The main reason for the rewrite was that the call
KeyCache::mutableInstance()->refresh(keys);
clears the key cache and only adds the passed keys (i.e. the imported
X.509 certificates) to the key cache. In particular, this removed all
OpenPGP keys and all previously existing X.509 certificates from the
key cache. That was certainly not intended.

The new approach is a bit slower because it does an update for each
imported X.509 certificate instead of for all certificates with a single
keylisting.

This change also fixes a regression introduced with commit
0b7978d5
which performed the validation for external and local CMS imports.

GnuPG-bug-id: 5638