Initial CAPI PKCS #11 Module.

Needs the updated ckfw.

15 files changed, 3336 insertions, 0 deletions

diff --git a/security/nss/lib/ckfw/capi/Makefile b/security/nss/lib/ckfw/capi/Makefile
new file mode 100644
index 000000000..561fb6cd7
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/Makefile
@@ -0,0 +1,104 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+MAKEFILE_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+include manifest.mn
+include $(CORE_DEPTH)/coreconf/config.mk
+include config.mk
+
+EXTRA_LIBS = \
+	$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
+	$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
+	$(NULL)
+
+# can't do this in manifest.mn because OS_TARGET isn't defined there.
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+
+ifdef NS_USE_GCC
+EXTRA_LIBS += \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+else 
+EXTRA_SHARED_LIBS += \
+        $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.lib \
+        $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.lib \
+        $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.lib \
+        crypt32.lib \
+	advapi32.lib \
+        $(NULL)
+endif # NS_USE_GCC
+else
+
+EXTRA_LIBS += \
+	-L$(NSPR_LIB_DIR) \
+	-lplc4 \
+	-lplds4 \
+	-lnspr4 \
+	$(NULL)
+endif
+
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+# Generate certdata.c.
+generate:
+	perl certdata.perl < certdata.txt
+
+# This'll need some help from a build person.
+
+
+ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.1)
+DSO_LDOPTS              = -bM:SRE -bh:4 -bnoentry
+EXTRA_DSO_LDOPTS        = -lc
+MKSHLIB                 = xlC $(DSO_LDOPTS)
+
+$(SHARED_LIBRARY): $(OBJS)
+	@$(MAKE_OBJDIR)
+	rm -f $@
+	$(MKSHLIB) -o $@ $(OBJS) $(EXTRA_LIBS) $(EXTRA_DSO_LDOPTS)
+	chmod +x $@
+
+endif
+
+ifeq ($(OS_TARGET)$(OS_RELEASE), AIX4.2)
+LD      += -G
+endif 
+
+
diff --git a/security/nss/lib/ckfw/capi/README b/security/nss/lib/ckfw/capi/README
new file mode 100644
index 000000000..76fa6638a
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/README
@@ -0,0 +1,6 @@
+This Cryptoki module provides acces to certs and keys stored in
+Microsofts CAPI certificate store.
+
+Currently this module is read only.
+It does not export CA Root trust from the CAPI.
+It does not export CRLs from the CAPI.
diff --git a/security/nss/lib/ckfw/capi/anchor.c b/security/nss/lib/ckfw/capi/anchor.c
new file mode 100644
index 000000000..e21006621
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/anchor.c
@@ -0,0 +1,55 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * capi/canchor.c
+ *
+ * This file "anchors" the actual cryptoki entry points in this module's
+ * shared library, which is required for dynamic loading.  See the 
+ * comments in nssck.api for more information.
+ */
+
+#include "ckcapi.h"
+
+#define MODULE_NAME ckcapi
+#define INSTANCE_NAME (NSSCKMDInstance *)&nss_ckcapi_mdInstance
+#include "nssck.api"
diff --git a/security/nss/lib/ckfw/capi/cfind.c b/security/nss/lib/ckfw/capi/cfind.c
new file mode 100644
index 000000000..c9e1b104b
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/cfind.c
@@ -0,0 +1,456 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef CKCAPI_H
+#include "ckcapi.h"
+#endif /* CKCAPI_H */
+
+/*
+ * ckcapi/cfind.c
+ *
+ * This file implements the NSSCKMDFindObjects object for the
+ * "capi" cryptoki module.
+ */
+
+struct ckcapiFOStr {
+  NSSArena *arena;
+  CK_ULONG n;
+  CK_ULONG i;
+  ckcapiInternalObject **objs;
+};
+
+static void
+ckcapi_mdFindObjects_Final
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  struct ckcapiFOStr *fo = (struct ckcapiFOStr *)mdFindObjects->etc;
+  NSSArena *arena = fo->arena;
+  PRUint32 i;
+
+  /* walk down an free the unused 'objs' */
+  for (i=fo->i; i < fo->n ; i++) {
+    nss_ckcapi_DestroyInternalObject(fo->objs[i]);
+  }
+
+  nss_ZFreeIf(fo->objs);
+  nss_ZFreeIf(fo);
+  nss_ZFreeIf(mdFindObjects);
+  if ((NSSArena *)NULL != arena) {
+    NSSArena_Destroy(arena);
+  }
+
+  return;
+}
+
+static NSSCKMDObject *
+ckcapi_mdFindObjects_Next
+(
+  NSSCKMDFindObjects *mdFindObjects,
+  NSSCKFWFindObjects *fwFindObjects,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSArena *arena,
+  CK_RV *pError
+)
+{
+  struct ckcapiFOStr *fo = (struct ckcapiFOStr *)mdFindObjects->etc;
+  ckcapiInternalObject *io;
+
+  if( fo->i == fo->n ) {
+    *pError = CKR_OK;
+    return (NSSCKMDObject *)NULL;
+  }
+
+  io = fo->objs[ fo->i ];
+  fo->i++;
+
+  return nss_ckcapi_CreateMDObject(arena, io, pError);
+}
+
+static CK_BBOOL
+ckcapi_attrmatch
+(
+  CK_ATTRIBUTE_PTR a,
+  ckcapiInternalObject *o
+)
+{
+  PRBool prb;
+  const NSSItem *b;
+
+  b = nss_ckcapi_FetchAttribute(o, a->type);
+  if (b == NULL) {
+    return CK_FALSE;
+  }
+
+  if( a->ulValueLen != b->size ) {
+    /* match a decoded serial number */
+    if ((a->type == CKA_SERIAL_NUMBER) && (a->ulValueLen < b->size)) {
+	int len;
+	unsigned char *data;
+
+	data = nss_ckcapi_DERUnwrap(b->data, b->size, &len, NULL);
+	if ((len == a->ulValueLen) && 
+		nsslibc_memequal(a->pValue, data, len, (PRStatus *)NULL)) {
+	    return CK_TRUE;
+	}
+    }
+    return CK_FALSE;
+  }
+
+  prb = nsslibc_memequal(a->pValue, b->data, b->size, (PRStatus *)NULL);
+
+  if( PR_TRUE == prb ) {
+    return CK_TRUE;
+  } else {
+    return CK_FALSE;
+  }
+}
+
+
+static CK_BBOOL
+ckcapi_match
+(
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  ckcapiInternalObject *o
+)
+{
+  CK_ULONG i;
+
+  for( i = 0; i < ulAttributeCount; i++ ) {
+    if (CK_FALSE == ckcapi_attrmatch(&pTemplate[i], o)) {
+      return CK_FALSE;
+    }
+  }
+
+  /* Every attribute passed */
+  return CK_TRUE;
+}
+
+#define CKAPI_ITEM_CHUNK  20
+
+#define PUT_Object(obj) \
+  { \
+    if (count >= size) { \
+    *listp = *listp ? \
+		nss_ZREALLOCARRAY(*listp, ckcapiInternalObject *, \
+		               (size+CKAPI_ITEM_CHUNK) ) : \
+		nss_ZNEWARRAY(NULL, ckcapiInternalObject *, \
+		               (size+CKAPI_ITEM_CHUNK) ) ; \
+      if ((ckcapiInternalObject **)NULL == *listp) { \
+        *pError = CKR_HOST_MEMORY; \
+        goto loser; \
+      } \
+      size += CKAPI_ITEM_CHUNK; \
+    } \
+    (*listp)[ count ] = (obj); \
+    count++; \
+  }
+
+static PRUint32
+collect_class(
+  CK_OBJECT_CLASS objClass,
+  LPCSTR storeStr,
+  PRBool hasID,
+  CK_ATTRIBUTE_PTR pTemplate, 
+  CK_ULONG ulAttributeCount, 
+  ckcapiInternalObject ***listp,
+  PRUint32 *sizep,
+  PRUint32 count,
+  CK_RV *pError
+)
+{
+  PRUint32 size = *sizep;
+  ckcapiInternalObject *next = NULL;
+  HCERTSTORE hstore;
+  PCCERT_CONTEXT certContext = NULL;
+  PRBool  isKey = 
+     (objClass == CKO_PUBLIC_KEY) | (objClass == CKO_PRIVATE_KEY);
+
+  hstore = CertOpenSystemStore((HCRYPTPROV)NULL, storeStr);
+  if (NULL == hstore) {
+     return count; /* none found does not imply an error */
+  }
+
+  /* FUTURE: use CertFindCertificateInStore to filter better -- so we don't
+   * have to enumerate all the certificates */
+  while ((PCERT_CONTEXT) NULL != 
+         (certContext= CertEnumCertificatesInStore(hstore, certContext))) {
+    /* first filter out non user certs if we are looking for keys */
+    if (isKey) {
+      /* make sure there is a Key Provider Info property */
+      CRYPT_KEY_PROV_INFO key_prov;
+      DWORD size = sizeof(CRYPT_KEY_PROV_INFO);
+      BOOL rv;
+      rv =CertGetCertificateContextProperty(certContext,
+        CERT_KEY_PROV_INFO_PROP_ID, &key_prov, &size);
+      if (!rv) {
+	int reason = GetLastError();
+        /* we only care if it exists, we don't really need to fetch it yet */
+	if (reason == CRYPT_E_NOT_FOUND) {
+	  continue;
+	}
+      }
+    }
+    
+    if ((ckcapiInternalObject *)NULL == next) {
+      next = nss_ZNEW(NULL, ckcapiInternalObject);
+      if ((ckcapiInternalObject *)NULL == next) {
+        *pError = CKR_HOST_MEMORY;
+        goto loser;
+      }
+    }
+    next->type = ckcapiCert;
+    next->u.cert.objClass = objClass;
+    next->u.cert.certContext = certContext;
+    next->u.cert.hasID = hasID;
+    if( CK_TRUE == ckcapi_match(pTemplate, ulAttributeCount, next) ) {
+      /* clear cached values that may be dependent on our old certContext */
+      memset(&next->u.cert, 0, sizeof(next->u.cert));
+      /* get a 'permanent' context */
+      next->u.cert.certContext = CertDuplicateCertificateContext(certContext);
+      next->u.cert.objClass = objClass;
+      next->u.cert.certContext = certContext;
+      next->u.cert.hasID = hasID;
+      PUT_Object(next);
+      next = NULL; /* need to allocate a new one now */
+    } else {
+      /* don't cache the values we just loaded */
+      memset(&next->u.cert, 0, sizeof(next->u.cert));
+    }
+  }
+loser:
+  nss_ZFreeIf(next);
+  *sizep = size;
+  return count;
+}
+
+static PRUint32
+collect_all_certs(
+  CK_ATTRIBUTE_PTR pTemplate, 
+  CK_ULONG ulAttributeCount, 
+  ckcapiInternalObject ***listp,
+  PRUint32 *sizep,
+  PRUint32 count,
+  CK_RV *pError
+)
+{
+  count = collect_class(CKO_CERTIFICATE, "My", PR_TRUE, pTemplate, 
+			ulAttributeCount, listp, sizep, count, pError);
+  count = collect_class(CKO_CERTIFICATE, "AddressBook", PR_FALSE, pTemplate, 
+                        ulAttributeCount, listp, sizep, count, pError);
+  count = collect_class(CKO_CERTIFICATE, "CA", PR_FALSE, pTemplate, 
+			ulAttributeCount, listp, sizep, count, pError);
+  count = collect_class(CKO_CERTIFICATE, "Root", PR_FALSE, pTemplate, 
+			ulAttributeCount, listp, sizep, count, pError);
+  count = collect_class(CKO_CERTIFICATE, "Trust", PR_FALSE, pTemplate, 
+			ulAttributeCount, listp, sizep, count, pError);
+  count = collect_class(CKO_CERTIFICATE, "TrustedPeople", PR_FALSE, pTemplate, 
+                        ulAttributeCount, listp, sizep, count, pError);
+  count = collect_class(CKO_CERTIFICATE, "AuthRoot", PR_FALSE, pTemplate, 
+                        ulAttributeCount, listp, sizep, count, pError);
+  return count;
+}
+
+static CK_OBJECT_CLASS
+ckcapi_GetObjectClass(CK_ATTRIBUTE_PTR pTemplate, 
+                      CK_ULONG ulAttributeCount)
+{
+  CK_ULONG i;
+
+  for (i=0; i < ulAttributeCount; i++)
+  {
+    if (pTemplate[i].type == CKA_CLASS) {
+      return *(CK_OBJECT_CLASS *) pTemplate[i].pValue;
+    }
+  }
+  /* need to return a value that says 'fetch them all' */
+  return CK_INVALID_HANDLE;
+}
+
+static PRUint32
+collect_objects(
+  CK_ATTRIBUTE_PTR pTemplate, 
+  CK_ULONG ulAttributeCount, 
+  ckcapiInternalObject ***listp,
+  CK_RV *pError
+)
+{
+  PRUint32 i;
+  PRUint32 count = 0;
+  PRUint32 size = 0;
+  CK_OBJECT_CLASS objClass;
+
+  /*
+   * first handle the static build in objects (if any)
+   */
+  for( i = 0; i < nss_ckcapi_nObjects; i++ ) {
+    ckcapiInternalObject *o = (ckcapiInternalObject *)&nss_ckcapi_data[i];
+
+    if( CK_TRUE == ckcapi_match(pTemplate, ulAttributeCount, o) ) {
+      PUT_Object(o);
+    }
+  }
+
+  /*
+   * now handle the various object types
+   */
+  objClass = ckcapi_GetObjectClass(pTemplate, ulAttributeCount);
+  *pError = CKR_OK;
+  switch (objClass) {
+  case CKO_CERTIFICATE:
+    count = collect_all_certs(pTemplate, ulAttributeCount, listp, 
+                              &size, count, pError);
+    break;
+  case CKO_PUBLIC_KEY:
+    count = collect_class(objClass, "My", PR_TRUE, pTemplate, 
+			ulAttributeCount, listp, &size, count, pError);
+    break;
+  case CKO_PRIVATE_KEY:
+    count = collect_class(objClass, "My", PR_TRUE, pTemplate, 
+			ulAttributeCount, listp, &size, count, pError);
+    break;
+  /* all of them */
+  case CK_INVALID_HANDLE:
+    count = collect_all_certs(pTemplate, ulAttributeCount, listp, 
+                              &size, count, pError);
+    count = collect_class(CKO_PUBLIC_KEY, "My", PR_TRUE, pTemplate, 
+			ulAttributeCount, listp, &size, count, pError);
+    count = collect_class(CKO_PRIVATE_KEY, "My", PR_TRUE, pTemplate, 
+			ulAttributeCount, listp, &size, count, pError);
+    break;
+  default:
+    goto done; /* no other object types we understand in this module */
+  }
+  if (CKR_OK != *pError) {
+    goto loser;
+  }
+
+
+done:
+  return count;
+loser:
+  nss_ZFreeIf(*listp);
+  return 0;
+}
+
+
+
+NSS_IMPLEMENT NSSCKMDFindObjects *
+nss_ckcapi_FindObjectsInit
+(
+  NSSCKFWSession *fwSession,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  /* This could be made more efficient.  I'm rather rushed. */
+  NSSArena *arena;
+  NSSCKMDFindObjects *rv = (NSSCKMDFindObjects *)NULL;
+  struct ckcapiFOStr *fo = (struct ckcapiFOStr *)NULL;
+  ckcapiInternalObject **temp = (ckcapiInternalObject **)NULL;
+
+  arena = NSSArena_Create();
+  if( (NSSArena *)NULL == arena ) {
+    goto loser;
+  }
+
+  rv = nss_ZNEW(arena, NSSCKMDFindObjects);
+  if( (NSSCKMDFindObjects *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  fo = nss_ZNEW(arena, struct ckcapiFOStr);
+  if( (struct ckcapiFOStr *)NULL == fo ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  fo->arena = arena;
+  /* fo->n and fo->i are already zero */
+
+  rv->etc = (void *)fo;
+  rv->Final = ckcapi_mdFindObjects_Final;
+  rv->Next = ckcapi_mdFindObjects_Next;
+  rv->null = (void *)NULL;
+
+  fo->n = collect_objects(pTemplate, ulAttributeCount, &temp, pError);
+  if (*pError != CKR_OK) {
+    goto loser;
+  }
+
+  fo->objs = nss_ZNEWARRAY(arena, ckcapiInternalObject *, fo->n);
+  if( (ckcapiInternalObject **)NULL == fo->objs ) {
+    *pError = CKR_HOST_MEMORY;
+    goto loser;
+  }
+
+  (void)nsslibc_memcpy(fo->objs, temp, sizeof(ckcapiInternalObject *) * fo->n);
+  nss_ZFreeIf(temp);
+  temp = (ckcapiInternalObject **)NULL;
+
+  return rv;
+
+ loser:
+  nss_ZFreeIf(temp);
+  nss_ZFreeIf(fo);
+  nss_ZFreeIf(rv);
+  if ((NSSArena *)NULL != arena) {
+     NSSArena_Destroy(arena);
+  }
+  return (NSSCKMDFindObjects *)NULL;
+}
+
diff --git a/security/nss/lib/ckfw/capi/cinst.c b/security/nss/lib/ckfw/capi/cinst.c
new file mode 100644
index 000000000..5a6ca55df
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/cinst.c
@@ -0,0 +1,134 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckcapi.h"
+
+/*
+ * ckcapi/cinstance.c
+ *
+ * This file implements the NSSCKMDInstance object for the 
+ * "capi" cryptoki module.
+ */
+
+/*
+ * NSSCKMDInstance methods
+ */
+
+static CK_ULONG
+ckcapi_mdInstance_GetNSlots
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (CK_ULONG)1;
+}
+
+static CK_VERSION
+ckcapi_mdInstance_GetCryptokiVersion
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_ckcapi_CryptokiVersion;
+}
+
+static NSSUTF8 *
+ckcapi_mdInstance_GetManufacturerID
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckcapi_ManufacturerID;
+}
+
+static NSSUTF8 *
+ckcapi_mdInstance_GetLibraryDescription
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckcapi_LibraryDescription;
+}
+
+static CK_VERSION
+ckcapi_mdInstance_GetLibraryVersion
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_ckcapi_LibraryVersion;
+}
+
+static CK_RV
+ckcapi_mdInstance_GetSlots
+(
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDSlot *slots[]
+)
+{
+  slots[0] = (NSSCKMDSlot *)&nss_ckcapi_mdSlot;
+  return CKR_OK;
+}
+
+NSS_IMPLEMENT_DATA const NSSCKMDInstance
+nss_ckcapi_mdInstance = {
+  (void *)NULL, /* etc */
+  NULL, /* Initialize */
+  NULL, /* Finalize */
+  ckcapi_mdInstance_GetNSlots,
+  ckcapi_mdInstance_GetCryptokiVersion,
+  ckcapi_mdInstance_GetManufacturerID,
+  ckcapi_mdInstance_GetLibraryDescription,
+  ckcapi_mdInstance_GetLibraryVersion,
+  NULL, /* ModuleHandlesSessionObjects -- defaults to false */
+  ckcapi_mdInstance_GetSlots,
+  NULL, /* WaitForSlotEvent */
+  (void *)NULL /* null terminator */
+};
diff --git a/security/nss/lib/ckfw/capi/ckcapiver.c b/security/nss/lib/ckfw/capi/ckcapiver.c
new file mode 100644
index 000000000..d69290575
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/ckcapiver.c
@@ -0,0 +1,59 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+/* Library identity and versioning */
+
+#include "nsscapi.h"
+
+#if defined(DEBUG)
+#define _DEBUG_STRING " (debug)"
+#else
+#define _DEBUG_STRING ""
+#endif
+
+/*
+ * Version information for the 'ident' and 'what commands
+ *
+ * NOTE: the first component of the concatenated rcsid string
+ * must not end in a '$' to prevent rcs keyword substitution.
+ */
+const char __nss_ckcapi_rcsid[] = "$Header: NSS Access to Microsoft Certificate Store "
+        NSS_CKCAPI_LIBRARY_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__ " $";
+const char __nss_ckcapi_sccsid[] = "@(#)NSS Access to Microsoft Certificate Store "
+        NSS_CKCAPI_LIBRARY_VERSION _DEBUG_STRING
+        "  " __DATE__ " " __TIME__;
diff --git a/security/nss/lib/ckfw/capi/cobject.c b/security/nss/lib/ckfw/capi/cobject.c
new file mode 100644
index 000000000..e00585a74
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/cobject.c
@@ -0,0 +1,987 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckcapi.h"
+#include "nssbase.h"
+
+/*
+ * ckcapi/cobject.c
+ *
+ * This file implements the NSSCKMDObject object for the
+ * "nss to capi objects" cryptoki module.
+ */
+
+const CK_ATTRIBUTE_TYPE certAttrs[] = {
+    CKA_CLASS,
+    CKA_TOKEN,
+    CKA_PRIVATE,
+    CKA_MODIFIABLE,
+    CKA_LABEL,
+    CKA_CERTIFICATE_TYPE,
+    CKA_SUBJECT,
+    CKA_ISSUER,
+    CKA_SERIAL_NUMBER,
+    CKA_VALUE
+};
+const PRUint32 certAttrsCount = NSS_CKCAPI_ARRAY_SIZE(certAttrs);
+
+/* private keys, for now only support RSA */
+const CK_ATTRIBUTE_TYPE privKeyAttrs[] = {
+    CKA_CLASS,
+    CKA_TOKEN,
+    CKA_PRIVATE,
+    CKA_MODIFIABLE,
+    CKA_LABEL,
+    CKA_KEY_TYPE,
+    CKA_DERIVE,
+    CKA_LOCAL,
+    CKA_SUBJECT,
+    CKA_SENSITIVE,
+    CKA_DECRYPT,
+    CKA_SIGN,
+    CKA_SIGN_RECOVER,
+    CKA_UNWRAP,
+    CKA_EXTRACTABLE,
+    CKA_ALWAYS_SENSITIVE,
+    CKA_NEVER_EXTRACTABLE,
+    CKA_MODULUS,
+    CKA_PUBLIC_EXPONENT,
+};
+const PRUint32 privKeyAttrsCount = NSS_CKCAPI_ARRAY_SIZE(privKeyAttrs);
+
+/* public keys, for now only support RSA */
+const CK_ATTRIBUTE_TYPE pubKeyAttrs[] = {
+    CKA_CLASS,
+    CKA_TOKEN,
+    CKA_PRIVATE,
+    CKA_MODIFIABLE,
+    CKA_LABEL,
+    CKA_KEY_TYPE,
+    CKA_DERIVE,
+    CKA_LOCAL,
+    CKA_SUBJECT,
+    CKA_ENCRYPT,
+    CKA_VERIFY,
+    CKA_VERIFY_RECOVER,
+    CKA_WRAP,
+    CKA_MODULUS,
+    CKA_PUBLIC_EXPONENT,
+};
+const PRUint32 pubKeyAttrsCount = NSS_CKCAPI_ARRAY_SIZE(pubKeyAttrs);
+static const CK_BBOOL ck_true = CK_TRUE;
+static const CK_BBOOL ck_false = CK_FALSE;
+static const CK_CERTIFICATE_TYPE ckc_x509 = CKC_X_509;
+static const CK_KEY_TYPE ckk_rsa = CKK_RSA;
+static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
+static const CK_OBJECT_CLASS cko_private_key = CKO_PRIVATE_KEY;
+static const CK_OBJECT_CLASS cko_public_key = CKO_PUBLIC_KEY;
+static const NSSItem ckcapi_trueItem = { 
+  (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) };
+static const NSSItem ckcapi_falseItem = { 
+  (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) };
+static const NSSItem ckcapi_x509Item = { 
+  (void *)&ckc_x509, (PRUint32)sizeof(CKC_X_509) };
+static const NSSItem ckcapi_rsaItem = { 
+  (void *)&ckk_rsa, (PRUint32)sizeof(CK_KEY_TYPE) };
+static const NSSItem ckcapi_certClassItem = { 
+  (void *)&cko_certificate, (PRUint32)sizeof(CK_OBJECT_CLASS) };
+static const NSSItem ckcapi_privKeyClassItem = {
+  (void *)&cko_private_key, (PRUint32)sizeof(CK_OBJECT_CLASS) };
+static const NSSItem ckcapi_pubKeyClassItem = {
+  (void *)&cko_public_key, (PRUint32)sizeof(CK_OBJECT_CLASS) };
+
+/*
+ * keep all the knowlege of how the internalObject is laid out in this function
+ *
+ * nss_ckcapi_FetchKeyContainer
+ *
+ * fetches the Provider container and info as well as a key handle for a
+ * private key. If something other than a private key is passed in,
+ * this function fails with CKR_KEY_TYPE_INCONSISTENT
+ */
+NSS_EXTERN CK_RV
+nss_ckcapi_FetchKeyContainer
+(
+  ckcapiInternalObject *iKey,
+  HCRYPTPROV *hProv, 
+  DWORD *keySpec,
+  HCRYPTKEY *hKey
+)
+{
+  ckcapiCertObject *co;
+  BOOL rc, dummy;
+  DWORD msError;
+#ifdef DEBUG
+  char string[512];
+  DWORD stringLen;
+  PCERT_PUBLIC_KEY_INFO pInfo;
+#endif
+
+  if (ckcapiRaw == iKey->type) {
+     /* can't have raw private keys */
+     return CKR_KEY_TYPE_INCONSISTENT;
+  }
+  co=&iKey->u.cert;
+  if (co->objClass != CKO_PRIVATE_KEY) {
+     /* Only private keys have private key provider handles */
+     return CKR_KEY_TYPE_INCONSISTENT;
+  }
+
+  /* OK, get the Provider */
+  rc = CryptAcquireCertificatePrivateKey(co->certContext,
+    CRYPT_ACQUIRE_CACHE_FLAG|CRYPT_ACQUIRE_COMPARE_KEY_FLAG, NULL, hProv, 
+    keySpec, &dummy);
+  if (!rc) {
+    goto loser;
+  }
+
+#ifdef DEBUG
+  /* get information about the provider for debugging purposes */
+  stringLen = sizeof(string);
+  rc = CryptGetProvParam(*hProv, PP_CONTAINER, string, &stringLen, 0);
+  if (!rc) {
+    msError = GetLastError();
+  }
+
+  stringLen = sizeof(string);
+  rc = CryptGetProvParam(*hProv, PP_NAME, string, &stringLen, 0);
+  if (!rc) {
+    msError = GetLastError();
+  }
+
+  pInfo = (PCERT_PUBLIC_KEY_INFO) string;
+  stringLen = sizeof(string);
+  rc = CryptExportPublicKeyInfo(*hProv, *keySpec, X509_ASN_ENCODING,
+  pInfo, &stringLen);
+  if (!rc) {
+    msError = GetLastError();
+  }
+#endif
+
+  /* and get the crypto handle */
+  rc = CryptGetUserKey(*hProv, *keySpec, hKey);
+  if (!rc) {
+    goto loser;
+  }
+  return CKR_OK;
+loser:
+  /* map the microsoft error before leaving */
+  msError = GetLastError();
+  switch (msError) {
+  case ERROR_INVALID_HANDLE:
+  case ERROR_INVALID_PARAMETER:
+  case NTE_BAD_KEY:
+  case NTE_NO_KEY:
+  case NTE_BAD_PUBLIC_KEY:
+  case NTE_BAD_KEYSET:
+  case NTE_KEYSET_NOT_DEF:
+    return CKR_KEY_TYPE_INCONSISTENT;
+  case NTE_BAD_UID:
+  case NTE_KEYSET_ENTRY_BAD:
+    return CKR_DEVICE_ERROR;
+  }
+  return CKR_GENERAL_ERROR;
+}
+
+  
+
+
+/*
+ * unwrap a single DER value
+ */
+char *
+nss_ckcapi_DERUnwrap
+(
+  char *src, 
+  int size, 
+  int *outSize, 
+  char **next
+)
+{
+  unsigned char *start = src;
+  unsigned char *end = src+size;
+  unsigned int len = 0;
+
+  /* initialize error condition return values */
+  *outSize = 0;
+  if (next) {
+    *next = src;
+  }
+
+  if (size < 2) {
+    return start;
+  }
+  src ++ ; /* skip the tag -- should check it against an expected value! */
+  len = (unsigned) *src++;
+  if (len & 0x80) {
+    int count = len & 0x7f;
+    len =0;
+
+    if (count+2 > size) {
+      return start;
+    }
+    while (count-- > 0) {
+      len = (len << 8) | (unsigned) *src++;
+    }
+  }
+  if (len + (src-start) > (unsigned int)size) {
+    return start;
+  }
+  if (next) {
+    *next = src+len;
+  }
+  *outSize = len;
+
+  return src;
+}
+
+/*
+ * take a DER PUBLIC Key block and return the modulus and exponent
+ */
+void
+ckcapi_PopulateModulusExponent(ckcapiInternalObject *io)
+{
+  ckcapiCertObject *co = &io->u.cert;
+  PCCERT_CONTEXT certContext = io->u.cert.certContext;
+  char *pkData = certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.pbData;
+  CK_ULONG size= certContext->pCertInfo->SubjectPublicKeyInfo.PublicKey.cbData;
+  CK_ULONG newSize;
+  char *ptr, *newptr;
+
+  /* find the start of the modulus -- this will not give good results if
+   * the key isn't an rsa key! */
+  ptr = nss_ckcapi_DERUnwrap(pkData, size, &newSize, NULL);
+  co->modulus.data = nss_ckcapi_DERUnwrap(ptr, newSize, 
+                                           &co->modulus.size, &newptr);
+  /* changed from signed to unsigned int */
+  if (0 == *(char *)co->modulus.data) {
+    co->modulus.data = ((char *)co->modulus.data)+1;
+    co->modulus.size = co->modulus.size - 1;
+  }
+  /* changed from signed to unsigned int */
+  co->exponent.data = nss_ckcapi_DERUnwrap(newptr, (newptr-ptr)+newSize, 
+						&co->exponent.size, NULL);
+  if (0 == *(char *)co->exponent.data) {
+    co->exponent.data = ((char *)co->exponent.data)+1;
+    co->exponent.size = co->exponent.size - 1;
+  }
+
+  return;
+}
+
+/*
+ * fetch the friendly name attribute.
+ */
+void
+ckcapi_FetchLabel(ckcapiInternalObject *io)
+{
+  ckcapiCertObject *co = &io->u.cert;
+  PCCERT_CONTEXT certContext = io->u.cert.certContext;
+  char labelDataUTF16[128];
+  DWORD size = sizeof(labelDataUTF16);
+  DWORD size8 = sizeof(co->labelData);
+  BOOL rv;
+
+  rv = CertGetCertificateContextProperty(certContext,
+	CERT_FRIENDLY_NAME_PROP_ID, labelDataUTF16, &size);
+  if (rv) {
+    size = WideCharToMultiByte(CP_UTF8, 0, (LPCWSTR)labelDataUTF16, size,
+		co->labelData, size8, NULL, 0);
+    if (size == 0) {
+      rv = 0;
+    } else {
+      size = strlen(co->labelData); /* sigh WideCharToMultiByte returns a 
+                                     * broken length, get the real one. */
+    }
+  }
+  /* we are presuming a user cert, make sure it has a nickname, even if
+   * Microsoft never gave it one */
+  if (!rv && co->hasID) {
+    DWORD mserror = GetLastError();
+#define DEFAULT_NICKNAME "no Microsoft nickname"
+    nsslibc_memcpy(co->labelData, DEFAULT_NICKNAME, sizeof(DEFAULT_NICKNAME));
+    size = sizeof(DEFAULT_NICKNAME);
+    rv = 1;
+  }
+    
+  if (rv) {
+    co->label.data = co->labelData;
+    co->label.size = size;
+  }
+  return;
+}
+
+void
+ckcapi_FetchSerial(ckcapiInternalObject *io)
+{
+  ckcapiCertObject *co = &io->u.cert;
+  PCCERT_CONTEXT certContext = io->u.cert.certContext;
+  DWORD size = sizeof(co->derSerial);
+
+  BOOL rc = CryptEncodeObject(X509_ASN_ENCODING,
+                         X509_MULTI_BYTE_INTEGER,
+                         &certContext->pCertInfo->SerialNumber,
+			 co->derSerial,
+                         &size);
+  if (rc) {
+    co->serial.data = co->derSerial;
+    co->serial.size = size;
+  }
+  return;
+}
+
+typedef struct _CAPI_RSA_KEY_BLOB {
+  PUBLICKEYSTRUC header;
+  RSAPUBKEY  rsa;
+  char	     data[1];
+} CAPI_RSA_KEY_BLOB;
+
+#define CAPI_MODULUS_OFFSET(modSize)     0
+#define CAPI_PRIME_1_OFFSET(modSize)     (modSize)
+#define CAPI_PRIME_2_OFFSET(modSize)     ((modSize)+(modSize)/2)
+#define CAPI_EXPONENT_1_OFFSET(modSize)  ((modSize)*2)
+#define CAPI_EXPONENT_2_OFFSET(modSize)  ((modSize)*2+(modSize)/2)
+#define CAPI_COEFFICIENT_OFFSET(modSize) ((modSize)*3)
+#define CAPI_PRIVATE_EXP_OFFSET(modSize) ((modSize)*3+(modSize)/2)
+
+void
+ckcapi_FetchPrivateKey(ckcapiInternalObject *io)
+{
+  ckcapiCertObject *co = &io->u.cert;
+  HCRYPTPROV hProv;
+  DWORD keySpec;
+  HCRYPTKEY hKey = 0;
+  CK_RV error;
+  DWORD bufLen;
+  BOOL rc;
+  unsigned long modulus;
+  char *buf = NULL;
+  CAPI_RSA_KEY_BLOB *blob;
+
+  error = nss_ckcapi_FetchKeyContainer(io, &hProv, &keySpec, &hKey);
+  if (CKR_OK != error) {
+    goto loser;
+  }
+
+  rc = CryptExportKey(hKey, 0, PRIVATEKEYBLOB, 0, buf, &bufLen);
+  if (!rc) {
+    goto loser;
+  }
+  buf = nss_ZNEWARRAY(NULL, char, bufLen);
+  rc = CryptExportKey(hKey, 0, PRIVATEKEYBLOB, 0, buf, &bufLen);
+  if (!rc) {
+    goto loser;
+  }
+  /* validate the blob */
+  blob = (CAPI_RSA_KEY_BLOB *)buf;
+  if ((PRIVATEKEYBLOB != blob->header.bType) ||
+      (0x02 != blob->header.bVersion) ||
+      (0x32415352 != blob->rsa.magic)) {
+    goto loser;
+  }
+  modulus = blob->rsa.bitlen/8;
+  co->privateKey = buf;
+  buf = NULL;
+
+  co->privateExponent.data = &blob->data[CAPI_PRIVATE_EXP_OFFSET(modulus)];
+  co->privateExponent.size = modulus;
+  ckcapi_ReverseData(&co->privateExponent);
+  co->prime1.data = &blob->data[CAPI_PRIME_1_OFFSET(modulus)];
+  co->prime1.size = modulus/2;
+  ckcapi_ReverseData(&co->prime1);
+  co->prime2.data = &blob->data[CAPI_PRIME_2_OFFSET(modulus)];
+  co->prime2.size = modulus/2;
+  ckcapi_ReverseData(&co->prime2);
+  co->exponent1.data = &blob->data[CAPI_EXPONENT_1_OFFSET(modulus)];
+  co->exponent1.size = modulus/2;
+  ckcapi_ReverseData(&co->exponent1);
+  co->exponent2.data = &blob->data[CAPI_EXPONENT_2_OFFSET(modulus)];
+  co->exponent2.size = modulus/2;
+  ckcapi_ReverseData(&co->exponent2);
+  co->coefficient.data = &blob->data[CAPI_COEFFICIENT_OFFSET(modulus)];
+  co->coefficient.size = modulus/2;
+  ckcapi_ReverseData(&co->coefficient);
+
+loser:
+  nss_ZFreeIf(buf);
+  if (0 != hKey) {
+     CryptDestroyKey(hKey);
+  }
+  return;
+}
+
+/*
+ * fetch the key ID.
+ */
+void
+ckcapi_FetchID(ckcapiInternalObject *io)
+{
+  ckcapiCertObject *co = &io->u.cert;
+  PCCERT_CONTEXT certContext = io->u.cert.certContext;
+  DWORD size = sizeof(co->idData);
+  BOOL rv;
+
+  rv = CertGetCertificateContextProperty(certContext,
+	CERT_KEY_IDENTIFIER_PROP_ID, co->idData, &size);
+  if (rv) {
+    co->id.data = co->idData;
+    co->id.size = size;
+  }
+  return;
+}
+
+/*
+ * fetch the hash key.
+ */
+void
+ckcapi_FetchHashKey(ckcapiInternalObject *io)
+{
+  ckcapiCertObject *co = &io->u.cert;
+  PCCERT_CONTEXT certContext = io->u.cert.certContext;
+  DWORD size = certContext->cbCertEncoded;
+  DWORD max = sizeof(co->hashKeyData);
+  DWORD offset = 0;
+
+  if (size+1 > max) {
+    offset = size+1 - max;
+    size = max-1;
+  }
+
+  nsslibc_memcpy(co->hashKeyData,certContext->pbCertEncoded+offset, size);
+  co->hashKeyData[size] = (char)(co->objClass & 0xff);
+
+  co->hashKey.data = co->hashKeyData;
+  co->hashKey.size = size+1;
+  return;
+}
+
+const NSSItem *
+ckcapi_FetchCertAttribute(ckcapiInternalObject *io,
+                              CK_ATTRIBUTE_TYPE type)
+{
+  PCCERT_CONTEXT certContext = io->u.cert.certContext;
+  switch(type) {
+  case CKA_CLASS:
+    return &ckcapi_certClassItem;
+  case CKA_TOKEN:
+    return &ckcapi_trueItem;
+  case CKA_MODIFIABLE:
+  case CKA_PRIVATE:
+    return &ckcapi_falseItem;
+  case CKA_CERTIFICATE_TYPE:
+    return &ckcapi_x509Item;
+  case CKA_LABEL:
+    if (0 == io->u.cert.label.size) {
+      ckcapi_FetchLabel(io);
+    }
+    return &io->u.cert.label;
+  case CKA_SUBJECT:
+    if (0 == io->u.cert.subject.size) {
+      io->u.cert.subject.data = certContext->pCertInfo->Subject.pbData;
+      io->u.cert.subject.size = certContext->pCertInfo->Subject.cbData;
+    }
+    return &io->u.cert.subject;
+  case CKA_ISSUER:
+    if (0 == io->u.cert.issuer.size) {
+      io->u.cert.issuer.data = certContext->pCertInfo->Issuer.pbData;
+      io->u.cert.issuer.size = certContext->pCertInfo->Issuer.cbData;
+    }
+    return &io->u.cert.issuer;
+  case CKA_SERIAL_NUMBER:
+    if (0 == io->u.cert.serial.size) {
+      /* not exactly right. This should be the encoded serial number, but
+       * it's the decoded serial number! */
+      ckcapi_FetchSerial(io);
+    }
+    return &io->u.cert.serial;
+  case CKA_VALUE:
+    if (0 == io->u.cert.derCert.size) {
+      io->u.cert.derCert.data = io->u.cert.certContext->pbCertEncoded;
+      io->u.cert.derCert.size = io->u.cert.certContext->cbCertEncoded;
+    }
+    return &io->u.cert.derCert;
+  case CKA_ID:
+    if (!io->u.cert.hasID) {
+      return NULL;
+    }
+    if (0 == io->u.cert.id.size) {
+      ckcapi_FetchID(io);
+    }
+    return &io->u.cert.id;
+  default:
+    break;
+  }
+  return NULL;
+}
+  
+
+const NSSItem *
+ckcapi_FetchPubKeyAttribute(ckcapiInternalObject *io, 
+                                CK_ATTRIBUTE_TYPE type)
+{
+  PCCERT_CONTEXT certContext = io->u.cert.certContext;
+  switch(type) {
+  case CKA_CLASS:
+    return &ckcapi_pubKeyClassItem;
+  case CKA_TOKEN:
+  case CKA_LOCAL:
+  case CKA_ENCRYPT:
+  case CKA_VERIFY:
+  case CKA_VERIFY_RECOVER:
+    return &ckcapi_trueItem;
+  case CKA_PRIVATE:
+  case CKA_MODIFIABLE:
+  case CKA_DERIVE:
+  case CKA_WRAP:
+    return &ckcapi_falseItem;
+  case CKA_KEY_TYPE:
+    return &ckcapi_rsaItem;
+  case CKA_LABEL:
+    if (0 == io->u.cert.label.size) {
+      ckcapi_FetchLabel(io);
+    }
+    return &io->u.cert.label;
+  case CKA_SUBJECT:
+    if (0 == io->u.cert.subject.size) {
+      io->u.cert.subject.data = certContext->pCertInfo->Subject.pbData;
+      io->u.cert.subject.size = certContext->pCertInfo->Subject.cbData;
+    }
+    return &io->u.cert.subject;
+  case CKA_MODULUS:
+    if (0 == io->u.cert.modulus.size) {
+	ckcapi_PopulateModulusExponent(io);
+    }
+    return &io->u.cert.modulus;
+  case CKA_PUBLIC_EXPONENT:
+    if (0 == io->u.cert.modulus.size) {
+	ckcapi_PopulateModulusExponent(io);
+    }
+    return &io->u.cert.exponent;
+  case CKA_ID:
+    if (0 == io->u.cert.id.size) {
+      ckcapi_FetchID(io);
+    }
+    return &io->u.cert.id;
+  default:
+    break;
+  }
+  return NULL;
+}
+const NSSItem *
+ckcapi_FetchPrivKeyAttribute(ckcapiInternalObject *io, 
+                                CK_ATTRIBUTE_TYPE type)
+{
+  PCCERT_CONTEXT certContext = io->u.cert.certContext;
+  switch(type) {
+  case CKA_CLASS:
+    return &ckcapi_privKeyClassItem;
+  case CKA_TOKEN:
+  case CKA_LOCAL:
+  case CKA_SIGN:
+  case CKA_DECRYPT:
+  case CKA_SIGN_RECOVER:
+    return &ckcapi_trueItem;
+  case CKA_SENSITIVE:
+  case CKA_PRIVATE:    /* should move in the future */
+  case CKA_MODIFIABLE:
+  case CKA_DERIVE:
+  case CKA_UNWRAP:
+  case CKA_EXTRACTABLE: /* will probably move in the future */
+  case CKA_ALWAYS_SENSITIVE:
+  case CKA_NEVER_EXTRACTABLE:
+    return &ckcapi_falseItem;
+  case CKA_KEY_TYPE:
+    return &ckcapi_rsaItem;
+  case CKA_LABEL:
+    if (0 == io->u.cert.label.size) {
+      ckcapi_FetchLabel(io);
+    }
+    return &io->u.cert.label;
+  case CKA_SUBJECT:
+    if (0 == io->u.cert.subject.size) {
+      io->u.cert.subject.data = certContext->pCertInfo->Subject.pbData;
+      io->u.cert.subject.size = certContext->pCertInfo->Subject.cbData;
+    }
+    return &io->u.cert.subject;
+  case CKA_MODULUS:
+    if (0 == io->u.cert.modulus.size) {
+      ckcapi_PopulateModulusExponent(io);
+    }
+    return &io->u.cert.modulus;
+  case CKA_PUBLIC_EXPONENT:
+    if (0 == io->u.cert.modulus.size) {
+      ckcapi_PopulateModulusExponent(io);
+    }
+    return &io->u.cert.exponent;
+  case CKA_PRIVATE_EXPONENT:
+    if (0 == io->u.cert.privateExponent.size) {
+      ckcapi_FetchPrivateKey(io);
+    }
+    return &io->u.cert.privateExponent;
+  case CKA_PRIME_1:
+    if (0 == io->u.cert.privateExponent.size) {
+      ckcapi_FetchPrivateKey(io);
+    }
+    return &io->u.cert.prime1;
+  case CKA_PRIME_2:
+    if (0 == io->u.cert.privateExponent.size) {
+      ckcapi_FetchPrivateKey(io);
+    }
+    return &io->u.cert.prime2;
+  case CKA_EXPONENT_1:
+    if (0 == io->u.cert.privateExponent.size) {
+      ckcapi_FetchPrivateKey(io);
+    }
+    return &io->u.cert.exponent1;
+  case CKA_EXPONENT_2:
+    if (0 == io->u.cert.privateExponent.size) {
+      ckcapi_FetchPrivateKey(io);
+    }
+    return &io->u.cert.exponent2;
+  case CKA_COEFFICIENT:
+    if (0 == io->u.cert.privateExponent.size) {
+      ckcapi_FetchPrivateKey(io);
+    }
+    return &io->u.cert.coefficient;
+  case CKA_ID:
+    if (0 == io->u.cert.id.size) {
+      ckcapi_FetchID(io);
+    }
+    return &io->u.cert.id;
+  default:
+    return NULL;
+  }
+}
+
+const NSSItem *
+nss_ckcapi_FetchAttribute(ckcapiInternalObject *io, CK_ATTRIBUTE_TYPE type)
+{
+  CK_ULONG i;
+
+  if (io->type == ckcapiRaw) {
+    for( i = 0; i < io->u.raw.n; i++ ) {
+      if( type == io->u.raw.types[i] ) {
+        return &io->u.raw.items[i];
+      }
+    }
+    return NULL;
+  }
+  /* deal with the common attributes */
+  switch (io->u.cert.objClass) {
+  case CKO_CERTIFICATE:
+   return ckcapi_FetchCertAttribute(io, type); 
+  case CKO_PRIVATE_KEY:
+   return ckcapi_FetchPrivKeyAttribute(io, type); 
+  case CKO_PUBLIC_KEY:
+   return ckcapi_FetchPubKeyAttribute(io, type); 
+  }
+  return NULL;
+}
+
+
+/*
+ * Finalize - unneeded
+ * Destroy - CKR_SESSION_READ_ONLY
+ * IsTokenObject - CK_TRUE
+ * GetAttributeCount
+ * GetAttributeTypes
+ * GetAttributeSize
+ * GetAttribute
+ * SetAttribute - unneeded
+ * GetObjectSize
+ */
+
+static CK_RV
+ckcapi_mdObject_Destroy
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return CKR_SESSION_READ_ONLY;
+}
+
+static CK_BBOOL
+ckcapi_mdObject_IsTokenObject
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return CK_TRUE;
+}
+
+static CK_ULONG
+ckcapi_mdObject_GetAttributeCount
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
+
+  if (ckcapiRaw == io->type) {
+     return io->u.raw.n;
+  }
+  switch (io->u.cert.objClass) {
+  case CKO_CERTIFICATE:
+    return certAttrsCount;
+  case CKO_PUBLIC_KEY:
+    return pubKeyAttrsCount;
+  case CKO_PRIVATE_KEY:
+    return privKeyAttrsCount;
+  default:
+    break;
+  }
+  return 0;
+}
+
+static CK_RV
+ckcapi_mdObject_GetAttributeTypes
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE_PTR typeArray,
+  CK_ULONG ulCount
+)
+{
+  ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
+  CK_ULONG i;
+  CK_RV error = CKR_OK;
+  const CK_ATTRIBUTE_TYPE *attrs = NULL;
+  CK_ULONG size = ckcapi_mdObject_GetAttributeCount(
+			mdObject, fwObject, mdSession, fwSession, 
+			mdToken, fwToken, mdInstance, fwInstance, &error);
+
+  if( size != ulCount ) {
+    return CKR_BUFFER_TOO_SMALL;
+  }
+  if (io->type == ckcapiRaw) {
+    attrs = io->u.raw.types;
+  } else switch(io->u.cert.objClass) {
+    case CKO_CERTIFICATE:
+      attrs = certAttrs;
+      break;
+    case CKO_PUBLIC_KEY:
+      attrs = pubKeyAttrs;
+      break;
+    case CKO_PRIVATE_KEY:
+      attrs = privKeyAttrs;
+      break;
+    default:
+      return CKR_OK;
+  }
+  
+  for( i = 0; i < size; i++) {
+    typeArray[i] = attrs[i];
+  }
+
+  return CKR_OK;
+}
+
+static CK_ULONG
+ckcapi_mdObject_GetAttributeSize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
+
+  const NSSItem *b;
+
+  b = nss_ckcapi_FetchAttribute(io, attribute);
+
+  if ((const NSSItem *)NULL == b) {
+    *pError = CKR_ATTRIBUTE_TYPE_INVALID;
+    return 0;
+  }
+  return b->size;
+}
+
+static NSSCKFWItem
+ckcapi_mdObject_GetAttribute
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_TYPE attribute,
+  CK_RV *pError
+)
+{
+  NSSCKFWItem mdItem;
+  ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
+
+  mdItem.needsFreeing = PR_FALSE;
+  mdItem.item = (NSSItem*)nss_ckcapi_FetchAttribute(io, attribute);
+
+  if ((NSSItem *)NULL == mdItem.item) {
+    *pError = CKR_ATTRIBUTE_TYPE_INVALID;
+  }
+
+  return mdItem;
+}
+
+static CK_ULONG
+ckcapi_mdObject_GetObjectSize
+(
+  NSSCKMDObject *mdObject,
+  NSSCKFWObject *fwObject,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  ckcapiInternalObject *io = (ckcapiInternalObject *)mdObject->etc;
+  CK_ULONG rv = 1;
+
+  /* size is irrelevant to this token */
+  return rv;
+}
+
+static const NSSCKMDObject
+ckcapi_prototype_mdObject = {
+  (void *)NULL, /* etc */
+  NULL, /* Finalize */
+  ckcapi_mdObject_Destroy,
+  ckcapi_mdObject_IsTokenObject,
+  ckcapi_mdObject_GetAttributeCount,
+  ckcapi_mdObject_GetAttributeTypes,
+  ckcapi_mdObject_GetAttributeSize,
+  ckcapi_mdObject_GetAttribute,
+  NULL, /* FreeAttribute */
+  NULL, /* SetAttribute */
+  ckcapi_mdObject_GetObjectSize,
+  (void *)NULL /* null terminator */
+};
+
+static nssHash *ckcapiInternalObjectHash = NULL;
+
+NSS_IMPLEMENT NSSCKMDObject *
+nss_ckcapi_CreateMDObject
+(
+  NSSArena *arena,
+  ckcapiInternalObject *io,
+  CK_RV *pError
+)
+{
+  if ((nssHash *)NULL == ckcapiInternalObjectHash) {
+    ckcapiInternalObjectHash = nssHash_CreateItem(NULL, 10);
+  }
+  if (ckcapiCert == io->type) {
+    /* the hash key, not a cryptographic key */
+    NSSItem *key = &io->u.cert.hashKey;
+    ckcapiInternalObject *old_o = NULL;
+
+    if (key->size == 0) {
+      ckcapi_FetchHashKey(io);
+    }
+    old_o = (ckcapiInternalObject *) 
+              nssHash_Lookup(ckcapiInternalObjectHash, key);
+    if (!old_o) {
+      nssHash_Add(ckcapiInternalObjectHash, key, io);
+    } else if (old_o != io) {
+      nss_ckcapi_DestroyInternalObject(io);
+      io = old_o;
+    }
+  }
+    
+  if ( (void*)NULL == io->mdObject.etc) {
+    (void) nsslibc_memcpy(&io->mdObject,&ckcapi_prototype_mdObject,
+					sizeof(ckcapi_prototype_mdObject));
+    io->mdObject.etc = (void *)io;
+  }
+  return &io->mdObject;
+}
+
+void
+nss_ckcapi_DestroyInternalObject(ckcapiInternalObject *io)
+{
+  if (ckcapiRaw == io->type) {
+    return;
+  }
+  CertFreeCertificateContext(io->u.cert.certContext);
+  nss_ZFreeIf(io->u.cert.privateKey);
+  nss_ZFreeIf(io);
+  return;
+}
diff --git a/security/nss/lib/ckfw/capi/config.mk b/security/nss/lib/ckfw/capi/config.mk
new file mode 100644
index 000000000..fdfc8cf09
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/config.mk
@@ -0,0 +1,71 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+CONFIG_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+#
+#  Override TARGETS variable so that only shared libraries
+#  are specifed as dependencies within rules.mk.
+#
+
+TARGETS        = $(SHARED_LIBRARY)
+LIBRARY        =
+IMPORT_LIBRARY =
+PROGRAM        =
+
+ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+    SHARED_LIBRARY = $(OBJDIR)/$(DLL_PREFIX)$(LIBRARY_NAME)$(LIBRARY_VERSION).$(DLL_SUFFIX)
+    RES = $(OBJDIR)/$(LIBRARY_NAME).res
+    RESNAME = $(LIBRARY_NAME).rc
+endif
+
+ifdef BUILD_IDG
+    DEFINES += -DNSSDEBUG
+endif
+
+#
+# To create a loadable module on Darwin, we must use -bundle.
+#
+ifeq ($(OS_TARGET),Darwin)
+DSO_LDOPTS = -bundle
+endif
+
+ifeq ($(OS_TARGET),SunOS)
+# The -R '$ORIGIN' linker option instructs this library to search for its
+# dependencies in the same directory where it resides.
+MKSHLIB += -R '$$ORIGIN'
+endif
+
diff --git a/security/nss/lib/ckfw/capi/constants.c b/security/nss/lib/ckfw/capi/constants.c
new file mode 100644
index 000000000..4e509da65
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/constants.c
@@ -0,0 +1,98 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+/*
+ * ckcapi/constants.c
+ *
+ * Identification and other constants, all collected here in one place.
+ */
+
+#ifndef NSSBASET_H
+#include "nssbaset.h"
+#endif /* NSSBASET_H */
+
+#ifndef NSSCKT_H
+#include "nssckt.h"
+#endif /* NSSCKT_H */
+
+#ifndef NSSCAPI_H
+#include "nsscapi.h"
+#endif /* NSSCAPI_H */
+
+NSS_IMPLEMENT_DATA const CK_VERSION
+nss_ckcapi_CryptokiVersion =  {
+		NSS_CKCAPI_CRYPTOKI_VERSION_MAJOR,
+		NSS_CKCAPI_CRYPTOKI_VERSION_MINOR };
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_ckcapi_ManufacturerID = (NSSUTF8 *) "Mozilla Foundation";
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_ckcapi_LibraryDescription = (NSSUTF8 *) "NSS Access to Microsoft Certificate Store";
+
+NSS_IMPLEMENT_DATA const CK_VERSION
+nss_ckcapi_LibraryVersion = {
+	NSS_CKCAPI_LIBRARY_VERSION_MAJOR,
+	NSS_CKCAPI_LIBRARY_VERSION_MINOR};
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_ckcapi_SlotDescription = (NSSUTF8 *) "Microsoft Certificate Store";
+
+NSS_IMPLEMENT_DATA const CK_VERSION
+nss_ckcapi_HardwareVersion = { 
+	NSS_CKCAPI_HARDWARE_VERSION_MAJOR,
+	NSS_CKCAPI_HARDWARE_VERSION_MINOR };
+
+NSS_IMPLEMENT_DATA const CK_VERSION
+nss_ckcapi_FirmwareVersion = { 
+	NSS_CKCAPI_FIRMWARE_VERSION_MAJOR,
+	NSS_CKCAPI_FIRMWARE_VERSION_MINOR };
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_ckcapi_TokenLabel = (NSSUTF8 *) "Microsoft Certificate Store";
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_ckcapi_TokenModel = (NSSUTF8 *) "1";
+
+NSS_IMPLEMENT_DATA const NSSUTF8 *
+nss_ckcapi_TokenSerialNumber = (NSSUTF8 *) "1";
+
diff --git a/security/nss/lib/ckfw/capi/crsa.c b/security/nss/lib/ckfw/capi/crsa.c
new file mode 100644
index 000000000..152a921b6
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/crsa.c
@@ -0,0 +1,751 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Red Hat, Inc.
+ * Portions created by the Initial Developer are Copyright (C) 2005
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckcapi.h"
+#include "secdert.h"
+
+#define SSL3_SHAMD5_HASH_SIZE  36 /* LEN_MD5 (16) + LEN_SHA1 (20) */
+
+/*
+ * ckcapi/crsa.c
+ *
+ * This file implements the NSSCKMDMechnaism and NSSCKMDCryptoOperation objects
+ * for the RSA operation on the CAPI cryptoki module.
+ */
+
+/*
+ * write a Decimal value to a string
+ */
+
+static char *
+putDecimalString(char *cstr, unsigned long value)
+{
+  unsigned long tenpower;
+  int first = 1;
+
+  for (tenpower=10000000; tenpower; tenpower /= 10) {
+    unsigned char digit = (unsigned char )(value/tenpower);
+    value = value % tenpower;
+
+    /* drop leading zeros */
+    if (first && (0 == digit)) {
+      continue;
+    }
+    first = 0;
+    *cstr++ = digit + '0';
+  }
+
+  /* if value was zero, put one of them out */
+  if (first) {
+    *cstr++ = '0';
+  }
+  return cstr;
+}
+
+
+/*
+ * Create a Capi OID string value from a DER OID
+ */
+static char *
+nss_ckcapi_GetOidString
+(
+  unsigned char *oidTag,
+  int oidTagSize,
+  CK_RV *pError
+)
+{
+  unsigned char *oid;
+  char *oidStr;
+  char *cstr;
+  unsigned long value;
+  int oidSize;
+
+  if (DER_OBJECT_ID != *oidTag) {
+    /* wasn't an oid */
+    *pError = CKR_DATA_INVALID;
+    return NULL;
+  }
+  oid = nss_ckcapi_DERUnwrap(oidTag, oidTagSize, &oidSize, NULL);
+
+  if (oidSize < 2) {
+    *pError = CKR_DATA_INVALID;
+    return NULL;
+  }
+
+  oidStr = nss_ZNEWARRAY( NULL, char, oidSize*4 );
+  if ((char *)NULL == oidStr) {
+    *pError = CKR_HOST_MEMORY;
+    return NULL;
+  }
+  cstr = oidStr;
+  cstr = putDecimalString(cstr, (*oid) / 40);
+  *cstr++ = '.';
+  cstr = putDecimalString(cstr, (*oid) % 40);
+  oidSize--;
+
+  value = 0;
+  while (oidSize--) {
+    oid++;
+    value = (value << 7) + (*oid & 0x7f);
+    if (0 == (*oid & 0x80)) {
+      *cstr++ = '.';
+      cstr = putDecimalString(cstr, value);
+      value = 0;
+    }
+  }
+
+  *cstr = 0; /* NULL terminate */
+
+  if (value != 0) {
+    nss_ZFreeIf(oidStr);
+    *pError = CKR_DATA_INVALID;
+    return NULL;
+  }
+  return oidStr;
+}
+
+
+/*
+ * PKCS #11 sign for RSA expects to take a fully DER-encoded hash value, 
+ * which includes the hash OID. CAPI expects to take a Hash Context. While 
+ * CAPI does have the capability of setting a raw hash value, it does not 
+ * have the ability to sign an arbitrary value. This function tries to
+ * reduce the passed in data into something that CAPI could actually sign.
+ */
+static CK_RV
+ckcapi_GetRawHash
+(
+  const NSSItem *input,
+  NSSItem *hash, 
+  ALG_ID *hashAlg
+)
+{
+   unsigned char *current;
+   unsigned char *algid;
+   unsigned char *oid;
+   unsigned char *hashData;
+   char *oidStr;
+   CK_RV error;
+   int oidSize;
+   int size;
+   /*
+    * there are 2 types of hashes NSS typically tries to sign, regular
+    * RSA signature format (with encoded DER_OIDS), and SSL3 Signed hashes.
+    * CAPI knows not to add any oids to SSL3_Signed hashes, so if we have any
+    * random hash that is exactly the same size as an SSL3 hash, then we can
+    * just pass the data through. CAPI has know way of knowing if the value
+    * is really a combined hash or some other arbitrary data, so it's safe to
+    * handle this case first.
+    */
+  if (SSL3_SHAMD5_HASH_SIZE == input->size) {
+    hash->data = input->data;
+    hash->size = input->size;
+    *hashAlg = CALG_SSL3_SHAMD5;
+    return CKR_OK;
+  }
+
+  current = (unsigned char *)input->data;
+
+  /* make sure we have a sequence tag */
+  if ((DER_SEQUENCE|DER_CONSTRUCTED) != *current) {
+    return CKR_DATA_INVALID;
+  }
+
+  /* parse the input block to get 1) the hash oid, and 2) the raw hash value.
+   * unfortunatly CAPI doesn't have a builtin function to do this work, so
+   * we go ahead and do it by hand here.
+   *
+   * format is:
+   *  SEQUENCE {
+   *     SECQUENCE { // algid
+   *       OID {}    // oid
+   *       ANY {}    // optional params 
+   *     }
+   *     OCTECT {}   // hash
+   */
+
+  /* unwrap */
+  algid = nss_ckcapi_DERUnwrap(current,input->size, &size, NULL);
+  
+  if (algid+size != current+input->size) {
+    /* make sure there is not extra data at the end */
+    return CKR_DATA_INVALID;
+  }
+
+  if ((DER_SEQUENCE|DER_CONSTRUCTED) != *algid) {
+    /* wasn't an algid */
+    return CKR_DATA_INVALID;
+  }
+  oid = nss_ckcapi_DERUnwrap(algid, size, &oidSize, &hashData);
+
+  if (DER_OCTET_STRING != *hashData) {
+    /* wasn't a hash */
+    return CKR_DATA_INVALID;
+  }
+
+  /* get the real hash */
+  current = hashData;
+  size = size - (hashData-algid);
+  hash->data = nss_ckcapi_DERUnwrap(current, size, &hash->size, NULL);
+
+  /* get the real oid as a string. Again, Microsoft does not
+   * export anything that does this for us */
+  oidStr = nss_ckcapi_GetOidString(oid, oidSize, &error);
+  if ((char *)NULL == oidStr ) {
+    return error;
+  }
+
+  /* look up the hash alg from the oid (fortunately CAPI does to this) */ 
+  *hashAlg = CertOIDToAlgId(oidStr);
+  nss_ZFreeIf(oidStr);
+  if (0 == *hashAlg) {
+    return CKR_HOST_MEMORY;
+  }
+
+  /* hash looks reasonably consistent, we should be able to sign it now */
+  return CKR_OK;
+}
+
+/*
+ * So everyone else in the works stores their bignum data MSB first, but not
+ * Microsoft, we need to byte swap everything coming into and out of CAPI.
+ */
+void
+ckcapi_ReverseData(NSSItem *item)
+{
+  int end = (item->size)-1;
+  int middle = (item->size)/2;
+  unsigned char *buf = item->data;
+  int i;
+
+  for (i=0; i < middle; i++) {
+    unsigned char  tmp = buf[i];
+    buf[i] = buf[end-i];
+    buf[end-i] = tmp;
+  }
+  return;
+}
+
+typedef struct ckcapiInternalCryptoOperationRSAPrivStr 
+               ckcapiInternalCryptoOperationRSAPriv;
+struct ckcapiInternalCryptoOperationRSAPrivStr
+{
+  NSSCKMDCryptoOperation mdOperation;
+  NSSCKMDMechanism     *mdMechanism;
+  ckcapiInternalObject *iKey;
+  HCRYPTPROV           hProv;
+  DWORD                keySpec;
+  HCRYPTKEY            hKey;
+  NSSItem	       *buffer;
+};
+
+/*
+ * ckcapi_mdCryptoOperationRSAPriv_Create
+ */
+static NSSCKMDCryptoOperation *
+ckcapi_mdCryptoOperationRSAPriv_Create
+(
+  const NSSCKMDCryptoOperation *proto,
+  NSSCKMDMechanism *mdMechanism,
+  NSSCKMDObject *mdKey,
+  CK_RV *pError
+)
+{
+  ckcapiInternalObject *iKey = (ckcapiInternalObject *)mdKey->etc;
+  const NSSItem *classItem = nss_ckcapi_FetchAttribute(iKey, CKA_CLASS);
+  const NSSItem *keyType = nss_ckcapi_FetchAttribute(iKey, CKA_KEY_TYPE);
+  ckcapiInternalCryptoOperationRSAPriv *iOperation;
+  CK_RV   error;
+  HCRYPTPROV  hProv;
+  DWORD       keySpec;
+  HCRYPTKEY   hKey;
+
+  /* make sure we have the right objects */
+  if (((const NSSItem *)NULL == classItem) ||
+      (sizeof(CK_OBJECT_CLASS) != classItem->size) ||
+      (CKO_PRIVATE_KEY != *(CK_OBJECT_CLASS *)classItem->data) ||
+      ((const NSSItem *)NULL == keyType) ||
+      (sizeof(CK_KEY_TYPE) != keyType->size) ||
+      (CKK_RSA != *(CK_KEY_TYPE *)keyType->data)) {
+    *pError =  CKR_KEY_TYPE_INCONSISTENT;
+    return (NSSCKMDCryptoOperation *)NULL;
+  }
+
+  error = nss_ckcapi_FetchKeyContainer(iKey, &hProv, &keySpec, &hKey);
+  if (error != CKR_OK) {
+    *pError = error;
+    return (NSSCKMDCryptoOperation *)NULL;
+  }
+
+  iOperation = nss_ZNEW(NULL, ckcapiInternalCryptoOperationRSAPriv);
+  if ((ckcapiInternalCryptoOperationRSAPriv *)NULL == iOperation) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDCryptoOperation *)NULL;
+  }
+  iOperation->mdMechanism = mdMechanism;
+  iOperation->iKey = iKey;
+  iOperation->hProv = hProv;
+  iOperation->keySpec = keySpec;
+  iOperation->hKey = hKey;
+
+  nsslibc_memcpy(&iOperation->mdOperation, 
+                 proto, sizeof(NSSCKMDCryptoOperation));
+  iOperation->mdOperation.etc = iOperation;
+
+  return &iOperation->mdOperation;
+}
+
+static CK_RV
+ckcapi_mdCryptoOperationRSAPriv_Destroy
+(
+  NSSCKMDCryptoOperation *mdOperation,
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  ckcapiInternalCryptoOperationRSAPriv *iOperation =
+       (ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
+
+  if (iOperation->hKey) {
+    CryptDestroyKey(iOperation->hKey);
+  }
+  if (iOperation->buffer) {
+    nssItem_Destroy(iOperation->buffer);
+  }
+  nss_ZFreeIf(iOperation);
+  return CKR_OK;
+}
+
+static CK_ULONG
+ckcapi_mdCryptoOperationRSA_GetFinalLength
+(
+  NSSCKMDCryptoOperation *mdOperation,
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  ckcapiInternalCryptoOperationRSAPriv *iOperation =
+       (ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
+  const NSSItem *modulus = 
+       nss_ckcapi_FetchAttribute(iOperation->iKey, CKA_MODULUS);
+
+  return modulus->size;
+}
+
+
+/*
+ * ckcapi_mdCryptoOperationRSADecrypt_GetOperationLength
+ * we won't know the length until we actually decrypt the
+ * input block. Since we go to all the work to decrypt the
+ * the block, we'll save if for when the block is asked for
+ */
+static CK_ULONG
+ckcapi_mdCryptoOperationRSADecrypt_GetOperationLength
+(
+  NSSCKMDCryptoOperation *mdOperation,
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  const NSSItem *input,
+  CK_RV *pError
+)
+{
+  ckcapiInternalCryptoOperationRSAPriv *iOperation =
+       (ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
+  BOOL rc;
+
+  /* Microsoft's Decrypt operation works in place. Since we don't want
+   * to trash our input buffer, we make a copy of it */
+  iOperation->buffer = nssItem_Duplicate((NSSItem *)input, NULL, NULL);
+  if ((NSSItem *) NULL == iOperation->buffer) {
+    *pError = CKR_HOST_MEMORY;
+    return 0;
+  }
+  /* Sigh, reverse it */
+  ckcapi_ReverseData(iOperation->buffer);
+  
+  rc = CryptDecrypt(iOperation->hKey, 0, TRUE, 0, 
+		    iOperation->buffer->data, &iOperation->buffer->size);
+  if (!rc) {
+    DWORD msError = GetLastError();
+    switch (msError) {
+    case NTE_BAD_DATA:
+      *pError = CKR_ENCRYPTED_DATA_INVALID;
+      break;
+    case NTE_FAIL:
+    case NTE_BAD_UID:
+      *pError = CKR_DEVICE_ERROR;
+      break;
+    default:
+      *pError = CKR_GENERAL_ERROR; 
+    }
+    return 0;
+  }
+
+  return iOperation->buffer->size;
+}
+
+/*
+ * ckcapi_mdCryptoOperationRSADecrypt_UpdateFinal
+ *
+ * NOTE: ckcapi_mdCryptoOperationRSADecrypt_GetOperationLength is presumed to 
+ * have been called previously.
+ */
+static CK_RV
+ckcapi_mdCryptoOperationRSADecrypt_UpdateFinal
+(
+  NSSCKMDCryptoOperation *mdOperation,
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  const NSSItem *input,
+  NSSItem *output
+)
+{
+  ckcapiInternalCryptoOperationRSAPriv *iOperation =
+       (ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
+  NSSItem *buffer = iOperation->buffer;
+
+  if ((NSSItem *)NULL == buffer) {
+    return CKR_GENERAL_ERROR;
+  }
+  nsslibc_memcpy(output->data, buffer->data, buffer->size);
+  output->size = buffer->size;
+  return CKR_OK;
+}
+
+/*
+ * ckcapi_mdCryptoOperationRSASign_UpdateFinal
+ *
+ */
+static CK_RV
+ckcapi_mdCryptoOperationRSASign_UpdateFinal
+(
+  NSSCKMDCryptoOperation *mdOperation,
+  NSSCKFWCryptoOperation *fwOperation,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  const NSSItem *input,
+  NSSItem *output
+)
+{
+  ckcapiInternalCryptoOperationRSAPriv *iOperation =
+       (ckcapiInternalCryptoOperationRSAPriv *)mdOperation->etc;
+  CK_RV error = CKR_OK;
+  DWORD msError;
+  NSSItem hash;
+  HCRYPTHASH hHash = 0;
+  ALG_ID  hashAlg;
+  DWORD  hashSize;
+  DWORD  len; /* temp length value we throw away */
+  BOOL   rc;
+
+  /*
+   * PKCS #11 sign for RSA expects to take a fully DER-encoded hash value, 
+   * which includes the hash OID. CAPI expects to take a Hash Context. While 
+   * CAPI does have the capability of setting a raw hash value, it does not 
+   * have the ability to sign an arbitrary value. This function tries to
+   * reduce the passed in data into something that CAPI could actually sign.
+   */
+  error = ckcapi_GetRawHash(input, &hash, &hashAlg);
+  if (CKR_OK != error) {
+    goto loser;
+  }
+
+  rc = CryptCreateHash(iOperation->hProv, hashAlg, 0, 0, &hHash);
+  if (!rc) {
+    goto loser;
+  }
+
+  /* make sure the hash lens match before we set it */
+  len = sizeof(DWORD);
+  rc = CryptGetHashParam(hHash, HP_HASHSIZE, (BYTE *)&hashSize, &len, 0);
+  if (!rc) {
+    goto loser;
+  }
+
+  if (hash.size != hashSize) {
+    /* The input must have been bad for this to happen */
+    error = CKR_DATA_INVALID;
+    goto loser;
+  }
+
+  /* we have an explicit hash, set it, note that the length is
+   * implicit by the hashAlg used in create */
+  rc = CryptSetHashParam(hHash, HP_HASHVAL, hash.data, 0);
+  if (!rc) {
+    goto loser;
+  }
+
+  /* OK, we have the data in a hash structure, sign it! */
+  rc = CryptSignHash(hHash, iOperation->keySpec, NULL, 0,
+                     output->data, &output->size);
+  if (!rc) {
+    goto loser;
+  }
+
+  /* Don't return a signature that might have been broken because of a cosmic
+   * ray, or a broken processor, verify that it is valid... */
+  rc = CryptVerifySignature(hHash, output->data, output->size, 
+                            iOperation->hKey, NULL, 0);
+  if (!rc) {
+    goto loser;
+  }
+
+  /* OK, Microsoft likes to do things completely differently than anyone
+   * else. We need to reverse the data we recieved here */
+  ckcapi_ReverseData(output);
+  CryptDestroyHash(hHash);
+  return CKR_OK;
+
+loser:
+  /* map the microsoft error */
+  if (CKR_OK == error) {
+    msError = GetLastError();
+    switch (msError) {
+    case ERROR_NOT_ENOUGH_MEMORY:
+      error = CKR_HOST_MEMORY;
+      break;
+    case NTE_NO_MEMORY:
+      error = CKR_DEVICE_MEMORY;
+      break;
+    case ERROR_MORE_DATA:
+      return CKR_BUFFER_TOO_SMALL;
+    case ERROR_INVALID_PARAMETER: /* these params were derived from the */
+    case ERROR_INVALID_HANDLE:    /* inputs, so if they are bad, the input */ 
+    case NTE_BAD_ALGID:           /* data is bad */
+    case NTE_BAD_HASH:
+      error = CKR_DATA_INVALID;
+      break;
+    case ERROR_BUSY:
+    case NTE_FAIL:
+    case NTE_BAD_UID:
+      error = CKR_DEVICE_ERROR;
+      break;
+    default:
+      error = CKR_GENERAL_ERROR;
+      break;
+    }
+  }
+  if (hHash) {
+    CryptDestroyHash(hHash);
+  }
+  return error;
+}
+  
+
+NSS_IMPLEMENT_DATA const NSSCKMDCryptoOperation
+ckcapi_mdCryptoOperationRSADecrypt_proto = {
+  NULL, /* etc */
+  ckcapi_mdCryptoOperationRSAPriv_Destroy,
+  NULL, /* GetFinalLengh - not needed for one shot Decrypt/Encrypt */
+  ckcapi_mdCryptoOperationRSADecrypt_GetOperationLength,
+  NULL, /* Final - not needed for one shot operation */
+  NULL, /* Update - not needed for one shot operation */
+  NULL, /* DigetUpdate - not needed for one shot operation */
+  ckcapi_mdCryptoOperationRSADecrypt_UpdateFinal,
+  NULL, /* UpdateCombo - not needed for one shot operation */
+  NULL, /* DigetKey - not needed for one shot operation */
+  (void *)NULL /* null terminator */
+};
+
+NSS_IMPLEMENT_DATA const NSSCKMDCryptoOperation
+ckcapi_mdCryptoOperationRSASign_proto = {
+  NULL, /* etc */
+  ckcapi_mdCryptoOperationRSAPriv_Destroy,
+  ckcapi_mdCryptoOperationRSA_GetFinalLength,
+  NULL, /* GetOperationLengh - not needed for one shot Sign/Verify */
+  NULL, /* Final - not needed for one shot operation */
+  NULL, /* Update - not needed for one shot operation */
+  NULL, /* DigetUpdate - not needed for one shot operation */
+  ckcapi_mdCryptoOperationRSASign_UpdateFinal,
+  NULL, /* UpdateCombo - not needed for one shot operation */
+  NULL, /* DigetKey - not needed for one shot operation */
+  (void *)NULL /* null terminator */
+};
+
+/********** NSSCKMDMechansim functions ***********************/
+/*
+ * ckcapi_mdMechanismRSA_Destroy
+ */
+static void
+ckcapi_mdMechanismRSA_Destroy
+(
+  NSSCKMDMechanism *mdMechanism,
+  NSSCKFWMechanism *fwMechanism,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  nss_ZFreeIf(fwMechanism);
+}
+
+/*
+ * ckcapi_mdMechanismRSA_GetMinKeySize
+ */
+static CK_ULONG
+ckcapi_mdMechanismRSA_GetMinKeySize
+(
+  NSSCKMDMechanism *mdMechanism,
+  NSSCKFWMechanism *fwMechanism,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return 384;
+}
+
+/*
+ * ckcapi_mdMechanismRSA_GetMaxKeySize
+ */
+static CK_ULONG
+ckcapi_mdMechanismRSA_GetMaxKeySize
+(
+  NSSCKMDMechanism *mdMechanism,
+  NSSCKFWMechanism *fwMechanism,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return 16384;
+}
+
+/*
+ * ckcapi_mdMechanismRSA_DecryptInit
+ */
+static NSSCKMDCryptoOperation * 
+ckcapi_mdMechanismRSA_DecryptInit
+(
+  NSSCKMDMechanism *mdMechanism,
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM     *pMechanism,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDObject *mdKey,
+  NSSCKFWObject *fwKey,
+  CK_RV *pError
+)
+{
+  return ckcapi_mdCryptoOperationRSAPriv_Create(
+		&ckcapi_mdCryptoOperationRSADecrypt_proto,
+		mdMechanism, mdKey, pError);
+}
+
+/*
+ * ckcapi_mdMechanismRSA_SignInit
+ */
+static NSSCKMDCryptoOperation * 
+ckcapi_mdMechanismRSA_SignInit
+(
+  NSSCKMDMechanism *mdMechanism,
+  NSSCKFWMechanism *fwMechanism,
+  CK_MECHANISM     *pMechanism,
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSCKMDObject *mdKey,
+  NSSCKFWObject *fwKey,
+  CK_RV *pError
+)
+{
+  return ckcapi_mdCryptoOperationRSAPriv_Create(
+		&ckcapi_mdCryptoOperationRSASign_proto,
+		mdMechanism, mdKey, pError);
+}
+
+
+NSS_IMPLEMENT_DATA const NSSCKMDMechanism
+nss_ckcapi_mdMechanismRSA = {
+  (void *)NULL, /* etc */
+  ckcapi_mdMechanismRSA_Destroy,
+  ckcapi_mdMechanismRSA_GetMinKeySize,
+  ckcapi_mdMechanismRSA_GetMaxKeySize,
+  NULL, /* GetInHardware - default false */
+  NULL, /* EncryptInit - default errs */
+  ckcapi_mdMechanismRSA_DecryptInit,
+  NULL, /* DigestInit - default errs*/
+  ckcapi_mdMechanismRSA_SignInit,
+  NULL, /* VerifyInit - default errs */
+  ckcapi_mdMechanismRSA_SignInit,  /* SignRecoverInit */
+  NULL, /* VerifyRecoverInit - default errs */
+  NULL, /* DigestEncryptUpdate - default errs */
+  NULL, /* DecryptDigestUpdate - default errs */
+  NULL, /* SignEncryptUpdate - default errs */
+  NULL, /* DecryptVerifyUpdate - default errs */
+  NULL, /* GenerateKey - default errs */
+  NULL, /* GenerateKeyPair - default errs */
+  NULL, /* WrapKey - default errs */
+  NULL, /* UnwrapKey - default errs */
+  NULL, /* DeriveKey - default errs */
+  (void *)NULL /* null terminator */
+};
diff --git a/security/nss/lib/ckfw/capi/csession.c b/security/nss/lib/ckfw/capi/csession.c
new file mode 100644
index 000000000..a19de5106
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/csession.c
@@ -0,0 +1,113 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckcapi.h"
+
+/*
+ * ckcapi/csession.c
+ *
+ * This file implements the NSSCKMDSession object for the 
+ * "nss to capi" cryptoki module.
+ */
+
+static NSSCKMDFindObjects *
+ckcapi_mdSession_FindObjectsInit
+(
+  NSSCKMDSession *mdSession,
+  NSSCKFWSession *fwSession,
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_ATTRIBUTE_PTR pTemplate,
+  CK_ULONG ulAttributeCount,
+  CK_RV *pError
+)
+{
+  return nss_ckcapi_FindObjectsInit(fwSession, pTemplate, ulAttributeCount, pError);
+}
+
+NSS_IMPLEMENT NSSCKMDSession *
+nss_ckcapi_CreateSession
+(
+  NSSCKFWSession *fwSession,
+  CK_RV *pError
+)
+{
+  NSSArena *arena;
+  NSSCKMDSession *rv;
+
+  arena = NSSCKFWSession_GetArena(fwSession, pError);
+  if( (NSSArena *)NULL == arena ) {
+    return (NSSCKMDSession *)NULL;
+  }
+
+  rv = nss_ZNEW(arena, NSSCKMDSession);
+  if( (NSSCKMDSession *)NULL == rv ) {
+    *pError = CKR_HOST_MEMORY;
+    return (NSSCKMDSession *)NULL;
+  }
+
+  /* 
+   * rv was zeroed when allocated, so we only 
+   * need to set the non-zero members.
+   */
+
+  rv->etc = (void *)fwSession;
+  /* rv->Close */
+  /* rv->GetDeviceError */
+  /* rv->Login */
+  /* rv->Logout */
+  /* rv->InitPIN */
+  /* rv->SetPIN */
+  /* rv->GetOperationStateLen */
+  /* rv->GetOperationState */
+  /* rv->SetOperationState */
+  /* rv->CreateObject */
+  /* rv->CopyObject */
+  rv->FindObjectsInit = ckcapi_mdSession_FindObjectsInit;
+  /* rv->SeedRandom */
+  /* rv->GetRandom */
+  /* rv->null */
+
+  return rv;
+}
diff --git a/security/nss/lib/ckfw/capi/cslot.c b/security/nss/lib/ckfw/capi/cslot.c
new file mode 100644
index 000000000..1c42c107d
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/cslot.c
@@ -0,0 +1,129 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckcapi.h"
+
+/*
+ * ckcapi/cslot.c
+ *
+ * This file implements the NSSCKMDSlot object for the
+ * "nss to capi" cryptoki module.
+ */
+
+static NSSUTF8 *
+ckcapi_mdSlot_GetSlotDescription
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckcapi_SlotDescription;
+}
+
+static NSSUTF8 *
+ckcapi_mdSlot_GetManufacturerID
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckcapi_ManufacturerID;
+}
+
+static CK_VERSION
+ckcapi_mdSlot_GetHardwareVersion
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_ckcapi_HardwareVersion;
+}
+
+static CK_VERSION
+ckcapi_mdSlot_GetFirmwareVersion
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_ckcapi_FirmwareVersion;
+}
+
+static NSSCKMDToken *
+ckcapi_mdSlot_GetToken
+(
+  NSSCKMDSlot *mdSlot,
+  NSSCKFWSlot *fwSlot,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSCKMDToken *)&nss_ckcapi_mdToken;
+}
+
+NSS_IMPLEMENT_DATA const NSSCKMDSlot
+nss_ckcapi_mdSlot = {
+  (void *)NULL, /* etc */
+  NULL, /* Initialize */
+  NULL, /* Destroy */
+  ckcapi_mdSlot_GetSlotDescription,
+  ckcapi_mdSlot_GetManufacturerID,
+  NULL, /* GetTokenPresent -- defaults to true */
+  NULL, /* GetRemovableDevice -- defaults to false */
+  NULL, /* GetHardwareSlot -- defaults to false */
+  ckcapi_mdSlot_GetHardwareVersion,
+  ckcapi_mdSlot_GetFirmwareVersion,
+  ckcapi_mdSlot_GetToken,
+  (void *)NULL /* null terminator */
+};
diff --git a/security/nss/lib/ckfw/capi/ctoken.c b/security/nss/lib/ckfw/capi/ctoken.c
new file mode 100644
index 000000000..dc75077de
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/ctoken.c
@@ -0,0 +1,233 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#include "ckcapi.h"
+
+/*
+ * ckcapi/ctoken.c
+ *
+ * This file implements the NSSCKMDToken object for the
+ * "nss to capi" cryptoki module.
+ */
+
+static NSSUTF8 *
+ckcapi_mdToken_GetLabel
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckcapi_TokenLabel;
+}
+
+static NSSUTF8 *
+ckcapi_mdToken_GetManufacturerID
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckcapi_ManufacturerID;
+}
+
+static NSSUTF8 *
+ckcapi_mdToken_GetModel
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckcapi_TokenModel;
+}
+
+static NSSUTF8 *
+ckcapi_mdToken_GetSerialNumber
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_RV *pError
+)
+{
+  return (NSSUTF8 *)nss_ckcapi_TokenSerialNumber;
+}
+
+static CK_BBOOL
+ckcapi_mdToken_GetIsWriteProtected
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return CK_TRUE;
+}
+
+static CK_VERSION
+ckcapi_mdToken_GetHardwareVersion
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_ckcapi_HardwareVersion;
+}
+
+static CK_VERSION
+ckcapi_mdToken_GetFirmwareVersion
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return nss_ckcapi_FirmwareVersion;
+}
+
+static NSSCKMDSession *
+ckcapi_mdToken_OpenSession
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  NSSCKFWSession *fwSession,
+  CK_BBOOL rw,
+  CK_RV *pError
+)
+{
+  return nss_ckcapi_CreateSession(fwSession, pError);
+}
+
+static CK_ULONG
+ckcapi_mdToken_GetMechanismCount
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance
+)
+{
+  return (CK_ULONG)1;
+}
+
+static CK_RV
+ckcapi_mdToken_GetMechanismTypes
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_MECHANISM_TYPE types[]
+)
+{
+  types[0] = CKM_RSA_PKCS;
+  return CKR_OK;
+}
+
+static NSSCKMDMechanism *
+ckcapi_mdToken_GetMechanism
+(
+  NSSCKMDToken *mdToken,
+  NSSCKFWToken *fwToken,
+  NSSCKMDInstance *mdInstance,
+  NSSCKFWInstance *fwInstance,
+  CK_MECHANISM_TYPE which,
+  CK_RV *pError
+)
+{
+  if (which != CKM_RSA_PKCS) {
+    *pError = CKR_MECHANISM_INVALID;
+    return (NSSCKMDMechanism *)NULL;
+  }
+  return (NSSCKMDMechanism *)&nss_ckcapi_mdMechanismRSA;
+}
+
+NSS_IMPLEMENT_DATA const NSSCKMDToken
+nss_ckcapi_mdToken = {
+  (void *)NULL, /* etc */
+  NULL, /* Setup */
+  NULL, /* Invalidate */
+  NULL, /* InitToken -- default errs */
+  ckcapi_mdToken_GetLabel,
+  ckcapi_mdToken_GetManufacturerID,
+  ckcapi_mdToken_GetModel,
+  ckcapi_mdToken_GetSerialNumber,
+  NULL, /* GetHasRNG -- default is false */
+  ckcapi_mdToken_GetIsWriteProtected,
+  NULL, /* GetLoginRequired -- default is false */
+  NULL, /* GetUserPinInitialized -- default is false */
+  NULL, /* GetRestoreKeyNotNeeded -- irrelevant */
+  NULL, /* GetHasClockOnToken -- default is false */
+  NULL, /* GetHasProtectedAuthenticationPath -- default is false */
+  NULL, /* GetSupportsDualCryptoOperations -- default is false */
+  NULL, /* GetMaxSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetMaxRwSessionCount -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetMaxPinLen -- irrelevant */
+  NULL, /* GetMinPinLen -- irrelevant */
+  NULL, /* GetTotalPublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetFreePublicMemory -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetTotalPrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
+  NULL, /* GetFreePrivateMemory -- default is CK_UNAVAILABLE_INFORMATION */
+  ckcapi_mdToken_GetHardwareVersion,
+  ckcapi_mdToken_GetFirmwareVersion,
+  NULL, /* GetUTCTime -- no clock */
+  ckcapi_mdToken_OpenSession,
+  ckcapi_mdToken_GetMechanismCount,
+  ckcapi_mdToken_GetMechanismTypes,
+  ckcapi_mdToken_GetMechanism,
+  (void *)NULL /* null terminator */
+};
diff --git a/security/nss/lib/ckfw/capi/manifest.mn b/security/nss/lib/ckfw/capi/manifest.mn
new file mode 100644
index 000000000..8959e5d2d
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/manifest.mn
@@ -0,0 +1,66 @@
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revision$ $Date$"
+
+CORE_DEPTH = ../../../..
+
+MODULE = nss
+MAPFILE = $(OBJDIR)/nsscapi.def
+
+EXPORTS =		\
+	nsscapi.h	\
+	$(NULL)
+
+CSRCS =			\
+	anchor.c	\
+	constants.c	\
+	cfind.c		\
+	cinst.c 	\
+	cobject.c	\
+	crsa.c		\
+	csession.c	\
+	cslot.c		\
+	ctoken.c	\
+	ckcapiver.c	\
+	staticobj.c	\
+	$(NULL)
+
+REQUIRES = nspr
+
+LIBRARY_NAME = nsscapi
+
+#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4
diff --git a/security/nss/lib/ckfw/capi/staticobj.c b/security/nss/lib/ckfw/capi/staticobj.c
new file mode 100644
index 000000000..8cfd8fbdd
--- /dev/null
+++ b/security/nss/lib/ckfw/capi/staticobj.c
@@ -0,0 +1,74 @@
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ * Portions created by Red Hat, Inc, are Copyright (C) 2005
+ *
+ * Contributor(s):
+ *   Bob Relyea (rrelyea@redhat.com)
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+#ifdef DEBUG
+static const char CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$""; @(#) $RCSfile$ $Revision$ $Date$";
+#endif /* DEBUG */
+
+#ifndef CKCAPI_H
+#include "ckcapi.h"
+#endif /* CKCAPI_H */
+
+static const CK_TRUST ckt_netscape_valid = CKT_NETSCAPE_VALID;
+static const CK_OBJECT_CLASS cko_certificate = CKO_CERTIFICATE;
+static const CK_TRUST ckt_netscape_trusted_delegator = CKT_NETSCAPE_TRUSTED_DELEGATOR;
+static const CK_OBJECT_CLASS cko_netscape_trust = CKO_NETSCAPE_TRUST;
+static const CK_BBOOL ck_true = CK_TRUE;
+static const CK_OBJECT_CLASS cko_data = CKO_DATA;
+static const CK_CERTIFICATE_TYPE ckc_x_509 = CKC_X_509;
+static const CK_BBOOL ck_false = CK_FALSE;
+static const CK_OBJECT_CLASS cko_netscape_builtin_root_list = CKO_NETSCAPE_BUILTIN_ROOT_LIST;
+
+/* example of a static object */
+static const CK_ATTRIBUTE_TYPE nss_ckcapi_types_1 [] = {
+ CKA_CLASS,  CKA_TOKEN,  CKA_PRIVATE,  CKA_MODIFIABLE,  CKA_LABEL
+};
+
+static const NSSItem nss_ckcapi_items_1 [] = {
+  { (void *)&cko_data, (PRUint32)sizeof(CK_OBJECT_CLASS) },
+  { (void *)&ck_true, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)&ck_false, (PRUint32)sizeof(CK_BBOOL) },
+  { (void *)"Mozilla CAPI Access", (PRUint32)20 }
+};
+
+PR_IMPLEMENT_DATA(ckcapiInternalObject) nss_ckcapi_data[] = {
+  { ckcapiRaw, { 5, nss_ckcapi_types_1, nss_ckcapi_items_1} , {NULL} },
+};
+
+PR_IMPLEMENT_DATA(const PRUint32) nss_ckcapi_nObjects = 1;