/* This Source Code Form is subject to the terms of the Mozilla Public

 * License, v. 2.0. If a copy of the MPL was not distributed with this

 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include "nsCertTree.h"

#include "ScopedNSSTypes.h"

#include "mozilla/Logging.h"

#include "nsArray.h"

#include "nsArrayUtils.h"

#include "nsHashKeys.h"

#include "nsISupportsPrimitives.h"

#include "nsIX509CertDB.h"

#include "nsIX509Cert.h"

#include "nsIX509CertValidity.h"

#include "nsNSSCertHelper.h"

#include "nsNSSCertificate.h"

#include "nsNSSCertificateDB.h"

#include "nsNSSHelper.h"

#include "nsReadableUtils.h"

#include "nsTHashtable.h"

#include "nsUnicharUtils.h"

#include "nsXPCOMCID.h"

#include "nsString.h"

#include "nsTreeColumns.h"

#include "pkix/pkixtypes.h"

using namespace mozilla;

extern LazyLogModule gPIPNSSLog;

static NS_DEFINE_CID(kCertOverrideCID, NS_CERTOVERRIDE_CID);

// treeArrayElStr

//

// structure used to hold map of tree.  Each thread (an organization

// field from a cert) has an element in the array.  The numChildren field

// stores the number of certs corresponding to that thread.

struct treeArrayElStr {

  nsString   orgName;     /* heading for thread                   */

  bool       open;        /* toggle open state for thread         */

  int32_t    certIndex;   /* index into cert array for 1st cert   */

  int32_t    numChildren; /* number of chidren (certs) for thread */

};

CompareCacheHashEntryPtr::CompareCacheHashEntryPtr()

{

  entry = new CompareCacheHashEntry;

}

CompareCacheHashEntryPtr::~CompareCacheHashEntryPtr()

{

  delete entry;

}

CompareCacheHashEntry::CompareCacheHashEntry()

  : key(nullptr)

  , mCritInit()

{

  for (int i = 0; i < max_criterions; ++i) {

    mCritInit[i] = false;

    mCrit[i].SetIsVoid(true);

  }

}

static bool

CompareCacheMatchEntry(const PLDHashEntryHdr *hdr, const void *key)

{

  const CompareCacheHashEntryPtr *entryPtr = static_cast<const CompareCacheHashEntryPtr*>(hdr);

  return entryPtr->entry->key == key;

}

static void

CompareCacheInitEntry(PLDHashEntryHdr *hdr, const void *key)

{

  new (hdr) CompareCacheHashEntryPtr();

  CompareCacheHashEntryPtr *entryPtr = static_cast<CompareCacheHashEntryPtr*>(hdr);

  entryPtr->entry->key = (void*)key;

}

static void

CompareCacheClearEntry(PLDHashTable *table, PLDHashEntryHdr *hdr)

{

  CompareCacheHashEntryPtr *entryPtr = static_cast<CompareCacheHashEntryPtr*>(hdr);

  entryPtr->~CompareCacheHashEntryPtr();

}

static const PLDHashTableOps gMapOps = {

  PLDHashTable::HashVoidPtrKeyStub,

  CompareCacheMatchEntry,

  PLDHashTable::MoveEntryStub,

  CompareCacheClearEntry,

  CompareCacheInitEntry

};

NS_IMPL_ISUPPORTS0(nsCertAddonInfo)

NS_IMPL_ISUPPORTS(nsCertTreeDispInfo, nsICertTreeItem)

nsCertTreeDispInfo::nsCertTreeDispInfo()

  : mAddonInfo(nullptr)

  , mTypeOfEntry(direct_db)

  , mPort(-1)

  , mOverrideBits(nsCertOverride::OverrideBits::None)

  , mIsTemporary(true)

{

}

nsCertTreeDispInfo::nsCertTreeDispInfo(nsCertTreeDispInfo &other)

{

  mAddonInfo = other.mAddonInfo;

  mTypeOfEntry = other.mTypeOfEntry;

  mAsciiHost = other.mAsciiHost;

  mPort = other.mPort;

  mOverrideBits = other.mOverrideBits;

  mIsTemporary = other.mIsTemporary;

  mCert = other.mCert;

}

nsCertTreeDispInfo::~nsCertTreeDispInfo()

{

}

NS_IMETHODIMP

nsCertTreeDispInfo::GetCert(nsIX509Cert **_cert)

{

  NS_ENSURE_ARG(_cert);

  if (mCert) {

    // we may already have the cert for temporary overrides

    *_cert = mCert;

    NS_IF_ADDREF(*_cert);

    return NS_OK;

  }

  if (mAddonInfo) {

    *_cert = mAddonInfo->mCert.get();

    NS_IF_ADDREF(*_cert);

  }

  else {

    *_cert = nullptr;

  }

  return NS_OK;

}

NS_IMETHODIMP

nsCertTreeDispInfo::GetHostPort(nsAString &aHostPort)

{

  nsAutoCString hostPort;

  nsCertOverrideService::GetHostWithPort(mAsciiHost, mPort, hostPort);

  aHostPort = NS_ConvertUTF8toUTF16(hostPort);

  return NS_OK;

}

NS_IMPL_ISUPPORTS(nsCertTree, nsICertTree, nsITreeView)

nsCertTree::nsCertTree()

  : mTreeArray(nullptr)

  , mNumOrgs(0)

  , mNumRows(0)

  , mCompareCache(&gMapOps, sizeof(CompareCacheHashEntryPtr),

                  kInitialCacheLength)

{

  mOverrideService = do_GetService("@mozilla.org/security/certoverride;1");

  // Might be a different service if someone is overriding the contract

  nsCOMPtr<nsICertOverrideService> origCertOverride =

    do_GetService(kCertOverrideCID);

  mOriginalOverrideService =

    static_cast<nsCertOverrideService*>(origCertOverride.get());

  mCellText = nullptr;

}

void nsCertTree::ClearCompareHash()

{

  mCompareCache.ClearAndPrepareForLength(kInitialCacheLength);

}

nsCertTree::~nsCertTree()

{

  delete [] mTreeArray;

}

void

nsCertTree::FreeCertArray()

{

  mDispInfo.Clear();

}

CompareCacheHashEntry*

nsCertTree::getCacheEntry(void* cache, void* aCert)

{

  PLDHashTable& aCompareCache = *static_cast<PLDHashTable*>(cache);

  auto entryPtr = static_cast<CompareCacheHashEntryPtr*>

                             (aCompareCache.Add(aCert, fallible));

  return entryPtr ? entryPtr->entry : nullptr;

}

void nsCertTree::RemoveCacheEntry(void *key)

{

  mCompareCache.Remove(key);

}

// CountOrganizations

//

// Count the number of different organizations encountered in the cert

// list.

int32_t

nsCertTree::CountOrganizations()

{

  uint32_t i, certCount;

  certCount = mDispInfo.Length();

  if (certCount == 0) return 0;

  nsCOMPtr<nsIX509Cert> orgCert = nullptr;

  nsCertAddonInfo *addonInfo = mDispInfo.ElementAt(0)->mAddonInfo;

  if (addonInfo) {

    orgCert = addonInfo->mCert;

  }

  nsCOMPtr<nsIX509Cert> nextCert = nullptr;

  int32_t orgCount = 1;

  for (i=1; i<certCount; i++) {

    nextCert = nullptr;

    addonInfo = mDispInfo.SafeElementAt(i, nullptr)->mAddonInfo;

    if (addonInfo) {

      nextCert = addonInfo->mCert;

    }

    // XXX we assume issuer org is always criterion 1

    if (CmpBy(&mCompareCache, orgCert, nextCert, sort_IssuerOrg, sort_None, sort_None) != 0) {

      orgCert = nextCert;

      orgCount++;

    }

  }

  return orgCount;

}

// GetThreadDescAtIndex

//

// If the row at index is an organization thread, return the collection

// associated with that thread.  Otherwise, return null.

treeArrayEl *

nsCertTree::GetThreadDescAtIndex(int32_t index)

{

  int i, idx=0;

  if (index < 0) return nullptr;

  for (i=0; i<mNumOrgs; i++) {

    if (index == idx) {

      return &mTreeArray[i];

    }

    if (mTreeArray[i].open) {

      idx += mTreeArray[i].numChildren;

    }

    idx++;

    if (idx > index) break;

  }

  return nullptr;

}

//  GetCertAtIndex

//

//  If the row at index is a cert, return that cert.  Otherwise, return null.

already_AddRefed<nsIX509Cert>

nsCertTree::GetCertAtIndex(int32_t index, int32_t *outAbsoluteCertOffset)

{

  RefPtr<nsCertTreeDispInfo> certdi(

    GetDispInfoAtIndex(index, outAbsoluteCertOffset));

  if (!certdi)

    return nullptr;

  nsCOMPtr<nsIX509Cert> ret;

  if (certdi->mCert) {

    ret = certdi->mCert;

  } else if (certdi->mAddonInfo) {

    ret = certdi->mAddonInfo->mCert;

  }

  return ret.forget();

}

//  If the row at index is a cert, return that cert.  Otherwise, return null.

already_AddRefed<nsCertTreeDispInfo>

nsCertTree::GetDispInfoAtIndex(int32_t index,

                               int32_t *outAbsoluteCertOffset)

{

  int i, idx = 0, cIndex = 0, nc;

  if (index < 0) return nullptr;

  // Loop over the threads

  for (i=0; i<mNumOrgs; i++) {

    if (index == idx) return nullptr; // index is for thread

    idx++; // get past the thread

    nc = (mTreeArray[i].open) ? mTreeArray[i].numChildren : 0;

    if (index < idx + nc) { // cert is within range of this thread

      int32_t certIndex = cIndex + index - idx;

      if (outAbsoluteCertOffset)

        *outAbsoluteCertOffset = certIndex;

      RefPtr<nsCertTreeDispInfo> certdi(mDispInfo.SafeElementAt(certIndex,

                                                                nullptr));

      if (certdi) {

        return certdi.forget();

      }

      break;

    }

    if (mTreeArray[i].open)

      idx += mTreeArray[i].numChildren;

    cIndex += mTreeArray[i].numChildren;

    if (idx > index) break;

  }

  return nullptr;

}

nsCertTree::nsCertCompareFunc

nsCertTree::GetCompareFuncFromCertType(uint32_t aType)

{

  switch (aType) {

    case nsIX509Cert::ANY_CERT:

    case nsIX509Cert::USER_CERT:

      return CmpUserCert;

    case nsIX509Cert::CA_CERT:

      return CmpCACert;

    case nsIX509Cert::EMAIL_CERT:

      return CmpEmailCert;

    case nsIX509Cert::SERVER_CERT:

    default:

      return CmpWebSiteCert;

  }

}

struct nsCertAndArrayAndPositionAndCounterAndTracker

{

  RefPtr<nsCertAddonInfo> certai;

  nsTArray< RefPtr<nsCertTreeDispInfo> > *array;

  int position;

  int counter;

  nsTHashtable<nsCStringHashKey> *tracker;

};

// Used to enumerate host:port overrides that match a stored

// certificate, creates and adds a display-info-object to the

// provided array. Increments insert position and entry counter.

// We remove the given key from the tracker, which is used to

// track entries that have not yet been handled.

// The created display-info references the cert, so make a note

// of that by incrementing the cert usage counter.

static void

MatchingCertOverridesCallback(const nsCertOverride &aSettings,

                              void *aUserData)

{

  nsCertAndArrayAndPositionAndCounterAndTracker *cap =

    (nsCertAndArrayAndPositionAndCounterAndTracker*)aUserData;

  if (!cap)

    return;

  nsCertTreeDispInfo *certdi = new nsCertTreeDispInfo;

  if (certdi) {

    if (cap->certai)

      cap->certai->mUsageCount++;

    certdi->mAddonInfo = cap->certai;

    certdi->mTypeOfEntry = nsCertTreeDispInfo::host_port_override;

    certdi->mAsciiHost = aSettings.mAsciiHost;

    certdi->mPort = aSettings.mPort;

    certdi->mOverrideBits = aSettings.mOverrideBits;

    certdi->mIsTemporary = aSettings.mIsTemporary;

    certdi->mCert = aSettings.mCert;

    cap->array->InsertElementAt(cap->position, certdi);

    cap->position++;

    cap->counter++;

  }

  // this entry is now associated to a displayed cert, remove

  // it from the list of remaining entries

  nsAutoCString hostPort;

  nsCertOverrideService::GetHostWithPort(aSettings.mAsciiHost, aSettings.mPort, hostPort);

  cap->tracker->RemoveEntry(hostPort);

}

// Used to collect a list of the (unique) host:port keys

// for all stored overrides.

static void

CollectAllHostPortOverridesCallback(const nsCertOverride &aSettings,

                                    void *aUserData)

{

  nsTHashtable<nsCStringHashKey> *collectorTable =

    (nsTHashtable<nsCStringHashKey> *)aUserData;

  if (!collectorTable)

    return;

  nsAutoCString hostPort;

  nsCertOverrideService::GetHostWithPort(aSettings.mAsciiHost, aSettings.mPort, hostPort);

  collectorTable->PutEntry(hostPort);

}

struct nsArrayAndPositionAndCounterAndTracker

{

  nsTArray< RefPtr<nsCertTreeDispInfo> > *array;

  int position;

  int counter;

  nsTHashtable<nsCStringHashKey> *tracker;

};

// Used when enumerating the stored host:port overrides where

// no associated certificate was found in the NSS database.

static void

AddRemaningHostPortOverridesCallback(const nsCertOverride &aSettings,

                                     void *aUserData)

{

  nsArrayAndPositionAndCounterAndTracker *cap =

    (nsArrayAndPositionAndCounterAndTracker*)aUserData;

  if (!cap)

    return;

  nsAutoCString hostPort;

  nsCertOverrideService::GetHostWithPort(aSettings.mAsciiHost, aSettings.mPort, hostPort);

  if (!cap->tracker->GetEntry(hostPort))

    return;

  // This entry is not associated to any stored cert,

  // so we still need to display it.

  nsCertTreeDispInfo *certdi = new nsCertTreeDispInfo;

  if (certdi) {

    certdi->mAddonInfo = nullptr;

    certdi->mTypeOfEntry = nsCertTreeDispInfo::host_port_override;

    certdi->mAsciiHost = aSettings.mAsciiHost;

    certdi->mPort = aSettings.mPort;

    certdi->mOverrideBits = aSettings.mOverrideBits;

    certdi->mIsTemporary = aSettings.mIsTemporary;

    certdi->mCert = aSettings.mCert;

    cap->array->InsertElementAt(cap->position, certdi);

    cap->position++;

    cap->counter++;

  }

}

nsresult

nsCertTree::GetCertsByTypeFromCertList(nsIX509CertList* aCertList,

                                       uint32_t aWantedType,

                                       nsCertCompareFunc  aCertCmpFn,

                                       void *aCertCmpFnArg)

{

  MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("GetCertsByTypeFromCertList"));

  if (!aCertList)

    return NS_ERROR_FAILURE;

  if (!mOriginalOverrideService)

    return NS_ERROR_FAILURE;

  nsTHashtable<nsCStringHashKey> allHostPortOverrideKeys;

  if (aWantedType == nsIX509Cert::SERVER_CERT) {

    mOriginalOverrideService->

      EnumerateCertOverrides(nullptr,

                             CollectAllHostPortOverridesCallback,

                             &allHostPortOverrideKeys);

  }

  int count = 0;

  nsCOMPtr<nsISimpleEnumerator> certListEnumerator;

  nsresult rv = aCertList->GetEnumerator(getter_AddRefs(certListEnumerator));

  if (NS_FAILED(rv)) {

    return rv;

  }

  bool hasMore = false;

  rv = certListEnumerator->HasMoreElements(&hasMore);

  if (NS_FAILED(rv)) {

    return rv;

  }

  while (hasMore) {

    nsCOMPtr<nsISupports> certSupports;

    rv = certListEnumerator->GetNext(getter_AddRefs(certSupports));

    if (NS_FAILED(rv)) {

      return rv;

    }

    nsCOMPtr<nsIX509Cert> cert = do_QueryInterface(certSupports);

    if (!cert) {

      return NS_ERROR_FAILURE;

    }

    bool wantThisCert = (aWantedType == nsIX509Cert::ANY_CERT);

    bool wantThisCertIfNoOverrides = false;

    bool wantThisCertIfHaveOverrides = false;

    bool addOverrides = false;

    if (!wantThisCert) {

      uint32_t thisCertType;

      rv = cert->GetCertType(&thisCertType);

      if (NS_FAILED(rv)) {

        return rv;

      }

      // The output from GetCertType is a "guess", which can be wrong.

      // The guess is based on stored trust flags, but for the host:port

      // overrides, we are storing certs without any trust flags associated.

      // So we must check whether the cert really belongs to the

      // server, email or unknown tab. We will lookup the cert in the override

      // list to come to the decision. Unfortunately, the lookup in the

      // override list is quite expensive. Therefore we are using this

      // lengthy if/else statement to minimize

      // the number of override-list-lookups.

      if (aWantedType == nsIX509Cert::SERVER_CERT &&

          thisCertType == nsIX509Cert::UNKNOWN_CERT) {

        // This unknown cert was stored without trust

        // Are there host:port based overrides stored?

        // If yes, display them.

        addOverrides = true;

      } else if (aWantedType == nsIX509Cert::SERVER_CERT &&

                 thisCertType == nsIX509Cert::SERVER_CERT) {

        // This server cert is explicitly marked as a web site peer,

        // with or without trust, but editable, so show it

        wantThisCert = true;

        // Are there host:port based overrides stored?

        // If yes, display them.

        addOverrides = true;

      } else if (aWantedType == nsIX509Cert::SERVER_CERT &&

                 thisCertType == nsIX509Cert::EMAIL_CERT) {

        // This cert might have been categorized as an email cert

        // because it carries an email address. But is it really one?

        // Our cert categorization is uncertain when it comes to

        // distinguish between email certs and web site certs.

        // So, let's see if we have an override for that cert

        // and if there is, conclude it's really a web site cert.

        addOverrides = true;

      } else if (aWantedType == nsIX509Cert::EMAIL_CERT &&

                 thisCertType == nsIX509Cert::EMAIL_CERT) {

        // This cert might have been categorized as an email cert

        // because it carries an email address. But is it really one?

        // Our cert categorization is uncertain when it comes to

        // distinguish between email certs and web site certs.

        // So, let's see if we have an override for that cert

        // and if there is, conclude it's really a web site cert.

        wantThisCertIfNoOverrides = true;

      } else if (thisCertType == aWantedType) {

        wantThisCert = true;

      }

    }

    if (wantThisCertIfNoOverrides || wantThisCertIfHaveOverrides) {

      uint32_t ocount = 0;

      nsresult rv =

        mOverrideService->IsCertUsedForOverrides(cert,

                                                 true, // we want temporaries

                                                 true, // we want permanents

                                                 &ocount);

      if (wantThisCertIfNoOverrides) {

        if (NS_FAILED(rv) || ocount == 0) {

          // no overrides for this cert

          wantThisCert = true;

        }

      }

      if (wantThisCertIfHaveOverrides) {

        if (NS_SUCCEEDED(rv) && ocount > 0) {

          // there are overrides for this cert

          wantThisCert = true;

        }

      }

    }

    RefPtr<nsCertAddonInfo> certai(new nsCertAddonInfo);

    certai->mCert = cert;

    certai->mUsageCount = 0;

    if (wantThisCert || addOverrides) {

      int InsertPosition = 0;

      for (; InsertPosition < count; ++InsertPosition) {

        nsCOMPtr<nsIX509Cert> otherCert = nullptr;

        RefPtr<nsCertTreeDispInfo> elem(

          mDispInfo.SafeElementAt(InsertPosition, nullptr));

        if (elem && elem->mAddonInfo) {

          otherCert = elem->mAddonInfo->mCert;

        }

        if ((*aCertCmpFn)(aCertCmpFnArg, cert, otherCert) < 0) {

          break;

        }

      }

      if (wantThisCert) {

        nsCertTreeDispInfo *certdi = new nsCertTreeDispInfo;

        certdi->mAddonInfo = certai;

        certai->mUsageCount++;

        certdi->mTypeOfEntry = nsCertTreeDispInfo::direct_db;

        // not necessary: certdi->mAsciiHost.Clear(); certdi->mPort = -1;

        certdi->mOverrideBits = nsCertOverride::OverrideBits::None;

        certdi->mIsTemporary = false;

        mDispInfo.InsertElementAt(InsertPosition, certdi);

        ++count;

        ++InsertPosition;

      }

      if (addOverrides) {

        nsCertAndArrayAndPositionAndCounterAndTracker cap;

        cap.certai = certai;

        cap.array = &mDispInfo;

        cap.position = InsertPosition;

        cap.counter = 0;

        cap.tracker = &allHostPortOverrideKeys;

        mOriginalOverrideService->

          EnumerateCertOverrides(cert, MatchingCertOverridesCallback, &cap);

        count += cap.counter;

      }

    }

    rv = certListEnumerator->HasMoreElements(&hasMore);

    if (NS_FAILED(rv)) {

      return rv;

    }

  }

  if (aWantedType == nsIX509Cert::SERVER_CERT) {

    nsArrayAndPositionAndCounterAndTracker cap;

    cap.array = &mDispInfo;

    cap.position = 0;

    cap.counter = 0;

    cap.tracker = &allHostPortOverrideKeys;

    mOriginalOverrideService->

      EnumerateCertOverrides(nullptr, AddRemaningHostPortOverridesCallback, &cap);

  }

  return NS_OK;

}

// LoadCerts

//

// Load all of the certificates in the DB for this type.  Sort them

// by token, organization, then common name.

NS_IMETHODIMP

nsCertTree::LoadCertsFromCache(nsIX509CertList *aCache, uint32_t aType)

{

  if (mTreeArray) {

    FreeCertArray();

    delete [] mTreeArray;

    mTreeArray = nullptr;

    mNumRows = 0;

  }

  ClearCompareHash();

  nsresult rv = GetCertsByTypeFromCertList(aCache, aType,

                                           GetCompareFuncFromCertType(aType),

                                           &mCompareCache);

  if (NS_FAILED(rv)) {

    return rv;

  }

  return UpdateUIContents();

}

NS_IMETHODIMP

nsCertTree::LoadCerts(uint32_t aType)

{

  if (mTreeArray) {

    FreeCertArray();

    delete [] mTreeArray;

    mTreeArray = nullptr;

    mNumRows = 0;

  }

  ClearCompareHash();

  nsCOMPtr<nsIX509CertDB> certdb(do_GetService(NS_X509CERTDB_CONTRACTID));

  nsCOMPtr<nsIX509CertList> certList;

  nsresult rv = certdb->GetCerts(getter_AddRefs(certList));

  if (NS_FAILED(rv)) {

    return rv;

  }

  rv = GetCertsByTypeFromCertList(certList, aType,

                                  GetCompareFuncFromCertType(aType),

                                  &mCompareCache);

  if (NS_FAILED(rv)) {

    return rv;

  }

  return UpdateUIContents();

}

nsresult

nsCertTree::UpdateUIContents()

{

  uint32_t count = mDispInfo.Length();

  mNumOrgs = CountOrganizations();

  mTreeArray = new treeArrayEl[mNumOrgs];

  mCellText = nsArrayBase::Create();

if (count) {

  uint32_t j = 0;

  nsCOMPtr<nsIX509Cert> orgCert = nullptr;

  nsCertAddonInfo *addonInfo = mDispInfo.ElementAt(j)->mAddonInfo;

  if (addonInfo) {

    orgCert = addonInfo->mCert;

  }

  for (int32_t i=0; i<mNumOrgs; i++) {

    nsString &orgNameRef = mTreeArray[i].orgName;

    if (!orgCert) {

      GetPIPNSSBundleString("CertOrgUnknown", orgNameRef);

    }

    else {

      orgCert->GetIssuerOrganization(orgNameRef);

      if (orgNameRef.IsEmpty())

        orgCert->GetCommonName(orgNameRef);

    }

    mTreeArray[i].open = true;

    mTreeArray[i].certIndex = j;

    mTreeArray[i].numChildren = 1;

    if (++j >= count) break;

    nsCOMPtr<nsIX509Cert> nextCert = nullptr;

    nsCertAddonInfo *addonInfo = mDispInfo.SafeElementAt(j, nullptr)->mAddonInfo;

    if (addonInfo) {

      nextCert = addonInfo->mCert;

    }

    while (0 == CmpBy(&mCompareCache, orgCert, nextCert, sort_IssuerOrg, sort_None, sort_None)) {

      mTreeArray[i].numChildren++;

      if (++j >= count) break;

      nextCert = nullptr;

      addonInfo = mDispInfo.SafeElementAt(j, nullptr)->mAddonInfo;

      if (addonInfo) {

        nextCert = addonInfo->mCert;

      }

    }

    orgCert = nextCert;

  }

}

  if (mTree) {

    mTree->BeginUpdateBatch();

    mTree->RowCountChanged(0, -mNumRows);

  }

  mNumRows = count + mNumOrgs;

  if (mTree)

    mTree->EndUpdateBatch();

  return NS_OK;

}

NS_IMETHODIMP

nsCertTree::DeleteEntryObject(uint32_t index)

{

  if (!mTreeArray) {

    return NS_ERROR_FAILURE;

  }

  nsCOMPtr<nsIX509CertDB> certdb =

    do_GetService("@mozilla.org/security/x509certdb;1");

  if (!certdb) {

    return NS_ERROR_FAILURE;

  }

  int i;

  uint32_t idx = 0, cIndex = 0, nc;

  // Loop over the threads

  for (i=0; i<mNumOrgs; i++) {

    if (index == idx)

      return NS_OK; // index is for thread

    idx++; // get past the thread

    nc = (mTreeArray[i].open) ? mTreeArray[i].numChildren : 0;

    if (index < idx + nc) { // cert is within range of this thread

      int32_t certIndex = cIndex + index - idx;

      bool canRemoveEntry = false;

      RefPtr<nsCertTreeDispInfo> certdi(mDispInfo.SafeElementAt(certIndex,

                                                                nullptr));

      // We will remove the element from the visual tree.

      // Only if we have a certdi, then we can check for additional actions.

      nsCOMPtr<nsIX509Cert> cert = nullptr;

      if (certdi) {

        if (certdi->mAddonInfo) {

          cert = certdi->mAddonInfo->mCert;

        }

        nsCertAddonInfo* addonInfo =

          certdi->mAddonInfo ? certdi->mAddonInfo.get() : nullptr;

        if (certdi->mTypeOfEntry == nsCertTreeDispInfo::host_port_override) {

          mOverrideService->ClearValidityOverride(certdi->mAsciiHost, certdi->mPort);

          if (addonInfo) {

            addonInfo->mUsageCount--;

            if (addonInfo->mUsageCount == 0) {

              // The certificate stored in the database is no longer

              // referenced by any other object displayed.

              // That means we no longer need to keep it around

              // and really can remove it.

              canRemoveEntry = true;

            }

          }

        }

        else {

          if (addonInfo && addonInfo->mUsageCount > 1) {

            // user is trying to delete a perm trusted cert,

            // although there are still overrides stored,

            // so, we keep the cert, but remove the trust

            UniqueCERTCertificate nsscert(cert->GetCert());

            if (nsscert) {

              CERTCertTrust trust;

              memset((void*)&trust, 0, sizeof(trust));

              SECStatus srv = CERT_DecodeTrustString(&trust, ""); // no override

              if (srv == SECSuccess) {

                ChangeCertTrustWithPossibleAuthentication(nsscert, trust,

                                                          nullptr);

              }

            }

          }

          else {

            canRemoveEntry = true;

          }

        }

      }

      mDispInfo.RemoveElementAt(certIndex);

      if (canRemoveEntry) {

        RemoveCacheEntry(cert);

        certdb->DeleteCertificate(cert);

      }

      delete [] mTreeArray;

      mTreeArray = nullptr;

      return UpdateUIContents();

    }

    if (mTreeArray[i].open)

      idx += mTreeArray[i].numChildren;

    cIndex += mTreeArray[i].numChildren;

    if (idx > index)

      break;

  }

  return NS_ERROR_FAILURE;

}

//////////////////////////////////////////////////////////////////////////////

//

//  Begin nsITreeView methods

//

/////////////////////////////////////////////////////////////////////////////

NS_IMETHODIMP

nsCertTree::GetCert(uint32_t aIndex, nsIX509Cert **_cert)

{

  NS_ENSURE_ARG(_cert);

  *_cert = GetCertAtIndex(aIndex).take();

  return NS_OK;

}

NS_IMETHODIMP

nsCertTree::GetTreeItem(uint32_t aIndex, nsICertTreeItem **_treeitem)

{

  NS_ENSURE_ARG(_treeitem);

  RefPtr<nsCertTreeDispInfo> certdi(GetDispInfoAtIndex(aIndex));

  if (!certdi)

    return NS_ERROR_FAILURE;

  *_treeitem = certdi;

  NS_IF_ADDREF(*_treeitem);

  return NS_OK;

}

NS_IMETHODIMP

nsCertTree::GetRowCount(int32_t *aRowCount)

{

  if (!mTreeArray)

    return NS_ERROR_NOT_INITIALIZED;

  uint32_t count = 0;

  for (int32_t i=0; i<mNumOrgs; i++) {

    if (mTreeArray[i].open) {

      count += mTreeArray[i].numChildren;

    }

    count++;

  }

  *aRowCount = count;

  return NS_OK;

}

NS_IMETHODIMP

nsCertTree::GetSelection(nsITreeSelection * *aSelection)

{

  *aSelection = mSelection;

  NS_IF_ADDREF(*aSelection);

  return NS_OK;

}

NS_IMETHODIMP

nsCertTree::SetSelection(nsITreeSelection * aSelection)

{

  mSelection = aSelection;

  return NS_OK;

}

NS_IMETHODIMP

nsCertTree::GetRowProperties(int32_t index, nsAString& aProps)

{

  return NS_OK;

}

NS_IMETHODIMP

nsCertTree::GetCellProperties(int32_t row, nsTreeColumn* col,

                              nsAString& aProps)

{

  return NS_OK;

}

NS_IMETHODIMP

nsCertTree::GetColumnProperties(nsTreeColumn* col, nsAString& aProps)

{

  return NS_OK;

}