qca/tools/qcatool/main.cpp

/*
 * Copyright (C) 2005-2007  Justin Karneges <justin@affinix.com>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
 *
 */

#include <QtCrypto>

#include <QCoreApplication>
#include <QDebug>
#include <QFile>
#include <QFileInfo>
#include <QTextStream>
#include <QTimer>
#include <QDir>

#ifdef QT_STATICPLUGIN
#include "import_plugins.h"
#endif

const char *const APPNAME = "qcatool";
const char *const EXENAME = "qcatool";
const char *const VERSION = QCA_VERSION_STR;

static QStringList wrapstring(const QString &str, int width)
{
	QStringList out;
	QString simp = str.simplified();
	QString rest = simp;
	while(true)
	{
		int lastSpace = -1;
		int n;
		for(n = 0; n < rest.length(); ++n)
		{
			if(rest[n].isSpace())
				lastSpace = n;
			if(n == width)
				break;
		}
		if(n == rest.length())
		{
			out += rest;
			break;
		}

		QString line;
		if(lastSpace != -1)
		{
			line = rest.mid(0, lastSpace);
			rest = rest.mid(lastSpace + 1);
		}
		else
		{
			line = rest.mid(0, n);
			rest = rest.mid(n);
		}
		out += line;
	}
	return out;
}

class StreamLogger : public QCA::AbstractLogDevice
{
    Q_OBJECT
public:
	StreamLogger(QTextStream &stream) : QCA::AbstractLogDevice( QStringLiteral("Stream logger") ), _stream(stream)
	{
		QCA::logger()->registerLogDevice (this);
	}

	~StreamLogger() override
	{
		QCA::logger()->unregisterLogDevice (name ());
	}

	void logTextMessage( const QString &message, enum QCA::Logger::Severity severity ) override
	{
		_stream << now () << " " << severityName (severity) << " " << message << endl;
	}

	void logBinaryMessage( const QByteArray &blob, enum QCA::Logger::Severity severity ) override
	{
		Q_UNUSED(blob);
		_stream << now () << " " << severityName (severity) << " " << "Binary blob not implemented yet" << endl;
	}

private:
	inline const char *severityName( enum QCA::Logger::Severity severity )
	{
		if (severity <= QCA::Logger::Debug) {
			return s_severityNames[severity];
		}
		else {
			return s_severityNames[QCA::Logger::Debug+1];
		}
	}

	inline QString now() {
		static QString format = QStringLiteral("yyyy-MM-dd hh:mm:ss");
		return QDateTime::currentDateTime ().toString (format);
	}

private:
	static const char *s_severityNames[];
	QTextStream &_stream;
};

const char *StreamLogger::s_severityNames[] = {
	"Q",
	"M",
	"A",
	"C",
	"E",
	"W",
	"N",
	"I",
	"D",
	"U"
};

static void output_plugin_diagnostic_text()
{
	QString str = QCA::pluginDiagnosticText();
	QCA::clearPluginDiagnosticText();
	if(str[str.length()-1] == QLatin1Char('\n'))
		str.truncate(str.length()-1);
	const QStringList lines = str.split(QLatin1Char('\n'), QString::KeepEmptyParts);
	for(int n = 0; n < lines.count(); ++n)
		fprintf(stderr, "plugin: %s\n", qPrintable(lines[n]));
}

static void output_keystore_diagnostic_text()
{
	QString str = QCA::KeyStoreManager::diagnosticText();
	QCA::KeyStoreManager::clearDiagnosticText();
	if(str[str.length()-1] == QLatin1Char('\n'))
		str.truncate(str.length()-1);
	const QStringList lines = str.split(QLatin1Char('\n'), QString::KeepEmptyParts);
	for(int n = 0; n < lines.count(); ++n)
		fprintf(stderr, "keystore: %s\n", qPrintable(lines[n]));
}

static void output_message_diagnostic_text(QCA::SecureMessage *msg)
{
	QString str = msg->diagnosticText();
	if(str[str.length()-1] == QLatin1Char('\n'))
		str.truncate(str.length()-1);
	const QStringList lines = str.split(QLatin1Char('\n'), QString::KeepEmptyParts);
	for(int n = 0; n < lines.count(); ++n)
		fprintf(stderr, "message: %s\n", qPrintable(lines[n]));
}

class AnimatedKeyGen : public QObject
{
	Q_OBJECT
public:
	static QCA::PrivateKey makeKey(QCA::PKey::Type type, int bits, QCA::DLGroupSet set)
	{
		AnimatedKeyGen kg;
		kg.type = type;
		kg.bits = bits;
		kg.set = set;
		QEventLoop eventLoop;
		kg.eventLoop = &eventLoop;
		QTimer::singleShot(0, &kg, &AnimatedKeyGen::start);
		eventLoop.exec();
		QCA::PrivateKey key = kg.key;
		return key;
	}

private:
	QCA::PKey::Type type;
	int bits;
	QCA::DLGroupSet set;
	QEventLoop *eventLoop;
	QCA::KeyGenerator gen;
	QCA::DLGroup group;
	QCA::PrivateKey key;
	QTimer t;
	int x;

	AnimatedKeyGen()
	{
		gen.setBlockingEnabled(false);
		connect(&gen, &QCA::KeyGenerator::finished, this, &AnimatedKeyGen::gen_finished);
		connect(&t, &QTimer::timeout, this, &AnimatedKeyGen::t_timeout);
	}

private Q_SLOTS:
	void start()
	{
		printf("Generating Key ...  ");
		fflush(stdout);
		x = 0;
		t.start(125);

		if(type == QCA::PKey::RSA)
			gen.createRSA(bits);
		else
			gen.createDLGroup(set);
	}

	void gen_finished()
	{
		if(type == QCA::PKey::DSA || type == QCA::PKey::DH)
		{
			if(group.isNull())
			{
				group = gen.dlGroup();

				if(type == QCA::PKey::DSA)
					gen.createDSA(group);
				else
					gen.createDH(group);
				return;
			}
		}

		key = gen.key();

		printf("\b");
		if(!key.isNull())
			printf("Done\n");
		else
			printf("Error\n");

		eventLoop->exit();
	}

	void t_timeout()
	{
		if(x == 0)
			printf("\b/");
		else if(x == 1)
			printf("\b-");
		else if(x == 2)
			printf("\b\\");
		else if(x == 3)
			printf("\b|");
		fflush(stdout);

		++x;
		x %= 4;
	}
};

class KeyStoreMonitor : public QObject
{
	Q_OBJECT
public:
	static void monitor()
	{
		KeyStoreMonitor monitor;
		QEventLoop eventLoop;
		monitor.eventLoop = &eventLoop;
		QTimer::singleShot(0, &monitor, &KeyStoreMonitor::start);
		eventLoop.exec();
	}

private:
	QEventLoop *eventLoop;
	QCA::KeyStoreManager *ksm;
	QList<QCA::KeyStore*> keyStores;
	QCA::ConsolePrompt *prompt;

private Q_SLOTS:
	void start()
	{
		// user can quit the monitoring by pressing enter
		printf("Monitoring keystores, press 'q' to quit.\n");
		prompt = new QCA::ConsolePrompt(this);
		connect(prompt, &QCA::ConsolePrompt::finished, this, &KeyStoreMonitor::prompt_finished);
		prompt->getChar();

		// kick off the subsystem
		QCA::KeyStoreManager::start();

		// setup keystore manager for monitoring
		ksm = new QCA::KeyStoreManager(this);
		connect(ksm, &QCA::KeyStoreManager::keyStoreAvailable, this, &KeyStoreMonitor::ks_available);
		foreach(const QString &keyStoreId, ksm->keyStores())
			ks_available(keyStoreId);
	}

	void ks_available(const QString &keyStoreId)
	{
		QCA::KeyStore *ks = new QCA::KeyStore(keyStoreId, ksm);
		connect(ks, &QCA::KeyStore::updated, this, &KeyStoreMonitor::ks_updated);
		connect(ks, &QCA::KeyStore::unavailable, this, &KeyStoreMonitor::ks_unavailable);
		keyStores += ks;

		printf("  available:   %s\n", qPrintable(ks->name()));
	}

	void ks_updated()
	{
		QCA::KeyStore *ks = (QCA::KeyStore *)sender();

		printf("  updated:     %s\n", qPrintable(ks->name()));
	}

	void ks_unavailable()
	{
		QCA::KeyStore *ks = (QCA::KeyStore *)sender();

		printf("  unavailable: %s\n", qPrintable(ks->name()));
		keyStores.removeAll(ks);
		delete ks;
	}

	void prompt_finished()
	{
		QChar c = prompt->resultChar();
		if(c == QLatin1Char('q') || c == QLatin1Char('Q'))
		{
			eventLoop->exit();
			return;
		}
		prompt->getChar();
	}
};

class PassphrasePrompt : public QObject
{
	Q_OBJECT
public:
	class Item
	{
	public:
		QString promptStr;
		int id;
		QCA::Event event;
	};

	QCA::EventHandler handler;
	bool allowPrompt;
	bool warned;
	bool have_pass;
	bool used_pass;
	QCA::SecureArray pass;
	QCA::ConsolePrompt *prompt;
	int prompt_id;
	QCA::Event prompt_event;
	QList<Item> pending;
	bool auto_accept;

	QCA::KeyStoreManager ksm;
	QList<QCA::KeyStore*> keyStores;

	PassphrasePrompt() : handler(this), ksm(this)
	{
		allowPrompt = true;
		warned = false;
		have_pass = false;
		auto_accept = false;

		prompt = nullptr;

		connect(&handler, &QCA::EventHandler::eventReady, this, &PassphrasePrompt::ph_eventReady);
		handler.start();

		connect(&ksm, &QCA::KeyStoreManager::keyStoreAvailable, this, &PassphrasePrompt::ks_available);
		foreach(const QString &keyStoreId, ksm.keyStores())
			ks_available(keyStoreId);
	}

	~PassphrasePrompt() override
	{
		qDeleteAll(keyStores);

		if(prompt)
		{
			handler.reject(prompt_id);
			delete prompt;
		}

		while(!pending.isEmpty())
			handler.reject(pending.takeFirst().id);
	}

	void setExplicitPassword(const QCA::SecureArray &_pass)
	{
		have_pass = true;
		used_pass = false;
		pass = _pass;
	}

private Q_SLOTS:
	void ph_eventReady(int id, const QCA::Event &e)
	{
		if(have_pass)
		{
			// only allow using an explicit passphrase once
			if(used_pass)
			{
				handler.reject(id);
				return;
			}
			used_pass = true;
			handler.submitPassword(id, pass);
			return;
		}

		if(!allowPrompt)
		{
			if(!have_pass && !warned)
			{
				warned = true;
				fprintf(stderr, "Error: no passphrase specified (use '--pass=' for none).\n");
			}

			handler.reject(id);
			return;
		}

		if(e.type() == QCA::Event::Password)
		{
			QString type = QStringLiteral("password");
			if(e.passwordStyle() == QCA::Event::StylePassphrase)
				type = QStringLiteral("passphrase");
			else if(e.passwordStyle() == QCA::Event::StylePIN)
				type = QStringLiteral("PIN");

			QString str;
			if(e.source() == QCA::Event::KeyStore)
			{
				QString name;
				QCA::KeyStoreEntry entry = e.keyStoreEntry();
				if(!entry.isNull())
				{
					name = entry.name();
				}
				else
				{
					if(e.keyStoreInfo().type() == QCA::KeyStore::SmartCard)
						name = QStringLiteral("the '") + e.keyStoreInfo().name() + QStringLiteral("' token");
					else
						name = e.keyStoreInfo().name();
				}
				str = QStringLiteral("Enter %1 for %2").arg(type, name);
			}
			else if(!e.fileName().isEmpty())
				str = QStringLiteral("Enter %1 for %2").arg(type, e.fileName());
			else
				str = QStringLiteral("Enter %1").arg(type);

			if(!prompt)
			{
				prompt = new QCA::ConsolePrompt(this);
				connect(prompt, &QCA::ConsolePrompt::finished, this, &PassphrasePrompt::prompt_finished);
				prompt_id = id;
				prompt_event = e;
				prompt->getHidden(str);
			}
			else
			{
				Item i;
				i.promptStr = str;
				i.id = id;
				i.event = e;
				pending += i;
			}
		}
		else if(e.type() == QCA::Event::Token)
		{
			// even though we're being prompted for a missing token,
			//   we should still check if the token is present, due to
			//   a possible race between insert and token request.
			bool found = false;

			// token-only
			if(e.keyStoreEntry().isNull())
			{
				foreach(QCA::KeyStore *ks, keyStores)
				{
					if(ks->id() == e.keyStoreInfo().id())
					{
						found = true;
						break;
					}
				}
			}
			// token-entry
			else
			{
				QCA::KeyStoreEntry kse = e.keyStoreEntry();

				QCA::KeyStore *ks = nullptr;
				foreach(QCA::KeyStore *i, keyStores)
				{
					if(i->id() == e.keyStoreInfo().id())
					{
						ks = i;
						break;
					}
				}
				if(ks)
				{
					QList<QCA::KeyStoreEntry> list = ks->entryList();
					foreach(const QCA::KeyStoreEntry &e, list)
					{
						if(e.id() == kse.id() && kse.isAvailable())
						{
							found = true;
							break;
						}
					}
				}
			}
			if(found)
			{
				// auto-accept
				handler.tokenOkay(id);
				return;
			}

			QCA::KeyStoreEntry entry = e.keyStoreEntry();
			QString name;
			if(!entry.isNull())
			{
				name = QStringLiteral("Please make ") + entry.name() + QStringLiteral(" (of ") + entry.storeName() + QStringLiteral(") available");
			}
			else
			{
				name = QStringLiteral("Please insert the '") + e.keyStoreInfo().name() + QStringLiteral("' token");
			}

			QString str = QStringLiteral("%1 and press Enter (or 'q' to cancel) ...").arg(name);

			if(!prompt)
			{
				fprintf(stderr, "%s\n", qPrintable(str));
				prompt = new QCA::ConsolePrompt(this);
                connect(prompt, &QCA::ConsolePrompt::finished, this, &PassphrasePrompt::prompt_finished);
				prompt_id = id;
				prompt_event = e;
				prompt->getChar();
			}
			else
			{
				Item i;
				i.promptStr = str;
				i.id = id;
				i.event = e;
				pending += i;
			}
		}
		else
			handler.reject(id);
	}

	void prompt_finished()
	{
		if(prompt_event.type() == QCA::Event::Password)
		{
			handler.submitPassword(prompt_id, prompt->result());
		}
		else
		{
			if(auto_accept)
			{
				auto_accept = false;
				handler.tokenOkay(prompt_id);
			}
			else
			{
				QChar c = prompt->resultChar();
				if(c == QLatin1Char('\r') || c == QLatin1Char('\n'))
					handler.tokenOkay(prompt_id);
				else if(c == QLatin1Char('q') || c == QLatin1Char('Q'))
					handler.reject(prompt_id);
				else
				{
					// retry
					prompt->getChar();
					return;
				}
			}
		}

		if(!pending.isEmpty())
		{
			Item i = pending.takeFirst();
			prompt_id = i.id;
			prompt_event = i.event;
			if(i.event.type() == QCA::Event::Password)
			{
				prompt->getHidden(i.promptStr);
			}
			else // Token
			{
				fprintf(stderr, "%s\n", qPrintable(i.promptStr));
				prompt->getChar();
			}
		}
		else
		{
			delete prompt;
			prompt = nullptr;
		}
	}

	void ks_available(const QString &keyStoreId)
	{
		QCA::KeyStore *ks = new QCA::KeyStore(keyStoreId, &ksm);
		connect(ks, &QCA::KeyStore::updated, this, &PassphrasePrompt::ks_updated);
		connect(ks, &QCA::KeyStore::unavailable, this, &PassphrasePrompt::ks_unavailable);
		keyStores += ks;
		ks->startAsynchronousMode();

		// are we currently in a token-only prompt?
		if(prompt && prompt_event.type() == QCA::Event::Token && prompt_event.keyStoreEntry().isNull())
		{
			// was the token we're looking for just inserted?
			if(prompt_event.keyStoreInfo().id() == keyStoreId)
			{
				fprintf(stderr, "Token inserted!  Continuing...\n");

				// auto-accept
				auto_accept = true;
				prompt_finished();
			}
		}
	}

	void ks_unavailable()
	{
		QCA::KeyStore *ks = (QCA::KeyStore *)sender();
		keyStores.removeAll(ks);
		delete ks;
	}

	void ks_updated()
	{
		QCA::KeyStore *ks = (QCA::KeyStore *)sender();

		// are we currently in a token-entry prompt?
		if(prompt && prompt_event.type() == QCA::Event::Token && !prompt_event.keyStoreEntry().isNull())
		{
			QCA::KeyStoreEntry kse = prompt_event.keyStoreEntry();

			// was the token of the entry we're looking for updated?
			if(prompt_event.keyStoreInfo().id() == ks->id())
			{
				// is the entry available?
				bool avail = false;
				QList<QCA::KeyStoreEntry> list = ks->entryList();
				foreach(const QCA::KeyStoreEntry &e, list)
				{
					if(e.id() == kse.id())
					{
						avail = kse.isAvailable();
						break;
					}
				}
				if(avail)
				{
					fprintf(stderr, "Entry available!  Continuing...\n");

					// auto-accept
					auto_accept = true;
					prompt_finished();
				}
			}
		}
	}
};

class PassphrasePromptThread : public QCA::SyncThread
{
    Q_OBJECT
public:
	PassphrasePrompt *pp;

	PassphrasePromptThread()
	{
		start();
	}

	~PassphrasePromptThread() override
	{
		stop();
	}

protected:
	void atStart() override
	{
		pp = new PassphrasePrompt;
	}

	void atEnd() override
	{
		delete pp;
	}
};

static bool promptForNewPassphrase(QCA::SecureArray *result)
{
	QCA::ConsolePrompt prompt;
	prompt.getHidden(QStringLiteral("Enter new passphrase"));
	prompt.waitForFinished();
	QCA::SecureArray out = prompt.result();

	prompt.getHidden(QStringLiteral("Confirm new passphrase"));
	prompt.waitForFinished();

	if(prompt.result() != out)
	{
		fprintf(stderr, "Error: confirmation does not match original entry.\n");
		return false;
	}
	*result = out;
	return true;
}

static void ksm_start_and_wait()
{
	// activate the KeyStoreManager and block until ready
	QCA::KeyStoreManager::start();
	{
		QCA::KeyStoreManager ksm;
		ksm.waitForBusyFinished();
	}
}

static QString line_encode(const QString &in)
{
	QString out;
	for(const QChar &c : in)
	{
		if(c == QLatin1Char('\\'))
			out += QStringLiteral("\\\\");
		else if(c == QLatin1Char('\n'))
			out += QStringLiteral("\\n");
		else
			out += c;
	}
	return out;
}

static QString line_decode(const QString &in)
{
	QString out;
	for(int n = 0; n < in.length(); ++n)
	{
		if(in[n] == QLatin1Char('\\'))
		{
			if(n + 1 < in.length())
			{
				if(in[n + 1] == QLatin1Char('\\'))
					out += QLatin1Char('\\');
				else if(in[n + 1] == QLatin1Char('n'))
					out += QLatin1Char('\n');
				++n;
			}
		}
		else
			out += in[n];
	}
	return out;
}

static QString make_ksentry_string(const QString &id)
{
	QString out;
	out += QStringLiteral("QCATOOL_KEYSTOREENTRY_1\n");
	out += line_encode(id) + QLatin1Char('\n');
	return out;
}

/*static bool write_ksentry_file(const QString &id, const QString &fileName)
{
	QFile f(fileName);
	if(!f.open(QFile::WriteOnly | QFile::Truncate))
		return false;
	f.write(make_ksentry_string(id).toUtf8());
	return true;
}*/

static QString read_ksentry_file(const QString &fileName)
{
	QString out;

	QFile f(fileName);
	if(!f.open(QFile::ReadOnly))
		return out;
	QTextStream ts(&f);
	int linenum = 0;
	while(!ts.atEnd())
	{
		QString line = ts.readLine();
		if(linenum == 0)
		{
			if(line != QLatin1String("QCATOOL_KEYSTOREENTRY_1"))
				return out;
		}
		else
		{
			out = line_decode(line);
			break;
		}
		++linenum;
	}
	return out;
}

static bool is_pem_file(const QString &fileName)
{
	QFile f(fileName);
	if(!f.open(QFile::ReadOnly))
		return false;
	QTextStream ts(&f);
	if(!ts.atEnd())
	{
		QString line = ts.readLine();
		if(line.startsWith(QLatin1String("-----BEGIN")))
			return true;
	}
	return false;
}

static QByteArray read_der_file(const QString &fileName)
{
	QFile f(fileName);
	if(!f.open(QFile::ReadOnly))
		return QByteArray();
	return f.readAll();
}

class InfoType
{
public:
	QCA::CertificateInfoType type;
	QString varname;
	QString shortname;
	QString name;
	QString desc;

	InfoType()
	{
	}

	InfoType(const QCA::CertificateInfoType &_type, const QString &_varname, const QString &_shortname, const QString &_name, const QString &_desc)
	:type(_type), varname(_varname), shortname(_shortname), name(_name), desc(_desc)
	{
	}
};

static QList<InfoType> makeInfoTypeList(bool legacyEmail = false)
{
	QList<InfoType> out;
	out += InfoType(QCA::CommonName,             QStringLiteral("CommonName"),             QStringLiteral("CN"),  QStringLiteral("Common Name (CN)"),          QStringLiteral("Full name, domain, anything"));
	out += InfoType(QCA::Email,                  QStringLiteral("Email"),                  QLatin1String(""),     QStringLiteral("Email Address"),             QLatin1String(""));
	if(legacyEmail)
		out += InfoType(QCA::EmailLegacy,            QStringLiteral("EmailLegacy"),            QLatin1String(""),    QStringLiteral("PKCS#9 Email Address"),      QLatin1String(""));
	out += InfoType(QCA::Organization,           QStringLiteral("Organization"),           QStringLiteral("O"),   QStringLiteral("Organization (O)"),          QStringLiteral("Company, group, etc"));
	out += InfoType(QCA::OrganizationalUnit,     QStringLiteral("OrganizationalUnit"),     QStringLiteral("OU"),  QStringLiteral("Organizational Unit (OU)"),  QStringLiteral("Division/branch of organization"));
	out += InfoType(QCA::Locality,               QStringLiteral("Locality"),               QLatin1String(""),     QStringLiteral("Locality (L)"),              QStringLiteral("City, shire, part of a state"));
	out += InfoType(QCA::State,                  QStringLiteral("State"),                  QLatin1String(""),     QStringLiteral("State (ST)"),                QStringLiteral("State within the country"));
	out += InfoType(QCA::Country,                QStringLiteral("Country"),                QStringLiteral("C"),   QStringLiteral("Country Code (C)"),          QStringLiteral("2-letter code"));
	out += InfoType(QCA::IncorporationLocality,  QStringLiteral("IncorporationLocality"),  QLatin1String(""),     QStringLiteral("Incorporation Locality"),    QStringLiteral("For EV certificates"));
	out += InfoType(QCA::IncorporationState,     QStringLiteral("IncorporationState"),     QLatin1String(""),     QStringLiteral("Incorporation State"),       QStringLiteral("For EV certificates"));
	out += InfoType(QCA::IncorporationCountry,   QStringLiteral("IncorporationCountry"),   QLatin1String(""),     QStringLiteral("Incorporation Country"),     QStringLiteral("For EV certificates"));
	out += InfoType(QCA::URI,                    QStringLiteral("URI"),                    QLatin1String(""),     QStringLiteral("URI"),                       QLatin1String(""));
	out += InfoType(QCA::DNS,                    QStringLiteral("DNS"),                    QLatin1String(""),     QStringLiteral("Domain Name"),               QStringLiteral("Domain (dnsName)"));
	out += InfoType(QCA::IPAddress,              QStringLiteral("IPAddress"),              QLatin1String(""),     QStringLiteral("IP Adddress"),               QLatin1String(""));
	out += InfoType(QCA::XMPP,                   QStringLiteral("XMPP"),                   QLatin1String(""),     QStringLiteral("XMPP Address (JID)"),        QStringLiteral("From RFC 3920 (id-on-xmppAddr)"));
	return out;
}

class MyConstraintType
{
public:
	QCA::ConstraintType type;
	QString varname;
	QString name;
	QString desc;

	MyConstraintType()
	{
	}

	MyConstraintType(const QCA::ConstraintType &_type, const QString &_varname, const QString &_name, const QString &_desc)
	:type(_type), varname(_varname), name(_name), desc(_desc)
	{
	}
};

static QList<MyConstraintType> makeConstraintTypeList()
{
	QList<MyConstraintType> out;
	out += MyConstraintType(QCA::DigitalSignature,    QStringLiteral("DigitalSignature"),    QStringLiteral("Digital Signature"),      QStringLiteral("Can be used for signing"));
	out += MyConstraintType(QCA::NonRepudiation,      QStringLiteral("NonRepudiation"),      QStringLiteral("Non-Repudiation"),        QStringLiteral("Usage is legally binding"));
	out += MyConstraintType(QCA::KeyEncipherment,     QStringLiteral("KeyEncipherment"),     QStringLiteral("Key Encipherment"),       QStringLiteral("Can encrypt other keys"));
	out += MyConstraintType(QCA::DataEncipherment,    QStringLiteral("DataEncipherment"),    QStringLiteral("Data Encipherment"),      QStringLiteral("Can encrypt arbitrary data"));
	out += MyConstraintType(QCA::KeyAgreement,        QStringLiteral("KeyAgreement"),        QStringLiteral("Key Agreement"),          QStringLiteral("Can perform key agreement (DH)"));
	out += MyConstraintType(QCA::KeyCertificateSign,  QStringLiteral("KeyCertificateSign"),  QStringLiteral("Certificate Sign"),       QStringLiteral("Can sign other certificates"));
	out += MyConstraintType(QCA::CRLSign,             QStringLiteral("CRLSign"),             QStringLiteral("CRL Sign"),               QStringLiteral("Can sign CRLs"));
	out += MyConstraintType(QCA::EncipherOnly,        QStringLiteral("EncipherOnly"),        QStringLiteral("Encipher Only"),          QStringLiteral("Can be used for encrypting"));
	out += MyConstraintType(QCA::DecipherOnly,        QStringLiteral("DecipherOnly"),        QStringLiteral("Decipher Only"),          QStringLiteral("Can be used for decrypting"));
	out += MyConstraintType(QCA::ServerAuth,          QStringLiteral("ServerAuth"),          QStringLiteral("Server Authentication"),  QStringLiteral("TLS Server"));
	out += MyConstraintType(QCA::ClientAuth,          QStringLiteral("ClientAuth"),          QStringLiteral("Client Authentication"),  QStringLiteral("TLS Client"));
	out += MyConstraintType(QCA::CodeSigning,         QStringLiteral("CodeSigning"),         QStringLiteral("Code Signing"),           QLatin1String(""));
	out += MyConstraintType(QCA::EmailProtection,     QStringLiteral("EmailProtection"),     QStringLiteral("Email Protection"),       QStringLiteral("S/MIME"));
	out += MyConstraintType(QCA::IPSecEndSystem,      QStringLiteral("IPSecEndSystem"),      QStringLiteral("IPSec End-System"),       QLatin1String(""));
	out += MyConstraintType(QCA::IPSecTunnel,         QStringLiteral("IPSecTunnel"),         QStringLiteral("IPSec Tunnel"),           QLatin1String(""));
	out += MyConstraintType(QCA::IPSecUser,           QStringLiteral("IPSecUser"),           QStringLiteral("IPSec User"),             QLatin1String(""));
	out += MyConstraintType(QCA::TimeStamping,        QStringLiteral("TimeStamping"),        QStringLiteral("Time Stamping"),          QLatin1String(""));
	out += MyConstraintType(QCA::OCSPSigning,         QStringLiteral("OCSPSigning"),         QStringLiteral("OCSP Signing"),           QLatin1String(""));
	return out;
}

const char *crlEntryReasonToString(QCA::CRLEntry::Reason r)
{
	switch(r)
	{
		case QCA::CRLEntry::Unspecified:           return "Unspecified";
		case QCA::CRLEntry::KeyCompromise:         return "KeyCompromise";
		case QCA::CRLEntry::CACompromise:          return "CACompromise";
		case QCA::CRLEntry::AffiliationChanged:    return "AffiliationChanged";
		case QCA::CRLEntry::Superseded:            return "Superseded";
		case QCA::CRLEntry::CessationOfOperation:  return "CessationOfOperation";
		case QCA::CRLEntry::CertificateHold:       return "CertificateHold";
		case QCA::CRLEntry::RemoveFromCRL:         return "RemoveFromCRL";
		case QCA::CRLEntry::PrivilegeWithdrawn:    return "PrivilegeWithdrawn";
		case QCA::CRLEntry::AACompromise:          return "AACompromise";
		default:                                   return "Unknown";
	}
}

static bool validOid(const QString &in)
{
	for(const QChar &c : in)
	{
		if(!c.isDigit() && c != QLatin1Char('.'))
			return false;
	}
	return true;
}

class ValidityLength
{
public:
	int years, months, days;
};

static int vl_getnext(const QString &in, int offset = 0)
{
	if(offset >= in.length())
		return in.length();

	int n = offset;
	bool lookForNonDigit;

	if(in[n].isDigit())
		lookForNonDigit = true;
	else
		lookForNonDigit = false;

	for(++n; n < in.length(); ++n)
	{
		if(in[n].isDigit() != lookForNonDigit)
			break;
	}
	return n;
}

static QStringList vl_getparts(const QString &in)
{
	QStringList out;
	int offset = 0;
	while(true)
	{
		int n = vl_getnext(in, offset);
		if(n == offset)
			break;
		out += in.mid(offset, n - offset);
		offset = n;
	}
	return out;
}

static bool parseValidityLength(const QString &in, ValidityLength *vl)
{
	vl->years = -1;
	vl->months = -1;
	vl->days = -1;

	QStringList parts = vl_getparts(in);
	while(true)
	{
		// first part should be a number
		if(parts.count() < 1)
			break;
		QString str = parts.takeFirst();
		bool ok;
		int x = str.toInt(&ok);
		if(!ok)
			return false;

		// next part should be 1 letter plus any amount of space
		if(parts.count() < 1)
			return false;
		str = parts.takeFirst();
		if(!str[0].isLetter())
			return false;
		str = str.trimmed(); // remove space

		if(str == QLatin1String("y"))
		{
			if(vl->years != -1)
				return false;
			vl->years = x;
		}
		if(str == QLatin1String("m"))
		{
			if(vl->months != -1)
				return false;
			vl->months = x;
		}
		if(str == QLatin1String("d"))
		{
			if(vl->days != -1)
				return false;
			vl->days = x;
		}
	}

	if(vl->years == -1)
		vl->years = 0;
	if(vl->months == -1)
		vl->months = 0;
	if(vl->days == -1)
		vl->days = 0;

	return true;
}

static QString prompt_for(const QString &prompt)
{
	printf("%s: ", prompt.toLatin1().data());
	fflush(stdout);
	QByteArray result(256, 0);
	if(fgets((char *)result.data(), result.size(), stdin))
		return QString::fromLocal8Bit(result).trimmed();
	else
		return QString();
}

static QCA::CertificateOptions promptForCertAttributes(bool advanced, bool req)
{
	QCA::CertificateOptions opts;

	if(advanced)
	{
		if(!req)
		{
			while(true)
			{
				QString str = prompt_for(QStringLiteral("Create an end user ('user') certificate or a CA ('ca') certificate? [user]"));
				if(str.isEmpty())
					str = QStringLiteral("user");
				if(str != QLatin1String("user") && str != QLatin1String("ca"))
				{
					printf("'%s' is not a valid entry.\n", qPrintable(str));
					continue;
				}

				if(str == QLatin1String("ca"))
					opts.setAsCA();
				break;
			}
			printf("\n");

			while(true)
			{
				QString str = prompt_for(QStringLiteral("Serial Number"));
				QCA::BigInteger num;
				if(str.isEmpty() || !num.fromString(str))
				{
					printf("'%s' is not a valid entry.\n", qPrintable(str));
					continue;
				}

				opts.setSerialNumber(num);
				break;
			}
			printf("\n");
		}

		{
			QCA::CertificateInfoOrdered info;
			printf("Choose the information attributes to add to the certificate.  They will be\n"
				"added in the order they are entered.\n\n");
			printf("Available information attributes:\n");
			QList<InfoType> list = makeInfoTypeList();
			for(int n = 0; n < list.count(); ++n)
			{
				const InfoType &i = list[n];
				char c = 'a' + n;
				printf("  %c) %-32s        %s\n", c, qPrintable(i.name), qPrintable(i.desc));
			}
			printf("\n");
			while(true)
			{
				int index;
				while(true)
				{
					QString str = prompt_for(QStringLiteral("Select an attribute to add, or enter to move on"));
					if(str.isEmpty())
					{
						index = -1;
						break;
					}
					if(str.length() == 1)
					{
						index = str[0].toLatin1() - 'a';
						if(index >= 0 && index < list.count())
							break;
					}
					printf("'%s' is not a valid entry.\n", qPrintable(str));
				}
				if(index == -1)
					break;

				QString val = prompt_for(list[index].name);
				info += QCA::CertificateInfoPair(list[index].type, val);
				printf("Added attribute.\n\n");
			}
			opts.setInfoOrdered(info);
		}

		{
			QCA::Constraints constraints;
			printf("\n");
			printf("Choose the constraint attributes to add to the certificate.\n\n");
			printf("Available attributes:\n");
			QList<MyConstraintType> list = makeConstraintTypeList();
			for(int n = 0; n < list.count(); ++n)
			{
				const MyConstraintType &i = list[n];
				char c = 'a' + n;
				printf("  %c) %-32s        %s\n", c, qPrintable(i.name), qPrintable(i.desc));
			}
			printf("\n");
			printf("If no constraints are added, then the certificate may be used for any purpose.\n\n");
			while(true)
			{
				int index;
				while(true)
				{
					QString str = prompt_for(QStringLiteral("Select an attribute to add, or enter to move on"));
					if(str.isEmpty())
					{
						index = -1;
						break;
					}
					if(str.length() == 1)
					{
						index = str[0].toLatin1() - 'a';
						if(index >= 0 && index < list.count())
							break;
					}
					printf("'%s' is not a valid entry.\n\n", qPrintable(str));
				}
				if(index == -1)
					break;

				if(constraints.contains(list[index].type))
				{
					printf("You have already added '%s'.\n\n", qPrintable(list[index].name));
					continue;
				}

				constraints += list[index].type;
				printf("Added attribute.\n\n");
			}
			opts.setConstraints(constraints);
		}

		{
			QStringList policies;
			printf("\n");
			printf("Are there any policy OID attributes that you wish to add?  Use the dotted\n"
				"string format.\n\n");
			while(true)
			{
				QString str = prompt_for(QStringLiteral("Enter a policy OID to add, or enter to move on"));
				if(str.isEmpty())
					break;
				if(!validOid(str))
				{
					printf("'%s' is not a valid entry.\n\n", qPrintable(str));
					continue;
				}
				if(policies.contains(str))
				{
					printf("You have already added '%s'.\n\n", qPrintable(str));
					continue;
				}

				policies += str;
				printf("Added attribute.\n\n");
			}
			opts.setPolicies(policies);
		}

		printf("\n");
	}
	else
	{
		QCA::CertificateInfo info;
		info.insert(QCA::CommonName, prompt_for(QStringLiteral("Common Name")));
		info.insert(QCA::Country, prompt_for(QStringLiteral("Country Code (2 letters)")));
		info.insert(QCA::Organization, prompt_for(QStringLiteral("Organization")));
		info.insert(QCA::Email, prompt_for(QStringLiteral("Email")));
		opts.setInfo(info);

		printf("\n");
	}

	if(!req)
	{
		while(true)
		{
			QString str = prompt_for(QStringLiteral("How long should the certificate be valid? (e.g. '1y2m3d')"));
			ValidityLength vl;
			if(!parseValidityLength(str, &vl))
			{
				printf("'%s' is not a valid entry.\n\n", qPrintable(str));
				continue;
			}

			if(vl.years == 0 && vl.months == 0 && vl.days == 0)
			{
				printf("The certificate must be valid for at least one day.\n\n");
				continue;
			}

			QDateTime start = QDateTime::currentDateTimeUtc();
			QDateTime end = start;
			if(vl.years > 0)
				end = end.addYears(vl.years);
			if(vl.months > 0)
				end = end.addMonths(vl.months);
			if(vl.days > 0)
				end = end.addDays(vl.days);
			opts.setValidityPeriod(start, end);

			QStringList parts;
			if(vl.years > 0)
				parts += QStringLiteral("%1 year(s)").arg(vl.years);
			if(vl.months > 0)
				parts += QStringLiteral("%1 month(s)").arg(vl.months);
			if(vl.days > 0)
				parts += QStringLiteral("%1 day(s)").arg(vl.days);
			QString out;
			if(parts.count() == 1)
				out = parts[0];
			else if(parts.count() == 2)
				out = parts[0] + QStringLiteral(" and ") + parts[1];
			else if(parts.count() == 3)
				out = parts[0] + QStringLiteral(", ") + parts[1] + QStringLiteral(", and ") + parts[2];
			printf("Certificate will be valid for %s.\n", qPrintable(out));
			break;
		}
		printf("\n");
	}

	return opts;
}

// qsettings seems to give us a string type for both bool and int (and
//   possibly others, but those are the only two we care about here).
//   in order to figure out what is actually a bool or an int, we need
//   to examine the string.  so for the functions below, we convert
//   the variant to a string, and then inspect it to see if it looks
//   like a bool or an int.

static bool string_is_bool(const QString &in)
{
	QString lc = in.toLower();
	if(lc == QLatin1String("true") || lc == QLatin1String("false"))
		return true;
	return false;
}

static bool string_is_int(const QString &in)
{
	bool ok;
	in.toInt(&ok);
	return ok;
}

static bool variant_is_bool(const QVariant &in)
{
	if(in.canConvert<QString>() && string_is_bool(in.toString()))
		return true;
	return false;
}

static bool variant_is_int(const QVariant &in)
{
	if(in.canConvert<QString>() && string_is_int(in.toString()))
		return true;
	return false;
}

static QString prompt_for_string(const QString &prompt, const QString &def = QString())
{
	printf("%s", prompt.toLatin1().data());
	fflush(stdout);
	QByteArray result(256, 0);
	if(!fgets((char *)result.data(), result.size(), stdin))
		return QString();
	if(result[result.length()-1] == '\n')
		result.truncate(result.length()-1);
	// empty input -> use default
	if(result.isEmpty())
		return def;
	// trimmed input could result in an empty value, but in that case
	//   it is treated as if the user wishes to submit an empty value.
	return QString::fromLocal8Bit(result).trimmed();
}

static int prompt_for_int(const QString &prompt, int def = 0)
{
	while(true)
	{
		QString str = prompt_for_string(prompt);
		if(str.isEmpty())
			return def;
		bool ok;
		int x = str.toInt(&ok);
		if(ok)
			return x;
		printf("'%s' is not a valid entry.\n\n", qPrintable(str));
	}
}

static bool partial_compare_nocase(const QString &in, const QString &target, int min = 1)
{
	if(in.length() >= min && in.length() <= target.length() && target.mid(0, in.length()).toLower() == in.toLower())
		return true;
	return false;
}

static bool prompt_for_bool(const QString &prompt, bool def = false)
{
	while(true)
	{
		QString str = prompt_for_string(prompt);
		if(str.isEmpty())
			return def;
		if(partial_compare_nocase(str, QStringLiteral("true")))
			return true;
		else if(partial_compare_nocase(str, QStringLiteral("false")))
			return false;
		printf("'%s' is not a valid entry.\n\n", qPrintable(str));
	}
}

static bool prompt_for_yesno(const QString &prompt, bool def = false)
{
	while(true)
	{
		QString str = prompt_for_string(prompt);
		if(str.isEmpty())
			return def;
		if(partial_compare_nocase(str, QStringLiteral("yes")))
			return true;
		else if(partial_compare_nocase(str, QStringLiteral("no")))
			return false;
		printf("'%s' is not a valid entry.\n\n", qPrintable(str));
	}
}

static QString prompt_for_slotevent_method(const QString &prompt, const QString &def = QString())
{
	while(true)
	{
		QString str = prompt_for_string(prompt);
		if(str.isEmpty())
			return def;
		if(partial_compare_nocase(str, QStringLiteral("auto")))
			return QStringLiteral("auto");
		else if(partial_compare_nocase(str, QStringLiteral("trigger")))
			return QStringLiteral("trigger");
		else if(partial_compare_nocase(str, QStringLiteral("poll")))
			return QStringLiteral("poll");
		printf("'%s' is not a valid entry.\n\n", qPrintable(str));
	}
}

static QVariantMap provider_config_edit_generic(const QVariantMap &in)
{
	QVariantMap config = in;
	QMutableMapIterator<QString,QVariant> it(config);
	while(it.hasNext())
	{
		it.next();
		QString var = it.key();
		if(var == QLatin1String("formtype"))
			continue;
		QVariant val = it.value();

		// fields must be bool, int, or string
		QVariant newval;
		QString prompt = QStringLiteral("%1: [%2] ").arg(var, val.toString());
		if(variant_is_bool(val))
			newval = prompt_for_bool(QStringLiteral("bool   ") + prompt, val.toBool());
		else if(variant_is_int(val))
			newval = prompt_for_int(QStringLiteral("int    ") + prompt, val.toInt());
		else if(val.canConvert<QString>())
			newval = prompt_for_string(QStringLiteral("string ") + prompt, val.toString());
		else
			continue; // skip bogus fields

		it.setValue(newval);
	}

	return config;
}

class Pkcs11ProviderConfig
{
public:
	bool allow_protected_authentication;
	bool cert_private;
	bool enabled;
	QString library;
	QString name;
	int private_mask;
	QString slotevent_method;
	int slotevent_timeout;

	Pkcs11ProviderConfig() :
		allow_protected_authentication(true),
		cert_private(false),
		enabled(false),
		private_mask(0),
		slotevent_method(QStringLiteral("auto")),
		slotevent_timeout(0)
	{
	}

	QVariantMap toVariantMap() const
	{
		QVariantMap out;
		out[QStringLiteral("allow_protected_authentication")] = allow_protected_authentication;
		out[QStringLiteral("cert_private")] = cert_private;
		out[QStringLiteral("enabled")] = enabled;
		out[QStringLiteral("library")] = library;
		out[QStringLiteral("name")] = name;
		out[QStringLiteral("private_mask")] = private_mask;
		out[QStringLiteral("slotevent_method")] = slotevent_method;
		out[QStringLiteral("slotevent_timeout")] = slotevent_timeout;
		return out;
	}

	bool fromVariantMap(const QVariantMap &in)
	{
		allow_protected_authentication = in[QStringLiteral("allow_protected_authentication")].toBool();
		cert_private = in[QStringLiteral("cert_private")].toBool();
		enabled = in[QStringLiteral("enabled")].toBool();
		library = in[QStringLiteral("library")].toString();
		name = in[QStringLiteral("name")].toString();
		private_mask = in[QStringLiteral("private_mask")].toInt();
		slotevent_method = in[QStringLiteral("slotevent_method")].toString();
		slotevent_timeout = in[QStringLiteral("slotevent_timeout")].toInt();
		return true;
	}
};

class Pkcs11Config
{
public:
	bool allow_load_rootca;
	bool allow_protected_authentication;
	int log_level;
	int pin_cache;
	QList<Pkcs11ProviderConfig> providers;

	QVariantMap orig_config;

	Pkcs11Config() :
		allow_load_rootca(false),
		allow_protected_authentication(true),
		log_level(0),
		pin_cache(-1)
	{
	}

	QVariantMap toVariantMap() const
	{
		QVariantMap out = orig_config;

		// form type
		out[QStringLiteral("formtype")] = QLatin1String("http://affinix.com/qca/forms/qca-pkcs11#1.0");

		// base settings
		out[QStringLiteral("allow_load_rootca")] = allow_load_rootca;
		out[QStringLiteral("allow_protected_authentication")] = allow_protected_authentication;
		out[QStringLiteral("log_level")] = log_level;
		out[QStringLiteral("pin_cache")] = pin_cache;

		// provider settings (always write at least 10 providers)
		for(int n = 0; n < 10 || n < providers.count(); ++n)
		{
			QString prefix = QString::asprintf("provider_%02d_", n);

			Pkcs11ProviderConfig provider;
			if(n < providers.count())
				provider = providers[n];

			QVariantMap subconfig = provider.toVariantMap();
			QMapIterator<QString,QVariant> it(subconfig);
			while(it.hasNext())
			{
				it.next();
				out.insert(prefix + it.key(), it.value());
			}
		}

		return out;
	}

	bool fromVariantMap(const QVariantMap &in)
	{
		if(in[QStringLiteral("formtype")] != QLatin1String("http://affinix.com/qca/forms/qca-pkcs11#1.0"))
			return false;

		allow_load_rootca = in[QStringLiteral("allow_load_rootca")].toBool();
		allow_protected_authentication = in[QStringLiteral("allow_protected_authentication")].toBool();
		log_level = in[QStringLiteral("log_level")].toInt();
		pin_cache = in[QStringLiteral("pin_cache")].toInt();

		for(int n = 0;; ++n)
		{
			QString prefix = QString::asprintf("provider_%02d_", n);

			// collect all key/values with this prefix into a
			//   a separate container, leaving out the prefix
			//   from the keys.
			QVariantMap subconfig;
			QMapIterator<QString,QVariant> it(in);
			while(it.hasNext())
			{
				it.next();
				if(it.key().startsWith(prefix))
					subconfig.insert(it.key().mid(prefix.length()), it.value());
			}

			// if there are no config items with this prefix, we're done
			if(subconfig.isEmpty())
				break;

			Pkcs11ProviderConfig provider;
			if(!provider.fromVariantMap(subconfig))
				return false;

			// skip unnamed entries
			if(provider.name.isEmpty())
				continue;

			// skip duplicate entries
			bool have_name_already = false;
			foreach(const Pkcs11ProviderConfig &i, providers)
			{
				if(i.name == provider.name)
				{
					have_name_already = true;
					break;
				}
			}
			if(have_name_already)
				continue;

			providers += provider;
		}

		orig_config = in;
		return true;
	}
};

static QVariantMap provider_config_edit_pkcs11(const QVariantMap &in)
{
	Pkcs11Config config;
	if(!config.fromVariantMap(in))
	{
		fprintf(stderr, "Error: unable to parse PKCS#11 provider configuration.\n");
		return QVariantMap();
	}

	while(true)
	{
		printf("\n");
		printf("Global settings:\n");
		printf("  Allow loading of root CAs: %s\n", config.allow_load_rootca ? "Yes" : "No");
		printf("  Allow protected authentication: %s\n", config.allow_protected_authentication ? "Yes" : "No");
		QString str;
		if(config.pin_cache == -1)
			str = QStringLiteral("No limit");
		else
			str = QStringLiteral("%1 seconds").arg(config.pin_cache);
		printf("  Maximum PIN cache time: %s\n", qPrintable(str));
		printf("  Log level: %d\n", config.log_level);
		printf("\n");
		printf("PKCS#11 modules:\n");
		if(!config.providers.isEmpty())
		{
			foreach(const Pkcs11ProviderConfig &provider, config.providers)
				printf("  %s\n", qPrintable(provider.name));
		}
		else
			printf("  (None)\n");
		printf("\n");
		printf("Actions:\n");
		printf("  a) Edit global settings\n");
		printf("  b) Add PKCS#11 module\n");
		printf("  c) Edit PKCS#11 module\n");
		printf("  d) Remove PKCS#11 module\n");
		printf("\n");

		int index;
		while(true)
		{
			QString str = prompt_for(QStringLiteral("Select an action, or enter to quit"));
			if(str.isEmpty())
			{
				index = -1;
				break;
			}
			if(str.length() == 1)
			{
				index = str[0].toLatin1() - 'a';
				if(index >= 0 && index < 4)
					break;
			}
			printf("'%s' is not a valid entry.\n\n", qPrintable(str));
		}
		if(index == -1)
			break;

		if(index == 0)
		{
			printf("\n");

			QString prompt;
			prompt = QStringLiteral("Allow loading of root CAs: [%1] ").arg(config.allow_load_rootca ? QStringLiteral("Yes") : QStringLiteral("No"));
			config.allow_load_rootca = prompt_for_yesno(prompt, config.allow_load_rootca);
			prompt = QStringLiteral("Allow protected authentication: [%1] ").arg(config.allow_protected_authentication ? QStringLiteral("Yes") : QStringLiteral("No"));
			config.allow_protected_authentication = prompt_for_yesno(prompt, config.allow_protected_authentication);
			prompt = QStringLiteral("Maximum PIN cache time in seconds (-1 for no limit): [%1] ").arg(config.pin_cache);
			config.pin_cache = prompt_for_int(prompt, config.pin_cache);
			prompt = QStringLiteral("Log level: [%1] ").arg(config.log_level);
			config.log_level = prompt_for_int(prompt, config.log_level);
		}
		else // 1, 2, 3
		{
			int at = -1;

			// for edit/remove, need to select provider
			if(index == 2 || index == 3)
			{
				printf("\nWhich PKCS#11 module?\n");
				for(int n = 0; n < config.providers.count(); ++n)
				{
					const Pkcs11ProviderConfig &provider = config.providers[n];
					char c = 'a' + n;
					printf("  %c) %s\n", c, qPrintable(provider.name));
				}
				printf("\n");

				int index;
				while(true)
				{
					QString str = prompt_for(QStringLiteral("Select a module, or enter to go back"));
					if(str.isEmpty())
					{
						index = -1;
						break;
					}
					if(str.length() == 1)
					{
						index = str[0].toLatin1() - 'a';
						if(index >= 0 && index < config.providers.count())
							break;
					}
					printf("'%s' is not a valid entry.\n", qPrintable(str));
				}

				// exit?
				if(index == -1)
					continue;

				at = index;
			}

			// edit the entry
			if(index == 1 || index == 2)
			{
				Pkcs11ProviderConfig provider;
				if(index == 2) // edit
					provider = config.providers[at];
				provider.enabled = true;
				printf("\n");

				QString prompt;

				// prompt for unique name
				while(true)
				{
					if(index == 1)
						prompt = QStringLiteral("Unique friendly name: ");
					else
						prompt = QStringLiteral("Unique friendly name: [%1] ").arg(provider.name);
					provider.name = prompt_for_string(prompt, provider.name);

					if(provider.name.isEmpty())
					{
						printf("The friendly name cannot be blank.\n\n");
						continue;
					}

					bool have_name_already = false;
					for(int n = 0; n < config.providers.count(); ++n)
					{
						const Pkcs11ProviderConfig &i = config.providers[n];

						// skip checking against the entry we are editing
						if(at != -1 && n == at)
							continue;

						if(i.name == provider.name)
						{
							have_name_already = true;
							break;
						}
					}
					if(have_name_already)
					{
						printf("This name is already used by another module.\n\n");
						continue;
					}

					break;
				}

				// prompt for library file
				QString last;
				while(true)
				{
					if(index == 1)
						prompt = QStringLiteral("Library filename: ");
					else
						prompt = QStringLiteral("Library filename: [%1] ").arg(provider.library);
					provider.library = prompt_for_string(prompt, provider.library);

					if(provider.library.isEmpty())
					{
						printf("The library filename cannot be blank.\n\n");
						continue;
					}

					if(last != provider.library && !QFile::exists(provider.library))
					{
						last = provider.library;
						printf("'%s' does not exist.\nPress enter again if you really want this.\n\n", qPrintable(provider.library));
						continue;
					}

					break;
				}

				prompt = QStringLiteral("Allow protected authentication: [%1] ").arg(provider.allow_protected_authentication ? QStringLiteral("Yes") : QStringLiteral("No"));
				provider.allow_protected_authentication = prompt_for_yesno(prompt, provider.allow_protected_authentication);
				prompt = QStringLiteral("Provider stores certificates as private objects: [%1] ").arg(provider.cert_private ? QStringLiteral("Yes") : QStringLiteral("No"));
				provider.cert_private = prompt_for_yesno(prompt, provider.cert_private);
				printf("\n");
				printf("Provider private key mask:\n");
				printf("    0        Determine automatically.\n");
				printf("    1        Use sign.\n");
				printf("    2        Use sign recover.\n");
				printf("    4        Use decrypt.\n");
				printf("    8        Use unwrap.\n");
				prompt = QStringLiteral("Mask value: [%1] ").arg(provider.private_mask);
				provider.private_mask = prompt_for_int(prompt, provider.private_mask);
				printf("\n");
				printf("Slot event method:\n");
				printf("    auto     Determine automatically.\n");
				printf("    trigger  Use trigger.\n");
				printf("    poll     Use poll.\n");
				prompt = QStringLiteral("Method value: [%1] ").arg(provider.slotevent_method);
				provider.slotevent_method = prompt_for_slotevent_method(prompt, provider.slotevent_method);
				if(provider.slotevent_method == QLatin1String("poll"))
				{
					prompt = QStringLiteral("Poll timeout (0 for no preference): [%1] ").arg(provider.slotevent_timeout);
					provider.slotevent_timeout = prompt_for_int(prompt, provider.slotevent_timeout);
				}
				else
					provider.slotevent_timeout = 0;

				if(index == 1)
					config.providers += provider;
				else // 2
					config.providers[at] = provider;
			}
			// remove the entry
			else // 3
			{
				config.providers.removeAt(at);
			}
		}
	}

	return config.toVariantMap();
}

static QVariantMap provider_config_edit(const QVariantMap &in)
{
	// see if we have a configurator for a known form type
	if(in[QStringLiteral("formtype")] == QLatin1String("http://affinix.com/qca/forms/qca-pkcs11#1.0"))
		return provider_config_edit_pkcs11(in);

	// otherwise, use the generic configurator
	return provider_config_edit_generic(in);
}

static QString get_fingerprint(const QCA::Certificate &cert, const QString &hashType)
{
	QString hex = QCA::Hash(hashType).hashToString(cert.toDER());
	QString out;
	for(int n = 0; n < hex.count(); ++n)
	{
		if(n != 0 && n % 2 == 0)
			out += QLatin1Char(':');
		out += hex[n];
	}
	return out;
}

static QString kstype_to_string(QCA::KeyStore::Type _type)
{
	QString type;
	switch(_type)
	{
		case QCA::KeyStore::System:      type = QStringLiteral("Sys "); break;
		case QCA::KeyStore::User:        type = QStringLiteral("User"); break;
		case QCA::KeyStore::Application: type = QStringLiteral("App "); break;
		case QCA::KeyStore::SmartCard:   type = QStringLiteral("Card"); break;
		case QCA::KeyStore::PGPKeyring:  type = QStringLiteral("PGP "); break;
		default:                         type = QStringLiteral("XXXX"); break;
	}
	return type;
}

static QString ksentrytype_to_string(QCA::KeyStoreEntry::Type _type)
{
	QString type;
	switch(_type)
	{
		case QCA::KeyStoreEntry::TypeKeyBundle:    type = QStringLiteral("Key "); break;
		case QCA::KeyStoreEntry::TypeCertificate:  type = QStringLiteral("Cert"); break;
		case QCA::KeyStoreEntry::TypeCRL:          type = QStringLiteral("CRL "); break;
		case QCA::KeyStoreEntry::TypePGPSecretKey: type = QStringLiteral("PSec"); break;
		case QCA::KeyStoreEntry::TypePGPPublicKey: type = QStringLiteral("PPub"); break;
		default:                                   type = QStringLiteral("XXXX"); break;
	}
	return type;
}

static void try_print_info(const char *name, const QStringList &values)
{
	if(!values.isEmpty())
	{
		QString value = values.join(QStringLiteral(", "));
		printf("   %s: %s\n", name, value.toUtf8().data());
	}
}

static void print_info(const char *title, const QCA::CertificateInfo &info)
{
	QList<InfoType> list = makeInfoTypeList();
	printf("%s\n", title);
	foreach(const InfoType &t, list)
		try_print_info(qPrintable(t.name), info.values(t.type));
}

static void print_info_ordered(const char *title, const QCA::CertificateInfoOrdered &info)
{
	QList<InfoType> list = makeInfoTypeList(true);
	printf("%s\n", title);
	foreach(const QCA::CertificateInfoPair &pair, info)
	{
		QCA::CertificateInfoType type = pair.type();
		QString name;
		int at = -1;
		for(int n = 0; n < list.count(); ++n)
		{
			if(list[n].type == type)
			{
				at = n;
				break;
			}
		}

		// known type?
		if(at != -1)
		{
			name = list[at].name;
		}
		else
		{
			if(pair.type().section() == QCA::CertificateInfoType::DN)
				name = QStringLiteral("DN:") + pair.type().id();
			else
				name = QStringLiteral("AN:") + pair.type().id();
		}

		printf("   %s: %s\n", qPrintable(name), pair.value().toUtf8().data());
	}
}

static QString constraint_to_string(const QCA::ConstraintType &t)
{
	QList<MyConstraintType> list = makeConstraintTypeList();
	for(int n = 0; n < list.count(); ++n)
	{
		if(list[n].type == t)
			return list[n].name;
	}
	return t.id();
}

static QString sigalgo_to_string(QCA::SignatureAlgorithm algo)
{
	QString str;
	switch(algo)
	{
		case QCA::EMSA1_SHA1:       str = QStringLiteral("EMSA1(SHA1)"); break;
		case QCA::EMSA3_SHA1:       str = QStringLiteral("EMSA3(SHA1)"); break;
		case QCA::EMSA3_MD5:        str = QStringLiteral("EMSA3(MD5)"); break;
		case QCA::EMSA3_MD2:        str = QStringLiteral("EMSA3(MD2)"); break;
		case QCA::EMSA3_RIPEMD160:  str = QStringLiteral("EMSA3(RIPEMD160)"); break;
		case QCA::EMSA3_Raw:        str = QStringLiteral("EMSA3(raw)"); break;
		default:                    str = QStringLiteral("Unknown"); break;
	}
	return str;
}

static void print_cert(const QCA::Certificate &cert, bool ordered = false)
{
	printf("Serial Number: %s\n", qPrintable(cert.serialNumber().toString()));

	if(ordered)
	{
		print_info_ordered("Subject", cert.subjectInfoOrdered());
		print_info_ordered("Issuer", cert.issuerInfoOrdered());
	}
	else
	{
		print_info("Subject", cert.subjectInfo());
		print_info("Issuer", cert.issuerInfo());
	}

	printf("Validity\n");
	printf("   Not before: %s\n", qPrintable(cert.notValidBefore().toString()));
	printf("   Not after:  %s\n", qPrintable(cert.notValidAfter().toString()));

	printf("Constraints\n");
	QCA::Constraints constraints = cert.constraints();
	int n;
	if(!constraints.isEmpty())
	{
		for(n = 0; n < constraints.count(); ++n)
			printf("   %s\n", qPrintable(constraint_to_string(constraints[n])));
	}
	else
		printf("   No constraints\n");

	printf("Policies\n");
	QStringList policies = cert.policies();
	if(!policies.isEmpty())
	{
		for(n = 0; n < policies.count(); ++n)
			printf("   %s\n", qPrintable(policies[n]));
	}
	else
		printf("   No policies\n");

	QByteArray id;
	printf("Issuer Key ID: ");
	id = cert.issuerKeyId();
	if(!id.isEmpty())
		printf("%s\n", qPrintable(QCA::arrayToHex(id)));
	else
		printf("None\n");

	printf("Subject Key ID: ");
	id = cert.subjectKeyId();
	if(!id.isEmpty())
		printf("%s\n", qPrintable(QCA::arrayToHex(id)));
	else
		printf("None\n");

	printf("CA: %s\n", cert.isCA() ? "Yes": "No");
	printf("Signature Algorithm: %s\n", qPrintable(sigalgo_to_string(cert.signatureAlgorithm())));

	QCA::PublicKey key = cert.subjectPublicKey();
	printf("Public Key:\n%s", key.toPEM().toLatin1().data());

	printf("SHA1 Fingerprint: %s\n", qPrintable(get_fingerprint(cert, QStringLiteral("sha1"))));
	printf("MD5 Fingerprint: %s\n", qPrintable(get_fingerprint(cert, QStringLiteral("md5"))));
}

static void print_certreq(const QCA::CertificateRequest &cert, bool ordered = false)
{
	if(ordered)
		print_info_ordered("Subject", cert.subjectInfoOrdered());
	else
		print_info("Subject", cert.subjectInfo());

	printf("Constraints\n");
	QCA::Constraints constraints = cert.constraints();
	int n;
	if(!constraints.isEmpty())
	{
		for(n = 0; n < constraints.count(); ++n)
			printf("   %s\n", qPrintable(constraint_to_string(constraints[n])));
	}
	else
		printf("   No constraints\n");

	printf("Policies\n");
	QStringList policies = cert.policies();
	if(!policies.isEmpty())
	{
		for(n = 0; n < policies.count(); ++n)
			printf("   %s\n", qPrintable(policies[n]));
	}
	else
		printf("   No policies\n");

	printf("CA: %s\n", cert.isCA() ? "Yes": "No");
	printf("Signature Algorithm: %s\n", qPrintable(sigalgo_to_string(cert.signatureAlgorithm())));

	QCA::PublicKey key = cert.subjectPublicKey();
	printf("Public Key:\n%s", key.toPEM().toLatin1().data());
}

static void print_crl(const QCA::CRL &crl, bool ordered = false)
{
	if(ordered)
		print_info_ordered("Issuer", crl.issuerInfoOrdered());
	else
		print_info("Issuer", crl.issuerInfo());

	int num = crl.number();
	if(num != -1)
		printf("Number: %d\n", num);

	printf("Validity\n");
	printf("   This update: %s\n", qPrintable(crl.thisUpdate().toString()));
	printf("   Next update: %s\n", qPrintable(crl.nextUpdate().toString()));

	QByteArray id;
	printf("Issuer Key ID: ");
	id = crl.issuerKeyId();
	if(!id.isEmpty())
		printf("%s\n", qPrintable(QCA::arrayToHex(id)));
	else
		printf("None\n");

	printf("Signature Algorithm: %s\n", qPrintable(sigalgo_to_string(crl.signatureAlgorithm())));

	QList<QCA::CRLEntry> revokedList = crl.revoked();
	foreach(const QCA::CRLEntry &entry, revokedList)
	{
		printf("   %s: %s, %s\n",
			qPrintable(entry.serialNumber().toString()),
			crlEntryReasonToString(entry.reason()),
			qPrintable(entry.time().toString()));
	}
}

static QString format_pgp_fingerprint(const QString &in)
{
	QString out;
	bool first = true;
	for(int n = 0; n + 3 < in.length(); n += 4)
	{
		if(!first)
			out += QLatin1Char(' ');
		else
			first = false;
		out += in.mid(n, 4).toUpper();
	}
	return out;
}

static void print_pgp(const QCA::PGPKey &key)
{
	printf("Key ID: %s\n", qPrintable(key.keyId()));
	printf("User IDs:\n");
	foreach(const QString &s, key.userIds())
		printf("   %s\n", qPrintable(s));
	printf("Validity\n");
	printf("   Not before: %s\n", qPrintable(key.creationDate().toString()));
	if(!key.expirationDate().isNull())
		printf("   Not after:  %s\n", qPrintable(key.expirationDate().toString()));
	else
		printf("   Not after:  (no expiration)\n");
	printf("In Keyring: %s\n", key.inKeyring() ? "Yes": "No");
	printf("Secret Key: %s\n", key.isSecret() ? "Yes": "No");
	printf("Trusted:    %s\n", key.isTrusted() ? "Yes": "No");
	printf("Fingerprint: %s\n", qPrintable(format_pgp_fingerprint(key.fingerprint())));
}

static QString validityToString(QCA::Validity v)
{
	QString s;
	switch(v)
	{
		case QCA::ValidityGood:
			s = QStringLiteral("Validated");
			break;
		case QCA::ErrorRejected:
			s = QStringLiteral("Root CA is marked to reject the specified purpose");
			break;
		case QCA::ErrorUntrusted:
			s = QStringLiteral("Certificate not trusted for the required purpose");
			break;
		case QCA::ErrorSignatureFailed:
			s = QStringLiteral("Invalid signature");
			break;
		case QCA::ErrorInvalidCA:
			s = QStringLiteral("Invalid CA certificate");
			break;
		case QCA::ErrorInvalidPurpose:
			s = QStringLiteral("Invalid certificate purpose");
			break;
		case QCA::ErrorSelfSigned:
			s = QStringLiteral("Certificate is self-signed");
			break;
		case QCA::ErrorRevoked:
			s = QStringLiteral("Certificate has been revoked");
			break;
		case QCA::ErrorPathLengthExceeded:
			s = QStringLiteral("Maximum certificate chain length exceeded");
			break;
		case QCA::ErrorExpired:
			s = QStringLiteral("Certificate has expired");
			break;
		case QCA::ErrorExpiredCA:
			s = QStringLiteral("CA has expired");
			break;
		case QCA::ErrorValidityUnknown:
		default:
			s = QStringLiteral("General certificate validation error");
			break;
	}
	return s;
}

static QString smIdentityResultToString(QCA::SecureMessageSignature::IdentityResult r)
{
	QString str;
	switch(r)
	{
		case QCA::SecureMessageSignature::Valid:             str = QStringLiteral("Valid"); break;
		case QCA::SecureMessageSignature::InvalidSignature:  str = QStringLiteral("InvalidSignature"); break;
		case QCA::SecureMessageSignature::InvalidKey:        str = QStringLiteral("InvalidKey"); break;
		case QCA::SecureMessageSignature::NoKey:             str = QStringLiteral("NoKey"); break;
		default:                                             str = QStringLiteral("Unknown");
	}
	return str;
}

static QString smErrorToString(QCA::SecureMessage::Error e)
{
	QMap<QCA::SecureMessage::Error,QString> map;
	map[QCA::SecureMessage::ErrorPassphrase] = QStringLiteral("ErrorPassphrase");
	map[QCA::SecureMessage::ErrorFormat] = QStringLiteral("ErrorFormat");
	map[QCA::SecureMessage::ErrorSignerExpired] = QStringLiteral("ErrorSignerExpired");
	map[QCA::SecureMessage::ErrorSignerInvalid] = QStringLiteral("ErrorSignerInvalid");
	map[QCA::SecureMessage::ErrorEncryptExpired] = QStringLiteral("ErrorEncryptExpired");
	map[QCA::SecureMessage::ErrorEncryptUntrusted] = QStringLiteral("ErrorEncryptUntrusted");
	map[QCA::SecureMessage::ErrorEncryptInvalid] = QStringLiteral("ErrorEncryptInvalid");
	map[QCA::SecureMessage::ErrorNeedCard] = QStringLiteral("ErrorNeedCard");
	map[QCA::SecureMessage::ErrorCertKeyMismatch] = QStringLiteral("ErrorCertKeyMismatch");
	map[QCA::SecureMessage::ErrorUnknown] = QStringLiteral("ErrorUnknown");
	return map[e];
}

static void smDisplaySignatures(const QList<QCA::SecureMessageSignature> &signers)
{
	foreach(const QCA::SecureMessageSignature &signer, signers)
	{
		QCA::SecureMessageSignature::IdentityResult r = signer.identityResult();
		fprintf(stderr, "IdentityResult: %s\n", qPrintable(smIdentityResultToString(r)));

		QCA::SecureMessageKey key = signer.key();
		if(!key.isNull())
		{
			if(key.type() == QCA::SecureMessageKey::PGP)
			{
				QCA::PGPKey pub = key.pgpPublicKey();
				fprintf(stderr, "From: %s (%s)\n", qPrintable(pub.primaryUserId()), qPrintable(pub.keyId()));
			}
			else
			{
				QCA::Certificate cert = key.x509CertificateChain().primary();
				QString emailStr;
				QCA::CertificateInfo info = cert.subjectInfo();
				if(info.contains(QCA::Email))
					emailStr = QStringLiteral(" (%1)").arg(info.value(QCA::Email));
				fprintf(stderr, "From: %s%s\n", qPrintable(cert.commonName()), qPrintable(emailStr));
			}
		}
	}
}

static const char *mime_signpart =
	"Content-Type: text/plain; charset=UTF-8\r\n"
	"Content-Transfer-Encoding: 8bit\r\n"
	"\r\n"
	"%1";

static const char *mime_signed =
	"Content-Type: multipart/signed;\r\n"
	"	micalg=%1;\r\n"
	"	boundary=QCATOOL-0001;\r\n"
	"	protocol=\"application/pkcs7-signature\"\r\n"
	"\r\n"
	"\r\n"
	"--QCATOOL-0001\r\n"
	"%2\r\n"
	"--QCATOOL-0001\r\n"
	"Content-Transfer-Encoding: base64\r\n"
	"Content-Type: application/pkcs7-signature;\r\n"
	"	name=smime.p7s\r\n"
	"Content-Disposition: attachment;\r\n"
	"	filename=smime.p7s\r\n"
	"\r\n"
	"%3\r\n"
	"\r\n"
	"--QCATOOL-0001--\r\n";

static const char *mime_enveloped =
	"Mime-Version: 1.0\r\n"
	"Content-Transfer-Encoding: base64\r\n"
	"Content-Type: application/pkcs7-mime;\r\n"
	"	name=smime.p7m;\r\n"
	"	smime-type=enveloped-data\r\n"
	"Content-Disposition: attachment;\r\n"
	"	filename=smime.p7m\r\n"
	"\r\n"
	"%1\r\n";

static QString add_cr(const QString &in)
{
	QString out = in;
	int at = 0;
	while(true)
	{
		at = out.indexOf(QLatin1Char('\n'), at);
		if(at == -1)
			break;
		if(at - 1 >= 0 && out[at - 1] != QLatin1Char('\r'))
		{
			out.insert(at, QLatin1Char('\r'));
			++at;
		}
		++at;
	}
	return out;
}

static QString rem_cr(const QString &in)
{
	QString out = in;
	out.replace(QLatin1String("\r\n"), QLatin1String("\n"));
	return out;
}

static int indexOf_newline(const QString &in, int offset = 0)
{
	for(int n = offset; n < in.length(); ++n)
	{
		if(n + 1 < in.length() && in[n] == QLatin1Char('\r') && in[n + 1] == QLatin1Char('\n'))
			return n;
		if(in[n] == QLatin1Char('\n'))
			return n;
	}
	return -1;
}

static int indexOf_doublenewline(const QString &in, int offset = 0)
{
	int at = -1;
	while(true)
	{
		int n = indexOf_newline(in, offset);
		if(n == -1)
			return -1;

		if(at != -1)
		{
			if(n == offset)
				break;
		}

		at = n;
		if(in[n] == QLatin1Char('\n'))
			offset = n + 1;
		else
			offset = n + 2;
	}
	return at;
}

// this is so gross
static int newline_len(const QString &in, int offset = 0)
{
	if(in[offset] == QLatin1Char('\r'))
		return 2;
	else
		return 1;
}

// all of this mime stuff is a total hack
static QString open_mime_envelope(const QString &in)
{
	int n = indexOf_doublenewline(in);
	if(n == -1)
		return QString();
	return in.mid(n + (newline_len(in, n) * 2)); // good lord
}

static bool open_mime_data_sig(const QString &in, QString *data, QString *sig)
{
	int n = in.indexOf(QLatin1String("boundary="));
	if(n == -1)
		return false;
	n += 9;
	int i = indexOf_newline(in, n);
	if(i == -1)
		return false;
	QString boundary;
	QString bregion = in.mid(n, i - n);
	n = bregion.indexOf(QLatin1Char(';'));
	if(n != -1)
		boundary = bregion.mid(0, n);
	else
		boundary = bregion;

	if(boundary[0] == QLatin1Char('\"'))
		boundary.remove(0, 1);
	if(boundary[boundary.length() - 1] == QLatin1Char('\"'))
		boundary.remove(boundary.length() - 1, 1);
	//printf("boundary: [%s]\n", qPrintable(boundary));
	QString boundary_end = QStringLiteral("--") + boundary;
	boundary = QStringLiteral("--") + boundary;

	QString work = open_mime_envelope(in);
	//printf("work: [%s]\n", qPrintable(work));

	n = work.indexOf(boundary);
	if(n == -1)
		return false;
	n += boundary.length();
	i = indexOf_newline(work, n);
	if(i == -1)
		return false;
	n += newline_len(work, i);
	int data_start = n;

	n = work.indexOf(boundary, data_start);
	if(n == -1)
		return false;
	int data_end = n;

	n = data_end + boundary.length();
	i = indexOf_newline(work, n);
	if(i == -1)
		return false;
	n += newline_len(work, i);
	int next = n;

	QString tmp_data = work.mid(data_start, data_end - data_start);
	n = work.indexOf(boundary_end, next);
	if(n == -1)
		return false;
	QString tmp_sig = work.mid(next, n - next);

	// nuke some newlines
	if(tmp_data.right(2) == QLatin1String("\r\n"))
		tmp_data.truncate(tmp_data.length() - 2);
	else if(tmp_data.right(1) == QLatin1String("\n"))
		tmp_data.truncate(tmp_data.length() - 1);
	if(tmp_sig.right(2) == QLatin1String("\r\n"))
		tmp_sig.truncate(tmp_sig.length() - 2);
	else if(tmp_sig.right(1) == QLatin1String("\n"))
		tmp_sig.truncate(tmp_sig.length() - 1);

	tmp_sig = open_mime_envelope(tmp_sig);

	*data = tmp_data;
	*sig = tmp_sig;
	return true;
}

static QString idHash(const QString &id)
{
	// hash the id and take the rightmost 4 hex characters
	return QCA::Hash(QStringLiteral("md5")).hashToString(id.toUtf8()).right(4);
}

// first = ids, second = names
static QPair<QStringList, QStringList> getKeyStoreStrings(const QStringList &list, QCA::KeyStoreManager *ksm)
{
	QPair<QStringList, QStringList> out;
	for(int n = 0; n < list.count(); ++n)
	{
		QCA::KeyStore ks(list[n], ksm);
		out.first.append(idHash(ks.id()));
		out.second.append(ks.name());
	}
	return out;
}

static QPair<QStringList, QStringList> getKeyStoreEntryStrings(const QList<QCA::KeyStoreEntry> &list)
{
	QPair<QStringList, QStringList> out;
	for(int n = 0; n < list.count(); ++n)
	{
		out.first.append(idHash(list[n].id()));
		out.second.append(list[n].name());
	}
	return out;
}

static QList<int> getPartialMatches(const QStringList &list, const QString &str)
{
	QList<int> out;
	for(int n = 0; n < list.count(); ++n)
	{
		if(list[n].contains(str, Qt::CaseInsensitive))
			out += n;
	}
	return out;
}

static int findByString(const QPair<QStringList, QStringList> &in, const QString &str)
{
	// exact id match
	int n = in.first.indexOf(str);
	if(n != -1)
		return n;

	// partial id match
	QList<int> ret = getPartialMatches(in.first, str);
	if(!ret.isEmpty())
		return ret.first();

	// partial name match
	ret = getPartialMatches(in.second, str);
	if(!ret.isEmpty())
		return ret.first();

	return -1;
}

static QString getKeyStore(const QString &name)
{
	QCA::KeyStoreManager ksm;
	QStringList storeList = ksm.keyStores();
	int n = findByString(getKeyStoreStrings(storeList, &ksm), name);
	if(n != -1)
		return storeList[n];
	return QString();
}

static QCA::KeyStoreEntry getKeyStoreEntry(QCA::KeyStore *store, const QString &name)
{
	QList<QCA::KeyStoreEntry> list = store->entryList();
	int n = findByString(getKeyStoreEntryStrings(list), name);
	if(n != -1)
		return list[n];
	return QCA::KeyStoreEntry();
}

// here are a bunch of get_Foo functions for the various types

// E - generic entry
// K - private key
// C - cert
// X - keybundle
// P - pgp public key
// S - pgp secret key

// in all cases but K, the store:obj notation can be used.  if there
//   is no colon present, then we treat the input as a filename. we
//   try the file as an exported passive entry id, and if the type
//   is C or X, we'll fall back to regular files if necessary.

static QCA::KeyStoreEntry get_E(const QString &name, bool nopassiveerror = false)
{
	QCA::KeyStoreEntry entry;

	QCA::KeyStoreManager::start();

	int n = name.indexOf(QLatin1Char(':'));
	if(n != -1)
	{
		ksm_start_and_wait();

		// store:obj lookup
		QString storeName = name.mid(0, n);
		QString objectName = name.mid(n + 1);

		QCA::KeyStoreManager ksm;
		QCA::KeyStore store(getKeyStore(storeName), &ksm);
		if(!store.isValid())
		{
			fprintf(stderr, "Error: no such store [%s].\n", qPrintable(storeName));
			return entry;
		}

		entry = getKeyStoreEntry(&store, objectName);
		if(entry.isNull())
		{
			fprintf(stderr, "Error: no such object [%s].\n", qPrintable(objectName));
			return entry;
		}
	}
	else
	{
		// exported id
		QString serialized = read_ksentry_file(name);
		entry = QCA::KeyStoreEntry(serialized);
		if(entry.isNull())
		{
			if(!nopassiveerror)
				fprintf(stderr, "Error: invalid/unknown entry [%s].\n", qPrintable(name));
			return entry;
		}
	}

	return entry;
}

static QCA::PrivateKey get_K(const QString &name)
{
	QCA::PrivateKey key;

	int n = name.indexOf(QLatin1Char(':'));
	if(n != -1)
	{
		fprintf(stderr, "Error: cannot use store:obj notation for raw private keys.\n");
		return key;
	}

	if(is_pem_file(name))
		key = QCA::PrivateKey::fromPEMFile(name);
	else
		key = QCA::PrivateKey::fromDER(read_der_file(name));
	if(key.isNull())
	{
		fprintf(stderr, "Error: unable to read/process private key file.\n");
		return key;
	}

	return key;
}

static QCA::Certificate get_C(const QString &name)
{
	QCA::KeyStoreEntry entry = get_E(name, true);
	if(!entry.isNull())
	{
		if(entry.type() != QCA::KeyStoreEntry::TypeCertificate)
		{
			fprintf(stderr, "Error: entry is not a certificate.\n");
			return QCA::Certificate();
		}
		return entry.certificate();
	}

	if(!QCA::isSupported("cert"))
	{
		fprintf(stderr, "Error: need 'cert' feature.\n");
		return QCA::Certificate();
	}

	// try file
	QCA::Certificate cert;
	if(is_pem_file(name))
		cert = QCA::Certificate::fromPEMFile(name);
	else
		cert = QCA::Certificate::fromDER(read_der_file(name));
	if(cert.isNull())
	{
		fprintf(stderr, "Error: unable to read/process certificate file.\n");
		return cert;
	}

	return cert;
}

static QCA::KeyBundle get_X(const QString &name)
{
	QCA::KeyStoreEntry entry = get_E(name, true);
	if(!entry.isNull())
	{
		if(entry.type() != QCA::KeyStoreEntry::TypeKeyBundle)
		{
			fprintf(stderr, "Error: entry is not a keybundle.\n");
			return QCA::KeyBundle();
		}
		return entry.keyBundle();
	}

	if(!QCA::isSupported("pkcs12"))
	{
		fprintf(stderr, "Error: need 'pkcs12' feature.\n");
		return QCA::KeyBundle();
	}

	// try file
	QCA::KeyBundle key = QCA::KeyBundle::fromFile(name);
	if(key.isNull())
	{
		fprintf(stderr, "Error: unable to read/process keybundle file.\n");
		return key;
	}

	return key;
}

static QCA::PGPKey get_P(const QString &name)
{
	QCA::KeyStoreEntry entry = get_E(name, true);
	if(!entry.isNull())
	{
		if(entry.type() != QCA::KeyStoreEntry::TypePGPPublicKey && entry.type() != QCA::KeyStoreEntry::TypePGPSecretKey)
		{
			fprintf(stderr, "Error: entry is not a pgp public key.\n");
			return QCA::PGPKey();
		}
		return entry.pgpPublicKey();
	}

	// try file
	QCA::PGPKey key = QCA::PGPKey::fromFile(name);
	if(key.isNull())
	{
		fprintf(stderr, "Error: unable to read/process pgp key file.\n");
		return key;
	}

	return key;
}

static QPair<QCA::PGPKey, QCA::PGPKey> get_S(const QString &name, bool noerror = false)
{
	QPair<QCA::PGPKey, QCA::PGPKey> key;
	QCA::KeyStoreEntry entry = get_E(name, true);
	if(!entry.isNull())
	{
		if(entry.type() != QCA::KeyStoreEntry::TypePGPSecretKey)
		{
			if(!noerror)
				fprintf(stderr, "Error: entry is not a pgp secret key.\n");
			return key;
		}

		key.first = entry.pgpSecretKey();
		key.second = entry.pgpPublicKey();
		return key;
	}
	return key;
}

static void usage()
{
	printf("%s: simple qca utility\n", APPNAME);
	printf("usage: %s (options) [command]\n", EXENAME);
	printf(" options: --pass=x, --newpass=x, --nonroots=x, --roots=x, --nosys,\n");
	printf("          --noprompt, --ordered, --debug, --log-file=x, --log-level=n,\n");
	printf("          --nobundle\n");
	printf("\n");
	printf(" help|--help|-h                        This help text\n");
	printf(" version|--version|-v                  Print version information\n");
	printf(" plugins                               List available plugins\n");
	printf(" config [command]\n");
	printf("   save [provider]                     Save default provider config\n");
	printf("   edit [provider]                     Edit provider config\n");
	printf(" key [command]\n");
	printf("   make rsa|dsa [bits]                 Create a key pair\n");
	printf("   changepass [K]                      Add/change/remove passphrase of a key\n");
	printf(" cert [command]\n");
	printf("   makereq [K]                         Create certificate request (CSR)\n");
	printf("   makeself [K]                        Create self-signed certificate\n");
	printf("   makereqadv [K]                      Advanced version of 'makereq'\n");
	printf("   makeselfadv [K]                     Advanced version of 'makeself'\n");
	printf("   validate [C]                        Validate certificate\n");
	printf(" keybundle [command]\n");
	printf("   make [K] [C]                        Create a keybundle\n");
	printf("   extract [X]                         Extract certificate(s) and key\n");
	printf("   changepass [X]                      Change passphrase of a keybundle\n");
	printf(" keystore [command]\n");
	printf("   list-stores                         List all available keystores\n");
	printf("   list [storeName]                    List content of a keystore\n");
	printf("   monitor                             Monitor for keystore availability\n");
	printf("   export [E]                          Export a keystore entry's content\n");
	printf("   exportref [E]                       Export a keystore entry reference\n");
	printf("   addkb [storeName] [cert.p12]        Add a keybundle into a keystore\n");
	printf("   addpgp [storeName] [key.asc]        Add a PGP key into a keystore\n");
	printf("   remove [E]                          Remove an object from a keystore\n");
	printf(" show [command]\n");
	printf("   cert [C]                            Examine a certificate\n");
	printf("   req [req.pem]                       Examine a certificate request (CSR)\n");
	printf("   crl [crl.pem]                       Examine a certificate revocation list\n");
	printf("   kb [X]                              Examine a keybundle\n");
	printf("   pgp [P|S]                           Examine a PGP key\n");
	printf(" message [command]\n");
	printf("   sign pgp|pgpdetach|smime [X|S]      Sign a message\n");
	printf("   encrypt pgp|smime [C|P]             Encrypt a message\n");
	printf("   signencrypt [S] [P]                 PGP sign & encrypt a message\n");
	printf("   verify pgp|smime                    Verify a message\n");
	printf("   decrypt pgp|smime ((X) ...)         Decrypt a message (S/MIME needs X)\n");
	printf("   exportcerts                         Export certs from S/MIME message\n");
	printf("\n");
	printf("Object types: K = private key, C = certificate, X = key bundle,\n");
	printf("  P = PGP public key, S = PGP secret key, E = generic entry\n");
	printf("\n");
	printf("An object must be either a filename or a keystore reference (\"store:obj\").\n");
	printf("\n");
	printf("Log level is from 0 (quiet) to 8 (debug)\n");
	printf("\n");
}

int main(int argc, char **argv)
{
	QCA::Initializer qcaInit;
	QCoreApplication app(argc, argv);
	QFile logFile;
	QTextStream logStream (stderr);
	StreamLogger streamLogger (logStream);

	QStringList args;
	for(int n = 1; n < argc; ++n)
		args.append(QString::fromLocal8Bit(argv[n]));

	if(args.count() < 1)
	{
		usage();
		return 1;
	}

	bool have_pass = false;
	bool have_newpass = false;
	QCA::SecureArray pass, newpass;
	bool allowprompt = true;
	bool ordered = false;
	bool debug = false;
	bool nosys = false;
	bool nobundle = false;
	QString rootsFile, nonRootsFile;

	for(int n = 0; n < args.count(); ++n)
	{
		QString s = args[n];
		if(!s.startsWith(QLatin1String("--")))
			continue;
		QString var;
		QString val;
		int x = s.indexOf(QLatin1Char('='));
		if(x != -1)
		{
			var = s.mid(2, x - 2);
			val = s.mid(x + 1);
		}
		else
		{
			var = s.mid(2);
		}

		bool known = true;

		if(var == QLatin1String("pass"))
		{
			have_pass = true;
			pass = val.toUtf8();
		}
		else if(var == QLatin1String("newpass"))
		{
			have_newpass = true;
			newpass = val.toUtf8();
		}
		else if(var == QLatin1String("log-file"))
		{
			logFile.setFileName (val);
			logFile.open (QIODevice::Append | QIODevice::Text | QIODevice::Unbuffered);
			logStream.setDevice (&logFile);
		}
		else if(var == QLatin1String("log-level"))
		{
			QCA::logger ()->setLevel ((QCA::Logger::Severity)val.toInt ());
		}
		else if(var == QLatin1String("noprompt"))
			allowprompt = false;
		else if(var == QLatin1String("ordered"))
			ordered = true;
		else if(var == QLatin1String("debug"))
			debug = true;
		else if(var == QLatin1String("roots"))
			rootsFile = val;
		else if(var == QLatin1String("nonroots"))
			nonRootsFile = val;
		else if(var == QLatin1String("nosys"))
			nosys = true;
		else if(var == QLatin1String("nobundle"))
			nobundle = true;
		else
			known = false;

		if(known)
		{
			args.removeAt(n);
			--n; // adjust position
		}
	}

	// help
	if(args.isEmpty() || args[0] == QLatin1String("help") || args[0] == QLatin1String("--help") || args[0] == QLatin1String("-h"))
	{
		usage();
		return 0;
	}

	// version
	if(args[0] == QLatin1String("version") || args[0] == QLatin1String("--version") || args[0] == QLatin1String("-v"))
	{
		int ver = qcaVersion();
		int maj = (ver >> 16) & 0xff;
		int min = (ver >> 8) & 0xff;
		int bug = ver & 0xff;
		printf("%s version %s by Justin Karneges\n", APPNAME, VERSION);
		printf("Using QCA version %d.%d.%d\n", maj, min, bug);
		return 0;
	}

	// show plugins
	if(args[0] == QLatin1String("plugins"))
	{
		QStringList paths = QCA::pluginPaths();
		if(!paths.isEmpty())
		{
			for(int n = 0; n < paths.count(); ++n)
			{
				printf("  %s\n", qPrintable(QDir::toNativeSeparators(paths[n])));
			}
		}
		else
			printf("  (none)\n");

		QCA::ProviderList list = QCA::providers();

		if(debug)
			output_plugin_diagnostic_text();

		printf("Available Providers:\n");
		if(!list.isEmpty())
		{
			for(int n = 0; n < list.count(); ++n)
			{
				printf("  %s\n", qPrintable(list[n]->name()));
				QString credit = list[n]->credit();
				if(!credit.isEmpty())
				{
					QStringList lines = wrapstring(credit, 74);
					foreach(const QString &s, lines)
						printf("    %s\n", qPrintable(s));
				}
				if (debug)
				{
					QStringList capabilities = list[n]->features();
					foreach(const QString &capability, capabilities)
					{
						printf("    *%s", qPrintable(capability));
						if(!QCA::isSupported(qPrintable(capability), list[n]->name()))
						{
							printf("(NOT supported) - bug");
						}
						printf("\n");
					}
				}
			}
		}
		else
			printf("  (none)\n");

		QCA::unloadAllPlugins();

		if(debug)
			output_plugin_diagnostic_text();

		return 0;
	}

	// config stuff
	if(args[0] == QLatin1String("config"))
	{
		if(args.count() < 2)
		{
			usage();
			return 1;
		}

		if(args[1] == QLatin1String("save"))
		{
			if(args.count() < 3)
			{
				usage();
				return 1;
			}

			QString name = args[2];
			QCA::Provider *p = QCA::findProvider(name);
			if(!p)
			{
				fprintf(stderr, "Error: no such provider '%s'.\n", qPrintable(name));
				return 1;
			}

			QVariantMap map1 = p->defaultConfig();
			if(map1.isEmpty())
			{
				fprintf(stderr, "Error: provider does not support configuration.\n");
				return 1;
			}

			// set and save
			QCA::setProviderConfig(name, map1);
			QCA::saveProviderConfig(name);
			printf("Done.\n");
			return 0;
		}
		else if(args[1] == QLatin1String("edit"))
		{
			if(args.count() < 3)
			{
				usage();
				return 1;
			}

			QString name = args[2];
			if(!QCA::findProvider(name))
			{
				fprintf(stderr, "Error: no such provider '%s'.\n", qPrintable(name));
				return 1;
			}

			QVariantMap map1 = QCA::getProviderConfig(name);
			if(map1.isEmpty())
			{
				fprintf(stderr, "Error: provider does not support configuration.\n");
				return 1;
			}

			printf("Editing configuration for %s ...\n", qPrintable(name));
			printf("Note: to clear a string entry, type whitespace and press enter.\n");

			map1 = provider_config_edit(map1);
			if(map1.isEmpty())
				return 1;

			// set and save
			QCA::setProviderConfig(name, map1);
			QCA::saveProviderConfig(name);
			printf("Done.\n");
			return 0;
		}
		else
		{
			usage();
			return 1;
		}
	}

	// enable console passphrase prompt
	PassphrasePromptThread passphrasePrompt;
	if(!allowprompt)
		passphrasePrompt.pp->allowPrompt = false;
	if(have_pass)
		passphrasePrompt.pp->setExplicitPassword(pass);

	if(args[0] == QLatin1String("key"))
	{
		if(args.count() < 2)
		{
			usage();
			return 1;
		}

		if(args[1] == QLatin1String("make"))
		{
			if(args.count() < 4)
			{
				usage();
				return 1;
			}

			bool genrsa;
			int bits;

			if(args[2] == QLatin1String("rsa"))
			{
				if(!QCA::isSupported("rsa"))
				{
					fprintf(stderr, "Error: need 'rsa' feature.\n");
					return 1;
				}

				genrsa = true;
				bits = args[3].toInt();
				if(bits < 512)
				{
					fprintf(stderr, "Error: RSA bits must be at least 512.\n");
					return 1;
				}
			}
			else if(args[2] == QLatin1String("dsa"))
			{
				if(!QCA::isSupported("dsa"))
				{
					fprintf(stderr, "Error: need 'dsa' feature.\n");
					return 1;
				}

				if(!QCA::isSupported("dlgroup"))
				{
					fprintf(stderr, "Error: need 'dlgroup' feature.\n");
					return 1;
				}

				genrsa = false;
				bits = args[3].toInt();
				if(bits != 512 && bits != 768 && bits != 1024)
				{
					fprintf(stderr, "Error: DSA bits must be 512, 768, or 1024.\n");
					return 1;
				}
			}
			else
			{
				usage();
				return 1;
			}

			if(!allowprompt && !have_newpass)
			{
				fprintf(stderr, "Error: no passphrase specified (use '--newpass=' for none).\n");
				return 1;
			}

			QCA::PrivateKey priv;
			QString pubFileName, privFileName;

			if(genrsa)
			{
				// note: third arg is bogus, doesn't apply to RSA
				priv = AnimatedKeyGen::makeKey(QCA::PKey::RSA, bits, QCA::DSA_512);
				pubFileName = QStringLiteral("rsapub.pem");
				privFileName = QStringLiteral("rsapriv.pem");
			}
			else // dsa
			{
				QCA::DLGroupSet set;
				if(bits == 512)
					set = QCA::DSA_512;
				else if(bits == 768)
					set = QCA::DSA_768;
				else // 1024
					set = QCA::DSA_1024;

				// note: second arg is bogus, doesn't apply to DSA
				priv = AnimatedKeyGen::makeKey(QCA::PKey::DSA, 0, set);
				pubFileName = QStringLiteral("dsapub.pem");
				privFileName = QStringLiteral("dsapriv.pem");
			}

			if(priv.isNull())
			{
				fprintf(stderr, "Error: unable to generate key.\n");
				return 1;
			}

			QCA::PublicKey pub = priv.toPublicKey();

			// prompt for new passphrase if necessary
			if(!have_newpass)
			{
				while(!promptForNewPassphrase(&newpass))
				{
				}
				have_newpass = true;
			}

			if(pub.toPEMFile(pubFileName))
				printf("Public key saved to %s\n", qPrintable(pubFileName));
			else
			{
				fprintf(stderr, "Error: can't encode/write %s\n", qPrintable(pubFileName));
				return 1;
			}

			bool ok;
			if(!newpass.isEmpty())
				ok = priv.toPEMFile(privFileName, newpass);
			else
				ok = priv.toPEMFile(privFileName);
			if(ok)
				printf("Private key saved to %s\n", qPrintable(privFileName));
			else
			{
				fprintf(stderr, "Error: can't encode/write %s\n", qPrintable(privFileName));
				return 1;
			}
		}
		else if(args[1] == QLatin1String("changepass"))
		{
			if(args.count() < 3)
			{
				usage();
				return 1;
			}

			QCA::PrivateKey priv = get_K(args[2]);
			if(priv.isNull())
				return 1;

			if(!allowprompt && !have_newpass)
			{
				fprintf(stderr, "Error: no passphrase specified (use '--newpass=' for none).\n");
				return 1;
			}

			// prompt for new passphrase if necessary
			if(!have_newpass)
			{
				while(!promptForNewPassphrase(&newpass))
				{
				}
				have_newpass = true;
			}

			QString out;
			if(!newpass.isEmpty())
				out = priv.toPEM(newpass);
			else
				out = priv.toPEM();
			if(!out.isEmpty())
				printf("%s", qPrintable(out));
			else
			{
				fprintf(stderr, "Error: can't encode key.\n");
				return 1;
			}
		}
		else
		{
			usage();
			return 1;
		}
	}
	else if(args[0] == QLatin1String("cert"))
	{
		if(args.count() < 2)
		{
			usage();
			return 1;
		}

		if(args[1] == QLatin1String("makereq") || args[1] == QLatin1String("makereqadv"))
		{
			if(args.count() < 3)
			{
				usage();
				return 1;
			}

			if(!QCA::isSupported("csr"))
			{
				fprintf(stderr, "Error: need 'csr' feature.\n");
				return 1;
			}

			QCA::PrivateKey priv = get_K(args[2]);
			if(priv.isNull())
				return 1;

			printf("\n");

			bool advanced = (args[1] == QLatin1String("makereqadv")) ? true: false;

			QCA::CertificateOptions opts = promptForCertAttributes(advanced, true);
			QCA::CertificateRequest req(opts, priv);

			QString reqname = QStringLiteral("certreq.pem");
			if(req.toPEMFile(reqname))
				printf("Certificate request saved to %s\n", qPrintable(reqname));
			else
			{
				fprintf(stderr, "Error: can't encode/write %s\n", qPrintable(reqname));
				return 1;
			}
		}
		else if(args[1] == QLatin1String("makeself") || args[1] == QLatin1String("makeselfadv"))
		{
			if(args.count() < 3)
			{
				usage();
				return 1;
			}

			if(!QCA::isSupported("cert"))
			{
				fprintf(stderr, "Error: need 'cert' feature.\n");
				return 1;
			}

			QCA::PrivateKey priv = get_K(args[2]);
			if(priv.isNull())
				return 1;

			printf("\n");

			bool advanced = (args[1] == QLatin1String("makeselfadv")) ? true: false;

			QCA::CertificateOptions opts = promptForCertAttributes(advanced, false);
			QCA::Certificate cert(opts, priv);

			QString certname = QStringLiteral("cert.pem");
			if(cert.toPEMFile(certname))
				printf("Certificate saved to %s\n", qPrintable(certname));
			else
			{
				fprintf(stderr, "Error: can't encode/write %s\n", qPrintable(certname));
				return 1;
			}
		}
		else if(args[1] == QLatin1String("validate"))
		{
			if(args.count() < 3)
			{
				usage();
				return 1;
			}

			QCA::Certificate target = get_C(args[2]);
			if(target.isNull())
				return 1;

			// get roots
			QCA::CertificateCollection roots;
			if(!nosys)
				roots += QCA::systemStore();
			if(!rootsFile.isEmpty())
				roots += QCA::CertificateCollection::fromFlatTextFile(rootsFile);

			// get nonroots
			QCA::CertificateCollection nonroots;
			if(!nonRootsFile.isEmpty())
				nonroots = QCA::CertificateCollection::fromFlatTextFile(nonRootsFile);

			QCA::Validity v = target.validate(roots, nonroots);
			if(v == QCA::ValidityGood)
				printf("Certificate is valid\n");
			else
			{
				printf("Certificate is NOT valid: %s\n", qPrintable(validityToString(v)));
				return 1;
			}
		}
		else
		{
			usage();
			return 1;
		}
	}
	else if(args[0] == QLatin1String("keybundle"))
	{
		if(args.count() < 2)
		{
			usage();
			return 1;
		}

		if(args[1] == QLatin1String("make"))
		{
			if(args.count() < 4)
			{
				usage();
				return 1;
			}

			if(!QCA::isSupported("pkcs12"))
			{
				fprintf(stderr, "Error: need 'pkcs12' feature.\n");
				return 1;
			}

			QCA::PrivateKey priv = get_K(args[2]);
			if(priv.isNull())
				return 1;

			QCA::Certificate cert = get_C(args[3]);
			if(cert.isNull())
				return 1;

			// get roots
			QCA::CertificateCollection roots;
			if(!nosys)
				roots += QCA::systemStore();
			if(!rootsFile.isEmpty())
				roots += QCA::CertificateCollection::fromFlatTextFile(rootsFile);

			// get nonroots
			QCA::CertificateCollection nonroots;
			if(!nonRootsFile.isEmpty())
				nonroots = QCA::CertificateCollection::fromFlatTextFile(nonRootsFile);

			QList<QCA::Certificate> issuer_pool = roots.certificates() + nonroots.certificates();

			QCA::CertificateChain chain;
			chain += cert;
			chain = chain.complete(issuer_pool);

			QCA::KeyBundle key;
			key.setName(chain.primary().commonName());
			key.setCertificateChainAndKey(chain, priv);

			if(!allowprompt && !have_newpass)
			{
				fprintf(stderr, "Error: no passphrase specified (use '--newpass=' for none).\n");
				return 1;
			}

			// prompt for new passphrase if necessary
			if(!have_newpass)
			{
				while(!promptForNewPassphrase(&newpass))
				{
				}
				have_newpass = true;
			}

			if(newpass.isEmpty())
			{
				fprintf(stderr, "Error: keybundles cannot have empty passphrases.\n");
				return 1;
			}

			QString newFileName = QStringLiteral("cert.p12");

			if(key.toFile(newFileName, newpass))
				printf("Keybundle saved to %s\n", qPrintable(newFileName));
			else
			{
				fprintf(stderr, "Error: can't encode keybundle.\n");
				return 1;
			}
		}
		else if(args[1] == QLatin1String("extract"))
		{
			if(args.count() < 3)
			{
				usage();
				return 1;
			}

			QCA::KeyBundle key = get_X(args[2]);
			if(key.isNull())
				return 1;

			QCA::PrivateKey priv = key.privateKey();
			bool export_priv = priv.canExport();

			if(export_priv)
			{
				fprintf(stderr, "You will need to create a passphrase for the extracted private key.\n");

				if(!allowprompt && !have_newpass)
				{
					fprintf(stderr, "Error: no passphrase specified (use '--newpass=' for none).\n");
					return 1;
				}

				// prompt for new passphrase if necessary
				if(!have_newpass)
				{
					while(!promptForNewPassphrase(&newpass))
					{
					}
					have_newpass = true;
				}
			}

			printf("Certs: (first is primary)\n");
			QCA::CertificateChain chain = key.certificateChain();
			for(int n = 0; n < chain.count(); ++n)
				printf("%s", qPrintable(chain[n].toPEM()));
			printf("Private Key:\n");
			if(export_priv)
			{
				QString out;
				if(!newpass.isEmpty())
					out = priv.toPEM(newpass);
				else
					out = priv.toPEM();
				printf("%s", qPrintable(out));
			}
			else
			{
				printf("(Key is not exportable)\n");
			}
		}
		else if(args[1] == QLatin1String("changepass"))
		{
			if(args.count() < 3)
			{
				usage();
				return 1;
			}

			QCA::KeyBundle key = get_X(args[2]);
			if(key.isNull())
				return 1;

			if(!key.privateKey().canExport())
			{
				fprintf(stderr, "Error: private key not exportable.\n");
				return 1;
			}

			if(!allowprompt && !have_newpass)
			{
				fprintf(stderr, "Error: no passphrase specified (use '--newpass=' for none).\n");
				return 1;
			}

			// prompt for new passphrase if necessary
			if(!have_newpass)
			{
				while(!promptForNewPassphrase(&newpass))
				{
				}
				have_newpass = true;
			}

			if(newpass.isEmpty())
			{
				fprintf(stderr, "Error: keybundles cannot have empty passphrases.\n");
				return 1;
			}

			QFileInfo fi(args[2]);
			QString newFileName = fi.baseName() + QStringLiteral("_new.p12");

			if(key.toFile(newFileName, newpass))
				printf("Keybundle saved to %s\n", qPrintable(newFileName));
			else
			{
				fprintf(stderr, "Error: can't encode keybundle.\n");
				return 1;
			}
		}
		else
		{
			usage();
			return 1;
		}
	}
	else if(args[0] == QLatin1String("keystore"))
	{
		if(args.count() < 2)
		{
			usage();
			return 1;
		}

		if(args[1] == QLatin1String("list-stores"))
		{
			ksm_start_and_wait();

			QCA::KeyStoreManager ksm;
			QStringList storeList = ksm.keyStores();

			for(int n = 0; n < storeList.count(); ++n)
			{
				QCA::KeyStore ks(storeList[n], &ksm);
				QString type = kstype_to_string(ks.type());
				printf("%s %s [%s]\n", qPrintable(type), qPrintable(idHash(ks.id())), qPrintable(ks.name()));
			}

			if(debug)
				output_keystore_diagnostic_text();
		}
		else if(args[1] == QLatin1String("list"))
		{
			if(args.count() < 3)
			{
				usage();
				return 1;
			}

			ksm_start_and_wait();

			QCA::KeyStoreManager ksm;
			QCA::KeyStore store(getKeyStore(args[2]), &ksm);
			if(!store.isValid())
			{
				if(debug)
					output_keystore_diagnostic_text();

				fprintf(stderr, "Error: no such store\n");
				return 1;
			}

			QList<QCA::KeyStoreEntry> list = store.entryList();
			for(int n = 0; n < list.count(); ++n)
			{
				QCA::KeyStoreEntry i = list[n];
				QString type = ksentrytype_to_string(i.type());
				printf("%s %s [%s]\n", qPrintable(type), qPrintable(idHash(i.id())), qPrintable(i.name()));
			}

			if(debug)
				output_keystore_diagnostic_text();
		}
		else if(args[1] == QLatin1String("monitor"))
		{
			KeyStoreMonitor::monitor();

			if(debug)
				output_keystore_diagnostic_text();
		}
		else if(args[1] == QLatin1String("export"))
		{
			if(args.count() < 3)
			{
				usage();
				return 1;
			}

			QCA::KeyStoreEntry entry = get_E(args[2]);
			if(entry.isNull())
				return 1;

			if(entry.type() == QCA::KeyStoreEntry::TypeCertificate)
				printf("%s", qPrintable(entry.certificate().toPEM()));
			else if(entry.type() == QCA::KeyStoreEntry::TypeCRL)
				printf("%s", qPrintable(entry.crl().toPEM()));
			else if(entry.type() == QCA::KeyStoreEntry::TypePGPPublicKey || entry.type() == QCA::KeyStoreEntry::TypePGPSecretKey)
				printf("%s", qPrintable(entry.pgpPublicKey().toString()));
			else if(entry.type() == QCA::KeyStoreEntry::TypeKeyBundle)
			{
				fprintf(stderr, "Error: use 'keybundle extract' command instead.\n");
				return 1;
			}
			else
			{
				fprintf(stderr, "Error: cannot export type '%d'.\n", entry.type());
				return 1;
			}
		}
		else if(args[1] == QLatin1String("exportref"))
		{
			if(args.count() < 3)
			{
				usage();
				return 1;
			}

			QCA::KeyStoreEntry entry = get_E(args[2]);
			if(entry.isNull())
				return 1;
			printf("%s", make_ksentry_string(entry.toString()).toUtf8().data());
		}
		else if(args[1] == QLatin1String("addkb"))
		{
			if(args.count() < 4)
			{
				usage();
				return 1;
			}

			ksm_start_and_wait();

			QCA::KeyStoreManager ksm;
			QCA::KeyStore store(getKeyStore(args[2]), &ksm);
			if(!store.isValid())
			{
				fprintf(stderr, "Error: no such store\n");
				return 1;
			}

			QCA::KeyBundle key = get_X(args[3]);
			if(key.isNull())
				return 1;

			if(!store.writeEntry(key).isEmpty())
				printf("Entry written.\n");
			else
			{
				fprintf(stderr, "Error: unable to write entry.\n");
				return 1;
			}
		}
		else if(args[1] == QLatin1String("addpgp"))
		{
			if(args.count() < 4)
			{
				usage();
				return 1;
			}

			if(!QCA::isSupported("openpgp"))
			{
				fprintf(stderr, "Error: need 'openpgp' feature.\n");
				return 1;
			}

			ksm_start_and_wait();

			QCA::KeyStoreManager ksm;
			QCA::KeyStore store(getKeyStore(args[2]), &ksm);
			if(!store.isValid())
			{
				fprintf(stderr, "Error: no such store\n");
				return 1;
			}

			QCA::PGPKey pub = QCA::PGPKey::fromFile(args[3]);
			if(pub.isNull())
				return 1;

			if(!store.writeEntry(pub).isEmpty())
				printf("Entry written.\n");
			else
			{
				fprintf(stderr, "Error: unable to write entry.\n");
				return 1;
			}
		}
		else if(args[1] == QLatin1String("remove"))
		{
			if(args.count() < 3)
			{
				usage();
				return 1;
			}

			QCA::KeyStoreEntry entry = get_E(args[2]);
			if(entry.isNull())
				return 1;

			QCA::KeyStoreManager ksm;
			QCA::KeyStore store(entry.storeId(), &ksm);
			if(!store.isValid())
			{
				fprintf(stderr, "Error: no such store\n");
				return 1;
			}

			if(store.removeEntry(entry.id()))
				printf("Entry removed.\n");
			else
			{
				fprintf(stderr, "Error: unable to remove entry.\n");
				return 1;
			}
		}
		else
		{
			usage();
			return 1;
		}
	}
	else if(args[0] == QLatin1String("show"))
	{
		if(args.count() < 2)
		{
			usage();
			return 1;
		}

		if(args[1] == QLatin1String("cert"))
		{
			if(args.count() < 3)
			{
				usage();
				return 1;
			}

			QCA::Certificate cert = get_C(args[2]);
			if(cert.isNull())
				return 1;

			print_cert(cert, ordered);
		}
		else if(args[1] == QLatin1String("req"))
		{
			if(args.count() < 3)
			{
				usage();
				return 1;
			}

			if(!QCA::isSupported("csr"))
			{
				fprintf(stderr, "Error: need 'csr' feature.\n");
				return 1;
			}

			QCA::CertificateRequest req(args[2]);
			if(req.isNull())
			{
				fprintf(stderr, "Error: can't read/process certificate request file.\n");
				return 1;
			}

			print_certreq(req, ordered);
		}
		else if(args[1] == QLatin1String("crl"))
		{
			if(args.count() < 3)
			{
				usage();
				return 1;
			}

			if(!QCA::isSupported("crl"))
			{
				fprintf(stderr, "Error: need 'crl' feature.\n");
				return 1;
			}

			QCA::CRL crl;
			if(is_pem_file(args[2]))
				crl = QCA::CRL::fromPEMFile(args[2]);
			else
				crl = QCA::CRL::fromDER(read_der_file(args[2]));
			if(crl.isNull())
			{
				fprintf(stderr, "Error: unable to read/process CRL file.\n");
				return 1;
			}

			print_crl(crl, ordered);
		}
		else if(args[1] == QLatin1String("kb"))
		{
			if(args.count() < 3)
			{
				usage();
				return 1;
			}

			QCA::KeyBundle key = get_X(args[2]);
			if(key.isNull())
				return 1;

			printf("Keybundle contains %d certificates.  Displaying primary:\n", key.certificateChain().count());
			print_cert(key.certificateChain().primary(), ordered);
		}
		else if(args[1] == QLatin1String("pgp"))
		{
			if(args.count() < 3)
			{
				usage();
				return 1;
			}

			// try for secret key, then try public key
			QCA::PGPKey key = get_S(args[2], true).first;
			if(key.isNull())
			{
				key = get_P(args[2]);
				if(key.isNull())
					return 1;
			}

			print_pgp(key);
		}
		else
		{
			usage();
			return 1;
		}
	}
	else if(args[0] == QLatin1String("message"))
	{
		if(args.count() < 2)
		{
			usage();
			return 1;
		}

		if(args[1] == QLatin1String("sign"))
		{
			if(args.count() < 4)
			{
				usage();
				return 1;
			}

			QCA::SecureMessageSystem *sms;
			QCA::SecureMessageKey skey;
			QCA::SecureMessage::SignMode mode;
			bool pgp = false;

			if(args[2] == QLatin1String("pgp"))
			{
				if(!QCA::isSupported("openpgp"))
				{
					fprintf(stderr, "Error: need 'openpgp' feature.\n");
					return 1;
				}

				QPair<QCA::PGPKey, QCA::PGPKey> key = get_S(args[3]);
				if(key.first.isNull())
					return 1;

				sms = new QCA::OpenPGP;
				skey.setPGPSecretKey(key.first);
				mode = QCA::SecureMessage::Clearsign;
				pgp = true;
			}
			else if(args[2] == QLatin1String("pgpdetach"))
			{
				if(!QCA::isSupported("openpgp"))
				{
					fprintf(stderr, "Error: need 'openpgp' feature.\n");
					return 1;
				}

				QPair<QCA::PGPKey, QCA::PGPKey> key = get_S(args[3]);
				if(key.first.isNull())
					return 1;

				sms = new QCA::OpenPGP;
				skey.setPGPSecretKey(key.first);
				mode = QCA::SecureMessage::Detached;
				pgp = true;
			}
			else if(args[2] == QLatin1String("smime"))
			{
				if(!QCA::isSupported("cms"))
				{
					fprintf(stderr, "Error: need 'cms' feature.\n");
					return 1;
				}

				QCA::KeyBundle key = get_X(args[3]);
				if(key.isNull())
					return 1;

				// get nonroots
				QCA::CertificateCollection nonroots;
				if(!nonRootsFile.isEmpty())
					nonroots = QCA::CertificateCollection::fromFlatTextFile(nonRootsFile);

				QList<QCA::Certificate> issuer_pool = nonroots.certificates();

				QCA::CertificateChain chain = key.certificateChain();
				chain = chain.complete(issuer_pool);

				sms = new QCA::CMS;
				skey.setX509CertificateChain(chain);
				skey.setX509PrivateKey(key.privateKey());
				mode = QCA::SecureMessage::Detached;
			}
			else
			{
				usage();
				return 1;
			}

			// read input data from stdin all at once
			QByteArray plain;
			while(!feof(stdin))
			{
				QByteArray block(1024, 0);
				int n = fread(block.data(), 1, 1024, stdin);
				if(n < 0)
					break;
				block.resize(n);
				plain += block;
			}

			// smime envelope
			if(!pgp)
			{
				QString text = add_cr(QString::fromUtf8(plain));
				plain = QString::fromLatin1(mime_signpart).arg(text).toUtf8();
			}

			QCA::SecureMessage *msg = new QCA::SecureMessage(sms);
			msg->setSigner(skey);
			// pgp should always be ascii
			if(pgp)
				msg->setFormat(QCA::SecureMessage::Ascii);
			msg->setBundleSignerEnabled(!nobundle);
			msg->startSign(mode);
			msg->update(plain);
			msg->end();
			msg->waitForFinished(-1);

			if(debug)
			{
				output_keystore_diagnostic_text();
				output_message_diagnostic_text(msg);
			}

			if(!msg->success())
			{
				QString errstr = smErrorToString(msg->errorCode());
				delete msg;
				delete sms;

				fprintf(stderr, "Error: unable to sign: %s\n", qPrintable(errstr));
				return 1;
			}

			QString hashName = msg->hashName();

			QByteArray output;
			if(mode == QCA::SecureMessage::Detached)
				output = msg->signature();
			else
				output = msg->read();

			delete msg;
			delete sms;

			// smime envelope
			if(!pgp)
			{
				QCA::Base64 enc;
				enc.setLineBreaksEnabled(true);
				enc.setLineBreaksColumn(76);
				QString sigtext = add_cr(enc.arrayToString(output));
				QString str = QString::fromLatin1(mime_signed).arg(hashName, QString::fromUtf8(plain), sigtext);
				output = str.toUtf8();
			}

			printf("%s", output.data());
		}
		else if(args[1] == QLatin1String("encrypt"))
		{
			if(args.count() < 4)
			{
				usage();
				return 1;
			}

			QCA::SecureMessageSystem *sms;
			QCA::SecureMessageKey skey;
			bool pgp = false;

			if(args[2] == QLatin1String("pgp"))
			{
				if(!QCA::isSupported("openpgp"))
				{
					fprintf(stderr, "Error: need 'openpgp' feature.\n");
					return 1;
				}

				QCA::PGPKey key = get_P(args[3]);
				if(key.isNull())
					return 1;

				sms = new QCA::OpenPGP;
				skey.setPGPPublicKey(key);
				pgp = true;
			}
			else if(args[2] == QLatin1String("smime"))
			{
				if(!QCA::isSupported("cms"))
				{
					fprintf(stderr, "Error: need 'cms' feature.\n");
					return 1;
				}

				QCA::Certificate cert = get_C(args[3]);
				if(cert.isNull())
					return 1;

				sms = new QCA::CMS;
				skey.setX509CertificateChain(cert);
			}
			else
			{
				usage();
				return 1;
			}

			// read input data from stdin all at once
			QByteArray plain;
			while(!feof(stdin))
			{
				QByteArray block(1024, 0);
				int n = fread(block.data(), 1, 1024, stdin);
				if(n < 0)
					break;
				block.resize(n);
				plain += block;
			}

			QCA::SecureMessage *msg = new QCA::SecureMessage(sms);
			msg->setRecipient(skey);
			// pgp should always be ascii
			if(pgp)
				msg->setFormat(QCA::SecureMessage::Ascii);
			msg->startEncrypt();
			msg->update(plain);
			msg->end();
			msg->waitForFinished(-1);

			if(debug)
			{
				output_keystore_diagnostic_text();
				output_message_diagnostic_text(msg);
			}

			if(!msg->success())
			{
				QString errstr = smErrorToString(msg->errorCode());
				delete msg;
				delete sms;
				fprintf(stderr, "Error: unable to encrypt: %s\n", qPrintable(errstr));
				return 1;
			}

			QByteArray output = msg->read();
			delete msg;
			delete sms;

			// smime envelope
			if(!pgp)
			{
				QCA::Base64 enc;
				enc.setLineBreaksEnabled(true);
				enc.setLineBreaksColumn(76);
				QString enctext = add_cr(enc.arrayToString(output));
				QString str = QString::fromLatin1(mime_enveloped).arg(enctext);
				output = str.toUtf8();
			}

			printf("%s", output.data());
		}
		else if(args[1] == QLatin1String("signencrypt"))
		{
			if(args.count() < 4)
			{
				usage();
				return 1;
			}

			if(!QCA::isSupported("openpgp"))
			{
				fprintf(stderr, "Error: need 'openpgp' feature.\n");
				return 1;
			}

			QCA::SecureMessageSystem *sms;
			QCA::SecureMessageKey skey;
			QCA::SecureMessageKey rkey;

			{
				QPair<QCA::PGPKey,QCA::PGPKey> sec = get_S(args[2]);
				if(sec.first.isNull())
					return 1;

				QCA::PGPKey pub = get_P(args[3]);
				if(pub.isNull())
					return 1;

				sms = new QCA::OpenPGP;
				skey.setPGPSecretKey(sec.first);
				rkey.setPGPPublicKey(pub);
			}

			// read input data from stdin all at once
			QByteArray plain;
			while(!feof(stdin))
			{
				QByteArray block(1024, 0);
				int n = fread(block.data(), 1, 1024, stdin);
				if(n < 0)
					break;
				block.resize(n);
				plain += block;
			}

			QCA::SecureMessage *msg = new QCA::SecureMessage(sms);
			if(!msg->canSignAndEncrypt())
			{
				delete msg;
				delete sms;
				fprintf(stderr, "Error: cannot perform integrated sign and encrypt.\n");
				return 1;
			}

			msg->setSigner(skey);
			msg->setRecipient(rkey);
			msg->setFormat(QCA::SecureMessage::Ascii);
			msg->startSignAndEncrypt();
			msg->update(plain);
			msg->end();
			msg->waitForFinished(-1);

			if(debug)
			{
				output_keystore_diagnostic_text();
				output_message_diagnostic_text(msg);
			}

			if(!msg->success())
			{
				QString errstr = smErrorToString(msg->errorCode());
				delete msg;
				delete sms;
				fprintf(stderr, "Error: unable to sign and encrypt: %s\n", qPrintable(errstr));
				return 1;
			}

			QByteArray output = msg->read();
			delete msg;
			delete sms;

			printf("%s", output.data());
		}
		else if(args[1] == QLatin1String("verify"))
		{
			if(args.count() < 3)
			{
				usage();
				return 1;
			}

			QCA::SecureMessageSystem *sms;
			bool pgp = false;

			if(args[2] == QLatin1String("pgp"))
			{
				if(!QCA::isSupported("openpgp"))
				{
					fprintf(stderr, "Error: need 'openpgp' feature.\n");
					return 1;
				}

				sms = new QCA::OpenPGP;
				pgp = true;
			}
			else if(args[2] == QLatin1String("smime"))
			{
				if(!QCA::isSupported("cms"))
				{
					fprintf(stderr, "Error: need 'cms' feature.\n");
					return 1;
				}

				// get roots
				QCA::CertificateCollection roots;
				if(!nosys)
					roots += QCA::systemStore();
				if(!rootsFile.isEmpty())
					roots += QCA::CertificateCollection::fromFlatTextFile(rootsFile);

				// get intermediates and possible signers, in case
				//   the message does not have them.
				QCA::CertificateCollection nonroots;
				if(!nonRootsFile.isEmpty())
					nonroots += QCA::CertificateCollection::fromFlatTextFile(nonRootsFile);

				sms = new QCA::CMS;
				((QCA::CMS *)sms)->setTrustedCertificates(roots);
				((QCA::CMS *)sms)->setUntrustedCertificates(nonroots);
			}
			else
			{
				usage();
				return 1;
			}

			QByteArray data, sig;
			QString smime_text;
			{
				// read input data from stdin all at once
				QByteArray plain;
				while(!feof(stdin))
				{
					QByteArray block(1024, 0);
					int n = fread(block.data(), 1, 1024, stdin);
					if(n < 0)
						break;
					block.resize(n);
					plain += block;
				}

				if(pgp)
				{
					// pgp can be either a detached signature followed
					//  by data, or an integrated message.

					// detached signature?
					if(plain.startsWith("-----BEGIN PGP SIGNATURE-----"))
					{
						QByteArray footer = "-----END PGP SIGNATURE-----\n";
						int n = plain.indexOf(footer);
						if(n == -1)
						{
							delete sms;
							fprintf(stderr, "Error: pgp signature header, but no footer.\n");
							return 1;
						}

						n += footer.length();
						sig = plain.mid(0, n);
						data = plain.mid(n);
					}
					else
					{
						data = plain;
					}
				}
				else
				{
					// smime envelope
					QString in = QString::fromUtf8(plain);
					in = add_cr(in); // change the line endings?!
					QString str, sigtext;
					if(!open_mime_data_sig(in, &str, &sigtext))
					{
						fprintf(stderr, "Error: can't parse message file.\n");
						return 1;
					}

					data = str.toUtf8();
					smime_text = str;

					QCA::Base64 dec;
					dec.setLineBreaksEnabled(true);
					sig = dec.stringToArray(rem_cr(sigtext)).toByteArray();
				}
			}

			QCA::SecureMessage *msg = new QCA::SecureMessage(sms);
			if(pgp)
				msg->setFormat(QCA::SecureMessage::Ascii);
			msg->startVerify(sig);
			msg->update(data);
			msg->end();
			msg->waitForFinished(-1);

			if(debug)
			{
				output_keystore_diagnostic_text();
				output_message_diagnostic_text(msg);
			}

			if(!msg->success())
			{
				QString errstr = smErrorToString(msg->errorCode());
				delete msg;
				delete sms;
				fprintf(stderr, "Error: verify failed: %s\n", qPrintable(errstr));
				return 1;
			}

			QByteArray output;
			if(pgp && sig.isEmpty())
				output = msg->read();

			QList<QCA::SecureMessageSignature> signers = msg->signers();
			delete msg;
			delete sms;

			// for pgp clearsign, pgp signed (non-detached), and smime,
			//   the signed content was inside of the message.  we need
			//   to print that content now
			if(pgp)
			{
				printf("%s", output.data());
			}
			else
			{
				QString str = open_mime_envelope(smime_text);
				printf("%s", str.toUtf8().data());
			}

			smDisplaySignatures(signers);

			bool allgood = true;
			foreach(const QCA::SecureMessageSignature &signer, signers)
			{
				if(signer.identityResult() != QCA::SecureMessageSignature::Valid)
				{
					allgood = false;
					break;
				}
			}

			if(!allgood)
				return 1;
		}
		else if(args[1] == QLatin1String("decrypt"))
		{
			if(args.count() < 3)
			{
				usage();
				return 1;
			}

			QCA::SecureMessageSystem *sms;
			bool pgp = false;

			if(args[2] == QLatin1String("pgp"))
			{
				if(!QCA::isSupported("openpgp"))
				{
					fprintf(stderr, "Error: need 'openpgp' feature.\n");
					return 1;
				}

				sms = new QCA::OpenPGP;
				pgp = true;
			}
			else if(args[2] == QLatin1String("smime"))
			{
				if(args.count() < 4)
				{
					usage();
					return 1;
				}

				if(!QCA::isSupported("cms"))
				{
					fprintf(stderr, "Error: need 'cms' feature.\n");
					return 1;
				}

				// user can provide many possible decrypt keys
				QList<QCA::KeyBundle> keys;
				for(int n = 3; n < args.count(); ++n)
				{
					QCA::KeyBundle key = get_X(args[n]);
					if(key.isNull())
						return 1;
					keys += key;
				}

				sms = new QCA::CMS;

				QList<QCA::SecureMessageKey> skeys;
				foreach(const QCA::KeyBundle &key, keys)
				{
					QCA::SecureMessageKey skey;
					skey.setX509CertificateChain(key.certificateChain());
					skey.setX509PrivateKey(key.privateKey());
					skeys += skey;
				}

				((QCA::CMS*)sms)->setPrivateKeys(skeys);
			}
			else
			{
				usage();
				return 1;
			}

			// read input data from stdin all at once
			QByteArray plain;
			while(!feof(stdin))
			{
				QByteArray block(1024, 0);
				int n = fread(block.data(), 1, 1024, stdin);
				if(n < 0)
					break;
				block.resize(n);
				plain += block;
			}

			// smime envelope
			if(!pgp)
			{
				QString in = QString::fromUtf8(plain);
				QString str = open_mime_envelope(in);
				if(str.isEmpty())
				{
					delete sms;
					fprintf(stderr, "Error: can't parse message file.\n");
					return 1;
				}

				QCA::Base64 dec;
				dec.setLineBreaksEnabled(true);
				plain = dec.stringToArray(rem_cr(str)).toByteArray();
			}

			QCA::SecureMessage *msg = new QCA::SecureMessage(sms);
			if(pgp)
				msg->setFormat(QCA::SecureMessage::Ascii);
			msg->startDecrypt();
			msg->update(plain);
			msg->end();
			msg->waitForFinished(-1);

			if(debug)
			{
				output_keystore_diagnostic_text();
				output_message_diagnostic_text(msg);
			}

			if(!msg->success())
			{
				QString errstr = smErrorToString(msg->errorCode());
				delete msg;
				delete sms;
				fprintf(stderr, "Error: decrypt failed: %s\n", qPrintable(errstr));
				return 1;
			}

			QByteArray output = msg->read();

			QList<QCA::SecureMessageSignature> signers;
			bool wasSigned = false;
			if(msg->wasSigned())
			{
				signers = msg->signers();
				wasSigned = true;
			}
			delete msg;
			delete sms;

			printf("%s", output.data());

			if(wasSigned)
			{
				fprintf(stderr, "Message was also signed:\n");

				smDisplaySignatures(signers);

				bool allgood = true;
				foreach(const QCA::SecureMessageSignature &signer, signers)
				{
					if(signer.identityResult() != QCA::SecureMessageSignature::Valid)
					{
						allgood = false;
						break;
					}
				}

				if(!allgood)
					return 1;
			}
		}
		else if(args[1] == QLatin1String("exportcerts"))
		{
			if(!QCA::isSupported("cms"))
			{
				fprintf(stderr, "Error: need 'cms' feature.\n");
				return 1;
			}

			QCA::SecureMessageSystem *sms = new QCA::CMS;

			QByteArray data, sig;
			QString smime_text;
			{
				// read input data from stdin all at once
				QByteArray plain;
				while(!feof(stdin))
				{
					QByteArray block(1024, 0);
					int n = fread(block.data(), 1, 1024, stdin);
					if(n < 0)
						break;
					block.resize(n);
					plain += block;
				}

				// smime envelope
				QString in = QString::fromUtf8(plain);
				QString str, sigtext;
				if(!open_mime_data_sig(in, &str, &sigtext))
				{
					delete sms;
					fprintf(stderr, "Error: can't parse message file.\n");
					return 1;
				}

				data = str.toUtf8();
				smime_text = str;

				QCA::Base64 dec;
				dec.setLineBreaksEnabled(true);
				sig = dec.stringToArray(rem_cr(sigtext)).toByteArray();
			}

			QCA::SecureMessage *msg = new QCA::SecureMessage(sms);
			msg->startVerify(sig);
			msg->update(data);
			msg->end();
			msg->waitForFinished(-1);

			if(debug)
				output_message_diagnostic_text(msg);

			if(!msg->success())
			{
				QString errstr = smErrorToString(msg->errorCode());
				delete msg;
				delete sms;
				fprintf(stderr, "Error: export failed: %s\n", qPrintable(errstr));
				return 1;
			}

			QList<QCA::SecureMessageSignature> signers = msg->signers();
			delete msg;
			delete sms;

			// print out all certs of all signers
			foreach(const QCA::SecureMessageSignature &signer, signers)
			{
				QCA::SecureMessageKey key = signer.key();
				if(!key.isNull())
				{
					foreach(const QCA::Certificate &c, key.x509CertificateChain())
						printf("%s", qPrintable(c.toPEM()));
				}
			}
		}
		else
		{
			usage();
			return 1;
		}
	}
	else
	{
		usage();
		return 1;
	}

	return 0;
}

#include "main.moc"