Rewrite parsing of enveloped-data using NSS
Rewrite parsing of enveloped-data when we're using keys with NSS. To
bypass NSS's insistence that we have a recipient certificate that's
stored in a token (i.e., a temporary certificate won't do), we decrypt
the bulk key using the private key, and then re-encrypt it with a
throwaway RSA public key, then decrypt the whole thing using the
corresponding private key. This lets us avoid having to drive the bulk
decryption ourselves.