrust;
    PRBool isKrl;
    NSSLOWKEYDBHandle *keyHandle;
    NSSLOWCERTCertDBHandle *certHandle;
    const SECItem *dbKey;

    object_id &= ~LG_TOKEN_MASK;
    dbKey = lg_lookupTokenKeyByHandle(sdb,object_id);
    if (dbKey == NULL) {
	return CKR_OBJECT_HANDLE_INVALID;
    }

    /* remove the objects from the real data base */
    switch (object_id & LG_TOKEN_TYPE_MASK) {
    case LG_TOKEN_TYPE_PRIV:
    case LG_TOKEN_TYPE_KEY:
	/* KEYID is the public KEY for DSA and DH, and the MODULUS for
	 *  RSA */
	keyHandle = lg_getKeyDB(sdb);
	if (!keyHandle) {
	    crv = CKR_TOKEN_WRITE_PROTECTED;
	    break;
	}
	rv = nsslowkey_DeleteKey(keyHandle, dbKey);
	if (rv != SECSuccess) {
	    crv = CKR_DEVICE_ERROR;
	}
	break;
    case LG_TOKEN_TYPE_PUB:
	break; /* public keys only exist at the behest of the priv key */
    case LG_TOKEN_TYPE_CERT:
	certHandle = lg_getCertDB(sdb);
	if (!certHandle) {
	    crv = CKR_TOKEN_WRITE_PROTECTED;
	    break;
	}
	cert = nsslowcert_FindCertByKey(certHandle,dbKey);
	if (cert == NULL) {
	    crv = CKR_DEVICE_ERROR;
	    break;
	}
	rv = nsslowcert_DeletePermCertificate(cert);
	if (rv != SECSuccess) {
	    crv = CKR_DEVICE_ERROR;
	}
	nsslowcert_DestroyCertificate(cert);
	break;
    case LG_TOKEN_TYPE_CRL:
	certHandle = lg_getCertDB(sdb);
	if (!certHandle) {
	    crv = CKR_TOKEN_WRITE_PROTECTED;
	    break;
	}
	isKrl = (PRBool) (object_id == LG_TOKEN_KRL_HANDLE);
	rv = nsslowcert_DeletePermCRL(certHandle, dbKey, isKrl);
	if (rv == SECFailure) crv = CKR_DEVICE_ERROR;
	break;
    case LG_TOKEN_TYPE_TRUST:
	certHandle = lg_getCertDB(sdb);
	if (!certHandle) {
	    crv = CKR_TOKEN_WRITE_PROTECTED;
	    break;
	}
	cert = nsslowcert_FindCertByKey(certHandle, dbKey);
	if (cert == NULL) {
	    crv = CKR_DEVICE_ERROR;
	    break;
	}
	tmptrust = *cert->trust;
	tmptrust.sslFlags &= CERTDB_PRESERVE_TRUST_BITS;
	tmptrust.emailFlags &= CERTDB_PRESERVE_TRUST_BITS;
	tmptrust.objectSigningFlags &= CERTDB_PRESERVE_TRUST_BITS;
	tmptrust.sslFlags |= CERTDB_TRUSTED_UNKNOWN;
	tmptrust.emailFlags |= CERTDB_TRUSTED_UNKNOWN;
	tmptrust.objectSigningFlags |= CERTDB_TRUSTED_UNKNOWN;
	rv = nsslowcert_ChangeCertTrust(certHandle, cert, &tmptrust);
	if (rv != SECSuccess) crv = CKR_DEVICE_ERROR;
	nsslowcert_DestroyCertificate(cert);
	break;
    default:
	break;
    }
    lg_DBLock(sdb);
    lg_deleteTokenKeyByHandle(sdb,object_id);
    lg_DBUnlock(sdb);

    return crv;
}